Supplemental Document : BIG-IP 11.6.1 Hotfixes :: Fixes and Known Issues

Applies To:


  • BIG-IP AAM 11.6.1
  • BIG-IP APM 11.6.1
  • BIG-IP GTM 11.6.1
  • BIG-IP Link Controller 11.6.1
  • BIG-IP Analytics 11.6.1
  • BIG-IP LTM 11.6.1
  • BIG-IP AFM 11.6.1
  • BIG-IP PEM 11.6.1
  • BIG-IP ASM 11.6.1
Original Publication Date: 03/18/2018
Updated Date: 04/18/2019

BIG-IP Hotfix Release Information

Version: BIGIP-11.6.1
Build: 338.0
Hotfix Rollup: 2

Cumulative fixes from BIG-IP v11.6.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.6.1 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 8 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.6.x

Vulnerability Fixes

| ID Number | CVE | Solution Article(s) | Description |
|---|---|---|---|
| 631582-4 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
| 624570-3 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
| 612128 | CVE-2016-6515 | K31510510 | OpenSSH vulnerability CVE-2016-6515 |
| 611469-2 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
| 597394-1 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
| 596340-3 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
| 591329-2 | CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | K36488941 | CVE-2016-2108 fixed in Oracle Access Manager library used by BIG-IP APM |
| 588496-3 | CVE-2009-3555 | K10737 | SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541 |
| 586131-3 | CVE-2014-3566 | K15702 | SSLv3 vulnerability CVE-2014-3566 |
| 635412-2 | CVE-2017-6137 | K82851041 | Invalid MSS with fast flow forwarding and software SYN cookies |
| 618261-3 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
| 604442-1 | CVE-2016-6249 | K12685114 | iControl log |
| 597023-4 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
| 594496-3 | CVE-2016-4539 | K35240323 | PHP vulnerability CVE-2016-4539 |
| 520924-4 | CVE-2016-5020 | K00265182 | Restricted roles for custom monitor creation |
| 475743-4 | CVE-2017-6128 | K92140924 | Improve administrative login efficiency |
| 635933-1 | CVE-2004-0790 | K23440942, K13361021 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
| 600198-4 | CVE-2016-2178, CVE-2016-6306, CVE-2016-6302 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
| 599285-4 | CVE-2016-5094, CVE-2016-5095, CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
| 597010-4 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
| 596997-4 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
| 591767-3 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
| 573343-3 | CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |


Functional Change Fixes

| ID Number | Severity | Description |
|---|---|---|
| 620712-1 | 3-Major | Added better search capabilities on the Pool Members Manage & Pool Create page. |
| 599536-2 | 3-Major | IPsec peer with wildcard selector brings up wrong phase2 SAs |
| 581840 | 3-Major | Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ. |
| 564876-1 | 3-Major | New DB variable log.lsn.comma changes CGNAT logs to CSV format |
| 561348-4 | 3-Major | krb5.conf file is not synchronized between blades and not backed up |
| 541549-4 | 3-Major | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
| 530109-5 | 3-Major | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
| 454492-1 | 3-Major | Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures |
| 451433-7 | 3-Major | HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe) |
| 609084-1 | 4-Minor | Max number of chunks not configurable above 1000 chunks |
| 591733-2 | 4-Minor | Save on Auto-Sync is missing from the configuration utility. |


TMOS Fixes

| ID Number | Severity | Description |
|---|---|---|
| 624457-3 | 1-Blocking | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
| 624263-3 | 2-Critical | iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response |
| 624245 | 2-Critical | Hung tasks leading to system problems and lack of management access via ssh/GUI |
| 616864-3 | 2-Critical | BIND vulnerability CVE-2016-2776 |
| 614865-2 | 2-Critical | Overwrite flag in iControl key/certificate_import_from_pem functions is ignored and might result in errors. |
| 613536-2 | 2-Critical | tmm core while running the iRule STATS:: command |
| 605476-2 | 2-Critical | istatsd can core when reading corrupt stats files. |
| 601527-3 | 2-Critical | mcpd memory leak and core |
| 591104-3 | 2-Critical | ospfd cores due to an incorrect debug statement. |
| 587698-2 | 2-Critical | bgpd crashes when ip extcommunity-list standard with route target (rt) and Site-of-origin (soo) parameters are configured |
| 583516-3 | 2-Critical | tmm asserts "valid node" on Active after timer fires. |
| 574055-3 | 2-Critical | TMM crash after changing racoon log level |
| 570881-4 | 2-Critical | IPsec configuration mismatch in IKEv2 causes TMM crash in isakmp_parse_proposal() |
| 570663-3 | 2-Critical | Using iControl get_certificate_bundle_v2 causes a memory leak |
| 570419-2 | 2-Critical | Use of session DB on multi-process appliances and blades may core. |
| 567457-3 | 2-Critical | TMM may crash when changing the IKE peer config. |
| 460833-1 | 2-Critical | MCPD sync errors and restart after multiple modifications to file object in chassis |
| 457252-1 | 2-Critical | tmm crash when using sip_info persistence without a sip profile |
| 440752-1 | 2-Critical | qkview might loop writing output file if MCPD fails during execution |
| 355806-3 | 2-Critical | Starting mcpd manually at the command line interferes with running mcpd |
| 623401-4 | 3-Major | Intermittent OCSP request failures due to non-optimal default TCP profile setting |
| 621417-1 | 3-Major | sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS. |
| 621242 | 3-Major | Reserve enough space in the image for future upgrades. |
| 616242-2 | 3-Major | basic_string::compare error in encrypted SSL key file if the first line of the file is blank |
| 615934-2 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. |
| 609119-5 | 3-Major | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: |
| 608320-4 | 3-Major | iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response |
| 604931-1 | 3-Major | bgpd might core on restarting process with BGP debug enabled. |
| 603149-1 | 3-Major | Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy |
| 601502-1 | 3-Major | Excessive OCSP traffic |
| 600558-3 | 3-Major | Errors logged after deleting user in GUI |
| 597729-1 | 3-Major | Errors logged after deleting user in GUI |
| 597601-4 | 3-Major | Improvement for a previous issue regressed NAT-T |
| 596814-3 | 3-Major | HA Failover fails in certain valid AWS configurations |
| 592870-3 | 3-Major | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
| 591455-2 | 3-Major | NTP vulnerability CVE-2016-2516 |
| 590904-5 | 3-Major | New HA Pair created using serial cable failover only will remain Active/Active |
| 586878-2 | 3-Major | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration. |
| 585485-4 | 3-Major | Interoperability with "delete IPSEC-SA" between Azure, ASA and BIG-IP |
| 583285-7 | 3-Major | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
| 577440-1 | 3-Major | audit logs may show connection to hagel.mnet |
| 571344-3 | 3-Major | SSL Certificate with special characters might cause exception when GUI retrieves items list page. |
| 566507-2 | 3-Major | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment |
| 560510-6 | 3-Major | Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down. |
| 557059-2 | 3-Major | When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang |
| 543208 | 3-Major | Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive. |
| 534021-5 | 3-Major | HA on AWS uses default AWS endpoint (EC2_URL). |
| 533813-3 | 3-Major | Internal Virtual Server in partition fails to load from saved config |
| 528498-5 | 3-Major | Recently-manufactured hardware may not be identified with the correct model name and SNMP OID |
| 523642-5 | 3-Major | Power Supply status reported incorrectly after LBH reset |
| 523527-6 | 3-Major | Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0. |
| 516540-3 | 3-Major | devmgmtd file object leak |
| 509400-1 | 3-Major | vCMP VIPRION: internal flooded unicast packets with multi-slot trunks impact performance |
| 502714-4 | 3-Major | Deleting files and file object references in a single transaction might cause validation errors |
| 481089-7 | 3-Major | Request group incorrectly deleted prior to being processed |
| 479660-2 | 3-Major | tmm crash in ipsec when ipsec-policy and ike-peer do not match. |
| 460176-4 | 3-Major | Hardwired failover asserts active even when standalone |
| 400456-3 | 3-Major | HTTP monitors with long send or receive strings may not save or update |
| 339825-3 | 3-Major | Management.KeyCertificate.install_certificate_from_file failing silently |
| 598498-4 | 4-Minor | Cannot remove Self IP when an unrelated static ARP entry exists. |
| 591447-3 | 4-Minor | PHP vulnerability CVE-2016-4070 |
| 585097-3 | 4-Minor | Traffic Group score formula does not result in unique values. |
| 581835-3 | 4-Minor | Command failing: tmsh show ltm virtual vs_name detail. |
| 551208-1 | 4-Minor | Nokia alarms are not deleted due to the outdated alert_nokia.conf. |
| 542347-1 | 4-Minor | Denied message in audit log on first time boot |
| 541320-6 | 4-Minor | Sync of tunnels might cause restore of deleted tunnels. |
| 535544-5 | 4-Minor | Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled |
| 477700-1 | 4-Minor | Detail missing from power supply 'Bad' status log messages |
| 470627-2 | 5-Cosmetic | Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE |
| 442231-2 | 5-Cosmetic | Pendsect log entries have an unexpected severity |


Local Traffic Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 622166 | 2-Critical | HTTP GET requests with HTTP::cookie iRule command receive no response |
| 619528-2 | 2-Critical | TMM may accumulate internal events resulting in TMM restart |
| 616215-2 | 2-Critical | TMM can core when using LB::detach and TCP::notify commands in an iRule |
| 613088-1 | 2-Critical | pkcs11d thread has session initialization problem. |
| 612229-2 | 2-Critical | TMM may crash if an 'LTM Policy' disable policy action is not last |
| 607360-2 | 2-Critical | Safenet 6.2 library missing after upgrade |
| 605865-2 | 2-Critical | Debug TMM produces core on certain ICMP PMTUD packets |
| 603082-2 | 2-Critical | Ephemeral pool members are getting deleted/created over and over again. |
| 603032-2 | 2-Critical | clientssl profiles with sni-default enabled may leak X509 objects |
| 597966 | 2-Critical | ARP/neighbor cache nexthop object can be freed while still referenced by another structure |
| 588351-2 | 2-Critical | IPv6 fragments are dropped when packet filtering is enabled. |
| 580026-3 | 2-Critical | HSM logging error |
| 574153-2 | 2-Critical | If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout. |
| 526367-3 | 2-Critical | tmm crash |
| 509646-7 | 2-Critical | Occasional connections reset when using persistence |
| 480009-2 | 2-Critical | OSPFv2 Redistributed routes are deleted after blade failover with Graceful Restart |
| 624616-3 | 3-Major | Safenet uninstall is unable to remove libgem.so |
| 618517-2 | 3-Major | bigd may falsely complain of a file descriptor leak when it cannot open its debug log file |
| 617862-1 | 3-Major | Fastl4 handshake timeout is absolute instead of relative |
| 617858-1 | 3-Major | bigd core when using Tcl monitors |
| 617824-2 | 3-Major | "SSL::disable/enable serverside" + oneconnect reuse is broken |
| 613673-1 | 3-Major | Pool members may not be marked up and/or there might be a slight delay in monitors |
| 610609-1 | 3-Major | Total connections in bigtop, SNMP are incorrect |
| 610429-3 | 3-Major | X509::cert_fields iRule command may memory with subpubkey argument |
| 607304-2 | 3-Major | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. |
| 606575-3 | 3-Major | Request-oriented OneConnect load balancing ends when the server returns an error status code. |
| 604977-3 | 3-Major | Wrong alert when DTLS cookie size is 32 |
| 603606 | 3-Major | tmm core |
| 603236-2 | 3-Major | 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware |
| 602366-2 | 3-Major | Safenet 6.2 HA performance |
| 602358-2 | 3-Major | BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version |
| 601496-1 | 3-Major | iRules and OCSP Stapling |
| 601178-3 | 3-Major | HTTP cookie persistence 'preferred' encryption |
| 600827-5 | 3-Major | Stuck nitrox crypto queue can erroneously be reported |
| 600593-4 | 3-Major | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests |
| 598874-3 | 3-Major | GTM Resolver sends FIN after SYN retransmission timeout |
| 595275-2 | 3-Major | Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN |
| 594642-1 | 3-Major | Stream filter may require large allocations by Tcl leading TMM to core on allocation failure. |
| 592871-2 | 3-Major | Cavium Nitrox PX/III stuck queue diagnostics missing. |
| 592497-2 | 3-Major | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. |
| 591789-1 | 3-Major | IPv4 fragments are dropped when packet filtering is enabled. |
| 591659-3 | 3-Major | Server shutdown is propagated to client after X-Cnection: close transformation. |
| 591476-8 | 3-Major | Stuck crypto queue can erroneously be reported |
| 591343-2 | 3-Major | SSL::sessionid output is not consistent with the sessionid field of ServerHello message. |
| 588115-3 | 3-Major | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw |
| 586738-2 | 3-Major | The tmm might crash with a segfault. |
| 584029-2 | 3-Major | Fragmented packets may cause tmm to core under heavy load |
| 578971-1 | 3-Major | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed |
| 576224-1 | 3-Major | NetHSM does not come back after TCP connection to device is reset |
| 573402-2 | 3-Major | "C_GetAttributeValue error" with netHSM |
| 572281-2 | 3-Major | Variable values in the nested script of a foreach command get reset when there is a parking command in the script |
| 571573-2 | 3-Major | Persistence may override node/pmbr connection limit |
| 570057-3 | 3-Major | Can't install more than 16 SafeNet HSMs in its HA group |
| 569642-4 | 3-Major | Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core |
| 569288-2 | 3-Major | Different LACP key may be used in different blades in a chassis system causing trunking failures |
| 569206-2 | 3-Major | After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades. |
| 568743-3 | 3-Major | TMM core when dnssec queries to dns-express zone exceed nethsm capacity |
| 568543-3 | 3-Major | Syncookie mode is activated on wildcard virtuals |
| 567862-1 | 3-Major | intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance |
| 565799-2 | 3-Major | CPU Usage increases when using masquerade addresses |
| 563227-3 | 3-Major | When a pool member goes down, persistence entries may vary among tmms |
| 557358-1 | 3-Major | TMM SIGSEGV and crash when memory allocation fails. |
| 556117-2 | 3-Major | client-ssl profile is case-sensitive when checking server_name extension |
| 555432-1 | 3-Major | Large configuration files may go missing on secondary blades |
| 550669-1 | 3-Major | Monitors stop working - throttling monitor instance probe because file descriptor limit 65436 reached |
| 549329-1 | 3-Major | L7 mirrored ACK from standby to active box can cause tmm core on active |
| 545450-3 | 3-Major | Log activation/deactivation of TM.TCPMemoryPressure |
| 541126-4 | 3-Major | Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed |
| 537553-6 | 3-Major | tmm might crash after modifying virtual server SSL profiles in SNI configuration |
| 528736-1 | 3-Major | When tcp connection is aborting tmm can crash with "hud_oob consumed" message |
| 525675 | 3-Major | SSL with forward proxy can leak memory |
| 522310-3 | 3-Major | ICMP errors cause the associated FastL4/TCP connection to be reset |
| 519746-1 | 3-Major | ICMP errors may reset FastL4 connections unexpectedly |
| 518086-6 | 3-Major | Safenet HSM Traffic failure after system reboot/switchover |
| 505705-7 | 3-Major | Expired mirrored persistence entries not always freed using intra-chassis mirroring |
| 501984-2 | 3-Major | TMM may experience an outage when an iRule fails in LB_SELECTED. |
| 500003-4 | 3-Major | Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP |
| 494977-2 | 3-Major | Rare outages possible when using config sync and node-based load balancing |
| 490740-10 | 3-Major | TMM may assert if HTTP is disabled by another filter while it is parked |
| 475677-3 | 3-Major | Connections may hang until timeout if an LTM policy action failed |
| 464801-2 | 3-Major | Intermittent tmm core |
| 442539-1 | 3-Major | OneConnect security improvements. |
| 587966-3 | 4-Minor | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
| 574020-4 | 4-Minor | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') |
| 538708-3 | 4-Minor | TMM may apply SYN cookie validation to packets before generating any SYN cookies |
| 513288-5 | 4-Minor | Management traffic from nodes being health monitored might cause health monitors to fail. |
| 499795-2 | 4-Minor | "persist add" in server-side iRule event can result in "Client Addr" being pool member address |
| 446830-3 | 4-Minor | Current Sessions stat does not increment/decrement correctly. |


Global Traffic Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 603598-2 | 2-Critical | big3d memory under extreme load conditions |
| 587656-3 | 2-Critical | GTM auto discovery problem with EHF for ID574052 |
| 587617-3 | 2-Critical | While adding GTM server, failure to configure new IP on existing server leads to gtmd core |
| 613576-2 | 3-Major | QOS load balancing links display as gray |
| 613045 | 3-Major | Interaction between GTM and 10.x LTM results in some virtual servers marked down |
| 601180-1 | 3-Major | Link Controller base license does not allow DNS namespace iRule commands. |
| 589256-3 | 3-Major | DNSSEC NSEC3 records with different type bitmap for same name. |
| 588289-4 | 3-Major | GTM re-orders pools when adding a pool that includes an order designation |
| 574052-2 | 3-Major | GTM autoconf can cause high CPU usage for gtmd |


Application Security Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 634001-1 | 2-Critical | ASM restarts after deleting a VS that has an ASM security policy assigned to it |
| 582003-2 | 2-Critical | BD crash on startup or on XML configuration change |
| 515728-5 | 2-Critical | Repeated BD cores. |
| 514571-1 | 2-Critical | Apply policy operation hangs |
| 511187-1 | 2-Critical | bd crash with large configuration changes while under load |
| 499347-3 | 2-Critical | JSON UTF16 content could be blocked by ASM as Malformed JSON |
| 621524-3 | 3-Major | Processing Timeout When Viewing a Request with 300+ Violations |
| 605921 | 3-Major | scriptd and mcpd cores following multiple failovers due to bd (asm) |
| 605616-3 | 3-Major | Creating 256 Fundamental Security policies will result in an out of memory error |
| 603945-1 | 3-Major | BD config update should be considered as config addition in case of update failure |
| 603479-1 | 3-Major | "ASM starting" while it's already running, causing the restart of all ASM daemons |
| 602221-3 | 3-Major | Wrong parsing of redirect Domain |
| 600174-1 | 3-Major | Wildcard "*" redirection domain cannot be deleted if list is scrollable |
| 582683-5 | 3-Major | xpath parser doesn't reset a namespace hash value between each and every scan |
| 580168-2 | 3-Major | Information missing from ASM event logs after a switchboot and switchboot back |
| 576591-4 | 3-Major | Support for some future credit card number ranges |
| 573406-3 | 3-Major | ASU cannot be completed if license was last activated more than 18 months before |
| 559541-2 | 3-Major | ICAP anti-virus tests are not initiated on XML when they should be |
| 553976-1 | 3-Major | AJAX File uploads don't work in IE (import policy doesn't work) |
| 528071-1 | 3-Major | ASM periodic updates (cron) write errors to log |
| 521204-1 | 3-Major | Include default values in XML Policy Export |
| 508957-1 | 3-Major | ASM REST Slowness Viewing Policy List |
| 392121-1 | 3-Major | TMSH Command to retrieve the memory consumption of the bd process |
| 609496-1 | 4-Minor | Improved diagnostics in BD config update (bd_agent) added |
| 603071-1 | 4-Minor | XHTML validation fails on obfuscated JavaScript |
| 471766-2 | 4-Minor | Number of decoding passes configuration |


Application Visibility and Reporting Fixes

| ID Number | Severity | Description |
|---|---|---|
| 565085-2 | 3-Major | Analytics profile allows invalid combination of entities for Alerts setup |
| 488989-3 | 3-Major | AVRD does not print out an error message when the external logging fails |
| 474613-1 | 3-Major | Upgrading from previous versions |


Access Policy Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 622830 | 2-Critical | LDAP type CRLDP is parsed incorrectly |
| 622244-1 | 2-Critical | Edge client can fail to upgrade when always connected is selected |
| 618324-2 | 2-Critical | Unknown/Undefined OPSWAT IDs show up as 'Any' in APM Visual Policy Editor |
| 617310-1 | 2-Critical | Edge client can fail to upgrade when Always Connected is selected |
| 608408-4 | 2-Critical | TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library |
| 582440-2 | 2-Critical | Linux client does not restore route to the default GW on Ubuntu 15.10 |
| 625376-1 | 3-Major | In some cases, download of PAC file by edge client may fail |
| 623562-1 | 3-Major | Large POSTs rejected after policy already completed |
| 621202-1 | 3-Major | Portal Access: document.write() with very long string as argument may be handled incorrectly. |
| 620614-2 | 3-Major | Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account |
| 619879-3 | 3-Major | HTTP iRule commands could lead to WEBSSO plugin being invoked |
| 617316-1 | 3-Major | Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration |
| 617002-3 | 3-Major | SWG with Response Analytics agent in a Per-Request policy fails with some URLs |
| 616838 | 3-Major | Citrix Remote desktop resource custom parameter name does not accept hyphen character |
| 614891-4 | 3-Major | Routing table doesn't get updated when EDGE client roams among wireless networks |
| 613613-1 | 3-Major | Incorrect handling of form that contains a tag with id=action |
| 612419-2 | 3-Major | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) |
| 611669-1 | 3-Major | Mac Edge Client customization is not applied on macOS 10.12 Sierra |
| 610248 | 3-Major | IE 11 browser does not display VDI profile columns properly |
| 610243 | 3-Major | HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication |
| 610224-1 | 3-Major | APM client may fetch expired certificate when a valid and an expired certificate co-exist |
| 610180-3 | 3-Major | Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin. |
| 604767-4 | 3-Major | Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of IdP connector object. |
| 603293-3 | 3-Major | Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs |
| 601905-4 | 3-Major | POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server |
| 600116-1 | 3-Major | DNS resolution request may take a long time in some cases |
| 598211-2 | 3-Major | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. |
| 591268-3 | 3-Major | VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions |
| 583113-3 | 3-Major | NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event |
| 582752-2 | 3-Major | Macrocall could be topologically not connected with the rest of policy. |
| 569309-1 | 3-Major | Clientside HTML parser does not recognize HTML event attributes without value |
| 567503-5 | 3-Major | ACCESS::remove can result in confusing ERR_NOT_FOUND logs |
| 566998-2 | 3-Major | Edge client upgrade fails if client was configured in locked mode |
| 559082-1 | 3-Major | Tunnel details are not shown for MAC Edge client |
| 554458 | 3-Major | No Session Variables displayed when clicking the "View Session Variables" link in APM "All Sessions" reports with reduced zeros in Session ID |
| 509595-1 | 3-Major | Start URI is blank when going through portal in IE, but loads fine in Firefox |
| 451301-1 | 3-Major | HTTP iRules break Citrix HTML5 functionality |
| 389484-4 | 3-Major | OAM reporting Access Server down with JDK version 1.6.0_27 or later |
| 366149-1 | 3-Major | ACL support for VPN tunnels |
| 238444-2 | 3-Major | An L4 ACL has no effect when a layered virtual server is used. |
| 620922-1 | 4-Minor | Online help for Network Access needs update |


WebAccelerator Fixes

| ID Number | Severity | Description |
|---|---|---|
| 472942-2 | 2-Critical | tmm crash while changing acceleration policy |
| 596569-2 | 3-Major | Memory leak on Central device in Symmetric deployment |
| 506315-5 | 3-Major | WAM/AAM is honoring OWS age header when not honoring OWS maxage. |
| 474445-2 | 3-Major | TMM crash when processing unexpected HTTP response in WAM |


Wan Optimization Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 619757-3 | 2-Critical | iSession causes routing entry to be prematurely freed |


Service Provider Fixes

| ID Number | Severity | Description |
|---|---|---|
| 607713-4 | 3-Major | SIP parser fails on a header with multiple sequential separators inside a quoted string. |
| 601255-3 | 3-Major | RTSP response to SETUP request has incorrect client_port attribute |
| 599521-2 | 3-Major | Persistence entries not added if message is routed via an iRule |
| 598854-1 | 3-Major | sipdb tool incorrectly displays persistence records without a pool name |
| 597835-1 | 3-Major | Branch parameter in inserted VIA header is not consistent with the spec |
| 583010-9 | 3-Major | Sending a SIP invite with "tel" URI fails with a reset |


Advanced Firewall Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 619710 | 3-Major | GUI gives an error when clicking "Update" after making changes to a VS in Security Policies |
| 614563-1 | 3-Major | AVR TPS calculation is inaccurate |
| 605427-2 | 3-Major | TMM may crash when adding and removing virtual servers with security log profiles |
| 592113-1 | 3-Major | tmm core on the standby unit with dos vectors configured |
| 580460-1 | 3-Major | Client side integrity defense or proactive may break application |
| 495390-4 | 3-Major | An error occurs on Active Rules page after attempting to reorder Rules in a Policy |


Policy Enforcement Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 553735-3 | 2-Critical | TMM core on HTTP response with steering action. |
| 527992-2 | 2-Critical | tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client. |
| 624091 | 3-Major | DHCP relay is not forwarding all of the DHCPOFFERs to clients |
| 611355 | 3-Major | tmm core with PEM |
| 608742-4 | 3-Major | DHCP: DHCP renew ack messages from server are getting dropped by BIG-IP in Forward mode. |
| 592070-1 | 3-Major | DHCP server connFlow, when created based on the DHCP client connFlow, does not have the traffic group ID copied |
| 551303-3 | 3-Major | TMM may core during processing of a CCA-T. |
| 472122-4 | 3-Major | DHCPv4: When configured in forwarding mode, BIG-IP will support client messages that use either UDP 67 or 68 as the source port. |


Carrier-Grade NAT Fixes

| ID Number | Severity | Description |
|---|---|---|
| 532365-1 | 3-Major | lsndb cores with "Assertion `size < bin_key_size' failed" |
| 504828-2 | 3-Major | "translate address" and "translate port" are enabled by default when configured from GUI |
| 481948-1 | 3-Major | LSN_DELETE messages may not be logged in PBA mode |


Global Traffic Manager (DNS) Fixes

| ID Number | Severity | Description |
|---|---|---|
| 621239-1 | 3-Major | Certain DNS queries bypass DNS Cache RPZ filter. |
| 620215-3 | 3-Major | TMM out of memory causes core in DNS cache |
| 619398-4 | 3-Major | TMM out of memory causes core in DNS cache |
| 491801 | 3-Major | GTM iRule command [LB::status up] gives error |
| 615187-1 | 4-Minor | Missing hyperlink to GSLB virtual servers and servers on the pool member page. |


Traffic Classification Engine Fixes

| ID Number | Severity | Description |
|---|---|---|
| 615260 | 2-Critical | Out-of-memory condition when URL categorization is configured to work with large feedlists |


Device Management Fixes

| ID Number | Severity | Description |
|---|---|---|
| 522268-2 | 2-Critical | hostagentd memory leak on VCMP hosts |



Cumulative fixes from BIG-IP v11.6.1 Hotfix 1 that are included in this release


Vulnerability Fixes

| ID Number | CVE | Solution Article(s) | Description |
|---|---|---|---|
| 596488-4 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
| 591806-3 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
| 591328-2 | CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
| 591327-2 | CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
| 591325-2 | CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 |
| 591042-5 | CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
| 579955-2 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
| 577826-4 | CVE-2016-1286 | K62012529 | BIND vulnerability CVE-2016-1286 |
| 573778-7 | CVE-2016-1714 | K75248350 | QEMU vulnerability CVE-2016-1714 |
| 573124-2 | CVE-2016-5022 | K06045217 | TMM vulnerability CVE-2016-5022 |
| 563670-11 | CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | K86772626 | OpenSSL vulnerabilities |
| 601938-3 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
| 593447-2 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
| 591918-4 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
| 591908-4 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
| 591894-4 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
| 591881-4 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
| 587077-3 | CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
| 585424-3 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
| 582813-1 | CVE-2016-0774 | K08440897 | Linux Kernel CVE-2016-0774 |
| 579220-3 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
| 564111-1 | CVE-2015-8395, CVE-2015-8384, CVE-2015-8392, CVE-2015-8394, CVE-2015-8391, CVE-2015-8390, CVE-2015-8389, CVE-2015-8388, CVE-2015-8387, CVE-2015-8386, CVE-2015-8385, CVE-2015-8383, CVE-2015-8382, CVE-2015-8381, CVE-2015-8380, CVE-2015-2328, CVE-2015-2327, CVE-2015-8393 | K05428062 | Multiple PCRE vulnerabilities |
| 541231-2 | CVE-2014-3613, CVE-2014-3707, CVE-2014-8150, CVE-2015-3143, CVE-2015-3148 | K16704, K16707 | Resolution of multiple curl vulnerabilities |
| 486791-2 | CVE-2014-6421, CVE-2014-6422, CVE-2014-6423, CVE-2014-6424, CVE-2014-6425, CVE-2014-6426, CVE-2014-6427, CVE-2014-6428, CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432 | K16939 | Resolution of multiple Wireshark vulnerabilities |
| 416734-1 | CVE-2012-5195, CVE-2012-5526, CVE-2012-6329, CVE-2013-1667 | K15867 | Multiple Perl vulnerabilities |
| 580340-3 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
| 580313-3 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
| 579975-3 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability |
| 579829-3 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
| 579237-3 | CVE-2016-0705 | K93122894 | OpenSSL vulnerability CVE-2016-0705 |
| 579085-4 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
| 578570-2 | CVE-2016-0705 | K93122894 | OpenSSL vulnerability CVE-2016-0705 |
| 577828-5 | CVE-2016-2088 | K59692558 | BIND vulnerability CVE-2016-2088 |
| 577823-4 | CVE-2016-1285 | K46264120 | BIND vulnerability CVE-2016-1285 |
| 567379-1 | CVE-2013-4397 | K16015326 | libtar vulnerability CVE-2013-4397 |
| 565895-4 | CVE-2015-3217 | K17235 | Multiple PCRE vulnerabilities |
| 553454-2 | CVE-2015-2730 | K15955144 | Mozilla NSS vulnerability CVE-2015-2730 |
| 551287-4 | CVE-2010-2596, CVE-2013-1960, CVE-2013-1961, CVE-2013-4231, CVE-2013-4232, CVE-2013-4243, CVE-2013-4244 | K16715 | Multiple LibTIFF vulnerabilities |
| 481806-2 | CVE-2013-4002 | K16872 | Java Runtime Environment vulnerability CVE-2013-4002 |
| 479431-4 | CVE-2014-3596 | K16821 | Apache Axis vulnerability CVE-2014-3596 |
| 416372-4 | CVE-2012-2677 | K16946 | Boost memory allocator vulnerability CVE-2012-2677 |
| 570667-16 | CVE-2016-0701, CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
| 517048-1 | CVE-2015-2305 | K16831 | BSD regex library vulnerability CVE-2015-2305 |


Functional Change Fixes

ID Number Severity Description
532685-6 3-Major PAC file download errors disconnect the tunnel
544325-3 4-Minor BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).


TMOS Fixes

ID Number Severity Description
538761-4 1-Blocking scriptd may core when MCP connection is lost
583936-3 2-Critical Removing ECMP route from BGP does not clear route from NSM
574116-2 2-Critical MCP may crash when syncing configuration between device groups
570973-2 2-Critical L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2
569634 2-Critical Aced process is not able to listen to port 6000
568889-2 2-Critical Some ZebOS daemons do not start on blade transition secondary to primary.
563064-1 2-Critical Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
561814-1 2-Critical TMM Core on Multi-Blade Chassis
560683-3 2-Critical HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound()
559034-1 2-Critical Mcpd core dump in the sync secondary during config sync
557144-3 2-Critical Dynamic route flapping may lead to tmm crash
542097-2 2-Critical Update to RHEL6 kernel
530903-1 2-Critical HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade
529141-5 2-Critical Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error
506274-2 2-Critical TMM crash/core seen when a traffic-selector is created with Action discard
493053-2 2-Critical Route domains' firewall policies may be removed after sync
481647-5 2-Critical OSPF daemon asserts and generates core
477611-4 2-Critical ICMP monitor does not work on DAG Round Robin enabled VLANs
473527-2 2-Critical IPsec interop problem when using AES-GCM.
420438-3 2-Critical Default routes from standby system when HA is configured in NSSA
598039-3 3-Major MCP memory may leak when performing a wildcard query
595773-3 3-Major Cancellation requests for chunked stats queries do not propagate to secondary blades
579284 3-Major Potential memory corruption in MCPd
576305-3 3-Major Potential MCPd leak in IPSEC SPD stats query code
575735-2 3-Major Potential MCPd leak in global CPU info stats code
575726-2 3-Major MCPd might leak memory in vCMP interface stats.
575716-2 3-Major MCPd might leak memory in VCMP base stats.
575708-2 3-Major MCPd might leak memory in CPU info stats.
575671-2 3-Major MCPd might leak memory in host info stats.
575660-2 3-Major Potential MCPd leak in TMM rollup stats
575649-2 3-Major MCPd might leak memory in IPFIX destination stats query
575619-2 3-Major Potential MCPd leak in pool member stats query code
575608-2 3-Major MCPd might leak memory in virtual server stats query.
575595-1 3-Major Potential MCPd leak in eviction policy stats.
575591-2 3-Major Potential MCPd leak in IKE message stats query code
575589-1 3-Major Potential MCPd leak in IKE event stats query code
575587-2 3-Major Potential MCPd leak in BWC policy class stats query code
575027-2 3-Major Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.
574045-2 3-Major BGP may not accept attributes using extended length
571210-4 3-Major Upgrade, load config, or sync might fail on large configs with large objects.
571019-3 3-Major Topology records can be ordered incorrectly.
570818-2 3-Major Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
570053-2 3-Major HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
569356-2 3-Major BGP ECMP learned routes may use incorrect vlan for nexthop
569236-4 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
565534-2 3-Major Some failover configuration items may fail to take effect
562044-2 3-Major Statistics slow_merge option does not work
559939-2 3-Major Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
558858-4 3-Major Unexpected loss of communication between slots of a vCMP Guest
558779-6 3-Major SNMP dot3 stats occasionally unavailable
557281-2 3-Major The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
555039-2 3-Major VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
553795-4 3-Major Differing certificate/key after successful config-sync
549971-5 3-Major Some changes to virtual servers' profile lists may cause secondary blades to restart
548385-3 3-Major iControl calls that query a key/cert from the parent folder when the name is missing the extension return incorrect results
546410-2 3-Major Configuration may fail to load when upgrading from version 10.x.
545745-2 3-Major Enabling tmm.verbose mode produces messages that can be mistaken for errors.
542860-4 3-Major TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
542742-2 3-Major SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
542320-1 3-Major No login name may appear when running ssh commands through the management port
541316-3 3-Major Unexpected transition from Forced Offline to Standby to Active
539199-3 3-Major HTML filter is truncating the server response when sending it to client
538133-4 3-Major Only one action per sensor is displayed in sensor_limit_table and system_check
537326-2 3-Major NAT available in DNS section but config load fails with standalone license
532559-4 3-Major Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.
526974-1 3-Major Data-group member records map empty strings to 'none'.
521270-2 3-Major Hypervisor might replace vCMP guest SYN-Cookie secrets
519081-1 3-Major Cannot use tmsh to load valid configuration created using the GUI.
516995-3 3-Major NAT traffic group inheritance does not sync across devices
513649-4 3-Major Transaction validation errors on object references
512954-2 3-Major ospf6d might leak memory when distribute-list is used
511900-2 3-Major 'sessiondump -allkeys' command hangs
510580-5 3-Major Interfaces might be re-enabled unexpectedly when loading a partition
508076-2 3-Major Cannot successfully create a key/cert via tmsh or the GUI with a name of the form name.key1, where the extension is part of the name.
504803-5 3-Major GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.
502049-1 3-Major Qkview may store information in the wrong format
502048-1 3-Major Qkview may store information in the wrong format
487625-3 3-Major Qkview might hang
486725-2 3-Major GUI creating key files with a .key extension in the name causes errors
486712-3 3-Major GUI PVA connection maximum statistic is always zero
485702-4 3-Major Default SNMP community 'public' is re-added after the upgrade
484534-4 3-Major Interface STP state stays blocked when added to STP as disabled
481696-2 3-Major Failover error message 'sod out of shmem' in /var/log/ltm
479553-4 3-Major Sync may fail after deleting a persistence profile
479543-6 3-Major Transaction will fail when deleting pool member and related node
478215-2 3-Major The command 'show ltm pool detail' returns duplicate members in some cases
477888-4 3-Major ESP ICSA support is non-functional on versions 11.4.0 and up
455651-5 3-Major Improper regex/glob validation in web-acceleration and http-compression profiles
451494-2 3-Major SSL Key/Certificate in different partition with Subject Alternative Name (SAN)
425980-3 3-Major Blade number not displayed in CPU status alerts
421971-9 3-Major Renewing certificates with SAN input in the GUI leads to error.
418664-4 3-Major Configuration utility CSRF vulnerability
405611-3 3-Major Configuration utility CSRF vulnerability
375246-1 3-Major Clarification of pool member session enabling versus pool member monitor enabling
372118-3 3-Major import_all_from_archive_file and import_all_from_archive_stream do not create file objects.
601927-3 4-Minor Security hardening of control plane
551481-3 4-Minor 'tmsh show net cmetrics' reports bandwidth = 0
536746-3 4-Minor LTM : Virtual Address List page uses LTM : Nodes List search filter.
533480-5 4-Minor qkview crash
532086-3 4-Minor Local Traffic Policy Rules Condition List select value to update with existing values.
478922-3 4-Minor ICSA logging issues on versions 11.4.0 and later
466612-1 4-Minor Missing sys DeviceModel OID for VIPRION C2200 chassis
487084-2 5-Cosmetic GUI iFile delete confirmation page lists incorrect items to be deleted


Local Traffic Manager Fixes

ID Number Severity Description
596619 2-Critical Some 10.2.x client SSL configurations fail to upgrade to 11.6.1.
579919-1 2-Critical TMM may core when LSN translation is enabled
575011-4 2-Critical Memory leak. Nitrox3 Hang Detected.
565409-4 2-Critical Invalid MSS with HW syncookies and flow forwarding
559973-2 2-Critical Nitrox can hang on RSA verification
558612-4 2-Critical System may fail when syncookie mode is activated
558534-3 2-Critical The TMM may crash if http url rewrite is used with APM
549868-4 2-Critical 10G interoperability issues reported following Cisco Nexus switch version upgrade.
534795-1 2-Critical Swapping VLAN names in config results in switch daemon core and restart.
521548-6 2-Critical Possible crash in SPDY
517613-1 2-Critical ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps
489217-1 2-Critical "cipher" memory can leak
488686-1 2-Critical Large file transfer hangs when HTTP is in passthrough mode
483665-2 2-Critical Restrict the permissions for private keys
466007-2 2-Critical DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var
459671-2 2-Critical iRules sourcing procs with the same name from different partitions execute the incorrect proc.
600535 3-Major TMM may core while exiting if MCPD connection was previously aborted
597089-5 3-Major Connections are terminated after 5 seconds when using ePVA full acceleration
593530-1 3-Major In rare cases, connections may fail to expire
592854-4 3-Major Protocol version set incorrectly on serverssl renegotiation
592784-4 3-Major Compression stalls, does not recover, and compression facilities cease.
589223-3 3-Major TMM crash and core dump when processing SSL protocol alert.
588442-3 3-Major TMM can core in a specific set of conditions.
587892-1 3-Major Multiple iRule proc names might clash, causing the wrong rule to be executed.
585412-2 3-Major SMTPS virtual server with activation-mode allow will RST non-TLS connections carrying email bodies with very long lines
583957-4 3-Major The TMM may hang handling pipelined HTTP requests with certain iRule commands.
580303-3 3-Major When going from active to offline, tmm might send a GARP for a floating address.
579843-3 3-Major tmrouted may not re-announce routes after a specific succession of failover states
579371-2 3-Major BIG-IP may generate ARPs after transition to standby
576296-2 3-Major MCPd might leak memory in SCTP profile stats query.
575626 3-Major Minor memory leak in DNS Express stats error conditions
575612-3 3-Major Potential MCPd leak in policy action stats query code
575347-2 3-Major Unexpected backslashes remain in monitor 'username' attribute after upgrade
572025-2 3-Major HTTP Class profile using a path selector upgrades to a policy that does not match the entire path
571183-2 3-Major Bundle-certificates Not Accessible via iControl REST.
569349-2 3-Major Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
566361-8 3-Major RAM Cache Key Collision
563591-2 3-Major reference to freed loop_nexthop may cause tmm crash.
563419-5 3-Major IPv6 packets containing extended trailer are dropped
563232-2 3-Major FQDN pool in resource prevents Access Policy Sync.
554295-3 3-Major CMP disabled flows are not properly mirrored
551189 3-Major Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data
548583-3 3-Major TMM crashes on standby device with re-mirrored SIP monitor flows.
547657-1 3-Major A TCL error in a DNS_RESPONSE iRule event can cause a tmm crash.
545704-2 3-Major TMM might core when using HTTP::header in a serverside event
543993-3 3-Major Serverside connections may fail to detach when using the HTTP and OneConnect profiles
540893-2 3-Major Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.
540213-2 3-Major mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary
536191-2 3-Major Transparent inherited TCP monitors may fail on loading configuration
534111-1 3-Major [SSL] Config sync problems when modifying cert in default client-ssl profile
530812-1 3-Major Legacy DAG algorithm reuses high source port numbers frequently
530795-3 3-Major In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
528734-2 3-Major TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.
527742-4 3-Major The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system
523513-3 3-Major COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
521711-4 3-Major HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on a OneConnect-enabled virtual server
521036-2 3-Major Dynamic ARP entry may replace a static entry in non-primary TMM instances.
520405-4 3-Major tmm restart due to oversubscribed DNS resolver
517510-1 3-Major HTTP monitor might add extra CR/LF pairs to HTTP body when supplied
513530-4 3-Major Connections might be reset when using SSL::disable and enable command
513319-4 3-Major Incorrect or failing sideband connections from within an iRule may leak memory
504396-2 3-Major When a virtual's ARP or ICMP is disabled, the wrong MAC address is used
503257-7 3-Major Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
502747-1 3-Major Incoming SYN generates unexpected ACK when connection cannot be recycled
495588-5 3-Major Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases
490936-2 3-Major SSLv2/TLSv1 based handshake causing handshake failures
490174-2 3-Major Improved TLS protocol negotiation with clients supporting TLS1.3
472748-1 3-Major SNAT pool stats are reflected in global SNAT stats
472571-6 3-Major Memory leak with multiple client SSL profiles.
468790-2 3-Major Inconsistent SafeNet key deletion in BIG-IP and Safenet HSM
463202-7 3-Major BIG-IP system drops non-zero version EDNS requests
623135 4-Minor BIG-IP virtual server TCP sequence numbers vulnerability (CVE-2002-1463)
572015-3 4-Minor HTTP Class profile is upgraded to a case-insensitive policy
532799-2 4-Minor Static link route to /32 pool member can end up using the destination broadcast MAC
531979-3 4-Minor SSL version in the record layer of ClientHello is not set to be the lowest supported version.
472051-1 4-Minor Manually adding username/password in ZebOS can cause imi to core


Global Traffic Manager Fixes

ID Number Severity Description
569972-2 2-Critical Unable to create gtm topology records using iControl REST
569521-4 2-Critical Invalid WideIP name without dots crashes gtmd.
539466-2 2-Critical Cannot use self-link URI in iControl REST calls with gtm topology
569472-2 3-Major TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
561539-2 3-Major [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.
559975-5 3-Major Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
517582-3 3-Major [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.
510888-1 3-Major [LC] snmp_link monitor is not listed as available when creating link objects


Application Security Manager Fixes

ID Number Severity Description
578334-3 2-Critical Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy.
583686-3 3-Major High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
579524-2 3-Major DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'
577664-2 3-Major Policy import, to inactive policies list, results in different policies on the sync-failover peers
572922-2 3-Major Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.
568670-2 3-Major ASM fails to start with error - Undefined subroutine &F5::CRC::get_crc32
559055-1 3-Major Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
554324-1 3-Major Signatures cannot be updated after Signature Systems have become corrupted in database
539704-2 3-Major Large ASM REST response causes all REST to hang
531566-2 3-Major A partial response arrives to the client when response logging is turned on
521370-3 3-Major Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
498433-1 3-Major Upgrading with ASM iRule and virtual server with no websecurity profile
521183-1 4-Minor Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5


Application Visibility and Reporting Fixes

ID Number Severity Description
579049-1 2-Critical TMM core due to wrong assert
578353 2-Critical Statistics data aggregation process is not optimized
575170-3 2-Critical Analytics reports may not identify virtual servers correctly
598909-1 3-Major SQL produces errors. AVR does not display any statistics.
596945-2 3-Major AVR DNS record lost after upgrade.
582029-1 3-Major AVR might report incorrect statistics when used together with other modules.
569958-2 3-Major Upgrade for application security anomalies
567355-1 3-Major Scheduled report lost after loading configuration
559060-3 3-Major AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.
557062-2 3-Major The BIG-IP ASM configuration fails to load after an upgrade.
525448-1 3-Major Max TPS is always 0


Access Policy Manager Fixes

ID Number Severity Description
581770-2 1-Blocking Network Access does not pass IPv6 traffic if a Network Access resource contains both IPv4 and IPv6
592868-4 2-Critical Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-1 2-Critical APM ACL construction may cause TMM to core if TMM is out of memory
580817-3 2-Critical Edge Client may crash after upgrade
579909-2 2-Critical Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
578844-2 2-Critical tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
575609-3 2-Critical Zlib accelerated compression can result in a dropped flow.
571090 2-Critical When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
562919-2 2-Critical TMM cores in renew lease timer handler
513083-1 2-Critical d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.
511478-2 2-Critical Possible TMM crash when evaluating expression for per-request policy agents.
428068-3 2-Critical Insufficiently detailed causes for session deletion.
598981-2 3-Major APM ACL does not get enforced all the time under certain conditions
597431-4 3-Major VPN establishment may fail when computer wakes up from sleep
596116-2 3-Major LDAP Query does not resolve group membership when required attribute(s) are specified
592591-1 3-Major Deleting access profile prompts for apply access policy for other untouched access profiles
592414-2 3-Major IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
590820-2 3-Major Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
589794 3-Major APD might crash if LDAP Query agent failed to retrieve primary group for a user
589118 3-Major Horizon View client throws an exception when connecting to Horizon 7 VCS through APM.
588888-2 3-Major Empty URI rewriting is not done as required by browser.
586718-3 3-Major Session variable substitutions are logged
586006-3 3-Major Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-1 3-Major VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
582526-2 3-Major Unable to display and edit huge policies (more than 4000 elements)
581834-4 3-Major Firefox signed plugin for VPN, Endpoint Check, etc.
580893-1 3-Major Support for Single FQDN usage with Citrix Storefront Integration mode
580421-3 3-Major Edge Client may not register DLLs correctly
577939-1 3-Major DNS suffixes on user's machine may not be restored correctly in some cases
576350-2 3-Major External input from client doesn't pass to policy agent if it is not the first in the chain.
576069-2 3-Major Rewrite can crash in some rare corner cases
575499-1 3-Major VPN filter may leave renew_lease timer active after teardown
575292-4 3-Major DNS Relay proxy service does not respond to SCM commands in timely manner
574781-2 3-Major APM Network Access IPV4/IPV6 virtual may leak memory
573643-2 3-Major flash.utils.Proxy functionality is not negotiated
573581-4 3-Major DNS search suffixes are not restored properly in some cases after VPN establishment
573429-1 3-Major APM Network Access IPv4/IPv6 virtual may leak memory
572887-2 3-Major DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client
570640-2 3-Major APM Cannot create symbolic link to sandbox. Error: No such file or directory
570064-3 3-Major IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
567660-2 3-Major Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature
566646-4 3-Major Portal Access could respond very slowly for large text files when using IE < 11
565231-2 3-Major Importing a previously exported policy which had two object names may fail
564521-3 3-Major JavaScript passed to ExternalInterface.call() may be erroneously unescaped
564482-2 3-Major Kerberos SSO does not support AES256 encryption
563349-4 3-Major On Mac, Network Access proxy settings are not applied to the tun adapter after VPN is established
559218-2 3-Major Iframes could be inaccessible to a parent window on a page accessed through Portal Access
558946-4 3-Major TMM may core when APM is provisioned and access profile is attached to the virtual
556597-5 3-Major CertHelper may crash when performing Machine Cert Inspection
551999-2 3-Major Edge client needs to re-authenticate after lost network connectivity is restored
551454-5 3-Major Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server
551260-2 3-Major When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
549086-8 3-Major Windows 10 is not detected when Firefox is used
547546-3 3-Major Add support for auto-update of MachineCertService
541622-6 3-Major APD/APMD Crashes While Verifying CAPTCHA
536575-1 3-Major Session variable report can be blank in many cases
534901-1 3-Major VMware View HTML5 client may load/initialize with delays
534373-5 3-Major Some text in the French localized Edge Client on Windows has grammatical errors
533422-2 3-Major sessiondump is not reusing connections
528701-2 3-Major Sessiondump does not accept single dash options
528548-2 3-Major @import "url" is not recognized by client-side CSS patcher
525429-12 3-Major DTLS renegotiation sequence number compatibility
519059-3 3-Major [PA] - Failing to properly patch webapp link, link not working
516219-4 3-Major User fails to get a profile license on a VIPRION 4800 chassis if slot 1 is not enabled
508337-4 3-Major In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access
493106-4 3-Major HTTP Basic authentication module logs clear text password in /var/log/apm at debug level
479715-3 3-Major Multi-tab protection problems with multi-domain SSO
409323-3 3-Major OnDemand cert auth redirect omits port information
584373-3 4-Minor AD/LDAP resource group mapping table controls are not accessible sometimes
580429-5 4-Minor CTU does not show second Class ID for InstallerControll.dll
572543-2 4-Minor User is prompted to install components repeatedly after client components are updated.
554690-3 4-Minor VPN Server Module generates repeated error log "iface eth0 "... every 2 seconds
541156-2 4-Minor Network Access clients experience delays when resolving a host


WebAccelerator Fixes

ID Number Severity Description
575631-3 3-Major Potential MCPd leak in WAM stats query code
562644-4 3-Major TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection
506557-3 3-Major IBR tags might occasionally be all zeroes.
501714-2 3-Major System does not prevent low-quality JPEGs from being optimized to a higher quality (becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS.
476476-7 3-Major Occasional inability to cache optimized PDFs and images


Service Provider Fixes

ID Number Severity Description
578564-3 3-Major ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-2 3-Major ADAPT recursive loop when handling successive iRule events
572224-4 3-Major Buffer error due to RADIUS::avp command when vendor IDs do not match
570363-2 3-Major Potential segfault when MRF messages cross from one TMM to another.
566576-2 3-Major ICAP/OneConnect reuses connection while previous response is in progress
550434-5 3-Major Diameter connection may stall if server closes connection before CER/CEA handshake completes
561500-1 4-Minor ICAP Parsing improvement


Advanced Firewall Manager Fixes

ID Number Severity Description
484013-4 2-Critical tmm might crash under load when logging profile is used with packet classification
575571-2 3-Major MCPd might leak memory in FW DOS SIP attack stats query.
569337-2 3-Major TCP events are logged twice in a HA setup


Policy Enforcement Manager Fixes

ID Number Severity Description
593070-5 2-Critical TMM may crash with multiple IP addresses per session
577863-2 3-Major DHCP relay stops forwarding server DHCPOFFER and DHCPACK messages after some time
577814-4 3-Major MCPd might leak memory in PEM stats queries.
566061-3 3-Major Subscriber info missing in flow report after subscriber has been deleted


Carrier-Grade NAT Fixes

ID Number Severity Description
515736-4 3-Major LSN pool with small port range may not use all ports


Fraud Protection Services Fixes

ID Number Severity Description
561623-3 2-Critical Realtime encryption causes high CPU usage in older browsers
593667 3-Major Dashboard displays incomplete alert details when Polish characters are included
583445 3-Major Alert dashboard does not correctly display Hebrew characters in alerts.
556162-3 3-Major Default obfuscator configuration causes very slow JavaScript in some browsers


Traffic Classification Engine Fixes

ID Number Severity Description
595270 2-Critical Memory leaks when session DB tables get updated
554928-1 2-Critical tmm eventually crashes when classification profile is configured on the virtual


Device Management Fixes

ID Number Severity Description
580686-1 3-Major Hostagentd might leak memory on vCMP hosts.
Cumulative fixes from BIG-IP v11.6.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
570716-3 CVE-2016-5736 K10133477 BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
565169 CVE-2013-5825 CVE-2013-5830 K48802597 Multiple Java Vulnerabilities
542314-5 CVE-2015-8099 K35358312 TCP vulnerability - CVE-2015-8099
572495-3 CVE-2016-5023 K19784568 TMM may crash if it receives a malformed packet CVE-2016-5023
570535 CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 K15685 K15912 K31300371 K16011 K21632201 K31026324 K17239 K17543 K17121 K41739114 K17246 K17458 K17244 K17245 K90230486 K17309 K17307 K31026324 K94105604 Multiple Kernel Vulnerabilities
567475-5 CVE-2015-8704 K53445000 BIND vulnerability CVE-2015-8704
560925-2 CVE-2015-3194 K86772626 OpenSSL Vulnerability fix
560910-2 CVE-2015-3194 K86772626 OpenSSL Vulnerability fix
560180-2 CVE-2015-8000 K34250741 BIND Vulnerability CVE-2015-8000
554624-2 CVE-2015-5300 CVE-2015-7704 K10600056 K17566 NTP CVE-2015-5300 CVE-2015-7704
553902-2 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 K17516 Multiple NTP Vulnerabilities
546080-5 CVE-2016-5021 K99998454 Path sanitization for iControl REST worker
545786-4 CVE-2015-7393 K75136237 Privilege escalation vulnerability CVE-2015-7393
545762 CVE-2015-7394 K17407 CVE-2015-7394
540767-2 CVE-2015-5621 K17378 SNMP vulnerability CVE-2015-5621
539923-1 CVE-2016-1497 K31925518 BIG-IP APM access logs vulnerability CVE-2016-1497
534090-2 CVE-2015-5380 K17238 Node.js vulnerability CVE-2015-5380
518275-2 CVE-2016-4545 K48042976 The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file
508057-1 CVE-2015-0411 K44611310 MySQL Vulnerability CVE-2015-0411
497065-1 CVE-2013-6435 K16383 Linux RPM vulnerability CVE-2013-6435
488015-1 CVE-2014-3669 CVE-2014-3670 CVE-2014-3668 K15866 Multiple PHP vulnerabilities
472093-1 CVE-2015-8022 K12401251 APM TMUI Vulnerability CVE-2015-8022
556383-1 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 K31372672 Multiple NSS Vulnerabilities
550596-3 CVE-2016-6876 K52638558 RESOLV::lookup iRule command vulnerability CVE-2016-6876
534633-3 CVE-2015-5600 K17113 OpenSSH vulnerability CVE-2015-5600
527762-1 CVE-2015-4000 K16674 TLS vulnerability CVE-2015-4000
525232-1 CVE-2015-4024 CVE-2014-8142 K16826 PHP vulnerability CVE-2015-4024
500089-1 CVE-2015-0206 K16124 OpenSSL vulnerability CVE-2015-0206
472696-1 CVE-2014-1544 K16716 Multiple Mozilla Network Security Services vulnerabilities
470842-1 CVE-2012-5784 K14371 Apache Axis vulnerability CVE-2012-5784
427174-7 CVE-2013-1620 CVE-2013-0791 K15630 SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620
560969-2 CVE-2015-3196 K55540723 OpenSSL vulnerability fix
560962-2 CVE-2015-3196 K55540723 OpenSSL Vulnerability CVE-2015-3196
560948-2 CVE-2015-3195 K12824341 OpenSSL vulnerability CVE-2015-3195
527639-2 CVE-2015-1791 K16914 CVE-2015-1791 : OpenSSL Vulnerability
527638-2 CVE-2015-1792 K16915 OpenSSL vulnerability CVE-2015-1792
527637-2 CVE-2015-1790 K16898 PKCS #7 vulnerability CVE-2015-1790
527633-2 CVE-2015-1789 K16913 OpenSSL vulnerability CVE-2015-1789
500094-1 CVE-2014-3570 K16120 OpenSSL vulnerability CVE-2014-3570
500093-1 CVE-2014-8275 K16136 OpenSSL vulnerability CVE-2014-8275
500092-1 CVE-2015-0205 K16135 OpenSSL vulnerability CVE-2015-0205
500090-1 CVE-2014-3572 K16126 OpenSSL vulnerability CVE-2014-3572
494735-1 CVE-2014-3566 K15702 SSLv3 vulnerability CVE-2014-3566
479897-1 CVE-2014-2497 CVE-2014-3538 CVE-2014-3597 CVE-2014-4670 CVE-2014-4698 CVE-2014-5120 CVE-2014-0238 K15761 Multiple PHP 5.x vulnerabilities
567484-5 CVE-2015-8705 K86533083 BIND Vulnerability CVE-2015-8705


Functional Change Fixes

ID Number Severity Description
470715-5 2-Critical Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long
539130-6 3-Major bigd may crash due to a heartbeat timeout
530133-3 3-Major Support for New Platform: BIG-IP 10350 FIPS
520277-2 3-Major Components validation alert
497395-1 3-Major Correctly assign severity to check component alerts
493507-1 3-Major License checks for fictive URLs and injected tags
490537-6 3-Major Persistence Records display in GUI might cause system crash with large number of records
382157-3 3-Major Stats presented by the MIB sysVlanStatTable do not match sflow vlan stats


TMOS Fixes

ID Number Severity Description
492460-3 1-Blocking Virtual deletion failure possible when using sFlow
572086 2-Critical Unable to boot v11.6.0 on 7250 or 10250 platforms
564427-3 2-Critical Use of iControl call get_certificate_list_v2() causes a memory leak.
562959-2 2-Critical In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.
562122-5 2-Critical Adding a trunk might disable vCMP guest
557680-1 2-Critical Fast successive MTU changes to IPsec tunnel interface crashes TMM
556380-2 2-Critical mcpd can assert on active connection deletion
555686-5 2-Critical Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
554609-4 2-Critical Kernel panics during boot when RAM spans multiple NUMA nodes.
552481 2-Critical Disk provisioning error after restarting ASM service.
551661-2 2-Critical Monitor with send/receive string containing double-quote may fail to load.
544913-6 2-Critical tmm core while logging from TMM during failover
544481-5 2-Critical IPSEC Tunnel fails for more than one minute randomly.
543924 2-Critical Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6
520380-6 2-Critical save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
511527-2 2-Critical snmpd segmentation fault at get_bigip_profile_user_stat()
510559-6 2-Critical Add logging to indicate that compression engine is stalled.
505071-5 2-Critical Delete and create of the same object can cause secondary blades' mcpd processes to restart.
504508-5 2-Critical IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
503600-6 2-Critical TMM core logging from TMM while attempting to connect to remote logging server
502841-2 2-Critical REST API hangs due to icrd startup issues
490801-2 2-Critical mod_ssl: missing support for TLSv1.1 and TLSv1.2
484453-6 2-Critical Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)
365219-2 2-Critical Trust upgrade fails when upgrading from version 10.x to version 11.x.
606540-1 3-Major DB variable changed via GUI does not sync across HA group
567774-1 3-Major ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root
563475-3 3-Major ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
562928 3-Major Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
560423-2 3-Major VxLAN tunnel IP address modification is not supported
560220-1 3-Major Missing partition and subPath fields for some objects in iControl REST
559584-2 3-Major tmsh list/save configuration takes a long time when config contains nested objects.
558573-2 3-Major MCPD restart on secondary blade after updating Pool via GUI
556284-5 3-Major iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
555905-3 3-Major sod health logging inconsistent when device removed from failover group or device trust
554563-3 3-Major Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
554340-4 3-Major IPsec tunnels fail when connection.vlankeyed db variable is disabled
553649-3 3-Major The SNMP daemon might lock up and fail to respond to SNMP requests.
553576-3 3-Major Intermittent 'zero millivolt' reading from FND-850 PSU
552585-3 3-Major AAA pool member creation sets the port to 0.
551927-2 3-Major ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
551742-2 3-Major Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
550694-3 3-Major LCD display stops updating and Status LED turns/blinks Amber
550536-3 3-Major Incorrect information/text (in French) is displayed when the Edge Client is launched
549543-3 3-Major DSR rejects return traffic for monitoring the server
548239-3 3-Major BGP routing using route-maps cannot match route tags
547532-2 3-Major Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
541569-3 3-Major IPsec NAT-T (IKEv1) not working properly
540996-2 3-Major Monitors with a send attribute set to 'none' are lost on save
540871-1 3-Major Update/deletion of SNMPv3 user does not work correctly
539822-4 3-Major tmm may leak connflow and memory on vCMP guest.
539784-4 3-Major HA daemon_heartbeat mcpd fails on load sys config
538663-3 3-Major SSO token login does not work due to remote role update failures.
538024-3 3-Major Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load
534582-4 3-Major HA configuration may fail over when standby has only base configuration loaded.
534076-2 3-Major SNMP configured trap-source might not be used in v1 snmp traps.
533826-5 3-Major SNMP Memory Leak on a VIPRION system.
531986-3 3-Major Hourly AWS VE license breaks after reboot with default tmm route/gateway.
531705-2 3-Major List commands on non-existent iRules incorrectly succeed.
530242-3 3-Major SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs
529977-1 3-Major OSPF may not process updates to redistributed routes
529484-4 3-Major Virtual Edition Kernel Panic under load
528987-3 3-Major Benign warning during formatting installation
528276-7 3-Major The device management daemon can crash with a malloc error
526817-4 3-Major snmpd core due to mcpd message timer thread not exiting
526031-2 3-Major OSPFv3 may not completely recover from "clear ipv6 ospf process"
524300-2 3-Major The MOS boot process appears to hang.
523867-3 3-Major 'warning: Failed to find EUDs' message during formatting installation
522871-1 3-Major [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
522837-1 3-Major MCPD can core as a result of another component shutting down prematurely
522332-1 3-Major Configuration upgrade of httpclass which has the 'hosts' attribute done incorrectly
521144-5 3-Major Network failover packets on the management interface sometimes have an incorrect source-IP
517388-7 3-Major Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
517209-7 3-Major tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
517020-5 3-Major SNMP requests fail and subsnmpd reports that it has been terminated.
516322-7 3-Major The BIG-IP system may erroneously remove an iApp association from the virtual server.
513974-7 3-Major Transaction validation errors on object references
513659-3 3-Major AAM Policy: not all regex characters can be used via the GUI
512130-4 3-Major Remote role group authentication fails with a space in LDAP attribute group name
510381-3 3-Major bcm56xxd might core when restarting due to bundling config change.
503246-4 3-Major TMM crashes when unable to allocate large amount of provisioned memory
496679-5 3-Major Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.
495865-2 3-Major iApps/tmsh cannot reconfigure pools that have monitors associated with them.
491727-2 3-Major Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).
482373-3 3-Major Cannot delete and re-create a new virtual server that uses the same virtual address in the same transaction
480246-4 3-Major Message: Data publisher not found or not implemented when processing request
473415-1 3-Major ASM Standalone license has to include URL and HTML Rewrite
449453-5 3-Major Loading the default configuration may cause the mcpd process to restart and produce a core file.
439559-2 3-Major APM policy sync resulting in failover device group sync may make the failover sync fail
433466-4 3-Major Disabling bundled interfaces affects first member of associated unbundled interfaces
421012-3 3-Major scriptd incorrectly reports that it is running on a secondary blade
405635-2 3-Major Using the restart cm trust-domain command to recreate certificates required by device trust.
553174-4 4-Minor Unable to query admin IP via SNMP on VCMP guest
533790-4 4-Minor Creating multiple address entries in data-group might result in records being incorrectly deleted
519216-4 4-Minor Abnormally high CPU utilization from external SSL/OpenSSL monitors
480071-2 4-Minor Backslashes in policy rule added/duplicated when modified in GUI.
401893-3 4-Minor Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
223884 4-Minor Module not licensed message appears when APM is provisioned and APML is licensed.
572133-2 5-Cosmetic tmsh save /sys ucs command sends status messages to stderr
413708-5 5-Cosmetic BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.
388274-3 5-Cosmetic LTM pool member link in a route domain is wrong in Network Map.
291469-2 5-Cosmetic SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.


Local Traffic Manager Fixes

ID Number Severity Description
536690-4 1-Blocking Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)
476386-2 1-Blocking DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for tls1.2
576314-2 2-Critical SNMP traps for FIPS device fault inconsistent among versions.
565810-2 2-Critical OneConnect profile with an idle or strict limit-type might lead to tmm core.
562566-2 2-Critical High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems
554967-3 2-Critical Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
552151-2 2-Critical Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
549782-1 2-Critical XFV driver can leak memory
545810-1 2-Critical ASSERT in CSP in packet_reuse
544375-1 2-Critical Unable to load certificate/key pair
542564-3 2-Critical bigd detection and logging of load and overload
540568-2 2-Critical TMM core due to SIGSEGV
540473-6 2-Critical peer/clientside/serverside script with parking command may cause tmm to core.
537988-5 2-Critical Buffer overflow for large session messages
534804-2 2-Critical TMM may core with rate limiting enabled and service-down-action reselect on poolmembers
534052-3 2-Critical VLAN failsafe triggering on standby leaks memory
530505-4 2-Critical IP fragments can cause TMM to crash when packet filtering is enabled
529920-7 2-Critical Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
528739-1 2-Critical DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.
527011-6 2-Critical Intermittent lost connections with no errors on external interfaces
525882-2 2-Critical SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate.
524605-2 2-Critical Requests/responses may not be fully delivered to plugin in some circumstances
523995-2 2-Critical IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes
521336-6 2-Critical pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
520105-3 2-Critical Possible segfault during hardware accelerated compression.
517465-4 2-Critical tmm crash with ssl
509284-2 2-Critical Improved reliability of a module interfacing with HSM
507611-4 2-Critical On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
489451-3 2-Critical TMM might panic due to OpenSSL failure during handshake generation
489329-6 2-Critical Memory corruption can occur with SPDY/HTTP2 profile(s)
484214-2 2-Critical Nitrox gets stuck when processing certain SSL records
483719-2 2-Critical vlan-groups configured with a single member VLAN result in memory leak
341928-4 2-Critical CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.
570617-4 3-Major HTTP parses fragmented response versions incorrectly
564371-2 3-Major FQDN node availability not reset after removing monitoring
562308-2 3-Major FQDN pool members do not support manual-resume
562292-1 3-Major Nesting periodic after with parking command could crash tmm
560685 3-Major TMM may crash with 'tmsh show sys conn'.
559933-2 3-Major tmm might leak memory on vCMP guest in SSL forward proxy
558517-3 3-Major Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.
557783-2 3-Major TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
556568-2 3-Major TMM can crash with ssl persistence and fragmented ssl records
556560-2 3-Major DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
556103-3 3-Major Abnormally high CPU utilization for external monitors
554769-4 3-Major CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.
554761-5 3-Major Unexpected handling of TCP timestamps under syncookie protection.
553688-4 3-Major TMM can core due to memory corruption when using SPDY profile.
553613-3 3-Major FQDN nodes do not support session user-disable
552931-4 3-Major Configuration fails to load if DNS Express Zone name contains an underscore
552865-4 3-Major SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
550782-4 3-Major Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
550689-2 3-Major Resolver H.ROOT-SERVERS.NET Address Change
549800-2 3-Major Renaming a virtual server with an attached plugin can cause buffer overflow
549406-5 3-Major Destination route-domain specified in the SOCKS profile
548680-2 3-Major TMM may core when reconfiguring iApps that make use of iRules with procedures.
548678-2 3-Major ASM blocking page does not display when using SPDY profile
548563-2 3-Major Transparent Cache Messages Only Updated with DO-bit True
547732-1 3-Major TMM may core on using SSL::disable on an already established serverside connection
544028-5 3-Major Verified Accept counter 'verified_accept_connections' might underflow.
543220-1 3-Major Global traffic statistics do not include PVA statistics
542724-1 3-Major If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash
542640-2 3-Major bigd intentionally cores when it should shutdown cleanly
541571-3 3-Major FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses
538639-3 3-Major P-256 ECDH performance improvements
538603-2 3-Major TMM core file on pool member down with rate limit configured
537964-4 3-Major Monitor instances may not get deleted during configuration merge load
535759-3 3-Major SMTP monitor might mark the server down even if the server answers the HELO message.
534457-2 3-Major Dynamically discovered routes might fail to remirror connections.
533820-5 3-Major DNS Cache response missing additional section
532911-2 3-Major Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.
532107-2 3-Major [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
530761-1 3-Major TMM crash in DNS processing on a TCP virtual
529899-1 3-Major Installation may fail with the error "(Storage modification process conflict.)".
528407-4 3-Major TMM may core with invalid lasthop pool configuration
528007-6 3-Major Memory leak in ssl
527149-3 3-Major FQDN template node transitions to 'unknown' after configuration reload
527027-4 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
527024-3 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
525989-2 3-Major A disabled blade is spontaneously re-enabled
525958-11 3-Major TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
525672-2 3-Major tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.
525322-7 3-Major Executing tmsh clientssl-proxy cached-certs crashes tmm
524960-2 3-Major 'forward' command does not work if virtual server has attached pool
524641-1 3-Major Wildcard NAPTR record after deleting the NAPTR records
523471-2 3-Major pkcs11d core when connecting to SafeNet HSM
519217-4 3-Major tmm crash: valid proxy
517282-7 3-Major The DNS monitor may delay marking an object down or never mark it down
517053-2 3-Major bigd detection and logging of load and overload
516816-4 3-Major RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
515759-3 3-Major Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
513213-5 3-Major FastL4 connection may get RSTs in case of hardware syncookie enabled.
513142-3 3-Major FQDN nodes with a default monitor may cause configuration load failure
512119-2 3-Major Improved UDP DNS packet truncation
511057-5 3-Major Config sync fails after changing monitor in iApp
510264-1 3-Major TMM core associated with smtps profile.
509641-3 3-Major Ephemeral pool members may not inherit attributes from FQDN parent
507410-2 3-Major Possible TMM crash when handling certain types of traffic with SSL persistence enabled
507109-4 3-Major inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade
505089-4 3-Major Spurious ACKs result in SYN cookie rejected stat increment.
504545-2 3-Major FQDN: node without service checking reported as 'service checking enabled, no results yet'
502480-1 3-Major Mirrored connections on standby device do not get closed when Verified Accept is enabled
500786-6 3-Major Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
499430-2 3-Major Standby unit might bridge network ingress packets when bridge_in_standby is disabled
488921-2 3-Major BIG-IP system sends unnecessary gratuitous ARPs
476567-5 3-Major fastL4: acceleration state is incorrectly reported on show sys conn
476564-5 3-Major ePVA FIX: no RST for an unaccelerated flow targeting a network virtual
475701-2 3-Major FastL4 with FIX late-bind enabled may not honor client-timeout
472532-4 3-Major Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list
460946-2 3-Major NetHSM key is displayed as normal in GUI
458348-2 3-Major RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
455762-1 3-Major DNS cache statistics incorrect
452443-2 3-Major DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured
452439-5 3-Major TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads
446526-7 3-Major TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.
441058 3-Major TMM can crash when a large number of SSL objects are created
424831-6 3-Major State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
418890-2 3-Major OpenSSL bug can prevent RSA keys from rolling forward
406001-3 3-Major Host-originated traffic cannot use a nexthop in a different route domain
372473-2 3-Major mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
554774-2 4-Minor Persist lookup across services might fail to return a matching record when multiple records exist.
551614-2 4-Minor MTU Updates should erase all congestion metrics entries
546747-2 4-Minor SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets
541134-2 4-Minor HTTP/HTTPS monitors transmit unexpected data to monitored node.
534458-6 4-Minor SIP monitor marks down member if response has different whitespace in header fields.
452482-7 4-Minor HTTP virtual servers with cookie persistence might reset incoming connections
558053-2 5-Cosmetic Pool's 'active_member_cnt' attribute may not be updated as expected.
529897-1 5-Cosmetic Diameter monitor logging displays hex when monitor failing instead of the AVP which the monitor is failing on.


Performance Fixes

ID Number Severity Description
489816-1 1-Blocking F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero
548796-2 2-Critical avrd CPU utilization is at 100%


Global Traffic Manager Fixes

ID Number Severity Description
533658-5 2-Critical DNS decision logging can trigger TMM crash
471467 2-Critical gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
469033 2-Critical Large big3d memory footprint.
551767-3 3-Major GTM server 'Virtual Server Score' not showing correctly in TMSH stats
546640 3-Major tmsh show gtm persist <filter option> does not filter correctly
529460-7 3-Major Short HTTP monitor responses can incorrectly mark virtual servers down.
526699-6 3-Major TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
481328-2 3-Major Many 'tmsh save sys config gtm-only partitions all' stack memory issue.
552352-2 4-Minor tmsh list displays default values of gtm listener translate-address/translate-port incorrectly
494796 4-Minor Unable to create GTM Listener with non-default protocol profile.


Application Security Manager Fixes

ID Number Severity Description
565463-2 1-Blocking ASM-config consumes 1.3GB RAM after repeated Policy Import via REST
566758-2 2-Critical Manual changes to policy imported as XML may introduce corruption for Login Pages
555057-3 2-Critical ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
555006-3 2-Critical ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
552139-2 2-Critical ASM limitation in the pattern matching matrix buildup
478351-1 2-Critical Changing management IP can lead to bd crash
475551-1 2-Critical Flaw in CSRF protection mechanism
474252-1 2-Critical Applying ASM security policy repeatedly fills disk partition on a chassis
574451-2 3-Major ASM chassis sync occasionally fails to load on secondary slot
563237 3-Major ASM REST: name for ipIntelligenceReference is incorrect
562775-2 3-Major Memory leak in iprepd
558642-1 3-Major Cannot create the same navigation parameter in two different policies
554367-1 3-Major BIG-IQ ASM remote logger: Requests are not logged.
553146-2 3-Major BD memory leak
547000-4 3-Major Enforcer application might crash on XML traffic when out of memory
542511-2 3-Major 'Unhandled keyword ()' error message in GUI and/or various ASM logs
541852-1 3-Major ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails
541406-1 3-Major ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request
540390-2 3-Major ASM REST: Attack Signature Update cannot roll back to older attack signatures
538195-1 3-Major Incremental Manual sync does not allow overwrite of 'newer' ASM config
535188-3 3-Major Response Pages custom content with \n instead of \r\n on policy import.
534246-2 3-Major rest_uuid should be calculated from the actual values inserted to the entity
531809-2 3-Major FTP/SMTP traffic related bd crash
530598-1 3-Major Some Session Tracking data points are lost on TMM restart
529610-1 3-Major On HA setups the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db
529535-4 3-Major MCP validation error while deactivating a policy that is assigned to a virtual server
526162-7 3-Major TMM crashes with SIGABRT
520732-3 3-Major XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty
514313-1 3-Major Logging profile configuration is updated unnecessarily
514061-4 3-Major False positive scenario causes SMTP transactions to hang and eventually reset.
503696-1 3-Major BD enforcer updates may be stuck after BD restart
491371-1 3-Major CMI: Manual sync does not allow overwrite of 'newer' ASM config
491352-3 3-Major Added ASM internal parameter to add more XML memory
481530-1 3-Major Signature reporting details for sensitive data violation
538837-1 4-Minor REST: Filtering login pages or parameters by their associated URL does not work


Application Visibility and Reporting Fixes

ID Number Severity Description
529900-1 2-Critical AVR missing some configuration changes in multiblade system
519257-2 2-Critical cspm script isn't injected in text/html chunked response
470559 2-Critical TMM crash after traffic stress with rapid changes to Traffic capturing profiles
552488-1 3-Major Missing upgrade support for AFM Network DoS reports.
549393-3 3-Major SWG URL categorization may cause the /var/lib/mysql file system to fill.
535246-6 3-Major Table values are not correctly cleaned and can occupy entire disk space.
530952-1 3-Major MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
529903-1 3-Major Incorrect reports on multi-bladed systems
528031-3 3-Major AVR not reporting the activity of standby systems.
491185-1 3-Major URL Latencies page: pagination limited to 180 pages
490999-2 3-Major Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start
537435-1 4-Minor Monpd might core if asking for export report by email while monpd is terminating
495744-1 4-Minor Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards


Access Policy Manager Fixes

ID Number Severity Description
553330-3 1-Blocking Unable to create a new document with SharePoint 2010
579559-2 2-Critical DTLS Network Access may not work with some hardware platforms with Nitrox hardware acceleration
572563-3 2-Critical PWS session does not launch on Internet Explorer
569306-3 2-Critical Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
565056-3 2-Critical Fails to update VPN correctly for non-admin user.
555507-2 2-Critical Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
555272-8 2-Critical Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade
551764-3 2-Critical [APM] HTTP status 500 response for a successful Access Policy in clientless mode on chassis platform
530622-1 2-Critical EAM plugin uses high memory when serving very high concurrent user load
522997-3 2-Critical Websso cores when it tries to shutdown
491080-5 2-Critical Memory leak in access framework
571003-1 3-Major TMM Restarts After Failover
570563-2 3-Major CRL is not being imported/exported properly
569255-3 3-Major Network Access incorrectly manipulates routing table when a second adapter is connected if "Allow Local subnet access" is set to ON
566908-5 3-Major Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
565527-3 3-Major Static proxy settings are not applied if NA configuration
564496-3 3-Major Applying APM Add-on License Does Not Change Effective License Limit
564493 3-Major Copying an access profile appends an _1 to the name.
564262-4 3-Major Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
564253-5 3-Major Firefox signed plugin for VPN, Endpoint Check, etc
563474-2 3-Major SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile
561976 3-Major Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely.
558870-3 3-Major Protected workspace does not work correctly with third party products
558631-2 3-Major APM Network Access VPN feature may leak memory
555457-5 3-Major Reboot is required, but not prompted after F5 Networks components have been uninstalled
555435-2 3-Major AD Query fails if cross-domain option is enabled and administrator's credentials are not specified
554993-2 3-Major Profile Stats Not Updated After Standby Upgrade Followed By Failover
554899-2 3-Major MCPD core with access policy macro during config sync in HA configuration
554626-1 3-Major Database logging truncates log values greater than 1024
554228-5 3-Major OneConnect does not work when WEBSSO is enabled/configured.
554041-5 3-Major No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
553734-1 3-Major Issue with assignment of non-string value to Form.action in JavaScript.
553063-1 3-Major Epsec version rolls back to previous version on a reboot
552498-1 3-Major APMD basic authentication cookie domains are not processed correctly
549588-2 3-Major EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
549108-1 3-Major RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value
548361 3-Major Performance degradation when adding VDI profile to virtual server
543222-3 3-Major apd may crash if an un-encoded session variable contains "0x"
539270-6 3-Major A specific NTLM client fails to authenticate with BIG-IP
539229-7 3-Major EAM core while using Oracle Access Manager
531983-5 3-Major [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
528808-3 3-Major Source NAT translation doesn't work when APM is disabled using iRule
526637-4 3-Major tmm crash with APM clientless mode
522791-2 3-Major HTML rewriting on client might leave 'style' attribute unrewritten.
520088-2 3-Major Citrix HTML5 Receiver does not properly display initial tour and icons
518550-3 3-Major Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
517846-2 3-Major View Client cannot change AD password in Cross Domain mode
511893-5 3-Major Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
492122-5 3-Major Windows Logon Integration no longer recreates temporary user for logon execution each time
488811-5 3-Major F5-prelogon user profile folders are not fully cleaned up
482177-4 3-Major Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO
472446-2 3-Major Customization group template file might cause mcpd to restart
471318-1 3-Major AD/LDAP group name matching should be case-insensitive
467256-2 3-Major Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat
462598-4 3-Major Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
462258-8 3-Major AD/LDAP server connection failures might cause apd to stop processing requests when service is restored
461084-3 3-Major Kerberos Auth might fail if client request contains Authorization header
389328-7 3-Major RSA SecurID node secret is not synced to the standby node


WebAccelerator Fixes

ID Number Severity Description
551010-7 3-Major Crash on unexpected WAM storage queue state
525478-2 3-Major Requests for deflate encoding of gzip documents may crash TMM


Wan Optimization Manager Fixes

ID Number Severity Description
552198-5 3-Major APM App Tunnel/AM iSession Connection Memory Leak
547537-3 3-Major TMM core due to iSession tunnel assertion failure


Service Provider Fixes

ID Number Severity Description
538784-3 3-Major ICAP implementation incorrect when HTTP request or response is missing a payload
523854-1 3-Major TCP reset with RTSP Too Big error when streaming interleaved data
545985-3 4-Minor ICAP 2xx response (except 200, 204) is treated as error


Advanced Firewall Manager Fixes

ID Number Severity Description
561433-3 3-Major TMM Packets can be dropped indiscriminately while under DOS attack
489379-1 3-Major Bot signature is not matched


Policy Enforcement Manager Fixes

ID Number Severity Description
529634-2 2-Critical Crash observed with HSL logging
512069-2 2-Critical TMM restart while relicensing the BIG-IP using the base license.
510923-2 2-Critical TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.
565765-3 3-Major Flow reporting does not occur for unclassified flows.
564263-3 3-Major PEM: TMM asserts when Using Debug Image when Gy is being used
560607-3 3-Major Resource Limitation error when removing predefined policy which has multiple rules
559382-1 3-Major Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
557675-3 3-Major Failover from PEM to PCRF can cause session lookup inconsistency
549283-3 3-Major Add a log message to indicate transition in the state of Gx and Gy sessions.


Carrier-Grade NAT Fixes

ID Number Severity Description
555369-3 2-Critical CGNAT memory leak when non-TCP/UDP traffic directed at public addresses
545783-3 2-Critical TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool
540571-2 2-Critical TMM cores when multicast address is set as destination IP via iRules and LSN is configured
540484-2 2-Critical "show sys pptp-call-info" command can cause tmm crash
535101-1 2-Critical Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.


Fraud Protection Services Fixes

ID Number Severity Description
564039-3 2-Critical WebSafe "Missing component" check gets applied on request with different referrer domain.
563554-3 2-Critical Accept-language in alerts
559129-3 2-Critical Update Generic Malware Signatures to detect new Dyre variant
554540 2-Critical RAT detection failure
554537-2 2-Critical Failed alerts on Internet Explorer
541670-1 2-Critical Memory leak and potential crash bug in secure channel cookie handling
537106-3 2-Critical Component checks wait for page load
564040-4 3-Major Differentiation of missing component alerts
560069-1 3-Major Default obfuscator configuration causes very slow javascript in some browsers
558255-2 3-Major Filtering encryption alerts
555818-3 3-Major Bait failure alerts do not give details of the cause of failure
554546-2 3-Major Only first entry in 'Mandatory Words' list is effective
552476-2 3-Major Use of JavaScript's 'eval' function may be prohibited by site's content security policy
551893-2 3-Major Alerts sent from the FPS plugin via HSL are in a malformed HTTP format
542586-3 3-Major Fallback alert mechanism can result in page refresh in Internet Explorer 8
542581-3 3-Major Websafe alerts with HTML attached cause the page to run slowly
542472 3-Major SSL::disable for alerts does not take effect and first alert fails
503160-3 3-Major FPS malicious words do not trigger an alert when an ignore list is defined
560791 4-Minor FPS doesn't encrypt inputs of type "hidden"
555827-2 4-Minor No fallback for alerts.
547038-2 4-Minor In very fast transactions, some detection data is missing


Device Management Fixes

ID Number Severity Description
538722-3 3-Major Configurable maximum message size limit for restjavad


iApp Technology Fixes

ID Number Severity Description
546082-5 2-Critical Special characters might change input.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 8 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-4 CVE-2016-5745 K64743453 NAT64 vulnerability CVE-2016-5745
599168-4 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-4 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-9 CVE-2013-0169 CVE-2016-6907 K14190 K39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
569467-11 CVE-2016-2084 K11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.


Functional Change Fixes

ID Number Severity Description
557221-7 2-Critical Inbound ISP link load balancing will use pool members for only one ISP link per data center


TMOS Fixes

ID Number Severity Description
596603-11 2-Critical AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
547047 2-Critical Older cli-tools unsupported by AWS
595874-4 3-Major Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.
556277-6 3-Major Config Sync error after hotfix installation (chroot failed rsync error)
499537-3 3-Major Qkview may store information in the wrong format


Local Traffic Manager Fixes

ID Number Severity Description
557645-5 3-Major Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
591857 1-Blocking 10-core vCMP guest with ASM may not pass traffic



Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
532522-3 CVE-2015-1793 K16937 CVE-2015-1793
536984 CVE-2015-8240 K06223540 Ensure min_path_mtu is functioning as designed.
536481-9 CVE-2015-8240 K06223540 F5 TCP vulnerability CVE-2015-8240
534630-5 CVE-2015-5477 K16909 Upgrade BIND to address CVE 2015-5477
530829 CVE-2015-5516 K00032124 UDP traffic sent to the host may leak memory under certain conditions.
529509-5 CVE-2015-4620 K16912 BIND Vulnerability CVE-2015-4620
527799-9 CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 K16674 K16915 K16914 OpenSSL library in APM clients updated to resolve multiple vulnerabilities
527630-1 CVE-2015-1788 K16938 CVE-2015-1788 : OpenSSL Vulnerability
506034-3 CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 K16393 NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)
540849-5 CVE-2015-5986 K17227 BIND vulnerability CVE-2015-5986
540846-5 CVE-2015-5722 K17181 BIND vulnerability CVE-2015-5722
531576-1 CVE-2016-7476 K87416818 TMM vulnerability CVE-2016-7476
520466-2 CVE-2015-3628 K16728 Ability to edit iCall scripts is removed from resource administrator role
516618-5 CVE-2013-7424 K16472 glibc vulnerability CVE-2013-7424
526514-1 CVE-2016-3687 K26738102 Open redirect via SSO_ORIG_URI parameter in multi-domain SSO
522878-1 CVE-2016-3686 K82679059 Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.
515345-1 CVE-2015-1798 K16505 NTP Vulnerability


Functional Change Fixes

ID Number Severity Description
502443-4 2-Critical After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
520705-5 3-Major Edge client contains multiple duplicate entries in server list
498992-6 3-Major Troubleshooting enhancement: improve logging details for AWS failover failure.
224903-5 3-Major CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.


TMOS Fixes

ID Number Severity Description
544980-3 1-Blocking BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
535806-2 1-Blocking Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
507312-1 1-Blocking icrd segmentation fault
477218-5 1-Blocking Simultaneous stats query and pool configuration change results in process exit on secondary.
473033-5 1-Blocking Datastor Now Uses Syslog-ng
529510-2 2-Critical Multiple Session ha state changes may cause TMM to core
523434 2-Critical mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
513454-3 2-Critical An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts
510979-1 2-Critical Password-less SSH access after tmsh load of UCS may require password after install.
509503-4 2-Critical tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration
507602-1 2-Critical Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
506199-4 2-Critical VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
504496-3 2-Critical AAA Local User Database may sync across failover groups
497078-1 2-Critical Modifying an existing ipsec policy configuration object might cause tmm to crash
493791-2 2-Critical iApps do not support FQDN nodes
479460-5 2-Critical SessionDb may be trapped in wrong HA state during initialization
473105 2-Critical FastL4 connections reset with pva-acceleration set to guaranteed
471860-3 2-Critical Disabling interface keeps DISABLED state even after enabling
470813-1 2-Critical Memory corruption in f5::rest::CRestServer::g_portToServerMap
468473-2 2-Critical Monitors with domain username do not save/load correctly
464870-7 2-Critical Datastor cores and restarts.
438674-5 2-Critical When log filters include tamd, tamd process may leak descriptors
429018-2 2-Critical tmipsecd cores when deleting a non-existing traffic selector
420107-2 2-Critical TMM could crash when modifying HTML profile configuration
364978-1 2-Critical Active/standby system configured with unit 2 failover objects
544888-5 3-Major Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
534251-1 3-Major Live update with moving config breaks password-less ssh access
533458-4 3-Major Insufficient data for determining cause of HSB lockup.
533257-2 3-Major tmsh config file merge may fail when AFM security log profile is present in merged file
529640 3-Major Improvements in building Cloud images
528881 3-Major NAT names with spaces in them do not upgrade properly
528310 3-Major Upgrade failure when CertKeyChain exists in non-Common partition
527537 3-Major CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled
527145-4 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
527094-1 3-Major iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.
527021-1 3-Major BIG-IQ iApp statistics corrected for empty pool use cases
526419-1 3-Major Deleting an iApp service may fail
524791-3 3-Major non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0
524753-1 3-Major IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip
524490-4 3-Major Excessive output for tmsh show running-config
524326-4 3-Major Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips
523922-4 3-Major Session entries may timeout prematurely on some TMMs
523125 3-Major Disabling/enabling blades in cluster can result in inconsistent failover state
520640-2 3-Major The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
519510-3 3-Major Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
519372 3-Major vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.
519068-3 3-Major device trust setup can require restart of devmgmtd
518283 3-Major Cookie rewrite mangles 'Set-Cookie' headers
518039-1 3-Major BIG-IQ iApp statistics corrected for partition use cases
517580-3 3-Major OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
517178-2 3-Major BIG-IP system as SAML Service Provider cannot process some messages from SimpleSAMLphp under certain conditions
516669-1 3-Major Rarely occurring SOD core causes failover.
515667-4 3-Major Unique truncated SNMP OIDs.
514726-4 3-Major Server-side DSR tunnel flow never expires
514724-1 3-Major crypto-failsafe fail condition not cleared when crypto device restored
513916-5 3-Major String iStat rollup not consistent with multiple blades
513294-8 3-Major LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
510159-1 3-Major Outgoing MAP tunnel statistics not updated
510119-4 3-Major HSB performance can be suboptimal when transmitting TSO packets.
509782-3 3-Major TSO packets can be dropped with low MTU
509504-5 3-Major Excessive time to save/list a firewall rule-list configuration
509037-1 3-Major BIG-IP system allows creating wild-card IPIP tunnels with the same local-address and tunnel-type
507853-1 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
507575-1 3-Major An incorrectly formatted NAPTR creation via iControl can cause an error.
506041-2 3-Major Folders belonging to a device group can show up on devices not in the group
505045-1 3-Major MAP implementation not working with EA bits length set to 0.
504494-2 3-Major Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.
502238-3 3-Major Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501437-3 3-Major rsync daemon does not stop listening after configsync-ip set to none
500234-4 3-Major TMM may core during failover due to invalid memory access in IPsec components
499260-3 3-Major Deleting trust-domain fails when standby IP is in ha-order
497564-2 3-Major Improve High Speed Bridge diagnostic logging on transmit/receive failures
497304-1 3-Major Unable to delete reconfigured HTTP iApp when auto-sync is enabled
495526-1 3-Major IPsec tunnel interface causes TMM core at times
493246-2 3-Major SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
493213-1 3-Major RBA eam and websso daemons segfaulting while provisioning
491716-2 3-Major SNMP attribute type incorrect for certain OIDs
491556-7 3-Major tmsh show sys connection output is corrected
489084-1 3-Major Validation error in MCPD for FQDN nodes
484706-2 3-Major Incremental sync of iApp changes may fail
483104-3 3-Major vCMP guests report platform type as 'unknown'
481648-8 3-Major mib-2 ipAddrTable interface index does not correlate to ifTable
480679-1 3-Major The big3d daemon does not receive config updates from mcpd
473348-6 3-Major SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
473088-4 3-Major Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
470756-6 3-Major snmpd cores or crashes with no logging when restarted by sod
468837-5 3-Major SNAT translation traffic group inheritance does not sync across devices
464252-2 3-Major Possible tmm crash when modifying html pages with HTML profile.
464024-4 3-Major File descriptor leak when running some TMSH commands through scriptd
458104-3 3-Major LTM UCS load merge trunk config issue
455264-3 3-Major Error messages are not clear when adding member to device trust fails
442871-1 3-Major BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor
441297-3 3-Major Trunk remains down and interface's status is 'uninit' after mcpd restart
416388-1 3-Major vCMPD will not reattach to guest
410398-3 3-Major sys db tmrouted.rhifailoverdelay does not seem to work
405752-1 3-Major TCP Half Open monitors sourced from specific source ports can fail
383784-5 3-Major Remote Auth user names containing blank space cannot login through TMSH.
362267-3 3-Major Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
359774-6 3-Major Pools in HA groups other than Common
355661-3 3-Major sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
524606-1 4-Minor SElinux violations prevent cpcfg from touching /service/mcpd/forceload
524185 4-Minor Unable to run lvreduce
523863-2 4-Minor istats help not clear for negative increment
492163-3 4-Minor Applying a monitor to pool and pool member may cause an issue.
475647-2 4-Minor VIPRION Host PIC firmware version 7.02 update
473163-2 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap
471827-1 4-Minor Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist
465675-3 4-Minor Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
465317-1 4-Minor Failure notice from '/usr/bin/set-rsync-mgmt-fw close' seen on each boot.
464043-3 4-Minor Integration of Firmware for the 2000 Series Blades
443298-2 4-Minor FW Release: Incorporate VIPRION 2250 LOP firmware v1.20
356658-2 5-Cosmetic Message logged when remote authenticated users do not have local account login


Local Traffic Manager Fixes

ID Number Severity Description
522784-2 1-Blocking After restart, system remains in the INOPERATIVE state
420341-6 1-Blocking Connection Rate Limit Mode when limit is exceeded by one client also throttles others
552937-1 2-Critical HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
539344-1 2-Critical SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list
538255 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
533388-1 2-Critical tmm crash with assert "resume on different script"
530963-4 2-Critical BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
528432-2 2-Critical Control plane CPU usage reported too high
523079-2 2-Critical Merged may crash when file descriptors exhausted
514108-1 2-Critical TSO packet initialization failure due to out-of-memory condition.
510837-2 2-Critical Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. bigip sends bad client key exchange.
509346-2 2-Critical Intermittent or complete SSL handshake failure with netHSM keys
506304-2 2-Critical UDP connections may stall if initialization fails
505331-1 2-Critical SASP Monitor may core
505222-2 2-Critical DTLS drops egress packets when traffic is large
503343-7 2-Critical TMM crashes when cloned packet incorrectly marked for TSO
499422-1 2-Critical An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm.
497299-5 2-Critical Thales install fails if the BIG-IP system is also configured as the RFS
492352-3 2-Critical Mismatch ckcName between GUI and TMSH can cause upgrade failure
481677-2 2-Critical A possible TMM crash in some circumstances.
481162-2 2-Critical vs-index is set differently on each blade in a chassis
474601-5 2-Critical FTP connections are being offloaded to ePVA
450814-10 2-Critical Early HTTP response might cause rare 'server drained' assertion
431283-7 2-Critical iRule binary scan may core TMM when the offset is large
426328-8 2-Critical Updating iRule procs while in use can cause a core
402412-8 2-Critical FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
551612 3-Major BIG-IP SSL does not support sending multiple certificate verification requests to the hardware accelerator at the same time in 11.6.0.
530431 3-Major FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts
526810-5 3-Major Crypto accelerator queue timeout is now adjustable
525557 3-Major FQDN ephemeral nodes not re-populated after deleted and re-created
524666-3 3-Major DNS licensed rate limits might be unintentionally activated.
522147-2 3-Major 'tmsh load sys config' fails after key conversion to FIPS using web GUI
521774-3 3-Major Traceroute and ICMP errors may be blocked by AFM policy
521538-2 3-Major Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522-3 3-Major Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408-3 3-Major Incorrect configuration in BigTCP Virtual servers can lead to TMM core
520540-1 3-Major Specific iRule commands may generate a core file
518020-11 3-Major Improved handling of certain HTTP types.
517790-1 3-Major When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
517556-3 3-Major DNSSEC unsigned referral response is improperly formatted
516598-1 3-Major Multiple TCP keepalive timers for same Fast L4 flow
516320-2 3-Major TMM may have a CPU spike if match cross persist is used.
515817-2 3-Major TMM may not reset connection when receiving an ICMP error
515322-1 3-Major Intermittent TMM core when using DNS cache with forward zones
515072-4 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
514246-3 3-Major connflow_precise_check_begin does not check for NULL
512383-3 3-Major Hardware flow stats are not consistently cleared during fastl4 flow teardown.
512148-1 3-Major Self IP address cannot be deleted when its VLAN is associated with static route
512062-2 3-Major A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
510921-1 3-Major Database monitors do not support IPv6 nodes
510720-1 3-Major iRule table command resumption can clear the header buffer before the HTTP command completes
510638-1 3-Major [DNS] Config change in dns cache resolver does not take effect until tmm restart
507529-1 3-Major Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
506282-1 3-Major GTM DNSSEC key generation is not synchronized upon key creation
505059-1 3-Major Some special characters are not properly handled for username and password fields in TCL monitors
504899-2 3-Major Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
504306-2 3-Major https monitors might fail to re-use SSL sessions.
504105-4 3-Major RRDAG enabled UDP ports may be used as source ports for locally originated traffic
503979-1 3-Major High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
503384-1 3-Major SMTP monitor fails on multi line greeting banner in SMTP server
501516-5 3-Major If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
497742-3 3-Major Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
496758-5 3-Major Monitor Parameters saved to config in a certain order may not construct parameters correctly
495836-2 3-Major SSL verification error occurs when using server side certificate.
495557-1 3-Major Ephemeral node health status may report as 'unknown' rather than the expected 'offline'
490713-3 3-Major FTP port might occasionally be reused faster than expected
490429-2 3-Major The dynamic routes for the default route might be flushed during operations on non-default route domains.
488600-2 3-Major iRule compilation fails on upgrade
488581 3-Major The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within a HTTP_REQUEST event
485472-3 3-Major iRule virtual command allows for protocol mismatch, resulting in crash
479674-1 3-Major bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.
478617-6 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
478439-6 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
478257-7 3-Major Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
476097-1 3-Major TCP Server MSS option is ignored in verified accept mode
474356-1 3-Major Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain
471059-4 3-Major Malformed cookies can break persistence
465607-7 3-Major TMM cores with TMM log error 'Assertion "flow in use" failed.' when using FastHTTP.
465590-9 3-Major Mirrored persistence information is not retained while flows are active
465052-6 3-Major Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing
462714-2 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
460627-3 3-Major SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
447874-5 3-Major TCP zero window suspends data transfer
447043-3 3-Major Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
422107-8 3-Major Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
422087-5 3-Major Low memory condition caused by Ram Cache may result in TMM core
375887-4 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
374339-4 3-Major HTTP::respond/redirect might crash TMM under low-memory conditions
364994-7 3-Major TMM may restart, or disabled connections may be reused, when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.
352925-2 3-Major Updating a suspended iRule and TMM process restart
348000-1 3-Major HTTP response status 408 request timeout results in error being logged.
342013-6 3-Major TCP filter doesn't send keepalives in FIN_WAIT_2
226892-13 3-Major Packet filter enabled, default action discard/reject and IP fragment drop
486485-1 4-Minor TCP MSS is incorrect after ICMP PMTU message.
454692-4 4-Minor Assigning 'after' object to a variable causes memory leaks
442647-5 5-Cosmetic IP::stats iRule command reports incorrect information past 2**31 bits


Global Traffic Manager Fixes

ID Number Severity Description
515797-1 2-Critical Using qos_score command in RULE_INIT event causes TMM crash
513464-1 2-Critical Some autodiscovered virtuals may be removed from pools.
471819-2 2-Critical The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
517083-1 3-Major Some autodiscovered virtuals may be removed from pools.
516685-2 3-Major ZoneRunner might fail to load valid zone files.
516680-2 3-Major ZoneRunner might fail when loading valid zone files.
515033 3-Major [ZRD] A memory leak in zrd
515030-1 3-Major [ZRD] A memory leak in Zrd
496775-3 3-Major [GTM] [big3d] Unable to mark LTM virtual server up if there is another VS with the same ltm_name for the bigip monitor
479142-1 3-Major Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
465951-2 3-Major If net self description size =65K, gtmd restarts continuously
479084-1 4-Minor ZoneRunner can fail to respond to commands after a VE resume.
353556-4 4-Minor big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed


Application Security Manager Fixes

ID Number Severity Description
524428-1 2-Critical Adding multiple signature sets concurrently via REST
524004-1 2-Critical Adding multiple signatures concurrently via REST
520280-1 2-Critical Perl Core After Apply Policy Action
513822-1 2-Critical ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page
511196-1 2-Critical UMU memory is not released when remote logger can't reach its destination
532030-3 3-Major ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
531539-1 3-Major The NTLM login is not recognized as failed login.
527861 3-Major When many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.
526856-1 3-Major "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
523261-1 3-Major ASM REST: MCP Persistence is not triggered via REST actions
523260-1 3-Major Apply Policy finishes with coapi_query failure displayed
523201-2 3-Major Expired files are not cleaned up after receiving an ASM Manual Synchronization
520585-2 3-Major Changing Security Policy Application Language Is Not Validated or Propagated Properly
519053-1 3-Major Request is forwarded truncated to the server after answering challenge on a big request
516522-1 3-Major After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.
486829-1 3-Major HTTP Protocol Compliance options should not be modified during import/upgrade
467930-1 3-Major Searching ASM Request Log for requests with specific violations
514117-1 4-Minor Store source port higher than 32767 in Request Log record


Application Visibility and Reporting Fixes

ID Number Severity Description
531526-2 3-Major Missing entry in SQL table leads to misleading ASM reports
530356-2 3-Major Some AVR tables that hold ASM statistics are not being backed up in upgrade process.
525708-1 3-Major AVR reports of last year are missing the last month data
519022-2 3-Major Upgrade process fails to convert ASM predefined scheduled-reports.
518663-1 3-Major Client waits seconds before page finishes load
499315-1 3-Major Added "Collect full URL" functionality.
485251-1 3-Major AVR core which includes tmstat backtrace
479334-5 3-Major monpd/ltm log errors after Hotfix is applied
472117-2 3-Major Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive


Access Policy Manager Fixes

ID Number Severity Description
492149-3 1-Blocking Inline JavaScript with HTML entities may be handled incorrectly
488736-5 1-Blocking Fixed problem with iNotes 9 Instant Messaging
482266-3 1-Blocking Windows 10 support for Network Access / BIG-IP Edge Client
482241-1 1-Blocking Windows 10 cannot be properly detected
439880-2 1-Blocking NTLM authentication does not work due to incorrect NetBIOS name
405769-3 1-Blocking APM Logout page is not protected against CSRF attack.
532340-1 2-Critical When FormBased SSO or SAML SSO are configured, tmm may restart at startup
526754-2 2-Critical F5unistaller.exe crashes during uninstall
525562-1 2-Critical Debug TMM Crashes During Initialization
523313-1 2-Critical aced daemon might crash on exit
520298-2 2-Critical Java applet does not work
520145-3 2-Critical [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
519864-3 2-Critical Memory leak on L7 Dynamic ACL
518260-1 2-Critical Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988-2 2-Critical TMM may crash if access profile is updated while connections are active
514220-1 2-Critical New iOS-based VPN client may fail to create IPv6 VPN tunnels
509490-2 2-Critical [IE10]: attachEvent does not work
507681-5 2-Critical Window.postMessage() does not send objects in IE11
506223-2 2-Critical A URI in request to cab-archive in iNotes is rewritten incorrectly
502269-1 2-Critical Large post requests may fail using form based SSO.
493993-6 2-Critical TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module
492287-1 2-Critical Support Android RDP client 8.1.3 with APM remote desktop gateway
480272-6 2-Critical During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
540778-3 3-Major Multiple SIGSEGV with core and failover with no logged indicator
539013-6 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537614-1 3-Major Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
537000-2 3-Major Installation of Edge Client can cause Windows 10 crash in some cases
534755-1 3-Major Deleting APM virtual server produces ERR_NOT_FOUND error
533566-1 3-Major Support for View HTML5 client v3.5 shipped with VCS 6.2
532761 3-Major APM fails to handle compressed ICA file in integration mode
532096-2 3-Major Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
531910-1 3-Major apmd, apd, localmgr random crash
531883-2 3-Major Windows 10 App Store VPN Client must be detected by BIG-IP APM
531541-1 3-Major Support Citrix Receiver 4.3 for Windows in PNAgent mode
531529-1 3-Major Support for StoreFront proxy
531483-2 3-Major Copy profile might end up with error
530800-1 3-Major Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.
530773 3-Major per-request policy logs frequently in apm logs
530697-2 3-Major Windows Phone 10 platform detection
529392-2 3-Major Win10 and IE11 are not determined in case of DIRECT rule of proxy autoconfig script
528768-1 3-Major Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication
528727-1 3-Major In some cases HTML body.onload event handler is not executed via portal access.
528726-3 3-Major AD/LDAP cache size reduced
528675-2 3-Major BIG-IP EDGE Client can stay indefinitely in the "disconnecting..." state when the captive portal session has expired
526677-1 3-Major VMware Horizon HTML5 View access client cannot connect when using View Connection Server running version 6.1.1
526617-1 3-Major TMM crash when logging a matched ACL entry with IP protocol set to 255
526578-1 3-Major Network Access client proxy settings are not applied on German Windows
526492-2 3-Major DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275-1 3-Major VMware View RSA/RADIUS two factor authentication fails
526084-3 3-Major Windows 10 platform detection for BIG-IP EDGE Client
525384-2 3-Major Network Access PAC file can now be located on SMB share
524909-2 3-Major Windows info agent could not be passed from Windows 10
523431-2 3-Major Windows Cache and Session Control cannot support a period in the access profile name
523390-2 3-Major Minor memory leak on IdP when SLO is configured on bound SP connectors.
523327-2 3-Major In very rare cases Machine Certificate service may fail to find private key
523305-1 3-Major Authentication fails with StoreFront protocol
523222-6 3-Major Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521835-2 3-Major [Policy Sync] Connectivity profile with a customized logo fails
521773-2 3-Major Memory leak in Portal Access
521506-2 3-Major Network Access doesn't restore loopback route on multi-homed machine
520642-3 3-Major Rewrite plugin should check length of Flash files and tags
520390-1 3-Major Reuse existing option is ignored for smtp servers
520205-3 3-Major Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
520118-2 3-Major Duplicate server entries in Server List.
519966-2 3-Major APM "Session Variables" report shows user passwords in plain text
519415-3 3-Major apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual)
519198-3 3-Major [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
518981-2 3-Major RADIUS accounting STOP message may not include long class attributes
518583-2 3-Major Network Access on disconnect restores redundant default route after looped network roaming for Windows clients
518573 3-Major The -decode option should be added to expressions in AD and LDAP group mapping.
518432 3-Major [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation
517564-1 3-Major APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
517441-5 3-Major apd may crash when RADIUS accounting message is greater than 2K
516839-3 3-Major Add client type detection for Microsoft Edge browser
516462-2 3-Major Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
515943-2 3-Major "Session variables" report may show empty if session variable value contains non-English characters
514912-3 3-Major Portal Access scripts had not been inserted into HTML page in some cases
513969-3 3-Major UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953-1 3-Major RADIUS Auth/Acct might fail if server response size is more than 2K
513706-2 3-Major Incorrect metric restoration on Network Access on disconnect (Windows)
513545-1 3-Major '-decode' option produces an incorrect value when it decodes a single value
513283-1 3-Major Mac Edge Client doesn't send client data if access policy expired
513098-1 3-Major localdb_mysql_restore.sh failed with exit code
512345-2 3-Major Dynamic user record removed from memcache but remains in MySQL
512245-7 3-Major Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
511854-4 3-Major Rewriting URLs at client side does not rewrite multi-line URLs
510709-1 3-Major Websso start URI match fails if there are more than 2 start URI's in SSO configuration.
509722-1 3-Major BWC traffic blocked
509677-1 3-Major Edge-client crashes after switching to network with Captive Portal auth
504031-1 3-Major document.write()/document.writeln() redefinition does not work
501494-1 3-Major if window.onload is assigned null, then null should be retrieved
500938-3 3-Major Network Access can be interrupted if second NIC is disconnected
500450-1 3-Major ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.
495336-1 3-Major Logon page is not displayed correctly when 'force password change' is on for local users.
494637-2 3-Major localdbmgr process in constant restart/core loop
494565-4 3-Major CSS patcher crashes when a quoted value consists of spaces only
493023-3 3-Major Export of huge policies might end up with 'too many pipes opened' error
492701-3 3-Major Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492305-1 3-Major Recurring file checker doesn't interrupt session if client machine has missing file
490830-4 3-Major Protected Workspace is not supported on Windows 10
488105-3 3-Major TMM may generate core during certain config change.
483792-5 3-Major when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
483501-1 3-Major Access policy v2 memory leak during object deletion in tmm.
483286-3 3-Major APM MySQL database full as log_session_details table keeps growing
483020-1 3-Major [SWG] Policy execution hang when using iRule event in VPE
482699-4 3-Major VPE displaying "Uncaught TypeError"
482251-3 3-Major Portal Access. Location.href(url) support.
481987-6 3-Major Allow NTLM feature to be enabled with APM Limited license
481663-5 3-Major Disable isession control channel on demand.
480761-1 3-Major Fixed issue causing TunnelServer to crash during reconnect
478751-6 3-Major OAM10g form based AuthN is not working for a single/multiple domain.
478492-7 3-Major Incorrect handling of HTML entities in attribute values
475735-4 3-Major Failed to load config after removing peer from sync-only group
475403-2 3-Major Tunnel reconnect with v2.02 does not occur
474779-1 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
473488-6 3-Major In AD Query agent, resolving of nested groups may cause apd to spin
473255-3 3-Major JavaScript submit() method could be rewritten incorrectly inside of 'with' statement.
472256-3 3-Major tmsh and tmctl report unusually high counter values
472062-3 3-Major Unmangled requests when form.submit with arguments is called in the page
471117-4 3-Major iframe with JavaScript in 'src' attribute not handled correctly in IE11
468137-6 3-Major Network Access logs missing session ID
466745-3 3-Major Cannot set the value of a session variable with a leading hyphen.
462514-1 3-Major Support for XMLHttpRequest is extended
461189-5 3-Major Generated assertion contains HEX-encoded attributes
458450-2 3-Major The ECA process may produce a core file when processing HTTP headers
457760-5 3-Major EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
452010-3 3-Major RADIUS Authentication fails when username or password contain non-ASCII characters
446860-4 3-Major APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
442698-10 3-Major APD Active Directory module memory leak in exception
431467-1 3-Major Mac OS X support for nslookup and dig utilities to use VPN DNS
426209-2 3-Major exporting to a CSV file may fail and the Admin UI is inaccessible
423282-8 3-Major BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
408851-7 3-Major Some Java applications do not work through BIG-IP server
402793-12 3-Major APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
340406-10 3-Major Localization of BIG-IP Edge Client for Macintosh
533723-4 4-Minor [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
524756 4-Minor APM Log is filled with errors about failing to add/delete session entry
523158-2 4-Minor In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails
517872-1 4-Minor Include proxy hostname in logs in case of name resolution failure
513201-6 4-Minor Edge client is missing localization of some English text in Japanese locale
510459-1 4-Minor In some cases Access does not redirect client requests
507321-3 4-Minor JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
497627-3 4-Minor Tmm cores while using APM network access and no leasepool is created on the BIG-IP system.
486661-3 4-Minor Network Access should provide client IP address on reconnect log records
482145-3 4-Minor Text in buttons not centered correctly for higher DPI settings
478658-6 4-Minor Window.postMessage() does not send objects
478261-2 4-Minor WinInet handle leak in Edge Client on Windows
473685-1 4-Minor Websso truncates cookie domain value


WebAccelerator Fixes

ID Number Severity Description
522231-3 3-Major TMM may crash when a client resets a connection
521455-2 3-Major Images transcoded to WebP format delivered to Edge browser


Wan Optimization Manager Fixes

ID Number Severity Description
497389-1 3-Major Extraneous dedup_admin core
485182-2 3-Major wom_verify_config does not recognize iSession profile in /Common sub-partition
480910 3-Major A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled fails to successfully establish a connection.
442884-1 3-Major TMM assert "spdy pcb initialized" in spdy_process()


Service Provider Fixes

ID Number Severity Description
521556-1 2-Critical Assertion "valid pcb" in TCP4 with ICAP adaptation
516057-3 2-Critical Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
503652-4 2-Critical Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
480311-1 3-Major ADAPT should be able to work with OneConnect
489957-5 4-Minor RADIUS::avp command fails when AVP contains multiple attribute (VSA).
478920 4-Minor SIP::discard is not invoked for all request messages


Advanced Firewall Manager Fixes

ID Number Severity Description
524748-1 2-Critical PCCD optimization for IP address range
506286-1 2-Critical TMSH reset of DOS stats
534886-1 3-Major AFM Security checks were not being done for DNS over TCP
532022-1 3-Major tmm can crash when the reply pkt to a service flow request is a DoS pkt
531761-1 3-Major Web navigation flow may be reset when main page responds with non-HTML content
530865-2 3-Major AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
526774 3-Major Search in FW policy disconnects GUI users
526277-1 3-Major AFM attack may never end on AVR dos overview page in a chassis based BIGIP
525522 3-Major Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains
523465-2 3-Major Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
521763-1 3-Major Attack stopped and start messages should not have source/dst ip addresses in log messages
515112-1 3-Major Delayed ehash initialization causes crash when memory is fragmented.
510224-2 3-Major All descriptions for address-list members are flushed after the address-list was updated
509934-1 3-Major Blob activation fails due to counter revision
509919-2 3-Major Incorrect counter for SelfIP traffic on cluster
509600-1 3-Major Global rule association to policy is lost after loading config.
481706-2 3-Major AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP
533808-1 4-Minor Unable to create new rule for virtual server if order is set to "before"/"after"
533336-2 4-Minor Display 'description' for port list members
528499 4-Minor AFM address lists are not sorted while trying to create a new rule.
510226-2 4-Minor All descriptions for port-list members are flushed after the port-list was updated
491165-1 4-Minor Legal IP addresses sometimes logged in Attack Started/Stopped message.
495432-2 5-Cosmetic Add new log messages for AFM rule blob load/activation in datapath.


Policy Enforcement Manager Fixes

ID Number Severity Description
545558-1 1-Blocking Send RAA when RAR is sent by PCRF and session is deleted immediately after it is created.
533929 1-Blocking PEM::subscriber info irule command can cause tmm core
525175-1 1-Blocking Fix a crash issue when querying SSP with multi-ip.
524780-1 1-Blocking TMM crash when querying the session information
522933-1 1-Blocking diam_app_process_async_lookup may cause TMM crash
534490 2-Critical Fixed TMM crash when iRule configuration is modified.
534018-1 2-Critical Memory leak while running some of PEM::session and PEM::subscriber commands.
533734-1 2-Critical DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION
533203 2-Critical TMM may core on resuming iRule if the underlying flow has been deleted.
528715-1 2-Critical rare tmm crash when ipother irule parks
527016-1 2-Critical CLASSIFICATION_DETECTED irule event results in tmm core
524374-1 2-Critical TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule
523296-1 2-Critical TMM may core when using iRule custom actions in PEM policies
519506-1 2-Critical Flows dropped with initiate data from server on virtual servers with HTTP
491771-2 2-Critical Parking command called from inside catch statement
541592-1 3-Major PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions
537034 3-Major PEM: CPU spike seen when iRule tries to update nonexistent sessions.
534323-1 3-Major Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.
533513-1 3-Major Data plane Listener summary does not show LSN translation correctly
529414-1 3-Major PEM: After Diameter Fatal-Grace time expiry, Some subscriber sessions might be deleted very soon
528787-1 3-Major PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.
528247-1 3-Major PEM: New Requested units empty for when used units matches granted service units
528238-1 3-Major Quota Policy Added multiple times will lead to reset of Subscriber flows
527725-1 3-Major BigIP crash caused by PSC::ip_address iRule is fixed
527292-1 3-Major BigIP crash caused by PSC::user_name iRule is fixed
527289-1 3-Major TMM crashes with core when PSC::ip_address iRule is used to list IPs
527076-1 3-Major TMM crashes with core when PSC::policy iRule is used to set more than 32 policies
526786-1 3-Major Session lookup fails
526368-1 3-Major The number of IPv4 addresses per Gx session exceeds the limit of 1
526295-3 3-Major BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id
525860-2 3-Major PEM: Duplicate sessions formed with same IP
525633-1 3-Major Configurable behavior if PCRF returns unknown session ID in middle of session.
525416-1 3-Major List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed.
524409-1 3-Major Fix TMSH show and reset-stats commands for multi-ip sessions defect.
524198-1 3-Major PEM: Invalid HSL log generated when session with static subscriber deleted.
522934 3-Major Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy
522579-1 3-Major TMM memory leak when RAR messages received from PCRF to delete for a non-existing sessions in PEM
522141-1 3-Major Tmm cores while changing properties of PEM policies and rules.
522140-1 3-Major Multiple IP is not added through iRule after setting the state of a session to provision by iRule
521683-1 3-Major PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs
521655-2 3-Major Session hangs when trying to switch state to provisioned
504627-1 3-Major Valid RADIUS sessions deleted on no session inactivity if no subscriber traffic exists during session timeout period.
499778-1 3-Major A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs
471926-1 3-Major Static subscriber sessions lost after bigstart restart
539677-1 4-Minor The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file


Carrier-Grade NAT Fixes

ID Number Severity Description
533562-1 2-Critical Memory leak in CGNAT can result in crash
515646-1 2-Critical TMM core when multiple PPTP calls from the same client
509108-1 2-Critical CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber
494743-1 2-Critical Port exhaustion errors on VIPRION 4800 when using CGNAT
494122-2 2-Critical Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades
490893-4 2-Critical Deterministic NAT State information incomplete for HSL log format
505097-1 3-Major lsn-pool backup-member not propagated to route table after tmrouted restart
504021-1 3-Major lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled
500424-2 3-Major dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
486762-1 3-Major lsn-pool connection limits may be invalid when mirroring is enabled
480119-2 3-Major Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.
455020-1 3-Major RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout


Fraud Protection Services Fixes

ID Number Severity Description
526124 2-Critical Parameter matching inconsistency
520090-1 2-Critical Flows are closed as expired rather than closed gracefully.
529573 3-Major CSS attribute name
527075 3-Major Update domain availability default settings
525283-1 3-Major Add obfuscator tuning tools
524032-1 3-Major Control sending alerts during the source integrity learning process
513860-1 3-Major Incomplete support for special characters in input field names
503461-1 3-Major Intermittent JavaScript failure on Safari on Macintosh computer or device.
529587 4-Minor Erroneous JS injections


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514236-1 3-Major [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses


Device Management Fixes

ID Number Severity Description
525595 1-Blocking Memory leak of inbound sockets in restjavad.
509273 2-Critical hostagentd consumes memory over time
533307 3-Major Increasing memory usage due to continual creation of authentication tokens
521272 3-Major Fixed memory leak in restjavad's Authentication Token worker


iApp Technology Fixes

ID Number Severity Description
495525-1 4-Minor iApps fail when using FQDN nodes in pools



Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
523032-6 CVE-2015-3456 K16620 qemu-kvm VENOM vulnerability CVE-2015-3456
513034-1 CVE-2015-4638 K17155 TMM may crash if Fast L4 virtual server has fragmented packets
511651-3 CVE-2015-5058 K17047 CVE-2015-5058: Performance improvement in packet processing.
477278-5 CVE-2014-6032 K15605 XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033
476157-3 CVE-2014-4341 CVE-2014-4342 K15547 MIT Kerberos 5 vulnerability CVE-2014-4342
507842-2 CVE-2015-1349 K16356 Patch for BIND Vulnerability CVE-2015-1349
513382-13 CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 K16317 Resolution of multiple OpenSSL vulnerabilities
485917-3 CVE-2004-1060 K15792 BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
476738-1 CVE-2007-6199 K15549 rsync daemon may be configured to listen on a public port
430799-3 CVE-2010-5107 K14741 CVE-2010-5107 openssh vulnerability


Functional Change Fixes

ID Number Severity Description
500303-3 2-Critical Virtual Address status may not be reliably communicated with route daemon
499947 2-Critical Improved performance loading thousands of Virtual Servers
497433-2 2-Critical SSL Forward Proxy server side now supports all key exchange methods.
487552-3 2-Critical triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests are coming from 8G table
361367-3 2-Critical Create 8 MB-aligned partitions/volumes for VE images to improve disk I/O.
523803 3-Major Support two-factor authentication for Citrix Receivers in StoreFront proxy mode
512016-1 3-Major DB variable added to determine DNS UDP truncation behavior.
504348-1 3-Major iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers
502770-2 3-Major clientside and serverside command crashes TMM
495273-1 3-Major LDAP extended error info only available at debug log level which could affect Branch rules
480811-2 3-Major qkview will not collect lib directories.
474465-3 3-Major Analysis processes appear to use high CPU though not affecting data plane


TMOS Fixes

ID Number Severity Description
510393-1 1-Blocking TMM may occasionally restart with a core file when deployed VCMP guests are stopped
504490-1 1-Blocking The BIG-IP system sometimes takes longer on boot up to become Active.
468175-8 1-Blocking IPsec interop with Cisco systems intermittent outages
520349 2-Critical iControl portal restarts
509475 2-Critical SPDY profile with activation-mode always may not load on upgrade to 11.6.0 or later
509276-4 2-Critical VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
507487-1 2-Critical ZebOS Route not withdrawn when VAddr/VIP down and no default pool
505323-1 2-Critical NSM hangs in a loop, utilizing 100% CPU
502675-1 2-Critical Improve reliability of LOP/LBH firmware updates
501343-3 2-Critical In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
495335-1 2-Critical BWC related tmm core
492458-1 2-Critical BIOS initial release
487233-1 2-Critical vCMP guests are unable to access NTP or RSYNC via their management network.
484733-4 2-Critical aws-failover-tgactive.sh doesn't skip network forwarding virtuals
477281-4 2-Critical Improved XML Parsing
474751-1 2-Critical IKEv1 daemon crashes when flushing SAs
474323 2-Critical ePVA IPv6 feature is not available
467646 2-Critical IDE DMA timeouts can result in stuck processes
467196-5 2-Critical Log files limited to 24 hours
466266-1 2-Critical In rare cases, an upgrade (or a restart) can result in an Active/Active state
460730-7 2-Critical On systems with multiple blades, large queries can cause TMM to restart
452293-4 2-Critical Tunneled Health Monitor traffic fails on Standby device
445911-6 2-Critical TMM fast forwarded flows are offloaded to ePVA
430323-4 2-Critical VXLAN daemon may restart when 8000 VXLAN tunnels are configured
422460-8 2-Critical TMM may restart on startup/config-load if it has too many objects to publish back during config load
376120-4 2-Critical tmrouted restart after reconfiguration of previously deleted route domain
519877 3-Major External pluggable module interfaces not disabled correctly.
516073 3-Major Revised AWS Setup Guide
514450-4 3-Major VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
512485-3 3-Major Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
510597-3 3-Major SNAT Origin Address List is now stored correctly when first created
507461-6 3-Major Net cos config may not persist on HA unit following staggered restart of both HA pairs.
507327-1 3-Major Programs that read stats can leak memory on errors reading files
506281 3-Major F5 Internal tool change to facilitate creating Engineering Hotfixes.
505878 3-Major Configuration load failure on secondary blades may occur when the chassis is rebooted
504572-4 3-Major PVA accelerated 3WHS packets are sent in wrong hardware COS queue
503875-1 3-Major Configure bwc policy category max rate
503604-3 3-Major Tmm core when switching from interface tunnel to policy based tunnel
501953-2 3-Major HA failsafe triggering on standby device does not clear next active for that device.
501371-4 3-Major mcpd sometimes exits while doing a file sync operation
495862-1 3-Major Virtual status becomes yellow and gets connection limit alert when all pool members forced down
494978-1 3-Major The hostagentd daemon should not be running in non-vcmp mode.
494367-2 3-Major HSB lockup after HiGig MAC reset
491791-3 3-Major GET on non-existent pool members does not show error
490414-1 3-Major /shared/vmisolinks present on systems running versions where block-devices are not present
489750-3 3-Major Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
488916 3-Major CIDR can now be used for SNAT Origin Address List
488374-2 3-Major Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
486512-7 3-Major audit_forwarder sending invalid NAS IP Address attributes
485939-1 3-Major OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.
485833-7 3-Major The mcpd process may leak memory when using tmsh to modify user attributes
484861-5 3-Major A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
483762-3 3-Major Overlapping vCMP guest MAC addresses
483751-1 3-Major Internal objects can have load failures on restarted blades
483699-1 3-Major No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list
483683-3 3-Major MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
482434 3-Major Possible performance degradation in AWS cloud
481082-2 3-Major Software auto update schedule settings can be reset during a full sync
478761-1 3-Major load sys config default does not work with iCR
477859-1 3-Major ZebOS config load may fail if password begins with numeric character
477789-4 3-Major SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.
476288-1 3-Major Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
473200-2 3-Major Renaming a virtual server causes unexpected configuration load failure
473037-1 3-Major BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
472365-4 3-Major The vCMP worker-lite system occasionally stops due to timeouts
471496-2 3-Major Standby node sends a summary LSA for the default route into a stub area with the same metric value as that of Active node.
468517-5 3-Major Multi-blade systems can experience active/standby flapping after both units rebooted
464132-2 3-Major Serverside SSL cannot be disabled if Rewrite profile is attached
463715-3 3-Major syscalld logs erroneous and benign timeout messages
447075-1 3-Major CuSFP module plugged in during links-down state will cause remote link-up
440346-5 3-Major Monitors removed from a pool after sync operation
440154-3 3-Major When IKEv2 is in use, user can only associate one Traffic Selector object with the IKE Peer object
439343 3-Major Client certificate SSL authentication unable to bind to LDAP server
436682-5 3-Major Optical SFP modules shows a higher optical power output for disabled switch ports
431634-6 3-Major tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails
420204-3 3-Major FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
416292-1 3-Major MCPD can core as a result of another component shutting down prematurely
394236-3 3-Major MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
510049 4-Minor Revised BIG-IP CGNAT Implementations content
493223-3 4-Minor syscalld core dumps now keep more debugging information
490171-1 4-Minor Cannot add FQDN node if management route is not configured
477111-5 4-Minor Dual management routes in the main routing table
475592-2 4-Minor Per-core and system CPU usage graphs do not match
473517-2 4-Minor 'OID not increasing error' during snmpwalk
463959-1 4-Minor stpd attempts to connect to slots in a chassis that are empty
492422-4 5-Cosmetic HTTP request logging reports incorrect response code
466116-3 5-Cosmetic Intermittent 'AgentX' warning messages in syslog/ZebOS log files


Local Traffic Manager Fixes

ID Number Severity Description
511873 1-Blocking TMM core observed during SSL cert-related tmsh execution.
507490-1 1-Blocking Invalid HTTP/2 input can cause the TMM to hang
507139-1 1-Blocking Invalid HTTP/2 input can cause the TMM to hang
504225-2 1-Blocking Virtual creation with the multicast IPv6 address returns error message
488931-1 1-Blocking TMM may restart when MPTCP traffic is being handled.
520413 2-Critical Aberrant behavior with woodside TCP congestion control
516408-1 2-Critical SSL reports certificate verification OK even when verification returns failure for pcm=request.
516179-1 2-Critical Woodside falsely detects congestion
514521 2-Critical Rare TMM Cores with TCP SACK and Early Retransmit
509310-5 2-Critical Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
503620-3 2-Critical ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
495875-2 2-Critical Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic
495030-1 2-Critical Segfault originating from flow_lookup_nexthop.
494319-1 2-Critical Proxy SSL caused tmm to core by dereferencing a null pointer
491030-6 2-Critical Nitrox crypto accelerator can sometimes hang when encrypting SSL records
489796-2 2-Critical TMM cores when Woodside congestion control is used.
488908-1 2-Critical In client-ssl profile which serves as server side, BIG-IP SSL does not initialize in initialization function.
486450-2 2-Critical iApp re-deployment causes mcpd on secondaries to restart
485189-3 2-Critical TMM might crash if unable to find persistence cookie
480699-2 2-Critical HA mirroring can overflow buffer limits on larger platforms
480370-6 2-Critical Connections to virtual servers with port-preserve property will cause connections to leak in TMM
480299-1 2-Critical Delayed update of Virtual Address might not always happen.
480113-4 2-Critical Install of FIPS exported key files (.exp) causes device-group sync failure
479171-3 2-Critical TMM might crash when DSACK is enabled
478983-1 2-Critical TMM core during certificate verification against CRL
478592-1 2-Critical When using the SSL forward proxy feature, clients might be presented with expired certificates.
477064-1 2-Critical TMM may crash in SSL
476683-2 2-Critical Suspended DNS_RESPONSE events are not resumed
476599-4 2-Critical TMM may panic when resuming DNS_REQUEST iRule event
475408-1 2-Critical SSL persistence profile does not find the server certificate.
475231-5 2-Critical TCP::close in CLIENTSSL_CLIENTCERT iRule event may result in tmm crash
474974-3 2-Critical Fix ssl_profile nref counter problem.
474388-3 2-Critical TMM restart, SIGSEGV messages, and core
472585-3 2-Critical tmrouted crashes after a series of configuration changes
470191-2 2-Critical Virtual with FastL4 with loose initiation and close enabled might result in TMM core
417068-6 2-Critical Key install or deletion failure on FIPS key names longer than 32 chars on some platforms
517124 3-Major HTTP::retry incorrectly converts its input
516292-1 3-Major Incorrect handling of repeated headers
515482 3-Major Multiple teardown conditions can cause crash
514604-1 3-Major Nexthop object can be freed while still referenced by another structure
513243-1 3-Major Improper processing of crypto error condition might cause memory issues.
512490-3 3-Major Increased latency during connection setup when using FastL4 profile and connection mirroring.
511517-1 3-Major Request Logging profile cannot be configured with HTTP transparent profile
511130-3 3-Major TMM core due to invalid memory access while handling CMP acknowledgement
509416 3-Major Suspended 'after' commands may result in unexpected behaviors
508716-4 3-Major DNS cache resolver drops chunked TCP responses
507127-2 3-Major DNS cache resolver is inserted to a wrong list on creation.
506702-4 3-Major TSO can cause rare TMM crash.
506290-4 3-Major MPI redirected traffic should be sent to HSB ring1
505964 3-Major Invalid http cookie handling can lead to TMM core
505056-5 3-Major BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.
504633-1 3-Major DTLS should not update 'expected next sequence number' when the record is bad.
503741-2 3-Major DTLS session should not be closed when it receives a bad record.
503214-3 3-Major Under heavy load, hardware crypto queues may become unavailable.
503118-2 3-Major clientside and serverside command crashes TMM
502959-2 3-Major Unable to get response from virtual server after node flapping
502683-3 3-Major Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
502149-3 3-Major Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
501690-3 3-Major TMM crash in RESOLV::lookup for multi-RR TXT record
499950-5 3-Major In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
499946-3 3-Major Nitrox might report bad records on highly fragmented SSL records
499478-2 3-Major Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate
499280-1 3-Major Client side or server side SSL handshake may fail if it involves SHA512-signed certificates in TLS1.2
499150-3 3-Major OneConnect does not reuse existing connections in VIP targeting VIP configuration
498334-2 3-Major DNS express doesn't send zone notify response
498269-1 3-Major 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode
497584-2 3-Major The RA bit on DNS response may not be set
496950-1 3-Major Flows may not be mirrored successfully when static routes and gateways are defined.
496588-1 3-Major HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash
495574-3 3-Major DB monitor functionality might cause memory issues
495443-4 3-Major ECDH negotiation failures logged as critical errors.
495253-1 3-Major TMM may core in low memory situations during SSL egress handling
494322-6 3-Major The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
493673-2 3-Major DNS record data may have domain names compressed when using iRules
493140-1 3-Major Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.
493117-6 3-Major Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
491518-2 3-Major SSL persistence can prematurely terminate TCP connection
491454-6 3-Major SSL negotiation may fail when SPDY profile is enabled
490817-1 3-Major SSL filter might report codec alerts repeatedly
490480-3 3-Major UCS load may fail if the UCS contains FIPS keys with names containing dot
490129-1 3-Major SMTP monitor could not create socket on IPv6 node address
488598-1 3-Major SMTP monitor on non-default route domain fails to create socket
487757 3-Major Hybrid higig/front panel port packet discard (ingress back-pressure vs. egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms.
487592 3-Major Change in the caching duration of OCSP response when there is an error
487587-2 3-Major The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios
487554-2 3-Major System might reuse TCP source ports too quickly on the server side.
486724-3 3-Major After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails
484305-2 3-Major Clientside or serverside command with parking command crashes TMM
483539-1 3-Major With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
483353-1 3-Major HTTP compression might cause TMM crash in low-memory conditions
481880-5 3-Major SASPD monitor cores
481216-1 3-Major Fallback may be attempted incorrectly in an abort after an Early Server Response
480686-7 3-Major Packet loop in VLAN Group
480443-1 3-Major Internal misbehavior of the SPDY filter
479682-4 3-Major TMM generates hundreds of ICMP packets in response to a single packet
479176-1 3-Major TMM hangs and receives SIGABRT due to race condition during DNS db load
478840-1 3-Major Cannot delete keys in subfolders using the BIG-IP GUI
478734-5 3-Major Incorrect 'FIPS import for failed for key' failure when operation actually succeeds
478195-4 3-Major Installation of FIPS .exp key files sets incorrect public exponent.
477375-5 3-Major SASP Monitor may core
475791-4 3-Major HTTP caching configured in a Web Acceleration profile may dispatch internal messages out-of-order, leading to assert
475322-2 3-Major cur_conns number different in tmstat and snmp output.
474584-2 3-Major igbvf driver leaks xfrags when partial jumbo frame received
474226-2 3-Major LB_FAILED may not be triggered if persistence member is down
474002-4 3-Major Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys
473759-1 3-Major Unrecognized DNS records can cause mcpd to core during a DNS cache query
472148-7 3-Major Highly fragmented SSL records can result in bad record errors on Nitrox based systems
471821-1 3-Major Compression.strategy "SIZE" is not working
471625-8 3-Major After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
470394-2 3-Major Priority groups may result in traffic being load balanced to a single pool member.
469705-4 3-Major TMM might panic when processing SIP messages due to invalid route domain
469115-3 3-Major Management client-ssl profile does not support multiple key/cert pair.
468472-7 3-Major Unexpected ordering of internal events can lead to TMM core.
467868-3 3-Major Leak due to monitor status reporting
464651-2 3-Major Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.
464163-3 3-Major Customized cert-key-chain of a client ssl profile might be reverted to its parent's.
457934-4 3-Major SSL Persistence Profile Causing High CPU Usage
456763-5 3-Major L4 forwarding and TSO can cause rare TMM outages
456413-5 3-Major Persistence record marked expired though related connection is still active
455840-7 3-Major EM analytic does not build SSL connection with discovered BIG-IP system
449891-7 3-Major Fallback source persistence entry is not used when primary SSL persistence fails
447272-2 3-Major Chassis with MCPD audit logging enabled will sync updates to device group state
444710-6 3-Major Out-of-order TCP packets may be dropped
443006-1 3-Major In low memory situations initializing the HTTP parser will cause the TMM to crash
438792-5 3-Major Node flapping may, in rare cases, lead to inconsistent persistence behavior
428163-3 3-Major Removing a DNS cache from configuration can cause TMM crash
384451-6 3-Major Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions
503560-2 4-Minor Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
498597-5 4-Minor SSL profile fails to initialize and might cause SSL operation issues
481820-1 4-Minor Internal misbehavior of the SPDY filter
480888-2 4-Minor If Tcl parks during HTTP::collect and serverssl is present, data can be truncated
469739-4 4-Minor ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile
463696-5 4-Minor FIPS keys might not be recoverable from UCS
451224-3 4-Minor IP packets that are fragmented by TMM, the fragments will have their DF bit


Performance Fixes

ID Number Severity Description
476144-1 1-Blocking TMM generates a core file when dynamically loading a shared library.
497619-6 3-Major TMM performance may be impacted when server node is flapping and persist is used
426939-5 3-Major APM policies do not work in VIPRION 4800 chassis if there is no slot 1


Global Traffic Manager Fixes

ID Number Severity Description
477240-2 2-Critical iQuery connection resets every 24 hours
468519-1 3-Major BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.
491554-2 4-Minor [big3d] Possible memory leakage for auto-discovery error events.


Application Security Manager Fixes

ID Number Severity Description
488306-1 1-Blocking Requests not logged locally on the device
478674-1 1-Blocking ASM internal parameters for high availability timeout were not handled correctly
516523-2 2-Critical Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group
515433-1 2-Critical BD crash on specific signature sets configuration.
512616-1 2-Critical BD crash during brute force attack in cluster environment
508908-1 2-Critical Enforcer crash
507919-1 2-Critical Updating ASM through iControl REST does not affect CMI sync state
506372 2-Critical XML validation files related errors on upgrade
504182-1 2-Critical Enforcer cores after upgrade upon the first request
503169-1 2-Critical XML validation files are broken after upgrade
493401-2 2-Critical Concurrent REST calls on a single endpoint may fail
492978-1 2-Critical All blades in a cluster remain offline after provisioning ASM or FPS
487420-1 2-Critical BD crash upon stress on session tracking
486323-1 2-Critical The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation
481476-5 2-Critical MySQL performance
517245-2 3-Major A request that should be blocked was forwarded to the server
515449-1 3-Major bd agent listens on all addresses instead of the localhost only
515190-2 3-Major Event Logs -> Brute Force Attacks can't show details after navigating to another page
514093-1 3-Major Allow request logs to be filtered by destination IP
513763 3-Major Slow response from GUI when listing Event Logs
512668-1 3-Major ASM REST: Unable to Configure Clickjacking Protection via REST
512001-1 3-Major Using REST API to Update ASM Attack Signatures Fails
512000-1 3-Major Event Log Filter using Policy Group isn't accurate
511947-1 3-Major Policy auto-merge of Policy Diff
511488-1 3-Major Correlation restarting on a multi-bladed vCMP guest
511477-2 3-Major Manage ASM security policies from BIG-IQ
510499-2 3-Major System Crashes after Sync in an ASM-only Device Group.
509968-3 3-Major BD crash when a specific configuration change happens
509873-1 3-Major Rare crash and core dump of TMM or bd after rebooting a device or joining a trust domain.
509495 3-Major TMM memory leak when an HTTP profile has protocol security enabled and there is no AFM license
508519-4 3-Major Performance of Policy List screen
508338-1 3-Major Under rare conditions cookies are enforced as base64 instead of clear text
507905 3-Major Saving Policy History during UCS load causes DB deadlock/timeout
507902-1 3-Major Failure and restart of mcpd in secondary blade when cluster is part of a trust domain.
507289-3 3-Major User interface performance of Web Application Security Editor users
506407 3-Major Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages
506386-2 3-Major Automatic ASM sync group remains stuck in init state when configured from tmsh
506355-1 3-Major Importing an XML file without defined entity sections
506110-1 3-Major Log flood within datasyncd.log in clustered environment
504973-1 3-Major Configuring a route domain with a 32-bit subnet mask saves a 128-bit mask instead
504718-2 3-Major Policy auto-merge of Policy Diff
502852-2 3-Major Deleting an in-use custom policy template
501612-4 3-Major Spurious Configuration Synchronizations
500544-1 3-Major XML validation files are not correctly imported/upgraded
498708-1 3-Major Errors logged in bd.log coming from the ACY module
498189-3 3-Major ASM Request log does not show log messages.
497769 3-Major Policy Export: BIG-IP does not export redirect URL for "Login Response Page"
496565-1 3-Major Secondary Blades Request a Sync
496264-1 3-Major SOAP Methods Were Not Being Validated For WSDL Based XML Profiles
490284-3 3-Major ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)
489648-1 3-Major Empty violation details for attack signatures
485764-5 3-Major WhiteHat vulnerability assessment tool is configured but integration does not work correctly
484079-1 3-Major Change to signature list of manual Signature Sets does not take effect.
482915-1 3-Major Learning suggestion for the maximum headers check violation appears only for blocked requests
475819-4 3-Major BD crash when trying to report attack signatures
471103-1 3-Major Ignoring null values for parameters with different content types


Application Visibility and Reporting Fixes

ID Number Severity Description
508544-1 3-Major AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag
504414-1 3-Major AVR HTTP External log - missing fields
503683 3-Major Configuration upgrade failure due to change in an ASM predefined report name
503471-1 3-Major Memory leak can occur when there is a compressed response, and abnormal termination of the connection
500457-1 3-Major Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash
500034-1 3-Major [SMTP Configuration] Encrypted password not shown in GUI
497681-1 3-Major Tuning of Application DoS URL qualification criteria
497376-1 3-Major Wrong use of custom XFF headers when there are multiple matches
488713-1 3-Major Corrupt memory


Access Policy Manager Fixes

ID Number Severity Description
497662-3 1-Blocking BIG-IP DoS via buffer overflow in rrdstats
517146-1 2-Critical Log ID 01490538 may be truncated
516075-6 2-Critical Linux command line client fails with on-demand cert
513795-1 2-Critical HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1
507782-1 2-Critical TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
506235-2 2-Critical SIGSEGV caused by access_redirect_client_to_original_uri
497436-4 2-Critical Mac Edge Client behaves erratically while establishing network access connection
496894-1 2-Critical TMM may restart when accessing SAML resource under certain conditions.
495901-3 2-Critical Tunnel Server crash if probed on loopback listener.
493360-1 2-Critical Fixed possible issue causing Edge Client to crash during reconnect
489328-9 2-Critical Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.
473092-1 2-Critical Transparent Proxy + On-Demand Cert Auth will reset
431980-1 2-Critical SWG Reports: Overview and Reports do not show correct data.
515387 3-Major Update EPSEC package to latest verified in 11.6.0 branch
514636-1 3-Major SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN.
514277-1 3-Major Provide a way to enable connection bar for Citrix desktops only
513646-1 3-Major APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer
512999-1 3-Major LDAP Query may fail if user belongs to a group from foreign domain
512378-1 3-Major Changing per request policy in the middle of data traffic can cause TMM to crash
511961-1 3-Major BIG-IP Edge Client does not display logon page for FirePass
511648-2 3-Major On standby TMM can core when active system sends leasepool HA commands to standby device
511441-3 3-Major Memory leak on request Cookie header longer than 1024 bytes
509956-4 3-Major Improved handling of cookie values inside SWG blocked page.
509758-2 3-Major EdgeClient shows incorrect warning message about session expiration
509010 3-Major Adding/Deleting a local user takes 30 seconds to complete
508719-1 3-Major APM logon page missing title
508630-4 3-Major The APM client does not clean up DNS search suffixes correctly in some cases
507899 3-Major Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value
507318-3 3-Major JS error when sending message from DWA new message form using Chrome
507116-1 3-Major Web-application issues and/or unexpected exceptions.
506349-4 3-Major BIG-IP Edge Client for Mac identified as browser by APM in some cases
505797-1 3-Major Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway
505755-3 3-Major Some scripts on a dynamically loaded HTML page might not be executed.
504880-2 3-Major TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway
504606-3 3-Major Session check interval now has minimum value
503319-4 3-Major After network access is established browser sometimes receives truncated proxy.pac file
502441-5 3-Major Network Access connection might reset for large proxy.pac files.
502016-4 3-Major MAC client components do not log version numbers in log file.
501498-1 3-Major APM CTU doesn't pick up logs for Machine Certificate Service
499620-6 3-Major BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-1 3-Major Windows File Check does not work if the filename starts with an ampersand
498993-1 3-Major It is possible to get an infinite loop in LDAP Query while resolving nested groups
498782-2 3-Major Config snapshots are deleted when failover happens
498469-5 3-Major Mac Edge Client fails intermittently with machine certificate inspection
497455-1 3-Major MAC Edge client crashed during routine Network Access.
497325-1 3-Major New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment
496817-1 3-Major Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy
495702-4 3-Major Mac Edge Client cannot be downloaded sometimes from management UI
495319-3 3-Major Connecting to FP with APM edge client is causing corporate network to be inaccessible
495265-1 3-Major SAML IdP and SP configured in same access profile not supported
494176-5 3-Major Network access to FP does not work on Yosemite using APM Mac Edge Client.
494088-4 3-Major APD or APMD should log an error message before exiting instead of asserting.
490844-4 3-Major Some controls on a web page might stop working.
490681-1 3-Major Memcache entry for dynamic user leaks
490675-1 3-Major User name with leading or trailing spaces creates problems.
489382-7 3-Major Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
487170-1 3-Major Enhanced support for proxy servers that resolve to multiple IP addresses
486597-1 3-Major Fixed Network Access renegotiation procedure
486268-1 3-Major APM logon page missing title
485355-3 3-Major Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
484582-2 3-Major APM Portal Access is inaccessible.
483526-1 3-Major Rarely seen Edge Client for Mac crash on session disconnect
482269-1 3-Major APM support for Windows 10 out-of-the-box detection
480817-3 3-Major Added options to troubleshoot client by disabling specific features
480242-5 3-Major APD, APMD, MCPD communication error failure now reported with error code
477898-1 3-Major Some strings on BIG-IP APM EDGE Client User Interface were not localized
477795-1 3-Major SSL profile passphrase may be displayed in clear text on the Dashboard
476038-1 3-Major Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
475505-6 3-Major Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474698-2 3-Major BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
474582-3 3-Major Add timestamps to logstatd logs for Policy Sync
473697-6 3-Major HD Encryption check should provide an option to choose drive
473129-5 3-Major httpd_apm access_log remains empty after log rotation
471421-5 3-Major Ram cache evictions spikes with change of access policy leading to slow webtop rendering
471331-2 3-Major APM::RBA reset due to a leaked HUDEVT_REQUEST_DONE
460715-5 3-Major Changes in captive portal probe URL
452464-4 3-Major iClient does not handle multiple messages in one payload.
452416-1 3-Major tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
437744-4 3-Major SAML SP service metadata exported from APM may fail to import.
437743-6 3-Major Import of Access Profile config that contains ssl-cert is failing
436201-6 3-Major JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
433972-13 3-Major New Event dialog widget is shifted to the left and Description field does not have action widget
433847-1 3-Major APD crashes with a segmentation fault.
432900-9 3-Major APM configurations can fail to load on newly-installed systems
431149-6 3-Major APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
416115-14 3-Major Edge client continues to use old IP address even when server IP address changed
410089-2 3-Major Linux client hangs after receiving the application data
403991-8 3-Major Proxy.pac file larger than 32 KB is not supported
510596-6 4-Minor Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
505662-1 4-Minor Signed SAML IdP/SP exported metadata contains some elements in wrong order
504461-2 4-Minor Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
485202-1 4-Minor LDAP agent does not escape '=' character in LDAP DN
482134-1 4-Minor APD and APMD cores during shutdown.
471452-2 4-Minor Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
465012-4 4-Minor Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
464992-7 4-Minor Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
461597-11 4-Minor MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate
460427-2 4-Minor Address collision reported when the Primary blade goes down or its TMM crashes in a chassis IntraCluster environment.
456911-3 4-Minor Add BIG-IP hostname to system's static DNS host entries
493385-6 5-Cosmetic BIG-IP Edge Client uses generic icon set even if F5 icon set is configured


WebAccelerator Fixes

ID Number Severity Description
514838-1 1-Blocking TMM Crash on Relative URL
514785-2 1-Blocking TMM crash when processing AAM-optimized video URLs
486346-3 2-Critical Prevent wamd shutdown cores
447254-1 2-Critical Core in parked transaction due to evicted stand-in document
511534-1 3-Major A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.
481431-1 3-Major AAM concatenation set memory leak on configuration change
467633-5 3-Major WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)
488917-2 4-Minor Potentially confusing wamd shutdown error messages


Service Provider Fixes

ID Number Severity Description
486356-1 2-Critical Unable to configure a virtual with stats profile and sip profile in 11.6.0
482436-1 2-Critical BIG-IP processing of invalid SIP request may result in high CPU utilization
478442-5 2-Critical Core in sip filter due to sending of HUDEVT message while processing of HUDCTL message
477318-1 2-Critical Fixes possible segfault
466761-4 2-Critical Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
455006-7 2-Critical Invalid data is merged with next valid SIP message causing SIP connection failures
512054-1 3-Major CGNAT SIP ALG - RTP connection not created after INVITE
511326-2 3-Major SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
507143-1 3-Major Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion
503676-4 3-Major SIP REFER, INFO, and UPDATE requests do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
500365-3 3-Major TMM Core as SIP hudnode leaks
499701-1 3-Major SIP Filter drops UDP flow when ingressq len limit is reached.
472376-3 3-Major A SIP virtual server may crash while trying to send a message if the connection is in the process of shutting down
448493-10 3-Major SIP response from the server to the client gets dropped


Advanced Firewall Manager Fixes

ID Number Severity Description
515562-1 2-Critical Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.
513403-1 2-Critical TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.
512609 2-Critical Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
503541-2 2-Critical Use 64 bit instead of 10 bit for Rate Tracker library hashing.
501480-3 2-Critical AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925-3 2-Critical Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
517019-1 3-Major AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect
515187-2 3-Major Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
513565-1 3-Major AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
511406-1 3-Major Pagination issue on firewall policy rules page
505624-1 3-Major Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
503085-3 3-Major Make the RateTracker threshold a constant
502414-2 3-Major Make the RateTracker tier3 initialization number less variable.
501986-3 3-Major Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process
496278-2 3-Major Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
500449 4-Minor "Any IPv4 or IPv6" choice in sweep attack has atypical definition
497311 4-Minor Can't add an ICMPv6 type and code to a FW rule.


Policy Enforcement Manager Fixes

ID Number Severity Description
519407-1 2-Critical PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID
518967-1 2-Critical Possible error when parsing for certain URL categorization input.
508051-1 2-Critical DHCP response may return to wrong DHCP client.
506734 2-Critical Cloud lookup stress condition
506283 2-Critical 100% TPS drop when webroot cloud lookup is enabled under stress condition
505529 2-Critical wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled.
505069 2-Critical Webroot cloud lookup granularity
503381-2 2-Critical SSL persistence may cause connection resets
500219-1 2-Critical TMM core if identical RADIUS Start messages are received
496976-2 2-Critical Crash when receiving RADIUS message to update PEM static subscriber.
484278-4 2-Critical BIG-IP crash when processing packet and running iRule at the same time
480544-1 2-Critical Secondary IP flows are not forwarded in multiple IP session
473680-1 2-Critical Multiple DHCP solicit packets may not succeed.
515638 3-Major 5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs
512734 3-Major Socket error when Webroot cloud lookup is enabled under stress condition
511064-1 3-Major Repeated install/uninstall of policy with usage monitoring stops after second time
510811-1 3-Major PEM::info irule does not take effect if used right after PEM::session config policy irule
510721-1 3-Major PEM::enable / PEM::disable iRule errors out with an error message
509105-1 3-Major TMM cores sometimes if provisioning hold time is set to non-zero.
507753 3-Major URL categorization missed if HTTP1.0 header does not have HOST
507549-1 3-Major PEM may ignore a RAR if the target session is in the Provision-Pending state
506578 3-Major Webroot cloud lookup does not yield a category.
505986 3-Major Extra Webroot cloud lookup requests when cache is full
504028-1 3-Major Generate CCR-T first and then CCR-I if session being replaced
495913-2 3-Major TMM core with CCA-I policy received with uninstall
488166-1 3-Major Provide an option to delete the session and create a new one instead when the IP address limit is reached while a new IP is being added.
467106-1 3-Major Loading a UCS file after installing 11.6.0 on top of 11.5.0 fails when Gx reporting is enabled.
512663 4-Minor Added urlcatblindquery iRule command
489767 4-Minor Webroot cloud lookup support
478399-2 4-Minor PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-aware" profile is configured.


Carrier-Grade NAT Fixes

ID Number Severity Description
519723 2-Critical dnatutil utility needs update because DAG changed.
494280-3 2-Critical TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel
493807-5 2-Critical TMM might crash when using PPTP with profile logging enabled
482202-1 3-Major Very long FTP command may be ignored.


Fraud Protection Services Fixes

ID Number Severity Description
487553 3-Major FPS alerts


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
499719-1 3-Major Ordering Zones statistics causes a database error
475549-3 3-Major Input handling error in GTM GUI
475092 3-Major Viewing DNS::Zones:Zones:Zones List:Statistics in the GUI generates error.
494305-3 4-Minor [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.


Anomaly Detection Services Fixes

ID Number Severity Description
461949 2-Critical Virtual server with Portal Access and DOS profile resets connection


Traffic Classification Engine Fixes

ID Number Severity Description
513215 2-Critical Only one of the TMMs loads the classification library after an IM package upgrade
508660-1 2-Critical Intermittent TMM crash in classification library
484483-2 2-Critical TCP and UDP were classified as Unknown by classification library



Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
503237-8 CVE-2015-0235 K16057 CVE-2015-0235 : glibc vulnerability known as Ghost
496849-1 CVE-2014-9326 K16090 F5 website update retrievals vulnerability
494078-4 CVE-2014-9326 K16090 Update Check feature can be the target of a man-in-the-middle attack
492368-5 CVE-2014-8602 K15931 Unbound vulnerability CVE-2014-8602
492367-4 CVE-2014-8500 K15927 BIND vulnerability CVE-2014-8500
489323-1 CVE-2015-8098 K43552605 Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.
485812-2 CVE-2014-3660 K15872 libxml2 vulnerability CVE-2014-3660
477274-8 CVE-2014-6031 K16196 Buffer Overflow in MCPQ
500088-1 CVE-2014-3571 K16123 OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update
497719-1 CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 K15934 NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296
496845-1 CVE-2014-9342 K15933 NTP vulnerability CVE-2014-9296
474757-15 CVE-2014-3508 CVE-2014-5139 CVE-2014-3509 CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512 K15573 OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507, OpenSSL vulnerability CVE-2014-3508, OpenSSL vulnerability CVE-2014-3510, TLS vulnerability CVE-2014-3511.
471014-14 CVE-2014-2970 CVE-2014-5139 K15567 OpenSSL vulnerability CVE-2014-5139


Functional Change Fixes

ID Number Severity Description
480583-1 2-Critical Support SIP/DNS DOS only for UDP packets and SIP DOS does not drop packets but count drops
477524 3-Major Enable ssh for admin account and disable ssh for root account for Amazon deployments


TMOS Fixes

ID Number Severity Description
493275-3 1-Blocking Restoring UCS file breaks auto-sync requiring forced sync.
483436-1 1-Blocking Update 11.5.0 license files for "hourly billing" with production licenses.
482943-1 1-Blocking Cannot upgrade because of lack of root/admin access.
476126-1 1-Blocking Adding SR-IOV and VLAN tagging in the F5 VE with Emulex NIC
475829-1 1-Blocking AWS - VE is locked out after live install on 2nd slot.
499880 2-Critical boot menu titles might not contain volume suffix
487567-4 2-Critical Addition of a DoS Profile Along with a Required Profile May Fail
486137-3 2-Critical License activation may not proceed if MCPD is not fully operational
484399-2 2-Critical Virtual Edition second installation slot and VMWare
478896 2-Critical Hourly Billing AMIs for 11.6.0 contain internal instead of production license
477031-2 2-Critical Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart
473641-1 2-Critical Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak
497870-1 3-Major PEM configured with BWC doing pem policy changes could trigger leak
497062-1 3-Major PEM configured with BWC doing PEM policy changes could trigger leak
492809-4 3-Major Small but continuous mcpd memory leak associated with statistics.
485352-1 3-Major TMM dumps core file when loading configuration or starting up
483228-3 3-Major The icrd_child process generates core when terminating
479359-1 3-Major Loading a UCS file with no-platform-check stalls at platform check
479302-3 3-Major Error message in ltm log: bcm56xxd: reading L2 entry Operation failed bs_arl.cpp.
479152-5 3-Major Hardware parity error mitigation on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
474172 3-Major BIG-IQ at times cannot discover BIG-IP running TMOS 11.6.0 - 11.6.0 HF3, failure reason: Failed getting time zone.
474166-4 3-Major ConfigSync operation failing with rarely occurring sFlow error
473409-1 3-Major Route domain stats cannot be reset by using F5-BIGIP-LOCAL-MIB::ltmRouteDomainStatResetStats
468514-4 3-Major Receiving several ConfigSync requests in a short period of time may cause the mcpd process to restart and produce a core file
468021-3 3-Major UCS file from earlier version may not load into 11.5.0 or later image
481135-1 4-Minor The pool members of a wide IP in Link Controller cannot be modified once created
441512-4 4-Minor ConfigSync failing with sFlow error


Local Traffic Manager Fixes

ID Number Severity Description
490225-3 2-Critical Duplicate DNSSEC keys can cause failed upgrade.
484948-1 2-Critical UDP connflow may be aborted from a parked iRule in server_closed.
478812-2 2-Critical DNSX Zone Transfer functionality preserved after power loss
502174-4 3-Major DTLS fragments do not work for ClientHello message.
484429-4 3-Major After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages that it could not load a key, certificate, or chain.
483974-2 3-Major Unrecognized EDNS0 option may be considered malformed.
483328-4 3-Major Client SSL profiles might fail to complete handshake, system logs critical-level error '01260000:2: Profile name-of-profile: could not load key/certificate'
477924-1 3-Major System can crash referencing compression provider where selection of provider has been deferred
477394-1 3-Major LTM might reset and cause out-of-ports
476281 3-Major tmm crash on uninitialized variable
475055-3 3-Major Core caused by incorrect accounting of I/O flows
472944-3 3-Major SMTPS race condition after STARTTLS may cause incorrect SMTP responses
463902-3 3-Major Hardware Compression in CaveCreek may cause excessive memory consumption.
437627-5 3-Major TMM may crash if a FastL4 virtual server receives a fragmented packet
492780-1 4-Minor Elliptic Curves Extension in ServerHello might cause failed SSL connection.


Application Security Manager Fixes

ID Number Severity Description
504232-1 2-Critical Attack signatures are not blocked after signature/set change
489705-2 2-Critical Running out of memory while parsing large XML SOAP requests
478876-2 2-Critical BIG-IP with many active ASM accounts after a restart
478672-1 2-Critical Enforcer memory leak
477432-6 2-Critical Roll forward from 11.3.0 with iApp configured fails to load correctly and causes bd to core
475856-1 2-Critical BD may crash when enabling Base64 Decoding on Wildcard cookie
496011-1 3-Major Resets when session awareness enabled
492570-1 3-Major JavaScript error during CSRF protection
481792-1 3-Major BD may crash within HTTP payload parser.
476191-1 3-Major Bypass unicode validation on XML and JSON profiles by internal parameter
476179-1 3-Major Brute Force end attack operation mode reported as blocking while it was actually in transparent mode
475861-1 3-Major Session Awareness: Requests are reset
475135-1 3-Major BIG-IP goes offline after time change
474430-1 3-Major Rare issue: client session might not be restored by fingerprint in the Web Scraping mitigation.
473410-1 3-Major Policy Diff on merging missing URLs
470779-1 3-Major The Enforcer should exclude session awareness violations when counting illegal requests.
469786-1 3-Major Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule
467776-1 3-Major Fix in the Guardium to ASM protocol
450241-3 3-Major iControl error when discover ASM from EM
441239-1 3-Major Event Correlation is not enabled on vCMP guests if the disk is SSD.
438809-6 3-Major Brute Force Login


Application Visibility and Reporting Fixes

ID Number Severity Description
499299-1 2-Critical Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash
480350-1 2-Critical AVR and APM: TMM crashes
476336 2-Critical TMM and other daemons, such as the Enforcer, crash
475439-1 2-Critical Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash
474251-1 2-Critical IP addresses are not properly cleaned from lookup tables, so there might be no room for new IP addresses to be collected.
472969-1 2-Critical If you try to create more than 264 AVR profiles, avrd might crash.
499036 3-Major Rare cases of errors when loading data into mysql
496560-1 3-Major AVR and APM: TMM crashes (additional fixes for ID 480350)
493825-1 3-Major Upgrade failure from version 11.4.0 due to incorrect configuration being saved
489682-1 3-Major Configuration upgrade failure due to change in an ASM predefined report name
481541-1 3-Major Memory leak in monpd when LTM and AVR or ASM are provisioned
478346-1 3-Major Some AVR statistics not collected properly
472607 3-Major VCMP: Warning messages in AVR log
467945-3 3-Major Error messages in AVR monpd log


Access Policy Manager Fixes

ID Number Severity Description
488986-2 1-Blocking Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
504060 2-Critical iOS and Mac receivers cannot create account on Citrix StoreFront in proxy mode
494098-6 2-Critical PAC file download mechanism race condition
485906 2-Critical TMM may core when an APM virtual server has a OneConnect profile attached to the virtual server
485465-3 2-Critical TMM might restart under certain conditions when executing SLO.
484454-3 2-Critical Users not able to log on after failover
482833 2-Critical apd crash for missing db variable
479524-5 2-Critical If a "refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten
477540-1 2-Critical 'ACCESS::policy evaluate' iRule command causes crash of apmd daemon
476736-2 2-Critical APM IPv6 Network Access connection may fail in some cases
475049-1 2-Critical Missing validation of disallowing empty DC configuration list
474532-5 2-Critical TMM may restart when SLO response is received on SLO request URL (.../post/sls)
474392-1 2-Critical OS X 10.10 Yosemite support
474058-5 2-Critical When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
471874-1 2-Critical VDI plugin crashes when trying to respond to client after client has disconnected
469960-1 2-Critical Managing apd connection from tmm
458928-5 2-Critical APMD cores in Kerberos authentication when the agent tries to dereference a null authparam session variable.
455284-4 2-Critical Monitor traffic rejected with ICMP message, causing node down
496449-1 3-Major APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources.
496447-1 3-Major APM does not apply route domain configured in visual policy editor to Citrix/VMware View connections when their backends are specified as hostname/IP address.
496441-1 3-Major APM does not apply route domain configured in visual policy editor to Java AppTunnel connections.
496440-1 3-Major APM does not apply route domain configured in visual policy editor to Java RDP connections.
494284-3 3-Major Mac Edge Client with a primary language of German shows unneeded text under disconnected status.
494189-1 3-Major Poor performance in clipboard channel when copying
493487-3 3-Major Function::call() and Function::apply() wrapping does not work as expected
493164-3 3-Major flash.net.NetConnection::connect() has an erroneous security check
492238-6 3-Major When logging out of Office 365 TMM may restart
492153-2 3-Major Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.
491887-1 3-Major Changing the ending of a macro in Access Policy crashes TMM.
491478-1 3-Major EAM is a CMP plugin and spins up one thread per TMM.
491233-1 3-Major Rare deadlock in CustomDialer component
490811-5 3-Major Proxy configuration might not be restored correctly in some rare cases
490482-1 3-Major Applying Access Policy with an unused macro crashes TMM.
488892-3 3-Major JavaRDP client disconnects
487859-1 3-Major Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
485948-5 3-Major Machine Info Agent should have a fallback branch
485396 3-Major Online help about persistent cookies does not specify supported use
484847-2 3-Major DTLS cannot be disabled on Edge Client for troubleshooting purposes
484298-2 3-Major The aced process may restart in a loop
483601 3-Major APM sends a logout Bookmarked Access whitelist URL when session is expired.
483379-1 3-Major High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes
482710-4 3-Major SSLv3 protocol disabled in APM clients
482260-4 3-Major Location of Captive portal configuration registry entry in 64 bit windows is incorrect
482046-1 3-Major Old password is not verified during password change from View client.
481257-5 3-Major Information on "OPSWAT Integration Libraries V3" is missing from CTU report
481210-1 3-Major Active Directory Query doesn't populate all values of multi-value attributes
481203-5 3-Major User name case sensitivity issue
481046-5 3-Major F5_Inflate_text(o, incr, v) wrapper needs to be fixed for the case when o is a script tag
481020-1 3-Major Traffic does not flow through VPN tunnel in environments where the proxy server is load balanced
480995-1 3-Major APM client components are not using extended logging by default.
480247-5 3-Major Modifying edge client application folder causes gatekeeper to throw warning
480047-1 3-Major BIG-IP Edge Client for Windows does not enable you to generate a client troubleshooting report from the user interface.
479451-1 3-Major Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
478491 3-Major Microsoft RDP client for iOS doesn't work against F5 APM for versions >= 8.1.0
478333 3-Major Edge Client shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions
478285-2 3-Major [MAC][NA] Routing table is not restored correctly in multi-homed environment if server settings disallow local subnet access
478214-1 3-Major APM Native RDP Proxy does not allow users to authenticate without specifying a domain name.
478115-5 3-Major The action attribute value of a form HTML tag is not properly rewritten in the Minimal Content Rewriting mode when it starts with "/"
477841-1 3-Major Safari 8 does not use Network Access proxy.
477642-5 3-Major Portal Access rewriting leads to page reload in Firefox
477474-3 3-Major Wrong HTML rewriting at client side for very special case
477445-1 3-Major APM client improved to support two interfaces connected to the same network segment
476133-1 3-Major In APM OAM authentication, ObSSOCookie _lastUseTime was not updated.
476033-1 3-Major APM does not support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway.
476032-1 3-Major BIG-IP Edge Client may hang for some time when disconnecting from FirePass server
475770-1 3-Major Fixed routing table management for cases when 2 or more interfaces are used
475682-6 3-Major APM OAM should be sending a single Cookie header with the cookies delimited by semi-colon.
475650-5 3-Major The TMM may restart when processing single logout (SLO) messages.
475363-6 3-Major With an empty or invalid configuration, or during an exception in NTLM, handling might not work as expected.
475360-6 3-Major Edge client remembers specific virtual server URI after it is redirected
475262-1 3-Major In some cases Edge Client for Windows does not re-resolve server hostname while reconnecting
475163-5 3-Major Submitting an HTML form that does not have an action attribute results in a 404 error and 'null' in the request URL.
475148-1 3-Major Microsoft RDP Client for Mac OS X ver. 8.0.9 does not work correctly with BIG-IP APM.
475143 3-Major CATEGORY::filetype command may cause tmm to crash and restart
474730-5 3-Major Incorrect handling of form if it contains a tag with id=action
474231-5 3-Major RAM cache evictions spikes with change of access policy which may lead to slow webtop rendering
473728-3 3-Major Incorrect HTML form handling.
473386-4 3-Major Improved Machine Certificate Checker matching criteria for FQDN case
473344-6 3-Major Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
472825-2 3-Major The Dashboard charts may dip when a blade is rebooted.
471825-3 3-Major Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.
471772-1 3-Major APM does not support VMware View application remoting.
471714-1 3-Major Certain SMTP servers (Windows) do not receive complete email due to missing CRLF header terminator in Emails generated by APM Email agent.
471125 3-Major Fixed issue causing EdgeClient to work improperly behind environment with CaptivePortal.
470414-4 3-Major Portal Access rewrite daemon may crash while processing some Flash files
470225-4 3-Major Machine Certificate checker now correctly works in Internet Explorer 11
470205-2 3-Major /config/.../policy_sync_d Directory Is 100% Full
469100-5 3-Major JavaScript index expressions with a comma are not properly rewritten
468478-5 3-Major APM Portal Access becomes unresponsive.
467849-6 3-Major In some cases user cannot go to external sites through proxy when vpn is connected
466877-6 3-Major When BIG-IP is used as SAML SP, signatures created by IBM Tivoli Federated Identity Manager may fail validation
466325-6 3-Major Continuous policy checks on windows might fail incorrectly in some cases
463776-2 3-Major VMware View client freezes when APM PCoIP is used and user authentication fails against VCS 5.3
463230-1 3-Major Aced service does not recover if child process dies.
462727-1 3-Major TMM crash when processing ACCESS::session iRule without an attached Access Policy
456403-2 3-Major Citrix Storefront native protocol
454493-1 3-Major VMWare View applications are not available on BIG-IP APM webtops
447013-4 3-Major The Citrix Client Detection process may incorrectly prompt for the installation of client software.
441355-1 3-Major Enable change password within vmview client when password doesn't meet the AD policy requirements
439518-3 3-Major Portal access resource item modifications are not synced
438730-5 3-Major DNS Filtering driver causes crash/BSOD
432102-6 3-Major HTML reserved characters not supported as part of SAML RelayState
431810-5 3-Major APMD process core due to missing exception handling in execute agents
428387-2 3-Major SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
418850-1 3-Major Do not restrict AD to be the last auth agent for View Client
407350-4 3-Major Client side checks on Windows Phone 8
400726-4 3-Major No support for multi-valued attributes inside SAML assertion.
398657-8 3-Major Active Session Count graph underflow
503924-1 4-Minor Citrix receivers cannot authenticate
492844-1 4-Minor Office365 generated SAML SLO message causes browser connection to be reset.
489888-1 4-Minor Configuring VDI profile when APM is not provisioned, but does not.
489364-1 4-Minor Now web VPN client correctly minimizes IE window to tray
485760-1 4-Minor Tag <NameIDFormat> in SAML metadata may contain wrong attributes
480827-1 4-Minor Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND).
480360-5 4-Minor Edge Client for Mac blocks textexpander application's functionality
478397-1 4-Minor Memory leak in BIG-IP APM Edge Client Windows API.
477138-1 4-Minor Only one of several VMware View Desktop/Application pools with the same display name can be launched from APM Webtop
473377-5 4-Minor BIG-IP as IdP may reject AuthnRequest with specific NameID format
472216-2 4-Minor Duration counter for customized Edge Client
466797-6 4-Minor Added warning message when maximum session timeout is reached
464547-1 4-Minor Show proper error message when VMware View client sends invalid credentials to APM
450033-5 4-Minor Sometimes VMware View client 2.3 for Windows can't launch desktops via APM
447302-3 4-Minor APM incorrectly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.
432423-5 4-Minor Need proactive alerts for APM license usage
421901-2 4-Minor The 'Restore down' button can be hidden for full-screen RDP resources.
503673-1 5-Cosmetic APM sets MRHSession cookie on /cgi/login request from Citrix Receivers
486344-2 5-Cosmetic French translation does not properly fit buttons in BIG-IP Edge client on Windows
484856-1 5-Cosmetic Citrix remote desktop visible even if the user cannot access it


WAN Optimization Manager Fixes

ID Number Severity Description
479889-5 1-Blocking Memory leaks when iSession and iControl are configured
480305-1 4-Minor tmm log flood: isession_handle_evt: bad transition:7


Service Provider Fixes

ID Number Severity Description
476886-3 3-Major When ICAP cuts off request payload, OneConnect does not drop the connection
472092-3 3-Major ICAP loses payload at start of request in response to long execution time of iRule


Advanced Firewall Manager Fixes

ID Number Severity Description
496036 1-Blocking GUI throws an error in some situations when an ASM policy is assigned to virtual server
484245-1 1-Blocking Delete firewall rule in GUI changes port settings in other rules to 'any'
498227-2 2-Critical Incorrect AFM firewall rule counter update after pktclass-daemon restarts.
497342 2-Critical TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.
480903-1 2-Critical AFM DoS ICMP sweep mitigation performance impact
478644 2-Critical dwbld race with mcpd causes core.
477769-1 2-Critical TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules.
469512-2 2-Critical TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies.
500640-1 3-Major TMM core could be seen if FLOW_INIT iRule attached to Virtual server
497732-2 3-Major Enabling specific logging may trigger other unrelated events to be logged.
497667-2 3-Major Configuring ICMPv4/ICMPv6 ip-protocol in management port ACL rules generated an error
497263-1 3-Major Global whitelist count exhausted prematurely
496498-3 3-Major Firewall rule compilation fails in certain scenarios when there are multiple scheduled AFM rules and one of the non-scheduled AFM rules is modified.
495928-5 3-Major APM RDP connection gets dropped on AFM firewall policy change
495698-3 3-Major iRule can be deleted even though it exists in a rule-list
493234-1 3-Major Device version in AFM log message could be empty
485787-1 3-Major Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context
485771-1 3-Major TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.
480826 3-Major IPs can be added for infinite duration
478816 3-Major FastL4 TCP connection transitions are not logged
477576-1 3-Major Valid iRule command FLOWTABLE::limit gets rejected when virtual server or route domain name is not specified
474896-1 3-Major Remote logs without attack ID and mitigation fields
442535-5 3-Major Time zone changes do not apply to log timestamps without tmm restart
429885-6 3-Major Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics)
498785 4-Minor Black List Classes/Black List Categories terminology inconsistency
481189-2 4-Minor Change the default value of pccd.hash.load.factor to 25
480623 4-Minor Category defaulted to whitelist when a valid category was not specified
480196 4-Minor Packets not counted in tmctl ip_intelligence_stat on accept-decisively ACL match
478631 4-Minor No validation for Shun TTL lengths


Policy Enforcement Manager Fixes

ID Number Severity Description
489754-1 2-Critical Flow based reporting attribute mismatch between TMUI and TCL
483798-1 2-Critical TMM crashes if iRule PSC::ip_address is used after RADIUS Authentication of DHCP discovery.
481373-1 2-Critical TMM might core when deleting an entry for a user in a Radius AAA cache
472860-3 2-Critical RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
484095-1 3-Major RADIUS accounting message with multiple IPv6 prefix causes TMM crash
482137-1 3-Major Adding TCP iRules to PEM space
479917-1 3-Major TMM crashes if new IP address is added to a session through radius interim update message.
476705-1 3-Major TMM can crash if receiving radius start or stop messages with multiple IP but no subscriber ID.
474638-1 3-Major PEM: Session policy list may be lost if there is a RADIUS update of custom attributes
453959-3 3-Major UDP profile improvement for flexible TTL handling
481950-1 4-Minor DHCP: Need an upgrade script for DHCPRELAY virtuals for BIG-IP version 11.5 and 11.4
476904-2 4-Minor App type 0 session Update Failed on PEMDB: ERR_INPROGRESS


Fraud Protection Services Fixes

ID Number Severity Description
484020 2-Critical If Identify as Username is enabled for a parameter, the Encrypt checkbox is not grayed out.
492549 3-Major FPS injection only into success responses
489933 3-Major Generic malware false positives
486001 3-Major Application Layer encryption not working on password field in certain situations
485253 3-Major Enable directory protection
482034 3-Major Browser displays error in console in Firefox 3.6.22
474469 3-Major Identical source integrity alerts are present.
473771 3-Major No URL path in the Browser Automation alert
491168 4-Minor Encrypt checkbox should be greyed out for a new parameter when Application Layer Encryption is disabled under URL Configuration.
478859 4-Minor Username displayed with trailing "&" sign


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
482442-5 4-Minor [GTM] [GUI] Changes to a single wideip Propagates to All WIPs


Traffic Classification Engine Fixes

ID Number Severity Description
487512-1 2-Critical Enable Bittorrent classification in Qosmos by default
479450 2-Critical SSL traffic is not forwarded to destination



Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
484635-1 CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568 K15722 OpenSSL DTLS SRTP Memory Leak CVE-2014-3513, OpenSSL vulnerability CVE-2014-3567, and OpenSSL vulnerability CVE-2014-3568.
451218-2 CVE-2014-8730 K15882 TLS1.x padding vulnerability CVE-2014-8730.


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
478791-1 1-Blocking Hardware compression test fails on 5000 series, 7000 series, 10000 series platforms


Local Traffic Manager Fixes

ID Number Severity Description
488208-1 2-Critical openssl v1.0.1j.
485188-1 3-Major Support for TLS_FALLBACK_SCSV


Global Traffic Manager Fixes

ID Number Severity Description
487808-3 3-Major End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
476475 1-Blocking SSL accelerator card does not function on the BIG-IP 12250 platform.
479374-5 2-Critical Setting appropriate TX driver settings for 40 GB interfaces.
478948 2-Critical DC PSU reported as AC
477676 2-Critical HSB v2.3.12.1 bitstream integrated to fix HSB firmware issues
473772 3-Major SNMP reports the incorrect product name for the BIG-IP 10350 NEBS platform.
473210 3-Major Chassis Temperature Status not showing Nitrox3x3 temperatures
472767-1 3-Major Adding slots to running guests with host-iso can become stuck
467693-1 3-Major sysObjectID SNMP OID returns 'linux' instead of BIG-IP platform.
410101-3 3-Major HSBe2 falls off the PCI bus


Local Traffic Manager Fixes

ID Number Severity Description
477571-1 2-Critical HTTP/2 support.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
480931-1 CVE-2014-6271 CVE-2014-7169 CVE-2014-7187 CVE-2014-7186 CVE-2014-6277 CVE-2014-6278 K15629 Multiple BASH vulnerabilities - ShellShock


Functional Change Fixes

None


Cumulative fix details for BIG-IP v11.6.1 Hotfix 2 that are included in this release

635933-1 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Vulnerability Solution Article: K23440942 K13361021


635412-2 : Invalid mss with fast flow forwarding and software syn cookies

Vulnerability Solution Article: K82851041


634001-1 : ASM restarts after deleting a VS that has an ASM security policy assigned to it

Component: Application Security Manager

Symptoms:
ASM restarts with the following errors:

'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.

Impact:
ASM restart

Workaround:
None.

Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.


631582-4 : Administrative interface enhancement

Vulnerability Solution Article: K55792317


625376-1 : In some cases, download of PAC file by edge client may fail

Component: Access Policy Manager

Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.

Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.

Impact:
The PAC file download fails, and the client uses incorrect proxy settings because the PAC file is unavailable.

Workaround:
Use only lowercase characters in PAC file URI.

Fix:
Edge Client can now download PAC files from URIs that contain uppercase as well as lowercase characters.


624616-3 : Safenet uninstall is unable to remove libgem.so

Component: Local Traffic Manager

Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:

rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.

Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.

Impact:
Uninstall is unable to complete.

Workaround:
None.

Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.


624570-3 : BIND vulnerability CVE-2016-8864

Vulnerability Solution Article: K35322517


624457-3 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Component: TMOS

Symptoms:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Conditions:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Impact:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Fix:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html


624263-3 : iControl REST API omits profile properties explicitly set to "none" from its response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string properties that are explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with the value "none". The exception is secured attributes, which are always excluded from the iControl REST API response.
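Added example (not part of the original release note): on an affected build, a property that a child profile explicitly overrides to "none" is simply absent from the child's REST JSON, so an audit that reads only the child silently inherits the parent's value. The script below diffs a child profile's REST representation against its parent's to surface such suspected "none" overrides. Both JSON documents are constructed samples with illustrative property names (not real BIG-IP defaults), and fetch_profile() is an assumed helper for retrieving a client-ssl profile over iControl REST with basic authentication; the note itself describes neither.

```python
import base64
import json
import urllib.request

# Bookkeeping keys that never represent a configuration override.
META_KEYS = {"kind", "name", "partition", "fullPath", "generation",
             "selfLink", "defaultsFrom", "defaultsFromReference"}

# Constructed sample of a parent profile as returned by iControl REST
# (property values are illustrative, not real BIG-IP defaults).
PARENT_JSON = json.dumps({
    "kind": "tm:ltm:profile:client-ssl:client-sslstate",
    "name": "clientssl", "partition": "Common", "fullPath": "/Common/clientssl",
    "cert": "/Common/default.crt", "key": "/Common/default.key",
    "chain": "/Common/ca-bundle.crt", "ciphers": "DEFAULT",
    "renegotiation": "enabled", "secureRenegotiation": "require",
})

# Constructed sample of a child profile on which the administrator ran
# "chain none": an affected build drops "chain" from the response entirely.
CHILD_JSON = json.dumps({
    "kind": "tm:ltm:profile:client-ssl:client-sslstate",
    "name": "app_clientssl", "partition": "Common",
    "fullPath": "/Common/app_clientssl", "defaultsFrom": "/Common/clientssl",
    "cert": "/Common/app.crt", "key": "/Common/app.key",
    "ciphers": "DEFAULT:!SSLv3", "renegotiation": "enabled",
    "secureRenegotiation": "require",
})


def fetch_profile(host, name, user, password):
    """Assumed helper: GET one client-ssl profile in /Common via iControl REST."""
    url = "https://%s/mgmt/tm/ltm/profile/client-ssl/~Common~%s" % (host, name)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:  # default TLS verification applies
        return json.load(resp)


def suspected_none_overrides(parent, child):
    """Properties present on the parent but missing from the child.

    On an affected build these are exactly the child's explicit "none"
    overrides, apart from secured attributes, which REST never returns.
    """
    return sorted((set(parent) - META_KEYS) - (set(child) - META_KEYS))


def audit(parent_json, child_json):
    """Compare a child profile's JSON with its parent's and report gaps."""
    parent, child = json.loads(parent_json), json.loads(child_json)
    if child.get("defaultsFrom") != parent.get("fullPath"):
        raise ValueError("child does not inherit from the given parent")
    # Confirm every hit in tmsh (list ltm profile client-ssl <name>): REST on an
    # affected build cannot distinguish "set to none" from "not returned".
    return {"child": child["fullPath"],
            "suspected_none": suspected_none_overrides(parent, child)}


if __name__ == "__main__":
    print(json.dumps(audit(PARENT_JSON, CHILD_JSON), indent=2))
```

Run it against live data by feeding fetch_profile() output for the parent and child into audit(); every reported property still has to be confirmed with tmsh, because the REST response alone cannot tell an override of "none" from a property that was never returned.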


624245 : Hung tasks leading to system problems and lack of management access via ssh/GUI

Component: TMOS

Symptoms:
Problems with bigd, snmpd and other daemons. System becomes inaccessible via ssh and GUI.

Hung tasks recorded in kern logs, typically snmpd, bigd, chmand, big3d hung.

Caused by a CentOS kernel bug in the netlink code where a mutex is left locked on an error path.

Conditions:
Seen when a system is handling heavy SNMP traffic and memory is low.

Impact:
SNMP traffic fails with hung tasks. Reboot required.

Workaround:
Reducing SNMP load appears to avoid or postpone the problem.


624091 : DHCP relay is not forwarding all of the DHCPOFFERS to clients

Component: Policy Enforcement Manager

Symptoms:
After upgrading from v11.5.3 to v11.6.1, DHCPOFFER packets are silently dropped.

Conditions:
DHCP clients send broadcast DHCP packets with a non-zero unicast source IP address through BIG-IP alongside regular DHCP discovery packets (0.0.0.0 source IP address). Multiple client connection flows are created, and after some of them age out, BIG-IP may stop relaying DHCP server replies back to the clients.

Impact:
BIG-IP stops relaying DHCPOFFER and DHCPACK packets back to DHCP clients.

Workaround:
Manually delete all system connection flows by running "delete sys conn" in tmsh. Note that this removes every active connection on the system, not only the DHCP flows.


623562-1 : Large POSTs rejected after policy already completed

Component: Access Policy Manager

Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. Client will see a reset, and these error messages will appear on the BIG-IP:

/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big

/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960

Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.

Impact:
Clients are unable to send POST bodies to '/' that are larger than 64 KB, even though the policy has already been evaluated to allow.

Workaround:
Move the resource from '/' to another URL.

Fix:
The logic of '/' in this area was changed to be consistent with other URLs.


623401-4 : Intermittent OCSP request failures due to non-optimal default TCP profile setting

Component: TMOS

Symptoms:
The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.

Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.

Impact:
The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.

Fix:
The fix uses a TCP configuration tuned for the connection between BIG-IP and the OCSP responder, which makes that connection reliable. The virtual server can now always staple the certificate status in the Server Hello message to the SSL client.


623135 : BIG-IP virtual server TCP sequence numbers vulnerability (CVE-2002-1463)

Component: Local Traffic Manager

Symptoms:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html

Conditions:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html

Impact:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html

Fix:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html


622830 : LDAP type CRLDP is parsed incorrectly

Component: Access Policy Manager

Symptoms:
After upgrading to 11.6.1 HF1, CRLDP authentication stopped working.

It can be seen from following sample log that the URL is not parsed correctly:

warning apd[15314]: 0149015e:4: fc98d22d: CRLDP Auth agent: CRL lookup failed for LDAP url 'ldap::::389//crl.certificate.../..../certificaterevocationlist?certificateRevocationList' reason 'Invalid CRLDP URL.

Conditions:
The problem occurs only when LDAP type CRLDP is available in the client certificate and it is used from the CRL Distribution Points list.

Impact:
Users may fail access policy evaluation when client certification is used.

Workaround:
Use distribution points of a type other than LDAP in the certificate, or, if the client certificate contains multiple distribution points, make sure a non-LDAP scheme succeeds before the LDAP CRLDP is tried.

Fix:
The system now parses LDAP type CRLDP URL correctly, so after upgrading, CRLDP authentication now works as expected.
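Added example (not part of the original release note): the log line above shows what a mis-parsed CRLDP LDAP URL looks like. The parser below handles the RFC 4516 form that appears in a certificate's CRL Distribution Points extension (ldap://host[:port]/dn?attributes?scope?filter?extensions) and rejects anything it cannot turn into a usable lookup, so a revocation check fails closed on a bad URL rather than being skipped. The URLs in the test are constructed; the helper names are this example's own, and obtaining the URL from the certificate is assumed to be done elsewhere.

```python
from urllib.parse import unquote

# RFC 4516 search scopes; an absent scope means "base".
_SCOPES = {"base", "one", "sub"}


def parse_ldap_url(url):
    """Parse an RFC 4516 LDAP URL as found in a CRL Distribution Point.

    Returns a dict with scheme, host, port, dn, attributes, scope, filter
    and extensions.  Raises ValueError for anything that is not a usable
    LDAP URL (wrong scheme, missing host, bad port, unknown scope).
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    port = 636 if scheme == "ldaps" else 389
    if hostport.startswith("["):                       # IPv6 literal
        host, _, after = hostport[1:].partition("]")
        if after.startswith(":"):
            port = int(after[1:])
    elif ":" in hostport:
        host, _, port_text = hostport.rpartition(":")
        port = int(port_text)                          # ValueError if not numeric
    else:
        host = hostport
    if not host:
        raise ValueError("LDAP URL has no host, cannot fetch a CRL: %r" % url)
    if not 0 < port < 65536:
        raise ValueError("bad port in LDAP URL: %r" % url)
    # dn?attributes?scope?filter?extensions; absent trailing parts are empty.
    parts = tail.split("?", 4) + [""] * 5
    dn, attrs, scope, filt, exts = parts[:5]
    scope = scope.lower() or "base"
    if scope not in _SCOPES:
        raise ValueError("bad scope %r in LDAP URL" % scope)
    return {
        "scheme": scheme, "host": host, "port": port,
        "dn": unquote(dn),
        "attributes": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope,
        "filter": unquote(filt) or "(objectClass=*)",   # RFC 4516 default filter
        "extensions": [unquote(e) for e in exts.split(",") if e],
    }


def is_usable_crldp(url):
    """True if the URL parses and asks for a CRL (or for all attributes)."""
    try:
        parsed = parse_ldap_url(url)
    except ValueError:
        return False
    attrs = parsed["attributes"]
    return not attrs or "certificateRevocationList" in attrs
```

A CRLDP agent would issue an LDAP search with the returned dn, scope, filter and attributes against host:port and parse the certificateRevocationList value it gets back; a URL that is_usable_crldp() rejects should cause the policy evaluation to fail, not to proceed without a revocation check.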


622244-1 : Edge client can fail to upgrade when always connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade an Edge client may fail if the Always Connected mode is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client

Impact:
Upgrade will fail

Workaround:
Disable the Always Connected mode

Fix:
Upgrade functions as intended regardless of connection mode


622166 : HTTP GET requests with HTTP::cookie iRule command receive no response

Component: Local Traffic Manager

Symptoms:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers do not get a response.

Conditions:
An LTM virtual server with an iRule including the HTTP::cookie command.

Impact:
No response is received by the client.

Workaround:
None.

Fix:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers now get a response as expected.


621524-3 : Processing Timeout When Viewing a Request with 300+ Violations

Component: Application Security Manager

Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.

Conditions:
Attempting to view a request that triggered hundreds or thousands of violations

Impact:
A timeout is encountered.

Workaround:
Increase the "max_execution_time" timeout in /usr/local/lib/php.ini from 30 to 240 seconds.

Fix:
Processing high violation requests is now more efficient.


621417-1 : sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.

Component: TMOS

Symptoms:
On a BIG-IP deployed in the AWS cloud, sys-icheck reports size and md5 errors for the /usr/share/defaults/bigip_base.conf file, as follows:

ERROR: S.5...... c /usr/share/defaults/bigip_base.conf (no backup)

Conditions:
BIG-IP deployed in AWS cloud.

Impact:
sys-icheck reports "rpm --verify" size and md5 errors for /usr/share/defaults/bigip_base.conf. This has no functional impact on the product, but it looks as if the factory configuration file was modified incorrectly by a user or application.

Workaround:
No workaround exists for this issue.

Fix:
sys-icheck no longer reports size and md5 errors for /usr/share/defaults/bigip_base.conf on a BIG-IP deployed in AWS.


621242 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
The reserved free space in the VM image was increased from 15% to 30% to accommodate upgrades to future versions. Each new version tends to be larger and to require more disk space to install. The increased reserved space allows upgrading to at least the next two versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.


621239-1 : Certain DNS queries bypass DNS Cache RPZ filter.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.

Conditions:
A DNS Cache configured with RPZ.

Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.

Fix:
The DO-bit is now ignored with respect to RPZ filtering.
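Added example (not part of the original release note): a way to check whether a DNS cache applies its RPZ policy regardless of the DO bit. The script builds the same query twice, once with an EDNS0 OPT record carrying DO=0 and once with DO=1, sends both to the cache and compares the answers; if the DO=0 reply shows the RPZ action (NXDOMAIN or a rewritten address) while the DO=1 reply carries the real answer, the cache is affected. Message construction and parsing are done by hand so the check has no dependencies; SAMPLE_REPLY is a constructed reply used only to exercise the parser, and 192.0.2.1 is a documentation address. The probe() function needs network access to the cache's listener, which is assumed to be reachable on UDP port 53.

```python
import random
import socket
import struct

OPT_TYPE = 41       # EDNS0 OPT pseudo-RR type
A_TYPE = 1
DO_FLAG = 0x8000    # DO bit is bit 15 of the OPT RR's 32-bit TTL field (RFC 6891)


def build_query(qname, do_bit, qtype=A_TYPE, txid=None, udp_size=4096):
    """Build a wire-format query with one EDNS0 OPT RR, DO set or clear."""
    if txid is None:
        txid = random.randrange(65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = b""
    for label in qname.rstrip(".").split("."):
        question += struct.pack("!B", len(label)) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)        # QCLASS IN
    ttl = DO_FLAG if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a domain name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def summarize(msg):
    """Return rcode, answer count, A records and whether OPT carries DO=1."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # QTYPE + QCLASS
    do, a_records = False, []
    for index in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            do = bool(ttl & DO_FLAG)
        elif rtype == A_TYPE and index < an and rdlen == 4:
            a_records.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0xF, "answers": an, "do": do, "a_records": a_records}


def rpz_bypassed(results):
    """True when the DO=1 reply differs from the (filtered) DO=0 reply."""
    clear, do = results[False], results[True]
    return (clear["rcode"], clear["a_records"]) != (do["rcode"], do["a_records"])


def probe(server, qname, port=53, timeout=2.0):
    """Query the cache with DO=0 and DO=1 for a name your RPZ zone blocks."""
    out = {}
    for do in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(qname, do), (server, port))
            reply, _ = sock.recvfrom(4096)
        out[do] = summarize(reply)
    return out


# Constructed reply: www.example.com A 192.0.2.1 plus an OPT RR with DO=1.
SAMPLE_REPLY = bytes.fromhex(
    "123481800001000100000001"                    # id, flags QR/RD/RA, 1 q, 1 an, 0 ns, 1 ar
    "03777777076578616d706c6503636f6d0000010001"  # www.example.com A IN
    "c00c000100010000003c0004c0000201"            # ptr 0x0c, A, IN, ttl 60, 192.0.2.1
    "0000291000000080000000")                     # root, OPT, size 4096, DO=1, no rdata
```

Use it as results = probe("<dns-cache-listener>", "<blocked.name>") followed by rpz_bypassed(results); a True result means the DO=1 query slipped past the policy.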


621202-1 : Portal Access: document.write() with very long string as argument may be handled incorrectly.

Component: Access Policy Manager

Symptoms:
JavaScript code may include document.write() calls with very long strings (> 60K). In some cases these strings may be rewritten incorrectly.

Conditions:
- document.write() with very long string as argument.
- argument string contains HTML tags with quoted attribute values which include '>' inside.

Impact:
The rewritten HTML page may not work correctly.

Fix:
Now document.write() calls with long HTML strings are handled correctly by Portal Access.


620922-1 : Online help for Network Access needs update

Component: Access Policy Manager

Symptoms:
Online help for advanced network settings does not tell users that if they fill in the DNS Address Space setting, they also need to install the DNS Relay Proxy service on Windows-based systems to get the desired result.

Conditions:
Split tunneling configured. Windows-based system in use. DNS Address Space setting filled in.

Impact:
Use of DNS Address Space setting does not provide the expected result.

Workaround:
Install the DNS Relay Proxy server on Windows-based systems.

Fix:
Network Access online help now states that for DNS Address Space to work properly on a Windows-based system, the DNS Relay Proxy service must be installed and running on the client.


620712-1 : Added better search capabilities on the Pool Members Manage & Pool Create page.

Component: Global Traffic Manager (DNS)

Symptoms:
Large numbers of virtual servers were hard to manage on the GSLB Pool Member Manage page.

Conditions:
A large number of virtual servers or wide IPs.

Impact:
Poor usability.

Workaround:
No workaround.

Fix:
The GSLB Pool Member Manage page now has a search feature in the form of a combo box to allow for better management of large numbers of virtual servers.

Behavior Change:
The GSLB Pool Member Manage page now has a search feature to allow for better management of large numbers of virtual servers.


620614-2 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account

Component: Access Policy Manager

Symptoms:
The iOS Citrix receiver fails to add a new store account: tapping Save after providing the credentials displays "Loading" and then returns to the Save option.

/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.

Instead of the error above, the following error may appear, which deletes the session ID abruptly:

Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).

Conditions:
APM is configured in Citrix replacement mode with APM session rotation enabled. The user enters a wrong passcode for RSA SecurID authentication three times in a row, which triggers the next-token prompt, and then enters the correct passcode on the fourth attempt.

Impact:
iOS Citrix receiver could not add the account after providing wrong token values for two factor auth

Workaround:
Kill the iOS Citrix receiver application and click on the receiver again to add the account.

Fix:
Use the right session id for decrypting the password.


620215-3 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.


619879-3 : HTTP iRule commands could lead to WEBSSO plugin being invoked

Component: Access Policy Manager

Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 bigip3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor

With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 bigip3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Conditions:
HTTP::disable followed by HTTP::enable.

when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other stuff (iRules are Tcl, so comments use '#')
    HTTP::enable
}

Impact:
The client receives an HTTP 503 and the connection is reset.

Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.

Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.


619757-3 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.


619710 : GUI gives error when clicking "Update" making changes to VS in Security-Policies

Component: Advanced Firewall Manager

Symptoms:
The GUI times out and generates an error when the ASM policy takes a long time to update (on the Virtual Server Security page).

Conditions:
When the same ASM policy is attached to hundreds of virtual servers, it takes longer to update.

Impact:
GUI times out before the changes are saved. Users will be able to see the updated changes only after refreshing the page.

Workaround:
Refresh the page in the browser once the error shows up.

Fix:
GUI doesn't time out when ASM policy is updated.


619528-2 : TMM may accumulate internal events resulting in TMM restart

Component: Local Traffic Manager

Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.

Conditions:
HTTP virtual with long-lived connections.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.

Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.


619398-4 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.


618517-2 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file

Component: Local Traffic Manager

Symptoms:
- On 11.6.1, bigd erroneously marks pool members down, and messages similar to the following appear in the LTM log file:

Sep 23 10:45:59 bipve1 warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.

- On 12.1.x, this bug has negligible impact.

Conditions:
Monitoring must be in use, bigd debug logging must be enabled, and the bigd debug log file (/var/log/bigdlog) must be full.

Impact:
- On 11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.

- In 12.1.x, some of the underlying logging code changed and there is no real impact.

Workaround:
You can rotate the log file, using the following command:
logrotate -f bigdlog

Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.


618324-2 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
After upgrading from OPSWAT SDK V3 to V4, opening an Access Policy in the VPE displays "Any" for an OPSWAT checker (e.g., the Anti-Virus checker) that contains an undefined ID, i.e., one that was previously defined but is no longer supported. The correct display would be "Unsupported" or "Invalid" product.

Conditions:
An access policy whose OPSWAT checker references an ID that is no longer supported after upgrading from OPSWAT SDK V3 to V4.

Impact:
Wrongful information displayed.

Workaround:
N/A

Fix:
The VPE now displays such IDs as invalid (*** Invalid ***) rather than as "Any".


618261-3 : OpenSSL vulnerability CVE-2016-2182

Vulnerability Solution Article: K01276005


617862-1 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: Your TCP handshake will not prematurely timeout and connections remains open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on idleness of the connection, taking into account any SYN retransmissions or similar activity that might occur.


617858-1 : bigd core when using Tcl monitors

Component: Local Traffic Manager

Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.

Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).

Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.

Workaround:
None.

Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.


617824-2 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.

Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.

Workaround:
You can work around the problem by disabling oneConnect.


617316-1 : Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration

Component: Access Policy Manager

Symptoms:
Desktop launched from browser or from native receiver has garbled title.

Conditions:
Citrix storefront integration mode through APM with no STA configured. Double byte language such as Japanese character set is used in the backend.

Impact:
Desktop title is not shown properly.

Workaround:
None

Fix:
Double byte character language title is shown properly


617310-1 : Edge client can fail to upgrade when Always Connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade from an Edge client version to a current version fails when Always Connected is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client.

Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.

Workaround:
Turn off Always Connected before upgrading.

Fix:
Edge client now succeeds during upgrade when Always Connected is selected.


617002-3 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Component: Access Policy Manager

Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.

Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.

Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.

Fix:
The system now handles response analytics correctly for these URLs and does not send resets to the client.


616864-3 : BIND vulnerability CVE-2016-2776

Component: TMOS

Symptoms:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Conditions:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Impact:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Fix:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html


616838 : Citrix Remote desktop resource custom parameter name does not accept hyphen character

Component: Access Policy Manager

Symptoms:
Adding a custom parameter whose name contains a hyphen to a Citrix resource produces a parse error such as the following:

01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"

Conditions:
A Citrix resource with a custom parameter whose name contains a hyphen character.

Impact:
Custom parameter names cannot contain a hyphen character.

Workaround:
None

Fix:
Custom parameter names containing a hyphen character are now accepted.


616242-2 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

    01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
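Added example (not part of the original release note): a pre-upgrade check for the condition described above. It walks the filestore for certificate_key_d directories, flags key files whose first line is blank, and optionally strips the leading blank lines in place. The filestore root path and directory naming are assumptions from typical BIG-IP layouts; SAMPLE_BAD_KEY is a constructed file body, not a real key. Take a UCS archive before running with fix=True, since it rewrites files in the filestore directly.

```python
import os

# Assumed filestore root on BIG-IP; key files live under .../<partition>_d/certificate_key_d/.
KEY_DIRS = ["/config/filestore/files_d"]


def leading_blank_lines(data):
    """Count empty or whitespace-only lines before the first content line."""
    count = 0
    for line in data.splitlines(keepends=True):
        if line.strip():
            break
        count += 1
    return count


def strip_leading_blank_lines(data):
    """Return the file content with its leading blank lines removed."""
    lines = data.splitlines(keepends=True)
    return b"".join(lines[leading_blank_lines(data):])


def check_key_file(data):
    """Classify one key file body.

    Returns (status, content) where status is 'ok', 'leading-blank' or
    'not-pem'; content is the repaired body for 'leading-blank', else the input.
    """
    blanks = leading_blank_lines(data)
    fixed = strip_leading_blank_lines(data) if blanks else data
    if not fixed.startswith(b"-----BEGIN"):
        return "not-pem", data          # something else is wrong; leave it alone
    return ("leading-blank" if blanks else "ok"), fixed


def scan(roots=KEY_DIRS, fix=False):
    """Report (and optionally repair) key files that start with a blank line."""
    affected = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            if os.path.basename(dirpath) != "certificate_key_d":
                continue
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                status, fixed = check_key_file(data)
                if status == "leading-blank":
                    affected.append(path)
                    if fix:
                        with open(path, "wb") as fh:
                            fh.write(fixed)
    return affected


# Constructed sample: an encrypted key whose first line is blank (CRLF).
SAMPLE_BAD_KEY = (b"\r\n"
                  b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                  b"AAAA (constructed placeholder body, not a real key)\n"
                  b"-----END ENCRYPTED PRIVATE KEY-----\n")


if __name__ == "__main__":
    for path in scan():
        print("leading blank line(s):", path)
```

Run scan() before the upgrade to list affected files, then scan(fix=True) to strip the blank lines; key files that do not start with a BEGIN line after stripping are reported as 'not-pem' and left untouched for manual inspection.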


616215-2 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.


615934-2 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.


615260 : out of memory condition when URL categorization is configured to work with large feedlists

Component: Traffic Classification Engine

Symptoms:
An out-of-memory condition occurs when URL categorization is configured to work with large (millions of records) feedlists.

Conditions:
To hit this issue, a user must load and unload a large feedlist multiple times.

Impact:
Swap usage grows and eventually the system runs out of memory.

Fix:
This problem is fixed in v12.1


615187-1 : Missing hyperlink to GSLB virtual servers and servers on the pool member page.

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to GSLB virtual servers and servers on the pool member page were removed in 11.x.

Conditions:
Have a GSLB pool with pool members set up.

Impact:
You must manually note the member's virtual server or server.

Workaround:
Manually take note of virtual or server and search for it.

Fix:
Added hyperlink to GSLB virtuals and servers on the pool member page.


614891-4 : Routing table doesn't get updated when EDGE client roams among wireless networks

Component: Access Policy Manager

Symptoms:
Users of the Edge client report that they are unable to reach the VPN when they switch Wi-Fi networks.

Conditions:
This is triggered when a device running the Edge client is on a Wi-Fi network and then roams to another Wi-Fi network that has a different default route.

Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.


614865-2 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
The overwrite flag in the key_import_from_pem_v2() and certificate_import_from_pem_v2() iControl functions is now processed correctly, and these calls no longer produce errors.


614563-1 : AVR TPS calculation is inaccurate

Component: Advanced Firewall Manager

Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.

Conditions:
DoS profile attached to the virtual server.

Impact:
Attack can wrongly be detected.

Workaround:
None.

Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.


613673-1 : Pool members may not be marked up and/or there might be a slight delay in monitors

Component: Local Traffic Manager

Symptoms:
A UDP monitor might fail to mark a pool member up even when the pool member is up.

Other monitor types may mark a pool member down.

A slight delay (less than 0.1 seconds) might be noticed in monitor traffic sent by the BIG-IP.

Conditions:
To experience the incorrect pool member status issue, there is generally some other monitor on the system that is legitimately down.

To experience the delay, run an affected version. The issue has been observed with TCP, HTTP, and HTTPS monitors.

Impact:
Incorrect pool member status or pool member flapping.

Connections to monitored pool members might last slightly longer than necessary.

Workaround:
None.

Fix:
In this release, the system now correctly sets pool member status and connections to monitored pool members no longer last longer than necessary.


613613-1 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application can not work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.


613576-2 : QOS load balancing links display as gray

Component: Global Traffic Manager

Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and load balancing to the first available link in each pool is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all ilnks from configuration or install this hotfix.


613536-2 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
A STATS:: command is invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information, so invoking STATS:: to store data from the connection fails and causes tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED.


613088-1 : pkcs11d thread has session initialization problem.

Component: Local Traffic Manager

Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.

Conditions:
This occurs when SafeNet is configured on a VIPRION chassis.

Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.

Workaround:
None.

Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.


613045 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.

Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.


612419-2 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround, but it is a relatively slow leak. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.


612229-2 : TMM may crash if a disable 'LTM Policy' action is not the last action

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing an LTM policy.

Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- A disable 'LTM Policy' action is not the last one in the list of actions.

Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.

Workaround:
Ensure any LTM policy disable action is the last in the list of actions.

Fix:
TMM no longer crashes if a disable 'LTM Policy' action is not last in the list of actions in the rule.


612128 : OpenSSH vulnerability CVE-2016-6515

Vulnerability Solution Article: K31510510


611669-1 : Mac Edge Client customization is not applied on macOS 10.12 Sierra

Component: Access Policy Manager

Symptoms:
The Mac Edge Client's icon, application name, company name, and other attributes can be customized on BIG-IP before deployment to end users' machines. On macOS 10.12 Sierra, however, this customization is not applied to the Mac Edge Client.

Conditions:
macOS Sierra 10.12, Edge client, customization

Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. There should be no functional impact, but the user sees the default application appearance.

Workaround:
Run the following command in Terminal and re-launch the Edge client:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

Fix:
The Edge client now honors customization on macOS Sierra 10.12.


611469-2 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Vulnerability Solution Article: K95444512


611355 : tmm core with PEM

Component: Policy Enforcement Manager

Symptoms:
tmm cores intermittently on SIGSEGV.

Conditions:
A background job processing HA session information might rarely trigger this. No external factor causes this.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the rarely encountered issue in which a background job processing HA session information might have triggered a tmm core.


610609-1 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example, if you send a single connection through the BIG-IP, it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.


610429-3 : X509::cert_fields iRule command may leak memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields.


610248 : IE 11 browser does not display VDI profile columns properly

Component: Access Policy Manager

Symptoms:
Microsoft Internet Explorer version 11 browsers do not properly display the two columns 'General information' and 'MSRDP settings' in the VDI profile edit window.

Conditions:
Using IE 11 browser, and APM is provisioned to use VDI profile.

Impact:
Makes it difficult to configure VDI profile using the GUI.

Workaround:
Use other browsers to configure VDI profile.

Fix:
Microsoft Internet Explorer version 11 browsers now properly display the two columns 'General information' and 'MSRDP settings' in the VDI profile edit window.


610243 : HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication

Component: Access Policy Manager

Symptoms:
The HTML5 client cannot be used to access the published applications or desktops.
HTML5 client access returns a blank/black screen and displays "Can not connect to the server".

Conditions:
APM is configured in Citrix Storefront integration mode, and HTML5 client access is enabled in Storefront.

Impact:
The HTML5 client cannot be used to access the published resources.

Workaround:
None.

Fix:
HTML5 client can be used to access the published resources.


610224-1 : APM client may fetch expired certificate when a valid and an expired certificate co-exist

Component: Access Policy Manager

Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.

Conditions:
A valid and an expired certificate co-exist in the certificate store.

Impact:
Machine Certificate check fails.

Workaround:
Remove the expired certificate from the store.

Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.


610180-3 : Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as a SAML SP and SLO is not properly configured on the associated saml-idp-connector objects, an IdP-initiated SAML SLO may result in a memory leak in the SSO plugin.

Conditions:
- BIG-IP is used as SP.
- The associated saml-idp-connector object has the 'single-logout-uri' property configured, but the 'single-logout-response-uri' property is empty.
- A user performs an IdP-initiated SAML SLO.

Impact:
The SSO plugin leaks memory.

Workaround:
There are two possible workarounds:
- Fix the misconfiguration: configure SLO correctly by adding a value to the 'single-logout-response-uri' property of the IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.

Fix:
With the fix, memory no longer leaks in the SSO plugin even when SLO is misconfigured.


609496-1 : Improved diagnostics in BD config update (bd_agent) added

Component: Application Security Manager

Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.

Conditions:
Further troubleshooting of BD config update transmission is needed.

Impact:
No diagnostics are available.

Workaround:
None.

Fix:
Improved diagnostics in BD config update (bd_agent) were added.


609119-5 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.

Fix:
The logging system no longer prints a blank message in response to failed File Object configuration change validations.


609084-1 : Max number of chunks not configurable above 1000 chunks

Component: Application Security Manager

Symptoms:
If a request contains more than 1000 chunks, the request is blocked and the system posts the following message in the ASM event log:

Unparsable request content Chunks number exceeds request chunks limit: 1000.

Conditions:
This occurs when the request exceeds 1000 chunks.

Impact:
Requests that are valid from the server side are being rejected.

Workaround:
None.

Fix:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a maximum number of chunks greater than 1000. The default value is 1000.

Behavior Change:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a maximum number of chunks greater than 1000. The default value is 1000.


608742-4 : DHCP: DHCP renew ack messages from the server are dropped by BIG-IP in Forward mode.

Component: Policy Enforcement Manager

Symptoms:
When BIG-IP is configured in Forwarding mode, the renewal ack message from the server in response to a unicast renewal message from a DHCP client is dropped.

Conditions:
BIG-IP in forwarding mode. DHCP clients send unicast renewal messages to the DHCP server.

Impact:
Unicast DHCP renewal requests are not acked. DHCP clients then send broadcast renewal messages, which are acked by the servers.

Workaround:
After failing to receive acks from the DHCP server for unicast DHCP renewal messages, the DHCP client sends broadcast DHCP renewal messages; these are acked by the DHCP server, and the acks are forwarded by BIG-IP and received by the DHCP client.


608408-4 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library

Component: Access Policy Manager

Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.

Conditions:
All of the following:
- The BIG-IP system is used as SAML IdP.
- New SAML SSO configuration is added on BIG-IP.
- A rarely occurring internal tmconf error happens when processing the newly added configuration.

Impact:
TMM may restart.

Workaround:
None.

Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.


608320-4 : iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value of "none". The exception to this policy is secured attributes. Secured attributes are always excluded from the iControl REST API response.


607713-4 : SIP parser fails a header with multiple sequential separators inside a quoted string.

Component: Service Provider

Symptoms:
The SIP parser fails a header with multiple sequential separators inside a quoted string.

Conditions:
A SIP header contains multiple attribute separators (',' or ';') in sequence within an attribute.

Impact:
The SIP parser flags the message as an error. If the sequential separators occur inside a quoted string within the attribute, they should be allowed, but the message still fails. As a result, valid SIP messages fail to be parsed.

Workaround:
None.

Fix:
The SIP parser has been improved to ignore multiple sequential separators if they are within quotes.
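The failure mode in this entry is a parameter splitter that cuts a header value on ';' and ',' without tracking whether it is inside a quoted string. The following is an added example, not F5's SIP parser: a quote-aware splitter beside a quote-unaware one that rejects the empty token produced by consecutive separators, so the difference in outcome on the same header is visible. The sample header value and the function names are constructed for illustration.

```python
import re

# Constructed sample: a display name containing ", " and ";;" inside quotes,
# followed by a genuine ';tag=' parameter outside the quotes.
SAMPLE_FROM = '"Smith, J.;;Ops" <sip:jsmith@example.com>;tag=abc123'


def split_sip_params(header_value, separators=";,"):
    """Split a SIP header value on ';' or ',' that lie outside double quotes.

    Runs of consecutive separators outside quotes (e.g. 'a;;b') collapse to a
    single split; separators inside a quoted string are kept verbatim.
    Backslash escapes inside quotes (RFC 3261 quoted-pair) are honoured.
    """
    parts, buf = [], []
    in_quotes = escaped = False
    for ch in header_value:
        if in_quotes:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quotes = False
        elif ch == '"':
            in_quotes = True
            buf.append(ch)
        elif ch in separators:
            token = "".join(buf).strip()
            if token:
                parts.append(token)
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated quoted string in SIP header")
    token = "".join(buf).strip()
    if token:
        parts.append(token)
    return parts


def naive_split(header_value):
    """Quote-unaware splitter that rejects empty attributes, mimicking the
    behaviour the entry describes (an assumed model, not BIG-IP's code)."""
    parts = [p.strip() for p in re.split(r"[;,]", header_value)]
    if any(p == "" for p in parts):
        raise ValueError("empty attribute between separators")
    return parts


def parse_outcomes(header_value):
    """Return (quote-aware parts, naive parts or None if the naive parser rejected)."""
    try:
        naive = naive_split(header_value)
    except ValueError:
        naive = None
    return split_sip_params(header_value), naive


if __name__ == "__main__":
    aware, naive = parse_outcomes(SAMPLE_FROM)
    print("quote-aware:", aware)
    print("naive      :", naive)
```

On the constructed From header the quote-aware splitter yields two parts (the quoted display name plus address, and the tag parameter), while the naive splitter rejects the message because the ";;" inside the quotes produces an empty token.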


607360-2 : Safenet 6.2 library missing after upgrade

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.

Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.

Impact:
Safenet 6.2 is not functional.

Workaround:
Reinstall Safenet 6.2, or run this command on all blades of the BIG-IP after the installation:

ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so

Fix:
The system now adds the symbolic link to libgem when the pkcs11d daemon starts or restarts.


607304-2 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.


606575-3 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response and manually detach the client side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    catch { ONECONNECT::detach enable }
}

Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.


606540-1 : DB variable changed via GUI does not sync across HA group

Component: TMOS

Symptoms:
If a configuration change is made in the BIG-IP GUI which is backed by a DB variable, the change is not synced to other devices in the same sync-failover device group.
If the same db variable change is made using the Traffic Management Shell (tmsh), the db variable change will be synced to other devices in the same sync-failover device group.

Note that db variable changes are never synced to devices in sync-only device groups.

Conditions:
1. BIG-IP systems in HA group, provisioned with modules (in addition to LTM) which create their own device groups (for example, ASM).
2. Original sync-failover device group replaced by a different sync-failover device group.
3. Using the GUI to change a configuration item which is backed by a DB variable.
Examples include:
failover.standby.linkdowntime (GUI: Device Management :: Device Groups : <fodg_name> : Failover : Link Down Time on Failover )
statemirror.clustermirroring (GUI: Device Management :: Devices : <device_name> : Cluster Options )

Impact:
Configuration of devices within a sync-failover device group may not be synchronized as expected.

Workaround:
To force synchronization of a db variable change made via the GUI, use a tmsh command of the following form:

tmsh modify cm device-group <sync-failover device group name> devices modify { <device name> { set-sync-leader } }

If the sync-failover device group is not automatically synced, manually sync the device group:

tmsh run cm config-sync to-group <sync-failover device group name>


To avoid creating a db variable change that will not be synchronized across sync-failover device group members, change the configuration or db variable using tmsh:

tmsh modify sys db <variable name> value <new value>

If the sync-failover device group is not automatically synced, manually sync the device group:

tmsh run cm config-sync to-group <sync-failover device group name>

Fix:
DB variable changed via GUI now syncs across HA group as expected.


605921 : scriptd and mcpd cores following multiple failovers due to bd (asm)

Component: Application Security Manager

Symptoms:
You encounter multiple failovers due to BD (asm) failure and mcpd coring. The GUI is sluggish, then bd becomes unresponsive or mcpd cores.

Conditions:
Apply policies on a device at the same time that it becomes the Master Blade.

Impact:
A deadlock condition can occur when policies are being applied at the same time as a change arrives in the cluster config.

Workaround:
None.

Fix:
Fixed a deadlock condition when applying policies.


605865-2 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.


605616-3 : Creating 256 Fundamental Security policies will result in an out of memory error

Component: Application Security Manager

Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.

Conditions:
Create 256 fundamental security policies.

Impact:
Out of memory error.

Workaround:
None.

Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.


605476-2 : istatsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.

Impact:
The istatsd process restarts due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround resets all statistics in the iStats files.

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged

3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete

4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged

Fix:
Added a fix to protect against continually reading a segment file that is corrupted and has duplicate FIDs.


605427-2 : TMM may crash when adding and removing virtual servers with security log profiles

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.

Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes with multiple creation, modification and deletion of many virtual servers with security log profiles attached.


604977-3 : Wrong alert when DTLS cookie size is 32

Component: Local Traffic Manager

Symptoms:
When a ServerSSL profile using DTLS receives a cookie with a length of 32 bytes, it sends a fatal alert.

Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.

Impact:
DTLS with cookie size 32 is not supported.


604931-1 : bgpd might core on restarting process with BGP debug enabled.

Component: TMOS

Symptoms:
On a BIG-IP system configured with dynamic routing using the BGP routing protocol, when BGP debugging is enabled, the bgpd daemon may crash.

Conditions:
- BGP configured and peering established.
- BGP debugging enabled.
- BGP process is restarted gracefully.

Impact:
bgpd may crash.

Workaround:
Disable BGP debug.

Fix:
bgpd no longer cores when the process is restarted with BGP debug enabled.


604767-4 : Importing a SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of the IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing a SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
The described behavior results in misconfiguration. SAML WebSSO subsequently fails.

Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.


604442-1 : iControl log

Vulnerability Solution Article: K12685114


603945-1 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add it, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.

Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.


603606 : tmm core

Component: Local Traffic Manager

Symptoms:
A tmm core occurs with the following log message: notice panic: ../kern/page_alloc.c:521: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


603598-2 : big3d memory growth under extreme load conditions

Component: Global Traffic Manager

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains a queue for monitor requests. Incoming monitor requests are first placed in the Pending queue. Requests are moved from the Pending queue to the Active queue if there is room in the Active queue.

When the Pending queue is full, there is no room for the monitor request. big3d attempts to clean up the monitor request, but fails to completely free the memory. This might result in a significant memory leak.

For this to happen, the Active queue must be full as well as the Pending queue.

One possible condition that might cause this is multiple monitors timing out. This results in monitors having long lifetimes, which keeps the Active queue full. Thus the Pending queue might become full and the memory leak can occur.

In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots.

In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue.

Since the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest itself there. In later versions, the leak is still possible, but is less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chance that the Pending queue becomes full.

There is no mechanism to resize the queues.

Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.


603479-1 : "ASM starting" while it's already running, causing the restart of all ASM daemons

Component: Application Security Manager

Symptoms:
ASM daemons suddenly restart, with the message "ASM Starting" in '/var/log/asm', while ASM is already running and without ASM stopping first.

Conditions:
Unknown.

Impact:
ASM daemons restart.

Workaround:
N/A

Fix:
The ASM start script is now prevented from executing if ASM is already running, which removes the possibility of a spurious ASM start while ASM is running.


603293-3 : Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs

Component: Access Policy Manager

Symptoms:
L4 Dynamic ACL is not applied to incoming traffic when assigned in combination with L7 ACL.

Conditions:
APM supports a combination of L7 ACL and L4 ACL to be assigned to one session. When L7 ACLs are assigned with higher priority than L4 ACLs, the processing of L4 ACLs is automatically deferred until L7 information is available. The issue here is that when none of L7 ACLs with higher priority match with the traffic, L4 ACL is incorrectly marked to be applied only to HTTP traffic. Therefore if the incoming traffic is not HTTP, for example, HTTPS, then this particular dynamic L4 ACL is bypassed.

Impact:
L4 Dynamic ACL is not applied correctly.

Workaround:
Reorder the L4 ACLs with higher priority than the L7 ACLs if possible, or, to prevent the issue from occurring, avoid assigning L7 ACLs if they are not needed.

Fix:
When an L7 ACL is assigned in combination with an L4 Dynamic ACL, the L4 Dynamic ACL is now correctly applied to all kinds of traffic, not only HTTP traffic.


603236-2 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware

Component: Local Traffic Manager

Symptoms:
Creating keys of size 1024 or 4096 fails when the SafeNet client version installed on BIG-IP is 6.2 and the SafeNet appliance firmware is 6.10.9.

Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.

Impact:
Cannot create RSA keys of size 1024 or 4096.

Workaround:
None.

Fix:
Removed the config line, RSAKeyGenMechRemap = 1, that was conflicting with 6.10.9 firmware.


603149-1 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy

Component: TMOS

Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.

Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.

Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.

Workaround:
Before the fix, decrease lifetime-kilobytes until the SA lifetime is stable.

Fix:
The fix should make every value no more than 4294967295 kilobytes work correctly, without becoming some smaller value. (Note this value is 2^32-1.) If the size of ike-phase2-lifetime-kilobytes becomes 64-bit in the future, this will also work, causing a 64-bit value for kilobytes to occur in isakmp negotiation.
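The entry above says a large ike-phase2-lifetime-kilobytes value is processed "as if the value were smaller" but does not say where that happens. The following is an added example, not F5 code, and it assumes the usual cause of that symptom: the kilobyte count being converted to a byte count in unsigned 32-bit arithmetic, which wraps once the product exceeds 2^32. It places the 32-bit conversion beside a 64-bit one and adds a pre-flight check an administrator could run on a configured value. The function names and the threshold the code derives are illustrative assumptions, not documented BIG-IP behaviour.

```python
UINT32_MAX = 2**32 - 1   # largest configurable lifetime in kilobytes (per the entry)
UINT64_MAX = 2**64 - 1


def lifetime_bytes_32bit(lifetime_kb):
    """Kilobytes -> bytes computed in unsigned 32-bit arithmetic.

    Assumed failure mode, not a statement about BIG-IP's actual code: any
    value of 2^22 KB (4 GiB) or more wraps around and becomes far smaller.
    """
    return (lifetime_kb * 1024) & 0xFFFFFFFF


def lifetime_bytes_64bit(lifetime_kb):
    """Same conversion in 64-bit arithmetic: exact for every value that fits
    in 32 bits of kilobytes, since the product never exceeds 2^42."""
    return (lifetime_kb * 1024) & UINT64_MAX


def effective_lifetime_kb(lifetime_kb, width=32):
    """Kilobytes the SA actually gets once the byte count has been computed
    with the given integer width."""
    to_bytes = lifetime_bytes_32bit if width == 32 else lifetime_bytes_64bit
    return to_bytes(lifetime_kb) // 1024


def largest_safe_kb_32bit():
    """Largest kilobyte value whose byte count still fits in 32 bits."""
    return 0xFFFFFFFF // 1024   # 4194303


def check_lifetime_kb(lifetime_kb):
    """Pre-flight check for a configured ike-phase2-lifetime-kilobytes value.

    Raises on values outside the configurable range; returns True when a
    32-bit byte count would shrink (or zero) the effective lifetime.
    """
    if not 0 < lifetime_kb <= UINT32_MAX:
        raise ValueError(f"lifetime {lifetime_kb} KB is outside 1..{UINT32_MAX}")
    return effective_lifetime_kb(lifetime_kb, 32) != lifetime_kb


if __name__ == "__main__":
    for kb in (largest_safe_kb_32bit(), largest_safe_kb_32bit() + 1, UINT32_MAX):
        print(f"{kb:>10} KB -> 32-bit: {effective_lifetime_kb(kb, 32):>10} KB, "
              f"64-bit: {effective_lifetime_kb(kb, 64):>10} KB, "
              f"shrinks: {check_lifetime_kb(kb)}")
```

Under this model the maximum value 4294967295 KB becomes 4194303 KB after a 32-bit conversion (roughly 4 GiB instead of 4 TiB), and 4194304 KB wraps to exactly zero; the 64-bit conversion returns every value unchanged, which is the behaviour the fix describes.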


603082-2 : Ephemeral pool members are getting deleted/created over and over again.

Component: Local Traffic Manager

Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.

Impact:
Traffic disrupted while mcpd restarts.


603071-1 : XHTML validation fails on obfuscated JavaScript

Component: Application Security Manager

Symptoms:
The obfuscated JavaScript injected by ASM for CSRF protection and other features causes web pages to fail w3c validation.

Conditions:
CSRF or Web Scraping enabled in the ASM policy.

Impact:
There is no end-user impact, but checking the page with the w3c online validator returns errors.

Workaround:
N/A

Fix:
The script is now wrapped in CDATA, so the validator no longer reports errors.
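For an injected inline script to pass strict XHTML validation, characters such as '<' and '&' in the script text must not be visible to the XML parser. The following is an added example, not ASM's code: it shows why a raw script containing those characters fails and how a CDATA wrapper fixes it, using Python's xml.etree parser as a stand-in for the validator. The script text, page template and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for an obfuscated script: it contains '<' and '&&',
# neither of which may appear unescaped in XHTML text content.
OBFUSCATED_JS = 'var a=1,b=2;if(a<b&&b>a){document.cookie="x=1"}'

# Minimal XHTML page with one inline script (constructed).
XHTML_TEMPLATE = (
    '<html xmlns="http://www.w3.org/1999/xhtml"><head><title>t</title>'
    '<script type="text/javascript">{script}</script></head><body/></html>'
)
XHTML_NS = "{http://www.w3.org/1999/xhtml}"


def wrap_in_cdata(script):
    """Wrap script text in a CDATA section.

    The '//' guards turn the CDATA markers into JavaScript comments, so a
    browser treating the page as HTML still executes the script.  A literal
    ']]>' inside the script would end the section early, so it is split
    across two adjacent CDATA sections.
    """
    safe = script.replace("]]>", "]]]]><![CDATA[>")
    return "//<![CDATA[\n" + safe + "\n//]]>"


def build_page(script, use_cdata):
    """Embed the script in the page, raw or CDATA-wrapped."""
    body = wrap_in_cdata(script) if use_cdata else script
    return XHTML_TEMPLATE.format(script=body)


def is_well_formed_xhtml(document):
    """True if an XML parser accepts the document (a stand-in for the validator)."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


def embedded_script_text(document):
    """Return the script text as the XML parser sees it (CDATA markers removed)."""
    root = ET.fromstring(document)
    return root.find(XHTML_NS + "head/" + XHTML_NS + "script").text


if __name__ == "__main__":
    print("raw script well-formed:  ", is_well_formed_xhtml(build_page(OBFUSCATED_JS, False)))
    print("CDATA script well-formed:", is_well_formed_xhtml(build_page(OBFUSCATED_JS, True)))
    print(embedded_script_text(build_page(OBFUSCATED_JS, True)))
```

The raw page is rejected because the parser reads `<b&&b>` as a malformed start tag; the CDATA-wrapped page parses, and the parser's view of the script element still contains the original script text unchanged.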


603032-2 : clientssl profiles with sni-default enabled may leak X509 objects

Component: Local Traffic Manager

Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.

Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.

Impact:
The amount of leakage depends on the number of virtuals with sni-default-enabled clientssl profiles and on the frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.

Workaround:
No workaround short of not using sni-default.

Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.


602366-2 : Safenet 6.2 HA performance

Component: Local Traffic Manager

Symptoms:
With a Safenet 6.2 HA setup, you only see the performance of one HSM.

Conditions:
Safenet 6.2 client is installed and Safenet HA is used.

Impact:
Only one HSM is used for the HA setup.

Workaround:
Add the primary HSM to the newly created HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

Add the following HSM to the HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>

Enable HAOnly:
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable

Delete the HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test

Fix:
Installation script is updated for Safenet 6.2 HA.


602358-2 : BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version

Component: Local Traffic Manager

Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.

Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.

The problem occurs if the SSL/TLS server requires the version of the new ClientHello (both the Record layer version and the Handshake Protocol version) to be exactly the same as the SSL/TLS version of the first ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.

Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.

Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.

Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.

Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:

1. The default is disable, which means that the 2nd ClientHello SSL/TLS version will be set to the negotiated version in the 1st round ServerHello.

2. If it is set to enable, both ClientHello versions will be exactly the same.
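The two server behaviours and the two settings of ssl.RenegotiateWithInitialClientHello described above, as an added example that is not part of the original release note and not F5 code. The ClientHello records are constructed; the parser reads only the record-layer version and the handshake client_version, so it also works on captured ClientHello bytes. The modelling assumption is that the default (disable) setting places the negotiated version in both the record layer and the handshake header of the second ClientHello.

```python
# Added example: compare the version fields of an initial and a renegotiation
# ClientHello the way a strict server (versions must equal the 1st ClientHello)
# and a lenient server (version must equal the negotiated ServerHello) would.
import struct
from typing import Tuple

RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
TLS10, TLS12 = 0x0301, 0x0303


def client_hello(record_version: int, handshake_version: int, body: bytes = b"") -> bytes:
    """Build a minimal ClientHello: 5-byte record header, 4-byte handshake header,
    2-byte client_version, then an arbitrary (constructed) body."""
    hs_payload = struct.pack(">H", handshake_version) + body
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hs_payload).to_bytes(3, "big") + hs_payload
    return struct.pack(">BHH", RECORD_HANDSHAKE, record_version, len(hs)) + hs


def parse_versions(record: bytes) -> Tuple[int, int]:
    """Return (record_layer_version, handshake_client_version) of a ClientHello record,
    validating the framing so truncated or foreign records are rejected."""
    if len(record) < 11:
        raise ValueError("record too short for a ClientHello")
    ctype, rec_ver, rec_len = struct.unpack(">BHH", record[:5])
    if ctype != RECORD_HANDSHAKE:
        raise ValueError(f"not a handshake record: content type 0x{ctype:02x}")
    if rec_len != len(record) - 5:
        raise ValueError("record length does not match the data")
    if record[5] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError(f"not a ClientHello: handshake type 0x{record[5]:02x}")
    if int.from_bytes(record[6:9], "big") != len(record) - 9:
        raise ValueError("handshake length does not match the data")
    (hs_ver,) = struct.unpack(">H", record[9:11])
    return rec_ver, hs_ver


def second_client_hello(first: bytes, negotiated_version: int,
                        renegotiate_with_initial: bool) -> bytes:
    """Model ssl.RenegotiateWithInitialClientHello for the renegotiation ClientHello.

    enable  -> both versions are copied from the first ClientHello.
    disable -> the negotiated (ServerHello) version is used; ASSUMED here to fill
               both the record layer and the handshake header.
    """
    rec_ver, hs_ver = parse_versions(first)
    if renegotiate_with_initial:
        return client_hello(rec_ver, hs_ver)
    return client_hello(negotiated_version, negotiated_version)


def strict_server_accepts(first: bytes, second: bytes) -> bool:
    """Server that requires both version fields of the new ClientHello to equal the first one's."""
    return parse_versions(first) == parse_versions(second)


def lenient_server_accepts(second: bytes, negotiated_version: int) -> bool:
    """The usual behaviour: the new ClientHello must carry the previously negotiated version."""
    return parse_versions(second)[1] == negotiated_version


if __name__ == "__main__":
    # Constructed exchange: TLS 1.0 record layer, TLS 1.2 client_version, server picks TLS 1.2.
    first = client_hello(TLS10, TLS12, body=b"\x00" * 4)
    for setting in (False, True):
        second = second_client_hello(first, TLS12, setting)
        print(f"RenegotiateWithInitialClientHello={'enable' if setting else 'disable'}: "
              f"strict server accepts={strict_server_accepts(first, second)}, "
              f"lenient server accepts={lenient_server_accepts(second, TLS12)}")
```

With the default setting the strict server rejects the renegotiation because the record-layer version changed from 0x0301 to 0x0303, which is the reset described in the Symptoms; with the setting enabled both server types accept it. The test also covers the case where the server negotiated a lower version than the first handshake version, where copying the initial ClientHello would in turn fail against a lenient server, so the db variable is a deliberate choice, not a universally safer default.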


602221-3 : Wrong parsing of redirect Domain

Component: Application Security Manager

Symptoms:
ASM learns wrong domain names.

Conditions:
There is no '/' after the domain name in the redirect domain.

Impact:
A wrong learning suggestion can lead to a wrong policy.

Workaround:
N/A

Fix:
Fixed an issue with parsing the URL in the Location header.


601938-3 : MCPD stores certain data incorrectly

Vulnerability Solution Article: K52180214


601927-3 : Security hardening of control plane

Component: TMOS

Symptoms:
File permissions changes needed as found by internal testing

Conditions:
N/A

Impact:
N/A

Fix:
Apply latest security practices to control plane files.


601905-4 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server

Component: Access Policy Manager

Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.

Conditions:
Most likely, the POST request contains large post data.

Impact:
The POST request will fail.

Workaround:
The following iRule works around the issue:

when HTTP_REQUEST {
  if { [HTTP::method] eq "POST" } {
    # Trigger collection for up to $max_collect bytes of data
    set max_collect 1000000
    if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect } {
      set content_length [HTTP::header "Content-Length"]
    } else {
      set content_length $max_collect
    }
    # Only collect when there is a body to collect
    if { $content_length > 0 } {
      HTTP::collect $content_length
    }
  }
}


601527-3 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

Fix:
Fixed a memory leak in mcpd.


601502-1 : Excessive OCSP traffic

Component: TMOS

Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.

Conditions:
Virtual server configured with an OCSP profile

Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.

Workaround:
None.

Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.


601496-1 : iRules and OCSP Stapling

Component: Local Traffic Manager

Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.

You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.

Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stapling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.

Impact:
TMM memory used increases gradually, eventually the aggressive mode sweeper is activated.

Workaround:
None.

Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.


601255-3 : RTSP response to SETUP request has incorrect client_port attribute

Component: Service Provider

Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)

Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection

Impact:
Unicast media may be forwarded to an incorrect UDP port (0).

Fix:
Initialize 'client_port' attribute to value received from server when re-writing response to client.


601180-1 : Link Controller base license does not allow DNS namespace iRule commands.

Component: Global Traffic Manager

Symptoms:
The Link Controller base license was improperly preventing DNS namespace iRule commands.

Conditions:
A Link Controller license without an add-on that allowed Layer 7 iRule commands.

Impact:
An administrator would not be able to add DNS namespace commands to an iRule, or to upgrade from a pre-11.5 configuration in which the commands were working to 11.5.4 through 12.1.1.

Workaround:
To address the inability to upgrade, removal of DNS namespace commands from the configuration prior to upgrade will allow the upgrade to proceed. The commands will then be able to be re-added after a fixed version is installed.

Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.


601178-3 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is set to 'preferred' in the HTTP cookie persistence profile and the client presents a plaintext route-domain-formatted cookie, the BIG-IP system ignores the cookie and re-load-balances the connection.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.


600827-5 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Hardware Error(Co-Processor): n3-crypto0 request queue stuck" will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.

Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.


600662-4 : NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: K64743453


600593-4 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests

Component: Local Traffic Manager

Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.

Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.

Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.

Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:

when HTTP_PROXY_REQUEST {
   if { [HTTP::method] equals "CONNECT" } {
      ONECONNECT::reuse disable
   }
   else {
      ONECONNECT::reuse enable
   }
}


600558-3 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

Fix:
Errors are no longer logged after deleting user in GUI.


600535 : TMM may core while exiting if MCPD connection was previously aborted

Component: Local Traffic Manager

Symptoms:
TMM cores while exiting after MCPD has spontaneously restarted.

Conditions:
MCPD aborts connection to TMM, typically due to fatal internal configuration errors causing MCPD to exit. This is generally a rarely occurring issue.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
TMM no longer cores when exiting.


600198-4 : OpenSSL vulnerability CVE-2016-2178

Vulnerability Solution Article: K53084033


600174-1 : Wildcard "*" redirection domain cannot be deleted if list is scrollable

Component: Application Security Manager

Symptoms:
Wildcard "*" redirection domain cannot be deleted if list is scrollable

Conditions:
Add redirection domains until list becomes scrollable (at least 4 or 5)

Impact:
The first redirection domain in the list cannot be deleted.

Workaround:
First delete other redirection domains (not the first one) so that the list is no longer scrollable, then re-add them.

Fix:
Any redirection domain can be removed from the list


600116-1 : DNS resolution request may take a long time in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution may appear slow in some cases

Conditions:
All of following conditions should be met

1) DNS Relay proxy is installed on user's machine
2) User's machine has multiple network adapters and some of them are in disconnected state.

Impact:
DNS resolution will be slow

Workaround:
Disable network adapters that are not connected.

Fix:
The DNS Relay proxy server no longer proxies DNS servers on non-connected interfaces. This fixes the slow DNS resolution issue.


599536-2 : IPsec peer with wildcard selector brings up wrong phase2 SAs

Component: TMOS

Symptoms:
If a remote IPsec peer sends a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector in phase2, the BIG-IP system will find a match against a non-wildcard selector and use that policy to complete phase2 negotiation.

You may encounter this problem if you have one or more remote peers attempting to negotiate phase2 with wildcard traffic-selectors. An IPsec tunnel may start but fail to pass data and at the same time another IPsec tunnel may stop working.

Conditions:
The remote IPsec peer sends a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector in phase2. Phase1 must be established first.

Impact:
A tunnel will start, but data communication (over ESP or AH) will fail.
Other tunnels may be subject to an accidental DoS when a peer establishes phase1 but uses wildcard traffic-selectors in phase2. A traffic-selector matched by wildcard might be bound to a tunnel already in use, which is then taken offline by the new Security Associations.

Fix:
Ensure that phase2 negotiation using a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector does not establish a Security Association with an ipsec-policy associated with a non-wildcard traffic-selector.

Behavior Change:
Previously, a wildcard selector was able to match a non-wildcard selector, and thus engage the wrong IPsec tunnel to attempt negotiation, which usually failed.

In effect, a wildcard selector was able to bind to the wrong peer; after this change only the correct peer binds. This cleans up the behavior of the selector as an identity key, and prevents random, unrelated peers from being subjected to noise.


599521-2 : Persistence entries not added if message is routed via an iRule

Component: Service Provider

Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.

Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.

Impact:
Since MRF SIP persistence may be bidirectional, the missing persistence entry prevents messages flowing in the opposite direction from being automatically routed via persistence.

Workaround:
An iRule could be used to route messages directed towards the original client.

Fix:
MRF SIP now adds a persistence entry for messages routed via an iRule.


599285-4 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Vulnerability Solution Article: K51390683


599168-4 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: K35520031


598983-4 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: K35520031


598981-2 : APM ACL does not get enforced all the time under certain conditions

Component: Access Policy Manager

Symptoms:
APM ACL does not get enforced all the time under certain conditions

Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.

Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.

Fix:
Context switching while applying the ACL is now processed properly and no longer causes the ACL to go unenforced.


598909-1 : SQL produces errors. AVR does not display any statistics.

Component: Application Visibility and Reporting

Symptoms:
SQL produces errors. AVR does not display any statistics. AFM, APM, ASM, AVR, FPS and SWG might be non-functional.

Conditions:
In version 11.6.0 and 11.6.1, there is an issue that occurs intermittently during software build operations.

Impact:
SQL produces errors. AVR does not display any statistics.

Workaround:
If the issue occurs:
1. Edit file /var/avr/avr_srv_code.sql.
2. Make sure that the following text starts in a new line:
   '# Old tables (for DB upgrade only)'
3. touch /var/avr/init_avrdb.
4. Restart the Monpd daemon: bigstart restart monpd.

Fix:
SQL no longer produces errors in response to an intermittent issue that occurred during software build operations.


598874-3 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

Fix:
Do not send anything in response to a SYN retransmission timeout.


598854-1 : sipdb tool incorrectly displays persistence records without a pool name

Component: Service Provider

Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool), will not be displayed properly by sipdb

Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.

Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.

Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.


598498-4 : Cannot remove Self IP when an unrelated static ARP entry exists.

Component: TMOS

Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.

Conditions:
Static arp entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. When in this condition, none of the Self IP addresses can be deleted.

Impact:
Must delete static ARP entries in order to delete Self IP addresses.

Workaround:
None.

Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.


598211-2 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}

Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.


598039-3 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.

Fix:
Stopped MCP leaking when wildcard queries are performed.


597966 : ARP/neighbor cache nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
Use after free or double-free of the nexthop object may cause memory corruption or TMM core.

Conditions:
This can happen if the server-side connection establishment takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP dataplane might crash. This is a very timing/memory-usage-dependent issue.

Workaround:
None.

Fix:
Management of nexthop object reference counting is more consistent.


597835-1 : Branch parameter in inserted VIA header not consistent as per spec

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This VIA header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP spec states that all messages in the same transaction should contain the same branch header. The code used to encrypt the branch field returns a different value each time.

Conditions:
SIP Via header insertion is enabled in the SIP MRF profile on the BIG-IP system, and an INVITE needs to be cancelled.

Impact:
Some servers have code to verify that the branch fields in the VIA header do not change within a transaction. These servers complain when they see the fields change.

Fix:
The code has been improved to ensure the branch field in the via header does not change.


597729-1 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


597601-4 : Improvement for a previous issue regressed NAT-T

Component: TMOS

Symptoms:
An earlier improvement request regressed NAT-T, so that phase2 cannot be established.

Conditions:
Using NAT-T with IKEv1.

Impact:
NAT-T does not work.

Fix:
NAT-T is now working after fixing the issue introduced in the improvement.


597431-4 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
Edge Client does not clean up the routing table before Windows hibernates. This may result in failure to establish the VPN when the computer wakes up. It may also result in other network connectivity issues.

Conditions:
- The VPN connection is not disconnected.
- The computer goes into hibernation.

Impact:
Issues with network connectivity.

Workaround:
Renew the DHCP lease by running:
ipconfig /renew

or

reboot the machine.


597394-1 : Improper handling of IP options

Vulnerability Solution Article: K46535047


597089-5 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.

Workaround:
Disabling the PVA resolves the issue.


597023-4 : NTP vulnerability CVE-2016-4954

Vulnerability Solution Article: K82644737


597010-4 : NTP vulnerability CVE-2016-4955

Vulnerability Solution Article: K03331206


596997-4 : NTP vulnerability CVE-2016-4956

Vulnerability Solution Article: K64505405


596945-2 : AVR DNS record lost after upgrade.

Component: Application Visibility and Reporting

Symptoms:
After upgrading to 11.5.1 through 11.6.0, you are unable to view DNS stats in AVR.

Conditions:
AVR enabled, DNS statistics visible in a version prior to 11.5.1, then upgrade to versions 11.5.1 through 11.6.0.

Impact:
You will be unable to view the DNS statistics.

Fix:
Fixed an issue with DNS stats not displaying in AVR after upgrade.


596814-3 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where there are multiple matches for the provided IP address (that is, other Amazon VPCs in the same Availability Zone contain unrelated instances that have the same IP address as the BIG-IP system's floating IP address).

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows network description by filtering with VPC id.


596619 : Some 10.2.x client SSL configurations fail to upgrade to 11.6.1.

Component: Local Traffic Manager

Symptoms:
Some 10.2.x client SSL configurations fail to upgrade to 11.6.1. The upgrade fails with an error similar to the following:

emerg load_config_files: "/usr/libexec/bigpipe load" - failed. -- BIGpipe parsing error (/config/bigpipe/BIG-IP.conf Line 67): 012e0020:3: The requested item (myclientssl {) is invalid (<profile arg> ` show ` list ` edit ` delete ` stats reset) for 'profile'.

Conditions:
Running 10.2.x with a Client SSL profile that has a custom Certificate and Key, and attempting to upgrade to version 11.6.1 or higher.

Impact:
The system fails to upgrade and presents a bigpipe parsing error.

Workaround:
If you have already upgraded and are encountering this issue, do the following:
1. Make a backup copy of /config/bigpipe/BIG-IP.conf.
2. Edit /config/bigpipe/BIG-IP.conf and remove any reference to inherit-certificatechain in the affected ssl profiles.
3. Run /usr/libexec/bigpipe daol.
4. Run tmsh save sys config.
5. Run tmsh load sys config.

This should install the configuration after upgrade failure.

Fix:
A 10.2.x configuration containing a Client SSL profile with a custom Certificate and Key now successfully upgrades to 11.6.1.


596603-11 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
Issue corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.


596569-2 : Memory leak on Central device in Symmetric deployment

Component: WebAccelerator

Symptoms:
When AAM is provisioned and symmetric configuration is deployed, a central unit will suffer a memory leak.

Conditions:
AAM is provisioned and a symmetric deployment is used.

Impact:
Due to memory leak BIG-IP will run out of memory and won't be able to properly serve new requests.

Fix:
The memory allocation that previously leaked is now released as soon as it is no longer required.


596488-4 : GraphicsMagick vulnerability CVE-2016-5118.

Vulnerability Solution Article: K82747025


596340-3 : F5 TLS vulnerability CVE-2016-9244

Vulnerability Solution Article: K05121675


596116-2 : LDAP Query does not resolve group membership, when required attribute(s) specified

Component: Access Policy Manager

Symptoms:
The corresponding session variable, session.ldap.last.memberOf, contains only the groups in which the user has explicit membership.

Conditions:
This occurs when the following conditions are met:
-- The APM LDAP Query is configured with the option "Fetch groups to which the user or group belong" set to "All".
-- The Required Attribute includes the "memberOf" LDAP attribute.

Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.

Workaround:
Add the following attribute to the "Required Attributes" list:

"objectClass"

If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:

"primaryGroupID"

Note: Adding the "primaryGroupID" attribute causes APM to fetch all groups from Microsoft Active Directory, including the primary group.

Fix:
LDAP Query now retrieves groups from the backend server in accordance with the option "Fetch groups to which the user or group belong", regardless of whether any required attribute is set.


595874-4 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.

As a result of this issue, you may encounter the following symptom:

After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.

Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.

Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:

Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.

1. Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.
2. Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.
3. To perform the installation by using the liveinstall method, and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot

For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot

4. Verify the installation progress by typing the following command:

tmsh show sys software

Output appears similar to the following example:

Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct

Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.


595773-3 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.

Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.


595275-2 : Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN

Component: Local Traffic Manager

Symptoms:
Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN when pool goes empty.

Conditions:
This occurs when the configuration contains a pool with only one FQDN pool member.

Impact:
VIP can go briefly RED and offline.

Workaround:
Configuring a fallback static IP node or multiple FQDN pool members removes this risk.


595270 : Memory leaks when session DB tables gets updated

Component: Traffic Classification Engine

Symptoms:
Memory usage stats indicate possible memory leaks.

Conditions:
When CEC flow bundling is used.

Impact:
Potential memory leaks.

Workaround:
Disable CEC flow bundling (tmm.gpa.cec.flow_bundling.enable = false).


594642-1 : Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Component: Local Traffic Manager

Symptoms:
Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Conditions:
Stream filter is active during low memory situations

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.


594496-3 : PHP Vulnerability CVE-2016-4539

Vulnerability Solution Article: K35240323


593667 : Dashboard displays incomplete alert details when Polish characters are included

Component: Fraud Protection Services

Symptoms:
Alerts containing Polish characters are not fully displayed in the dashboard.

Conditions:
Alert details contain Polish characters.

Impact:
Causes difficulty assigning alert severity.

Workaround:
None

Fix:
Alerts are now displayed correctly.


593530-1 : In rare cases, connections may fail to expire

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds.

Conditions:
Any IP (ipother) profile is assigned to virtual server.

Impact:
Connections may linger.

Workaround:
None.

Fix:
Fixed idle initialization error when using Any IP (ipother) profile.


593447-2 : BIG-IP TMM iRules vulnerability CVE-2016-5024

Vulnerability Solution Article: K92859602


593070-5 : TMM may crash with multiple IP addresses per session

Component: Policy Enforcement Manager

Symptoms:
TMM crash

Conditions:
A session with multiple IP addresses that uses PCRF communication for dynamic policy management may crash due to a race condition.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Check for timer expiration prior to processing the timer.


592871-2 : Cavium Nitrox PX/III stuck queue diagnostics missing.

Component: Local Traffic Manager

Symptoms:
Diagnostics tool to investigate rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.

Conditions:
A system with Cavium Nitrox PX/III chip(s), which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.

Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.

Workaround:
None.

Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.


592870-3 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).


592868-4 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If HTML page contains HTML entities in attribute values, rewrite may crash processing this page.

Conditions:
HTML tag like this:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases HTML entities can be replaced by appropriate characters by iRule.

Fix:
Now rewrite correctly handles HTML entities in attribute values.


592854-4 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.


592784-4 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.

Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.


592591-1 : Deleting access profile prompts for apply access policy for other untouched access profiles

Component: Access Policy Manager

Symptoms:
After deleting an access profile, the 'Apply Access Policy' link shows up and the status flags for some other untouched access profiles turn yellow. Also, there are APM log messages indicating that the configurations for those untouched access profile have been changed.

Conditions:
If an access profile containing macros is copied on the admin UI and is deleted subsequently.

Impact:
There is no actual change to the access profiles flagged by the deletion. The administrator can click the "Apply Access Policy" link to make the link disappear.


592497-2 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.

Component: Local Traffic Manager

Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.

Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.

Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.

Workaround:
None.

Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.


592414-2 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Fixed.


592113-1 : tmm core on the standby unit with dos vectors configured

Component: Advanced Firewall Manager

Symptoms:
On the standby unit with mirrored connections configured, uninitialized DoS vectors may cause a core dump.

Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured

Impact:
Traffic disrupted while tmm restarts.


592070-1 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied

Component: Policy Enforcement Manager

Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.

Conditions:
DHCP virtual created in a non-local traffic group.

Impact:
Variable sharing in the TCL context will not work.

Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.

Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.


591918-4 : ImageMagick vulnerability CVE-2016-3718

Vulnerability Solution Article: K61974123


591908-4 : ImageMagick vulnerability CVE-2016-3717

Vulnerability Solution Article: K29154575


591894-4 : ImageMagick vulnerability CVE-2016-3715

Vulnerability Solution Article: K10550253


591881-4 : ImageMagick vulnerability CVE-2016-3716

Vulnerability Solution Article: K25102203


591857 : 10-core vCMP guest with ASM may not pass traffic

Component: TMOS

Symptoms:
The TMM plugin manager does not expect or support an ASM guest configuration of 10 cores, so its calculation of the number and numbering of devices required does not match the existing number of threads/devices.

Conditions:
11.6.0 HF6
ASM provisioned on a vCMP guest
10 CPU cores allocated to an ASM guest

Impact:
System may not start or may exhibit intermittent failures.

Workaround:
Change the number of cores on the ASM guest to use either 8 CPU cores or 12 CPU cores.

Fix:
This issue was partially fixed in 11.6.0 HF6, but the tmplugin RPM was incorrect. This fix includes the proper RPM.


591806-3 : ImageMagick vulnerability CVE-2016-3714

Vulnerability Solution Article: K03151140


591789-1 : IPv4 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv4 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled on version 11.5.4, 11.6.0 HF6, or 11.6.1.

Impact:
IPv4 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv4 fragments are no longer incorrectly dropped when packet filtering is enabled.


591767-3 : NTP vulnerability CVE-2016-1547

Vulnerability Solution Article: K11251130


591733-2 : Save on Auto-Sync is missing from the configuration utility.

Component: TMOS

Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.

Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.

Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.

Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.

Fix:
This release adds per-device-group save_on_auto_sync flag to GUI: flag now shows in GUI and correctly saves.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.

Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".


591659-3 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.

Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.


591476-8 : Stuck crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox-based systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck.

Conditions:
-- Running on one of the following platforms:
 + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 5xxx, 7xxx, 10xxx, 11xxx, and 12xxx
 + VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.

Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:

tmsh modify sys db crypto.queue.timeout value 0

Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue.


591455-2 : NTP vulnerability CVE-2016-2516

Component: TMOS

Symptoms:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Conditions:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Impact:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Fix:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253


591447-3 : PHP vulnerability CVE-2016-4070

Component: TMOS

Symptoms:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Conditions:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Impact:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Fix:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html


591343-2 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.

Component: Local Traffic Manager

Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.

Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.

Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.

Workaround:
None.

Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.


591329-2 : CVE-2016-2108 fixed in Oracle Access Manager library used by BIG-IP APM

Vulnerability Solution Article: K36488941


591328-2 : OpenSSL vulnerability CVE-2016-2106

Vulnerability Solution Article: K36488941


591327-2 : OpenSSL vulnerability CVE-2016-2106

Vulnerability Solution Article: K36488941


591325-2 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109

Vulnerability Solution Article: K75152412


591268-3 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions

Component: Access Policy Manager

Symptoms:
The virtual server hostname is not resolvable when the DNS Relay proxy service is installed and running; whether this occurs depends on the client machine configuration. A negative record is present in the Windows DNS cache, which can be verified by running ipconfig /displaydns.

Conditions:
Specific client machine configuration

Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue

Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service

Fix:
The DNS Relay proxy service now clears the DNS cache after initialization, mitigating the issue described.


591117-1 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM sends queries regarding the assigned ACL information. If the reply message contains an out-of-memory error, TMM did not handle that error properly, causing TMM to core.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.


591104-3 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configs when ASE OSPF debugging enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.

Fix:
ospfd no longer crashes when debugging is enabled in imish.


591042-5 : OpenSSL vulnerabilities

Vulnerability Solution Article: K23230229


590904-5 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.

Fix:
After creating the sync-failover group without network failover configured, but with a serial failover cable installed, one of the devices becomes Standby and the other remains Active.


590820-2 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.

Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.


589794 : APD might crash if LDAP Query agent failed to retrieve primary group for a user

Component: Access Policy Manager

Symptoms:
APD will crash and generate a core file.

Conditions:
The problem can happen only when all of the following are true:
1. LDAP Query is used with an AD backend.
2. "Fetch groups to which the user or group belong" is set to a value other than None (Direct/All).
3. There were earlier logins to the BIG-IP system, so the group cache is built and valid.
4. A new group is created in the domain and assigned as the primary group for the user trying to authenticate.

Impact:
Authentication service will be interrupted.

Workaround:
Administrator should reset group cache using either GUI (AAA LDAP Server configuration page) or tmsh (apm aaa ldap object). After cache is reset, it will be built from scratch on next request and the new group will be added to the cache.
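Both this entry and 596116-2 above turn on the same Active Directory detail: memberOf lists only direct memberships and never the primary group, which AD records as a RID in primaryGroupID. The following is an added example, not BIG-IP or APM code, that resolves a user's effective group set for the three settings of "Fetch groups to which the user or group belong" from constructed sample attributes; the directory entries, SIDs and DNs are all made up for the example.

```python
"""Added example (not BIG-IP or APM code): resolve a user's effective Active
Directory group set from constructed LDAP attributes.

Shows why 'memberOf' alone is incomplete: it lists only direct memberships and
never the primary group, which AD records as a RID in 'primaryGroupID'. The
directory below is constructed sample data; nothing is queried over the network.
"""
import struct

# Constructed directory: group DN -> its SID and the groups it is itself a member of.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=test": {
        "objectSid": "S-1-5-21-11-22-33-513",
        "memberOf": ["CN=Users,CN=Builtin,DC=example,DC=test"],
    },
    "CN=Users,CN=Builtin,DC=example,DC=test": {
        "objectSid": "S-1-5-32-545",
        "memberOf": [],
    },
    "CN=VPN-Users,OU=Groups,DC=example,DC=test": {
        "objectSid": "S-1-5-21-11-22-33-1105",
        "memberOf": ["CN=Remote-Access,OU=Groups,DC=example,DC=test"],
    },
    "CN=Remote-Access,OU=Groups,DC=example,DC=test": {
        "objectSid": "S-1-5-21-11-22-33-1106",
        "memberOf": [],
    },
}


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string in the binary objectSid wire format."""
    parts = sid.split("-")[1:]
    revision, authority = int(parts[0]), int(parts[1])
    subs = [int(p) for p in parts[2:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid: revision byte, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group lives in the user's own domain, so its SID is the
    user's domain SID (user SID minus the trailing RID) plus primaryGroupID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)


def effective_groups(user: dict, directory: dict, mode: str = "all") -> set:
    """Return the user's groups for mode 'none', 'direct' or 'all' (nested),
    mirroring the three settings of 'Fetch groups to which the user or group belong'."""
    if mode == "none":
        return set()
    groups = set(user.get("memberOf", []))
    # memberOf never lists the primary group; look it up by SID from primaryGroupID.
    if "primaryGroupID" in user:
        wanted = primary_group_sid(sid_from_bytes(user["objectSid"]), user["primaryGroupID"])
        for dn, attrs in directory.items():
            if attrs["objectSid"] == wanted:
                groups.add(dn)
    if mode == "direct":
        return groups
    # mode 'all': walk nested memberships, guarding against cycles.
    pending = list(groups)
    while pending:
        dn = pending.pop()
        for parent in directory.get(dn, {}).get("memberOf", []):
            if parent not in groups:
                groups.add(parent)
                pending.append(parent)
    return groups


# Constructed user entry as an LDAP query would return it (objectSid is binary).
USER = {
    "objectSid": sid_to_bytes("S-1-5-21-11-22-33-1104"),
    "primaryGroupID": 513,
    "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=test"],
}

if __name__ == "__main__":
    for mode in ("none", "direct", "all"):
        print(mode, sorted(effective_groups(USER, DIRECTORY, mode)))
```

Running it shows that memberOf returns only VPN-Users, while "direct" adds the primary group (Domain Users) via its RID and "all" adds the nested parents. The cycle guard in the "all" walk matters with real directories, where group nesting loops are common.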


589256-3 : DNSSEC NSEC3 records with different type bitmap for same name.

Component: Global Traffic Manager

Symptoms:
For a delegation from a secure zone to an insecure zone, BIG-IP returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, the BIG-IP DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend (BIND, if it is selected as the fallback). Because the insecure child zone has no ZSK/KSK, BIND responds with a SOA record, which the BIG-IP system then signs dynamically.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.

Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.


589223-3 : TMM crash and core dump when processing SSL protocol alert.

Component: Local Traffic Manager

Symptoms:
TMM crash and core dump when processing SSL protocol alert.

Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A problem of TMM restarting when processing SSL protocol alert has been fixed.


589118 : Horizon View client throws an exception when connecting to Horizon 7 VCS through APM.

Component: Access Policy Manager

Symptoms:
If APM is configured as PCoIP proxy against Horizon 7 VCS, the Horizon View client fails to retrieve the list of entitlements with an exception written in its logs.

Conditions:
APM as PCoIP proxy for Horizon 7 View Connection Server.

Impact:
Horizon View client cannot be used with APM to access Horizon 7.

Workaround:
You can use the following iRule to update the broker protocol version returned by APM to be 11.0 instead of 9.0.

when HTTP_REQUEST {
    # Remove the Origin header from proxied requests
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
    # Collect the body of broker XML posts so HTTP_REQUEST_DATA can inspect it
    if { [HTTP::method] eq "POST" && [HTTP::uri] eq "/broker/xml" } {
        set BROKER_REQUEST 1
        HTTP::collect [HTTP::header Content-Length]
    }
}

when HTTP_REQUEST_DATA {
    # Answer the SAML authentication-type probe directly with a version 11.0 broker response
    if { [info exists BROKER_REQUEST] && [regexp {<have-authentication-types[ \t\r\n]*>[ \t\r\n]*<name[ \t\r\n]*>[ \t\r\n]*saml[ \t\r\n]*</name>[ \t\r\n]*</have-authentication-types>} [HTTP::payload]] } {
        HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8"?><broker version="11.0"><set-locale><result>ok</result></set-locale><configuration><result>ok</result><broker-guid>1</broker-guid><authentication><screen><name>saml</name><params></params></screen></authentication></configuration></broker>} Content-Type text/xml
    }
}

when HTTP_RESPONSE {
    # Only act on responses whose server-side peer is a loopback address
    if { ! [IP::addr [IP::remote_addr] equals 127.0.0.0/8] } { return }
    set BROKER_RESPONSE 1
    # Collect at most 1 MiB of the response body
    set content_length 0
    if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
        set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length 1048576
    }
    # Only collect when there is a body to collect
    if { $content_length > 0 } {
        HTTP::collect $content_length
    }
}

when HTTP_RESPONSE_DATA {
    if { ! [info exists BROKER_REQUEST] || ! [info exists BROKER_RESPONSE] } { return }
    # Report broker protocol version 11.0 instead of 9.0 to the Horizon View client
    regsub "<broker version=\"9.0\">" [HTTP::payload] "<broker version=\"11.0\">" payload
    HTTP::payload replace 0 [HTTP::payload length] $payload
    HTTP::release
}

Fix:
Horizon View client can now be used with APM to access Horizon 7.


588888-2 : Empty URI rewriting is not done as required by browser.

Component: Access Policy Manager

Symptoms:
An empty URI must be rewritten the same way by the server-side and client-side rewriters: as an empty URI (all browsers treat this type of URI in a specific way).

Conditions:
A tag with an empty 'src' or 'href' attribute.

Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.

Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.

-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.

Fix:
This release fixes the issue of rewriting the empty URI the same way at the server side and client side: as empty URI (all browsers treat this type of URI in a specific way).
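This entry and 592868-4 above describe two attribute-value edge cases a rewriting proxy has to get right: entities inside a URI attribute (such as src="&#10;") and an empty src/href that must stay empty. The following is an added example, not BIG-IP or APM code, showing a minimal HTML URI rewriter that handles both; the PROXY_PREFIX and the rewritten URL form are hypothetical and do not reflect APM's real rewriting scheme, and the sample markup is constructed.

```python
"""Added example (not BIG-IP or APM code): a minimal HTML URI rewriter that
handles two attribute-value edge cases.

  * entities inside attribute values, such as src="&#10;", are decoded before
    the URI is examined and re-escaped on output;
  * an empty src/href stays empty, because browsers resolve "" to the document
    itself and a rewritten value would change the page's behaviour.

PROXY_PREFIX and the rewritten URL form are hypothetical, not APM's real scheme.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote, urljoin

PROXY_PREFIX = "/rewritten/"           # hypothetical prefix for proxied absolute URLs
URI_ATTRS = {"src", "href", "action"}  # attributes whose values are URIs
ASCII_WS = " \t\r\n\f"


def rewrite_uri(uri: str, base: str, prefix: str = PROXY_PREFIX) -> str:
    """Rewrite one attribute value. Values that are empty once leading and
    trailing ASCII whitespace is removed (as a browser's URL parser does,
    so "&#10;" decodes to a value that behaves like "") are returned as ""
    and not proxied."""
    cleaned = uri.strip(ASCII_WS)
    if cleaned == "":
        return ""
    absolute = urljoin(base, cleaned)
    return prefix + quote(absolute, safe="")


class Rewriter(HTMLParser):
    """Re-emit the document, rewriting URI attributes on each start tag."""

    def __init__(self, base: str):
        # convert_charrefs=False keeps entities in text nodes untouched;
        # HTMLParser still decodes entities inside attribute values for us.
        super().__init__(convert_charrefs=False)
        self.base = base
        self.out = []

    def _tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if value is None:           # boolean attribute such as <input disabled>
                parts.append(name)
                continue
            if name in URI_ATTRS:
                value = rewrite_uri(value, self.base)
            # Re-escape on output so the decoded value cannot break out of the attribute
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return "<%s%s>" % (" ".join(parts), " /" if self_closing else "")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def rewrite_html(doc: str, base: str) -> str:
    """Rewrite every URI attribute in doc relative to base and return the result."""
    parser = Rewriter(base)
    parser.feed(doc)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the tag from 592868-4 and an empty src as in 588888-2.
    sample = ('<script src="&#10;" type="text/javascript"></script>'
              '<img src=""><a href="/login">sign in</a>')
    print(rewrite_html(sample, "https://app.example.test/portal/"))
```

The decode-then-re-escape order is the point: the rewriter decides on the decoded value (so "&#10;" is recognised as effectively empty rather than treated as a literal path), and emits the value escaped again so the rewritten document stays well-formed.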


588496-3 : SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541

Vulnerability Solution Article: K10737


588442-3 : TMM can core in a specific set of conditions.

Component: Local Traffic Manager

Symptoms:
TMM can core and assert: 'ifc not set'.

Conditions:
This occurs under the following conditions:
  - A unit with license that ratelimits throughput performance to something other than max or 1.
  - One or more virtual IP addresses configured with DNS profiles with rapid-response enabled.
  - Something causing the listener to be disabled or a listener to not be found.
  - A DNS request sent to the disabled listener.

Impact:
TMM might core and assert: 'ifc not set'.

Workaround:
None.


588351-2 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.


588289-4 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager

Symptoms:
GTM re-orders the existing pools, including the pool with order "0", when a pool is added with a specific order designation.

Conditions:
This occurs when adding pools with a specified order.

Impact:
This changes the pool order unexpectedly, which affects load balancing that uses the global-availability method.


588115-3 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.

Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.

Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.


587966-3 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Component: Local Traffic Manager

Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
A Type DNS Query dropped intermittently.

Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.

Fix:
Type A requests no longer dropped when A and AAAA DNS Query requested at the same time with the same source IP and Port.


587892-1 : Multiple iRule proc names might clash, causing the wrong rule to be executed.

Component: Local Traffic Manager

Symptoms:
Multiple iRule proc names might clash, causing the wrong rule to be executed.

Conditions:
This occurs when there is an iRule configured with more than one proc, which might cause the wrong proc to get executed.

Impact:
The call proc might execute the wrong proc.

Workaround:
None.

Fix:
Multiple iRules configured with more than one proc no longer cause the wrong proc to get executed.


587698-2 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured

Component: TMOS

Symptoms:
bgpd daemon crashes

Conditions:
bgp extended-asm-cap is configured before configuring
ip extcommunity-list standard with rt and soo fields.

Impact:
bgpd daemon crashes leading to route loss and traffic loss.

Fix:
bgpd does not crash when both bgp extended-asm-cap and
ip extcommunity-list standard with rt and soo parameters are configured.


587656-3 : GTM auto discovery problem with EHF for ID574052

Component: Global Traffic Manager

Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Conditions:
After applying EHF9-685.88-ENG

Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Workaround:
Skip to the next Eng HF
v11.4.1-hf10/hotfix/HF10-690.10-ENG

Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.


587617-3 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager

Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.

Conditions:
No GTM server object is configured with an existing self IP.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671

Fix:
gtmd will not core.


587077-3 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Vulnerability Solution Article: K37603172


586878-2 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
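The following script is an added example (not F5 code) that automates step 2 of the workaround above: it reads a bigip.conf, walks each 'ltm profile client-ssl' block with a minimal brace-matching reader, and reports profiles that have no usable cert/key pair either as top-level 'cert'/'key' settings or inside any cert-key-chain entry. The sample configuration is constructed from the two profiles shown above plus one valid profile. Treating 'inherit-certkeychain true' as satisfying the validation (because the chain then comes from the parent profile) is an assumption; the parser is not a full bigip.conf parser.

```python
"""Find client-ssl profiles that will fail cert/key validation on upgrade (ID 586878)."""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the two invalid profiles from the workaround plus a valid one.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_default_only {
    cert none
    cert-key-chain {
        default { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_ok {
    cert /Common/app.crt
    cert-key-chain {
        app {
            cert /Common/app.crt
            key /Common/app.key
        }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key /Common/app.key
}
"""

BLOCK_RE = re.compile(r"^ltm profile client-ssl (\S+) \{$", re.M)
ENTRY_RE = re.compile(r'("[^"]*"|\S+)\s*\{')


def _extract_block(text: str, open_idx: int) -> Tuple[str, int]:
    """Return (body, index_of_closing_brace) for the block whose '{' is at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i
    raise ValueError("unbalanced braces in configuration")


def _scalars(body: str) -> Dict[str, str]:
    """Parse 'name value' lines at the current nesting level, skipping nested blocks."""
    out: Dict[str, str] = {}
    depth = 0
    for line in body.splitlines():
        s = line.strip()
        if not s:
            continue
        if depth == 0 and not s.endswith("{"):
            name, _, value = s.partition(" ")
            out[name] = value
        depth += s.count("{") - s.count("}")
    return out


def _chain_entries(body: str) -> List[Dict[str, str]]:
    """Return the settings of each entry in the profile's cert-key-chain block."""
    m = re.search(r"cert-key-chain \{", body)
    if not m:
        return []
    chain_body, _ = _extract_block(body, m.end() - 1)
    entries, pos = [], 0
    while True:
        em = ENTRY_RE.search(chain_body, pos)
        if not em:
            break
        entry_body, end = _extract_block(chain_body, em.end() - 1)
        entries.append({"name": em.group(1), **_scalars(entry_body)})
        pos = end + 1
    return entries


def iter_clientssl_profiles(conf: str) -> Iterator[Tuple[str, str]]:
    """Yield (profile_name, block_body) for every client-ssl profile in conf."""
    for m in BLOCK_RE.finditer(conf):
        body, _ = _extract_block(conf, m.end() - 1)
        yield m.group(1), body


def _has_certkey(settings: Dict[str, str]) -> bool:
    return settings.get("cert", "none") != "none" and settings.get("key", "none") != "none"


def audit_clientssl(conf: str) -> List[str]:
    """Return names of profiles with no cert/key pair that do not inherit one."""
    flagged = []
    for name, body in iter_clientssl_profiles(conf):
        scalars = _scalars(body)
        if scalars.get("inherit-certkeychain", "false") == "true":
            continue  # assumption: the parent's chain satisfies the upgrade validation
        if not _has_certkey(scalars) and not any(_has_certkey(e) for e in _chain_entries(body)):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for profile in audit_clientssl(SAMPLE_CONF):
        print("invalid client-ssl profile:", profile)
```

Run it against a copy of /config/bigip.conf taken from the pre-upgrade system; every profile it names is one to remove (step 3) and re-create after the load (step 5).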


586738-2 : The tmm might crash with a segfault.

Component: Local Traffic Manager

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When IPsec is configured with hardware encryption, an encryption error now returns an error code when appropriate and is handled as expected, so tmm no longer crashes with a segfault.


586718-3 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see the following logs: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' with the encrypted password logged

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Substituted session variable values, including the encrypted password, are written to the log. Session variable substitutions should not be logged, even when the value is encrypted.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.

Fix:
Session variable substitutions are no longer logged.
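As an added example (not F5 code), the script below scans APM log lines for the ScanReplaceSessionVar() debug message described above and reports which session variables were substituted, flagging the credential variables whose values should never appear in a log. The regular expression follows the shape of the single message quoted in the symptom; the sample log lines are constructed and omit the credential value the real message carries, and the list of sensitive variables beyond session.logon.last.password is an assumption.

```python
"""Detect session-variable substitutions logged at debug level by apmd (ID 586718)."""
import re
from typing import Dict, List

# Shape of the apmd debug message quoted in the symptom: the substitution
# source ('data') and the session variable it is resolved against ('on').
SUBST_RE = re.compile(
    r"apmd\[(?P<pid>\d+)\]: 01490000:7: .*ScanReplaceSessionVar\(\).*?"
    r"data: '(?P<data>[^']*)'.*? on '(?P<var>[^']+)'"
)

# Variables whose resolved value is a credential. The password variable is the
# one named in the issue; the other two are assumptions about APM logon variables.
SENSITIVE_VARS = (
    "session.logon.last.password",
    "session.logon.last.passcode",
    "session.logon.last.otp",
)

# Constructed sample lines (placeholder host and session data).
SAMPLE_LOG = """\
Mar 11 11:36:49 bigip1 debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'
Mar 11 11:36:49 bigip1 debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.username}' start_pos: 0, count: 30 on 'session.logon.last.username'
Mar 11 11:36:50 bigip1 notice apmd[3531]: 01490500:5: /Common/ap:Common:0123abcd: New session from client IP 192.0.2.10
"""


def find_substitutions(log_text: str) -> List[Dict[str, object]]:
    """Return one record per substitution debug line, marking credential variables."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SUBST_RE.search(line)
        if m:
            hits.append({
                "pid": m.group("pid"),
                "data": m.group("data"),
                "var": m.group("var"),
                "sensitive": m.group("var") in SENSITIVE_VARS,
            })
    return hits


def leaked_credential_vars(log_text: str) -> List[str]:
    """Return the sorted set of credential variables whose substitution was logged."""
    return sorted({str(h["var"]) for h in find_substitutions(log_text) if h["sensitive"]})


if __name__ == "__main__":
    for var in leaked_credential_vars(SAMPLE_LOG):
        print("credential substitution logged for", var)
```

Feed it the APM log (for example /var/log/apm) from a system that ran at debug level; any variable it reports means the log file should be treated as containing credential material until it is rotated and purged.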


586131-3 : SSLv3 vulnerability CVE-2014-3566

Vulnerability Solution Article: K15702


586006-3 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certificate revocation check fails.

Conditions:
Both of the following conditions trigger this problem:
1. A CRLDP agent is configured in the access policy without a server hostname and port, which are needed for DirName type processing. AND
2. At least one DirName type CRL distribution point is present in the client certificate, and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certificates are used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585562-1 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari

Component: Access Policy Manager

Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.

Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.

Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.

Workaround:
Attach an iRule that removes the Origin header from client requests, for example:

when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}

Fix:
The VMware View HTML5 client shipped with Horizon 7 now works through BIG-IP APM in Chrome/Safari.


585485-4 : Interoperability of "delete IPSEC-SA" between Azure, ASA and BIG-IP

Component: TMOS

Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.

BIG-IP sends, and expects to receive, delete messages that carry both SPIs.

Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor may experience this. Azure and Cisco ASA are two such vendors.

Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.

Workaround:
Delete the outbound SA from the BIG-IP using the tmsh command by specifying the related SA:

(tmos)# delete net ipsec ipsec-sa ?
Properties:
  "{" Optional delimiter
  dst-addr Specifies the destination address of the security associations
  spi Specifies the SPI of the security associations
  src-addr Specifies the source address of the security associations
  traffic-selector Specifies the name of the traffic selector

Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.


585424-3 : Mozilla NSS vulnerability CVE-2016-1979

Vulnerability Solution Article: K20145801


585412-2 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset cause of 'Out of memory' and the email will not be delivered.

Workaround:
None.

Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.


585097-3 : Traffic Group score formula does not result in unique values.

Component: TMOS

Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.

Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.

The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.

Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.

Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.

Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.


584373-3 : AD/LDAP resource group mapping table controls are not accessible sometimes

Component: Access Policy Manager

Symptoms:
In the AD/LDAP resource group mapping table, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the bounds of the dialog.

Conditions:
Very long group names and resource names.

Impact:
Impossible to delete and move rows in the table; editing is still possible.

Workaround:
Spread one assignment across multiple rows.

Fix:
A scroll bar now appears when needed.


584029-2 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
tmm core due to assertion

Conditions:
tmm offloads a fragmented packet via an ffwd operation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


583957-4 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during a HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
A HTTP::respond or HTTP::redirect iRule is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.

Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking a HTTP::respond or HTTP::redirect iRule command.


583936-3 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Fix:
Now properly removing ECMP routes from the routing table.


583686-3 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import

Component: Application Security Manager

Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.

Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.

Impact:
Unable to view or edit the policy, and Illegal meta character in value violation is triggered


583516-3 : tmm ASSERT's "valid node" on Active, after timer fire..

Component: TMOS

Symptoms:
TMM crashes on ASSERT's "valid node".

Conditions:
The cause is unknown, and this happens rarely.

Impact:
tmm crash

Workaround:
None.

Fix:
TMM no longer asserts on 'valid node'


583445 : Alert dashboard does not correctly display Hebrew characters in alerts.

Component: Fraud Protection Services

Symptoms:
Alert server cannot decrypt Hebrew characters in alerts.

Conditions:
Malicious script injection containing wide characters.

Impact:
Incorrectly displayed alerts in dashboard.

Workaround:
None.

Fix:
Alerts are sent encoded and are decoded in the dashboard.


583285-7 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part two of a two-part fix. Fixes for bug 569236 provide part one of the fix.


583113-3 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
The following iRule did not work as expected when the access profile had an NTLM auth. The client still received a 407 prompt to enter NTLM credentials.

when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}

Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.

Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.

Workaround:
The following iRule works from HTTP_REQUEST

when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}

Fix:
When ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM configured, then wake up the ECA plugin"

Fix changed the logic to "if NTLM configured and ACCESS filter is not disabled, then wake up the ECA plugin."


583010-9 : Sending a SIP invite with "tel" URI fails with a reset

Component: Service Provider

Symptoms:
Using a "INVITE tel:" URI results in SIP error (Illegal value).

Conditions:
Sending a SIP "INVITE tel:" to BIG-IP does not work.

Impact:
"INVITE tel:" messages are not accepted by BIG-IP.

Workaround:
None

Fix:
An EHF will be released to address this issue. It will also be addressed in a future release.


582813-1 : Linux Kernel CVE-2016-0774

Vulnerability Solution Article: K08440897


582752-2 : Macrocall could be topologically not connected with the rest of policy.

Component: Access Policy Manager

Symptoms:
It is possible to create a macrocall access policy item that:

1. Belongs to the policy items list.
2. Is correctly connected to an ending.
3. Has no incoming rules (that is, no items point at it).

Conditions:
1. Create an access policy with a macrocall item in one of the branches.
2. Remove the item that refers to this macrocall item from the access policy.

As a result, the macrocall item remains.

Impact:
VPE fails to render this access policy.

Workaround:
Delete macrocall access policy item manually using tmsh commands.

Fix:
Any modification of an access policy is no longer allowed if it would leave an access policy item unreferenced.
At upgrade time, unreferenced access policy items are deleted, along with all items that follow them. The resulting access policies can be rendered correctly by VPE. Note that only the active configuration is corrected; the saved configuration file (/config/bigip.conf) contains the uncorrected version until a new configuration change is saved. The active configuration can be saved explicitly with the tmsh command 'tmsh save sys config partitions all'.


582683-5 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A

Fix:
Fixed the xpath parser: the namespace declaration is now restored each time the xpath parser finishes parsing a document.


582526-2 : Unable to display and edit huge policies (more than 4000 elements)

Component: Access Policy Manager

Symptoms:
It takes a very long time, or is not possible, to display huge policies (more than 4000 elements). VPE returns a server timeout error or simply halts.

Conditions:
Huge Access Policy, for example, containing 4000 or more elements.

Impact:
Unable to edit policy because VPE times out.

Workaround:
None.

Fix:
VPE loading times for APM policies is greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.


582440-2 : Linux client does not restore route to the default GW on Ubuntu 15.10

Component: Access Policy Manager

Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.

Conditions:
Ubuntu 15.10; a network access tunnel is connected and then disconnected.

Impact:
User will not be able to reach internet after disconnecting from network access.

Workaround:
If Wifi is in use then turn off and on again.
If Ethernet is used then unplugging and plugging cable again should solve the problem.


582029-1 : AVR might report incorrect statistics when used together with other modules.

Component: Application Visibility and Reporting

Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, it can lead to AVR getting false readings of the activity and as result report on unexpectedly large numbers.

Conditions:
The AVR module is used together with other modules, and these modules affect the traffic flow.

Impact:
AVR reports incorrect statistics: unexpectedly large numbers.

Workaround:
None.

Fix:
AVR now identifies the other modules' activity and collects the activity statistics accordingly.


582003-2 : BD crash on startup or on XML configuration change

Component: Application Security Manager

Symptoms:
BD crash.
out of memory XML message in the bd.log.
The BD doesn't startup and keeps crashing upon startup.

Conditions:
Many XML profiles and relatively large XML configuration.

Impact:
ASM down, machine is offline.

Workaround:
Increase the XML available memory.

Fix:
Fixed an XML memory sanity test that caused a crash when out of XML memory upon reading XML configuration.


581840 : Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Component: Device Management

Symptoms:
Trying to manage a BIG-IP version 11.6.1 or 11.6.1 HF1 system with an administrator account whose name is not "admin" can fail.

Conditions:
This can occur with a BIG-IQ managing a BIG-IP version 11.6.1 or 11.6.1HF1 system with a different account than “admin”.

Impact:
You cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Workaround:
Install 11.6.1 HF2 on the BIG-IP system, or use an administrator account named “admin” for managing the device.

Fix:
Can now manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Behavior Change:
local requests through iControl client are now made on port 80, instead of 443.


581835-3 : Command failing: tmsh show ltm virtual vs_name detail.

Component: TMOS

Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:

01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.

Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.

Impact:
No information is displayed by the tmsh show command.

Workaround:
None.

Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.


581834-4 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
clients are unable to use the Firefox plugin on Firefox version 47 and above

Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin

Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above

Fix:
The Firefox plugin now supports all versions.


581770-2 : Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6

Component: Access Policy Manager

Symptoms:
Network Access clients are unable to pass IPv6 traffic

Conditions:
Network Access resource configured with IPv4&IPv6
Client attempts to pass IPv6 traffic

Impact:
IPv6 traffic is dropped

Fix:
APM will now pass IPv6 traffic through the tunnel if an IPv4&IPv6 resource is configured.


580893-1 : Support for Single FQDN usage with Citrix Storefront Integration mode

Component: Access Policy Manager

Symptoms:
Adding a new login account onto Citrix Receiver enumerates the applications and desktop. Logging off and reconnecting using the same account starts failing.

Conditions:
-- Citrix Storefront Integration mode with APM.
-- Using the same FQDN to access both Storefront as well as an APM virtual server.

Impact:
Clients are unable to connect.

Workaround:
No workaround other than using different FQDNs.

Fix:
You can now use the same FQDN to successfully access both Storefront as well as an APM virtual server.


580817-3 : Edge Client may crash after upgrade

Component: Access Policy Manager

Symptoms:
The Edge client may crash after upgrading to 11.4.1 through 12.0.0.

Conditions:
Access Policy with Firewall Checker
Update BIG-IP to 12.1.0

Impact:
Users are unable to use the Edge client

Fix:
Fixed a crash in the Edge client


580686-1 : Hostagentd might leak memory on vCMP hosts.

Component: Device Management

Symptoms:
hostagentd resident memory keeps leaking over time. Unexplained system instability. Health monitors might work intermittently.

Conditions:
This occurs when host uptime is two months or longer.

Impact:
hostagentd consumes more than 400 MB of resident memory. In some cases, the process consumes more than 1 GB. This might cause system instability and intensive usage of vCMP host swap memory.

Workaround:
Restart hostagentd on vCMP host.

Fix:
Many stability and other improvements have been made to hostagentd daemon and associated functionality, so that memory leaks on vCMP hosts no longer occur.


580596-9 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: K14190 K39508724


580460-1 : Client side integrity defense or proactive may break application

Component: Advanced Firewall Manager

Symptoms:
A blank page is shown when client side integrity/proactive is turned on.

Conditions:
1. Client side integrity/proactive is turned on
2. IE 11 in compatibility mode - version 8 or lower. IE6 and 7 work.

Impact:
Application is broken - blank page is shown

Workaround:
N/A


580429-5 : CTU does not show second Class ID for InstallerControll.dll

Component: Access Policy Manager

Symptoms:
Client troubleshooting utility does not display the registered class id of Installer control.dll.

Conditions:
Client troubleshooting utility is used to display all installed edge client components.

Impact:
No impact to end user or administrator. Impacts F5 support.

Workaround:
None.

Fix:
CTU now shows the class id of installer control.dll.


580421-3 : Edge Client may not register DLLs correctly

Component: Access Policy Manager

Symptoms:
After an end-user confirms that they want to install InstallerControll.cab, the browser gets stuck in 'Checking client'.

Conditions:
Client is using Internet Explorer

Impact:
Clients are unable to install the Edge client components

Fix:
Edge client components are now getting properly registered.


580340-3 : OpenSSL vulnerability CVE-2016-2842

Vulnerability Solution Article: K52349521


580313-3 : OpenSSL vulnerability CVE-2016-0799

Vulnerability Solution Article: K22334603


580303-3 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.

Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.


580168-2 : Information missing from ASM event logs after a switchboot and switchboot back

Component: Application Security Manager

Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back

Conditions:
ASM provisioned
event logs available with violation details
install/upgrade to another volume and switchboot to it
wait for ASM to fully come up
switchboot back
event logs are still available but violation details are gone

Impact:
Information missing from ASM event logs after a switchboot and switchboot back

Workaround:
N/A

Fix:
N/A


580026-3 : HSM logging error

Component: Local Traffic Manager

Symptoms:
In some cases HSM logging does not function as designed.

Conditions:
Installing SafeNet HSM to BIG-IP chassis.

Impact:
Inaccurate HSM logs

Fix:
Improve HSM logging


579975-3 : OpenSSL vulnerability

Vulnerability Solution Article: K79215841


579955-2 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475

Vulnerability Solution Article: K01587042


579919-1 : TMM may core when LSN translation is enabled

Component: Local Traffic Manager

Symptoms:
tmm core

Conditions:
Virtual uses LSN translation with a destination matching a pool-based route

Impact:
Traffic disrupted while tmm restarts.

Fix:
Virtual with LSN translation no longer leads tmm coring when destination matches a pool-based route.


579909-2 : Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error

Component: Access Policy Manager

Symptoms:
Secondary blade MCPD exits if APM Sandbox intends to log a warning message when it fails to remove the corresponding sandbox directory /var/sam/www/webtop/sandbox/files_d/<partition_name>_d while the user is removing the partition.

There are multiple cases that can potentially log such kind of Sandbox warning message and cause an mcpd crash and/or tmm crash. APM can log the warning if it encounters a directory which is not empty, or if the directory does not exist. You will see this error signature in /var/log/ltm:

Mar 11 11:36:49 slot2/viprion-3 warning mcpd[6022]: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: Directory not empty. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/

Conditions:
The sandbox directory corresponding to the partition that you are deleting cannot be removed due to any reason such as Not Existing, Not Empty, etc. on the secondary blade. This can occur on the secondary blades if you create a partition before provisioning APM, then delete the partition on the primary blade, and auto-sync is enabled in the device group.

Impact:
Secondary MCPD exits and blade restarts. Tmm can core. Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed such that Secondary MCP will not exit but only log the warning message as the partition is successfully deleted.


579843-3 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair that uses dynamic routing.

Conditions:
- Active/Standby HA pair set up
 - Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
 - Active unit has the following succession of failover states:
   Active->Offline->Online->Standby->Active

Impact:
tmrouted may not announce the virtual addresses when the unit returns to the Active state after the succession of states listed above.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.

Fix:
tmrouted now re-announces RHI routes after this transition of failover states within an HA pair that uses dynamic routing.


579829-3 : OpenSSL vulnerability CVE-2016-0702

Vulnerability Solution Article: K79215841


579559-2 : DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration

Component: Access Policy Manager

Symptoms:
Network Access always falls back to a TLS connection, even if DTLS is configured, when connecting to some hardware platforms.

Conditions:
Network Access is configured to use DTLS.
A hardware BIG-IP platform with Nitrox DTLS acceleration is used.

Impact:
The Network Access connection always falls back to a TLS connection.

Workaround:
N/A

Fix:
Previously, Network Access always fell back to a TLS connection even if DTLS was configured when connecting to some hardware platforms. Network Access no longer falls back to TLS.


579524-2 : DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'

Component: Application Security Manager

Symptoms:
Policy Import via iControl REST in an HA pair occasionally fails on the Standby device with: DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'

Conditions:
Active/Standby pair configured
ASM provisioned
Import a security policy, via iControl REST

Impact:
Policy import fails

Workaround:
n/a

Fix:
We have fixed policy import via iControl REST so that it does not generate the database error.


579371-2 : BIG-IP may generate ARPs after transition to standby

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.

Impact:
Unexpected ARP requests that might result in packet loops.

Workaround:
None.

Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.


579284 : Potential memory corruption in MCPd

Component: TMOS

Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.

Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").

Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.

Fix:
Identified and fixed areas of potential memory corruption in MCP.


579237-3 : OpenSSL Vulnerability CVE-2016-0705

Vulnerability Solution Article: K93122894


579220-3 : Mozilla NSS vulnerability CVE-2016-1950

Vulnerability Solution Article: K91100352


579085-4 : OpenSSL vulnerability CVE-2016-0797

Vulnerability Solution Article: K40524634


579049-1 : TMM core due to wrong assert

Component: Application Visibility and Reporting

Symptoms:
Under stress traffic, tmm can core with the following backtrace:
frame 3:
in *__GI___assert_fail
frame 4 looks like this:
.... avr_alloc_segmempool_with_id .. mempool.c:278

Conditions:
AVR is provisioned and collecting statistics.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an issue that intermittently caused the TMM to core.


578971-1 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed

Component: Local Traffic Manager

Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:

"Slot 1 suffered heartbeat timeout ..."

This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.

Conditions:
Mcpd is restarted on a blade.

Impact:
Though all blades recover on their own, the cluster members being marked as failed may result in a failover.

Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.

Fix:
The clusterd daemon has been fixed to no longer become blocked when mcpd is restarted. This prevents the cluster member heartbeat timeouts from occurring, and thus no cluster members will be marked failed.


578844-2 : tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.

Component: Access Policy Manager

Symptoms:
tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.

Conditions:
A Network Access (NA) resource with both IPv4 and IPv6 is used (the SNAT pool in the NA resource is set to None). The user is connected to an IPv4 virtual server.
While connected, the user clicks 'Change server' and chooses an IPv6 virtual server.

Impact:
Traffic disrupted while tmm restarts.


578570-2 : OpenSSL Vulnerability CVE-2016-0705

Vulnerability Solution Article: K93122894


578564-3 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response

Component: Service Provider

Symptoms:
The connection is aborted with an RST: "ADAPT unexpected state transition (old_state 22 event 7)"

Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.

Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.

Fix:
HTTP::respond works as expected, even on an HTTP response returned by an ICAP server after request adaptation.


578353 : Statistics data aggregation process is not optimized

Component: Application Visibility and Reporting

Symptoms:
CPU spikes may occur every 5 minutes

Conditions:
Occurs all the time

Impact:
High CPU usage may be observed every 5 minutes

Workaround:
For versions based on 11.5.4 and 11.6.0 take the following steps:

1. Edit the entry 'AggregationMode' under the /etc/avr/monpd/monpd.cfg file and set it to be 'low' instead of 'medium' or 'high'.

2. Restart monpd afterwards.

For 12.0.0 and on:
tmsh modify sys db avr.stats.aggregation value low

Fix:
The statistics aggregation process in the database, which is performed by monpd, has been optimized to skip redundant updates of tables.


578334-3 : Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy.

Component: Application Security Manager

Symptoms:
These errors are visible in asm log:
--------------------
Mar 3 20:18:33 Bip_102 crit g_server.pl[29381]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ImportExportPolicy::Base::fatal_error): no such file '/ts/var/sync/admin~t6jsI8OQtyjKrbs2Djpjng'
Mar 3 20:18:33 Bip_102 info perl[29340]: 01310053:6: ASMConfig change: Import Policy Task Import Policy Task (1457029113.860000) [update]: Status was set to FAILURE. End Time was set to 1457029114. Message was set to Exported policy file not found!.. { audit: username = admin, client IP = 172.18.185.226 }
--------------------

The policy created on the peer device is a stub (default) policy.

Conditions:
ASM provisioned
HA pair (CMI)
Policy Import (REST, inline XML import)

Impact:
Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy on the peer device.

Workaround:
n/a

Fix:
We have fixed the import/export mechanism on HA pair (CMI).


577939-1 : DNS suffixes on user's machine may not be restored correctly in some cases

Component: Access Policy Manager

Symptoms:
DNS suffixes on the user's machine may not be restored correctly if the user reboots the machine without disconnecting the VPN.

This may result in incorrect or failed DNS resolution.

Conditions:
1) The DNS relay proxy component is installed on the user's machine.
2) The user reboots the machine without disconnecting the VPN first.

Impact:
DNS suffixes are not restored correctly, which may lead to incorrect or failed DNS resolution

Workaround:
Disconnect VPN before rebooting machine

Fix:
DNS Suffixes are now restored properly.


577863-2 : DHCP relay not forwarding server DHCPOFFER and DHCPACK messages after some time

Component: Policy Enforcement Manager

Symptoms:
If the routing table on the DHCP server is misconfigured so that the DHCP server knows how to send packets to the BIG-IP self IP (used by the BIG-IP DHCP relay) but does not know how to send packets to DHCP clients, the DHCP client will not receive the DHCP reply to its unicast request and will start to broadcast DHCP renewals. After a while, BIG-IP will stop relaying DHCPOFFER and DHCPACK messages back to DHCP clients altogether.

Conditions:
The DHCP server's unicast reply back to the client is not received by the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP as the source IP).

Impact:
BIG-IP stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.

Workaround:
Fix the DHCP server routing table so that the DHCP server can deliver DHCP reply packets back to the client successfully.


577828-5 : BIND vulnerability CVE-2016-2088

Vulnerability Solution Article: K59692558


577826-4 : BIND vulnerability CVE-2016-1286

Vulnerability Solution Article: K62012529


577823-4 : BIND vulnerability CVE-2016-1285

Vulnerability Solution Article: K46264120


577814-4 : MCPd might leak memory in PEM stats queries.

Component: Policy Enforcement Manager

Symptoms:
Memory leak may result in an "Out of Memory" condition causing functional issues in the BIG-IP.

Conditions:
Occurs when a valid PEM stats query is issued from a UI (GUI, TMSH, REST, etc.) and PEM is configured on the BIG-IP.

Impact:
System may be unresponsive or crash due to being out of memory.

Workaround:
None.

Fix:
Fixed the potential MCPd memory leak in PEM stats queries.


577664-2 : Policy import, to inactive policies list, results in different policies on the sync-failover peers

Component: Application Security Manager

Symptoms:
In a standard Active/Standby setup with a single Sync-Failover device group, Auto-Sync enabled, and ASM enabled,
importing an ASM policy (named "ddddd") into the inactive policies list shows the following in the GUI at
"Security ›› Application Security : Security Policies : Inactive Policies"

On active device:
Security Policy Name - Version
ddddd - 2016-02-25 10:39:49
ddddd_2 - 2016-03-01 00:11:46

On standby device:
Security Policy Name - Version
ddddd - 2016-03-01 00:11:41
ddddd_2 - 2016-02-25 10:39:49

According to the "Version" field (timestamps), "ddddd" on the active device is actually "ddddd_2" on the standby device, and the other two policies are not the same.

The group ends up with three different policies on the two devices.

Conditions:
Active/Standby pair
ASM provisioned
Import security policy to the inactive policies list

Impact:
Three different policies are created on the two devices.

Workaround:
n/a

Fix:
We have fixed the import policy process so that it results in a consistent state on both devices in a device group.


577440-1 : audit logs may show connection to hagel.mnet

Component: TMOS

Symptoms:
An iControl host header is improperly formatted with the name hagal.mnet

The request is properly delivered to the correct host but contains a badly addressed host header that is ignored.

If authorization fails for the iControl query, the audit log contains this destination information, which may be confusing.

Conditions:
Setting up device trust exercises this code path.

Impact:
No impact to functionality but is confusing for log interpretation.

Workaround:
There is no workaround.

Fix:
The host header is now properly formatted with the destination of the iControl request.


576591-4 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in one of these specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern is possible for these cases, but should be adjusted to each customer specifically.


576350-2 : External input from client doesn't pass to policy agent if it is not the first in the chain.

Component: Access Policy Manager

Symptoms:
When the client gets authenticated and then the session is deleted (it times out or is manually deleted from memcache), the browser still has its authorization token.

If the client refreshes the page, the browser passes the existing 'authorization' token, which is deleted by the agent processing the current task (a message box, in this case) instead of reaching the targeted agent (the HTTP_401_Response agent, in this case).

Conditions:
A logon page is not the first agent in the access policy chain, and it receives a pre-authenticated token from the browser.

Impact:
Although the client (browser) sends the pre-authenticated token, the user is still challenged for credentials (pop-up window). This is unnecessary and should not occur.

Workaround:
None.

Fix:
An HTTP_401_RESPONSE page can be placed anywhere in the access policy chain. Any pre-authenticated information for the targeted agent will not be consumed by another agent sitting in front.


576314-2 : SNMP traps for FIPS device fault inconsistent among versions.

Component: Local Traffic Manager

Symptoms:
The snmp traps bigipFipsDeviceError and bigipFipsFault are inconsistent among versions.

Conditions:
This trap is raised if the FIPS device firmware has stopped responding to requests and is no longer functional. The trap is different on the BIG-IP 10350 FIPS platform.

Impact:
The meaning of the trap is that the system is not able to perform any FIPS operations and process FIPS related traffic. You will need to be mindful of which version you are on to interpret the OIDs correctly.

Fix:
An SNMP trap is generated when the system has detected a FIPS device fault indicating that the device can no longer service FIPS operations. The OIDs differ across versions and on one specific platform. The OIDs and versions are:

BIGIP-COMMON-MIB::bigipFipsDeviceError .1.3.6.1.4.1.3375.2.4.0.152
This trap means "Encountered error in the FIPS card operation" on all FIPS platforms

BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.156 (from v11.5.4-hf1 and 11.6.1, not 12.0.0)
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.166 (from v12.1.0)
These traps mean "The FIPS card is currently in faulty state" for the specific FIPS hardware included on the BIG-IP 10350


576305-3 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.


576296-2 : MCPd might leak memory in SCTP profile stats query.

Component: Local Traffic Manager

Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Workaround:
None.

Fix:
Resolved a memory leak in mcpd resulting from a query of SCTP profile stats.


576224-1 : NetHSM does not come back after TCP connection to device is reset

Component: Local Traffic Manager

Symptoms:
NetHSM does not come back after TCP connection to device is reset.

Conditions:
TCP connection to NetHSM device is reset.

Impact:
NetHSM stops working.

Workaround:
None.

Fix:
NetHSM connectivity is restored after TCP connection to device is reset.


576069-2 : Rewrite can crash in some rare corner cases

Component: Access Policy Manager

Symptoms:
Rewrite can crash in some rare corner cases when specific erroneous elements are present in HTML content.

Conditions:
Any of the following strings in the HTML content:

<meta http-equiv="refresh" />
<meta http-equiv="location" />
<param name="general_servername" />
<param name="wmode" />

triggers a guaranteed rewrite crash.

Impact:
Web application malfunction.

Workaround:
Use an iRule to correct the improper HTML tag, or fix it directly in the content.

Fix:
Fixed.


575735-2 : Potential MCPd leak in global CPU info stats code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying global CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying global CPU information stats.


575726-2 : MCPd might leak memory in vCMP interface stats.

Component: TMOS

Symptoms:
MCPd might leak memory in vCMP interface stats.

Conditions:
The memory leak occurs when viewing VCMP interface statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying vCMP interface stats.


575716-2 : MCPd might leak memory in VCMP base stats.

Component: TMOS

Symptoms:
MCPd might leak memory in VCMP base stats.

Conditions:
This occurs when looking at VCMP base statistics.

Impact:
Over time this might cause MCPd to run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying VCMP base stats.


575708-2 : MCPd might leak memory in CPU info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in CPU info stats.

Conditions:
In some cases, querying CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying CPU information stats.


575671-2 : MCPd might leak memory in host info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in host info stats.

Conditions:
In some cases, querying host information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying host information stats.


575660-2 : Potential MCPd leak in TMM rollup stats

Component: TMOS

Symptoms:
MCPd leaks memory so the amount of used memory will grow over time.

Conditions:
In rare cases, such as immediately after a reboot before system performance stats are populated, querying system performance stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying system performance stats.


575649-2 : MCPd might leak memory in IPFIX destination stats query

Component: TMOS

Symptoms:
MCPd might leak memory in IPFIX destination stats query.

Conditions:
In some cases, querying IPFIX destination stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.


575631-3 : Potential MCPd leak in WAM stats query code

Component: WebAccelerator

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying WAM stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying WAM stats.


575626 : Minor memory leak in DNS Express stats error conditions

Component: Local Traffic Manager

Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.

Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.

Impact:
Memory leaks might eventually lead to system reboots.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur in certain error conditions relating to DNS Express statistics.


575619-2 : Potential MCPd leak in pool member stats query code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying pool member stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying pool member stats.


575612-3 : Potential MCPd leak in policy action stats query code

Component: Local Traffic Manager

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying policy action stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying policy action stats.


575609-3 : Zlib accelerated compression can result in a dropped flow.

Component: Access Policy Manager

Symptoms:
Some compression requests would fail when the estimated compression output block was too small. Such failures log an error similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.

Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.

Impact:
The flow that encounters the error is dropped.

Workaround:
Disable hardware accelerated compression.

Fix:
Difficult to compress requests may be dropped.


575608-2 : MCPd might leak memory in virtual server stats query.

Component: TMOS

Symptoms:
MCPd might leak memory in virtual server stats query.

Conditions:
In some cases, querying virtual server stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying virtual server stats.


575595-1 : Potential MCPd leak in eviction policy stats.

Component: TMOS

Symptoms:
The memory allocation for mcpd will grow by a small amount if eviction policy stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An eviction policy is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Fix:
Resolved a memory leak in mcpd resulting from a query of eviction policy stats.


575591-2 : Potential MCPd leak in IKE message stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE message stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE message stats.


575589-1 : Potential MCPd leak in IKE event stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE event stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE event stats.


575587-2 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.


575571-2 : MCPd might leak memory in FW DOS SIP attack stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.

Conditions:
This occurs when looking at firewall DOS SIP stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575499-1 : VPN filter may leave renew_lease timer active after teardown

Component: Access Policy Manager

Symptoms:
TMM cores, making the system unavailable for a period of time until it comes back up.

Conditions:
When using a Network Access resource with both IPv4 and IPv6, with a static IP address for IPv4 and dynamic address assignment for IPv6, tmm cores while the NA tunnel is running or at NA disconnect time.

Impact:
TMM cores and brings down the system.

Workaround:
N/A

Fix:
A stale renew_lease timer no longer remains in vpn_ctx after teardown, so it can no longer cause a TMM core.


575347-2 : Unexpected backslashes remain in monitor 'username' attribute after upgrade

Component: Local Traffic Manager

Symptoms:
The monitor 'username' attribute contains unexpected backslashes.

Conditions:
Upgrading from an earlier version with a configuration that contains a monitor 'username' attribute with at least one escaped backslash ('\\').

Impact:
Monitor probes contain excess backslashes which can lead to monitor failures.

Workaround:
Un-escape backslashes after upgrade by transforming '\\' sequences to '\'.

Fix:
Removed excess backslashes from monitor 'username' attribute during upgrade process.


575292-4 : DNS Relay proxy service does not respond to SCM commands in timely manner

Component: Access Policy Manager

Symptoms:
The DNS relay proxy service may appear unresponsive when it is stopped or started through the Service Control Manager, and the user may see a system dialog box saying "Service did not respond in a timely manner".

Conditions:
The DNS relay service component of Edge Client is installed on the user's machine.

Impact:
Usability: the user may think that the service has failed.

Workaround:
Wait for the service to report its proper status.

Fix:
Service now reports correct status to service control manager immediately.


575170-3 : Analytics reports may not identify virtual servers correctly

Component: Application Visibility and Reporting

Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.

Conditions:
This occurs for virtual servers that are configured in one of these ways:

1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.

2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).

Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.

Workaround:
None.

Fix:
The virtual server is now identified correctly, and the activity reported in the charts is attributed to the right virtual server.


575027-2 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.

Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.


575011-4 : Memory leak. Nitrox3 Hang Detected.

Component: Local Traffic Manager

Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly

Fix:
Repaired memory leak.


574781-2 : APM Network Access IPV4/IPV6 virtual may leak memory

Component: Access Policy Manager

Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, xhead and xdata caches grow over time. Additionally, the ppp_npmode_errors in the ppp stat table will increment with each leak.

Conditions:
APM virtual with Network Access configured with IPV4 and IPv6.

Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.

Workaround:
No workaround short of not enabling IPv6.

Fix:
APM Network Access now correctly manages its memory resources.


574451-2 : ASM chassis sync occasionally fails to load on secondary slot

Component: Application Security Manager

Symptoms:
ASM chassis sync occasionally fails to load on secondary slot when a new policy is created after a series of other configuration changes in quick succession.

Conditions:
A new policy is created after a series of other configuration changes in quick succession

Impact:
ASM chassis sync fails to load on secondary slot.

Workaround:
Make another system-wide configuration change, such as creating a user-defined signature, or wait until the hourly sync occurs.

Fix:
ASM chassis blades are now synchronized correctly after every policy creation.


574153-2 : If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.

Component: Local Traffic Manager

Symptoms:
If an SSL connection gracefully begins to disconnect at the same time as data is being encrypted by SSL acceleration hardware, the connection will remain open until the TCP profile timeout occurs instead of being closed immediately. This can cause unwanted higher memory usage, possibly causing crashes elsewhere.

Conditions:
* A virtual server with ClientSSL or ServerSSL profile.
* BIG-IP SSL acceleration hardware.
* While an SSL record is being encrypted by SSL accelerator hardware, the SSL connection begins to close by client TCP FIN or by any iRule command that closes the connection.

Impact:
There is a potential for higher memory usage, which in turn may cause TMM crash due to memory exhaustion resulting in service disruption.

Workaround:
If the affected SSL traffic does not include any long idle periods, memory consumption can be mitigated by reducing the idle timeout of the TCP or SCTP profile.

Fix:
SSL connections now disconnect normally if a disconnect attempt occurs while data is being encrypted by SSL acceleration hardware.


574116-2 : MCP may crash when syncing configuration between device groups

Component: TMOS

Symptoms:
mcpd on the sync target crashes when syncing configuration.

Conditions:
This can occur when a local non-synced object references an object that is synced (such as a local-only virtual server referencing a synced iRule), and a non-synced object on the target machine happens to be referencing the same synced object. In this condition, mcpd could crash if objects in a sync group are deleted and synced.

Impact:
Outage due to mcp crash which causes tmm to restart.

Workaround:
When you have devices with local-only resources that are referencing objects contained in a sync/failover group, avoid deleting any objects (such as iRules) that might be referenced by other local-only resources on other devices. Instead of a "this object is in use" error, mcpd on the target machine will crash.

Fix:
Verify existence of rule objects when validating configuration.


574055-3 : TMM crash after changing raccoon log level

Component: TMOS

Symptoms:
TMM crashes after changing the raccoon log level to debug2.

Conditions:
The debug level is set to debug2 while tmm is passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set the debug level to INFO.

Fix:
A tmm crash related to changing the debug level while passing traffic has been fixed.


574052-2 : GTM autoconf can cause high CPU usage for gtmd

Component: Global Traffic Manager

Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations.

This happens in large configurations of LTM virtual servers whose names contain "." (dot).

Conditions:
In a large configuration, LTM virtual servers whose names contain "." have the name converted ("." is replaced by "_"), and the converted LTM VS name is saved to the config.

This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of VSes to find a match.

This problem is caused by large numbers of VSes on a GTM Server (10k VSes on 10k Servers is less of an issue than 10k VSes on 1 GTM Server).

Impact:
CPU usage is high, which may impact monitoring and LB decisions.

Workaround:
There are some mitigations. The preferable ones (for performance and stability) are listed first.

1. Rename the virtual servers on the LTM to remove the ".".
   This would require deleting the GTM configuration, rediscovering it, and recreating pools.

2. Turn off autoconf.
   Run autoconf once to populate the config, then turn it off.

3. Reduce the frequency of autoconf. It will still cause a high CPU usage scenario, but it will be less frequent.

Versions 12.0.0 and higher do not convert the "." to "_", so that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they may still run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue; a reconfiguration would be necessary.

Fix:
The algorithm used to match LTM virtual server names to GTM virtual servers has been changed to avoid a linear walk of all virtual servers on a server.


574045-2 : BGP may not accept attributes using extended length

Component: TMOS

Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.

Conditions:
Neighbor sends path attributes using extended length.

Impact:
The BGP adjacency will repeatedly bounce and the RIB will never converge.

Fix:
Received BGP attributes using extended length are no longer rejected.


574020-4 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Component: Local Traffic Manager

Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').

Conditions:
This issue occurs when the following conditions are met:

-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').

Impact:
The script fails to work properly and does not install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which some user environments might not have.

Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).

Fix:
Safenet HSM installation script install now completes successfully if partition password contains special metacharacters (!#{}').

Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.


573778-7 : QEMU vulnerability CVE-2016-1714

Vulnerability Solution Article: K75248350


573643-2 : flash.utils.Proxy functionality is not negotiated

Component: Access Policy Manager

Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.

Conditions:
Presence of flash.utils.Proxy descendants.

Impact:
Customer application malfunction.

Workaround:
None.


573581-4 : DNS search suffixes are not restored properly in some cases after VPN establishment

Component: Access Policy Manager

Symptoms:
A DNS suffix modified after VPN establishment and closure may result in failure to resolve some DNS names.

Conditions:
DNS Relay proxy service is stopped in the middle of VPN session.
User's machine is rebooted.

Impact:
DNS suffixes are not restored properly which may lead to incorrect resolution of certain DNS names.

Workaround:
Any of the following workarounds:
1) Do not stop the DNS Relay proxy service in the middle of a VPN session.
2) Restore the DNS search suffixes manually.


573429-1 : APM Network Access IPv4/IPv6 virtual may leak memory

Component: Access Policy Manager

Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, connflow and tunnel_nexthop caches grow over time.

Conditions:
APM virtual server with Network Access configured with no SNAT and both IPv4 and IPv6 enabled.

Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.

Workaround:
No workaround short of not enabling IPv6 support.

Fix:
Network Access now correctly manages its memory resources.


573406-3 : ASU cannot be completed if the license was last activated more than 18 months ago

Component: Application Security Manager

Symptoms:
Attack Signature Update (ASU) cannot be completed if the license was last activated more than 18 months ago.

Conditions:
The license was last activated more than 18 months before.

Impact:
Attack Signature Update (ASU) cannot be performed.

Workaround:
The license must be re-activated.

Fix:
Attack Signature Update (ASU) can now be completed based on a license retrieved from server.


573402-2 : "C_GetAttributeValue error" with netHSM

Component: Local Traffic Manager

Symptoms:
When netHSM is used with BIG-IP, you will sometimes see "C_GetAttributeValue error".

Conditions:
When netHSM is used, this error message may appear.

Impact:
This message is benign and can be ignored.

Workaround:
This error message is not harmful. Users can ignore it in the log.

Fix:
When netHSM is used, the benign 'C_GetAttributeValue error' messages are no longer posted.


573343-3 : NTP vulnerability CVE-2015-8158

Vulnerability Solution Article: K01324833


573124-2 : TMM vulnerability CVE-2016-5022

Vulnerability Solution Article: K06045217


573075-2 : ADAPT recursive loop when handling successive iRule events

Component: Service Provider

Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause "ADAPT unexpected state transition".
The adapt profile statistic "records adapted" reaches a very high number as it counts every attempt.

Conditions:
A requestadapt or responseadapt profile is configured.
An iRule is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event, that parks.
The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.

Impact:
The connection is aborted with RST cause "ADAPT unexpected state transition".
The statistic "records adapted" reaches a very high number.
Eventually the TMM crashes and the BIG-IP fails over.

Workaround:
If possible, arrange the iRules to avoid the conditions above.
In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.

Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the "records adapted" statistic reports the correct number.


572922-2 : Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.

Component: Application Security Manager

Symptoms:
The following error is produced in ASM log during upgrade:
-----------
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
-----------

Conditions:
ASM provisioned

Impact:
Different portions of the security policy may be incorrectly upgraded.

Workaround:
N/A

Fix:
We have fixed the root cause so that the following error no longer occurs upon upgrading:
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>


572887-2 : DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client

Component: Access Policy Manager

Symptoms:
DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client. This happens because f5fpc fails to patch /etc/resolv.conf on Ubuntu 15.10 release.

Conditions:
/etc/resolv.conf, Ubuntu 15.10, f5fpc CLI client and network access establishment.

Impact:
DNS doesn't work properly on Ubuntu 15.10

Fix:
DNS now works correctly on Ubuntu 15.10 because the f5fpc command line client patches /etc/resolv.conf correctly.


572563-3 : PWS session does not launch on Internet Explorer

Component: Access Policy Manager

Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).

Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services, which Internet Explorer (IE) consumes. IE loads the DLL during the upgrade of PWS components. For some reason (especially on slow systems), IE does not unload the old DLL promptly after upgrading PWS. When the COM services are invoked to initialize PWS after the upgrade, the old DLL provides the service. Due to the recent renewal of our signing certificate, the old DLL cannot certify the integrity of the new PWS components. We have researched the issue, but we have not found a way to instruct IE to unload the old DLL after the upgrade.

Impact:
PWS session does not launch.

Workaround:
After upgrade, if Internet Explorer (IE) does not enter PWS within 60 seconds, close IE and start a new session. This is a one-time event.

Fix:
Internet Explorer can now launch a Protected Workspace session.


572543-2 : User is prompted to install components repeatedly after client components are updated.

Component: Access Policy Manager

Symptoms:
After auto-update of client components from Internet Explorer, the user is prompted to install the components again when returning to the VPN site.

Conditions:
Administrator upgrades BIG-IP to 12.1.
User has client components from a release older than 12.1.

Impact:
User is prompted to install components repeatedly.

Workaround:
Restart browser after components are updated the first time.


572495-3 : TMM may crash if it receives a malformed packet CVE-2016-5023

Vulnerability Solution Article: K19784568


572281-2 : Variable value in the nested script of a foreach command gets reset when there is a parking command in the script

Component: Local Traffic Manager

Symptoms:
When there is something like the following script:

foreach a [list 1 2 3 4] {
   set a 10
   after 100
}

The script contains a parking command, after, that runs after "set a 10". When the after command returns, the value of a goes back to the value assigned by foreach, and the value of 10 is lost.

Conditions:
There is a parking command in the nested script of a foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962

Impact:
Variable values get reset.

Workaround:
Set (or set again) the variable value after the parking command.

Fix:
This will be fixed in a later release.


572224-4 : Buffer error due to RADIUS::avp command when vendor IDs do not match

Component: Service Provider

Symptoms:
Errors similar to the following in the ltm log:

err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within 'RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6'.

Conditions:
The issue happens when there is a RADIUS::avp command for a vendor specific AVP and there's a RADIUS request that contains a different vendor-id than what was specified in the iRule command.

Impact:
You are unable to use vendor-specific RADIUS AVP commands.

Workaround:
None.

Fix:
Vendor-specific RADIUS AVP commands no longer generate errors.


572133-2 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This is visible if you are watching stderr for error messages.

Conditions:
There are no special conditions; every time the command is run, it sends some status messages to stderr.

Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command will send the status messages to stdout.


572086 : Unable to boot v11.6.0 on 7250 or 10250 platforms

Component: TMOS

Symptoms:
Unable to boot or system constantly rebooting.

Conditions:
Booting into v11.6.0 on 7250 or 10250 platform with RAID disk layout.

Impact:
Unable to boot.

Workaround:
None.

Fix:
This version of the software boots correctly on 7250 or 10250 platforms with RAID disk layout.


572025-2 : HTTP Class profile using a path selector upgrade to a policy that does not match the entire path

Component: Local Traffic Manager

Symptoms:
If you upgrade to version 11.4.0 through 12.0.0, and your configuration contains an HTTP Class profile with a paths selector, the generated policy does not match.

Conditions:
A HTTP Class profile containing a paths selector.

Impact:
The generated policy does not match the same paths as original HTTP Class profile.

Workaround:
Manually edit resulting policy

Fix:
The path selector specifier is no longer added to the generated policy, allowing the entire http-uri to be matched.


572015-3 : HTTP Class profile is upgraded to a case-insensitive policy

Component: Local Traffic Manager

Symptoms:
If you upgrade to version 11.4.0 through 12.0.0, and your configuration contains an HTTP Class profile, the generated policy will be case-insensitive.

Conditions:
HTTP Class profile

Impact:
Generated policy does not match on the same conditions as original HTTP Class profile.

Workaround:
Manually edit generated policy

Fix:
The case-sensitive attribute is added to generated policies during upgrade.


571573-2 : Persistence may override node/pmbr connection limit

Component: Local Traffic Manager

Symptoms:
In certain circumstances the BIG-IP system may load balance connections to a node or pool member over the configured connection limit.

Conditions:
- Node or pool member configured with connection limit.
- L4 or L7 virtual server.
- Persistence configured on the Virtual Server.
- Very high load on unit.

Impact:
BIG-IP system may load balance connections to a node or pool member over the configured connection limit.

Workaround:
Remove persistence or use another method of limiting the connections (rate limiting or connection limit on the Virtual Server).

Fix:
The BIG-IP system now correctly enforces the pool member/node connection limit.


571344-3 : SSL Certificate with special characters might cause exception when GUI retrieves items list page.

Component: TMOS

Symptoms:
After upgrading, you are unable to view certain certificates from the GUI. The catalina.out file may contain the signature MalformedByteSequenceException: Invalid byte 2 of 3-byte UTF-8 sequence.

iControl SOAP methods
====================
Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 will return an exception if returning a certificate with special characters.

Conditions:
SSL Certificate with special characters might cause exception when GUI retrieves items list page. This has been observed on upgrades to BIG-IP version 11.5.4 through 12.0.0.

Impact:
The GUI does not display the page containing certificate information. iControl SOAP cannot return a list of certificates if they contain information with special characters.

Workaround:
None.

Fix:
The GUI now correctly displays certificates with special characters, and iControl SOAP methods Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 no longer return exceptions.


571210-4 : Upgrade, load config, or sync might fail on large configs with large objects.

Component: TMOS

Symptoms:
Attempting to load a large config with large objects may result in the following error message:

err mcpd[7366]: 01070710:3: Database error (52), Can't write blob data, attribute:implementation status:52 - EdbBlobData.cpp, line 57

Attempting to synchronize a large change may result in the following error messages and a crash of the MCPD process:

err mcpd[8210]: 01071693:3: Incremental sync: Caught an exception while adding a transaction to the incremental config sync cache: unexpected exception.

err mcpd[8210]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: Can't write blob data, attribute:msgs status:52

err mcpd[8210]: 01070596:3: An unexpected failure has occurred, request_group destroyed while processing, exiting...

Conditions:
The config must be approximately 19.75 MB (slightly less) prior to processing a large object in the config that exceeds 256 KB.

Or, once the config exceeds 19.75 MB and 2 MB of additional memory has been allocated, processing config objects that exceed 256 KB (the larger, the more likely to occur) leads to the error.

Impact:
Upgrade, load config, or sync might fail, and a system crash and restart might occur.

Workaround:
Stagger the load, or reduce the size of particularly large objects within a config.

Fix:
Memory handling is improved so that large configs with large objects now successfully complete upon upgrade, load config, or sync.


571183-2 : Bundle-certificates Not Accessible via iControl REST.

Component: Local Traffic Manager

Symptoms:
Bundle-certificates Not Accessible via iControl REST.

Conditions:
This occurs when using iControl REST to look at bundle certificates via /mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt/bundle-certificates

Impact:
Unable to get data from the command.

Workaround:
If you do not need to do it via iControl REST, you can view bundle certificates using the tmsh command tmsh list sys file ssl-cert ca-bundle.crt bundle-certificates

Fix:
The iControl REST command for viewing bundle-certificates now displays all of the certificates.


571090 : When BIG-IP is used as SAML IdP, tmm may restart under certain conditions

Component: Access Policy Manager

Symptoms:
tmm restarts.

Conditions:
It is not known exactly what the conditions are, but this occurs when BIG-IP is configured as SAML IdP.

Impact:
Tmm may restart.

Workaround:
None


571019-3 : Topology records can be ordered incorrectly.

Component: TMOS

Symptoms:
Topology records can contain missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IP systems in a sync group.

Conditions:
When adding or deleting topology records or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues, including differences in the ordering of topology records on BIG-IP systems in a sync group.

Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IP systems in a sync group.

Workaround:
None.

Fix:
Topology records are now ordered consistently.


571003-1 : TMM Restarts After Failover

Component: Access Policy Manager

Symptoms:
TMM generates core file and restarts.

Conditions:
1. In an HA pair running pre 11.5.3-HF2 or 11.6.0-HF6, the standby is upgraded to 11.6.0-HF6 EHF 186, 241, 243, or 247.
2. Force failover.
3. A new session is established or an existing session terminated.

Impact:
Service is disrupted. All existing sessions are terminated.

Workaround:
None.

Fix:
TMM no longer generates core file and restarts upon upgrade.


570973-2 : L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2

Component: TMOS

Symptoms:
In BIG-IP v12.0.0 HF1 and HF2, the hardware SYN cookie feature for L7 virtual servers (e.g. Standard virtual server type or FastL4 with an HTTP profile) is broken due to an HSB bitstream update with a new hardware SYN cookie algorithm. It does not affect the 12.0.0 base release.

Conditions:
Hardware syn cookie is enabled (which is the default setting) on L7 virtual server.

Impact:
When syncookie protection is triggered, ingress legitimate traffic may be dropped by BIG-IP.

Workaround:
Disable hardware syn cookie on L7 virtual servers.

Note: After applying this workaround you may encounter Bug ID 555020 (SW syncookies and window scaling will cause 3WHS to fail on L7 VIP), in which case you would need to apply the workaround from that issue as well.

Fix:
This bug is fixed in 12.0.0-hf3 and 12.1.0.


570881-4 : IPsec configuration mismatch in IKEv2 causes TMM crash in isakmp_parse_proposal ()

Component: TMOS

Symptoms:
TMM crashes (NULL pointer access).

Conditions:
IPsec configuration mismatch in IKEv2 (for initiator and responder)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a correct configuration.

Fix:
Proper reaction (connection reject) was added for improper configuration.


570818-2 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Component: TMOS

Symptoms:
LTM IPsec IKEv2 does not support dynamic remote-address CONFIG option, but still might potentially process that information sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure in establishing IPsec SA.

Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a Cisco APIC device.

Impact:
Failure in establishing IPsec SA.

Workaround:
None.

Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.


570716-3 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736

Vulnerability Solution Article: K10133477


570667-16 : OpenSSL vulnerabilities

Vulnerability Solution Article: K64009378


570663-3 : Using iControl get_certificate_bundle_v2 causes a memory leak

Component: TMOS

Symptoms:
Using iControl call get_certificate_bundle_v2() causes a memory leak. iControlPortal memory use grows unbounded every time the method is called.

Conditions:
This occurs anytime the method is invoked; BIG-IP devices managed by Enterprise Manager can be especially impacted.

Impact:
Eventually iControlPortal will run out of memory and crash.

Fix:
The memory leak issue has been fixed.


570640-2 : APM Cannot create symbolic link to sandbox. Error: No such file or directory

Component: Access Policy Manager

Symptoms:
The user may encounter the following configuration error when adding a new APM sandbox-contained object in a non-default partition (other than /Common) if the user has ever attempted (but failed) to delete this partition (for example, couldn't delete it because it was not empty).

01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Validating configuration process failed.

Conditions:
The user has ever attempted (but failed) to delete the partition.

Impact:
No further APM sandbox objects, such as Hosted Content, can be added to the partition.

Upgrade may fail to install configuration with the impacted sandbox object.

Workaround:
Manually use the shell command 'mkdir -p' to re-create the missing folder where the symbolic link is supposed to be created, as shown in the error message.

Directories to create with mkdir -p are (for a partition named OUTSIDE_PROD in this example):
/config/filestore/files_d/OUTSIDE_PROD_d/sandbox_file_d
/var/sam/www/webtop/sandbox/files_d/OUTSIDE_PROD_d/sandbox_file_d
After creating the directories, sync to the active unit.


570617-4 : HTTP parses fragmented response versions incorrectly

Component: Local Traffic Manager

Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP itself correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value and then mis-parse the HTTP version.

Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.

Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as an HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.

Workaround:
None.

Fix:
HTTP correctly bounds the response version for other filters to parse.


570563-2 : CRL is not being imported/exported properly

Component: Access Policy Manager

Symptoms:
CRL assigned as part of Machine Cert Auth is not being imported/exported properly.

Conditions:
This occurs when importing SSL Certificates and Keys using the CRL type, or when adding the Machine Cert Check agent to an Access Profile when creating a new Certificate Authority Profile.

Impact:
Prevents CRL from being exported. Might also impact the import/export of Certificate Authority Profiles.

Workaround:
1. Copy and install the CRL to the other BIG-IP system separately.
2. Modify the exported configuration to use CRL from step 1

Fix:
Import and export of CRL is fully supported.


570535 : Multiple Kernel Vulnerabilities

Vulnerability Solution Article: K15685 K15912 K31300371 K16011 K21632201 K31026324 K17239 K17543 K17121 K41739114 K17246 K17458 K17244 K17245 K90230486 K17309 K17307 K31026324 K94105604


570419-2 : Use of session DB on multi-process appliances and blades may core.

Component: TMOS

Symptoms:
On selected devices and blades, tmm runs multiple processes. When running multiple processes, the session DB may occasionally attempt an operation that will cause a tmm segfault.

Conditions:
In order to experience this failure, tmm must be running in multiple processes on the appliance or on the blade, and session DB usage is required with mirroring.

Impact:
Outage and restart of tmm. This applies when bringing up blades as well as bringing peers online.

Workaround:
None.

Fix:
Use of session DB on multi-process appliances and blades no longer cores when bringing up blades as well as bringing peers online.


570363-2 : Potential segfault when MRF messages cross from one TMM to another.

Component: Service Provider

Symptoms:
Potential segfault when Message Routing Framework (MRF) messages cross from one TMM to another.

Conditions:
This issue occurs when MRF messages travel from one TMM to another, and an asynchronous operation also occurs (like persistence).

Impact:
It is possible for the message object to be removed before the asynchronous operation completes. If this occurs, a segfault may occur and the system might restart.

Workaround:
None.

Fix:
This release corrects the issue of potential segfault occurring when MRF messages cross from one TMM to another.


570064-3 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"

Component: Access Policy Manager

Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"

Conditions:
BIG-IP APM is configured and accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.

Impact:
The prompt should not occur.

Fix:
Internet Explorer will no longer prompt to run InstallerControll.cab


570057-3 : Can't install more than 16 SafeNet HSMs in its HA group

Component: Local Traffic Manager

Symptoms:
With the installation script on the BIG-IP, you can't install more than 16 SafeNet HSMs in its high availability group with client versions 5.2 and 5.4.

Conditions:
Attempt to install more than 16 SafeNet HSMs.

Impact:
Installer script failure.

Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.

Fix:
Updated the SafeNet installation scripts by replacing "vtl" with "lunacm" for high availability group creation and member adding operations for version 6.2.


570053-2 : HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Component: TMOS

Symptoms:
HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Conditions:
The issue is seen when all of the conditions below are met.
1. More than one certkeychain is configured in the clientSSL profile.
2. The content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }".
3. A config sync is performed in an HA setup.

Impact:
A missing certkeychain in a clientSSL profile can result in its inability to handle some kinds of SSL traffic. For example, if the clientSSL profile originally has an EC key/cert but loses it, then it is no longer able to handle SSL connections using EC cipher suites.

Workaround:
Reconfigure the certkeychains without modifying the content of an existing one:
1. On any BIG-IP system, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration.
2. Config sync, so that both systems have only the RSA certkeychain.
3. In any BIG-IP system, add certkeychains for other types (EC or DSA) you need. You can "add" or "delete" but do not "modify" any existing certkeychain.
4. Do config sync, so that both systems have the same certkeychains in the clientSSL profile.


569972-2 : Unable to create gtm topology records using iControl REST

Component: Global Traffic Manager

Symptoms:
The user is unable to create gtm topology records using iControl REST.

Conditions:
This occurs when a user issues an iControl REST POST command for a gtm topology record.

Impact:
The iControl REST POST command fails with the following error: 'Topologies must specify both regions: ldns: server:'.

Workaround:
Use TMSH, iControl SOAP, or the GUI to create gtm topology records.

Fix:
You can now create gtm topology records using iControl REST.

Please be sure to format the gtm topology oid string using the following rules:

1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.

For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC".


569958-2 : Upgrade for application security anomalies

Component: Application Visibility and Reporting

Symptoms:
After upgrading to a newer version, old statistics for application security anomalies are not shown.

Conditions:
Upgrade from BIG-IP version older than 12.1.0 to newer version

Impact:
Old statistics for application security anomalies are lost.

Fix:
Upgrade to a newer version and verify that old statistics are shown.


569642-4 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.

Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- Default route to pool via an intermediate router.
- The active unit is handling traffic.
- Active unit fails over and loses its mirroring connection.
- Prior active unit comes back and HA connection is reestablished.
- During the loss of HA and its recovery, the now active unit loses its only route to the pool member.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not remove all routes to pool members. If this is needed, create other backup routes prior to the deletion.

Fix:
TMM no longer cores on deleting all routes on a unit with a mirroring fastL4 Virtual during HA connection loss and recovery.


569634 : Aced process is not able to listen to port 6000

Component: TMOS

Symptoms:
When the aced process cannot listen on the port, it aborts and produces a core dump.

Conditions:
In certain scenarios, an exiting instance of the aced process does not properly clean up the socket (listening on port 6000) and does not exit completely, so the new instance of aced is unable to listen on that port.

Impact:
Aced process keeps crashing repeatedly.

Fix:
Aced process is fixed in order to explicitly close the socket file descriptor during exit. The new instance will be able to listen to that port.


569521-4 : Invalid WideIP name without dots crashes gtmd.

Component: Global Traffic Manager

Symptoms:
If a user creates a WideIP or WideIP Alias with a name that does not contain a dot, gtmd crashes.

The symptom is a crash and core dump from gtmd.

Conditions:
This occurs when the following conditions are met:
-- FQDN validation is suppressed by the following setting: gtm global-settings general domain-name-check == 'none'.
-- User attempts to create a WideIP with a name that does not contain a dot.

Impact:
gtmd crashes and WideIPs do not function.

Workaround:
When creating a WideIP or WideIP Alias while FQDN validation has been disabled (by setting gtm global-settings general domain-name-check == 'none'), make sure that the WideIP or WideIP Alias name contains at least one dot, and follows these rules:
-- The name must not end with a dot.
-- The name must not begin with a dot, unless '.' is the entire name.
-- The name contains no consecutive dots.
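The four naming rules above, encoded as a checker so that names can be audited before they reach a system with domain-name-check set to 'none'. This is an added illustration of the rules as stated in the workaround, not gtmd's own validation code, and the sample names are constructed.

```python
"""Checker for the WideIP / WideIP Alias naming rules quoted in the
workaround for ID 569521-4.  Added illustration, not F5 code."""

from typing import Dict, List


def wideip_name_violations(name: str) -> List[str]:
    """Return the rules a WideIP name breaks (empty list if it is acceptable).

    Rules, as listed in the workaround:
      - the name contains at least one dot
      - the name must not end with a dot
      - the name must not begin with a dot, unless '.' is the entire name
      - the name contains no consecutive dots
    """
    if name == ".":
        # The bare root name is the one explicit exception in the workaround.
        return []

    violations: List[str] = []
    if "." not in name:
        # With no dot at all, none of the positional rules can apply.
        violations.append("no dot in name")
        return violations
    if name.startswith("."):
        violations.append("begins with a dot")
    if name.endswith("."):
        violations.append("ends with a dot")
    if ".." in name:
        violations.append("contains consecutive dots")
    return violations


def is_safe_wideip_name(name: str) -> bool:
    """True when the name satisfies every rule in the workaround."""
    return not wideip_name_violations(name)


def audit_wideip_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each unacceptable name to its violations; acceptable names are omitted."""
    return {n: wideip_name_violations(n) for n in names if not is_safe_wideip_name(n)}


# Constructed sample names (not from the release notes).
SAMPLE_NAMES = [
    "www.example.test",   # acceptable
    ".",                  # acceptable: the root exception
    "intranet",           # no dot: the case that crashed gtmd
    "www.example.test.",  # trailing dot
    ".example.test",      # leading dot
    "www..example.test",  # consecutive dots
]

if __name__ == "__main__":
    for bad_name, reasons in audit_wideip_names(SAMPLE_NAMES).items():
        print(f"{bad_name!r}: {', '.join(reasons)}")
```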

Fix:
FQDN validation now confirms that a WideIP or WideIP Alias name has at least one dot in an appropriate position and has no consecutive dots, so gtmd no longer crashes and produces a core dump. This validation occurs even when other FQDN validation has been suppressed by setting gtm global-settings general domain-name-check == 'none'.


569472-2 : TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled

Component: Global Traffic Manager

Symptoms:
tmm cores with sigsegv within lb_why_pmbr_str.

Conditions:
1. Disable a GTM/BIG-IP DNS pool or pool member;
2. pool-member-selection is enabled for load-balancing-decision-log-verbosity.

Impact:
tmm cores.

Workaround:
Disable pool-member-selection for load-balancing-decision-log-verbosity.

Fix:
tmm no longer cores when disabling pool-member-selection for load-balancing-decision-log-verbosity.


569467-11 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: K11772107


569356-2 : BGP ECMP learned routes may use incorrect vlan for nexthop

Component: TMOS

Symptoms:
BGP with ECMP may result in learned routes using an incorrect next-hop VLAN if more than one VLAN is configured with global IPv6 addresses in the same route domain in which the routing protocol is running.

Conditions:
BIG-IP configuration with two or more VLANs configured with IPv6 global addresses and BGP with ECMP is peered with an active IPv6 BGP neighbor. The BGP is also configured with max-paths.

Impact:
The traffic randomly gets sent using the incorrect nexthop.

Workaround:
None

Fix:
Routes learned from the peer will have the correct nexthop VLANs.


569349-2 : Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled

Component: Local Traffic Manager

Symptoms:
When the net cos (Class of Service) feature is enabled, the VLAN priority of CMP-redirected packets is not preserved from ingress to egress.

Conditions:
1. The net cos feature is enabled.
2. The packet is CMP-redirected from one tmm to another tmm for processing.

Impact:
Egress packets are not processed according to the ingress VLAN priority by the BIG-IP system and the downstream router. The downstream router drops certain packets because of the incorrect VLAN priority mark.

Workaround:
None.


569337-2 : TCP events are logged twice in a HA setup

Component: Advanced Firewall Manager

Symptoms:
TCP log events are logged twice (if enabled in the security log profile) when connection mirroring is enabled on the virtual server in an HA setup (Active/Standby).

Conditions:
An HA setup (Active/Standby), or a connection with both client-side and server-side flows.

Impact:
TCP log events are logged twice (duplicate events from the active unit and the standby unit, or from both the client side and the server side of the connection flow).

Workaround:
N/A

Fix:
TCP log events are no longer logged twice when enabled in the security log profile with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).


569309-1 : Clientside HTML parser does not recognize HTML event attributes without value

Component: Access Policy Manager

Symptoms:
Assigning certain HTML content to tag.innerHTML can lead to a JavaScript error. This happens when one or more tags in the HTML text contain HTML event attributes without a value (such as <div onclick />).

The following or a similar error is logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference

Impact:
Web application does not work when accessed through Portal Access.

Workaround:
An iRule could be written for the specific application.

Fix:
Empty inline event handler attributes are no longer rewritten on the client side.


569306-3 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected

Component: Access Policy Manager

Symptoms:
After logging on to Windows, the user is still shown the logon page to connect to the VPN. Windows logon credentials are not used for the VPN automatically.

Conditions:
The connectivity profile has "Reuse Windows Logon Credentials" selected.

Impact:
The user has to retype their credentials to connect to the VPN.

Workaround:
Enter the credentials again to connect to the VPN.

Fix:
Windows logon credentials are now used automatically to connect to the VPN.


569288-2 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. As a result, some of the LACP trunk members are unable to aggregate successfully with the peer switch.

Conditions:
This only happens in a chassis-based system when a race condition causes the trunk ID to be modified after the initial trunk creation.

Impact:
Non-aggregated trunk members are unable to pass traffic.

Workaround:
Restart lacpd on all blades in the chassis by running the command "clsh bigstart restart lacpd".


569255-3 : Network Access incorrectly manipulates routing table when a second adapter is connected if 'Allow Local subnet access' is set to ON

Component: Access Policy Manager

Symptoms:
When Network Access is already established and a second network interface is connected to the client system, the VPN quickly reconnects, which breaks existing TCP connections. Because the reconnect occurs very quickly, it might appear to the user that nothing happened.

Conditions:
-- 'Allow Local subnet access' enabled.
-- A second network interface is connected to the client system.

Impact:
Long-standing TCP connection may break, for example, VPN over Network Access.

Workaround:
Disable 'Allow Local subnet access'.

Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.


569236-4 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the first part of a fix provided for this issue. See fixes for bug 569236 for the second part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP system is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part one of a two-part fix. Fixes for bug 583285 provide part two of the fix.


569206-2 : After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.

Component: Local Traffic Manager

Symptoms:
After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.

Conditions:
Connectivity loss and restoration between HSM and pkcs11d.

Impact:
Sometimes, one or more blades have consistent SSL failures, while others work fine after the network is restored.

Workaround:
None. This is an intermittent failure.

Fix:
All blades now recover to a working state after the network is restored.


568889-2 : Some ZebOS daemons do not start on blade transition secondary to primary.

Component: TMOS

Symptoms:
In some specific cases, the ZebOS daemons on the standby unit's secondary blade might not get started when that blade becomes primary.

Conditions:
The failover occurs as a result of the primary blade's mcpd restarting.

Impact:
The new primary blade does not start some ZebOS daemons, resulting in OSPF not working as expected on the standby unit.

Workaround:
Run the following tmsh command on the new active unit: bigstart restart tmrouted.

Fix:
The BIG-IP system now correctly starts the ZebOS daemons on the standby unit when a new blade starts up as primary.


568743-3 : TMM core when dnssec queries to dns-express zone exceed nethsm capacity

Component: Local Traffic Manager

Symptoms:
tmm crashes, and /var/log/ltm contains entries indicating "Signature failed":

err tmm1[16816]: 01010216:3: DNSSEC: Signature failed (signature creation) for RRSET (host0530.f5test.net, 1) with key /Common/myZSK2, generation 1.

Conditions:
This can occur when a dns-express zone generates more responses than the Thales HSM can sign. The excess requests are queued and tmm can core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when DNSSEC queries to a dns-express zone exceed the network HSM capacity.


568670-2 : ASM fails to start with error - Undefined subroutine &F5::CRC::get_crc32

Component: Application Security Manager

Symptoms:
ASM fails to start with the following error in ts_debug.log:

Undefined subroutine &F5::CRC::get_crc32 called at /usr/local/share/perl5/F5/RamCache.pm line 69

Conditions:
ASM is provisioned.

Impact:
ASM fails to start.

Workaround:
n/a

Fix:
A rare condition in which ASM fails to start has been fixed.


568543-3 : Syncookie mode is activated on wildcard virtuals

Component: Local Traffic Manager

Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.

Conditions:
The default number of connections per second before syncookie mode is activated is 1993. This value can be increased to a maximum of 4093. Once this threshold is reached, syncookie mode is activated. This maximum is insufficient for wildcard virtuals, since they can legitimately receive 30k+ connections per second.

Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.

Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.

Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (the previous maximum was 4093).


567862-1 : intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance

Component: Local Traffic Manager

Symptoms:
The BIG-IP system intermittently has SSL traffic failures with the HSM. This symptom occurs on both chassis and appliance platforms. The typical error message logged is:

"FIPS acceleration device failure: fips_poll_completed_reqs: req: 44 status: 0x1 : Cancel"

Conditions:
A SafeNet HSM is used with the BIG-IP system.

Impact:
SSL traffic fails.

Workaround:
"bigstart restart pkcs11d" might mitigate this issue.

Fix:
Multiple issues are fixed, including better synchronization between tmm and pkcs11d. Fixes are also included to handle key handle changes on the HSM.


567774-1 : ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root

Component: TMOS

Symptoms:
The properties 'ca-devices' and 'non-ca-device' are available in the 'restart' command but are not valid.

Conditions:
None

Impact:
Do not use the restart command with the properties 'ca-devices' and 'non-ca-device'. The restart command is meant to be used in the same way as the delete command.

Workaround:
A new tmsh command to reset a device trust was added: 'restart cm trust-domain Root', which operates exactly like 'delete cm trust-domain Root'. The properties 'ca-devices' and 'non-ca-device' are available in the 'restart' command but are not valid. These properties are not available in 'delete cm trust-domain'. The workaround is to not use these two properties when running the 'restart cm trust-domain' command, or to use 'delete cm trust-domain' instead.

Fix:
The 'ca-devices' and 'non-ca-devices' properties were removed from the tmsh command 'restart cm trust-domain' because they are not valid.


567660-2 : Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature

Component: Access Policy Manager

Symptoms:
An existing TCP connection is sporadically disrupted by the BIG-IP virtual server sending out a SYN-ACK, causing the existing connection to fail.
The client and virtual server set up a good TCP connection, complete the SSL handshake, and start to pass application data.
The APM virtual server then sends a SYN-ACK with sequence and acknowledgement numbers that do not match the existing stream.
APM tries three SYN-ACKs before giving up and sends an RST-ACK, which drops the connection attempt; because it shares the same IP:port as the existing connection, it also resets the good connection.

Conditions:
The Auto Last Hop setting is disabled.

Impact:
The APM RDG feature does not work.

Workaround:
1. Enable Auto Last Hop,
OR
2. Set cmp_enabled to 'NO' on the virtual server.

Fix:
APM RDG feature now works as expected when Auto Last Hop is disabled.


567503-5 : ACCESS::remove can result in confusing ERR_NOT_FOUND logs

Component: Access Policy Manager

Symptoms:
When using the iRule command ACCESS::remove, ERR_NOT_FOUND messages may appear in /var/log/apm. These are not real errors: ACCESS is trying to insert a session variable but cannot find the session, because the iRule has already deleted it.

The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.

Conditions:
An iRule using the command ACCESS::remove, and the end-user does a POST.

Impact:
No functional impact, the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.

Workaround:
None.

Fix:
ACCESS::remove no longer results in confusing ERR_NOT_FOUND logs.


567484-5 : BIND Vulnerability CVE-2015-8705

Vulnerability Solution Article: K86533083


567475-5 : BIND vulnerability CVE-2015-8704

Vulnerability Solution Article: K53445000


567457-3 : TMM may crash when changing the IKE peer config.

Component: TMOS

Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).

Conditions:
This occurs when making changes to IPsec tunnels that cause the configuration to become invalid. For example, changing the ISAKMP phase 1 hash from SHA-1 to MD5 results in an invalid configuration.

Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use tmsh to make the affected configuration changes. This crash occurs in the GUI only; the tmsh 'create' command does not cause it.

Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.


567379-1 : libtar vulnerability CVE-2013-4397

Vulnerability Solution Article: K16015326


567355-1 : Scheduled report lost after loading configuration

Component: Application Visibility and Reporting

Symptoms:
A saved scheduled report is lost after loading the system configuration.

Conditions:
1. Create a scheduled report.
2. Save the configuration.
3. Load the configuration.
The scheduled report no longer exists.

Impact:
The scheduled report can be lost.

Fix:
A saved scheduled report is no longer lost after loading the system configuration.


566998-2 : Edge client upgrade fails if client was configured in locked mode

Component: Access Policy Manager

Symptoms:
The Edge client cannot be upgraded automatically to a newer version.

Conditions:
-- The Edge client package was downloaded with the "Enable Always Connected mode" option checked.
-- The server contains a newer version of the Edge client.

Impact:
Automatic upgrade of the Edge client fails.

Workaround:
Manually uninstall and re-install the client.


566908-5 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file

Component: Access Policy Manager

Symptoms:
A web server listening on a local Wi-Fi or Ethernet IP cannot be accessed after the VPN is established if proxy.pac is defined in a way that forwards all web traffic over the VPN.

Conditions:
A proxy.pac file is configured for Network Access on an OS X system.

Impact:
The local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over the VPN to the corporate proxy server.

Workaround:
None.

Fix:
A web server listening on a local Wi-Fi or Ethernet IP can now be accessed after the VPN is established, even if proxy.pac is defined in a way that forwards all web traffic over the VPN to the corporate proxy server.


566758-2 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.

Conditions:
The expiration period is omitted in a hand-crafted XML policy file.

Impact:
The Login Page created as a result is inaccessible in GUI and REST.

Workaround:
Ensure that the expiration period exists in the XML policy file before import.

Fix:
A policy file, with a missing expiration field, imported as XML is now handled correctly.


566646-4 : Portal Access could respond very slowly for large text files when using IE < 11

Component: Access Policy Manager

Symptoms:
When accessing a large 'text/plain' file from server with Internet Explorer versions 7 through 10 client browsers, Portal Access sometimes holds the response until it fetches and processes the entire file contents. This can take several dozen seconds, or even minutes.

Conditions:
Internet Explorer versions 7 through 10 with Portal Access.

Impact:
Large text files can't be accessed or downloaded through Portal Access.

Workaround:
An iRule that does either of the following:
a) Preferred: append F5CH=I to the request URI in HTTP_REQUEST for affected requests.
b) Call REWRITE::disable for affected requests.

Fix:
Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay.


566576-2 : ICAP/OneConnect reuses connection while previous response is in progress

Component: Service Provider

Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.

Conditions:
There is a 'oneconnect' profile on the internal virtual server (IVS) along with the 'icap' profile.
The issue is triggered when the parent HTTP virtual server disconnects the IVS before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.

Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.

Workaround:
Remove OneConnect.

Fix:
The BIG-IP system with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.


566507-2 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.

Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.


566361-8 : RAM Cache Key Collision

Component: Local Traffic Manager

Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled.

Conditions:
This occurs when RAM cache is enabled in certain circumstances.

Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.

Workaround:
None.

Fix:
The system now avoids RAM Cache Key collisions, the correct object and response format are delivered from the cache, and tmm no longer cores.


566061-3 : Subscriber info missing in flow report after subscriber has been deleted

Component: Policy Enforcement Manager

Symptoms:
If a subscriber is deleted while one of its flows is in progress, the flow reports begin to report the subscriber ID as "unknown". It becomes difficult to map the flow to that specific subscriber.

Conditions:
Flow reporting is enabled for a subscriber, and the subscriber is deleted in the middle of a flow.

Impact:
If you use the subscriber ID to match flows, you will miss the flows that are reported with an unknown subscriber.

Fix:
The subscriber ID is now saved so that it can be accessed even after the subscriber has been deleted.


565895-4 : Multiple PCRE Vulnerabilities

Vulnerability Solution Article: K17235


565810-2 : OneConnect profile with an idle or strict limit-type might lead to tmm core.

Component: Local Traffic Manager

Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.

Conditions:
OneConnect profile with a limit-type value of idle or strict.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a limit-type of 'none'.

Fix:
A OneConnect profile using an idle or strict limit-type no longer causes tmm to core when shutting down idle connections.


565799-2 : CPU Usage increases when using masquerade addresses

Component: Local Traffic Manager

Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.

Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.

Impact:
Possible performance degradation or reduction in capacity.

Fix:
Performance of masquerade address checks is restored.


565765-3 : Flow reporting does not occur for unclassified flows.

Component: Policy Enforcement Manager

Symptoms:
Flow reports are missing for some of the flows.

Conditions:
Flow reporting action has been configured with no classification filter. This was observed for flows that remained unclassified until the very end.

Impact:
If you are using flow reports to track the data usage of the subscriber, the usage will not be accurate.

Workaround:
None.

Fix:
For flows that never get classified, the system now sends out flow reports at the end of the flow. Only the FLOW_INIT and FLOW_END reports are sent in this case (there are no FLOW_INTERIM reports). This is the correct behavior.


565534-2 : Some failover configuration items may fail to take effect

Component: TMOS

Symptoms:
These symptoms apply to version 12.0.0 and later:

When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.

These symptoms can occur on all versions:

When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.

Conditions:
For version 12.0.0 and later:

Multicast failover is configured and the system loads the configuration from the configuration files, for example during the first boot of a new boot location, or after performing the procedure in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

For all versions:

A change is made to the cm device configuration that includes a unicast-address change along with something else.

Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.

Workaround:
Mitigation for v12.0.0 (and later) symptom:

To restore multicast failover, disable and re-enable multicast failover.

To do so, perform the following procedure on the local device.
1. Determine which interface is being used for multicast failover by running the following tmsh command:
list cm device device1 multicast-interface
2. Disable and re-enable multicast failover by running the following tmsh commands:
modify cm device device1 { multicast-interface none }
modify cm device device1 { multicast-interface eth0 }


Mitigation for all versions symptoms:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.

Fix:
With the fix, sod now sends out multicast failover heartbeat datagrams under the same conditions.


565527-3 : Static proxy settings are not applied in Network Access configuration

Component: Access Policy Manager

Symptoms:
Applications that cannot evaluate a PAC file cannot make use of the static proxy configuration either.

Conditions:
- The Network Access (NA) configuration has a static proxy configuration.
- An application on the user's system does not support proxy auto-configuration, but does support static proxy configuration.

Impact:
The application cannot make connections if a proxy is required to reach the destination, resulting in failed connections from that application.

Workaround:
None.

Fix:
Static proxy settings are now applied in Network Access configurations. This allows applications that do not support PAC files to work inside the VPN.


565463-2 : ASM-config consumes 1.3GB RAM after repeated Policy Import via REST

Component: Application Security Manager

Symptoms:
Multiple ASM-config processes are running (more than 10), consuming more than a GB of memory in total.

Conditions:
ASM provisioned.
Repeated policy import via REST.

Impact:
The BIG-IP system might run low on memory and post the following message in /var/log/kern.log: Out of memory: Kill process 22699.

Workaround:
Restart asm (disruptive).
Restart asm_config_server.pl (non-disruptive).

Fix:
The operation now limits the number of ASM configuration processes by reusing existing processes instead of creating new ones, so the system no longer runs out of memory.


565409-4 : Invalid MSS with HW syncookies and flow forwarding

Component: Local Traffic Manager

Symptoms:
A packet may have its MSS set to 65536 when using hardware syncookies and flow forwarding.

Conditions:
The conditions which cause this are not fully known.

Impact:
TMM core/reboot.

Workaround:
Disable hardware syncookies or TSO.


565231-2 : Importing a previously exported policy which had two object names may fail

Component: Access Policy Manager

Symptoms:
If an exported access policy includes two object names of the form profile_name-aaa and aaa, importing that policy may fail or produce an incorrect result.

Conditions:
For example:
access policy name "test"
access policy item name "test-empty"
access policy item name "empty"

For example:
access policy name "test"
access policy item name "test-empty"
macro name "empty"

Impact:
Rare case, but the import of such a policy may fail.

Workaround:
Rename one of the objects in the bigip.conf file to avoid such a naming pattern.

Fix:
Objects are now exported correctly, without error.


565169 : Multiple Java Vulnerabilities

Vulnerability Solution Article: K48802597


565085-2 : Analytics profile allows invalid combination of entities for Alerts setup

Component: Application Visibility and Reporting

Symptoms:
When non-cumulative metrics are selected for an Alert on a dimension other than a Virtual Server, errors appear in the log.

Conditions:
Analytics in use, and non-cumulative metrics such as the following are used on a time dimension:

- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput

Impact:
You are able to configure invalid alerts without any warning, but the metric does not work and generates errors in the /var/log/monpd.log file.

Workaround:
None needed. This is cosmetic.

Fix:
Invalid combinations of entities for Alert setup are no longer allowed. Validation is present both in the UI and in the backend.


565056-3 : VPN fails to update correctly for non-admin users.

Component: Access Policy Manager

Symptoms:
VPN is not updated correctly for non-admin users.

Conditions:
Steps to Reproduce:
1. In BIG-IP 12.0, create an Access Policy containing Firewall Check, Machine Info, Machine Cert Auth, Cache and Session Control, Protected Workspace, and VPN Resources with Optimized Applications.
2. Log in with a user without admin privileges.
3. Run Firefox.
4. Log in to the virtual server and install components.
5. Click the NA resource on the webtop to start the VPN tunnel. The user is asked for an admin password, and the VPN is successfully installed and established.
6. Close Firefox and exit Protected Workspace.

Impact:
The VPN is not updated. The user is not asked to enter admin credentials, and the following error is given: "Error downloading required files (-1)".

Workaround:
None.

Fix:
VPN is now updated as expected for non-admin users.


564876-1 : New DB variable log.lsn.comma changes CGNAT logs to CSV format

Component: Carrier-Grade NAT

Symptoms:
The new CSV format that does not use quotes as delimiters was not available prior to 12.1.2.

Conditions:
Setting the DB variable log.lsn.comma.

Impact:
More control over the logging format via the DB variable log.lsn.comma.

Workaround:
N/A

Fix:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.

Behavior Change:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.


564521-3 : JavaScript passed to ExternalInterface.call() may be erroneously unescaped

Component: Access Policy Manager

Symptoms:
JavaScript passed to ExternalInterface.call() may be erroneously unescaped.

Conditions:
Adobe ActionScript 3.0 version 24 or less.

Impact:
Adobe Flash application may crash.

Workaround:
None

Fix:
Completely fixed.


564496-3 : Applying APM Add-on License Does Not Change Effective License Limit

Component: Access Policy Manager

Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated, even though telnet output shows that it is.

Conditions:
1. Set up a high availability (HA) configuration with a base APM license.
2. Apply an APM add-on license to increase Access and CCU license limits.

Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.

Workaround:
To make the add-on license effective, run the following command:
bigstart restart tmm

For systems running v11.5.3, v11.5.4, and v11.6.0, use the following workaround:
 - Take one unit Offline.
 - Remove the HA configuration.
 - Reactivate license on the offline unit.
 - Take a peer unit Offline.
 - Release the first unit from Offline.
 - Reactivate license on the peer unit.
 - Rebuild HA configuration.
 - Release the peer unit from Offline.

Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.


564493 : Copying an access profile appends an _1 to the name.

Component: Access Policy Manager

Symptoms:
Copying an access profile appends an _1 to the name.

Conditions:
This occurs on every copy operation on an access profile.

Impact:
This is a cosmetic issue that does not impact system functionality.

Workaround:
To work around this:
1. Copy the profile.
2. Edit bigip.conf to remove the _1 from the profile name.
3. Issue the command: tmsh load sys config.

Fix:
Copying an access profile no longer appends an _1 to the name unless it is needed, for example, when copying a profile whose name already exists.


564482-2 : Kerberos SSO does not support AES256 encryption

Component: Access Policy Manager

Symptoms:
If the delegation account is enforced to use AES256 encryption, then APM Kerberos SSO will fail. Example error message: Dec 18 19:22:19 bigip8910mgmt err websso.7[31499]: 014d0005:3: Kerberos: can't decrypt S4U2Self ticket for user 'username' - Decrypt integrity check failed (-1765328353).

Conditions:
Delegation account is enforced to use AES256 encryption.

Impact:
Kerberos SSO will fail, and the user will be prompted to enter credentials.

Workaround:
Disable the option to enforce AES256 encryption for the delegation account.

Fix:
Delegation account can be enforced to use AES256 encryption, provided the delegation account is configured as SPN format on the Kerberos SSO configuration.


564427-3 : Use of iControl call get_certificate_list_v2() causes a memory leak.

Component: TMOS

Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.

Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.

Impact:
Memory leak.

Workaround:
Restarting httpd helps reduce memory, but it must be restarted periodically to clear up the memory issues.

Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.


564371-2 : FQDN node availability not reset after removing monitoring

Component: Local Traffic Manager

Symptoms:
If you are using FQDN nodes that are being monitored, the node status will remain set to whatever it was before the monitor was removed.

Conditions:
This occurs when removing monitoring from FQDN nodes.

Impact:
The expected behavior is that the node status becomes 'unknown'. Instead, FQDN nodes can be left permanently marked down or up.

Workaround:
None

Fix:
FQDN node status will now change to Unknown if monitoring is removed.


564263-3 : PEM: TMM asserts when Using Debug Image when Gy is being used

Component: Policy Enforcement Manager

Symptoms:
TMM assert leading to restart.

Conditions:
A policy P1 is installed over Gx with a reference to rating group R1. Later, an update is received over Gx that removes P1 and adds a policy P2 that also refers to the same rating group R1. TMM then cores when policy P2 is removed.

Impact:
TMM restart and disruption of service.

Workaround:
The PCRF should ensure that policy additions and removals are not done in a single update.

Fix:
This issue has been fixed.


564262-4 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code

Component: Access Policy Manager

Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.

Conditions:
- DNS names cannot be resolved on the client system.
- The PAC file used to determine the proxy server uses a JavaScript DNS resolution function.

Impact:
Tunnel server crashes and user cannot establish VPN.

Workaround:
Enable DNS resolution on client or do not use DNS resolution JavaScript functions in PAC file.

Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.


564253-5 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins that are not signed by Firefox.

Conditions:
Using APM with Firefox v44.0 and later.

Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.

Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.

Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.


564111-1 : Multiple PCRE vulnerabilities

Vulnerability Solution Article: K05428062


564040-4 : Differentiation of missing component alerts

Component: Fraud Protection Services

Symptoms:
The alert reads as 'no cookie' while the actual situation is different.

Conditions:
The component check cookie exists, but it fails to be parsed by the plugin.

Impact:
False positive missing component no-cookie alerts.

Workaround:
None.

Fix:
If the Component Check cookie exists and cookie parsing fails for different reasons, the system now sends different alert components (Unseal Failed or Cookie Malformed).


564039-3 : WebSafe "Missing component" check gets applied on request with different referrer domain.

Component: Fraud Protection Services

Symptoms:
The "Missing component" checker only looks at the referrer header path and not at the domain name. The result is a false positive alert indicating the cookie is missing.

Conditions:
The referrer is coming from a different domain and the system is still performing component validation check.

Impact:
False positive missing component alerts when redirecting from other sites to a WebSafe protected site.

Workaround:
Do not configure the same URL as a protected page.

Fix:
The Missing Component check now looks at the referrer header path as well as the domain name. This prevents false-positive Missing Component alerts when redirecting from other sites to a WebSafe protected site.


563670-11 : OpenSSL vulnerabilities

Vulnerability Solution Article: K86772626


563591-2 : reference to freed loop_nexthop may cause tmm crash.

Component: Local Traffic Manager

Symptoms:
tmm may crash intermittently when there is CMP-directed VIP (virtual IP) to VIP traffic.

Conditions:
When CMP directed VIP to VIP traffic exists.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes under this condition.


563554-3 : Accept-language in alerts

Component: Fraud Protection Services

Symptoms:
Accept-language header is not sent in alerts generated by FPS plugin.

Conditions:
Alerts generated by FPS plugin.

Impact:
Prevents analyzing the cause for plugin-generated alerts.

Workaround:
None.

Fix:
The accept-language header is now sent in alerts generated by the FPS plugin.


563475-3 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Component: TMOS

Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.

Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.

Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.

Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.

Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.


563474-2 : SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile

Component: Access Policy Manager

Symptoms:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns a zero value for an APM access profile that has been edited but not yet applied, which should instead return a non-zero value.

config # snmpwalk -v2c 127.0.0.1 -c public F5-BIGIP-APM-MIB::apmPmStatConfigSyncState
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState."/Common/my-test-access" = Counter64: 0

Conditions:
The access profile has been edited but not yet applied.

Impact:
SNMP users cannot discriminate the status of an APM access profile: applied or not applied.

Workaround:
None available.

Fix:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState now returns the correct non-zero value.


563419-5 : IPv6 packets containing extended trailer are dropped

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets are dropped

Conditions:
IPv6 packet contains trailing bytes after payload

Impact:
Packet loss

Fix:
IPv6 packets that exceed the size of the 'Payload Length' header will be trimmed and processed instead of being dropped.


563349-4 : On MAC, Network Access proxy settings are not applied to tun adapter after VPN is established

Component: Access Policy Manager

Symptoms:
In some cases, the user may not be able to browse to external or internal web sites, because the proxy settings are not used.

Conditions:
- The user's machine has local proxy settings configured.
- The NA settings specify a proxy configuration.

Impact:
User may not be able to browse some sites, or the connection would not take the proxy settings into account.

Workaround:
None


563237 : ASM REST: name for ipIntelligenceReference is incorrect

Component: Application Security Manager

Symptoms:
The reference name for a Security Policy's ip-intelligence configuration is not consistent with F5 REST standards, which dictate that a reference name starts with a lower-case letter.

In the return for a policy resource the following is seen:
...
 'IpIntelligenceReference': {
                'link': 'https://localhost/mgmt/tm/asm/policies/<POLICY ID>/ip-intelligence'
...

This should be 'ipIntelligenceReference'

This has already been corrected in versions 12.0.0 and later.

Conditions:
ASM REST is used to access IP Intelligence for Security Policies.

Impact:
Reference names are inconsistent and confusing.

Workaround:
If an API client wishes to $expand the wanted resource in a way that works against all versions, the pre-expanded name can be used:

?$expand=ip-intelligence

Fix:
We corrected an inconsistent reference name.
'IpIntelligenceReference' is now 'ipIntelligenceReference'.


563232-2 : FQDN pool in resource prevents Access Policy Sync.

Component: Local Traffic Manager

Symptoms:
FQDN pool in resource causes Access Policy Sync to fail. You will see an error such as "PolicySyncMgr: Failed to create the policy /Common/ap_vdi" after making changes with the following error: "01070734:3: Configuration error: Cannot assign (/Common/myfqdnpool.example.com-10.10.10.10) as a pool member."

Conditions:
- Create a pool with FQDN node
- Add the pool to a resource such as remote-desktop
- Add the resource to an access policy
- Start a policy sync with the policy

Impact:
Policy cannot sync to other devices.

Fix:
Users can now sync an access policy that includes a resource with an FQDN pool.


563227-3 : When a pool member goes down, persistence entries may vary among tmms

Component: Local Traffic Manager

Symptoms:
When a pool member goes down, persistence entries may vary among tmms. The result will be that rather than persisting to a single pool member, the new connections may arrive on different pool members based on the number of tmms on the BIG-IP platform in use.

Conditions:
Using persistence with some connections persisted to a pool member that goes down, either administratively or due to a monitor. During this time, the client is issuing several new connections to the BIG-IP system.

Impact:
Inconsistent persistence entries.

Workaround:
None.

Fix:
The race conditions that involved dropping an offline pool member have been resolved.


563064-1 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory

Component: TMOS

Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when IPsec tunnel is removed.

Conditions:
Every time an IPsec tunnel is established and then removed, the allocated cipher memory is left in the system.

Impact:
TMM memory leaks slowly.

Fix:
Cipher memory is now freed when an IPsec tunnel is removed.


562959-2 : In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.

Component: TMOS

Symptoms:
In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.

Conditions:
This occurs when there is an issue processing a packet going through the IPsec tunnel.

Impact:
Tmm restart without core due to internal connection timeout.

Workaround:
None.

Fix:
IPsec now only sends packets intended for IPsec over the tunnel.


562928 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
Certain curl connections with the '--local-port' option sometimes fail over IPsec tunnels when the connection.vlankeyed db variable is disabled, with the error 'curl: (7) couldn't connect to host'.

Conditions:
Using the curl command with the '--local-port' option causes the connections to fail on the BIG-IP system.

Impact:
TCP connections do not complete the three way handshake and traffic does not pass.

Workaround:
Disabling the 'cmp' option on the virtual server allows the traffic to pass over IPsec tunnels.

Fix:
Using the curl command with the '--local-port' option no longer causes the connections to fail on the BIG-IP system.


562919-2 : TMM cores in renew lease timer handler

Component: Access Policy Manager

Symptoms:
TMM generates core.

Conditions:
All three of the following conditions have to be met for this to trigger:
1) Both IPv4 and IPv6 network access connections have to be enabled for the same network access resource.
2) The IPv4 address has to be statically assigned.
3) The IPv6 address has to be dynamically assigned from the lease pool.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Workaround 1) Use an IPv4-only network access connection.

Workaround 2) When using both IPv4 and IPv6 network access connections, assign both the IPv4 and IPv6 endpoint addresses from the IPv4 and IPv6 lease pools respectively.

Workaround 3) When using both IPv4 and IPv6 network access connections, assign both the IPv4 and IPv6 endpoint addresses statically.

Fix:
TMM no longer cores in the renew lease timer handler.


562775-2 : Memory leak in iprepd

Component: Application Security Manager

Symptoms:
The IP reputation daemon (iprepd) has a small leak of approximately 8 to 16 bytes every 5 minutes.

Conditions:
This occurs when the BIG-IP box is licensed with IPI Subscription, and iprepd is running.

Impact:
Memory usage increases slowly until the kernel out-of-memory killer terminates the iprepd process.

Workaround:
None.

Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).


562644-4 : TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection

Component: WebAccelerator

Symptoms:
In rare conditions, when a client sends pipelined HTTP requests and AAM is configured, AAM may incorrectly process a subsequent request, resulting in a TMM crash.

Conditions:
- AAM and ASM licensed and provisioned.
- HTTP compression profile configured on a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when AAM receives a pipelined HTTP request while shutting down the connection.


562566-2 : High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems

Component: Local Traffic Manager

Symptoms:
Prior to expiration, the age of persistence entries is reset back to 0, thus retaining the persistence entries forever.

Conditions:
Persistence is configured on a multi-blade system, a configured High Availability peer is present, and a flap occurs on the High Availability connection between active and standby systems.

Impact:
Retention of persistence entries leads to eventual low memory conditions, performance degradation, and traffic outage or restarting of some daemons.

Workaround:
Although no reasonable workaround exists, you can clear the persistence table to reclaim leaked memory.

Fix:
Persistence entries are no longer retained beyond their expiration.


562308-2 : FQDN pool members do not support manual-resume

Component: Local Traffic Manager

Symptoms:
FQDN pool members do not support manual-resume, but allow its configuration.

Conditions:
Attempting to use manual-resume for FQDN pool members.

Impact:
FQDN pool members do not honor manual-resume setting.

Workaround:
Do not configure manual-resume on FQDN pool members.

Fix:
FQDN pool members do not support manual-resume, and BIG-IP no longer allows its configuration.


562292-1 : Nesting periodic after with parking command could crash tmm

Component: Local Traffic Manager

Symptoms:
If an iRule contains a periodic after command, and within this there is another periodic after command whose contents park, it can lead to tmm crashes.

Conditions:
A periodic after command is used, and within this there is another periodic after command whose contents park.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not nest periodic after commands whose contents park.

Fix:
TMM no longer crashes with iRules that contain a periodic after command, which itself contains a periodic after command whose contents park. These iRules now complete as expected.


562122-5 : Adding a trunk might disable vCMP guest

Component: TMOS

Symptoms:
If a vCMP guest is running when a trunk is added, the guest might fail until vCMP is restarted.

Conditions:
-- vCMP guest running
-- Trunk added.

Impact:
Guest failure. vCMP restart required.

Workaround:
Restart vCMP.

Fix:
Adding a trunk no longer disables vCMP guests.


562044-2 : Statistics slow_merge option does not work

Component: TMOS

Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge' then the merging of statistics stops working. This causes statistics to no longer appear to be updated.

Conditions:
The DB variable 'merged.method' is set to 'slow_merge'.

Impact:
Statistics no longer appear to be updated.

Workaround:
1) Set "merged.method" to "fast_merge", which is the default.

-or-

2) Create the /var/tmstat/cluster directory using mkdir. Note that the directory must be created on every blade in a chassis. Additionally, this directory needs to be re-created after reboots, so a command such as "/bin/mkdir /var/tmstat/cluster" should be added to "/config/startup".

Fix:
Statistics are now updated as expected when the statistics DB variable option 'merged.method' is set to 'slow_merge'.


561976 : Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely.

Component: Access Policy Manager

Symptoms:
Under heavy authentication request load from tmm with a slow or down back-end authentication server, the apd accept connection queue can fill up, resulting in apd log entries such as: AD module: authentication with '1439805563539620' failed: Too many open files.

Conditions:
- The incoming authentication request rate to apd (from tmm) is very high.
- The back-end authentication server is slow or down.

Impact:
Authentication failures; might bring authentication rate down to zero.

Workaround:
Adjust the connhwm, connlwm and somaxconn values using the following commands.
- To set the somaxconn value to 1024, use the following command:
        sysctl -w net.core.somaxconn=1024

- Change the low-water mark first using the following command:
    tmsh modify sys db apm.apd.connlwm value 480

- Change the high-water mark next using the following command:
    tmsh modify sys db apm.apd.connhwm value 512

Fix:
Values of high-water and low-water mark for the 'apd' pending request queue now handle requests as expected.


561814-1 : TMM Core on Multi-Blade Chassis

Component: TMOS

Symptoms:
TMM core.

Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted, and where traffic is being cached by datastor.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The software defect has been found and fixed.


561623-3 : Realtime encryption causes high CPU usage in older browsers

Component: Fraud Protection Services

Symptoms:
When encrypting using realtime encryption, CPU usage in the browser rises very high.

Conditions:
- Client: Internet Explorer 8 or below.
- FPS: Configured to encrypt the password using realtime encryption.

Impact:
In extreme cases, browser may prompt user to stop the encryption script.

Workaround:
Disable realtime encryption in your anti-fraud policy.

Fix:
Improved performance of realtime encryption.


561539-2 : [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.

Component: Global Traffic Manager

Symptoms:
When upgrading from 10.x to 11.x, the Wide IP pool member ratio value is changed from 0 to 1.

Conditions:
1. Upgrade from v10.x to v11.x through 12.0.0.
2. A Wide IP pool member ratio is set to 0.

Impact:
Wide IP pool member ratio is changed to 1 (the default) from 0 after upgrading, potentially enabling selection of members that had been "disabled" with a ratio of 0.

Workaround:
Manually change ratio back to 0 after upgrade.


561500-1 : ICAP Parsing improvement

Component: Service Provider

Symptoms:
If a malformed ICAP message is sent to the BIG-IP system, the ICAP parser can enter a state where it consumes an increasing amount of CPU and memory.

Conditions:
- A request-adapt or response-adapt profile is configured.
- An ICAP message is received from an ICAP server lacking "ICAP/1.0" as the initial header line.

Impact:
Memory and CPU usage increase. Eventually TMM may crash, causing a BIG-IP failover.

Fix:
The ICAP parser now checks for a correct initial ICAP/1.0 header line and rejects the message if it is missing.


561433-3 : TMM Packets can be dropped indiscriminately while under DOS attack

Component: Advanced Firewall Manager

Symptoms:
When tmm is loaded and cannot consume packets fast enough, packets can be dropped while being DMAed from the hardware.

Conditions:
This can happen for any of a variety of reasons that cause tmm to be loaded.

Impact:
Packets will be dropped indiscriminately.

Workaround:
None.

Fix:
A sys db tunable (sys db dos.scrubtime) has been added that can be set to drop DoS attack packets in hardware more aggressively. This prevents other, non-attack packets from being dropped indiscriminately.


561348-4 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
The krb5.conf file is not in sync across all blades. This may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.

Conditions:
When an administrator manually changes the krb5.conf file, the configuration file is not synchronized to all blades, or is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.

Workaround:
None.

Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the Failover Device group. Any change made to this file on either the Active or the Standby device is automatically synced to the other device.

In a chassis, all Secondary blades mirror the file on the Primary blade. Any manual change made on a Secondary blade is lost. The admin has to make changes on the Primary blade only, and they are synchronized to all other blades.

Behavior Change:
When an admin modifies the /etc/krb5.conf file, the changes are automatically updated on the other devices in the same Failover Device group.

When an admin modifies the /etc/krb5.conf file on the primary blade of a chassis, the changes are automatically updated on all secondary blades.


560969-2 : OpenSSL vulnerability fix

Vulnerability Solution Article: K55540723


560962-2 : OpenSSL Vulnerability CVE-2015-3196

Vulnerability Solution Article: K55540723


560948-2 : OpenSSL vulnerability CVE-2015-3195

Vulnerability Solution Article: K12824341


560925-2 : OpenSSL Vulnerability fix

Vulnerability Solution Article: K86772626


560910-2 : OpenSSL Vulnerability fix

Vulnerability Solution Article: K86772626


560791 : FPS doesn't encrypt inputs of type "hidden"

Component: Fraud Protection Services

Symptoms:
FPS does not encrypt inputs of type "hidden".

Conditions:
HTML input element of type "hidden" needs encrypting.

Impact:
Unable to support some applications.

Workaround:
None

Fix:
FPS now encrypts all input types, including the 'hidden' type.


560685 : TMM may crash with 'tmsh show sys conn'.

Component: Local Traffic Manager

Symptoms:
Although unlikely, the 'tmsh show sys conn' command may cause the tmm process to crash when displaying connections.

Conditions:
Although the conditions under which this occurs are not well understood, this is a rarely occurring issue.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The only workaround is to not issue the command: tmsh show sys conn.

Fix:
Running the command 'tmsh show sys conn' no longer causes TMM to crash when displaying connections.


560683-3 : HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound()

Component: TMOS

Symptoms:
tmm crash after a number of failovers (approximately two to four).

Conditions:
This occurs in a high availability (HA) configuration with IPSEC traffic and multiple failovers. This is an intermittent issue.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The intermittent tmm crash no longer occurs in a high availability (HA) configuration with IPSEC traffic and multiple failovers.


560607-3 : Resource Limitation error when removing predefined policy which has multiple rules

Component: Policy Enforcement Manager

Symptoms:
Resource Limitation error when removing a predefined policy which has multiple rules referring to the same rating group.

Conditions:
- Gx and Gy are configured for the session
- All rules refer to the same rating group

Impact:
Unable to remove an existing policy

Workaround:
None.

Fix:
Policies can be removed and updated regardless of rules or rating group limitations.


560510-6 : Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down.

Component: TMOS

Symptoms:
When MCPD is not in the running state, dhclient directly writes domain-name-server information into /etc/resolv.conf. If multiple domain-name-servers are given by the DHCP server, they are written in an incorrect format, with the multiple domain-name-servers comma-separated on a single line. Each domain-name-server entry should be written on its own line with the "nameserver" prefix.

Conditions:
- MCPD is not in the running state.
- DHCP is enabled.
- The DHCP server has provided multiple domain-name-server entries in the lease.

Impact:
Domain name resolution doesn't work.

Workaround:
Bring up MCPD, which writes resolv.conf in the correct format. Alternatively, the user can manually modify /etc/resolv.conf to write the multiple nameserver entries one per line.

Fix:
DHCP now writes a single nameserver per line in /etc/resolv.conf when multiple nameservers are configured in DHCP.


560423-2 : VxLAN tunnel IP address modification is not supported

Component: TMOS

Symptoms:
VxLAN tunnel local and remote tunnel IP address change is not supported.

Conditions:
If a user tries to change the local and/or remote tunnel IP address, the configuration handler will fail the configuration change.

Impact:
The user must delete and recreate the VxLAN tunnel in order to change the tunnel local and/or remote address. Tunnel deletion also requires removing references to the tunnel, for example the tunnel self IP address and routes pointing to the tunnel, before the tunnel can be deleted. Those self IP addresses and routes must be re-added after recreating the tunnel with changed IP address parameters. This can be error-prone, especially if the number of tunnels is extremely large.

Workaround:
Delete existing VxLAN tunnel, and add a new tunnel with the modified tunnel IP address parameters.

Fix:
Modifying VxLAN tunnel IP addresses now works. Only tunnels that have been created with a multicast flooding type and have a multicast remote IP address are supported.


560220-1 : Missing partition and subPath fields for some objects in iControl REST

Component: TMOS

Symptoms:
When using iControl REST, the return output of some objects does not include the partition and subPath properties. Also the name property contains the full path instead of only the object name.

Conditions:
This occurs when running BIG-IP systems with 11.6.0 HF6 installed.

Impact:
This breaks custom scripts that rely on those properties.

Workaround:
Do not use custom scripts to gather the partition and subPath properties of objects on BIG-IP systems with 11.6.0 HF6 installed.


560180-2 : BIND Vulnerability CVE-2015-8000

Vulnerability Solution Article: K34250741


560069-1 : Default obfuscator configuration causes very slow JavaScript in some browsers

Component: Fraud Protection Services

Symptoms:
Slow JavaScript causes the page to render with a slight delay.

Conditions:
FPS enabled on a highly optimized web page.

Impact:
Mainly on older browsers, a slight rendering delay (~1 second) may be noticed.

Workaround:
Run the following commands on the BIG-IP system:
    echo "-x" > /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS
    chattr +i /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS

Fix:
Improved performance of obfuscated JavaScript.


559975-5 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth

Component: Global Traffic Manager

Symptoms:
HTTP basic authentication uses a base64 encoded string. When an HTTP monitor username or password is changed, the b64 string is regenerated and may become malformed.

Conditions:
When an HTTP monitor username or password is changed (for example, shortened), the HTTP basic auth string may be mangled.

Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.

Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.

Fix:
HTTP monitors will now correctly handle a username or password change.


559973-2 : Nitrox can hang on RSA verification

Component: Local Traffic Manager

Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip. The ltm log shows errors such as: crit tmm[11041]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck

Conditions:
RSA verification with certain signatures.

Impact:
Nitrox crypto accelerator can hang.

Fix:
The Nitrox crypto accelerator will no longer hang when performing RSA verification.


559939-2 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline

Component: TMOS

Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.

Conditions:
This affects only multi-blade chassis systems in Standalone mode.

Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.

Workaround:
To change the hostname on the VIPRION, use the tmsh command:
'modify sys global-settings hostname new-host-name'.

Fix:
Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.


559933-2 : tmm might leak memory on vCMP guest in SSL forward proxy

Component: Local Traffic Manager

Symptoms:
In an SSL forward proxy configuration on a vCMP guest, tmm might slowly leak memory when subjected to SSL Hello messages containing a server name extension (SNI) that is not configured on the virtual server.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configuration.
-- SSL hello with SNI extension.

Impact:
tmm might leak memory

Workaround:
None.

Fix:
tmm no longer leaks memory on the vCMP guest in SSL forward proxy configurations.


559584-2 : tmsh list/save configuration takes a long time when config contains nested objects.

Component: TMOS

Symptoms:
A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds.

Conditions:
Following is an example of nested objects in a config. If the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either of the following commands:
-- tmsh list ltm virtual
-- tmsh save config

ltm virtual vs {
    destination 10.10.10.10:http
    ip-protocol tcp
    mask 255.255.255.255
    profiles { ::: nested object
        http { }
        http_security { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 26
}

Impact:
When commands take longer than 30 seconds to complete, iControlREST times out.

Workaround:
None.

Fix:
A configuration containing a number of nested objects no longer takes a long time to list or save, so iControlREST no longer times out. Note: You might still encounter this issue in configurations that have greater than ~6000 nested objects, which is the largest number tested.


559541-2 : ICAP anti-virus tests are not initiated on XML with sensitive data when they should be

Component: Application Security Manager

Symptoms:
ICAP anti virus tests are not performed on XML with sensitive data.

Conditions:
An ICAP profile and an XML profile are configured on the policy, and ICAP is configured to inspect XML.
The XML profile has sensitive data configured.
The XML request contains sensitive data.
XML containing sensitive data is expected to initiate ICAP tests.

Impact:
Virus tests are not run on the request if the only reason to invoke ICAP was the presence of sensitive XML data.

Fix:
ICAP tests are performed on XML with sensitive data.


559382-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to the PCRF carry a subscriber ID type of 6 (UNKNOWN) for DHCP subscribers instead of NAI.

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.

Impact:
Might impact the way policies are provided from the PCRF.

Workaround:
None.

Fix:
Subscriber ID type is now marked as NAI for DHCP-discovered subscribers.


559218-2 : Iframes could be inaccessible to a parent window on a page accessed through Portal Access

Component: Access Policy Manager

Symptoms:
document.write from a window to an iframe can silently fail if the page is accessed by FQDN and Same Origin Policy restrictions were relaxed by assigning document.domain.
The code on the page executes without errors, but no content appears in the iframe.

Conditions:
This can occur with web applications that use heavy javascript including javascript across iFrames.

Impact:
Some content could be not displayed on a page accessed through Portal Access.

Workaround:
iRule workaround specific to a web application

Fix:
An iframe with an empty origin now inherits the origin value of its parent window when accessed via Portal Access, in the same manner as all browsers do.


559129-3 : Update Generic Malware Signatures to detect new Dyre variant

Component: Fraud Protection Services

Symptoms:
The generic malware signatures aren't detecting a new Dyre variant.

Conditions:
Dyre detection.

Impact:
Systems targeted by the new Dyre variant will not receive alerts from the FPS module when attacked.

Workaround:
None.

Fix:
Detect the new Dyre variant with an updated generic malware signature.


559082-1 : Tunnel details are not shown for MAC Edge client

Component: Access Policy Manager

Symptoms:
Tunnel details are not shown for MAC Edge client.
Tunnel details are located in Edge client :: View details :: Connection :: Tunnel details

Conditions:
MAC Edge client and established network access connection.

Impact:
Minor. Only diagnostic information is missing, otherwise tunnel works fine.

Workaround:
None.

Fix:
Tunnel details are now shown for MAC Edge client.


559060-3 : AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.

Component: Application Visibility and Reporting

Symptoms:
AVR presents incorrect data in the GUI statistics (for example, unexpected pool members, and so on, with hitcount 0).

Conditions:
Multiple BIG-IP systems are configured, one is acting as server for the other and both have 'collect client latency' enabled.

Impact:
Invalid data is presented in the statistics.

Workaround:
Turn off 'collect client latency' in the AVR profile on the BIG-IP system that is acting as the server.

Fix:
Correct data is now presented in the statistics of a configuration in which one BIG-IP system is acting as the server in a multiple BIG-IP device configuration.


559055-1 : Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"

Component: Application Security Manager

Symptoms:
Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".

Conditions:
Learn New Parameters is set to "Add All Entities".

Impact:
Staging on wildcard parameter "*" remains unchanged.

Workaround:
Disable staging on wildcard parameter "*" manually.

Fix:
Staging is now disabled correctly on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".


559034-1 : Mcpd core dump in the sync secondary during config sync

Component: TMOS

Symptoms:
mcpd will crash if certain files are missing from the file store during sync operations.

Conditions:
This can happen when files associated with file objects are removed from the file store. Users are not permitted to directly modify the contents of the file store.

Impact:
mcpd will crash

Workaround:
Users are not permitted to directly modify the contents of the file store. Use tmsh or the Configuration Utility to manage BIG-IP objects such as certificates.

Fix:
Mcpd will no longer crash during a config sync if a file store object is missing.


558946-4 : TMM may core when APM is provisioned and access profile is attached to the virtual

Component: Access Policy Manager

Symptoms:
TMM may core when APM is provisioned and access profile is attached to the virtual.

Conditions:
This crash is most likely to occur when more than one ABORT event is sent to a connection on a virtual server with an attached access profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
An APM virtual server that receives multiple ABORT events on a connection no longer causes TMM to crash and restart.


558870-3 : Protected workspace does not work correctly with third party products

Component: Access Policy Manager

Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on user's machines.
2) Microsoft OneDrive does not work correctly inside protected workspace.

Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.

Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.

Workaround:
There is no workaround.

Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.


558858-4 : Unexpected loss of communication between slots of a vCMP Guest

Component: TMOS

Symptoms:
1. Within the vCMP guest, the affected slot shows the other slot(s) to be offline. When logged into any other "offline" slot, the slot shows itself to be online.

2. Within the vCMP guest, on the affected slot, the log files (such as /var/log/ltm) have stopped recording log entries from the other slot(s).

3. Within the vCMP guest, on the affected slot, the eth1 interface shows TX increasing but RX not increasing. The eth1 interface on other slots shows both TX and RX increasing.

Conditions:
Only affects vCMP guests with 2 or more slots on VIPRION C2000-series chassis.

Impact:
The number of working slots in a vCMP guest is reduced to 1 slot. The effect on traffic may range from none to severe.

Workaround:
Within the vCMP guest, log in to the command line (vconsole or SSH) of the affected slot and run the following:

ifconfig eth1 down ; ifconfig eth1 up

Alternatively, from the hypervisor, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

Fix:
This release no longer exhibits loss of communication between slots of a vCMP guest.


558779-6 : SNMP dot3 stats occasionally unavailable

Component: TMOS

Symptoms:
SNMP would not provide values for some dot3 stats.

Conditions:
Always, on affected versions.

Impact:
SNMP would not provide values for some dot3 stats.
This has no impact on actual traffic.

Workaround:
None

Fix:
The dot3 stats are now available.


558642-1 : Cannot create the same navigation parameter in two different policies

Component: Application Security Manager

Symptoms:
Cannot create the same navigation parameter in two different policies. A validation issue blocks the user from adding a navigation parameter that is already defined in a different security policy.

Conditions:
This occurs after adding navigation parameter X to one policy, and then attempting to add the same parameter to another policy.

Impact:
Cannot add navigation parameter X to another policy after adding it to the first policy.

Workaround:
None.

Fix:
The system now supports adding the same navigation parameter to different security policies.


558631-2 : APM Network Access VPN feature may leak memory

Component: Access Policy Manager

Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.

Conditions:
-- APM Network Access feature is configured.
-- VPN connections are being established.

Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.

Workaround:
No workaround short of not using the APM Network Access feature.

Fix:
The APM Network Access VPN feature no longer leaks memory.


558612-4 : System may fail when syncookie mode is activated

Component: Local Traffic Manager

Symptoms:
TMM may core when syncookie mode has been activated when under extreme memory pressure.

Conditions:
L7 VIP with certain TCP profile attributes enabled.
Syncookies have been activated.
System under memory pressure due to heavy load.

Impact:
tmm may core.

Workaround:
Use the default TCP profile for all L7 VIPs.

Fix:
The BIG-IP will not encounter a system failure when syncookie mode has been activated.


558573-2 : MCPD restart on secondary blade after updating Pool via GUI

Component: TMOS

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.

When this occurs, errors similar to the following are logged from the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Impact:
Daemon restarts, disruption of traffic passing on secondary blades.

Workaround:
Perform pool updates via the tmsh command-line utility.

Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.


558534-3 : The TMM may crash if http url rewrite is used with APM

Component: Local Traffic Manager

Symptoms:
The HTTP URI rewrite feature depends on having a client-side connection from which to determine the client's IP address. However, APM may use the HTTP filter without a client-side connection. This can cause a TMM crash when the HTTP URI rewrite feature uses the missing IP address.

Conditions:
APM + HTTP URI rewrite feature. (This is different from the "rewrite" profile.)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the HTTP uri rewrite feature when using APM. An iRule may be used to safely implement its transformations.

Fix:
The TMM no longer crashes when the HTTP uri rewrite feature is used with APM.


558517-3 : Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.

Component: Local Traffic Manager

Symptoms:
Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.

After upgrading, bigip.conf still has the old #TMSH-VERSION header. This is intended behavior in 12.1.0 and not a bug; the configuration is still loaded into memory properly. The TMSH-VERSION string is updated the next time a save sys config command is issued.

Conditions:
This occurs only when upgrading BIG-IP software in the following situations:
-- From the 11.6.0 base version, or from 11.6.0 HF1 through 11.6.0 HF5 (or any engHF built on these versions), to 11.6.0 HF6 through 11.6.0 HF8.
-- From the 11.5.3 base version, or from 11.5.3 HF1 or 11.5.3 HF2 (or any engHF built on these versions), to 11.5.3 HF2 engHF2 or 11.5.3 HF2 engHF45.

Impact:
Monitor send/recv strings contain extra escape characters, for example \\r, \\n, etc. After the upgrade, monitors containing the escaped characters fail.

Workaround:
Remove the additional escaping from the send/recv strings, either manually or by script.

Fix:
The system no longer appends extra escape characters to monitor send/receive strings after upgrading.
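As an added illustration of the scripted workaround (not F5's code): the function below collapses the doubled escapes in monitor send/recv strings of a bigip.conf, assuming the extra layer doubled every backslash and that the values are double-quoted send/recv lines inside ltm monitor stanzas, as in the constructed sample. Strings whose backslash runs are odd (already single-escaped) are left untouched, so running it twice is safe.

```python
# Added example (not F5 code): undo the extra escaping that the upgrade leaves
# in monitor send/recv strings.  Assumes the extra layer doubled every
# backslash (\r became \\r) and that the values are double-quoted 'send' /
# 'recv' lines inside 'ltm monitor' stanzas, as in the constructed sample.
import re

SEND_RECV = re.compile(r'^(\s*)(send|recv)\s+"(.*)"\s*$')


def collapse_escapes(value):
    """Halve every backslash run.  A value with any odd-length run was not
    doubled (or is ambiguous), so it is returned unchanged."""
    if any(len(run) % 2 for run in re.findall(r"\\+", value)):
        return value
    return value.replace("\\\\", "\\")


def fix_monitor_strings(conf):
    """Return (fixed_conf, number_of_lines_changed) for a bigip.conf text."""
    out, changed, in_monitor = [], 0, False
    for line in conf.splitlines():
        if line.startswith("ltm monitor "):
            in_monitor = True
        elif in_monitor and line.startswith("}"):
            in_monitor = False
        m = SEND_RECV.match(line) if in_monitor else None
        if m and (fixed := collapse_escapes(m.group(3))) != m.group(3):
            changed += 1
            line = f'{m.group(1)}{m.group(2)} "{fixed}"'
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed sample: the first monitor carries doubled escapes, the second is
# already correct, and the virtual's description must be left alone.
SAMPLE_CONF = r"""ltm monitor http /Common/http_escaped {
    defaults-from /Common/http
    recv "HTTP/1\\.[01] 200"
    send "GET / HTTP/1.0\\r\\n\\r\\n"
}
ltm monitor http /Common/http_clean {
    send "GET / HTTP/1.0\r\n\r\n"
}
ltm virtual /Common/vs {
    description "send \\r is outside a monitor stanza"
}
"""
```

Run it against a copy of /config/bigip.conf and review the diff before loading; after verifying the monitors, save the configuration so the corrected strings persist.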


558255-2 : Filtering encryption alerts

Component: Fraud Protection Services

Symptoms:
There was no option in 11.6.0 or earlier to filter out encryption alerts.

Conditions:
Encryption is failing.

Impact:
There is always an alert sent, even if it comes from an unsupported browser.

Workaround:
None.

Fix:
A new DB variable 'AntiFraud.EncryptionAlerts' has been added that controls whether or not the FPS plugin filters encryption alerts.


558053-2 : Pool's 'active_member_cnt' attribute may not be updated as expected.

Component: Local Traffic Manager

Symptoms:
If a pool has no associated monitors, new pool members added to the pool do not increment the active_member_cnt even if traffic will be passed to it. In other cases, for FQDN pool members, the active_member_cnt does not update in user-down scenarios, or other state transitions.

Conditions:
1) Configure a pool without a monitor, and make use of an iRule that attempts to use the 'active_member_cnt' attribute.

2) Configure a pool with FQDN nodes and change the state to user-down, and check the active_member_cnt via an iRule or GUIshell.

Impact:
Although this does not impact load balancing and is not visible in the GUI or tmsh, it is exposed as a consumable attribute in iRules, which can impact your scripts.

Workaround:
Use member_count instead; it returns the total number of members but carries no status information.

Fix:
Pool's 'active_member_cnt' attribute is now updated as expected, even for pools that have no assigned monitors.


557783-2 : TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr

Component: Local Traffic Manager

Symptoms:
TMM might use a link-local IPv6 address when attempting to reach an external global address for traffic generated from TMM (for example, dns resolver, sideband connections, etc.).

Conditions:
- ECMP IPv6 routes to a remote destination where the next hop is a link local address. Typically this occurs with dynamic routing.
- Have configured a virtual server that generates traffic from TMM (for example, dns resolver, sideband connections, etc.).

Impact:
Traffic might fail as it egresses from a link-local address instead of a global address.

Workaround:
It might be possible to work around if the dynamic routing peer can announce the route from a global address instead of a link local.
Use of static routes might also work around the issue.

Fix:
TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.


557680-1 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing the IPsec tunnel interface MTU attribute repeatedly in quick succession causes TMM to core. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
The issue occurs when the IPsec tunnel interface attributes have their configuration modified quickly and repeatedly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).


557675-3 : Failover from PEM to PCRF can cause session lookup inconsistency

Component: Policy Enforcement Manager

Symptoms:
A small number of PEM sessions can be looked up only by their session-ip, but not by their subscriber-id.

Conditions:
Using PEM, failover to PCRF.

Impact:
Fails to find sessions needed for traffic processing.

Workaround:
None.

Fix:
The code change provides an internal fixup for incorrect sessions.


557645-5 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Component: Local Traffic Manager

Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.

Multiple devices in an HA configuration.

TMM incorrectly identifies which TMM should handle host connections from an HA peer.

The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.

Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.


557358-1 : TMM SIGSEGV and crash when memory allocation fails.

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV and crash when memory allocation fails.

Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.

Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.

Workaround:
None known at this time.

Fix:
TMM no longer crashes with SIGSEGV when memory allocation fails because a command attempts to remove a connection from the SSL queue a second time.


557281-2 : The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%

Component: TMOS

Symptoms:
audit_forwarder and mcpd consume almost 100% CPU. When syslog-ng restarts it will start another audit_forwarder process, but it is the orphaned audit_forwarder process that will consume almost 100% CPU. When syslog-ng is restarted and audit_forwarder does not exit cleanly, the mcpd process will also begin consuming high CPU.

Conditions:
syslog-ng is stopped manually, or sometimes (rarely) during a normal restart of syslog-ng.

Impact:
The audit_forwarder and mcpd processes consume excessive CPU.

Workaround:
Stop audit_forwarder manually (kill -9); once the orphaned audit_forwarder process is stopped, mcpd returns to normal CPU consumption.

Fix:
When syslog-ng is stopped manually (or as expected), audit_forwarder also exits, so the audit_forwarder process no longer consumes increasing CPU.


557221-7 : Inbound ISP link load balancing will use pool members for only one ISP link per data center

Component: Global Traffic Manager

Symptoms:
In BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0, the inbound ISP link load balancing functionality uses pool members for more than one ISP link per data center.

Conditions:
Using the inbound ISP link load balancing functionality in BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0.

Impact:
If a pool has multiple members that use different ISP links within a data center, the system uses only pool members associated with the ISP link of the first available pool member. The system marks pool members associated with subsequent ISP links as unavailable (grey).

Fix:
The inbound ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.

Behavior Change:
Beginning in BIG-IP Link Controller and GTM 11.5.4, 11.6.1, and BIG-IP DNS 12.1.0, the ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.

The link that is associated with the first configured and available pool member within each data center will determine the link that will be used for the data center. The system will use only pool members associated with that link.


557144-3 : Dynamic route flapping may lead to tmm crash

Component: TMOS

Symptoms:
When dynamic routing is in use and routes are being actively added and removed, tmm may crash.

Conditions:
Virtual Server configured with Dynamic Routing

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Flapping dynamic routes no longer trigger a tmm crash.


557062-2 : The BIG-IP ASM configuration fails to load after an upgrade.

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version - (11.3 or 11.4) and upgrading to a version prior to 12.1.0.

Conditions:
Define a scheduled report with predefined-report-name '/Common/Top alerted URLs' on version 11.3 or 11.4, then upgrade the version.

Impact:
Version upgrade fails (the BIG-IP system becomes unusable).

Workaround:
Manually change predefined-report-name '/Common/Top alerted URLs' to predefined-report-name '/Common/Top alarmed URLs'.

Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.


557059-2 : When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang

Component: TMOS

Symptoms:
A POST request to a virtual server times out and does not immediately return a response. After the timeout, an HTTP 400 response status is returned.

Conditions:
This issue is encountered when sending a POST request to a virtual server that is configured with an Anti-Fraud Profile and a Web Acceleration profile.

Impact:
The request times out and an HTTP 400 response status is returned. The application breaks.

Fix:
POST requests no longer time out when sent to a virtual server that has an Anti-Fraud Profile and a Web Acceleration profile.


556597-5 : CertHelper may crash when performing Machine Cert Inspection

Component: Access Policy Manager

Symptoms:
CertHelper may crash while checking a machine certificate.

Conditions:
APM installed

Impact:
Authentication may fail.

Fix:
Fixed crash cause in CertHelper.


556568-2 : TMM can crash with ssl persistence and fragmented ssl records

Component: Local Traffic Manager

Symptoms:
Unusual fragmented ssl records may be handled incorrectly resulting in tmm crash.

Conditions:
SSL persistence and fragmented SSL records.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Switching to a different persistence type may avoid the issue.

Fix:
The error in parsing fragmented ssl records has been resolved.


556560-2 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.

Component: Local Traffic Manager

Symptoms:
DNS messages which contain an OPT record followed by more than one record in the additional section will become malformed when they pass through a virtual with an assigned DNS profile.

Conditions:
A DNS message contains an OPT record in the Additional section, the message is compressed, and more than one record follows the OPT record.

Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message.

The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last.

The RFCs do not restrict a query from containing records in the additional record section of the message.

When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.

Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).

Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted.

The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers.

The subsequent code paths which depend on the OPT record's position now work as expected.
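The transformation described in the fix, as an added example that is not F5's code: it parses the wire-format message, moves the OPT record to the last slot of the additional section (second-to-last when a TSIG record is present) and rewrites the compression pointers of the records that slide forward, which is exactly the case that mangled the message. Assumptions: compression pointers appear only in owner names (rdata of A/AAAA glue is opaque), the OPT owner name is the root label as RFC 6891 requires, and any TSIG record is already last; the sample response is constructed.

```python
# Added example (not F5 code): move the OPT record to the end of the additional
# section, rewriting compression pointers that target the records it leapfrogs.
# Assumes pointers occur only in owner names (rdata such as A/AAAA is opaque),
# the OPT owner is the root label and any TSIG record is already last.
import struct
OPT_TYPE, TSIG_TYPE = 41, 250


def _skip_name(msg, off):
    """Offset just past the (possibly compressed) name at off."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:           # a pointer terminates the name
            return off + 2
        off += 1 + ln


def _read_name(msg, off):
    """Decompress the name at off into dotted text ('' for the root)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels)
        if ln & 0xC0 == 0xC0:
            target = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if target >= off:           # RFC 1035: pointers go backwards only
                raise ValueError("forward compression pointer")
            off = target
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def _rr_span(msg, off):
    fixed = _skip_name(msg, off)        # TYPE, CLASS, TTL, RDLENGTH follow
    rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, fixed)
    return rtype, fixed + 10 + rdlen


def _additional_spans(msg):
    """[(start, end, type), ...] for every additional-section record."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    for _ in range(an + ns):
        _, off = _rr_span(msg, off)
    spans = []
    for _ in range(ar):
        rtype, end = _rr_span(msg, off)
        spans.append((off, end, rtype))
        off = end
    return spans


def additional_section(msg):
    """[(owner_name, type), ...] in wire order, for inspection and tests."""
    return [(_read_name(msg, s), t) for s, _, t in _additional_spans(msg)]


def _shift_owner_pointer(rr, lo, hi, delta):
    """rr with its owner-name pointer moved by delta if it targets [lo, hi)."""
    out, off = bytearray(rr), 0
    while True:
        ln = out[off]
        if ln == 0:
            return bytes(out)
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", out, off)[0] & 0x3FFF
            if lo <= ptr < hi:
                struct.pack_into("!H", out, off, 0xC000 | (ptr + delta))
            return bytes(out)
        off += 1 + ln


def normalize_opt_position(msg):
    """Return msg with OPT moved to the last (or pre-TSIG) additional slot."""
    spans = _additional_spans(msg)
    last = len(spans) - (2 if spans and spans[-1][2] == TSIG_TYPE else 1)
    i = next((k for k, (_, _, t) in enumerate(spans) if t == OPT_TYPE), None)
    if i is None or i >= last:
        return msg                      # no OPT, or already in place
    opt_s, opt_e, _ = spans[i]
    mov_lo, mov_hi = spans[i + 1][0], spans[last][1]
    out = bytearray(msg[:opt_s])
    # Records that followed OPT slide back by len(OPT); pointers into that
    # region (from those records or a trailing TSIG) must slide with them.
    for s, e, _ in spans[i + 1:]:
        out += _shift_owner_pointer(msg[s:e], mov_lo, mov_hi, opt_s - opt_e)
        if e == mov_hi:
            out += msg[opt_s:opt_e]     # OPT lands right after the movers
    return bytes(out)


def make_rr(owner, rtype, rdata, rclass=1, ttl=60):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_sample_response():
    """Constructed response: OPT precedes two glue records, and the AAAA owner
    name is a pointer (0xC038) to the A owner name that also follows OPT."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 3)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # offset 12
    answer = make_rr(b"\xc0\x0c", 1, bytes([10, 0, 0, 1]))            # offset 29
    opt = make_rr(b"\x00", OPT_TYPE, b"", rclass=4096, ttl=0)         # offset 45
    glue_a = make_rr(b"\x04host\xc0\x0c", 1, bytes([10, 0, 0, 2]))     # offset 56
    glue_aaaa = make_rr(b"\xc0\x38", 28, b"\x00" * 15 + b"\x01")      # offset 77
    return hdr + question + answer + opt + glue_a + glue_aaaa
```

After normalization the message length and header counts are unchanged; only the additional section is reordered and the AAAA owner pointer now targets the A record at its new offset.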


556383-1 : Multiple NSS Vulnerabilities

Vulnerability Solution Article: K31372672


556380-2 : mcpd can assert on active connection deletion

Component: TMOS

Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.

Conditions:
Removal of all peers while a connection is handling a transaction.

Impact:
MCPD asserts and restarts.

Workaround:
No workaround is necessary. MCPD restarts.

Fix:
Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.


556284-5 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found

Component: TMOS

Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following:
Monitor /Common/my_http_monitor parent not found

Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.

Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.

Workaround:
None.

Fix:
GTM/LC sync now completes successfully even when the configuration being synced contains a custom GTM/LC monitor definition.


556277-6 : Config Sync error after hotfix installation (chroot failed rsync error)

Component: TMOS

Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.

Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.

To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp

If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.

Impact:
Sync of file objects might fail with an error similar to the following:

01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..

Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.

Fix:
Installing a hotfix over an existing base install now rebuilds the SELinux policy as expected.


556162-3 : Default obfuscator configuration causes very slow javascript in some browsers

Component: Fraud Protection Services

Symptoms:
Slow javascript causes page to render with a slight delay.

Conditions:
Client on Explorer 8 on a slow machine or VM.

Impact:
Mainly on older browsers, a slight rendering delay (~1 second) may be noticed.

Workaround:
Run the following commands on the BIG-IP system:
    echo "-x" > /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS
    chattr +i /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS

Fix:
Improved performance of obfuscated javascript.


556117-2 : client-ssl profile is case-sensitive when checking server_name extension

Component: Local Traffic Manager

Symptoms:
The client-ssl profile is case-sensitive when matching the server-name configured in client-ssl profiles against the server_name extension in the ClientHello message.

Conditions:
When using mixed upper-lower case server-name in the client-ssl profile configuration and ClientHello messages.

Impact:
The system treats mixed upper- and lower-case server-names as different names, which violates RFC 6066: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."

Workaround:
1. Configure only one client-ssl profile with the same server-name.

2. Use only a lower-case server-name when configuring the client-ssl profile.

3. Use a lower-case server-name on the client side.

Fix:
The system now treats server-names that differ only in case as the same name, so server-name matching is no longer case-sensitive.
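To make the RFC 6066 point concrete, here is an added example (not code from the release notes or from BIG-IP) that parses the server_name extension out of a constructed ClientHello and then selects a client-ssl profile two ways: with the exact comparison the entry describes as the defect, and with the case-insensitive comparison the fix implements. The ClientHello bytes, the profile table and the function names are all constructed for this illustration.

```python
import struct
from typing import Dict, Optional

# Constructed sample table: configured server-name -> client-ssl profile name (hypothetical).
PROFILES = {"www.example.com": "clientssl_example"}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello handshake message (type 1) carrying one
    server_name extension (RFC 6066 extension type 0). Constructed test input only."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", 0, len(sni_list)) + sni_list         # type 0 = server_name
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + bytes(32)                                    # random (constructed, all zero)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
        + b"\x01\x00"                                  # compression_methods: null only
        + struct.pack("!H", len(extension)) + extension
    )
    return b"\x01" + len(body).to_bytes(3, "big") + body


def extract_sni(handshake: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a ClientHello, or None
    when the message is not a well-formed ClientHello carrying that extension."""
    try:
        if handshake[0] != 1:                          # HandshakeType client_hello
            return None
        length = int.from_bytes(handshake[1:4], "big")
        body = handshake[4:4 + length]
        if len(body) != length:
            return None
        pos = 2 + 32                                   # skip client_version and random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != 0:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def select_profile_case_sensitive(profiles: Dict[str, str], sni: str) -> Optional[str]:
    """The defective behaviour described above: exact comparison of the server-name."""
    return profiles.get(sni)


def select_profile(profiles: Dict[str, str], sni: str) -> Optional[str]:
    """The fixed behaviour: DNS hostnames are case-insensitive (RFC 6066), so fold case."""
    wanted = sni.lower()
    for server_name, profile in profiles.items():
        if server_name.lower() == wanted:
            return profile
    return None


if __name__ == "__main__":
    hello = build_client_hello("WWW.Example.COM")
    sni = extract_sni(hello)
    print("SNI:", sni)
    print("case-sensitive match:", select_profile_case_sensitive(PROFILES, sni))
    print("case-insensitive match:", select_profile(PROFILES, sni))
```

Run stand-alone, the script shows the mixed-case SNI missing the configured profile under the exact comparison and matching it under the case-folded one; the parser returns None rather than raising on truncated or extension-less messages, which is the behaviour you want at a TLS termination point that must not fall over on malformed input.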


556103-3 : Abnormally high CPU utilization for external monitors

Component: Local Traffic Manager

Symptoms:
High CPU utilization for external monitors that use SSL.

Conditions:
External monitor using SSL.

Impact:
Abnormally high CPU utilization.

Workaround:
None.

Fix:
This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.


555905-3 : sod health logging inconsistent when device removed from failover group or device trust

Component: TMOS

Symptoms:
When a device is in a failover group, sod logs the state change messages indicating the reachability of other devices in the group. For example:

Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).
Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).
Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).

If a reachable device is removed from the failover group, no "Disconnected" message is issued, so the last reported status will be inaccurate.

When a device is part of a trust, sod logs messages indicating what unicast addresses it is monitoring on remote devices:

Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.

If devices are removed from the trust, sod does not log a message that those unicast addresses are no longer in use.

Conditions:
When a device is removed from a failover device group, or removed from a device trust.

Impact:
Inaccurate state reporting.

Fix:
When a device is removed from a failover device group, it is now reported as "Disconnected".

When a device is removed from the device trust, sod on the other devices correctly reports that the unicast addresses belonging to the other devices have been deleted.


555827-2 : No fallback for alerts.

Component: Fraud Protection Services

Symptoms:
No fallback for alerts.

Conditions:
Alerts blocked by proxy.

Impact:
Alerts do not reach alert server.

Workaround:
When alert sending fails, other methods of contacting the alert server should be tried. In some scenarios, these fallbacks are not attempted.

Fix:
The system now uses fallback methods when the primary alert fails.


555818-3 : Bait failure alerts do not give details of the cause of failure

Component: Fraud Protection Services

Symptoms:
Bait failure alert details are always the same.

Conditions:
The honeypot mechanism failed due to an HTTP error, a client-side error, a timeout, etc.

Impact:
Difficult to find the cause of failures due to the poor granularity of the error alert.

Workaround:
None

Fix:
The following details were added to the Bait Failure alert:

bf_malformed : Malformed bait response
bf_jserror : Bait checks errored
bf_timeout : Bait request timed out
bf_<status_code> : Bait response was not 200 OK, e.g., bf_404
bf_unknown : Other failure


555686-5 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers

Component: TMOS

Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceivers might cause an internal bus to hang.

Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.

Workaround:
None.

Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.


555507-2 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.

Component: Access Policy Manager

Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.

Conditions:
This occurs when the following conditions are met:

1. The BIG-IP system is configured and used as a SAML Identity Provider.
2. The Single Logout (SLO) protocol is configured on an attached SP connector.
3. At least one user has executed a SAML WebSSO profile.

Impact:
Symptoms might differ based on the owner of overrun memory.
Potentially, tmm could restart as a result of this issue.

Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.

Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues:

The BIG-IP system is configured and used as a SAML Identity Provider.
The Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector.
At least one user has executed a SAML WebSSO profile.


555457-5 : Reboot is required, but not prompted after F5 Networks components have been uninstalled

Component: Access Policy Manager

Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted.

Typically this issue can be identified by these log records:
<snip>
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
<snip>
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)

Conditions:
Windows desktop.
Existing F5 components uninstalled.
Reboot was not performed after uninstall.

Impact:
End users cannot establish a VPN connection from Windows-based clients.

Workaround:
Reboot the affected Windows desktop.

Fix:
After F5 Networks components have been uninstalled, the system no longer requires a reboot, and uses the latest installed software-device for VPN, as expected.


555435-2 : AD Query fails if cross-domain option is enabled and administrator's credentials are not specified

Component: Access Policy Manager

Symptoms:
AD Query fails in a cross-domain environment when the AAA AD Server has no administrator credentials configured and the user's logon name differs from the pre-Windows 2000 name.

Conditions:
- AD Query is configured in an Access Policy.
- The administrator's credentials are not specified on the AAA AD Server configuration page (for the server in use by AD Query).
- The domain logon name differs from the pre-Windows 2000 name.

Impact:
AD Query fails.

Workaround:
The administrator should provide AD administrator credentials on the AAA AD Server configuration page.

Fix:
AD Query now completes as expected if cross-domain option is enabled and administrator's credentials are not specified.


555432-1 : Large configuration files may go missing on secondary blades

Component: Local Traffic Manager

Symptoms:
bigip.conf or other configuration files may go missing on secondary blades once the configuration exceeds a certain size (approximately 8 MB).

Conditions:
This is only relevant on chassis.

Impact:
If the primary changes, then the configuration is at risk of being lost.

Workaround:
Touch the relevant configuration file (usually bigip.conf) and the configuration file will reappear.

Fix:
bigip.conf or other configuration files would go missing on secondary blades once the configuration exceeded a certain size (approximately 8 MB). This has been fixed.


555369-3 : CGNAT memory leak when non-TCP/UDP traffic directed at public addresses

Component: Carrier-Grade NAT

Symptoms:
When rejecting non-TCP/UDP inbound traffic a small amount of memory is leaked with each packet. Depending on the volume of such traffic this may be a slow or fast leak.

Conditions:
CGNAT is configured with inbound connections enabled or hairpinning enabled.
Non-TCP/UDP traffic arrives with a destination in the LSN pool address space.

Impact:
TMM might eventually run out of available memory. The aggressive mode sweeper might be triggered, causing connections to be killed. Eventually TMM restarts.

Workaround:
None.

Fix:
This release fixes a memory leak that occurred when rejecting non-TCP/UDP inbound traffic.


555272-8 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade

Component: Access Policy Manager

Symptoms:
Previously, F5 client components were signed using a SHA-1 certificate. SHA-1 is now considered insecure, and Windows will reject components signed using a SHA-1 certificate after March 31st 2016.

To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.

The result of this change is that clients utilizing client components built prior to these versions:

BIG-IP 12.0.0 HF1 or earlier
BIG-IP 11.6.0 HF8 or earlier
BIG-IP 11.5.4 (base release) or earlier

cannot install Endpoint Security updates of build 431 or greater.

If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431 you must upgrade to these versions:

BIG-IP 12.1.0 or later
BIG-IP 12.0.0 HF2 or later
BIG-IP 11.6.1 or later
BIG-IP 11.5.4 HF1 or later

Conditions:
Running an incompatible BIG-IP version with EPSEC build 431 or later.

Impact:
Users will see certificate warnings, and installation of client component updates may fail. The failure may occur multiple times.

Workaround:
Upgrade BIG-IP to the correct version.

Use the BIG-IP Web GUI's Software Management :: Antivirus Check Check Updates section to install an EPSEC build prior to 431.

Fix:
The signing certificate has been updated to a SHA-256 certificate. Client components and EPSEC binaries are now signed using the new, higher-security certificate. Note that upgrading to a hotfix in which the client is signed using the updated certificate is required before updated EPSEC releases can be installed. Please review the information carefully.


555057-3 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.

Component: Application Security Manager

Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.

Conditions:
ASM REST is used to remove a signature set association from a policy.

 DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>

Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.

Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets.

Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'

Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.


555039-2 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Component: TMOS

Symptoms:
There are high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop.

Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.

Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.


555006-3 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature

Component: Application Security Manager

Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.

Conditions:
A REST client is used to look at or filter the signatures collection (/mgmt/tm/asm/signatures).

Impact:
Checking for updated signatures does not return the expected result.

Workaround:
None.

Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.


554993-2 : Profile Stats Not Updated After Standby Upgrade Followed By Failover

Component: Access Policy Manager

Symptoms:
1. The current active sessions, current pending sessions, and current established sessions counts shown in commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover.
2. The system posts an error message to /var/log/apm:
01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND).

Conditions:
This issue happens when the following conditions are met:
1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
2. A standby unit is upgraded to version 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
3. Failover is triggered.

Impact:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats remain zero after failover.

Workaround:
Upgrade all devices in the HA configuration to the same release and reboot them simultaneously.

Fix:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.


554967-3 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets

Component: Local Traffic Manager

Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut or missing, leading some resolvers to consider the packet malformed.

Conditions:
This occurs primarily with dynamic additions such as iRules on DNS_RESPONSE events adding new records, or with DNSSEC record signing of responses sent over UDP.

Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.

Workaround:
None.

Fix:
Truncated DNSSEC or iRule DNS packets are now RFC-compliant.


554928-1 : tmm eventually crashes when classification profile is configured on the virtual

Component: Traffic Classification Engine

Symptoms:
TMM crashes.

Conditions:
A classification profile is configured on the virtual server, and
many SSL/FTP/RTP/SIP flows are processed by the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the classification profile from the virtual server.

Fix:
Fixed after 11.6 HF6.


554899-2 : MCPD core with access policy macro during config sync in HA configuration

Component: Access Policy Manager

Symptoms:
In high availability config sync, the destination mcpd might crash if the user does the following steps:
1. Manually edit the bigip.conf file at the source to move an access policy item (my-ap-1_mac_mymac1) that calls a macro from the original access policy (my-ap-1) to another access policy (my-ap-2);
2. Load the modified config into the running config;
3. Delete the original access policy (my-ap-1) before manually starting the config sync.

The modified source configuration is sent to the destination during the manual incremental config sync, resulting in destination mcpd logging an error message:

err mcpd[5441]: 01020036:3: The requested access_policy_name (/Common/my-ap-1) was not found.

Immediately following the error message, the destination mcpd will crash and generate a core file.

Conditions:
Config sync is manual incremental, and the user manually edits /config/bigip.conf to modify the source configuration such that an access policy item with a macro call is moved from the original access policy to another access policy, and then the original access policy is deleted, all before the manual config sync is started.

Impact:
During config sync, the destination BIG-IP system's mcpd crashes and restarts.

Workaround:
After moving the access policy item with a macro call from the original access policy to another access policy and loading the change into the running configuration at the source, do not delete the original access policy. Instead, start the config sync right away.

After this first config sync is successful, delete the original access policy at the source, and then start the second config sync to finish the operation.

Fix:
MCPD no longer cores with access policy macro during config sync in high availability configuration.


554774-2 : Persist lookup across services might fail to return a matching record when multiple records exist.

Component: Local Traffic Manager

Symptoms:
Persist lookup across services might fail to return a matching record when multiple records exist.

Conditions:
Persistence profile with 'match-across-services' enabled, and the configuration contains multiple records that correspond to the same pool.

Impact:
Connection routed to unexpected pool member.

Workaround:
None.

Fix:
The operation now continues searching persistence records when 'match-across-services' is enabled until the operation finds a record that corresponds to the same pool.


554769-4 : CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.

Component: Local Traffic Manager

Symptoms:
TMM might crash if CONNFLOW_FLAG_L7_POLICY is not set in the connection flow flags, but the system still tries to call Centralized Policy Matching (CPM).

Conditions:
This occurs when TCLRULE_HTTP_RESPONSE is triggered from the server-side, if the server-side does not process the policy, and the connection flow flags do not have CONNFLOW_FLAG_L7_POLICY set.

Impact:
TMM (CPM module) might crash.

Workaround:
None.

Fix:
The system now adds the flag check of CONNFLOW_FLAG_L7_POLICY if it is not already set, so there is no crash in TMM or Centralized Policy Matching (CPM).


554761-5 : Unexpected handling of TCP timestamps under syncookie protection.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system experiences intermittent packet drops.

Despite the option being negotiated during the TCP handshake, the BIG-IP system fails to present the timestamp option in subsequent segments.

The BIG-IP system calculates an invalid round-trip time immediately after the handshake, which might result in delayed retransmissions.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.

- The syncookie mode has been activated.

- Clients that support timestamps.

Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.

Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Workaround:
Choose or create a TCP profile that has timestamps disabled.

Fix:
TCP Timestamps are now maintained on all negotiated flows.


554690-3 : VPN Server Module generates repeated Error Log "iface eth0 "... every 2 secs

Component: Access Policy Manager

Symptoms:
Chatty log messages are seen in the svpn.log file.

Conditions:
Establish a tunnel server and check the svpn.log file (VPN server module) to see the verbose logs.

Impact:
Verbose logging has a general CPU and disk-write impact.

Fix:
The VPN Server Module no longer generates the repeated error log "iface eth0 (4)" every 2 seconds.


554626-1 : Database logging truncates log values greater than 1024

Component: Access Policy Manager

Symptoms:
The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null.

Conditions:
Logging to the local database with log values (such as session variables) greater than 1024. If the size is too high (greater than 4060), the field displays as empty or null in reports.

Impact:
The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable.

Workaround:
No workaround.

Fix:
This release handles large single log values.


554624-2 : NTP CVE-2015-5300 CVE-2015-7704

Vulnerability Solution Article: K10600056 K17566


554609-4 : Kernel panics during boot when RAM spans multiple NUMA nodes.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) crashes in the kernel during early boot.

Conditions:
This occurs when the following conditions are met:
* VE is running on Hyper-V.
* VE RAM is configured in such a way that it spans multiple NUMA nodes.

Impact:
Kernel panic during boot.

Workaround:
No workaround.

Fix:
The kernel now properly aligns memory on multiple NUMA nodes, so there is no kernel panic during boot.


554563-3 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.

Component: TMOS

Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.

Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.

Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.

Workaround:
None.

Fix:
The Drops In interface statistics no longer include Class of Service Queue (cosq) egress drop counts, which is the correct behavior.


554546-2 : Only first entry in 'Mandatory Words' list is effective

Component: Fraud Protection Services

Symptoms:
Despite adding two or more 'Mandatory Words' items, alerts are only sent on the first item.

Conditions:
Multiple 'Mandatory Words' items are configured. One of the items (not the top item) is injected into the page.

Impact:
No 'Mandatory Words' alert sent (False negative).

Workaround:
None.

Fix:
The entire 'Mandatory Words' list is now checked.


554540 : RAT detection failure

Component: Fraud Protection Services

Symptoms:
When flash cookies are disabled, RAT detection fails.

Conditions:
Flash cookies disabled.

Impact:
RAT attacks are not reported to the alert server.

Workaround:
Enable Flash cookies.

Fix:
RAT detection now works with regular cookies.


554537-2 : Failed alerts on Internet Explorer

Component: Fraud Protection Services

Symptoms:
Sending page data in alerts can cause alerts to fail.

Conditions:
This occurs under the following conditions:
-- 'attach HTML to alerts' enabled.
-- Alert is sent from a large HTML page.

Impact:
Missed alerts.

Workaround:
Disable 'attach HTML to alerts'.

Fix:
If page data overwhelms alert sending, only partial page data is sent, so the alert now completes as expected.


554458 : No Session Variables displayed when click on "View Session Variables" link in APM "All Sessions" reports with reduced zeros in Session ID

Component: Access Policy Manager

Symptoms:
No Session Variables are displayed when clicking the "View Session Variables" link in APM "All Sessions" reports.

Conditions:
When the Session ID has one or more leading zeros.

Impact:
The APM Session Variables report is empty.

Workaround:
Run "Session Variables" report. When enter session ID, prepend 0s if the session ID has less 8 chars. The total length of session ID is 8 chars.

Fix:
The Session Variables report now displays correctly.


554367-1 : BIG-IQ ASM remote logger: Requests are not logged.

Component: Application Security Manager

Symptoms:
BIG-IQ ASM does not log requests for the first remote logger configured on the system.

Conditions:
No remote logger has been previously configured for ASM.

Impact:
No requests are sent to the remote logger that was just configured.

Workaround:
This issue resolves itself after a few seconds when the remote destination is responsive.

Fix:
An issue with requests not being logged after configuring a new remote logger for BIG-IQ ASM has been fixed.


554340-4 : IPsec tunnels fail when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
When the connection.vlankeyed db variable is disabled, data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels is dropped if it lands on a TMM other than tmm0. The system establishes the IKEv2 tunnel, but the data traffic is not secured.

Conditions:
This issue is seen when the interesting data traffic lands on a TMM other than tmm0. The cause is that a flow is incorrectly created on another TMM that is the owner of the outbound SA (IKEv2 tunnel).

Impact:
The system drops the data traffic to be secured using IPsec and connections fail.

Workaround:
Disable CMP in the virtual server configuration.

Fix:
Flow creation at the TMM that owns the outbound SA for the IKEv2 tunnel is properly handled. TMM can handle the inner traffic from IKEv1 tunnel and secure it over another IKEv2 tunnel.


554324-1 : Signatures cannot be updated after Signature Systems have become corrupted in database

Component: Application Security Manager

Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database.

Conditions:
Signature systems are corrupted in configuration database. This can occur after upgrading to v11.6.0, v11.6.1, or v12.0.0.

Impact:
Signatures cannot be updated.

Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"

Fix:
Signature System data corruption is corrected upon upgrade, and signatures can subsequently be updated.


554295-3 : CMP disabled flows are not properly mirrored

Component: Local Traffic Manager

Symptoms:
A client connection to a virtual server configured for 'cmp-enabled no' and 'mirror enabled' will be dropped if the standby unit is promoted to active.

Conditions:
The virtual server is configured for 'cmp-enabled no' and 'mirror enabled' on multiple BIG-IP appliances peered in a high availability configuration.

Impact:
Mirroring does not work as expected on BIG-IP appliances.

Note: CMP is required on VIPRION chassis, so this expectation applies only to appliances.

Workaround:
Do not disable CMP on virtual servers that are mirrored.

Fix:
The system now supports mirroring connections between BIG-IP appliances in a high availability configuration on CMP-disabled virtual servers.

Note: If CMP is disabled, hardware syn cookie must also be disabled for virtual servers to mirror connections. This is expected behavior.


554228-5 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.

Conditions:
WEBSSO and OneConnect are both configured.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to a build-up of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.


554041-5 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.

Conditions:
All of the following conditions must apply.
1) Edge Client is installed in "Always Connected" mode.
2) The Connectivity profile on server has location DNS list entries.
3) One of the DNS locations matches the DNS suffix set on the local network adapter.

Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN.
All traffic to and from the user's machine is blocked.

Workaround:
This issue has no workaround at this time.

Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.


553976-1 : AJAX File uploads don't work in IE (import policy doesn't work)

Component: Application Security Manager

Symptoms:
You cannot import policies (either XML or binary) through the web UI, but tmsh import works. When using the GUI, you select the file and it gets stuck on "verifying".

The issue occurs only when uploading using Internet Explorer.

Conditions:
Attempting to upload a policy using Internet Explorer.

Impact:
You cannot import any policy from the GUI.

Workaround:
Other browsers such as Firefox or Chrome work.

Fix:
You can now import policies (XML and binary) using the Configuration utility in addition to the command line.


553902-2 : Multiple NTP Vulnerabilities

Vulnerability Solution Article: K17516


553795-4 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.

2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Delete the FIPS key by-handle on the peer system(s).

2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).

Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.


553735-3 : TMM core on HTTP response with steering action.

Component: Policy Enforcement Manager

Symptoms:
TMM process will crash.

Conditions:
No HTTP profile is attached to the PEM virtual server receiving the HTTP response. In this case, on receiving a connection request from the client, the BIG-IP system establishes the server-side connection without waiting for the HTTP request from the client. Meanwhile, a steering policy is installed. The server responds with an HTTP request timeout message, and TMM cores while trying to steer the existing connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Attaching an HTTP profile to the PEM virtual in question will avoid this issue.

Fix:
Issue has been fixed.


553734-1 : Issue with assignment of non-string value to Form.action in JavaScript.

Component: Access Policy Manager

Symptoms:
Exception in JavaScript code.

Conditions:
Attempt to assign a non-string value to Form.action in JavaScript code.

Impact:
Web application malfunction.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed for non-string value types.


553688-4 : TMM can core due to memory corruption when using SPDY profile.

Component: Local Traffic Manager

Symptoms:
TMM corefiles contain memory corruption within the 112-byte memory cache.

Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release contains a fix that prevents a double free on error within the SPDY component.


553649-3 : The SNMP daemon might lock up and fail to respond to SNMP requests.

Component: TMOS

Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.

Conditions:
The SNMP configuration on the BIG-IP system changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.

Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.

Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.

Fix:
The SNMP daemon no longer locks up and becomes unresponsive when it is restarted.


553613-3 : FQDN nodes do not support session user-disable

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support session user-disable.

Conditions:
Configure a monitor with recv-disable string, and set node to session user-disabled. Monitor does not mark the node down for draining persistent connections.

Impact:
Unable to use session drain.

Workaround:
None.

Fix:
FQDN nodes now support session user-disable.


553576-3 : Intermittent 'zero millivolt' reading from FND-850 PSU

Component: TMOS

Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage.
Specific symptoms include:
- SNMP alert 'bigipSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged:
emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low.
[where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).

Note that this condition may affect either PSU 1 or PSU 2.

Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.

Impact:
There is no impact; these error messages are benign.

Workaround:
None.

Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.


553454-2 : Mozilla NSS vulnerability CVE-2015-2730

Vulnerability Solution Article: K15955144


553330-3 : Unable to create a new document with SharePoint 2010

Component: Access Policy Manager

Symptoms:
VPN users are unable to create a new document with SharePoint 2010

An error is given: The Internet address "https://ip:port/shared documents/forms/template.dotx" is not valid.

Conditions:
Create a new document using the "New Document" button.

Impact:
User cannot create a new document with SharePoint 2010.

Workaround:
None.

Fix:
You can create a new document with Microsoft SharePoint 2010.


553174-4 : Unable to query admin IP via SNMP on VCMP guest

Component: TMOS

Symptoms:
The admin IP address is not returned via ipAdEntAddr.

Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.

Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.

Workaround:
None.

Fix:
ipAdEntAddr will now return the admin IP address on a VCMP guest.


553146-2 : BD memory leak

Component: Application Security Manager

Symptoms:
BD memory increases. May reach a kernel 'OOM killer' scenario.

Conditions:
Usually a policy with missing content profiles (XML, etc.) on a POST request, which causes the POST to be parsed incorrectly and issues many parameter violations.

Impact:
High memory consumption on the system, swap memory usage, potential crashes.

Workaround:
Apply the correct content profiles.

Note: Valid requests typically do not have that many parameters in them. If you have requests that do, apply the 'apply value signature' on those big POSTs.

Fix:
This release fixes a memory leak in the Enforcer.


553063-1 : Epsec version rolls back to previous version on a reboot

Component: Access Policy Manager

Symptoms:
If the administrator has installed multiple EPSEC packages, after a reboot the EPSEC version rolls back to the previously installed version.

Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.

Impact:
The OPSWAT version rolls back without prompting or logging. This might re-expose the endpoint security issues that are supposed to be fixed by the latest installed OPSWAT package.

Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.

After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.

Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.


552937-1 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.

Component: Local Traffic Manager

Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.

Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.

Impact:
TMM core.

Workaround:
Add the close header to the HTTP::respond response, and the connection will be automatically closed.

Fix:
The TMM will no longer core due to being unable to handle the next pipelined request after an HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.


552931-4 : Configuration fails to load if DNS Express Zone name contains an underscore

Component: Local Traffic Manager

Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.

Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
-- DNS Express Zone exists with an underscore in the name.

Impact:
Cannot load the LTM configuration when restarting the BIG-IP system if DNS Express Zones have an underscore character in the name.

Workaround:
Force the GTM configuration to load by sequentially running the following commands:
tmsh load sys config gtm-only
tmsh load sys config

Fix:
All FQDNs may now contain the underscore character. The BIG-IP system now correctly loads configurations that contain DNS Express Zones with underscores in the name.


552865-4 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl profile asks for the client certificate, the handshake might fail if the client sends an invalidly signed Certificate Verify message.

Conditions:
The SSL client certificate mode is request, and the client sends an invalidly signed Certificate Verify message to the BIG-IP system.

Impact:
The handshake does not ignore the invalidly signed Certificate Verify message, and the handshake might fail. SSL client authentication should ignore an invalidly signed Certificate Verify message when PCM is set to 'request': regardless of whether the Certificate and Certificate Verify messages are valid, the handshake should ignore the Certificate Verify signature error and continue.

Workaround:
None.

Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior.


552585-3 : AAA pool member creation sets the port to 0.

Component: TMOS

Symptoms:
When the AAA server pool member is created (for RADIUS mode BOTH and for AD), the port is set to 0 (Any), because there is more than one port for that pool member.

Conditions:
Create an AAA pool member while creating an AAA RADIUS server or Active Directory server. The created pool member does not support multiple port numbers, and for that reason it is updated with 0 (Any) as the port number. If the user continues to modify the configuration using the Admin UI, port changes made using tmsh are overwritten again to 0.

Impact:
The AAA pool member port is set to 0 (Any) rather than the port specified in the GUI. This is correct, because the pool member does not support more than one port number.


552498-1 : APMD basic authentication cookie domains are not processed correctly

Component: Access Policy Manager

Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.

Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.

Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.

Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.

Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.


552488-1 : Missing upgrade support for AFM Network DoS reports.

Component: Application Visibility and Reporting

Symptoms:
When upgrading, the statistics of AFM Network DoS reports are not migrated correctly to the new version, leading to loss of data about the Client-IP addresses.

Conditions:
Upgrade from versions 11.4.x or 11.5.x to versions 11.6.x or 12.0.0.

Impact:
The IP Addresses information of AFM Network DoS is lost. However, new activity is collected correctly.

Workaround:
There is no workaround for this issue.

Fix:
This release provides upgrade support for AFM Network DoS reports.


552481 : Disk provisioning error after restarting ASM service.

Component: TMOS

Symptoms:
Disk provisioning error after restarting ASM service.
In newer BIG-IP software versions, ASM uses a different application volume name. Older BIG-IP software versions identify the application volume as being owned by ASM, and allow ASM to be provisioned and started. However, the older versions create their own application volume, so there will be two ASM application volumes. If ASM is restarted with bigstart or tmsh, or if the BIG-IP system is rebooted, provisioning does not allow ASM to start.

Conditions:
ASM provisioned on both pre-v12.0.0 and post-v12.0.0 versions.

Impact:
ASM does not start, and bigstart status asm indicates a disk provisioning error.

Workaround:
Follow these steps:
1. Boot into the affected version of BIG-IP software.
2. If DoS profiles are applied, they need to be removed from the virtual servers before the provisioning can be carried out, for example:
# tmsh modify ltm virtual all profiles delete { DoS-A-profile }
# tmsh modify ltm virtual all profiles delete { DoS-B-profile }
.....
3. Run the command: tmsh modify sys provision asm level none
4. Wait for the unprovisioning to complete (monitor /var/log/asm).
5. Run the command: tmsh delete sys disk application-volume asmdata1
6. Run the command: tmsh modify sys provision asm level nominal

Fix:
ASM starts successfully with no disk provisioning error after restarting ASM service using newer BIG-IP software.


552476-2 : Use of JavaScript's 'eval' function may be prohibited by site's content security policy

Component: Fraud Protection Services

Symptoms:
Websafe JavaScript does not run on sites that prohibit the use of 'eval' by using CSP headers.

Conditions:
CSP headers present that do not allow 'unsafe-eval'.

Impact:
Websafe JavaScript does not run and false positive 'component check' alerts are received in the dashboard.

Workaround:
None.

Fix:
Websafe JavaScript now runs as expected, so no false positive 'component check' alerts are received in the dashboard.


552352-2 : tmsh list displays incorrectly for default values of gtm listener translate-address/translate-port

Component: Global Traffic Manager

Symptoms:
tmsh list displays incorrectly for default values of GTM listener translate-address/translate-port settings.

Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.

Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when used with the TMSH merge command, where the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. This might eventually result in failing traffic.

Workaround:
Use tmsh list with 'all-properties' instead.

Fix:
The GTM Listener's translate-address and translate-port fields are now always displayed in TMSH commands, because GTM Listeners have different defaults than LTM virtual servers. Previously, when used with the TMSH merge command, the value was set to the LTM virtual server default instead of being maintained as the GTM Listener default. By always displaying this attribute, whatever its value, the merge is always handled appropriately.


552198-5 : APM App Tunnel/AM iSession Connection Memory Leak

Component: Wan Optimization Manager

Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.

Conditions:
The iSession profile reuse-connection attribute is true.
A large number of iSession connections are aborted while waiting to be reused.

Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.

Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.

Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.


552151-2 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected

Component: Local Traffic Manager

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.

Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.

Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.

Workaround:
Disable compression if CPU usage is too high.

Fix:
Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).


552139-2 : ASM limitation in the pattern matching matrix build-up

Component: Application Security Manager

Symptoms:
The signature configuration does not build up upon adding new signatures. This can look like a configuration change that never finishes, or, if it does finish, it may result in crashes when the Enforcer starts up, resulting in constant restarts.

Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.

Impact:
The configuration change doesn't finish, or ASM crashes at startup (which results in constant restarts of the system).

Workaround:
Workarounds are possible only in a custom signature scenario: use fewer signatures, or remove unused signatures.

Fix:
Fixed a limitation in the attack signature engine.


551999-2 : Edge client needs to re-authenticate after lost network connectivity is restored

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client restarts executing access policy after lost connectivity is restored. Usually that means Edge client will try to re-authenticate (if access policy is configured so) after lost network connectivity is restored.

Conditions:
Edge Client for Mac, APM with access policy with authentication configured.

Impact:
User needs to input credentials again.

Workaround:
Access policy can have "Save password" option enabled. In this case Edge Client caches the password based on password caching policy in connectivity profile and will not ask for password if cache is still valid.

Fix:
Edge Client for Mac now tries to restore session after lost network connectivity is restored.


551927-2 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition

Component: TMOS

Symptoms:
On an ePVA-capable platform with a fastl4 profile and asymmetric routing on the client side, LTM sends packets to the client with the wrong VLAN and correct MAC address (or the correct VLAN and wrong MAC address) and an undecremented TTL.

Conditions:
fastl4 profile and asymmetric routing on the client side.

Impact:
Return traffic could use the wrong VLAN.

Workaround:
None.

Fix:
The system now uses the nexthop VLAN for ePVA transformation of an offloaded flow when available, instead of the incoming VLAN.


551893-2 : Alerts sent from the FPS plugin via HSL are sent in a malformed HTTP format

Component: Fraud Protection Services

Symptoms:
FPS alerts end with \r\n\r\n, and HSL adds an extra \n.

Conditions:
The FPS plugin sends an alert via HSL.

Impact:
Alerts sent by the FPS plugin via HSL are malformed, with an extra \n at the end.

Workaround:
None.

Fix:
One hard-coded \n was removed from the end of the FPS alerts format, so that they now end with \r\n\r. When alerts are sent via HSL, an extra \n is added and the final alert format is correct (\r\n\r\n).


551767-3 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats

Component: Global Traffic Manager

Symptoms:
The GTM server 'Virtual Server Score' does not show correct values in TMSH stats. Instead, stats show a zero value.

Conditions:
You have a virtual server configured with a non-zero score.

Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.

Workaround:
None.

Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.


551764-3 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform

Component: Access Policy Manager

Symptoms:
Successful execution of an Access Policy results in the client receiving an HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression that occurs when the fix for bug 374067 is included.

Conditions:
-- The system has the fix for bug 374067.
-- Clientless mode is enabled.
-- BIG-IP platform is chassis platform.
-- The administrator does not override the Access Policy response with an iRule command.

Impact:
Client receives an invalid response.

Workaround:
None.

Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.


551742-2 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades

Component: TMOS

Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors from an unknown source. This fix mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated by the following message in the ltm log:

Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)

Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.

Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.

Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.

Fix:
A hardware parity error issue has been fixed.


551661-2 : Monitor with send/receive string containing double-quote may fail to load.

Component: TMOS

Symptoms:
When a monitor string contains \" (backslash double-quote) but does not contain a character that requires quoting, one level of escaping is lost at each save/load.

Note: Re-loading a config happens during licensing. If you decide to upgrade, first verify that you have an escaped quote in the monitor string. If you do, remove the re-licensing step from your MOP (Method of Procedure). The failure message for reloading the license with an escaped quote appears similar to the following example:

Monitor monitor_1 parameter contains unescaped " escape with backslash.

Conditions:
If the string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.

Workaround:
You can use either of the following workarounds:
-- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary.
-- Use an external monitor instead.

Fix:
If the monitor send-recv strings contain a double-quote (") character, the system now adds quotes to the input.

If a configuration contains '\"', do not reload the license before upgrade.


551614-2 : MTU Updates should erase all congestion metrics entries

Component: Local Traffic Manager

Symptoms:
MTU updates erase cwnd cache entries, but not ssthresh or RTT, while an MTU update generally indicates a path change, meaning that these values might be invalid.

Conditions:
TCP has cached congestion metrics from a previous connection, and subsequently receives an ICMP PMTU message.

Impact:
Connection might use invalid congestion metrics.

Workaround:
Disable cmetrics-cache, accept the suboptimal cached values, or write an iRule to purge the entry after path change.

Fix:
MTU updates now erase all congestion metrics entries, which is correct behavior.


551612 : BIG-IP SSL does not support sending multiple certificate verification requests to the hardware accelerator at the same time in 11.6.0.

Component: Local Traffic Manager

Symptoms:
When SSL sends multiple certificate verification requests at the same time, the handshake is disconnected with 'bad certificate'.

Conditions:
SSL simultaneously sends multiple certificate verification requests.

Impact:
BIG-IP SSL does not support this case and the SSL handshake is disconnected with "bad certificate".

Workaround:
None.

Fix:
BIG-IP SSL now supports sending multiple certificate verification requests at the same time.


551481-3 : 'tmsh show net cmetrics' reports bandwidth = 0

Component: TMOS

Symptoms:
'tmsh show net cmetrics' reports bandwidth = 0

Conditions:
-- The TCP profile enables cmetrics-cache.
-- The connection involves at least 4 RTT updates.

Impact:
User cannot view cmetrics data.

Workaround:
For 12.0.0 and later, you can get this data using the ROUTE::bandwidth iRule. For earlier versions, there is no workaround.

Fix:
Bandwidth is now properly computed with the formula cwnd/rtt.


551454-5 : Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server

Component: Access Policy Manager

Symptoms:
Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server. This has no functional impact on end user.

Conditions:
End user specifies an incorrect VPN server URL in the Edge client.

Impact:
None. This has no functional impact on end user.

Workaround:
Specify the correct server URL in the Edge client.

Fix:
The Edge client now caches the results of the probe query, reducing the number of queries sent to the probe URL.


551303-3 : TMM may core during processing of a CCA-T.

Component: Policy Enforcement Manager

Symptoms:
TMM may core during processing of a CCA-T.

Conditions:
For every session there is a Gx context and a Main session context. These are always stitched to the same processing unit so that lookups are synchronous when a flow arrives for the session. These contexts are mirrored on different blades for high availability (HA).

The issue occurs when the following events happen:
1. The Main session moves to a new processing unit (failover trigger).
2. This session is marked for deletion by a RAR from the PCRF or a RADIUS Stop.
3. Session delete is initiated from the Main session by sending a local message.
4. The Gx context has not yet moved to this processing unit.
5. A CCR-T is sent for this session after an asynchronous lookup for the Gx context, and the local message is freed. This is the bug (see explanation below).
6. The Gx context moves.
7. The PCRF sends a CCA-T, which comes back and tries to look up the local message queued to acknowledge the Main session.
8. The local message was deleted at step 5, and TMM cores.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release prevents freeing of the Gx context when a CCR-T is sent out even if the Gx session is remote (present on another tmm), which prevents the TMM core.


551287-4 : Multiple LibTIFF vulnerabilities

Vulnerability Solution Article: K16715


551260-2 : When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is used as a SAML Service Provider, and the IdP-Connector's Single Sign On Service URL contains an ampersand (&), part of the URL may be truncated when the user is redirected to the IdP for authentication.

Conditions:
All conditions must be true:
- BIG-IP is used as SAML Service Provider
- Single Sign On Service URL property of IdP connector contains ampersand, e.g. https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar
- User performs SP initiated SSO

Impact:
The query part of the redirect URL after ampersand will be lost when user is redirected to SSO URL with Authentication Request.

Fix:
Redirect URL is no longer truncated after ampersand sign.


551208-1 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.

Component: TMOS

Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x and 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.

Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia SNMP alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435.

Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.

Workaround:
None.

Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.


551189 : Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data

Component: Local Traffic Manager

Symptoms:
Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g. HTTP Set-Cookie header and/or other HTTP headers).

Conditions:
LTM Virtual Server handling HTTP traffic, with iRule attached which modifies a given HTTP cookie value through the HTTP::cookie API, on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use-case for producing the error would be encrypting and decrypting HTTP cookies via an iRule.

Impact:
Repeatedly altering the same HTTP cookie value in an iRule, via the HTTP::cookie API, may yield an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header.

Workaround:
None.


551010-7 : Crash on unexpected WAM storage queue state

Component: WebAccelerator

Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.

Conditions:
WAM configured on a virtual server with request queuing enabled.

Impact:
Crash.

Workaround:
None.

Fix:
The system now gracefully recovers from an unexpected WAM storage queue state.


550782-4 : Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit

Component: Local Traffic Manager

Symptoms:
RRSIG present when not asked for, and RRSIG and AD drop from response upon expiration from the cache.

Conditions:
Standard DNS requests are made against a Validating Resolver DNS cache that points to a second BIG-IP system, which in turn contains a wide IP in a signed zone.

Impact:
RRSIG present when not asked for, and RRSIG and AD drop from the response upon expiration from the cache.

Workaround:
N/A

Fix:
Message encoding now depends on the client's DO bit.


550694-3 : LCD display stops updating and Status LED turns/blinks Amber

Component: TMOS

Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.

Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer.
This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus becomes stalled.
Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition is greatly reduced, but may still occur under rare conditions.

Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.

Workaround:
This condition can be cleared by either of the following actions:
1. Press one of the buttons on the LCD display to navigate the LCD menus.
2. Issue the following command at the BIG-IP host console:
/sbin/lsusb -v -d 0451:3410

Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.

Fix:
Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.


550689-2 : Resolver H.ROOT-SERVERS.NET Address Change

Component: Local Traffic Manager

Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will be good for 6 months after the change, and then the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. More details: http://h.root-servers.org/renumber.html

Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.

Impact:
Incorrect address for a root-server means no response to that query.

Workaround:
There are 12 other root-servers that also provide answers to TLD queries, so this is cosmetic, but the addresses still need to be updated to respond to the change.

Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53).

For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.


550669-1 : Monitors stop working - throttling monitor instance probe because file descriptor limit 65436 reached

Component: Local Traffic Manager

Symptoms:
Monitor checks stop working.

The ltm log file contains error messages similar to the following: 01060154:4: Bigd PID 7147, instance 0, throttling monitor instance probe because file descriptor limit 65436 reached.

Conditions:
- You have a monitor type configured that uses Tcl internally (for example, FTP, IMAP, POP3, SMTP monitors).
 
- You have monitor logging enabled for the pool members or nodes.
 
  tmsh list ltm pool <pool_name>
  members {
    ...
    <member> {
      ...
      logging enabled

  tmsh list ltm node <node_ip>
    ...
    logging enabled

Impact:
Monitoring stops working; pool members are marked down when they are not.

Workaround:
No workaround if Tcl-using monitors are configured.
 
If pool member or node level monitor logging is configured, disable that logging and restart bigd.
 
Disable monitor logging with appropriate commands on all pools and nodes necessary:
  tmsh modify ltm pool <pool-name> members modify { all { logging disabled }}
  tmsh modify ltm node <node-ip> logging disabled
 
Restart bigd:
  tmsh restart sys service bigd

Fix:
Resolved resource leak so monitors continue to work properly.


550596-3 : RESOLV::lookup iRule command vulnerability CVE-2016-6876

Vulnerability Solution Article: K52638558


550536-3 : Incorrect information/text (in French) is displayed when the Edge Client is launched

Component: TMOS

Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.

Conditions:
The Edge Client is used in a French locale.

Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.

Workaround:
None.

Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.


550434-5 : Diameter connection may stall if server closes connection before CER/CEA handshake completes

Component: Service Provider

Symptoms:
Serverside connection stalls. Connection is not torn down and packets are not forwarded to serverside.

Conditions:
The selected pool member closes the connection (via FIN) before sending CEA as part of the Diameter handshake.

Impact:
Connection stalls until handshake timeout and then it is reset.

Workaround:
None.

Fix:
Serverside diameter connections will be immediately reset if FIN is received before CEA (Capabilities-Exchange-Answer).


549971-5 : Some changes to virtual servers' profile lists may cause secondary blades to restart

Component: TMOS

Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.

Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.

Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.

Workaround:
Explicitly set the ip-protocol when changing the profiles of a virtual server; the bug then does not occur.

Fix:
If a virtual server's ip-protocol was not set, then some changes to the list of attached profiles would cause a validation error on secondary blades. This would cause those blades to restart. This issue has been fixed.


549868-4 : 10G interoperability issues reported following Cisco Nexus switch version upgrade.

Component: Local Traffic Manager

Symptoms:
10G link issues reported with VIPRION B2250 and B4300 blades and BIG-IP 10x00 appliances connected to Cisco Nexus switches.

Conditions:
Issues reported after version upgrade on Cisco switch to version 7.0(5)N1(1).

Impact:
The links might not come up.

Workaround:
Toggling the SFP+ interfaces has been reported to usually restore the link.

Fix:
The BIG-IP system's 10G link now consistently becomes active when it is connected to other switches.


549800-2 : Renaming a virtual server with an attached plugin can cause buffer overflow

Component: Local Traffic Manager

Symptoms:
Renaming a virtual server (essentially, moving one virtual server to a new location, which effectively renames it) might cause buffer overflow and potentially result in Failover.

Conditions:
The database variable 'mcpd.mvenabled' must be set to 'true'.
Also, when moving a virtual server, the new name must be longer than the original name.

Impact:
Buffer overflow and potentially failover.

Workaround:
Do not use the move command. Instead, issue a delete followed by a create command in a transaction.

Fix:
Renaming a virtual server now works as expected, and does not result in buffer overflow or failover.


549782-1 : XFV driver can leak memory

Component: Local Traffic Manager

Symptoms:
When the interface goes down, memory is not correctly freed.

Conditions:
The leak happens when the interface goes down.

Impact:
Over a long enough period of time the BIG-IP system can run out of memory, and TMM needs to be restarted.

Workaround:
None.

Fix:
The driver was corrected so that when the interface is brought down, all the xfrags currently in the ring buffer are freed.


549588-2 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Component: Access Policy Manager

Symptoms:
EAM memory growing and OOM kills EAM process under memory pressure.

Conditions:
This occurs when using an access management product such as Oracle Access Manager: when an authentication request is redirected to the IdP (a redirect URL is present) with cookies present, memory can grow unbounded.

Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.

Workaround:
No Workaround

Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.


549543-3 : DSR rejects return traffic for monitoring the server

Component: TMOS

Symptoms:
System DB variable 'tm.monitorencap' controls whether the server monitor traffic is encapsulated inside DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, and return traffic is without the tunnel encapsulation. In such a case, the return traffic is not mapped to the original monitor flow, and gets rejected/lost.

Conditions:
System DB variable 'tm.monitorencap' is set to 'enable', and DSR server pool is monitored.

Impact:
Monitor traffic gets lost, and server pool is marked down.

Workaround:
None.

Fix:
The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.


549406-5 : Destination route-domain specified in the SOCKS profile

Component: Local Traffic Manager

Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.

Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).

Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.

Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.

Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.


549393-3 : SWG URL categorization may cause the /var/lib/mysql file system to fill.

Component: Application Visibility and Reporting

Symptoms:
Secure Web Gateway (SWG) URL categorization may cause the /var file system to fill. This might manifest in the following ways.

1. The /var/lib/mysql file system is full or approaching 100% utilization, as shown in the following example:

# df -h /var/lib/mysql
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg--db--vda-app.ASWADB.set.1.mysqldb
                       12G 11G 576M 95% /var/lib/mysql

2. The database and index files for SWG URL categorization have grown very large, as shown in the following example:

-- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYD: 8.1G <--- Database!
-- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYI: 765M <--- Index!

Conditions:
SWG is provisioned and configured to perform URL classification, and a large amount of web traffic is being proxied by the SWG system.

Impact:
This results in the following impacts:
- SWG-related operations dependent on MySQL may fail.
- Once the /var/lib/mysql file system reaches 100% utilization, other BIG-IP system functions that are dependent on the MySQL system may also experience issues.

Workaround:
The issue can be worked around by resetting the AVR statistics. You can find information on how to reset AVR statistics in SOL14956: Resetting BIG-IP AVR statistics, available at https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14956.html.

Impact of procedure: The procedure removes all Analytics data and resets the MySQL database.

Fix:
Secure Web Gateway (SWG) URL categorization no longer causes the /var file system to fill.


549329-1 : L7 mirrored ACK from standby to active box can cause tmm core on active

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby configuration setup for L7 packet mirroring.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.


549283-3 : Add a log message to indicate transition in the state of Gx and Gy sessions.

Component: Policy Enforcement Manager

Symptoms:
Without a state transition indicator, it is difficult to determine if the Gx and Gy session is active and UP on the BIG-IP device.

Conditions:
Gx or Gy state transitions need to occur.

Impact:
Difficult to identify and debug issues related to Gx and Gy state transitions.

Workaround:
None needed. This is an improvement.

Fix:
Added a log message to indicate the state transitions for Gx and Gy sessions.


549108-1 : RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value

Component: Access Policy Manager

Symptoms:
Some RDP parameters may contain whitespace or colons in the value, e.g.:
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.RDSFarm

The configuration utility will throw a validation error "01070734:3: Configuration error: apm resource remote-desktop rdp: Parse error on line 0: <parameter>"

Conditions:
This occurs when using RDP parameters containing spaces or colons in the value.

Impact:
Administrator is unable to configure the RDP resource as desired.

Workaround:
None.

Fix:
RDP parameter parsing has been refined to support values containing colons or whitespace.


549086-8 : Windows 10 is not detected when Firefox is used

Component: Access Policy Manager

Symptoms:
Windows 10 is not detected when the Firefox browser is used.

Conditions:
Windows 10 and Firefox (at least versions 40 and 41).

Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.

Workaround:
There is no workaround.

Fix:
Now Windows 10 is properly detected with the Firefox browser.


548796-2 : Avrd CPU usage is at 100%

Component: Performance

Symptoms:
When the Application Visibility and Reporting (AVR) module is being used, the avrd daemon can consume all CPU. The avrd log will contain error messages similar to "Semaphore DB_Publisher_ready is not set, for xxxx seconds".

Conditions:
This can occur when using the AVR module.

Impact:
Avrd reaches 100% CPU and stays there even when no traffic is being passed, which impacts system performance.

Workaround:
Restarting tmm temporarily mitigates this problem.

Fix:
Avrd is no longer susceptible to consuming all CPU indefinitely even when traffic is not being passed.


548680-2 : TMM may core when reconfiguring iApps that make use of iRules with procedures.

Component: Local Traffic Manager

Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.

Conditions:
During the reconfiguration of more than one iApp by switching templates, where the prior and new templates both contain iRules with procedures of the same name.
After the second or later reconfiguration TMM may core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.

Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.


548678-2 : ASM blocking page does not display when using SPDY profile

Component: Local Traffic Manager

Symptoms:
The ASM blocking page will not be displayed when using the SPDY profile.

Conditions:
A virtual server is configured with ASM and a SPDY profile, and a request is blocked by ASM.

Impact:
Request blocked page is not displayed.

Workaround:
If possible, disable the SPDY profile on virtual servers configured to use ASM.

Fix:
ASM will now correctly display its blocking page when the SPDY profile is enabled and an ASM blocking rule is triggered.


548583-3 : TMM crashes on standby device with re-mirrored SIP monitor flows.

Component: Local Traffic Manager

Symptoms:
Occasionally, the standby system with a SIP monitor crashes in a configuration where the active system contains a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.

Conditions:
This occurs on an active-standby setup in which there is an L4 forwarding virtual server or SNAT listener configuration with a wildcard IP address and port, and with connection mirroring enabled. Also, the standby has a SIP monitor configured.

Impact:
Packets that are sent by the SIP monitor on the standby get routed back to the active unit (possibly due to a routing loop) and are then sent to the standby because of the wildcard mirrored configuration. tmm on standby might crash. When the crash occurs, the standby system posts the following assert and crashes: tmm failed assertion, non-zero ha_unit required for mirrored flow.

Workaround:
-- If a routing or switching loop is the reason the packets come back to the active unit, then the routing issues can be eliminated.
-- The mirroring of the wildcard virtual server or SNAT listener can be disabled.

Fix:
TMM no longer crashes on standby device with re-mirrored SIP monitor flows.


548563-2 : Transparent Cache Messages Only Updated with DO-bit True

Component: Local Traffic Manager

Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
When the TTL of a cached DO-bit TRUE message expires, DO-bit FALSE queries are proxied until the message cache is updated by a DO-bit TRUE response.

Workaround:
None.

Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.
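A constructed model, added here and not BIG-IP code, of the DO-bit handling described in this entry and in the earlier RRSIG/AD cache-expiration entry: responses are encoded according to the client's DO bit, a stale entry is refreshed by the next response regardless of its DO bit, and a DO-bit TRUE copy is preferred. The Message and TransparentCache names, the string record format and the legacy_refresh switch that reproduces the pre-fix refresh rule are assumptions.

```python
"""Constructed model (not BIG-IP code) of a DNS transparent cache's DO-bit handling.

Two behaviours from this release's fixes are modelled:
  * response encoding follows the client's DNSSEC OK (DO) bit: RRSIG records
    and the AD flag are returned only when the client asked for DNSSEC;
  * after a cached message's TTL expires, the next response refreshes it
    regardless of its DO bit, and a DO-bit TRUE copy replaces a DO-bit FALSE one.
The legacy_refresh switch reproduces the pre-fix refresh rule for comparison.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RRSIG_PREFIX = "RRSIG "


@dataclass
class Message:
    """A cached DNS answer (hypothetical representation; records kept as strings)."""
    name: str
    ttl: int            # seconds the answer may be served from cache
    do_bit: bool        # DO bit of the query that fetched this answer
    ad: bool            # Authenticated Data flag set by the validating resolver
    records: List[str]  # answer section, e.g. "A 192.0.2.10", "RRSIG A ..."


@dataclass
class Entry:
    msg: Message
    stored_at: int      # time the answer entered the cache


def encode(msg: Message, client_do: bool) -> Tuple[List[str], bool]:
    """Encode a cached answer for a client: strip RRSIG and clear AD unless DO=1."""
    if client_do:
        return list(msg.records), msg.ad
    return [r for r in msg.records if not r.startswith(RRSIG_PREFIX)], False


class TransparentCache:
    def __init__(self, legacy_refresh: bool = False) -> None:
        self.legacy_refresh = legacy_refresh
        self._entries: Dict[str, Entry] = {}

    @staticmethod
    def _expired(entry: Entry, now: int) -> bool:
        return now >= entry.stored_at + entry.msg.ttl

    def store(self, msg: Message, now: int) -> bool:
        """Offer an upstream response to the cache; returns True if it was stored."""
        cur = self._entries.get(msg.name)
        if cur is None:
            self._entries[msg.name] = Entry(msg, now)
            return True
        if self._expired(cur, now):
            # Pre-fix rule: a stale DO=1 entry was only refreshed by another DO=1
            # answer, so DO=0 clients kept being proxied until a DNSSEC client asked.
            if self.legacy_refresh and cur.msg.do_bit and not msg.do_bit:
                return False
            self._entries[msg.name] = Entry(msg, now)   # fixed: refresh regardless of DO
            return True
        if msg.do_bit and not cur.msg.do_bit:
            self._entries[msg.name] = Entry(msg, now)   # prefer the DNSSEC-capable copy
            return True
        return False

    def lookup(self, name: str, client_do: bool, now: int) -> Optional[Tuple[List[str], bool]]:
        """Serve from cache, or return None when the query must be proxied upstream."""
        cur = self._entries.get(name)
        if cur is None or self._expired(cur, now):
            return None
        if client_do and not cur.msg.do_bit:
            return None   # a DO=0 copy carries no RRSIGs to give a DNSSEC client
        return encode(cur.msg, client_do)


if __name__ == "__main__":
    # Constructed sample answers for one name.
    name = "www.example.test."
    signed = Message(name, 60, True, True, ["A 192.0.2.10", "RRSIG A 8 3 60 <sig>"])
    plain = Message(name, 60, False, False, ["A 192.0.2.10"])
    cache = TransparentCache()
    cache.store(signed, 0)
    print("DO=0 client at t=10:", cache.lookup(name, False, 10))   # RRSIG stripped, AD cleared
    print("DO=0 client at t=60:", cache.lookup(name, False, 60))   # expired -> proxied
    print("DO=0 refresh accepted:", cache.store(plain, 60))        # True after the fix
```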


548385-3 : iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results

Component: TMOS

Symptoms:
If the active folder is not the same as the folder in which the query is being run, and the corresponding key/cert extension is not present in the name of the key/certificate file, the query returns incorrect results.

Conditions:
This occurs when an iControl call queries a key/cert from the parent folder and the name is missing the extension.

Impact:
The query result returns incorrect results.

Workaround:
You can use one of the following workarounds:
-- Change the filename to include the extension.
-- Change to the folder containing the iControl call you are executing.

Fix:
The system now correctly loads key/cert/csr/crl files without an extension, so iControl calls that query those files from the parent folder now return correct results.


548361 : Performance degradation when adding VDI profile to virtual server

Component: Access Policy Manager

Symptoms:
Performance degradation occurs when adding a VDI profile to a virtual server.

Conditions:
This occurs when using the VDI profile.

Impact:
A 0.3 s latency increase compared with the previous result.

Workaround:
None.

Fix:
Fixed the 0.3 s latency between the client and server SSL hello when a VDI profile is added to a virtual server.


548239-3 : BGP routing using route-maps cannot match route tags

Component: TMOS

Symptoms:
When a route-map is used to redistribute routes into BGP, matching on the route tag fails.

Conditions:
Dynamic routing using BGP, redistribution into BGP using a route-map, route-map matches route tag.

Impact:
BGP may not get all prefixes from other routing protocols.

Workaround:
None.

Fix:
Route-maps used with BGP now correctly match route tags.


547732-1 : TMM may core on using SSL::disable on an already established serverside connection

Component: Local Traffic Manager

Symptoms:
TMM process may crash if the SSL::disable iRule command is used on a serverside with a connection that has already established SSL.

Conditions:
Use of the 'SSL::disable serverside' iRule command on a serverside connection that has already established SSL.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use SSL::disable on an event where the serverside SSL connection is already established.

Fix:
TMM no longer cores on using SSL::disable on an already established serverside connection; it now logs the warning "Connection error: hud_ssl_handler:605: disable profile (80)".


547657-1 : A TCL error in a DNS_RESPONSE iRule event can cause a tmm crash.

Component: Local Traffic Manager

Symptoms:
A TCL error, such as referencing an undefined variable, in a DNS_RESPONSE iRule event can cause a tmm crash. This can occur on a UDP listener with a DNS profile without datagram load balancing enabled. A DNS_REQUEST event, with any content, on the same listener is also required.

Conditions:
All of the following:

UDP listener with DNS profile without datagram load balancing.

A TCL error, such as referencing an undefined variable, in a DNS_RESPONSE iRule event.

A DNS_REQUEST iRule event with any content.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Either add datagram load balancing to the listener or correct the TCL errors that lead to the problem.

Fix:
The TCL error handling is now processed asynchronously which prevents the problem from occurring.


547546-3 : Add support for auto-update of MachineCertService

Component: Access Policy Manager

Symptoms:
Auto-update of MachineCertService was not implemented. If APM contains a newer MachineCertService, the Edge Client does not pick it up automatically.

Conditions:
Upgrading existing APM install.

Impact:
Because MachineCertService is not an auto-updatable service, redeployment is required.

Fix:
Added auto-update support to MachineCertService.


547537-3 : TMM core due to iSession tunnel assertion failure

Component: Wan Optimization Manager

Symptoms:
TMM core due to "valid isession pcb" assertion failure in isession_dedup_admin.c.

Conditions:
Deduplication endpoint recovery occurs on a BIG-IP system that has deduplication enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
An iSession tunnel initialization defect has been corrected.


547532-2 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades

Component: TMOS

Symptoms:
Error messages similar to this are present in the ltm log:

-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.

Conditions:
A chassis-based system with multiple blades. This can occur a few different ways:
- A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).
- A monitor defined in the Common partition is attached to an object from a partition where the default route domain is different.

Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.

Workaround:
There are two possible workarounds:

-- Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.

-- Do not use monitors from other partitions where the default route domain is different.

Fix:
The complete state for addresses on the primary blade is propagated to secondary blades.


547047 : Older cli-tools unsupported by AWS

Component: TMOS

Symptoms:
Older EC2 tools stopped working in some AWS regions.

Conditions:
This can happen in some AWS regions.

Impact:
BIG-IP high availability configurations may stop working in some AWS regions.

Workaround:
None.

Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.


547038-2 : In very fast transactions, some detection data is missing

Component: Fraud Protection Services

Symptoms:
In very fast transactions, some automatic transaction detection data is missing.

Conditions:
Form submitted before page finishes loading.

Impact:
False positive automatic transaction alerts.

Workaround:
None

Fix:
Loss of data in the Automatic Transactions cookie can be prevented by initializing cookies earlier.


547000-4 : Enforcer application might crash on XML traffic when out of memory

Component: Application Security Manager

Symptoms:
Enforcer application might crash on XML traffic when out of memory.

Conditions:
This occurs when the system is out of memory.

Impact:
The BIG-IP system might temporarily fail to process traffic.

Workaround:
None.

Fix:
This release fixes a scenario where the system might crash when the XML parser ran out of memory.


546747-2 : SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets

Component: Local Traffic Manager

Symptoms:
Sometimes the BIG-IP system responds with a fatal handshake alert and closes the SSL session for a new connection when a ClientHello record is split between two or more packets.

If SSL debug logging is enabled, the system logs an error such as the following:
    01260009:7: Connection error: ssl_hs_rxhello:6210: ClientHello contains extra data (47).

Note: For information on SSL debug logging, see SOL15292: Troubleshooting SSL/TLS handshake failures at https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html.

Conditions:
This occurs when an SSL ClientHello record is split across multiple TCP segments, and the last segment is relatively small.

Impact:
SSL connections fail to complete with a handshake failure.

Workaround:
No workaround.

Fix:
SSL handshakes no longer fail to complete when the ClientHello is split across multiple TCP segments and the last segment is relatively small.


546640 : tmsh show gtm persist <filter option> does not filter correctly

Component: Global Traffic Manager

Symptoms:
The following commands fail to return results even if there are matching records:
  # tmsh show gtm persist level wideip
  # tmsh show gtm persist target-type pool-member

Conditions:
This only happens when running the tmsh commands listed in the Symptoms.

Impact:
It is not possible to get granular details for persist stats.

Workaround:
Use the GUI.

Fix:
Filters for the tmsh show gtm persist command now apply the filters correctly.


546410-2 : Configuration may fail to load when upgrading from version 10.x.

Component: TMOS

Symptoms:
After upgrade from 10.x to 11.5.3 HF2, configuration fails to load with the following error:
01070734:3: Configuration error: Invalid primary key on monitor_param object () - not a full path 2.

Conditions:
Configuration contains a user-created monitor (A) that inherits from user-created monitor (B). Monitor A appears first within the configuration files and monitor B does not have a 'destination' attribute.

Impact:
Configuration fails to load.

Workaround:
Re-order monitors such that Monitor B appears first, or add a 'destination' attribute (i.e., 'destination *:*') to monitor B.

Fix:
10.x upgrade now completes successfully, even when parent monitors appear later in the monitor list, or when there is no destination attribute in the child monitor.


546082-5 : Special characters might change input.

Component: iApp Technology

Symptoms:
Special characters entered by users might change the intended data.

Conditions:
Use of special characters.

Impact:
Incorrect or unwanted response.

Workaround:
None.

Fix:
Updated data handling to properly account for special characters.


546080-5 : Path sanitization for iControl REST worker

Vulnerability Solution Article: K99998454


545985-3 : ICAP 2xx response (except 200, 204) is treated as error

Component: Service Provider

Symptoms:
An ICAP status code from the ICAP server of 2xx (other than 200 or 204) is treated as an error, causing the reset of the ICAP connection and the service-down-action to be performed on the parent virtual server (as configured in the requestadapt or responseadapt profile). RFC 3507 requires the ICAP client (BIG-IP) to handle the response normally (i.e., like 200).

Conditions:
The ICAP server returns a 2xx status code that is not defined explicitly for ICAP.

Impact:
Transactions involving an ICAP server that returns a non-ICAP 2xx response do not work, and the service-down action is performed.

Workaround:
If possible, have the ICAP server return status code 200.

Fix:
An ICAP status code from the ICAP server of 2xx (other than 200 or 204) is treated as a normal 200 status code, thus the encapsulated HTTP request or response is returned to the HTTP client or server.


545810-1 : ASSERT in CSP in packet_reuse

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
This crash will happen on LTM virtuals that meet the following two configuration criteria:
- the virtual is configured with fasthttp profile.
- the virtual's enabled VLAN is mapped to the _loopback interface.

Impact:
Crash and restart of TMM

Workaround:
None

Fix:
Fixed the logic that determines whether the connection is an L7 loopback connection, so that CSP receives only packets that it owns and can reuse.


545786-4 : Privilege escalation vulnerability CVE-2015-7393

Vulnerability Solution Article: K75136237


545783-3 : TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when forwarding an inbound connection and the flow sweeper tries to update the flow before the forwarding operation completes.

Conditions:
A small or over-utilized LSN pool that creates inbound entries that require forwarding.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add more IP addresses to the LSN pool.

Fix:
TMM no longer crashes when forwarding inbound connections configured with an LSN pool.


545762 : CVE-2015-7394

Vulnerability Solution Article: K17407


545745-2 : Enabling tmm.verbose mode produces messages that can be mistaken for errors.

Component: TMOS

Symptoms:
When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present.

Conditions:
Must have an accelerator device, and enable tmm.verbose logging.

Impact:
The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored.

Workaround:
Ignore the lines with format similar to the following:

 en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000

Fix:
The cosmetic messages containing 'error' and 'best_error' are no longer posted on initial tmm startup when tmm.verbose logging is enabled on hardware-accelerated devices.


545704-2 : TMM might core when using HTTP::header in a serverside event

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM might core when using an HTTP iRule command in an HTTP_REQUEST_SEND serverside event.

Conditions:
- iRule with an HTTP command in a serverside event prior to the serverside being completely established, such as HTTP_REQUEST_SEND.
- OneConnect configured on the virtual server.

Impact:
The command might either return an invalid value or lead to a condition where TMM might core.

Workaround:
Use the {clientside} Tcl command to execute on the client side.

Alternatively, you might use the HTTP_REQUEST_RELEASE event for HTTP inspection/modification on the server-side.

Fix:
TMM no longer cores when using HTTP iRule commands on the server-side of the HTTP_REQUEST_SEND event.


545558-1 : Send RAA when RAR is sent by PCRF and session is deleted immediately after its created.

Component: Policy Enforcement Manager

Symptoms:
BIG-IP does not send RAA for certain sessions.

Conditions:
If a session is created, CCR-I is sent, CCA-I is received, and the session is deleted immediately, then the RAA for the RAR update from the PCRF for that session is not sent.

Impact:
PCRF has no way of knowing why RAA was not received for the session.

Workaround:
No workaround; this is an extremely remote scenario in which RADIUS Start and Stop are received almost at the same time.


545450-3 : Log activation/deactivation of TM.TCPMemoryPressure

Component: Local Traffic Manager

Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.

Conditions:
TM.TCPMemoryPressure set to "enable".

Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.

Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.


544980-3 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.

Component: TMOS

Symptoms:
The size of /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.

Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.

Impact:
Not enough space in /var.

Workaround:
In the current volume:

1. Modify the global_attributes file.
* The global_attributes file is located at /shared/.tmi_config; modify it using the vi command.

From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

2. Install version.

3. Modify the global_attributes file back to its original value.

4. Switchboot to newly installed volume.

5. To change /var to 3 GB, run the following command from tmsh:
modify /sys disk directory /var new-size 3145728

6. Reboot.

Fix:
BIG-IP Virtual Edition now has 3 GB of disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.


544913-6 : tmm core while logging from TMM during failover

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server when an HA failover occurs.

Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over. The crash occurs on the HA member which was the Primary member prior to the failover.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.


544888-5 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.

Fix:
Once the TCP connection reaches established state, the idle timeout is now set to the value found in the associated profile. By default the profile timeout value is 300 seconds.


544481-5 : IPSEC Tunnel fails for more than one minute randomly.

Component: TMOS

Symptoms:
IPsec IKEv1: a DPD ACK may be dropped during excessive DPD message exchange. This causes the IPsec tunnel to fail.

Conditions:
Excessive DPD message exchange.

Impact:
Connection resets.

Workaround:
None.

Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.


544375-1 : Unable to load certificate/key pair

Component: Local Traffic Manager

Symptoms:
After creating an SSL profile, 'could not load key/certificate file' appears in /var/log/ltm with the profile name. Unable to connect to a virtual server that uses the SSL profile.

Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.

Impact:
Unable to load certificate.

Workaround:
None.

Fix:
The system can now load certificates with the sha1WithRSA or dsaWithSHA1_2 signature algorithm.


544325-3 : BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).

Component: Local Traffic Manager

Symptoms:
A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms:

-- Client applications may not respond or appear to hang.
-- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system.

Conditions:
This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable.

Impact:
In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered').

Workaround:
None.

Fix:
LTM now sends back an ICMP Destination Unreachable message Code 3 (port unreachable), which is expected behavior.

Behavior Change:
In version 11.2.1 and earlier, the system responded to a request with an ICMP packet containing the type code 'port unreach' when a UDP virtual server pool member was down due to no available pool members. For the same scenario in versions 11.3.0 through 11.4.1, the system sends no ICMP packet. In versions 11.5.0 through this hotfix/release, the system sends an ICMP packet containing the 'administratively filtered' type code for the same scenario.

In this hotfix/release, the 11.2.1 behavior is restored. In this case, the system responds with an ICMP packet containing the type code set to 'port unreach'.


544028-5 : Verified Accept counter 'verified_accept_connections' might underflow.

Component: Local Traffic Manager

Symptoms:
Verified Accept counter 'verified_accept_connections' might underflow.

Conditions:
When the verified accept setting on a TCP profile is changed for an active virtual server.

Impact:
When the counter underflows, new connections on any verified-accept enabled virtual server are dropped. The counter will never recover.

Workaround:
Avoid changing the verified accept setting on a TCP profile for an active virtual server.

Fix:
This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.


543993-3 : Serverside connections may fail to detach when using the HTTP and OneConnect profiles

Component: Local Traffic Manager

Symptoms:
Serverside connection does not detach when using the OneConnect profile.

Conditions:
An HTTP/1.1 response without a Content-Length header is received in response to an HTTP/1.0 HEAD request.

Impact:
HTTP requests on the same connection are not load balanced across pool members.

Workaround:
Remove the OneConnect profile.

Fix:
The serverside connection is now detached when handling HTTP responses to HEAD requests.


543924 : Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6

Component: TMOS

Symptoms:
This is a major update from RHEL6.4 2.6.32-358.23.2 used in 11.6.0 releases (including all 11.6.0 hotfixes).

This includes many critical bugfixes and security fixes as of the last published kernel Red Hat Security Advisory:

https://rhn.redhat.com/errata/RHSA-2015-1030.html

Note that there are some additional security fixes beyond RHSA-2015-1030.html which have been backported from upstream RHEL6 kernels: 6.5, 6.6 and 6.7.

This does not include later 6.4 kernel updates from Red Hat, which are only available to Red Hat AUS customers:

https://rhn.redhat.com/errata/RHSA-2015-1211.html
https://rhn.redhat.com/errata/RHSA-2015-1643.html
https://rhn.redhat.com/errata/RHBA-2015-1843.html
https://rhn.redhat.com/errata/RHBA-2015-2005.html
https://rhn.redhat.com/errata/RHSA-2016-0004.html

Conditions:
This is a kernel-related update.

Impact:
Addresses many critical bugfixes and security fixes.

Workaround:
None needed.

Fix:
Updated kernel to 2.6.32-358.61.1.el6 [RHEL6.4].


543222-3 : apd may crash if an un-encoded session variable contains "0x"

Component: Access Policy Manager

Symptoms:
When a session variable value contains "0x" (for example 'value0x not encoded'), the apd process treats the value as hex-encoded and tries to decode it. Decoding the non-encoded string causes apd to crash.

Conditions:
A session variable contains the substring "0x".

Impact:
apd crashes.

Workaround:
None.

Fix:
With this release:
1. Only values starting with 0x are treated as hex-encoded.
2. If hex decoding fails, apd does not crash.
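The two-part fix above is easiest to see side by side. The following is an added example, not F5's apd code: a constructed model in which the pre-fix path treats any "0x" substring as a hex marker and raises on bad input (standing in for the crash), while the fixed path only decodes values that start with "0x" and falls back to the raw value when decoding fails.

```python
from typing import Tuple

# Constructed sample value taken from the entry's own example; not real session data.
SAMPLE_VALUE = "value0x not encoded"


def buggy_decode(value: str) -> str:
    """Pre-fix behaviour (model): any "0x" substring marks the value as hex-encoded.

    The first "0x" marker is stripped wherever it occurs and the remainder is
    hex-decoded. A non-hex remainder raises ValueError, which models the apd crash.
    """
    if "0x" in value:
        remainder = value.replace("0x", "", 1)
        return bytes.fromhex(remainder).decode("utf-8")
    return value


def buggy_would_crash(value: str) -> bool:
    """Report whether the pre-fix path raises (i.e. apd would crash) for this value."""
    try:
        buggy_decode(value)
        return False
    except (ValueError, UnicodeDecodeError):
        return True


def fixed_decode(value: str) -> Tuple[str, bool]:
    """Post-fix behaviour (model), returning (result, was_decoded).

    Fix 1: only values that *start* with "0x" are treated as hex-encoded, so
           'value0x not encoded' is passed through untouched.
    Fix 2: a decoding failure returns the raw value instead of raising.
    """
    if not value.startswith("0x"):
        return value, False
    try:
        return bytes.fromhex(value[2:]).decode("utf-8"), True
    except (ValueError, UnicodeDecodeError):
        # Malformed hex after the prefix: keep the raw value rather than failing.
        return value, False


if __name__ == "__main__":
    print("pre-fix crashes on sample:", buggy_would_crash(SAMPLE_VALUE))
    print("post-fix result:", fixed_decode(SAMPLE_VALUE))
    print("post-fix on real hex:", fixed_decode("0x68656c6c6f"))
```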


543220-1 : Global traffic statistics do not include PVA statistics

Component: Local Traffic Manager

Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.

Conditions:
Hardware acceleration enabled.

Impact:
Statistics discrepancy in global traffic statistics.

Workaround:
None.

Fix:
Global traffic statistics now include the correct PVA statistics in the GUI and in TMSH.


543208 : Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.

Component: TMOS

Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:

01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
-- Some systems in the trust are running a pre-12.x version of TMOS.
-- Some systems in a device group have been upgraded to 12.x.
-- A failover event occurs on traffic-group-1.
-- This appears to be most evident in APM configurations.

Impact:
mcpd on the devices running pre-12.x version may become unresponsive. Upgrade fails.

Workaround:
None.

Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.


542860-4 : TMM crashes when IPsec SAs are deleted during an HA Active to Standby or Standby to Active event

Component: TMOS

Symptoms:
TMM can crash when IPsec SAs are deleted using TMSH or the racoonctl utility during an HA Active to Standby or Standby to Active event.

Conditions:
During an HA Active to Standby or Standby to Active event, using TMSH or the racoonctl utility to delete IPsec SAs can cause a TMM crash. This is a race condition and occurs rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running a TMSH command or the racoonctl utility to delete IPsec SAs during an HA Active to Standby or Standby to Active event no longer results in a TMM crash, and the IPsec SAs are deleted as requested.


542742-2 : SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Component: TMOS

Symptoms:
SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Conditions:
Querying the OIDs.

Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.

Workaround:
There is no known workaround.

Fix:
SNMP now reports valid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).


542724-1 : If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash

Component: Local Traffic Manager

Symptoms:
If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash.

Conditions:
This occurs when the following conditions are met:
  - There is an OCSP request in progress.
  - There is a configuration change.
  - The handshake is aborted.
  - The HTTP response for the OCSP request indicates a status code that is not 200.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes if there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions.


542640-2 : bigd intentionally cores when it should shutdown cleanly

Component: Local Traffic Manager

Symptoms:
Bigd can core instead of graceful shutdown under certain error conditions where a core is not needed.

Conditions:
Anything that causes bigd to shut down under abnormal conditions.

Impact:
Bigd crash, core file created. Note that the shutdown scenario was already under error conditions, so this is not a sign that something has broken or failed outside that condition that caused the shutdown.

Fix:
Made bigd more selective about the situations where it self-cores on abnormal shutdown.


542586-3 : Fallback alert mechanism can result in page refresh in Internet Explorer 8

Component: Fraud Protection Services

Symptoms:
If alerts sent by the browser fail to be received, the secondary sending mechanism may cause the page to refresh in the browser.

Conditions:
Internet Explorer 8 or older.
HTML page with websafe enabled.
HTML page contains a form.
Alert sent.
Alert receives failed response.

Impact:
HTML page refreshes in the browser.

Workaround:
None.

Fix:
Fallback alert mechanism no longer results in page refresh in older browsers.


542581-3 : Websafe alerts with HTML attached cause the page to run slowly

Component: Fraud Protection Services

Symptoms:
When "attach HTML to alerts" is enabled, large web pages can run slowly.

Conditions:
"Attach HTML to alerts" is enabled.
Page source is large.
Websafe alert is sent.

Impact:
Page may experience a noticeable delay in reacting to user actions.

Workaround:
Disable "Attach HTML to alerts".

Fix:
HTML encoding for Websafe alerts is now faster and can be configured to send only a section of the page source.


542564-3 : bigd detection and logging of load and overload

Component: Local Traffic Manager

Symptoms:
The bigd process cannot detect overload, and does not log its load status. This makes it difficult to determine whether bigd is close to its limits.

Conditions:
The bigd process might reach limits when there is very high load with high probe rate (monitor instances per second).

Impact:
bigd might fail to service monitors in a timely fashion, when under extreme load, which might result in 'flapping' nodes/pool members (where the node/pool member goes down and back up even though the server itself has not gone down).

Workaround:
-- Increase the probe interval for monitors so they probe less often.
-- Switch from more 'expensive' monitors (e.g., https) to simpler monitors (e.g., http, tcp, tcp half-open, icmp).

Fix:
This release provides modifications to peak performance to significantly reduce the chance of node flapping. In addition, the ability to monitor bigd load has been added.

Because bigd is not integrated with tmstats, the system logs load stats to the debug log file, /var/log/bigdlog. When debug logging is turned on, stats are mixed with the debug output. Load stats can be emitted independently with the following sys db variable:
modify sys db bigd.debug.timingstats value enable

With this db variable enabled, the system emits bigd load data to the debug log periodically (every 15 seconds per bigd process). The columns correspond to these stats:
- load (0-100%) 1-minute mean.
- load (0-100%) 5-minute mean.
- number of monitor instances active for this bigd process.
- number of active file descriptors, 30-second average, this process.
- peak number of active file descriptors past 30 seconds, this process.

In addition, the system logs warning messages to /var/log/ltm when bigd reaches 80%, 90%, and 95% load levels. The system logs an overload error to /var/log/ltm when bigd detects it is overloaded. The load level indicating overload is in the bigd.overload.latency sys db variable, which is set to 98% load, by default.


542511-2 : 'Unhandled keyword ()' error message in GUI and/or various ASM logs

Component: Application Security Manager

Symptoms:
The 'Unhandled keyword ()' error message may appear in the 'Session Awareness Tracking' GUI page and/or various ASM logs, such as the learning manager log, the asm config server log, and the main asm log.
In the case of the learning manager, it causes the process to crash. The learning manager process is then restarted about 15 seconds later.

Conditions:
ASM provisioned.
Session Awareness Tracking is enabled.

Impact:
Uninformative errors in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log.
Learning manager process restart.

Workaround:
None.

Fix:
Learning manager now handles the 'Unhandled keyword ()' exception in a graceful manner and does not crash.


542472 : SSL::disable for alerts does not take effect and first alert fails

Component: Fraud Protection Services

Symptoms:
Command 'SSL::disable serverside' fails when sending alerts.

Conditions:
The alert is received on an already established clientside TCP connection that has a current connection through to the regular virtual server pool member.

Impact:
Alert may take a very long time (more than 30 seconds) to receive a response from the alert server.

Workaround:
To resolve the issue, add a OneConnect profile to the virtual server, or use an iRule that performs an 'LB::detach' when a request is received for /rstats/.

Fix:
Command 'SSL::disable serverside' now completes successfully when sending alerts.


542347-1 : Denied message in audit log on first time boot

Component: TMOS

Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:

type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.

Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.

Impact:
This error message is benign and can be ignored.

Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.

Fix:
Fixed an erroneous error message in the audit log related to lastlog during manufacturing install.


542320-1 : no login name may appear when running ssh commands through management port

Component: TMOS

Symptoms:
ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'" displays "logname: no login name"

Conditions:
Running a tmsh command over ssh through the management port, for example: ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'"

Impact:
Display issue.

Fix:
The login name is now displayed properly.


542314-5 : TCP vulnerability - CVE-2015-8099

Vulnerability Solution Article: K35358312


542097-2 : Update to RHEL6 kernel

Component: TMOS

Symptoms:
A rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic.

Conditions:
Running the RHEL6 kernel under heavy disk load; more likely on a vCMP host.

Impact:
Unexpected machine reboot causing loss of service.

Workaround:
None.

Fix:
Red Hat provided an update for RHEL6.7.
F5 backported the following fixes to RHEL6.4 and 6.5:

jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()


541852-1 : ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails

Component: Application Security Manager

Symptoms:
The "validationFiles" field cannot be modified via a PATCH call and fails validation.
Even if validationFiles is passed back unmodified, the call still fails.

Conditions:
An ASM REST client attempts to PATCH the mgmt/tm/asm/policies/<ID>/xml-profiles/<ID> endpoint with a body that includes "validationFiles".

Impact:
The XML Profile cannot be modified.

Workaround:
The user can PATCH the object without supplying this field.
However, if there were Validation Files before, then Bug 541406 will affect them, removing the existing Validation Files. The XML validation file association task would then need to be run again.

Fix:
ASM REST: The system correctly recognizes that the validationFiles field has not changed in value and does not fail the call.


541670-1 : Memory leak and potential crash bug in secure channel cookie handling

Component: Fraud Protection Services

Symptoms:
Under certain rare circumstances, the process handling secure channel cookies may leak memory. It may also result in underflow crashes in Tcl and other processes.

Conditions:
This occurs under rare conditions.

Impact:
Eventual out of memory condition or crash.

Workaround:
None.

Fix:
This release fixes a memory leak and potential crash bug in secure channel cookie handling.


541622-6 : APD/APMD Crashes While Verifying CAPTCHA

Component: Access Policy Manager

Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in a libcurl function when verifying CAPTCHA.

Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.

Impact:
Authentication service will be disrupted until APD/APMD is up again.

Fix:
The system now creates one cURL session for each user session that requires CAPTCHA verification.


541592-1 : PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions

Component: Policy Enforcement Manager

Symptoms:
RADIUS Start and Stop do not trigger any Diameter traffic except DWR/DWA.

Conditions:
Diameter virtual reconfiguration and possibly any virtual configuration change might trigger this behavior.

Impact:
Subscriber sessions created by RADIUS are not provisioned by the PCRF. Deleted sessions are also not reported to the PCRF, and usage reports are not sent.

Workaround:
Restarting TMM is the only workaround for now.

Fix:
This issue has been fixed. Changing the Diameter configuration no longer stops CCR-I/U/T messages from going out.


541571-3 : FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force-deleted may not repopulate as expected.

Conditions:
Sync group, multiple FQDNs resolving to different IP addresses.
FQDNs deleted and re-created, with IP addresses swapped from deleted nodes to re-created ones.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:
None.

Fix:
FQDN ephemeral nodes are now repopulated after being force-deleted and re-created with different IP addresses.


541569-3 : IPsec NAT-T (IKEv1) not working properly

Component: TMOS

Symptoms:
The incorrect source port is chosen for IPsec/IKE NAT-T UDP-encapsulated traffic. When IKE floats the port because a NAT device is detected, it should use port 4500 for both its source port and destination port.

Conditions:
NAT traversal is enabled on the IKE Peer configuration object and a NAT device is detected during IKE negotiation.

Impact:
When NAT-T is enabled, IPsec tunnel cannot be established.

Workaround:
None.

Fix:
Now, when NAT-T is enabled, IPsec tunnel can be established as expected.


541549-4 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.

Component: TMOS

Symptoms:
The default setting of an AMI is not to delete an attached volume of an instance when the instance is terminated. This results in extra effort to delete a volume manually after terminating the instance. If this is not always done, the orphaned volume incurs extra charges.

Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.

Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This option is set to be default now. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in AWS console.

Workaround:
None.

Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.


541406-1 : ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request

Component: Application Security Manager

Symptoms:
Updating an XML Profile via ASM REST with a partial body (e.g., just an updated description) removes all attached WSDL validation files as if it had also received:

"validationFiles": []

Conditions:
XML Profiles that utilize validation files are updated via REST.

Impact:
If the full validation files structure is not re-iterated in the body, then the entire list of WSDL validation files will be emptied. This will cause the XML Schema to not be validated properly during enforcement.

Workaround:
Run the validation file association task again after updating the XML Profile.

Fix:
ASM REST now correctly updates only specified fields on a PATCH request.


541320-6 : Sync of tunnels might cause restore of deleted tunnels.

Component: TMOS

Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.

Conditions:
Viewing tunnels after a full load sync.

Impact:
This might result in a deleted tunnel being restored to the configuration.

Workaround:
None.

Fix:
Sync of tunnels no longer causes restore of deleted tunnels.


541316-3 : Unexpected transition from Forced Offline to Standby to Active

Component: TMOS

Symptoms:
If a BIG-IP configuration is reset to default, and then restored from a saved UCS that was taken while the system was Forced Offline, the system will be restored to the Forced Offline state, but the state may not persist across reboots.

Conditions:
Restore a saved UCS that was created while the BIG-IP system was Forced Offline.

Impact:
System may unexpectedly go Active after a reboot.

Workaround:
None.

Fix:
Device forced offline remains forced offline after restoring a UCS and rebooting.


541231-2 : Resolution of multiple curl vulnerabilities

Vulnerability Solution Article: K16704 K16707


541156-2 : Network Access clients experience delays when resolving a host

Component: Access Policy Manager

Symptoms:
The DNS Relay proxy for Network Access clients operating in split-tunnel mode intercepts a client's DNS request for a non-matching host and will forward it to the client's local DNS server. If the client contains multiple NICs, one containing a down or invalid DNS server, this could cause a delay in resolving the host.

Conditions:
Network Access with the DNS Relay Proxy configured
A client machine has multiple NICs
One of the NICs has an invalid or down DNS server configured
Client attempts to resolve a host not matching the Network Access policy

Impact:
Clients will experience unusual delays (10+ seconds) when resolving hosts.

Workaround:
Clients can check their system setup and remove the affected interfaces that contain an invalid DNS server (virtual machine network adapters are becoming increasingly common and can exhibit this), or they can ensure that they are mapped only to valid DNS servers that can resolve the host.

Fix:
The DNS Relay proxy will now avoid sending DNS requests to down DNS servers for DNS requests that do not match the Network Access policy while Network Access is connected.


541134-2 : HTTP/HTTPS monitors transmit unexpected data to monitored node.

Component: Local Traffic Manager

Symptoms:
HTTP/HTTPS monitors send unexpected data (crlfcrlf) after completion of the TCP and/or SSL handshake.

Conditions:
HTTP/HTTPS monitor with a send attribute set to 'none'. HTTP/HTTPS monitors with a 'none' send string should complete the TCP handshake (and the SSL handshake, if applicable) and then close the connection without sending any data.

Impact:
A monitor configured with a 'none' send string sends a 4-byte string, \r\n\r\n (crlfcrlf), after completing the handshake. This is ignored by the monitored node, which might cause it to be marked down.

Workaround:
None.

Fix:
HTTP/HTTPS monitors no longer transmit any L7 data when the send attribute is set to 'none'.


541126-4 : Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed

Component: Local Traffic Manager

Symptoms:
netHSM usage may fail for Safenet users with error message in the ltm log similar to the following:
warning tmm1[11930]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:9678: sign_srvkeyxchg (80).
info tmm1[11930]: 01260013:6: SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.
warning pkcs11d[12005]: 01680022:4: Crypto operation [2] failed.
crit tmm1[11930]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 56 status: 0x1 : Cancel.

Conditions:
This may happen for any of the following conditions:
-- Restart pkcs11d without starting tmm immediately after.
-- Network connection between the BIG-IP and HSM is interrupted and then restored.
-- HSM is rebooted without being followed by a restart to pkcs11d and tmm.

Impact:
SSL handshake failure with a message similar to the following:

SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.

Workaround:
For Safenet, always restart tmm after restarting pkcs11d. To do so, run the following commands:
bigstart restart pkcs11d
bigstart restart tmm

When the networking to HSM is restored or after a HSM reboot, always run the following commands:
bigstart restart pkcs11d
bigstart restart tmm

Fix:
After restarting pkcs11d, Safenet connections no longer fail with the message 'cannot locate key'.


540996-2 : Monitors with a send attribute set to 'none' are lost on save

Component: TMOS

Symptoms:
Monitors that have a send, recv, or recv-disable attribute set to 'none' are lost on configuration save.

Impact:
Monitor may send unexpected string.

Workaround:
None.

Fix:
Monitor send, recv, and recv-disable attributes now retain a 'none' value on configuration save.


540893-2 : Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.

Component: Local Traffic Manager

Symptoms:
Flows for a syncookie-enabled listener might occasionally receive a RST after responding correctly to a syncookie challenge.

Conditions:
-- Fast Flow Forwarding is enabled.

-- At least one tmm thread is heavily loaded but has not reached its syncookie thresholds, while at least one tmm thread is less heavily loaded but has met its syncookie threshold.

Impact:
Occasional clients take an incorrect path and have their valid syncookie ACKs rejected with a TCP RST and must retry.

Workaround:
Set db variable tmm.ffwd.enable = false.

Doing this may modestly reduce peak performance on CPU bound loads.

Fix:
Fixed occasional RST in response to valid syncookie ACKs when under uneven load.


540871-1 : Update/deletion of SNMPv3 user does not work correctly

Component: TMOS

Symptoms:
After creation of an SNMPv3 user via the GUI, SNMP operations for that user do not work if the admin subsequently modifies the user. Deletion of the SNMPv3 user also does not work correctly.

Conditions:
Save (even without modification) an SNMPv3 user after creation, or delete an SNMPv3 user.

Impact:
SNMP operations for that user do not work if the admin subsequently modifies the user. TMSH reports a deleted user as gone, but net-snmp does not process the deletion.

Workaround:
None.

Fix:
Using the GUI to update/delete SNMPv3 users now works as expected.


540849-5 : BIND vulnerability CVE-2015-5986

Vulnerability Solution Article: K17227


540846-5 : BIND vulnerability CVE-2015-5722

Vulnerability Solution Article: K17181


540778-3 : Multiple SIGSEGV with core and failover with no logged indicator

Component: Access Policy Manager

Symptoms:
A multimodule HA pair under high load experiences 3 failover events.

Conditions:
Configure HA pair for GBB multimodule testing (AFM, ASM, APM, GTM, LTM) and apply high concurrent load.

Impact:
Instability in HA. The current HA config under test has not had a unit remain active for more than ~12 hours.

Workaround:
None.

Fix:
Memory allocated with umem_alloc is now freed using the same length that was used for the allocation.


540767-2 : SNMP vulnerability CVE-2015-5621

Vulnerability Solution Article: K17378


540571-2 : TMM cores when multicast address is set as destination IP via iRules and LSN is configured

Component: Carrier-Grade NAT

Symptoms:
TMM may core when an iRule changes the destination address of a connection to a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route (intended for multicast traffic) that has no interface. LSN expects to find an interface and crashes when it attempts to use the non-existent one.

Conditions:
- CGNAT enabled and LSN pools configured on active virtual server that accepts traffic.
- On the same virtual server, an iRule is configured that changes the destination IP to a multicast address in the 224.0.0.0/24 network.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are two workarounds:
-- Remove the offending iRule that is sending traffic to the 224.0.0.0/24 network.
-- Prevent traffic from using that destination in the iRule.

Fix:
TMM no longer cores when multicast address is set as destination IP via iRules and LSN is configured. Now, the system fails connections when the route's IFC is null, which is correct behavior.


540568-2 : TMM core due to SIGSEGV

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed an intermittent tmm core related to Bug 540571.


540484-2 : "show sys pptp-call-info" command can cause tmm crash

Component: Carrier-Grade NAT

Symptoms:
Core when "show sys pptp-call-info" is called.

Conditions:
On BIG-IP with fastl4 virtual server forwarding PPTP GRE traffic, TMSH "show sys pptp-call-info" command can cause crash in TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not issue "show sys pptp-call-info" command on BIG-IP forwarding PPTP GRE traffic.

Fix:
Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server.


540473-6 : peer/clientside/serverside script with parking command may cause tmm to core.

Component: Local Traffic Manager

Symptoms:
When the peer/clientside/serverside iRule contains parking commands, or in NTLM profiles (which utilize parking commands), tmm might core upon connection reuse.

Conditions:
1. The iRule used in peer/clientside/serverside contains a parking command.

2. The connection is reused. This might occur in OneConnect configurations, for example.

In configurations that do not have parking iRule commands, this issue might also occur when the NTLM profile is in use, as the NTLM profile also utilizes parking. Note: The NTLM profile might be deployed automatically if you are using a SharePoint iApp.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use parking commands in cases where the system might reuse the connection. If the issue occurs with the NTLM profile, do not use the NTLM profile, if possible.

Fix:
When the peer/clientside/serverside iRule contains parking commands, or when using NTLM profiles that utilize parking commands, tmm no longer cores upon connection reuse.


540390-2 : ASM REST: Attack Signature Update cannot roll back to older attack signatures

Component: Application Security Manager

Symptoms:
There is no way to roll back to an older attack signature update using the REST interface.

Conditions:
REST is used to manage Attack Signature Updates on a BIG-IP device, and an older version than the currently installed signature file needs to be installed.

Impact:
REST clients have no way to fully manage Attack Signature Updates for the BIG-IP system.

Workaround:
The GUI can be used to roll back to an earlier version.

Fix:
The REST API now supports the "allowOlderTimestamp" field in the update-signatures task, which allows rolling back to an older attack signature update through the REST interface.

POST https://<host>/mgmt/tm/asm/tasks/update-signatures/
{
  "allowOlderTimestamp": true,
  <Rest of body as usual>
}


540213-2 : mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary

Component: Local Traffic Manager

Symptoms:
When a secondary blade's mcpd starts up, it may restart continually and fail to load the configuration it receives from the primary blade. The easiest way to reproduce this is to insert a new blade into an existing running cluster.

This happens when a link-local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (the default). Such self IPs can only be created by first enabling the DB variable, creating the object, and then disabling the DB variable again. The secondary blade then rejects the object during validation and its mcpd goes into a restart loop.

Conditions:
This happens only on MCP startup on secondary blades, when a link local IPv4 self IP is configured, and when the DB variable config.allow.rfc3927 is set to disabled (which is the default).

Impact:
Secondary blade will not become part of the cluster and will not be able to process traffic. Continual log messages will show up on existing blades announcing that mcpd is continually restarting.

Workaround:
Enable the config.allow.rfc3927 DB variable on the primary to suspend this validation.

Fix:
When a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default), mcpd would previously fail to start on a newly inserted secondary blade. This no longer occurs.


539923-1 : BIG-IP APM access logs vulnerability CVE-2016-1497

Vulnerability Solution Article: K31925518


539822-4 : tmm may leak connflow and memory on vCMP guest.

Component: TMOS

Symptoms:
tmm may leak connflow and memory on vCMP guests.

Conditions:
This occurs on a vCMP guest when only one tmm is provisioned on the blade.

Impact:
tmm leaks memory and might eventually crash from an out-of-memory condition.

Workaround:
Provision more than one tmm.

Fix:
tmm no longer leaks connflows and memory on vCMP guests when only one tmm is provisioned.


539784-4 : HA daemon_heartbeat mcpd fails on load sys config

Component: TMOS

Symptoms:
A particular stage of validation can take longer than the ha-daemon heartbeat interval, and while nothing is actually wrong, the system responds as if there is an unresponsive daemon, so the system restarts it.

Conditions:
iRules must be present in the configuration that the system is loading.

Impact:
MCPd restarts.

Workaround:
On the BIG-IP system, run the command: tmsh mod sys daemon-ha mcpd heartbeat disabled.

Fix:
Added additional heartbeats during validation, so HA daemon_heartbeat mcpd no longer fails on load sys config.


539704-2 : Large ASM REST response causes all REST to hang

Component: Application Security Manager

Symptoms:
The REST framework hangs and becomes unresponsive when ASM REST sends a large response to a REST call.

Conditions:
ASM is provisioned, and a REST call to an ASM endpoint yields a large REST response (for example, a call that returns a large XML document).

Impact:
The REST framework hangs and becomes unresponsive.

Workaround:
None.

Fix:
Safeguards were added to protect the REST framework from large ASM responses.


539677-1 : The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file

Component: Policy Enforcement Manager

Symptoms:
/etc/wr_urldbd/bcsdk.cfg is not included in the .ucs file when saving the configuration.

Conditions:
Using tmsh to run save sys ucs <file_name>. The /etc/wr_urldbd/bcsdk.cfg file is not saved in the archive.

Impact:
The URL categorization (webroot) configuration is not included in the UCS archive.

Workaround:
None.

Fix:
The tmsh save sys ucs command now includes /etc/wr_urldbd/bcsdk.cfg in the .ucs file.


539466-2 : Cannot use self-link URI in iControl REST calls with gtm topology

Component: Global Traffic Manager

Symptoms:
The self-link URI cannot be used in iControl REST calls with gtm topology.

Conditions:
User issues iControl REST commands for gtm topology that include the self-link URI.

Impact:
The given command is not executed and the system posts the following error message: "Topologies must specify both regions: ldns: server:".

Workaround:
Do not use the self-link in iControl REST commands with gtm topology.

Fix:
You can now use self-link URI in gtm topology-related iControl REST commands.

Be sure to format the gtm topology OID string using the following rules:

1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.

For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC"

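As an added example (not part of the release note and not F5's code), the following POSIX shell functions apply the two formatting rules above to a topology record string before it is placed in an iControl REST request: they collapse whitespace to single spaces and reject object references that are not fully pathed. The function names, and the choice of datacenter, isp, region and pool as the items whose value must be a fully-pathed name, are this example's assumptions.

```shell
# Added example, not F5 code: apply the two topology-string rules above
# before putting the string in an iControl REST request.
# Assumed for this example: the function names, and that datacenter, isp,
# region and pool are the items whose value must be a fully-pathed name.

# Collapse any run of whitespace to one space and trim both ends.
topology_squash() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Return 0 when every datacenter/isp/region/pool item is followed by a
# fully-pathed name (leading '/'), 1 otherwise. Values of other items,
# such as a subnet CIDR, are not checked.
topology_check_paths() {
    set -- $(topology_squash "$1")
    while [ $# -gt 0 ]; do
        case "$1" in
            datacenter|isp|region|pool)
                [ $# -ge 2 ] || return 1      # keyword with no value
                case "$2" in
                    /*) ;;
                    *)  return 1 ;;
                esac
                ;;
        esac
        shift
    done
    return 0
}

# Print the normalized string, or fail if a reference is not fully pathed.
topology_normalize() {
    topology_check_paths "$1" || return 1
    topology_squash "$1"
}
```

Run topology_normalize on the string and use its output as the topology name in the REST call; a non-zero exit means a datacenter, isp, region or pool reference lacks its partition prefix, which is the case that produces the "Topologies must specify both regions" error above.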

539344-1 : SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list

Component: Local Traffic Manager

Symptoms:
The Traffic Management Microkernel (TMM) process may produce a core file and restart when processing SPDY traffic.

As a result of this issue, you may encounter one or more of the following symptoms:

- The BIG-IP system fails over to the standby system if configured as a high-availability pair.
- The BIG-IP system generates a TMM core file to the /shared/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

- You associate a virtual server with a SPDY profile.
- The virtual server processes a SPDY client connection with more than two concurrent streams.
- The SPDY client connection stalls and is subsequently aborted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
TMM no longer produces a core file and restarts when a virtual server processes a SPDY client connection with more than two concurrent streams and that connection stalls and is subsequently aborted.


539270-6 : A specific NTLM client fails to authenticate with BIG-IP

Component: Access Policy Manager

Symptoms:
A specific NTLM client (such as Android Lync 2013) fails to authenticate with BIG-IP because it sends a particular NTLMSSP_NEGOTIATE message that BIG-IP could not parse, so BIG-IP throws an error. This stops the authentication process, and the client never completes authentication.

Conditions:
Specific NTLM client. It is not clear whether this issue affects a particular version of Android Lync 2013 or a particular Android version.

Impact:
Cannot complete the authentication, hence, not allowed to access protected resources.

Workaround:
No workaround exists for the affected clients.

Fix:
The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate.


539229-7 : EAM core while using Oracle Access Manager

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
This event can be triggered while using the Oracle Access Manager.

Impact:
An unhandled exception will cause EAM to core and possible access outage.

Workaround:
None.

Fix:
EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used.


539199-3 : HTML filter is truncating the server response when sending it to client

Component: TMOS

Symptoms:
The response to the client is truncated

Conditions:
A server sends a compressed response on a flow that has an HTML profile. A compressed response may not be a prerequisite; it may simply make the issue more likely because inflation is asynchronous.

Impact:
the response is truncated when it reaches the client.

Workaround:
None.

Fix:
The response to the client is no longer truncated.


539130-6 : bigd may crash due to a heartbeat timeout

Component: Local Traffic Manager

Symptoms:
bigd crashes and generates a core file.

The system logs entries in /var/log/ltm that are similar to the following: sod[5853]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.

This issue is more likely to occur if /var/log/ltm contains entries similar to the following: info bigd[5947]: reap_child: child process PID = 9198 exited with signal = 9.

Conditions:
External monitors that run for a long time and are killed by the next iteration of the monitor. For example, the LTM external monitor 'sample_monitor' contains logic to kill a running monitor if it runs too long.

Impact:
bigd crashes and generates a core file. Monitoring is interrupted.

Workaround:
None.

Fix:
External monitors that run for a long time and are killed by the next iteration of the monitor now recover without bigd crashing and generating a core file.

Behavior Change:
bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled to see them) rather than in /var/log/ltm. This makes the logging controllable.

Successful command exits are also logged for completeness, since these messages only appear when debugging is enabled.
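As an added example (not F5's shipped sample_monitor script), the following POSIX shell functions show the pidfile pattern the condition above refers to: each run of an external monitor records its PID, and the next run for the same member kills the previous one if it is still running. The PIDDIR variable, the function names and the pidfile naming are assumptions of this example.

```shell
# Added example, not F5's shipped sample_monitor: the pidfile pattern the
# condition above refers to. A BIG-IP external monitor is invoked with the
# member address in $1 and the port in $2; each run records its own PID and
# kills the previous run for the same member if it is still going.
# PIDDIR and the function names are this example's assumptions; F5's
# scripts write their pidfiles under /var/run.
PIDDIR="${PIDDIR:-/tmp}"

monitor_pidfile() {
    echo "$PIDDIR/$(basename -- "$0").$1.$2.pid"
}

# Return 0 if the PID recorded for this member still exists.
monitor_previous_alive() {
    pidfile=$(monitor_pidfile "$1" "$2")
    [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null
}

# SIGKILL any earlier instance recorded in the pidfile (this is what the
# "exited with signal = 9" log line records), then record our own PID so the
# next run can do the same to us.
monitor_reap_previous() {
    pidfile=$(monitor_pidfile "$1" "$2")
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" >/dev/null 2>&1 || true
    fi
    echo "$$" > "$pidfile"
}
```

This is the path that produced the "exited with signal = 9" entries in /var/log/ltm before the fix. Two caveats apply to any monitor built this way: the SIGKILL goes to whatever PID is in the file, so a stale pidfile combined with PID reuse can kill an unrelated process, and a monitor that routinely overruns its interval should have its interval or timeout corrected rather than relying on being killed by the next run.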


539013-6 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Microsoft Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when all of the following conditions are met:
- The BIG-IP system is running software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- The client is running Microsoft Windows 10.
- The client has multiple NICs, one of which is in the disconnected state with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.

Fix:
After VPN connection has been established, DNS resolution works, in the case of a Windows 10 desktop with multiple NICs and one of them is in a disconnected state and has a statically assigned IPv4 configuration.


538837-1 : REST: Filtering login pages or parameters by their associated URL does not work

Component: Application Security Manager

Symptoms:
When attempting to filter the collection of configured login pages by their URL, the full list is returned instead of the desired results.
The same problem exists for URL level Parameters.

Conditions:
The login-pages or parameters collection endpoints are queried with the following $filter: $filter=url/name eq '<URL NAME>'

Impact:
Incorrect results are returned to the REST client

Workaround:
None.

Fix:
REST $filter for associated URLs on login-pages and parameters endpoints now works correctly.


538784-3 : ICAP implementation incorrect when HTTP request or response is missing a payload

Component: Service Provider

Symptoms:
The ICAP request sent to the ICAP server always contains a payload even if the HTTP request or response to be modified does not contain one.

Conditions:
HTTP request or response does not contain a payload.

Impact:
If an HTTP request or response to be modified does not contain a payload, the ICAP client sends a zero-byte HTTP payload instead.

Workaround:
None.

Fix:
The system now correctly identifies an empty HTTP payload and sends the appropriate ICAP header, identifying that there is no HTTP payload included.


538761-4 : scriptd may core when MCP connection is lost

Component: TMOS

Symptoms:
Loss of the MCP connection may cause scriptd to core.

Conditions:
Unknown. Only known to reproduce in an F5 internal test.

Impact:
None known.

Fix:
A possible case of scriptd dumping core has been fixed.


538722-3 : Configurable maximum message size limit for restjavad

Component: Device Management

Symptoms:
If the client issues a request to iControl REST that results in a large amount of data (approx. 200 MB), restjavad goes into an out-of-memory condition when attempting to serialize the response before returning it to the client.

Conditions:
A message is received by restjavad that is larger than the total free heap space. The most common cause is a broad query to icrd, which returns a very large response (approx. 200 MB).

Impact:
restjavad becomes unresponsive until it is rebooted.

Workaround:
This fix exposes the maximum message size limit and allows a network operator to change it by posting to a new configuration worker. An example is included below. The right value varies by installation (load, average message size, and so on). Set it too low and clients receive 5xx errors even though there is sufficient memory; set it too high and dangerously large messages are not dropped and might cause an out-of-memory exception. 5 MB is a recommended starting value.

An example of setting the maximum message body size to 5kB (5000 bytes) on a machine called 'green'. Change the password appropriately:

curl -s -k -u admin:PASSWORD -H "Content-Type: application/json" \
  -H 'Connection: keep-alive' -X PUT \
  "https://green/mgmt/shared/server/messaging/settings/8100" \
  -d '{"maxMessageBodySize": "5000" }'

Fix:
There is now a configurable maximum message size limit for restjavad. Restjavad still reaches an out-of-memory condition if it receives very large messages (approx 200 MB), but there is now an option of setting a 'hard cap' that causes restjavad to discard these large messages, preventing the out-of-memory condition.


538708-3 : TMM may apply SYN cookie validation to packets before generating any SYN cookies

Component: Local Traffic Manager

Symptoms:
SYN cookie validation is applied when SYN cookies are not active.

Conditions:
- The internal TMM clock has overflowed and is near 0.
- An ACK packet is received that does not match an existing connection flow.

Impact:
Validation can be applied to a listener/proxy that does not support SYN cookies which can lead to a tmm core.

Fix:
SYN cookie validation will not be applied if SYN cookies have not been activated.


538663-3 : SSO token login does not work due to remote role update failures.

Component: TMOS

Symptoms:
SSO token login does not work due to remote role update failures.

Conditions:
SSO between Enterprise Manager (EM) and a BIG-IP system using a third party authentication system, such as LDAP.

Impact:
Incorrect role assignment causing SSO login to not work. The system posts messages similar to the following:

-- notice mcpd[6165]: 01070829:5: Input error: Remote user message dropped (adm184789 in [All]) because duplicate partition.
-- err mcpd[6165]: 01070827:3: User login disallowed: User (adm184789) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.

Workaround:
Login using remote user credentials on the BIG-IP system. This properly updates the role for the remote user.

Fix:
SSO token login now works with the correct role assignments to a remote user.


538639-3 : P-256 ECDH performance improvements

Component: Local Traffic Manager

Symptoms:
Recent changes in the TLS clients to only use perfect forward secrecy (PFS) ciphersuites in default configuration may degrade TLS handshake rate on BIG-IP, may cause higher CPU utilization on the BIG-IP, or both.

An example of a recent change is Apple iOS's App Transport Security changes to only enable ECDH ephemeral ciphersuites (the ciphersuites with the ECDHE suffix).

Conditions:
A large portion of TLS clients offer only *ECDHE* ciphersuites in their TLS ClientHello, the average TLS session is small (for example, kilobytes), and TLS session resumption is not used. In other words, conditions under which TLS handshakes are likely to negotiate ECDHE ciphersuites for short sessions.

Impact:
With this improvement, the TLS handshake rate with a ciphersuite ECDHE-RSA-AES128-GCM-SHA256 is expected to be ~50% higher on hardware platforms without Intel Cave Creek acceleration (released in 2015 and earlier). Internal testing has shown variations in the improvement between 20% and 80% with this enhancement. The comparison is against the current 12.0.x (or 11.6.x) release.

The performance of ECDSA with P-256 was also improved.

Conversely, previous versions of the BIG-IP will have correspondingly lower performance, or worse for older releases.

Workaround:
Order ciphersuite selection so that ECDH ciphersuites are least preferred.

One method is to ensure that the clientssl profile's cipher string has 'ecdhe:ecdhe_ecdsa' at the end of the list. This only matters when non-PFS ciphersuites are allowed in the profile and are offered by the client; a client that offers only ECDHE suites still negotiates ECDHE. Note that a client that offers both will then negotiate a non-PFS suite, so this workaround trades forward secrecy for handshake rate.

Fix:
Performance improvements for P-256 ECDH and ECDSA algorithms.


538603-2 : TMM core file on pool member down with rate limit configured

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.

Conditions:
This occurs when the following conditions are met:
- service-down-action reselect.
- rate limit specified.
- traffic load balanced to pool members.
- traffic is over the rate for all pool members.
- all pool members go down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove rate-limit configuration.

Fix:
TMM no longer produces a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.


538255 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a BIG-IP 2000 or 4000 platform might experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


538195-1 : Incremental Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration.
This precluded the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in an Incremental Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older configuration and then push the changes to the peer.

Fix:
Older ASM configurations can now be pushed to a peer in an incremental sync manual device group.


538133-4 : Only one action per sensor is displayed in sensor_limit_table and system_check

Component: TMOS

Symptoms:
A list of sensors is displayed in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit. On the affected versions, each sensor item is displayed only once, even if multiple limits and actions are defined for the sensor. Additional limits and actions defined for the sensor are not displayed.

Conditions:
This problem occurs when the affected version of the BIG-IP software is running on the following hardware platforms:
BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances and VIPRION B2100, B2150, B2250 blades.

Impact:
The system does not show the complete set of defined sensor limits and corresponding BIG-IP system actions when there are multiple limits and actions defined. Only one action is displayed for each sensor.
The system_check utility will only evaluate sensor measurements against limits that appear in its sensor limit tables. Missing sensor limits will not be evaluated, and corresponding alerts will not be issued.

Workaround:
None.

Fix:
The system now shows a list of sensors in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit.


538024-3 : Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load

Component: TMOS

Symptoms:
Configuration fails to load with an error similar to the following: A port number or service name is missing for '/Common/any6%2.0'. Please specify a port number or service name using the syntax '/Common/any6%2.0:<port>'.

Conditions:
Configuration contains a virtual with destination address in the form of: any6%<route domain>.<port>.

Impact:
Configuration load failure.

Workaround:
None.

Fix:
The BIG-IP system now uses the correct port delimiter when parsing destination addresses containing a named wildcard service and non-default route domain.


537988-5 : Buffer overflow for large session messages

Component: Local Traffic Manager

Symptoms:
A system with multiple blades may crash when configured with functionality that uses SessionDB.

Conditions:
On a multi-blade machine, send an MPI message larger than 64K between blades (typically a session message).

Impact:
Core or potential data corruption.

Workaround:
None.

Fix:
There is no longer a buffer overflow for large session messages.


537964-4 : Monitor instances may not get deleted during configuration merge load

Component: Local Traffic Manager

Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted.

This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following:

err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.

Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.

Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:

1. Save and re-load the configuration to correct the incorrect information in mcpd:

    tmsh save sys config partitions all && tmsh load sys config partitions all

2. Restart bigd:

    On an appliance:
    bigstart restart bigd

    On a chassis:
    clsh bigstart restart bigd

Fix:
Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.


537614-1 : Machine certificate checker fails to use Machine cert check service if Windows has certain display languages

Component: Access Policy Manager

Symptoms:
Machine certificate checker agent fails to use machine certificate checker service for Windows if it has certain display language, for example Polish.

In failed case logs contain:
2015-08-04,18:37:59:042, 924,756,, 1, , 330, CCertCheckCtrl::CheckPrivateKey, EXCEPTION caught: CCertCheckCtrl::CheckPrivateKey - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 85, UCredMgrService::RpcConnect, EXCEPTION - Failed to set binding handle's authentication, authorization and security QOS info (RPC_STATUS: 1332)
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 88, RPCConnector::Connect, EXCEPTION caught: UCredMgrService::RpcConnect - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \MCClient.h, 86, MCClient::Verify, Failed to perform PRC-call:error=1702

Conditions:
Windows has a non-English display language.
The machine certificate checker is supposed to use the Machine Certificate Checker service.

Impact:
The machine certificate check cannot be passed using the Machine Certificate Checker service.

Workaround:
Switch display language to English.

Fix:
Machine certificate checker service works now with a display language other than English.


537553-6 : tmm might crash after modifying virtual server SSL profiles in SNI configuration

Component: Local Traffic Manager

Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system sends an invalid memory access (segmentation fault, SIGSEGV) or floating point error (SIGFPE) signal to TMM, resulting in a stack trace in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed

Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Making SSL profile configuration changes now completes successfully.


537435-1 : Monpd might core if asking for export report by email while monpd is terminating

Component: Application Visibility and Reporting

Symptoms:
Core file is created by monpd if you try to export a report by email while monpd is terminating.

Conditions:
Very rare: a user asks to export a report by email in the middle of monpd's graceful termination (due to a restart or another reason), which causes a core dump instead of a graceful exit.

Impact:
None

Workaround:
None.

Fix:
Exporting a report by email in the middle of monpd's graceful termination (due to restart or other reason) will no longer cause a core dump.


537326-2 : NAT available in DNS section but config load fails with standalone license

Component: TMOS

Symptoms:
config load fails with error:
01070356:3: NAT feature not licensed.
Unexpected Error: Loading configuration process failed.

Conditions:
A NAT object is created for GTM/LC standalone license box.

Impact:
config fails to load.

Workaround:
none.

Fix:
Configuration loading no longer fails with a NAT in DNS section.


537106-3 : Component checks wait for page load

Component: Fraud Protection Services

Symptoms:
FPS component checks do not run until the entire page is ready, causing false-positive check-component alerts if the user navigates away before the load finishes.

Conditions:
User navigates quickly between protected pages

Impact:
False positive component-check alerts

Workaround:
Filter false-positives in FPS dashboard

Fix:
Check Components now initializes as soon as FPS code runs and then updates when page is loaded.


537034 : PEM: CPU spike seen when iRule tries to update nonexistent sessions.

Component: Policy Enforcement Manager

Symptoms:
CPU spikes and remains high, eventually leading to TMM core.

Conditions:
iRule is used to update a session with policies for a session that does not exist.

Impact:
CPU spike. Traffic disrupted while tmm restarts.

Workaround:
Make sure the session exists if you plan to use iRules to update sessions with policies.

Fix:
CPU spike are no longer seen, even if iRule tries to update nonexistent sessions.


537000-2 : Installation of Edge Client can cause Windows 10 crash in some cases

Component: Access Policy Manager

Symptoms:
Connecting to an APM system that supports Windows 10 can cause the OS to crash. After a reboot, the next attempt succeeds.

Conditions:
- Windows 10
- APM box supporting Windows 10
- user installed F5 VPN driver from an APM box, not supporting Windows 10

Impact:
User can lose some data

Workaround:
Before connecting old VPN driver instances must be manually removed using Device Manager

Fix:
Installation of BIG-IP Edge Client on Windows 10 does not cause system crash anymore.


536984 : Ensure min_path_mtu is functioning as designed.

Vulnerability Solution Article: K06223540


536746-3 : LTM : Virtual Address List page uses LTM : Nodes List search filter.

Component: TMOS

Symptoms:
The LTM : Virtual Address List page does not have its own filter but uses another object's filter, such as the Nodes list or Access Policy list filter.

Conditions:
Specifying a search filter on the Nodes page and then navigating to the Virtual Address page.

Impact:
Displays an empty virtual address list, or only the virtual addresses matching the node addresses.

Workaround:
Remove the filter on the LTM : Nodes List before viewing the LTM : Virtual Address List.

Fix:
Specifying a search filter on LTM : Nodes List no longer affects the output on LTM : Virtual Address List.

Virtual Address List now has its own fixed, general filter, and is not affected by filter settings on any other object.


536690-4 : Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)

Component: Local Traffic Manager

Symptoms:
When using features that require a process on the host to connect to a specific tmm within a chassis, those connections sometimes fail. This can result in improper behavior of the feature, such as failure to create sessions in APM.

Conditions:
Using a module and feature that requires host-tmm communication within a chassis.

Impact:
Possible service failure, such as disallowing entry to APM.

Workaround:
None.

Fix:
Host-to-tmm connections within a chassis no longer fail.


536575-1 : Session variable report can be blank in many cases

Component: Access Policy Manager

Symptoms:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, Per-App VPN, and other components, the Session Variable Report output can be blank.

Conditions:
On-Demand Cert Auth in an access policy.
DACL in access policy.
Per-App VPN access policy.

Possibly other components as well.

Impact:
The Session Variable report is empty.

Workaround:
Check the session variables using the sessiondump command.

Fix:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, or Per-App VPN, the Session Variable Report now shows session variables correctly.


536481-9 : F5 TCP vulnerability CVE-2015-8240

Vulnerability Solution Article: K06223540


536191-2 : Transparent inherited TCP monitors may fail on loading configuration

Component: Local Traffic Manager

Symptoms:
LTM monitor configuration may fail to reload from disk if the monitor name occurs alphabetically prior to the inherited-from monitor.

Conditions:
Monitor A inheriting from Monitor B, where both monitors are of type 'transparent'.

Impact:
Configuration from disk fails to load. The system posts an error message similar to the following:
1070045:3: Monitor /Common/test1 type cannot have transparent attribute.
Unexpected Error: Loading configuration process failed.

Workaround:
Rename monitors so they occur in the required alphabetical order to support inheritance.

Fix:
Transparent inherited TCP monitors no longer fail on loading configuration.


535806-2 : Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE

Component: TMOS

Symptoms:
Not enough free disk space for live install of 12.0.0.

Conditions:
Initial install of BIG-IP VE GOOD 11.5.3, then an upgrade to 12.0.0.

Impact:
Unable to install 12.0.0 on 2nd slot.

Workaround:
Grow the virtual disk before installing 12.0.0.

Fix:
Increased the size of virtual disk so that there is enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE.


535759-3 : SMTP monitor might mark the server down even if the server answers the HELO message.

Component: Local Traffic Manager

Symptoms:
The SMTP monitor marks a server down even when the server responds with a 250 message to the HELO command.

Monitor debug output might show the following error messages:

-- ERROR: failed to complete the transfer, error code: 28 error message: Time-out.
-- ERROR: failed to complete the transfer, error code: 56 error message: Recv failure: Connection reset by peer.

Conditions:
This occurs under any of the following conditions:

-- The monitored server does not close the TCP connection (does not send a FIN) after receiving a QUIT command from the client.

-- The server does not include the word 'Bye' in the 221 message in response to the 'quit' sent by the BIG-IP system.

-- The server issues a RST for any reason after the BIG-IP system has successfully received the 250 response to the HELO message.

Impact:
The monitored server is marked down when it is not.

Workaround:
None.

Fix:
SMTP monitor now considers the server up if it receives a successful response to the HELO command.
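The difference between the old and the fixed monitor logic, as an added example that is not part of this page or of F5's monitor code. It walks the same banner, HELO, QUIT exchange the entry describes against constructed server response scripts (not real captures) and returns the verdict each policy gives; the function names and the scripts are assumptions for illustration.

```python
"""Illustrative SMTP health-check verdicts (added example, not F5 code).

strict=True models the pre-fix monitor: after a 250 to HELO it also
demands a 221 reply containing 'Bye' to QUIT and a clean close.
strict=False models the fixed behaviour: a 250 reply to HELO is enough
to mark the member up, whatever happens to QUIT afterwards.
"""
import re

# Each script lists what the server sends back, in order: banner, reply
# to HELO, reply to QUIT. None stands for a reset or a timeout (the cURL
# errors 28 and 56 quoted in the entry). Constructed sample data.
SCRIPTS = {
    "well_behaved":   ["220 mail.example.test ESMTP", "250 mail.example.test", "221 Bye"],
    "no_bye_in_221":  ["220 mail.example.test ESMTP", "250 mail.example.test", "221 closing"],
    "rst_after_helo": ["220 mail.example.test ESMTP", "250 mail.example.test", None],
    "helo_rejected":  ["220 mail.example.test ESMTP", "501 Syntax error", "221 Bye"],
    "no_banner":      [None],
}

_CODE = re.compile(r"^(\d{3})[ -]")


def reply_code(line):
    """Return the 3-digit SMTP status code, or None for a missing/unparseable reply."""
    if line is None:
        return None
    m = _CODE.match(line)
    return int(m.group(1)) if m else None


def smtp_verdict(script, strict=False):
    """Walk banner -> HELO -> QUIT and return 'up' or 'down'."""
    replies = iter(script)
    if reply_code(next(replies, None)) != 220:
        return "down"   # no usable greeting
    if reply_code(next(replies, None)) != 250:
        return "down"   # HELO refused, or the connection was lost first
    if not strict:
        return "up"     # fixed behaviour: 250 to HELO is sufficient
    quit_reply = next(replies, None)
    if reply_code(quit_reply) != 221 or "Bye" not in quit_reply:
        return "down"   # old behaviour: QUIT handling decides the verdict
    return "up"


def compare_policies(scripts=SCRIPTS):
    """Map each constructed server to (old verdict, fixed verdict)."""
    return {name: (smtp_verdict(s, strict=True), smtp_verdict(s, strict=False))
            for name, s in scripts.items()}


if __name__ == "__main__":
    for name, (old, new) in compare_policies().items():
        print(f"{name:16s} old={old:5s} fixed={new}")
```

The three scripts that mark down under the old logic but up under the fixed one correspond one-to-one to the three conditions listed above; a server that actually rejects HELO, or never greets, is still marked down by both.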


535544-5 : Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled

Component: TMOS

Symptoms:
Consider the listing of the ltm virtual vsach below.

The translate-port, translate-address properties are not listed. This implies that these properties are set to their default value of true. tmsh does not list default values. In case these are set to false, they will be listed.

(tmos)# list ltm virtual
ltm virtual vsach {
    destination 1.1.1.1:http
    mask 255.255.255.255
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    vs-index 3
}

Conditions:
Presence of an ltm virtual in the configuration with its destination port set to any (for example, x.y.z.w:any) and translate-port enabled. When listing this ltm virtual, the translate-port and translate-address properties are not displayed.

Impact:
The actual values of the virtual server's translate-port and translate-address attributes cannot be determined from the listing until the workaround is applied.

Workaround:
Explicitly list the property

(tmos)# list ltm virtual vsach translate-port
ltm virtual vsach {
    translate-port enabled
}

Fix:
After this change, the above-mentioned properties are always listed, regardless of whether they have the default value.


535246-6 : Table values are not correctly cleaned and can occupy entire disk space.

Component: Application Visibility and Reporting

Symptoms:
AVR data in MySQL might grow to fill all disk space.

Conditions:
This might occur when DNS table receives a large number of entries that are not being evicted when they are no longer needed.

Impact:
MySQL stops responding. Site might experience down time due to full disk.

Workaround:
If you monitor disk space and AVR data takes more than 70% of the space, reset the AVR data by running the following commands in order:
-- touch /var/avr/init_avrdb
-- bigstart restart monpd

Fix:
In this release, the system handles AVR data in MySQL so that database size no longer grows beyond a certain point.


535188-3 : Response Pages custom content with \n instead of \r\n on policy import.

Component: Application Security Manager

Symptoms:
After importing a policy with custom content on the Default Response Page, new lines are changed from \r\n to \n, which should not happen.

Conditions:
1. Create New Policy.
2. Go to Security : Application Security : Policy : Response Pages
3. On Default Response Page, change Response Type to 'Custom Response'.
4. Add 'Enters' to the 'Response Body' and save it.
(for example:
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected.
 Please consult with your administrator.<br><br>Your support



 ID is: <%TS.request.ID()%></body></html>).
5. View the REST state of the response page and see that the new lines are represented by '\r\n'.
6. Export the policy to XML.
7. Import the policy back (replace the old policy).
8. The new lines in the content of the response page are now represented by '\n' instead of '\r\n'.

Impact:
After importing a policy with custom content on the Default Response Page, new lines are changed from \r\n to \n, which should not happen.

Workaround:
In the GUI, go to Security : Application Security : Policy : Response Pages, remove and re-add the line breaks, and click 'Save' for the default response page.

Fix:
After importing a policy with custom content on the Default Response Page, new lines are no longer changed from \r\n.


535101-1 : Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.

Component: Carrier-Grade NAT

Symptoms:
LSN configured in PBA mode can cause tmm to core if a connection needs to obtain resources from a remote tmm process. This occurs most frequently during heavy load or when a small translation space (a low number of translation addresses) is configured on the PBA LSN pool.

Conditions:
- LSN with PBA mode configured.
- udp_gtm_dns profile configured on the virtual server handling traffic.
- Heavy traffic or small translation space.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove udp_gtm_dns profile from the virtual server, and replace it with fast L4.

Fix:
LSN pool configured with PBA mode no longer crashes with heavy load and udp_gtm_dns profile configured.


534901-1 : VMware View HTML5 client may load/initialize with delays

Component: Access Policy Manager

Symptoms:
When HTML5 client is used to access VMware View remote desktops, it may sometimes take about 30 seconds to initialize.

Conditions:
APM Webtop with a VMware View remote desktop assigned available for HTML5 client launch.

Impact:
Slow HTML5 client initialization.

Workaround:
- Go to admin UI -> Local Traffic -> Profiles: Services: HTTP and create new http profile.
- Set Unchunk (or Rechunk) for "Response Chunking" option and save it.
- Assign this http profile to the Virtual Server.

Fix:
Fixed the handling of chunked responses coming during the HTML5 client load.


534886-1 : AFM Security checks were not being done for DNS over TCP

Component: Advanced Firewall Manager

Symptoms:
DNS Query Filtering and DNS DoS checks were disabled for DNS over TCP.

Conditions:
DNS over TCP and either DNS DoS configured or DNS Query filtering configured.

Impact:
The DNS Query Filtering and DNS DoS features were not applied to DNS over TCP.

Workaround:
Use DNS over UDP.

Fix:
DNS Query Filtering and DNS DoS checks are now performed regardless of the L4 protocol.


534804-2 : TMM may core with rate limiting enabled and service-down-action reselect on poolmembers

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when calculating the rate limit in certain circumstances.

Conditions:
VIP/pool configuration contains:
 - Pool configured with
    + Action On Service Down is set to Reselect
 - Pool members configured with
    + Connection Rate Limit is set

If all pool members go down, this can trigger the core

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove rate limit configuration.

Fix:
TMM no longer cores in certain conditions with rate limiting and service-down-action reselect on pool members.


534795-1 : Swapping VLAN names in config results in switch daemon core and restart.

Component: Local Traffic Manager

Symptoms:
Changing names of configured VLANs directly in the configuration file and reloading results in a bcm56xxd switch daemon core and restart.

Conditions:
Applies to all switch based platforms, when modifying the VLAN names directly in the configuration file and reloading.

Impact:
Switch daemon drops core, restarts, and reconfigures the switch.

Workaround:
First delete any existing VLANs, and then recreate them with the new names.

Fix:
Add additional protection and error logging for VLAN-name- and VLAN-ID-lookup failures in the switch daemon.


534755-1 : Deleting APM virtual server produces ERR_NOT_FOUND error

Component: Access Policy Manager

Symptoms:
When an APM virtual server is deleted on the active unit, the following error message is seen in the APM log on the standby unit.

"Failed to delete profile stats namespaces"

Conditions:
This issue happens when an APM virtual server is deleted on the active unit and the change is subsequently synced to the standby unit.

Impact:
There is no functional impact.

Fix:
Access Filter now ignores the ERR_NOT_FOUND error when deleting the profile stats namespace.


534633-3 : OpenSSH vulnerability CVE-2015-5600

Vulnerability Solution Article: K17113


534630-5 : Upgrade BIND to address CVE 2015-5477

Vulnerability Solution Article: K16909


534582-4 : HA configuration may fail over when standby has only base configuration loaded.

Component: TMOS

Symptoms:
The active unit may fail over when only the base configuration is loaded on a standby system, and HA communications in the HA configuration is interrupted.

Conditions:
Only base configuration loaded on standby and HA communications are disrupted.

Impact:
Potential site outage.

Workaround:
Configure HA to use multiple network interfaces. Avoid loading only the base configuration on HA configurations.

Fix:
HA configuration no longer fails over when a standby system has only the base configuration loaded.


534490 : Fixed TMM crash when iRule configuration is modified.

Component: Policy Enforcement Manager

Symptoms:
Modifying the iRule configuration may result in a TMM crash.

Conditions:
When the iRule configuration is modified.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed TMM crash when the iRule configuration is modified.


534458-6 : SIP monitor marks down member if response has different whitespace in header fields.

Component: Local Traffic Manager

Symptoms:
In certain circumstances the SIP monitor may incorrectly mark a SIP pool member down. This is due to the comparison the monitor makes of the standard header fields in the SIP monitor request to the response.

Conditions:
SIP monitor and response differ in the use of whitespace in the header fields, for example, 'field:value' and 'field: value'.

Impact:
Unable to monitor the SIP pool member accurately using the standard SIP monitor because the pool member will be marked down.

Workaround:
Use other types of monitors, e.g., UDP.

Fix:
The SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differs.
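A whitespace-tolerant header comparison of the kind the fix calls for, as an added example that is not part of this page or of F5's monitor code. It parses the header block of a SIP message the way RFC 3261 permits (case-insensitive names, optional whitespace on either side of the colon, folded continuation lines) and then compares the fields the monitor echoed; the set of compared headers and the two sample messages are constructed assumptions. To is deliberately left out of the default set because a response adds its own tag to it.

```python
"""Whitespace-tolerant SIP header comparison (added example, not F5 code).

'Call-ID:abc', 'Call-ID: abc' and 'call-id :  abc' all denote the same
header; a byte-for-byte comparison of the request and the echoed
response would treat them as different and mark the member down.
"""
import re

# RFC 3261: header names are case-insensitive; optional whitespace (SWS)
# may surround the colon; LWS inside a value is not significant.
_HEADER = re.compile(r"^([A-Za-z0-9.!%*_+`'~-]+)[ \t]*:[ \t]*(.*?)[ \t]*$")


def parse_headers(message):
    """Return {lower-case name: whitespace-collapsed value} for a SIP message.
    Continuation lines (leading SP/HTAB) are folded into the previous header."""
    headers, last = {}, None
    for raw in message.split("\r\n")[1:]:        # skip the request/status line
        if raw == "":
            break                                 # blank line ends the headers
        if raw[:1] in (" ", "\t") and last:       # folded line
            headers[last] = headers[last] + " " + raw.strip()
            continue
        m = _HEADER.match(raw)
        if not m:
            raise ValueError(f"malformed header line: {raw!r}")
        name, value = m.group(1).lower(), " ".join(m.group(2).split())
        headers[name] = value
        last = name
    return headers


def headers_match(request, response, fields=("via", "from", "call-id", "cseq")):
    """True when every checked header of the response equals the request's,
    ignoring case of the name and whitespace. A header missing on either
    side is a mismatch, so a truncated or foreign response still fails."""
    req, rsp = parse_headers(request), parse_headers(response)
    return all(f in req and f in rsp and req[f] == rsp[f] for f in fields)


# Constructed sample exchange, not a real capture.
REQUEST = ("OPTIONS sip:probe@10.0.0.5 SIP/2.0\r\n"
           "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776\r\n"
           "From: <sip:monitor@10.0.0.1>;tag=1928\r\n"
           "To: <sip:probe@10.0.0.5>\r\n"
           "Call-ID: a84b4c76e66710\r\n"
           "CSeq: 1 OPTIONS\r\n\r\n")

RESPONSE_OK = ("SIP/2.0 200 OK\r\n"
               "Via:SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776\r\n"   # no space after colon
               "from: <sip:monitor@10.0.0.1>;tag=1928\r\n"             # lower-case name
               "To:   <sip:probe@10.0.0.5>;tag=9b8\r\n"                 # extra spaces, new tag
               "Call-ID : a84b4c76e66710\r\n"                           # space before colon
               "CSeq: 1\r\n"
               "\tOPTIONS\r\n\r\n")                                     # folded value

RESPONSE_WRONG_DIALOG = RESPONSE_OK.replace("a84b4c76e66710", "deadbeef")

if __name__ == "__main__":
    print("tolerant compare, same dialog :", headers_match(REQUEST, RESPONSE_OK))
    print("tolerant compare, other dialog:", headers_match(REQUEST, RESPONSE_WRONG_DIALOG))
```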


534457-2 : Dynamically discovered routes might fail to remirror connections.

Component: Local Traffic Manager

Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.

Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.

Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.

Workaround:
Provide a static route instead of dynamic routes.

Fix:
Remirroring L4 connections using dynamic routes now works correctly. (Note that when using dynamic routes it is not guaranteed that the active and standby systems use the same routes; if the routes differ when the active system fails over, some connections might be dropped.)


534373-5 : Some text in the French-localized Edge Client on Windows has grammatical errors

Component: Access Policy Manager

Symptoms:
Grammatically incorrect text is displayed in the Edge Client UI localized for French.

Conditions:
French Localized version of Edge Client is used.

Impact:
Branding.

Workaround:
None.

Fix:
Fixed grammar.


534323-1 : Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.

Component: Policy Enforcement Manager

Symptoms:
The session is deleted and re-created when a new IP address is added alongside the original IP address in the session.

Conditions:
This happens when a new IP address is added to an existing session that already has an IP address.

Impact:
The session is deleted and re-created, rather than updated in place, when a new IP address is added alongside the existing one.

Fix:
The session is now replaced in place rather than deleted and re-created when a new IP address is added alongside the existing IP address.


534251-1 : Live update with moving config breaks password-less ssh access

Component: TMOS

Symptoms:
The authorized_keys file is replaced by a link to /var/ssh/admin/authorized_keys, but the file under /var/ssh/... is not created.

Conditions:
Use a clean tmos-bugs-staging-based VM. Perform a live install.
Change the boot location via the GUI with 'Install Configuration' set to 'Yes'.

Impact:
Password-less SSH access is broken.

Workaround:
If you save and load a sys UCS before the live install, the file is created under /var/.. and successfully moved to the new volume.


534246-2 : rest_uuid should be calculated from the actual values inserted to the entity

Component: Application Security Manager

Symptoms:
BIG-IP computes the case-sensitive rest_uuid values for HTTP headers but stores the headers as case-insensitive.

Conditions:
This is an example:
1. Go to Security>>Application Security>>Headers>>HTTP Headers.
2. Choose 'Custom...' for the name of the header.
3. Create a custom header named 'Abc' (with a capital letter).
4. Remember the ID generated in the JSON element.
5. Delete the header.
6. Create a new custom header and use the name 'abc'.

Actual Results:
The ID of 'abc' and the ID of 'Abc' are different.

Impact:
Two identical normalized values may have different rest_uuid.

Workaround:
N/A

Fix:
The REST "id" field is now calculated from the actual values inserted to the entity, and not on the user-input values.
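How deriving the id from the stored value removes the mismatch, as an added example that is not part of this page or of ASM's code. It repeats steps 3 to 6 of the entry against a minimal case-insensitive store and returns both ids; the id scheme (a name-based UUID over an assumed namespace), the store, and the function names are illustrative assumptions, not ASM's actual implementation.

```python
"""Entity ids derived from the stored value, not the typed value (added example).

ASM stores HTTP header names case-insensitively, so an id computed from
the raw user input ('Abc') and one computed from the stored form ('abc')
disagree for the same entity. Deriving the id from the normalised value
gives the behaviour described under Fix. The uuid5 scheme and namespace
below are assumptions for illustration, not ASM's real scheme.
"""
import uuid

ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "example.test/asm-entity")  # assumed namespace


def normalize_header_name(name):
    """Normalise the way the store does: trim, reject separators, lower-case.
    HTTP header names are case-insensitive (RFC 7230 section 3.2)."""
    name = name.strip()
    if not name or any(ch in name for ch in " \t:\r\n"):
        raise ValueError(f"invalid header name: {name!r}")
    return name.lower()


def rest_uuid_from_input(entity_type, user_input):
    """Pre-fix style: id derived from what the user typed (case-sensitive)."""
    return str(uuid.uuid5(ID_NAMESPACE, f"{entity_type}:{user_input}"))


def rest_uuid_from_entity(entity_type, user_input):
    """Fixed style: id derived from the value actually inserted into the entity."""
    return str(uuid.uuid5(ID_NAMESPACE, f"{entity_type}:{normalize_header_name(user_input)}"))


class HeaderStore:
    """Minimal case-insensitive header store, keyed the way ASM keys headers."""

    def __init__(self):
        self._entries = {}

    def add(self, user_input):
        key = normalize_header_name(user_input)
        if key in self._entries:
            raise KeyError(f"header {key!r} already exists")
        entry = {"id": rest_uuid_from_entity("http-header", user_input), "name": key}
        self._entries[key] = entry
        return entry

    def delete(self, user_input):
        del self._entries[normalize_header_name(user_input)]


def reproduce_steps():
    """Steps 3-6 of the entry: create 'Abc', delete it, create 'abc'; return both ids."""
    store = HeaderStore()
    first = store.add("Abc")["id"]
    store.delete("Abc")
    second = store.add("abc")["id"]
    return first, second


if __name__ == "__main__":
    first, second = reproduce_steps()
    print("same id after fix  :", first == second)
    print("ids differ pre-fix :",
          rest_uuid_from_input("http-header", "Abc") != rest_uuid_from_input("http-header", "abc"))
```

The entity type is part of the hashed name so that a header called abc and a URL called abc never collide; the name-based UUID is deterministic, which is what makes a deleted-and-recreated entity come back with the same id.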


534111-1 : [SSL] Config sync problems when modifying cert in default client-ssl profile

Component: Local Traffic Manager

Symptoms:
Config sync problems after modifying cert in default client-ssl profile when the profile is already active and in use on members in a high availability configuration.

Conditions:
Modify cert in default client-ssl profile and perform a config sync operation.

Impact:
After config sync, units in the sync group have different cert/key settings for client-ssl profiles. You can see this in the inherit-certkeychain setting, which changes from 'true' to 'false' after syncing the configuration with the changed default value.

Workaround:
1. Remove client-ssl definitions from bigip.conf on each unit.
2. Reload the config.
3. Synchronize the config.

Fix:
The system now correctly syncs the default client-ssl profile that was modified with a new cert and key, so the active and standby unit configurations now have the correct cert/key settings after config sync.


534090-2 : Node.js vulnerability CVE-2015-5380

Vulnerability Solution Article: K17238


534076-2 : SNMP configured trap-source might not be used in v1 snmp traps.

Component: TMOS

Symptoms:
SNMP v1 traps with a configured trap-source might fail to use the configured address, and use the default management port IP address instead.

Conditions:
- SNMP v1 traps and destination configured.
- trap-source configured.

Impact:
Traps will have the incorrect agent-addr set, and SNMP configured trap-source might not be used.

Workaround:
None.

Fix:
SNMP v1 traps now correctly use the configured trap-source.


534052-3 : VLAN failsafe triggering on standby leaks memory

Component: Local Traffic Manager

Symptoms:
Memory is leaked when VLAN failsafe is active and sending ICMP probes.

Conditions:
VLAN failsafe active and sending ICMP probes on standby and configured with failsafe-action failover.

Impact:
Memory leak causing aggressive sweeper and eventually TMM crash on standby.

Workaround:
None.

Fix:
Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes.


534021-5 : HA on AWS uses default AWS endpoint (EC2_URL).

Component: TMOS

Symptoms:
HA doesn't work on Government clouds on AWS.

Conditions:
AWS endpoints for government clouds differ from those of the public offerings. Amazon's recommendation is to construct the endpoint (EC2_URL) dynamically using the form <service name>.<region>.<services/domain>.

Impact:
HA doesn't work on Government clouds on AWS.

Workaround:
EC2 endpoint can be constructed dynamically by:
 - Query EC2 Metadata service for <DOMAIN> name (curl http://169.254.169.254/latest/meta-data/services/domain)
 - Read the instance <REGION> from /shared/vadc/aws/iid-document
 - Export the EC2_URL environment variable using the two values above in the following format:
   export EC2_URL="http://ec2.<REGION>.<DOMAIN>"

Fix:
BIG-IP HA on AWS dynamically constructs the EC2 service endpoint based on the domain-name and region attached with the running instance.
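The endpoint construction from the workaround, as an added example that is not part of this page or of F5's HA code. The region is read from the instance identity document and the partition domain from the metadata service, both are validated before they are placed in a URL (they come from a network source and end up in an HA-critical setting), and the network fetch is kept separate so the logic runs offline on a constructed identity document. The function names and the sample document are assumptions; the page's workaround uses http and this example defaults to https, which the EC2 API supports.

```python
"""Build the regional EC2 endpoint from instance metadata (added example).

EC2_URL = <scheme>://ec2.<region>.<domain>, with region taken from the
instance identity document and domain from the metadata service, as the
workaround above describes.
"""
import json
import re
import urllib.request

METADATA_DOMAIN_URL = "http://169.254.169.254/latest/meta-data/services/domain"
IID_DOCUMENT_PATH = "/shared/vadc/aws/iid-document"

# Conservative shapes for what may be interpolated into the URL.
_REGION = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")       # us-gov-west-1, cn-north-1, eu-west-2
_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")    # amazonaws.com, amazonaws.com.cn

# Constructed sample identity document (not a real instance).
SAMPLE_IID_DOCUMENT = json.dumps({
    "region": "us-gov-west-1",
    "instanceId": "i-0123456789abcdef0",
    "accountId": "123456789012",
})


def valid_region(region):
    return bool(_REGION.match(region))


def valid_domain(domain):
    return bool(_DOMAIN.match(domain))


def region_from_iid_document(document_json):
    """Pull and validate the 'region' field of an instance identity document."""
    region = str(json.loads(document_json).get("region", ""))
    if not valid_region(region):
        raise ValueError(f"unexpected region value: {region!r}")
    return region


def ec2_url(region, domain, scheme="https"):
    """Assemble ec2.<region>.<domain>; rejects anything that does not look like a hostname."""
    domain = domain.strip().lower()
    if not valid_region(region):
        raise ValueError(f"unexpected region value: {region!r}")
    if not valid_domain(domain):
        raise ValueError(f"unexpected services domain: {domain!r}")
    return f"{scheme}://ec2.{region}.{domain}"


def export_line(region, domain):
    """The shell line the workaround asks for, ready to be sourced."""
    return f'export EC2_URL="{ec2_url(region, domain)}"'


def fetch_metadata_domain(url=METADATA_DOMAIN_URL, timeout=2):
    """Read the partition domain from the instance metadata service (network call)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii").strip()


if __name__ == "__main__":
    with open(IID_DOCUMENT_PATH) as f:
        region = region_from_iid_document(f.read())
    print(export_line(region, fetch_metadata_domain()))
```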


534018-1 : Memory leak while running some of PEM::session and PEM::subscriber commands.

Component: Policy Enforcement Manager

Symptoms:
When running an iRule that uses PEM::session info commands, the memory consumption of the PEM module kept increasing until the system eventually ran out of memory.

Conditions:
Create an iRule that has PEM::session info commands that run asynchronously and attach it to a virtual server in use.

Impact:
System runs out of memory.

Fix:
The memory leak while executing the PEM::session info, PEM::subscriber info, PEM::session config policy, and PEM::subscriber config policy commands has been fixed. The leak only occurs when these commands run asynchronously.


533929 : PEM::subscriber info irule command can cause tmm core

Component: Policy Enforcement Manager

Symptoms:
Running an iRule script that contains the PEM::subscriber info command can result in a tmm core. If the command runs synchronously, the core is not observed.

Conditions:
The core occurs only if the PEM::subscriber info command runs asynchronously.

Impact:
Traffic disrupted while tmm restarts.

Fix:
PEM::subscriber info commands no longer cause tmm to core.


533826-5 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system.


533820-5 : DNS Cache response missing additional section

Component: Local Traffic Manager

Symptoms:
Resolver cache lookups are missing authority and additional sections.

Conditions:
Resolver cache lookups could be missing the authority and additional sections for A and AAAA queries if the DO bit is also not set.

Impact:
If the requesting client needs the information that would normally be included in the authority or additional sections, it would have to make additional queries to acquire that data.

Workaround:
none

Fix:
The resolver cache now correctly includes the information available for the authority and additional sections if the information is available.


533813-3 : Internal Virtual Server in partition fails to load from saved config

Component: TMOS

Symptoms:
Loading a successfully configured internal Virtual Server from the config fails with the following message:

-- 01070712:3: Values (/part2/0.0.0.0%2) specified for Virtual Server (/part2/ICAP_request): foreign key index (name_FK) do not point at an item that exists in the database.

Conditions:
This occurs when the following conditions are met:
-- You are running a BIG-IP system with no configuration.
-- You have created an external VLAN with an interface.
-- You have created a non-default route domain, and associated it with a newly created VLAN.
-- You have created a virtual server, and configured a pool in a partition other than /Common.
-- You have saved the configuration.

Here is an example of how this might occur. Run the following commands.

- tmsh
- create net vlan external interfaces add { 1.2 }
- create net route-domain 2 vlans add { external }
- create auth partition part2 default-route-domain 2
- cd ../part2
- create ltm pool icap_pool members add { 10.10.10.10:8080 }
- create ltm virtual ICAP_request destination 0.0.0.0:0 mask 0.0.0.0 internal ip-protocol tcp profiles add { tcp } pool icap_pool
- save sys config
- load sys config partitions all verify

Impact:
The operation creates a virtual server but cannot load it from saved config.

Workaround:
To work around this issue, you can use the Common partition to complete the configuration.

Fix:
You can now configure an internal virtual server in a partition and load the config successfully.


533808-1 : Unable to create new rule for virtual server if order is set to "before"/"after"

Component: Advanced Firewall Manager

Symptoms:
Not able to create a new rule for virtual server when the order is set to "before"/"after".

Conditions:
Happens only when the order is set to "before"/"after"

Impact:
Unable to create a new rule from the virtual server page


533790-4 : Creating multiple address entries in data-group might result in records being incorrectly deleted

Component: TMOS

Symptoms:
Using the GUI to create multiple address entries in data-group might result in records being incorrectly deleted

Conditions:
Creating multiple address entries in data-group

Impact:
Cannot add/remove IP addresses from existing data groups without affecting existing IP addresses through GUI.

Workaround:
Use TMSH to add/remove IP addresses from existing data groups.

Fix:
You can now use the GUI to add/remove IP addresses from a data-group IP address list without affecting other IP addresses.


533734-1 : DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION

Component: Policy Enforcement Manager

Symptoms:
Packet traces show DHCPv6 packets arriving via IPv6/IPv4 tunnel, are forwarded to the VIP but the packet is not forwarded to the backend server on VIPRION devices.

Conditions:
DHCPv6 packets arriving via IPv6/IPv4 tunnel interface on
a multi-bladed VIPRION system.

Impact:
The DHCP packet is not forwarded to the backend server.

Workaround:
Use a single-bladed system.

Fix:
The system now processes DHCP packets on the local blade instead of dropping them, if those packets come from a tunnel interface.


533723-4 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.

Component: Access Policy Manager

Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.

Conditions:
Web-application dynamically creates HTML content on the client side that contains the textarea tag.

Impact:
Web application malfunction is possible.

Workaround:
There is no workaround at this time

Fix:
Content rewriting is suppressed on the client side for the textarea tag.


533658-5 : DNS decision logging can trigger TMM crash

Component: Global Traffic Manager

Symptoms:
Applying load balance decision logging to the DNS profile can cause TMM to crash when a query is load balanced to a last resort pool that is unavailable.

Conditions:
-- DNS load balance decision logging is enabled on the DNS profile.
-- A Wide IP is configured with a last resort pool.
-- The last resort pool is unavailable.
-- A query is load balanced to the last resort pool.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable decision logging for the DNS profile, or discontinue use of the last resort pool feature.

Fix:
DNS decision logging no longer causes TMM to crash when a last resort pool is configured for a Wide IP, that last resort pool is unavailable, and a query is load balanced to that last resort pool.


533566-1 : Support for View HTML5 client v3.5 shipped with VCS 6.2

Component: Access Policy Manager

Symptoms:
The upcoming release of VMware Horizon View Connection Server 6.2 introduces a few changes to the View HTML5 client.
This fix catches up with those changes to provide seamless support on the APM side.

Conditions:
BIG-IP APM configured as PCoIP proxy and set up against VMware VCS 6.2 with HTML5 client installed.

Impact:
Launching View HTML5 client from APM webtop may not work properly.

Fix:
Added support for View HTML5 client v3.5 shipped with View Connection Server 6.2.


533562-1 : Memory leak in CGNAT can result in crash

Component: Carrier-Grade NAT

Symptoms:
tmm leaks cmp memory, resulting in crash.

'tmctl memory_usage_stat' reports very high cmp memory utilization.

Conditions:
Configure hairpin mode or inbound connection handling set to automatic.

Impact:
BIG-IP system might run out of memory and crash.

Workaround:
Avoid hairpin mode or inbound connection handling set to automatic.

Fix:
Fixed CGNAT memory leak that occurred when configured for hairpin mode or when inbound connection handling is set to automatic.


533513-1 : Data plane Listener summary does not show LSN translation correctly

Component: Policy Enforcement Manager

Symptoms:
When configuring a new data plane virtual server group, and CGNAT is licensed, you have the ability to select an address translation value of LSN, and then select an LSN pool. This is accepted and configured correctly, but when viewing the data plane group after this point, the address translation type shows as "{{renderSnatValue(listenerVs}}", and should show as "LSN"

Conditions:
Create a CGNAT LSN pool. Create a new PEM data plane listener, set the address translation to LSN, select the pool, save, then view the resulting group summary.

Impact:
Data plane Listener summary does not show LSN translation correctly

Workaround:
none

Fix:
Correct the UI so that it handles the LSN address translation type correctly.


533480-5 : qkview crash

Component: TMOS

Symptoms:
Qkview may crash or hang. You might see this error message in /var/log/ltm:

err mcpd[8003]: 0107134e:3: Failed while making snapshot:
(Failed to link files existing(/config/filestore/files_d/Common_d/...

Conditions:
Changing large configurations while running qkview or missing files from the /config/filestore/files_d/Common_d/external_monitor_d directory can cause qkview to crash or hang.

Impact:
You will be unable to generate a qkview file for support.

Workaround:
Make sure any iControl scripts that are making changes are allowed to complete.
If you deleted any external monitor files from /config/filestore/files_d/Common_d, restore the external-monitor file and re-run qkview.

Fix:
The system now handles running qkview while creating 20,000 or more pools or removing an external monitor from the /config/filestore/files_d/Common_d/external_monitor_d directory, so these conditions no longer cause qkview crash or hang issues.


533458-4 : Insufficient data for determining cause of HSB lockup.

Component: TMOS

Symptoms:
When an HSB lockup occurs only the HSB registers are dumped into the TMM log files for diagnosing the failure. There is no core file containing stats and the state of the HSB driver when the failure occurred to help diagnose the failure.

Conditions:
When an HSB lockup occurs.

Impact:
Limited data is available for root cause analysis.

Workaround:
None.

Fix:
On HSB lockup, the system now generates a core file containing stats and the state of the HSB driver at the time of the failure, to help diagnose the failure.


533422-2 : sessiondump is not reusing connections

Component: Access Policy Manager

Symptoms:
sessiondump opens a TCP connection to TMM. It really only needs to make one connection, but it was actually making one connection for each request. This is visible in a packet capture or by monitoring the number of sockets left in TIME_WAIT state

On a box that had 1000 sessions, a little over 1000 sockets were generated by the sessiondump call:
# netstat -a | grep memcache | grep TIME_WAIT | wc
      3 18 267
# sessiondump --allkeys 1> /dev/null
# netstat -a | grep memcache | grep TIME_WAIT | wc
   1054 6324 93806

Conditions:
This issue is most relevant when the fix for BZ511900 is present. That fix improved sessiondump performance by reducing the amount of process forking; the connection reuse problem is not really visible until after that fix.

BZ 511900 was included in 12.0.
BZ 533422 (this bug) was included in 12.1.

It is therefore relevant to all 12.0 customers and to 11.x customers who request a hotfix containing BZ 511900.

Impact:
The extra connections have a minor throughput impact because of the cost of a TCP three-way handshake (3WHS) for each one.

The more important impact is that on a large system (around 20k sessions or more), this creates a large number of sockets in a very short period of time. These sockets go into TIME_WAIT and are not immediately reusable. The box could run out of sockets, and sessiondump will exit.

Fix:
The sessiondump utility now reuses the TCP connections.
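To make the socket cost concrete, here is an added Python example (not sessiondump or any F5 code) that stands up a tiny request/response server on the loopback interface, counts the connections it accepts, and then queries it once per key versus once over a single reused connection. The server, its line protocol and the key names are constructed for illustration only.

```python
import socket
import threading


class CountingServer:
    """Constructed line-oriented request/response server that counts accepted
    connections. It stands in for the memcache-style endpoint in TMM that
    sessiondump queries; the protocol here is invented for the example."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))        # ephemeral port on loopback
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]
        self.accepted = 0                         # number of TCP connections accepted
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                       # listening socket closed: stop serving
                return
            self.accepted += 1
            with conn:
                f = conn.makefile("rwb")
                for line in f:                    # answer every request line until the client closes
                    f.write(b"VALUE " + line.strip() + b"\r\n")
                    f.flush()

    def close(self):
        self.sock.close()


def fetch_per_request(port, keys):
    """One TCP connection per key: the behaviour described in the Symptoms section."""
    results = []
    for key in keys:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            s.sendall(key + b"\r\n")
            results.append(s.makefile("rb").readline().strip())
    return results


def fetch_reusing(port, keys):
    """One TCP connection for all keys: the fixed behaviour."""
    results = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("rwb")
        for key in keys:
            f.write(key + b"\r\n")
            f.flush()
            results.append(f.readline().strip())
    return results


def compare(nkeys=50):
    """Return (connections used per-request, connections used when reusing).
    Both strategies must return identical answers; only the socket count differs."""
    keys = [b"session:%d" % i for i in range(nkeys)]   # constructed session keys
    srv = CountingServer()
    try:
        answers_a = fetch_per_request(srv.port, keys)
        per_request = srv.accepted
        answers_b = fetch_reusing(srv.port, keys)
        reusing = srv.accepted - per_request
    finally:
        srv.close()
    if answers_a != answers_b:
        raise RuntimeError("strategies disagree on the responses")
    return per_request, reusing


if __name__ == "__main__":
    print("connections (per-request, reusing):", compare())
```

Each connection opened by the per-request strategy ends up in TIME_WAIT on the client side after it closes, which is exactly what the netstat counts above are measuring; the reusing strategy leaves a single such socket regardless of how many keys were fetched.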


533388-1 : tmm crash with assert "resume on different script"

Component: Local Traffic Manager

Symptoms:
In a rare race condition involving a stalled server-side TCP connection on which an RST is received, combined with an asynchronously executing client-side iRule for the CLIENT_CLOSED event, tmm can crash with the assert "resume on different script".

Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g., those that use the 'after', 'table', or 'session' commands; this is not an exhaustive list).

Fix:
tmm no longer crashes with the assert "resume on different script".


533336-2 : Display 'description' for port list members

Component: Advanced Firewall Manager

Symptoms:
Descriptions for port list members are not displayed in the GUI.

Conditions:
Create a port list with 'description' set for its members (using tmsh).

When the port list page is accessed from the GUI, the description set for the members (in tmsh) is not displayed.

Impact:
Users will not be able to see the description.

Workaround:
Use tmsh to view the description for port list members.

Fix:
Descriptions for port list members are now displayed in the GUI.


533307 : Increasing memory usage due to continual creation of authentication tokens

Component: Device Management

Symptoms:
The AuthTokenWorker creates new indexed state objects. Some cannot be deleted because they are shared between instances. Generations of tokens build up, but the generational scavenger only runs when disk space is tight. Restjavad can run out of memory before the scavenger ever gets to run.

Conditions:
Tokens shared between instances

Impact:
Generations of tokens build up

Workaround:
N/A

Fix:
The generational scavenger now has an additional trigger, so it runs when memory is tight as well as when disk space is tight.


533257-2 : tmsh config file merge may fail when AFM security log profile is present in merged file

Component: TMOS

Symptoms:
A config file merge into an existing config may fail with "unknown-property" message.

Conditions:
This can occur when you are doing a config file merge. The error encountered was with a parameter called "built-in enabled".

Impact:
All releases and modules are affected.

Workaround:
The offending parameter may be deleted from the merge file; however, this may result in the value for the deleted parameter not being set correctly in the existing config.

Fix:
Fixed a problem with tmsh config file merge failing when AFM security log profile is present in merged file.


533203 : TMM may core on resuming iRule if the underlying flow has been deleted.

Component: Policy Enforcement Manager

Symptoms:
TMM may core on resuming iRule if the underlying flow has been deleted.

Conditions:
A flow is deleted (an RST from the other end is one way this happens) while an iRule operating on that flow is parked. On resumption, the iRule accesses freed memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules that may cause parking.

Fix:
TMM no longer cores on resuming iRule if the underlying flow has been deleted.


532911-2 : Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.

Component: Local Traffic Manager

Symptoms:
Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.

Conditions:
A server SSL profile has 'Untrusted Certificate Response Control' set to ignore, and the backend server sends a self-signed untrusted certificate.

Impact:
The ltm log displays this error: Peer cert verify error: unable to verify the first certificate.

Workaround:
None.

Fix:
The X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE certificate validation error is now ignored when the server SSL profile sets 'Untrusted Certificate Response Control' to ignore.


532799-2 : Static VLAN route to /32 pool member can end up using a broadcast destination MAC

Component: Local Traffic Manager

Symptoms:
After assigning a static route to a node on a specific VLAN, ARPs are no longer generated, and all traffic to the node uses a broadcast (ff:ff:ff:ff:ff:ff) MAC.

Conditions:
Static VLAN route to a poolmember/node with a /32 mask.

Impact:
This can cause the monitors to fail and the poolmember/node to be marked down.

Workaround:
Use a mask other than /32, or use a gateway route instead.

Fix:
The BIG-IP system now correctly uses ARP to determine the destination MAC of a host routed via a /32 vlan route.


532761 : APM fails to handle compressed ICA file in integration mode

Component: Access Policy Manager

Symptoms:
Citrix application or desktop cannot be started in integration mode with Citrix StoreFront 3.0

Conditions:
APM is configured for StoreFront 3.0 proxy and HTTP compression is enabled on the StoreFront server.

Impact:
Citrix application or desktop cannot be started.

Fix:
APM now supports Citrix StoreFront 3.0 in integration mode with HTTP compression enabled on the StoreFront server.


532685-6 : PAC file download errors disconnect the tunnel

Component: Access Policy Manager

Symptoms:
Any failure to download the PAC file is treated as a fatal error. If the Edge Client fails to download the PAC file, the VPN connection cannot be established.

Conditions:
- The PAC file cannot be downloaded by the Edge Client.

Impact:
Tunnel disconnects in case of PAC file download errors.

Workaround:
Fix the infrastructure issues that result in the PAC file download failure.

Fix:
Previously, PAC file download and merging issues were treated as critical and the Edge Client disconnected the tunnel. This behavior is now controlled by a new BIG-IP setting called "Ignore PAC download error".

Behavior Change:
Previously, PAC file download and merging issues were treated as critical and the BIG-IP Edge Client disconnected the tunnel. This behavior is now controlled by a new BIG-IP setting called "Ignore PAC download error".


532559-4 : Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.

Component: TMOS

Symptoms:
If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. But the configuration could potentially use 'defaults-from none'.

Conditions:
This condition could be caused by executing the following command when generating the configuration.

'tmsh modify ltm profile client-ssl clientssl defaults-from none'

Impact:
The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile.

Workaround:
Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.

Fix:
Upgrade no longer fails if 'defaults-from none' is under profile '/Common/clientssl'.


532522-3 : CVE-2015-1793

Vulnerability Solution Article: K16937


532365-1 : lsndb cores with "Assertion `size < bin_key_size' failed"

Component: Carrier-Grade NAT

Symptoms:
When there are many entries in the session database and a user attempts to delete them with "lsndb del all", lsndb can core with "Assertion 'size < bin_key_size' failed".

The user may see many "Error: Connection to internal DB failed (err: Cannot assign requested address [99])" messages displayed on the console. In addition, not all of the session database entries will be deleted.

Conditions:
- LSN is configured with persistence, inbound-connections automatic, or PBA enabled.
- There are more than 100,000 session database entries (e.g. persistence, inbound, or PBA entries).
- The user attempts to manually delete all entries with "lsndb del all".

Impact:
- Session database cannot be properly cleared using the lsndb util.

Fix:
lsndb no longer cores while deleting large amounts of session database entries.


532340-1 : When FormBased SSO or SAML SSO are configured, tmm may restart at startup

Component: Access Policy Manager

Symptoms:
Under unlikely circumstances, tmm threads may run into a synchronization issue during startup initialization, causing a BIG-IP failover.

Conditions:
- SAML SSO or Form Based SSO are configured.
- TMM is in process of starting (during reboot or for any other reason).

Impact:
The BIG-IP system fails over at start time.
Once tmm has started successfully, no further impact is observed.

Workaround:
Remove Form Based SSO, and SAML objects from configuration.

Fix:
A thread synchronization issue that caused tmm startup issues has been fixed.


532107-2 : [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted

Component: Local Traffic Manager

Symptoms:
If the RTT value for the nameserver cache has reached the maximum value of 120000, BIG-IP still keeps that maximum RTT value even after 'delete ltm dns cache nameserver' is executed.

Conditions:
The RTT for the nameserver cache reached the maximum value of 120000.

Impact:
This can cause DNS response failures.

Workaround:
Change the nameserver-cache-count size to reset the nameserver cache:
# tmsh modify /ltm dns cache resolver my_dns_cache nameserver-cache-count 16536

Fix:
Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior.


532096-2 : Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used

Component: Access Policy Manager

Symptoms:
Machine Certificate Checker (client side) is not backward compatible with BIG-IP 11.4.1 and earlier when a MatchFQDN rule is used.

Conditions:
The Machine Certificate Checker agent uses a MatchFQDN rule in an access policy on BIG-IP version 11.4.1 or earlier.
A newer BIG-IP Edge Client (version later than 11.4.1) is used against that older BIG-IP.

Impact:
The Machine Certificate Checker agent may fail, and the access policy takes the wrong branch.

Fix:
Fixed issue causing Machine Certificate checker agent backward incompatibility.


532086-3 : Local Traffic Policy Rules Condition List select value to update with existing values.

Component: TMOS

Symptoms:
When viewing or editing a policy rule and selecting a condition in the table, the Condition select value is not updated with the existing value from the table.

Conditions:
A Policy with Rule(s) with defined Conditions where the Condition value is something other than the first value in the dropdown list, usually 'equals'. When a row in the table is selected, the Condition changes to the existing value in the table.

Impact:
This can cause confusion to the user when the values are not synchronized with the values in the table.

Workaround:
When the user saves, the original value is preserved. There is no adverse effect on the data other than the confusion it causes.

Fix:
Local Traffic Policy Rules Condition List select value now updates along with existing values.


532030-3 : ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI

Component: Application Security Manager

Symptoms:
When importing a policy that uses a custom signature set, ASM checks whether that signature set already exists on the system. If it does not exist, ASM creates a new set.

When a set is created via REST it does not correctly set an internal field that does get set via creation by the GUI or XML import.

This causes unexpected behavior and extra signature sets being created when a REST client, such as BIG-IQ, attempts to coordinate changes across devices using both XML import and REST calls.

Conditions:
A Custom filter-based signature set is created by the GUI and then attached to a security policy.
The security policy is exported in XML format.

On a different device an identical signature set is created via REST.
The security policy is then imported on that device.

Impact:
Extraneous signature sets are created, and false differences appear with regards to which signature sets are attached to which policies across multiple devices.

Workaround:
As a workaround, custom filter-based signature sets should be created only via REST or only via GUI across multiple devices.

Fix:
Custom filter-based signature sets created using REST or the Configuration utility now have the same internal settings and match for XML security policy export/import.


532022-1 : tmm can crash when the reply pkt to a service flow request is a DoS pkt

Component: Advanced Firewall Manager

Symptoms:
tmm can crash.

Conditions:
If a service flow (or any flow that does not have a listener) sends a request out and the reply packet needs to be counted toward a network DoS vector, tmm can crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't configure AFM DoS vectors.

Fix:
A crash bug in DoS protection has been fixed.


531986-3 : Hourly AWS VE license breaks after reboot with default tmm route/gateway.

Component: TMOS

Symptoms:
In AWS Hourly instances, if a default gateway is added, the hourly license may fail, causing BIG-IP to fail to come up to a running state. Error messages will resemble the following:

Jul 6 19:26:14 ip-10-0-0-104 err mcpd[22186]: 01070734:3: Configuration error: MCPProcessor::check_initialization:
Jul 6 19:26:17 ip-10-0-0-104 err mcpd[22186]: 010717ff:3: [Licensing]: Failure in establishing instance identity.

Conditions:
Hourly instance in AWS with default tmm route added.

Impact:
BIG-IP VE will fail to fully start, rendering the instance unusable.

Workaround:
Temporary removal of default tmm route resolves this problem. The tmm route can be added back once MCPD is in the running state.

Fix:
The problem with default tmm route breaking Hourly licenses has been resolved. The default tmm route no longer affects the license check on Hourly billing Virtual Edition.


531983-5 : [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added

Component: Access Policy Manager

Symptoms:
Routing table is not updated correctly in connected state when new adapter is added to the system.

Conditions:
An SSL VPN tunnel is established and a new adapter is added to the system. For example, Wi-Fi connects while a tunnel is already established over the Ethernet adapter.

Impact:
Routing table might be corrupted.

Workaround:
Restart OS X.

Fix:
The routing table now updates correctly when a new adapter is added to the system while an SSL VPN tunnel is already established over another network adapter.


531979-3 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system sets the SSL version in the record layer to the same value as the version field of the ClientHello message, which is the highest SSL version the system supports.

Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:

SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION

The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.

For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.

Fix:
The SSL version in the record layer of the ClientHello is now set to the lowest supported version, which eliminates the issue that occurred when the highest SSL version that the BIG-IP system supports did not fall into the range that an SSL peer supports.
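The record-layer version and the handshake-body version described above are independent bytes on the wire, which is what makes this mistake possible. The following added Python example (not BIG-IP code) builds a minimal ClientHello, extracts both fields, and simulates a strict peer that only accepts versions between the two, reproducing the failing and fixed cases from the Conditions section. The single cipher suite, the optional fixed random, and the strict-peer behaviour are assumptions made for the illustration.

```python
import os
import struct

# TLS protocol versions as (major, minor) pairs, exactly as they appear on the wire.
SSL30 = (3, 0)
TLS10 = (3, 1)
TLS11 = (3, 2)
TLS12 = (3, 3)


def build_client_hello(record_version, hello_version, client_random=None):
    """Build a minimal ClientHello record. The record-layer version and the
    handshake-body version are written independently; the bug entry is about
    what happens when both carry the highest supported version."""
    if client_random is None:
        client_random = os.urandom(32)
    body = struct.pack("!BB", *hello_version) + client_random
    body += b"\x00"                                  # session_id length: 0
    body += struct.pack("!H", 2) + b"\x00\x2f"       # one cipher suite, TLS_RSA_WITH_AES_128_CBC_SHA (assumed for illustration)
    body += struct.pack("!B", 1) + b"\x00"           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1), 24-bit length
    header = b"\x16" + struct.pack("!BB", *record_version) + struct.pack("!H", len(handshake))  # ContentType handshake(22)
    return header + handshake


def parse_client_hello_versions(record):
    """Return (record_layer_version, client_hello_version) from a ClientHello record."""
    content_type, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + rlen]
    if not handshake or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    hmaj, hmin = struct.unpack("!BB", handshake[4:6])   # skip 1-byte type and 3-byte length
    return (rmaj, rmin), (hmaj, hmin)


def record_version_is_lowest(record, lowest_supported):
    """The de facto rule from the entry: record-layer version equals the lowest supported version."""
    record_version, _ = parse_client_hello_versions(record)
    return record_version == lowest_supported


def peer_selects(record, peer_supported):
    """Simulate a strict peer (an assumption for this illustration) that treats
    the record-layer version as the floor and the ClientHello version as the
    ceiling of what the client offers. Returns the highest version in common,
    or None when the handshake would fail."""
    low, high = parse_client_hello_versions(record)
    common = [v for v in peer_supported if low <= v <= high]
    return max(common) if common else None


if __name__ == "__main__":
    peer = [TLS10, TLS11]    # a peer configured for TLS1.0/1.1 only, as in the Conditions section
    print("symptom (record=TLS1.2, hello=TLS1.2):", peer_selects(build_client_hello(TLS12, TLS12), peer))
    print("fixed   (record=TLS1.0, hello=TLS1.2):", peer_selects(build_client_hello(TLS10, TLS12), peer))
```

Real peers are usually more lenient than the simulated one, but a client that advertises a floor equal to its ceiling is relying on that leniency; setting the record-layer version to the lowest supported version is what keeps the offered range honest.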


531910-1 : apmd, apd, localmgr random crash

Component: Access Policy Manager

Symptoms:
APMD, APD, and localmgr crash upon invalid mcpd request with certain DB variables.

Conditions:
This problem happens rarely, when mcpd sends null DB variables (conncrtl).

Impact:
APMD, APD, and localmgr will crash.

Workaround:
There is no workaround.

Fix:
The problem was fixed by adding protection against null variables in the related modules.


531883-2 : Windows 10 App Store VPN Client must be detected by BIG-IP APM

Component: Access Policy Manager

Symptoms:
The Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via the Client Type agent.

Conditions:
Windows 10 App Store VPN Client, BIG-IP APM, and the Client Type agent.

Impact:
The Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box.

Fix:
Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box using the Client Type agent.


531809-2 : FTP/SMTP traffic related bd crash

Component: Application Security Manager

Symptoms:
Protocol Security: The Enforcer may crash upon FTP or SMTP traffic using remote logging.

Conditions:
FTP/SMTP traffic with remote logging assigned. The crash happens rarely.

Impact:
bd crashes, disrupting traffic.

Workaround:
Remove the remote logging from FTP/SMTP.

Fix:
Protocol Security: The Enforcer no longer crashes upon FTP or SMTP traffic using remote logging.


531761-1 : Web navigation flow may be reset when main page responds with non-HTML content

Component: Advanced Firewall Manager

Symptoms:
In some web applications, the navigation flow may break (connection reset) if a main URL (a login page, for example) responds with content that is not HTML, or if the response is dynamic and occasionally not HTML.

Conditions:
Proactive Bot Defense is enabled on a DoS profile that is attached to a virtual server, and one of the main URLs of the web application (login page, home page, etc.) occasionally responds with non-HTML content, blank content, or a redirect response with no body.

Impact:
Users may experience a connection reset while navigating through the website, usually after several minutes.

Fix:
Connection resets are no longer experienced during normal navigation of a site that is protected by the Proactive Bot Defense mechanism when one of the main pages of the web application occasionally responds with non-HTML content.


531705-2 : List commands on non-existent iRules incorrectly succeed.

Component: TMOS

Symptoms:
In certain cases, issuing an iControl REST or tmsh list rule command on a non-existent iRule can return successfully with an empty list. Instead it should return an error that the specified iRule does not exist.

Conditions:
If any iRule happens to exist in a different folder than the current folder context.

Impact:
The user is unable to rely on receiving an error from tmsh or iControl REST if they query for iRules that do not exist.

Workaround:
There is no workaround.

Fix:
Issuing a list command for a non-existent iRule now correctly returns an error.


531576-1 : TMM vulnerability CVE-2016-7476

Vulnerability Solution Article: K87416818


531566-2 : A partial response arrives to the client when response logging is turned on

Component: Application Security Manager

Symptoms:
When response logging is turned on, the client receives only a partial response.

Conditions:
Response logging is turned on.
The response is chunked.

Impact:
The response arrives as chunked, but not all chunks arrive, so the client waits for the rest of the response.

Workaround:
N/A

Fix:
All chunks of a chunked response arrive when response logging is enabled.


531541-1 : Support Citrix Receiver 4.3 for Windows in PNAgent mode

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Windows 4.3 fails to authenticate in PNAgent mode in both integration and replacement configurations.

Conditions:
APM is configured for Citrix integration or replacement and Citrix Receiver for Windows 4.3 is used in PNAgent mode.

Impact:
Citrix Receiver for Windows 4.3 fails to authenticate.

Workaround:
Use Citrix Receiver for Windows 4.1 or 4.2.
Launch applications from Web.

Fix:
APM now supports Citrix Receiver 4.3 for Windows in PNAgent mode.


531539-1 : The NTLM login is not recognized as failed login.

Component: Application Security Manager

Symptoms:
The NTLM login is not recognized as failed login.

Conditions:
-- An NTLM-configured login page.
-- The username arrives in UTF-16 (as curl sends it) or in another encoding that cannot be converted.
-- The login fails.

Impact:
The brute force mitigation will not work in this case.

Workaround:
None.

Fix:
This release fixes an issue regarding login pages with the NTLM authentication type.


531529-1 : Support for StoreFront proxy

Component: Access Policy Manager

Symptoms:
Citrix Receivers fail to authenticate when APM is configured in integration mode against Citrix StoreFront 3.0 in ICA patching mode.

Conditions:
APM configured in the integration mode

Impact:
Storefront responds with "error-bad-request" error on ExplicitForms request from APM

Workaround:
N/A

Fix:
APM now supports Citrix StoreFront 3.0 in ICA patching proxy mode.


531526-2 : Missing entry in SQL table leads to misleading ASM reports

Component: Application Visibility and Reporting

Symptoms:
Some reports of ASM violations were generated with missing activity.

Conditions:
When there are many entities to report and some of them are aggregated, the aggregated activity is not reported.

Impact:
Misleading reports of ASM activity.

Workaround:
None.

Fix:
Aggregated activity is now reported even when there are many entities to report and some are aggregated.


531483-2 : Copy profile might end up with error

Component: Access Policy Manager

Symptoms:
Copying a profile might end with an error stating that two items share the same agent.

Conditions:
Very rare: long policy names with similar name parts.

Impact:
Minor: you need to choose a different name for the new policy.

Fix:
Issue resolved.


530963-4 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not verify every byte in the Finished message of a TLS handshake, but it does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card but the affected TLS connection is not accelerated by the Cavium SSL accelerator card.

The following lists some examples of when a TLS connection is not accelerated by the Cavium card:

* The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x)

* The BIG-IP platform does not contain a Cavium SSL accelerator card. The following lists the BIG-IP platforms that do not contain a Cavium SSL accelerator card:
* BIG-IP 2000 platforms
* BIG-IP 4000 platforms
* BIG-IP Virtual Edition

Impact:
F5 believes the reported behavior does not have security implications at this time.

Workaround:
None.

Fix:
BIG-IP TLS now correctly verifies Finished.verify_data on non-Cavium platforms.
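For readers who want to see what verifying "every byte" of verify_data means, the following added Python example (not F5's implementation) computes Finished.verify_data with the TLS 1.2 PRF from RFC 5246 and contrasts a deliberately incomplete comparison with a full, constant-time one. The master secret and handshake transcript are constructed test values, and the incomplete check is a constructed illustration, not a description of the BIG-IP code path.

```python
import hashlib
import hmac

VERIFY_DATA_LEN = 12   # TLS 1.2 default verify_data_length (RFC 5246 section 7.4.9)


def p_sha256(secret, seed, length):
    """P_SHA256 data expansion from RFC 5246 section 5."""
    output = b""
    a = seed                                                          # A(0) = seed
    while len(output) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()              # A(i) = HMAC(secret, A(i-1))
        output += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return output[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def finished_verify_data(master_secret, finished_label, handshake_messages):
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0:12],
    where finished_label is b"client finished" or b"server finished"."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master_secret, finished_label, transcript_hash, VERIFY_DATA_LEN)


def verify_finished_partial(expected, received, checked_bytes=4):
    """Constructed example of an incomplete check that compares only a prefix.
    It is here to show why a prefix match is not verification; it does not
    describe any real implementation."""
    return received[:checked_bytes] == expected[:checked_bytes]


def verify_finished_full(expected, received):
    """Correct check: exact length and every byte, compared in constant time."""
    return len(received) == VERIFY_DATA_LEN and hmac.compare_digest(expected, received)


def demo():
    """Run both checks against a genuine and a tampered verify_data value."""
    master_secret = bytes(range(48))                        # constructed 48-byte master secret
    transcript = b"constructed handshake transcript bytes"  # constructed handshake_messages
    expected = finished_verify_data(master_secret, b"client finished", transcript)
    tampered = expected[:4] + bytes(b ^ 0xFF for b in expected[4:])   # correct prefix, corrupted tail
    return {
        "partial_accepts_tampered": verify_finished_partial(expected, tampered),
        "full_accepts_tampered": verify_finished_full(expected, tampered),
        "full_accepts_genuine": verify_finished_full(expected, bytes(expected)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The record-layer MAC only proves that the Finished record was not altered in transit by someone without the connection keys; verify_data is what binds the handshake transcript, so every one of its bytes has to match the locally computed value.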


530952-1 : MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'

Component: Application Visibility and Reporting

Symptoms:
MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'. Errors in monpd.log similar to the following:

[DB::mysql_query_safe, query failed] Error (error number 1615) executing SQL string ...

Conditions:
This is due to a MySql bug. For information, see 'Prepared-Statement fails when MySQL-Server under load', available here: http://bugs.mysql.com/bug.php?id=42041

Impact:
Monpd loses functionality.

Workaround:
Restart monpd.

Fix:
Error number 1615, 'Prepared statement needs to be re-prepared', no longer occurs in the monpd.log.


530903-1 : HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade

Component: TMOS

Symptoms:
HA pair should remain in active/standby state after the software upgrade but instead goes into an active/active state.

Conditions:
Occurs in an active/standby HA pair which has a medium size configuration of pools and virtual servers (at least 30 objects total). The standby device is upgraded first and then it is rebooted. After reboot, the HA pair goes into an Active/Active state. Upgrades to 11.5.0 through 11.5.3 as well as to 11.6.0 are impacted.

Impact:
Active/Standby configuration is lost.

Workaround:
Reconfigure the HA pair back to active/standby.

Fix:
An HA pair in a typical Active/Standby configuration now remains Active/Standby after a software upgrade.


530865-2 : AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)

Component: Advanced Firewall Manager

Symptoms:
Due to a related change in AFM ACL handling, global and route domain rules were being logged (incorrectly) by the virtual server's AFM log profile (if it exists).

This is incorrect since the behavior has always been that Global and Route Domain AFM rule logging is controlled by global-network log profile only.

Conditions:
Global or Route Domain AFM ACL rule matches and logging is enabled. Also, the matched virtual server has a logging profile attached to it.

Impact:
This causes a regression (and inadvertent change in behavior) for Global and Route Domain AFM rule logging.

Workaround:
None

Fix:
With the fix, global and route domain AFM rule logging is controlled by global-network log profile (as has been the case since inception).


530829 : UDP traffic sent to the host may leak memory under certain conditions.

Vulnerability Solution Article: K00032124


530812-1 : Legacy DAG algorithm reuses high source port numbers frequently

Component: Local Traffic Manager

Symptoms:
A service on a pool member will receive connections frequently with a source port number above 65400, especially when the incoming connections to the Virtual IP listener are generated by test tools that increment their source port numbers sequentially. This could lead to premature SNAT port exhaustion, if SNAT is also being used.

Conditions:
The issue appears to be limited to the legacy DAG algorithm on the VIPRION PB100 and PB200 blades. All supported versions of BIG-IP will exhibit this issue on this hardware when this DAG algorithm is used. The problem is not exhibited when the incoming sessions' source port numbers have a reasonable amount of entropy (as one would normally see with real Internet traffic); however, the use of test tools, or even intentional malicious traffic may cause this issue to be seen.

Impact:
The issue could result in resource contention (such as SNAT pool port exhaustion), or problems with the pool member services distinguishing between sessions. A notable exception: Port reuse before TIME_WAIT expires is specifically NOT an impact of this issue.

Workaround:
To work around SNAT pool port exhaustion, increase the pool size, or change to auto-map. An iRule may be used to help pool member services better distinguish incoming sessions.

Fix:
The software emulation of the legacy DAG algorithm used on VIPRION PB100 and PB200 has been updated to more evenly distribute the source port numbers of sessions arriving at pool member services.


530800-1 : Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.

Component: Access Policy Manager

Symptoms:
OWA displays error message when trying to send new email.
POST request size is more than 300Kb and POST data contains large "SCRIPT id=F5_helperDataStringsId" tag.
Due to this issue, the request data becomes large enough to be affected by Bug502269 in SSOv2. Therefore, if SSOv2 is enabled in this access policy, the request content is corrupted and the OWA server responds with a '400 Bad Request' code instead of sending the email.

Impact:
Users can't send messages in some versions of OWA.

Fix:
Fixed an issue where extra data was added to some OWA2010 requests making it impossible to send messages in configuration with Form-based SSOv2.


530795-3 : In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may send ICMP messages that contain an incorrect TCP SEQ/ACK number in the embedded message body.

Conditions:
FastL4 TCP virtual servers. Syncookie mode.

Impact:
The TCP connflow might be aborted if an ICMP message (such as More fragment) is received.

Workaround:
None.

Fix:
The BIG-IP system now sends the correct SEQ and ACK numbers in ICMP messages.
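A receiving TCP stack can protect its connections from ICMP errors that quote a wrong sequence number, whatever their origin, by applying the sequence-number check from RFC 5927 section 4.1. The following added Python example (not BIG-IP code) constructs an ICMPv4 Destination Unreachable / Fragmentation Needed error carrying an IPv4 header and a full TCP header, parses the embedded SEQ and ACK numbers, and honours the error only when the quoted SEQ lies within the connection's in-flight window. The addresses, ports, window values and the choice of ICMP type/code are constructed for the illustration.

```python
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODE_FRAG_NEEDED = 4
IPPROTO_TCP = 6


def _ip(addr):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_icmp_error(src_ip, dst_ip, sport, dport, seq, ack, mtu=1400,
                     icmp_type=ICMP_DEST_UNREACH, icmp_code=ICMP_CODE_FRAG_NEEDED):
    """Constructed ICMPv4 error that quotes the offending IPv4 header plus a full
    20-byte TCP header (modern stacks quote more than the 8-byte RFC 792 minimum).
    Checksums are left at zero because this example never puts the packet on a wire."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x10, 65535, 0, 0)  # data offset 5, ACK flag
    icmp_hdr = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, mtu)                      # type, code, csum, unused, next-hop MTU
    return icmp_hdr + ip_hdr + tcp_hdr


def parse_icmp_error(pkt):
    """Extract the embedded IPv4/TCP fields from an ICMPv4 error message."""
    icmp_type, icmp_code = struct.unpack("!BB", pkt[:2])
    inner = pkt[8:]                                   # quoted original datagram starts after the 8-byte ICMP header
    if len(inner) < 20:
        raise ValueError("embedded datagram too short for an IPv4 header")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    tcp = inner[ihl:]
    if proto != IPPROTO_TCP or len(tcp) < 8:
        raise ValueError("embedded datagram is not TCP or lacks the 8-byte minimum")
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    ack = struct.unpack("!I", tcp[8:12])[0] if len(tcp) >= 12 else None   # only present when more than 8 bytes were quoted
    return {
        "type": icmp_type, "code": icmp_code,
        "src": ".".join(str(b) for b in inner[12:16]),
        "dst": ".".join(str(b) for b in inner[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
    }


def seq_in_flight(seq, snd_una, snd_nxt):
    """RFC 5927 section 4.1: accept only SND.UNA <= SEQ < SND.NXT, with 32-bit wraparound."""
    return (seq - snd_una) % (1 << 32) < (snd_nxt - snd_una) % (1 << 32)


def should_honor_icmp(pkt, flow):
    """flow describes the local connection's outbound direction:
    {src, dst, sport, dport, snd_una, snd_nxt}. Returns True only when the ICMP
    error quotes a segment this flow could actually have sent; an error whose
    SEQ falls outside the in-flight window is ignored instead of aborting the
    connection, which is the impact this entry describes."""
    e = parse_icmp_error(pkt)
    if (e["src"], e["dst"], e["sport"], e["dport"]) != (flow["src"], flow["dst"], flow["sport"], flow["dport"]):
        return False
    return seq_in_flight(e["seq"], flow["snd_una"], flow["snd_nxt"])


if __name__ == "__main__":
    flow = {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 443, "snd_una": 1000, "snd_nxt": 2000}
    good = build_icmp_error("10.0.0.5", "10.0.0.9", 40000, 443, seq=1500, ack=777)
    bad = build_icmp_error("10.0.0.5", "10.0.0.9", 40000, 443, seq=99999, ack=777)
    print("in-window SEQ honoured:", should_honor_icmp(good, flow))
    print("out-of-window SEQ honoured:", should_honor_icmp(bad, flow))
```

Stacks that skip this check will tear down or shrink the MSS of a connection on the strength of any ICMP error that matches the four-tuple, which is why a sender emitting a wrong embedded SEQ, as described in this entry, can cause the peer to abort the connflow.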


530773 : per-request policy logs frequently in apm logs

Component: Access Policy Manager

Symptoms:
Many log entries from the per-request policy execution framework are seen in the APM logs.

Conditions:
SWG is licensed and provisioned and response analytics agent is part of per-request policy.

Impact:
Many log entries in APM; the excessive logging might also impact performance.

Workaround:
Remove /Common/All-Images from Response analytics agent in per-request policy.

Fix:
Excluded content in the Response Analytics agent is now handled correctly, so these messages are no longer written frequently to the APM logs.


530761-1 : TMM crash in DNS processing on a TCP virtual

Component: Local Traffic Manager

Symptoms:
TMM can crash while processing DNS requests on a TCP virtual server.

Conditions:
A TCP DNS virtual server combined with a DNS iRule that suspends and a client that closes its connection before receiving a response to its DNS request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
While no true workaround exists, the situation can be avoided by removing any one of the conditions above.

Fix:
TMM now properly handles DNS requests through a TCP virtual where the client closes the connection during iRule processing.


530697-2 : Windows Phone 10 platform detection

Component: Access Policy Manager

Symptoms:
The Windows Phone 10 platform is not currently detected.

Conditions:
Windows Phone 10 platform, BIG-IP APM system.

Impact:
Windows Phone 10 platform is not detected correctly by BIG-IP

Fix:
Windows Phone 10 platform is detected correctly now.


530622-1 : EAM plugin uses high memory when serving very high concurrent user load

Component: Access Policy Manager

Symptoms:
EAM plugin cannot sustain high concurrent user load and will be killed by memory monitors. EAM is cored and restarted. Any requests coming during restart will not be served.

Conditions:
This issue was found in stress testing and reported by customers under high concurrent user load.

Impact:
As a result, EAM cored and restarted; users cannot authenticate during process restart.

Workaround:
No workaround.

Fix:
There was a memory usage issue in the EAM plugin that was caused by a huge object allocation for each connection. This issue is fixed by reducing the default size of client cert and payload arrays.


530598-1 : Some Session Tracking data points are lost on TMM restart

Component: Application Security Manager

Symptoms:
Session Tracking data points that ASM adds on traffic, based on the Session Tracking thresholds configuration, are lost when TMM restarts.

Conditions:
ASM Provisioned.
Session Tracking feature is ON.

Impact:
Session Tracking data points may be added by ASM upon traffic.
These are data points with action 'Block-All'.
These data points are lost when TMM restarts.

Workaround:
None.

Fix:
This release fixes the Session Tracking data points persistence, so that the 'Block-All' Session Tracking data points, which are added by ASM upon traffic, are not lost when TMM restarts.


530505-4 : IP fragments can cause TMM to crash when packet filtering is enabled

Component: Local Traffic Manager

Symptoms:
TMM can crash when an IP fragment is received and packet filtering is enabled.

Conditions:
This issue can occur when packet filtering is enabled and an IP fragment is received on the non-owning TMM.

To determine whether packet filtering is enabled, query the packetfilter setting with the 'tmsh list sys db packetfilter' command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable packet filtering.

Fix:
When packet filtering is enabled and an IP fragment is received on the non-owning TMM, TMM forwards the IP fragment without issue.


530431 : FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts

Component: Local Traffic Manager

Symptoms:
After upgrading to 11.6.0 HF5, the ephemeral FQDN node lists are no longer auto-populating.

Conditions:
Use the FQDN nodes feature.
Have correctly configured DNS name-servers, and upgrade to 11.6.0 HF5.

Impact:
The FQDN nodes feature is unusable, and upgrades might have to be rolled back.

Workaround:
This issue has no workaround at this time.

Fix:
FQDN node lists now correctly auto-populate.


530356-2 : Some AVR tables that hold ASM statistics are not being backed up in upgrade process.

Component: Application Visibility and Reporting

Symptoms:
Some AVR tables that hold ASM statistics are not being backed up in the upgrade process when upgrading to a new version with ASM data present in AVR stat tables.

Conditions:
Upgrading to new version.

Impact:
Some ASM data is lost after upgrade.

Fix:
We now correctly back up AVR tables that hold ASM statistics that were previously not backed up when upgrading to a new version.


530242-3 : SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs

Component: TMOS

Symptoms:
When SPDAG is turned on for VIPRION B2250 blades, a traffic imbalance among TMMs might be observed.

Conditions:
Enable SPDAG on VIPRION B2250 blades.

Impact:
The traffic imbalance can lower the throughput of VIPRION B2250 blades.

Workaround:
Adding or removing B2250 blades might mitigate the imbalance.

If you are running BIG-IP versions 11.6.1 or 11.6.1 HF1, add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes

Fix:
A new DAG hash is added for SPDAG on VIPRION B2250 blades, which can resolve the SPDAG traffic imbalance. The new DAG hash can be turned on by setting tmm tcl variable, dag::use_p8_sp_hash, to yes.

Add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes


530133-3 : Support for New Platform: BIG-IP 10350 FIPS

Component: TMOS

Symptoms:
Support for New Platform: BIG-IP 10350 FIPS, effective in 11.5.4 HF1

Conditions:
This details the new platform name.

Impact:
This is an added platform. There is no impact to the product.

Workaround:
None needed.

Fix:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.

Behavior Change:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.


530109-5 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Component: Access Policy Manager

Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.

Impact:
OCSP authentication might fail because the wrong URL is used.

Workaround:
1. Clear the URL field.
2. Uncheck option 'Ignore AIA'.

Fix:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.

Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.


529977-1 : OSPF may not process updates to redistributed routes

Component: TMOS

Symptoms:
When routes redistributed into OSPF are rapidly added and removed, OSPF may not reflect all of the updates in its LSA database.

Conditions:
External routes, such as kernel or static routes, redistributed into OSPF are rapidly added and removed. This may happen when using Route Health Injection and enabling/disabling a virtual address.

Impact:
OSPF may have stale or missing LSAs for redistributed routes.

Workaround:
Identify the OSPF process ID for the affected route domain using "ps | grep ospfd" and terminate it using the kill command.

This disrupts dynamic routing using OSPF.

Fix:
The OSPF LSA database correctly reflects the state of redistributed routes after rapid updates.


529920-7 : Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit.

Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.

Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.

Workaround:
None.

Fix:
Connection mirroring on a OneConnect virtual server now successfully recovers from a TMM crash during connection establishment, so no mirrored connection flows are lost.


529903-1 : Incorrect reports on multi-bladed systems

Component: Application Visibility and Reporting

Symptoms:
Reports on multi-bladed systems might contain incorrect data, if the blades are active at different times, and do not share the same level of history. A report appears on a different time range than expected.

Conditions:
Example:
A setup with 3 blades, and 2 are down while the active 1 receives traffic for a full day. Later the 2 down blades go up. The resulting report for 'last day' contains data only for the previous hour, even though traffic has been passing through it for the last day.

Impact:
Report not as expected.

Workaround:
None.

Fix:
Reports on multi-bladed systems are now displayed correctly even when the blades are active at different times, and do not share the same level of history.


529900-1 : AVR missing some configuration changes in multiblade system

Component: Application Visibility and Reporting

Symptoms:
Some DB variables affect the behavior of AVR, but if they are modified in a multiblade system, then not all blades will be aware of the change, which later leads to errors in functionality.

Conditions:
Multiblade system, having one of the following changes:
1. New primary blade is selected.
2. Change to AVR max number of entities in the DB.

Impact:
Data might not be loaded into the DB, or not be queried correctly.

Workaround:
Restarting monpd solves the problem.

Fix:
Configuration changes in multiblade systems are now treated correctly.


529899-1 : Installation may fail with the error "(Storage modification process conflict.)".

Component: Local Traffic Manager

Symptoms:
On chassis, installation may fail with the error "(Storage modification process conflict.)".

Conditions:
This happens when deleting a boot location and then quickly installing new software to that boot location.

Impact:
Minimal; the installation can be restarted.

Workaround:
Delete the failed volume and restart the installation.

Fix:
On chassis, there was one possible case where the installation would occasionally fail with the error "(Storage modification process conflict.)". This case has been fixed.


529897-1 : Diameter monitor logging displays hex when the monitor is failing instead of the AVP on which the monitor is failing.

Component: Local Traffic Manager

Symptoms:
Failed diameter monitor logging displays hex instead of the AVP on which the monitor failed.

Conditions:
Logging is enabled on a pool member which is being checked by a diameter monitor, and the monitor is failing.

Impact:
Difficult to determine the reason for the diameter monitor failure.

Workaround:
None.


529640 : Improvements in building Cloud images

Component: TMOS

Symptoms:
Improvements in building Cloud images.

Conditions:
Building Cloud images.

Impact:
Internal

Workaround:
N/A

Fix:
Improvements in building Cloud images.


529634-2 : Crash observed with HSL logging

Component: Policy Enforcement Manager

Symptoms:
In some cases, TMM crashes with HSL logging.

Conditions:
Configure an HSL endpoint with session reporting. This crash is observed when multiple sessions are configured with HSL session reporting.

Impact:
TMM cores.

Fix:
The crash was due to variables shared across threads. These have been changed to per-thread variables.


529610-1 : On HA setups, the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db

Component: Application Security Manager

Symptoms:
When session tracking actions are enabled in ASM policy, an HTTP request may be blocked based on HTTP session or username and illegal traffic that has been sent from this session. The blocked request is reported in the security events log, but there is no option to release the username using the Configuration utility.

Conditions:
High availability (HA) setup, and ASM with Session tracking actions enabled.

Impact:
Usernames and HTTP sessions are blocked by ASM without an option to release them from the Configuration utility.

Workaround:
Stop and start tmm on all devices in the HA group by running the following commands:
-- bigstart stop tmm
-- bigstart start tmm

Fix:
Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done on the Session Tracking Status screen.


529587 : Erroneous JS injections

Component: Fraud Protection Services

Symptoms:
JavaScript was injected into pages with any "Content-Type", which broke the functionality of some pages.

Conditions:
Page "Content-Type" is not "text/html".

Impact:
Page functionality may be broken.

Fix:
The FPS plugin now injects JavaScript only in responses where the value of the "Content-Type" header starts with "text/html".


529573 : CSS attribute name

Component: Fraud Protection Services

Symptoms:
The CSS attribute name was configured in the profile but not passed to the JavaScript, which used the hard-coded default value instead.

Conditions:
The default value of the CSS attribute name is changed in the profile.

Impact:
False positive CSS alerts.

Workaround:
Do not change the default value of the CSS attribute name.


529535-4 : MCP validation error while deactivating a policy that is assigned to a virtual server

Component: Application Security Manager

Symptoms:
When deactivating a security policy via REST, and the policy is assigned to a virtual server, then BIG-IP reports the following error:
----------------------------
"MCP Validation error - 01071726:3:
Cannot deactivate policy action '/Common/<VS_name>'. It is in use by ltm policy '/Common/<L7_policy_name>'.",
----------------------------

However, the security policy becomes inactive and remains assigned to virtual server.

This will cause the virtual server to stop processing network traffic, and there will be the following errors in 'bd.log':
----------------------------
BD_MISC|ERR |Jun 24 12:53:35.698|17566|src/acc_reject_policy.c:0165|Account id 10 has no reject policy configured. Cannot get data
----------------------------

Conditions:
ASM is provisioned with a security policy assigned to a virtual server, and the security policy is then deactivated via the REST API.

Impact:
An inactive security policy remains assigned to a virtual server.

Workaround:
Deactivate the security policy via the GUI at:
'Security :: Application Security : Security Policies : Active Policies'.

Fix:
The deactivation of a security policy using the REST API now removes the association of the deactivated policy from the virtual server, resulting in no errors and consistent configuration state.


529510-2 : Multiple Session ha state changes may cause TMM to core

Component: TMOS

Symptoms:
The crash is caused by multiple session HA state changes in session_ha_peer_status in a very short period of time. On the active unit, when the peer comes back up the session HA state changes to SESSION_HA_RESEND_NEEDED. This state change requires a call to session_ha_marker_reset to prevent the session sweeper from queueing the session HA marker when it is already in the session HA marker queue. Queueing the marker when it is already queued corrupts the queue, which is caught by the QUEUEDEBUG_TAILQ_INSERT_TAIL macro.

Conditions:
Multiple session HA state changes

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
The session HA marker is now removed when the peer comes back up.


529509-5 : BIND Vulnerability CVE-2015-4620

Vulnerability Solution Article: K16912


529484-4 : Virtual Edition Kernel Panic under load

Component: TMOS

Symptoms:
Virtual Edition instances may crash with a kernel panic under heavy traffic load.

Conditions:
Virtual Edition instances passing 10 Gbps of traffic on interfaces that support LRO.

Impact:
When the issue occurs the Virtual Edition instance will reboot.

Workaround:
Disable LRO on the underlying hypervisor, if possible.

Fix:
Virtual Edition instances now stay active when passing 10 Gbps of traffic on interfaces that support LRO.


529460-7 : Short HTTP monitor responses can incorrectly mark virtual servers down.

Component: Global Traffic Manager

Symptoms:
Despite successful probe response, BIG-IP DNS marks virtual server down.

Conditions:
HTTP server sends HTTP response that is shorter than 64 bytes.

Impact:
Virtual servers are incorrectly marked down.

Workaround:
Modify server response or use a TCP monitor.

Fix:
The BIG-IP DNS HTTP/1.x monitor probe now requires 17 rather than 64 bytes of response payload, so HTTP responses shorter than 64 bytes no longer incorrectly mark virtual servers down.


529414-1 : PEM: After Diameter Fatal-Grace time expiry, some subscriber sessions might be deleted very soon

Component: Policy Enforcement Manager

Symptoms:
Some subscriber sessions are deleted as soon as they are created, even if there is no trigger to delete these sessions.

Conditions:
The Fatal-grace time is too low, and the PCRF connection goes down for a long period of time and then comes back up later.

Impact:
Subscriber traffic is not policed, as the corresponding sessions are deleted as soon as they are created.

Workaround:
Make sure the Fatal-grace timer is disabled.

Fix:
Fatal-grace time expiry no longer causes sessions to be deleted as soon as they are created.


529392-2 : Win10 and IE11 are not detected when a DIRECT rule is used in a proxy autoconfig script

Component: Access Policy Manager

Symptoms:
Windows 10 and Internet Explorer 11 are not detected when a DIRECT rule is used to connect to BIG-IP in a locally configured proxy autoconfig script.

Conditions:
Local proxy autoconfig script, DIRECT rule for the BIG-IP virtual server, Internet Explorer 11.

Impact:
Internet Explorer 11 is not detected properly.

Fix:
Internet Explorer 11 on Microsoft Windows 10 is now detected correctly if a local proxy autoconfig script is configured with a DIRECT rule for BIG-IP.


529141-5 : Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error

Component: TMOS

Symptoms:
Upgrade from 10.x fails with the error 'emerg load_config_files: '/usr/libexec/bigpipe load' - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line 67): 012e0020:3: The requested item (myclientssl {) is invalid (profile_arg ` show ` list ` edit ` delete ` stats reset) for 'profile'."

Conditions:
Attempting to upgrade from 10.x to 11.6.1 or specific 11.5.3 and 11.5.4 engineering hotfixes with custom Certificate and Key in the clientssl profile.

Impact:
Unable to upgrade successfully and BIG-IP will be inoperative. You will be unable to log into the BIG-IP GUI. The error signature in /var/log/ltm will exist, and /config/bigip.conf will probably not exist.

Workaround:
Delete the following line from all ssl profiles in /config/bigpipe/bigip.conf: inherit-certkeychain false.

To complete the upgrade, run the following command: /usr/libexec/bigpipe load.

After config load is successful, run the following command:
tmsh save sys config && tmsh load sys config.

Fix:
Upgrade from 10.x now completes successfully with a valid clientssl profile, and produces no BIGpipe parsing error.


528987-3 : Benign warning during formatting installation

Component: TMOS

Symptoms:
The system posts a benign warning during formatting installation: warning: array conf_write could not find data disk.

Conditions:
This occurs during formatting installation.

Impact:
This is a benign error message that does not indicate an issue with the system. You can safely ignore it.

Workaround:
None needed. This is a cosmetic message.

Fix:
This benign warning during formatting installation has been eliminated: warning: array conf_write could not find data disk.


528881 : NAT names with spaces in them do not upgrade properly

Component: TMOS

Symptoms:
When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load.

Conditions:
The BIG-IP system must be configured with NATs that have spaces in their names. When an upgrade is performed to 11.5.0 through 11.5.3 or to 11.6.0 this can be triggered.

Impact:
The configuration does not load on the upgraded system.

Workaround:
Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).

Fix:
NAT names with spaces in them now upgrade properly.


528808-3 : Source NAT translation doesn't work when APM is disabled using iRule

Component: Access Policy Manager

Symptoms:
Source NAT translation does not happen and server-side connection fails.

Conditions:
ACCESS::disable iRule is added to the virtual server.

Impact:
Proxy's server-side connection fails.

Workaround:
Do not use the ACCESS::disable iRule command.

Fix:
Source address translation is now restored correctly even if an iRule has disabled APM.


528787-1 : PEM: RAR after a session is deleted via RADIUS/TMSH while the connection is down returns RAA with a success code.

Component: Policy Enforcement Manager

Symptoms:
PEM responds with RAA with the DIAMETER_SUCCESS code even though the session has been deleted.

Conditions:
The Diameter virtual is down, RADIUS sessions are then deleted via tmsh, and the Diameter virtual is then brought back up.

Impact:
The PCRF might be misled into thinking the session exists.

Workaround:
Make sure the PCRF sends RAR with at least one policy; PEM then responds with RAA with UNABLE_TO_COMPLY.

Fix:
PEM now sends RAA with the UNABLE_TO_COMPLY code if the session is marked for deletion.


528768-1 : Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication

Component: Access Policy Manager

Symptoms:
The BIG-IP system applies standard fully qualified domain name (FQDN) validation to the Active Directory server FQDN. Unfortunately, Microsoft allows non-standard FQDNs as well. (https://technet.microsoft.com/en-us/library/cc959336.aspx)
At the Non RFC strictness level, Active Directory allows additional "_" characters to be used anywhere in the DNS name. An AD server that has "_" in its DNS name cannot be used for the domain join operation to create a machine account, or as the authentication AD server for NTLM authentication.

Both the Multibyte and Any Character strictness levels can cause problems for our internal code; we do not support them.

Conditions:
AD server DNS name contains "_".

Impact:
The AD server cannot be used for domain join for machine account creation, or as the target authentication server for NTLM authentication.

Workaround:
To work around the problem, you can rename the Active Directory server.

Fix:
Now an Active Directory server DNS name that contains an underscore (_) can be used for a machine account and NTLM authentication.


528739-1 : DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.

Component: Local Traffic Manager

Symptoms:
DNS Caching might use cached data from ADDITIONAL sections of previous lookups in the ANSWER section of responses.

Conditions:
This occurs when using DNS Caching.

Impact:
The data from the ADDITIONAL section might be used in the ANSWER section of DNS responses. The data might be stale or incorrect.

Workaround:
None.

Fix:
The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.


528736-1 : When a TCP connection is aborting, TMM can crash with a "hud_oob consumed" message

Component: Local Traffic Manager

Symptoms:
TMM crashes with "hud_oob consumed" message in the log.

Conditions:
This is a rarely occurring edge case. It can be seen when TCP has been aborted and messages exist in an internal queue.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TCP now aborts correctly when there are messages in an internal queue.


528734-2 : TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.

Component: Local Traffic Manager

Symptoms:
In a Standard virtual server, a data segment will be retransmitted when an ICMP Type 3, Code 4, message with an MTU (greater than or equal to 0) is received. The retransmission occurs until there are no ICMP Type 3, Code 4 messages, a connection times out, or an ACK is received.

Conditions:
A router or client sends ICMP fragmentation-required messages with random MTU values. The MTU can be increasing, decreasing, unchanged, or 0.

Impact:
Packets might fill up the pipe and cause a minor outage.

Workaround:
None.

Fix:
TCP drops the second or later ICMP Type 3, Code 4 message. If the second packet is a valid ICMP packet, the downstream router will send another ICMP Type 3, Code 4 message.


528727-1 : In some cases HTML body.onload event handler is not executed via portal access.

Component: Access Policy Manager

Symptoms:
Internet Explorer 7 (and any newer version in compatibility mode) ignores inline body.onload event handler if it is already assigned in previously executed script. This may prevent execution of user-defined body.onload event handler in some cases if the page is accessed using Portal Access.

Conditions:
The problem occurs under these conditions:
Internet Explorer version 7 or newer in compatibility mode, and HTML page with inline body.onload event handler _and_ <script> or <meta> tags before <body> tag.

Impact:
Web application may work incorrectly.

Workaround:
It is possible to change the HTML page in an iRule converting inline body.onload event handler into an explicit JavaScript function assigned to the body.onload event using the attachEvent() call.

Fix:
Now HTML inline body.onload event handler is executed correctly in all cases if the page is accessed through Portal Access.


528726-3 : AD/LDAP cache size reduced

Component: Access Policy Manager

Symptoms:
When AD or LDAP Query module built a group cache, that cache contained an unnecessary attribute that was never used.

Conditions:
AD/LDAP Query module is configured with option that requires building of a local group cache.

Impact:
apd process size grows significantly after group cache is built. If several different caches are maintained at the same time, the process size can hit the 4 GB limit.

Fix:
Removed an unnecessary attribute from cache. As a result, the group cache size and APD process size have been reduced.


528715-1 : Rare TMM crash when an IPOther iRule parks

Component: Policy Enforcement Manager

Symptoms:
TMM may crash under a rare condition for traffic that goes through an IPOther virtual with an iRule script that parks the data flow. This only happens if a data flow that goes through the IPOther VIP is aborted while an iRule is parked on the same flow. When the iRule resumes, the IPOther VIP forwards the original packet, and TMM may crash when PEM uses data of the flow that has already been freed.

Conditions:
With PEM licensed/enabled, associate an iRule script containing an iRule command that parks (e.g., the table command) with the IPOther virtual. Then the data traffic that goes through the PEM IPOther virtual is aborted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A possible workaround is not to use iRule commands that park in the iRule script attached to the IPOther virtual. For example, some information can be retrieved with the PEM::session command instead of the table command. If an iRule command that causes parking must be used, then this fix is needed along with the fix for bug 484278.

Fix:
The crash has been fixed and should no longer be observed.


528701-2 : Sessiondump does not accept single dash options

Component: Access Policy Manager

Symptoms:
sessiondump switched to double-dash options like `sessiondump --list` and was no longer backward compatible with single-dash options like `sessiondump -list`.

Conditions:
This bug is only applicable if BZ 511900 is being integrated to an engineering hotfix for an 11.x version.

BZ 511900 was included in 12.0 and improved sessiondump performance but broke backward compatibility. However, the regression was identified during the 12.0 development, and was fixed before 12.0 released.

Impact:
Minimal impact. Only applies to customers that request and receive an engineering hotfix that includes BZ 511900 to get a faster sessiondump.

Functionality is the same, but utility scripts that were using the old commands will need to be updated to the new ones.

Workaround:
Use the double-dash options. The option names have not changed, and the functionality of sessiondump has not changed.

Fix:
sessiondump now accepts both double-dash and single-dash options.


528675-2 : BIG-IP EDGE Client can stay in the "disconnecting..." state indefinitely when the captive portal session expires

Component: Access Policy Manager

Symptoms:
The Edge Client can get stuck in the "disconnecting..." state if it is connected through a captive portal and the captive portal session expires. This happens when the BIG-IP EDGE Client keeps the HTTP connection to the captive portal probe URL alive.

Conditions:
BIG-IP EDGE Client for Windows connecting to BIG-IP APM on a network with an active captive portal.
The captive portal session expires before the user terminates the active Network Access connection.

Impact:
When a user runs into this condition, the BIG-IP EDGE Client for Windows cannot connect to the BIG-IP APM server without a restart.

Workaround:
The user can exit and restart the BIG-IP EDGE Client.

Fix:
The captive portal detection request has been modified to close the HTTP connection properly.


528548-2 : @import "url" is not recognized by client-side CSS patcher

Component: Access Policy Manager

Symptoms:
Links in CSS are not rewritten.

Conditions:
CSS which contains:
@import "url"
 or
@import 'url'

Impact:
Unrewritten requests result in errors and customer confusion, and pages render incorrectly.

Workaround:
A custom iRule can be used; no general workaround exists.

Fix:
Fixed CSS rewriting for:

 @import "URL"
  and
 @import 'URL'


528499 : AFM address lists are not sorted while trying to create a new rule.

Component: Advanced Firewall Manager

Symptoms:
AFM address lists are not sorted while trying to create a new rule.

Conditions:
Seen only in the rule creation page.

Impact:
AFM address lists are not sorted in the rule creation page.

Workaround:
None.

Fix:
AFM address lists are now sorted in the rule creation page.


528498-5 : Recently-manufactured hardware may not be identified with the correct model name and SNMP OID

Component: TMOS

Symptoms:
The model names and corresponding SNMP OIDs of BIG-IP and VIPRION hardware may not be identified correctly.

1. Under the 'tmsh show sys hardware' command, the 'Type' field under 'System Information' may show the alphanumeric Platform Identifier (e.g., C113) instead of the BIG-IP/VIPRION model name (e.g., 4200v).

2. The SNMP sysObjectID OID (1.3.6.1.2.1.1.2.0) may show a value of 'F5-BIGIP-SYSTEM-MIB::unknown' instead of the model-specific identifier.

Conditions:
This problem may occur when running older BIG-IP software releases on BIG-IP or VIPRION hardware platforms that were manufactured after the BIG-IP software release.

Each BIG-IP software release contains a database used to map platform hardware part numbers to BIG-IP or VIPRION model names.
If a BIG-IP or VIPRION hardware platform is manufactured after this BIG-IP software release, this new hardware may contain updates that result in a minor revision to its platform hardware part number.
If this revised platform hardware part number is not found in the database included in the BIG-IP software release, its corresponding model name cannot be determined.
The SNMP sysObjectID OID value is based on the resolved model name. If the model name cannot be determined, the SNMP sysObjectID OID returns 'F5-BIGIP-SYSTEM-MIB::unknown'.

Impact:
Unable to identify recently-manufactured BIG-IP or VIPRION hardware platforms.

Workaround:
1. Identify the hardware platform by its Platform ID, and correlate this to the Platform Name using SOL9476: The F5 hardware/software compatibility matrix at https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9476.html.

2. Query the SNMP F5-BIGIP-SYSTEM-MIB::sysPlatformInfoName.0 object to obtain the hardware identifier, and correlate this to the Platform Name (e.g., from the 'Platform support' in the appropriate BIG-IP software Release Notes).

Fix:
BIG-IP software correctly identifies recently-manufactured BIG-IP or VIPRION hardware platforms with the correct model name and SNMP sysObjectID OID.


528432-2 : Control plane CPU usage reported too high

Component: Local Traffic Manager

Symptoms:
The system CPU usage is reported as the higher of the data plane average and the control plane average. In certain cases, the control plane average was being calculated at about double its true value.

Conditions:
When the data plane CPU usage is lower than the control plane CPU usage. This can occur when there is little client traffic flowing through the BIG-IP but the control plane is busy, for example while installing software.

Impact:
Typically, since client traffic drives data plane CPU usage, control plane CPU usage is less than data plane CPU usage at normal client loads.

Workaround:
This can safely be ignored at low data plane usage and will not be evident when data plane usage increases.

Fix:
The calculation of the control plane CPU usage no longer includes other CPUs.


528407-4 : TMM may core with invalid lasthop pool configuration

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool.

Conditions:
1) BIG-IP system with VIP and lasthop pool with non-local pool member.
2) Sys db tm.lhpnomemberaction set to 2.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure lasthop pool to use local members/addresses.

Fix:
TMM no longer cores with an invalid lasthop pool configuration.


528310 : Upgrade failure when CertKeyChain exists in non-Common partition

Component: TMOS

Symptoms:
Pre-11.6.0 configuration may fail to load on a BIG-IP system running version 11.6.0 (or greater).

Conditions:
The configuration contains an SSL profile with an explicit Certificate Key Chain in a non-Common partition.

Impact:
This issue leads to a configuration load failure.

Workaround:
This issue has no workaround at this time.

Fix:
Certificate Key Chain will inherit its partition from the parent SSL profile on creation.


528276-7 : The device management daemon can crash with a malloc error

Component: TMOS

Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.

Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.

Impact:
The daemon crashes and recovers.

Workaround:
This issue has no workaround at this time.

Fix:
The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.


528247-1 : PEM: New Requested units empty when used units match granted service units

Component: Policy Enforcement Manager

Symptoms:
The Requested Service Units (RSU) field in the Gy CCR-U message is empty for certain rating group requests in the MSCC AVP.

Conditions:
The used service units match the granted service units exactly. (Extremely rare.)

Impact:
An empty RSU might cause the OCS to allocate an incorrect granted service unit for the rating group.

Workaround:
The OCS can ignore the Requested Service Unit AVP when it is zero, or simply use the Used Service Units AVP, since the RSU is empty.

Fix:
The RSU is no longer empty even when the used service units match the Granted Service Units AVP.


528238-1 : Quota policy added multiple times leads to reset of subscriber flows

Component: Policy Enforcement Manager

Symptoms:
Subscriber flows are reset when the session is provisioned for Gy quota management.

Conditions:
The same policy with a quota management action is added to the session multiple times through RAR (or CCA-U); after 32 installs, any flow for the session is reset.

Impact:
Flows being reset means subscribers have trouble using the service.

Workaround:
The PCRF should ensure that the same policy is not added to the session multiple times.

Fix:
Even if the same policy is added multiple times for the subscriber, flows are no longer reset.


528071-1 : ASM periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
ASM periodic updates (run via cron) write errors to log when ASM is not provisioned.

Conditions:
ASM is not provisioned.

Impact:
Errors appear in ASM logs.

Fix:
Errors no longer appear in ASM logs when ASM is not provisioned.


528031-3 : AVR not reporting the activity of standby systems.

Component: Application Visibility and Reporting

Symptoms:
When working in Active/Standby configurations, the standby system is completely ignored when generating an AVR report. The standby system might have been an active system in the past, so its statistics should also be counted.

Conditions:
Configuration with Active and Standby systems.

Impact:
Some historical activity might not be reported by AVR.

Workaround:
None.

Fix:
We added device group support, and the user can now choose the device group to query from.


528007-6 : Memory leak in SSL

Component: Local Traffic Manager

Symptoms:
An intermittent memory leak was encountered in SSL.

Conditions:
This can occur under certain conditions when using Client SSL profiles.

Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.

Workaround:
None.

Fix:
An intermittent memory leak in SSL was fixed.


527992-2 : tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client.

Component: Policy Enforcement Manager

Symptoms:
When the DHCP server flow is trying to connect to the same client flow that is already connected and not released, there might be a tmm crash.

Conditions:
This can occur when using the dhcpv6 profile.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client.


527861 : When many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.

Component: Application Security Manager

Symptoms:
When around 500 entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.

Conditions:
When around 500 entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen.

Impact:
The Configuration utility becomes unresponsive.

Workaround:
None.

Fix:
We limited the number of entities displayed on the "Illegal Meta Character in Value" manual traffic learning screen to a realistic limit in order to prevent the Configuration utility from becoming unresponsive.


527799-9 : OpenSSL library in APM clients updated to resolve multiple vulnerabilities

Vulnerability Solution Article: K16674 K16915 K16914


527762-1 : TLS vulnerability CVE-2015-4000

Vulnerability Solution Article: K16674


527742-4 : The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system

Component: Local Traffic Manager

Symptoms:
When creating a clientSSL profile on the active BIG-IP system, its inherit-certkeychain field is true by default; however, it appears to be false on the standby BIG-IP system.

Conditions:
BIG-IP systems are deployed in a high-availability (HA) configuration.

Impact:
All units in an HA configuration should have the same configuration and the same behavior. Mismatching units in the HA configuration might lead to unexpected mismatching behavior.

Workaround:
None.

Fix:
With the fix, the inherit-certkeychain field of a newly created client SSL profile is set correctly on a standby BIG-IP system.


527725-1 : BIG-IP crash caused by PSC::ip_address iRule is fixed

Component: Policy Enforcement Manager

Symptoms:
When using the PSC::ip_address iRule to get the IP list for DHCP-based subscriber discovery and RADIUS Authentication messages, the BIG-IP system crashed and restarted.

Conditions:
Using the PSC::ip_address iRule to get the IP address list in DHCP-based subscriber discovery and RADIUS Authentication messages.

Impact:
Causes the BIG-IP tmm to restart.


527639-2 : CVE-2015-1791 : OpenSSL Vulnerability

Vulnerability Solution Article: K16914


527638-2 : OpenSSL vulnerability CVE-2015-1792

Vulnerability Solution Article: K16915


527637-2 : PKCS #7 vulnerability CVE-2015-1790

Vulnerability Solution Article: K16898


527633-2 : OpenSSL vulnerability CVE-2015-1789

Vulnerability Solution Article: K16913


527630-1 : CVE-2015-1788 : OpenSSL Vulnerability

Vulnerability Solution Article: K16938


527537 : CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled

Component: TMOS

Symptoms:
Elevated CPU usage with CGNAT on 11.6 compared with 11.5 when carrying the same load.

Conditions:
- CGNAT lsn-pools
- High number of concurrent connections
- Persistence set to address-port and/or inbound enabled

Impact:
Elevated CPU usage reduces capacity.

Fix:
The sessionDB sweeper was changed to reduce the amount of work it does managing large bins.


527292-1 : BIG-IP crash caused by PSC::user_name iRule is fixed

Component: Policy Enforcement Manager

Symptoms:
When using the PSC::user_name iRule to get the user name for DHCP-based subscriber discovery and RADIUS Authentication messages, the BIG-IP system crashed and restarted, and the log also showed garbage information.

Conditions:
Using the PSC::user_name iRule to get the user name in DHCP-based subscriber discovery and RADIUS Authentication messages.

Impact:
Causes the BIG-IP tmm to restart.

Fix:
The PSC::user_name iRule no longer causes a crash.


527289-1 : TMM crashes with core when PSC::ip_address iRule is used to list IPs

Component: Policy Enforcement Manager

Symptoms:
TMM crashes with a core when trying to read the PSC::ip_address list.

Conditions:
The iRule is used to list IPs after setting them with the same iRule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed the crash caused by the PSC::ip_address and PSC::user_name iRules.


527149-3 : FQDN template node transitions to 'unknown' after configuration reload

Component: Local Traffic Manager

Symptoms:
An FQDN node that was available becomes 'unknown' after configuration load or reload.

Conditions:
This occurs in configurations containing FQDN nodes.

Impact:
An FQDN node template stays 'unknown' after configuration load or reload. This does not affect resolution or generation of ephemeral nodes.

Workaround:
None needed. This is cosmetic only.

Fix:
An FQDN node that was available now stays available after configuration load or reload.


527145-4 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
Occasionally SOD core dumps on shutdown during memory cleanup.

Conditions:
System shutdown. Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
Minimal additional impact on services because a shutdown was already in process.

Workaround:
None.

Fix:
Daemon no longer cores on shutdown due to internal processing error.


527094-1 : iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.

Component: TMOS

Symptoms:
GET on tm/ltm/data-group/internal/dg-name might show the following record entries:

...
"records": [
...
    {
      "name": "triple",
      "partition": "single",
      "subPath": "double",
      "data": "three"
    },
...
  ]
}

In fact, the record identifiers are not pathed, so the 'partition' and 'subPath' properties are meaningless.

Conditions:
Performing a GET operation on a data group, for example: GET tm/ltm/data-group/internal/dg-name.

Impact:
Misinformation in the API output. This is a cosmetic issue only. Ignore the 'partition' and 'subPath' properties.

Workaround:
None.

Fix:
iControl REST: the records collection in tm/ltm/data-group/internal/ now returns the correct data for the "name" object, and no longer returns the "partition" and "subPath" objects.


527076-1 : TMM crashes with core when PSC::policy iRule is used to set more than 32 policies

Component: Policy Enforcement Manager

Symptoms:
An iRule is used to set 32 or more policies.

Conditions:
An iRule contains 32 or more policies.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Check added to validate number of policies contained in iRule.


527075 : Update domain availability default settings

Component: Fraud Protection Services

Symptoms:
The Domain Availability feature default settings were not the latest from the research team.

This sometimes resulted in an ERR_INSECURE_RESPONSE error in the browser's debugging console.

Conditions:
Some varieties of Citadel were not detected.

Impact:
Some varieties of Citadel were not detected.

Workaround:
Receive updated settings from F5 Websafe representative.

Fix:
New Domain Availability defaults are imported.


527027-4 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP system are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.


527024-3 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP system are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.


527021-1 : BIG-IQ iApp statistics corrected for empty pool use cases

Component: TMOS

Symptoms:
BIG-IQ statistics gathering fails for HTTP iApps. The stats are collected periodically by an iCall script. A bug in the script causes a failure when the pool member count = 0.

Conditions:
The virtual has an empty pool (a common use case in SDN).

Impact:
Causes out-of-memory errors in scriptd.

Fix:
BIG-IP iApps now correctly provide statistics to BIG-IQ in empty-pool use cases.


527016-1 : CLASSIFICATION_DETECTED irule event results in tmm core

Component: Policy Enforcement Manager

Symptoms:
An iRule script that uses the CLASSIFICATION_DETECTED event may cause a tmm core.

Conditions:
An LTM iRule uses the CLASSIFICATION_DETECTED event, and the body of the script contains at least one iRule command that runs asynchronously.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Using the CLASSIFICATION_DETECTED iRule event no longer causes tmm to core.


527011-6 : Intermittent lost connections with no errors on external interfaces

Component: Local Traffic Manager

Symptoms:
Intermittent lost connections to virtual servers or pool nodes with no observable errors on external interfaces.
Errors are observed on internal interfaces using 'tmos show net interface -hidden'.

Conditions:
Normal operation. This can occur on BIG-IP 8950, 11000, and 11050 platforms.

Impact:
Lost connections

Workaround:
None.

Fix:
An issue with intermittent lost connections with no errors on the external interface has been corrected.


526974-1 : Data-group member records map empty strings to 'none'.

Component: TMOS

Symptoms:
When an empty string is applied to a data-group member record, it is converted to 'none'.

Conditions:
Record type is string.

Impact:
The data-group record's data is set to the literal string 'none', even though the user entered an empty string ''.

Workaround:
None.

Fix:
Data-group member records no longer map empty strings to 'none'.


526856-1 : "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency

Component: Application Security Manager

Symptoms:
"Use of uninitialized value" appears as a warning rarely upon UCS installation due to ASM signature inconsistency.

Conditions:
UCS file is installed with internal ASM signature inconsistency.

Impact:
"Use of uninitialized value" warning appears in output.

Fix:
"Use of uninitialized value" warning no longer appears upon UCS install.


526817-4 : snmpd core due to mcpd message timer thread not exiting

Component: TMOS

Symptoms:
snmpd might occasionally experience a thread deadlock condition and be restarted (with a core dump) by sod.

Conditions:
This can occur during an SNMP configuration change.

Impact:
snmpd occasionally becomes unresponsive for the duration of the configured snmpd heartbeat timeout.

Workaround:
After an SNMP configuration change on the BIG-IP system, the deadlock timing issue can be avoided by manually restarting snmpd.

Fix:
snmpd no longer becomes unresponsive for the duration of the configured snmpd heartbeat timeout during configuration changes.


526810-5 : Crypto accelerator queue timeout is now adjustable

Component: Local Traffic Manager

Symptoms:
In order to diagnose crypto queue stuck errors, the timeout value for stuck crypto accelerator queues may now be adjusted using the crypto.queue.timeout DB variable.

The timeout value may be specified in milliseconds using the crypto.queue.timeout DB variable. The default value is 100 milliseconds.

Conditions:
This is only needed if you are getting errors in /var/log/ltm with this signature: crit tmm1[9829]: 01010025:2: Device error: crypto codec qa-crypto0-1 queue is stuck.

Impact:
Adjusting the queue timeout may help in certain configurations where SSL acceleration is the performance bottleneck.

Fix:
The crypto accelerator queue timeout may now be specified in milliseconds using the crypto.queue.timeout DB variable.


526786-1 : Session lookup fails

Component: Policy Enforcement Manager

Symptoms:
1. Existing session S1 is created with IP1 and IP2.
2. The session is replaced by S2 with the IP1 and IP2 addresses; delete is called for S1.
3. IP1 is the master, so IP2 is forwarded to the remote TMM to set the mapping.
4. The remote TMM looks up the existing mapping for IP2, finds session S2, and tries to look up session S2.
5. Before the lookup completes, S2 is deleted.
6. The callback for the S2 lookup now fails.

Conditions:
The remote TMM looks up the existing mapping for IP2, finds session S2, and tries to look up session S2.

Impact:
The callback fails.

Workaround:
N/A

Fix:
Fixed the IP mapping set when the session being replaced is deleted.


526774 : Search in FW policy disconnects GUI users

Component: Advanced Firewall Manager

Symptoms:
GUI disconnects due to a timeout when doing search on the active rules page with a large number of context objects.

Conditions:
A wildcard search on the active rules page with many objects causes the GUI to hang.

Impact:
Makes the BIG-IP system unusable.

Workaround:
The query to search for matches was optimized to omit context objects that did not have any rules.

Fix:
The query to search for matches was optimized to omit context objects that did not have any rules.


526754-2 : F5unistaller.exe crashes during uninstall

Component: Access Policy Manager

Symptoms:
f5unistaller.exe crashes; the dump points to a double free in the SGetRegistryAsString function.

Conditions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\DisplayName contains zero-length data.

Impact:
f5unistaller crashes.

Workaround:
Using the crash dump created, PD can determine the value of *. If data is placed into that DisplayName key, it no longer triggers this defect.


526699-6 : TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.

Component: Global Traffic Manager

Symptoms:
A BIG-IP DNS system configured with an iRule that uses the nodes_up command in its ip_address::port form might crash.

Conditions:
- BIG-IP DNS iRule processing traffic with nodes_up IP/Port command.
- IP/Port references an invalid LTM virtual server.
- Client sends requests to the BIG-IP DNS wide IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify the correct IP/Port in the nodes_up iRule command.

Fix:
TMM no longer crashes when using an incorrect IP/Port in a nodes_up BIG-IP DNS iRule.


526677-1 : VMware Horizon HTML5 View access client can not connect when using View Connection Server running version 6.1.1

Component: Access Policy Manager

Symptoms:
When an APM & Horizon v6.1.1 deployment is configured to use an APM Full Webtop, the HTML5 client will not launch correctly. A new tab will open and the user will see an HTTP 405 error on that page.

Conditions:
View Connection Server backend is running version 6.1.1.

Impact:
HTML5 Client access will stop working.

Fix:
Starting with the 6.1.1 release of View Connection Server, the communication protocol used by the View HTML5 client has changed.

This change breaks BIG-IP APM's HTML5 View client implementation, so APM users cannot use this client to access their View Desktop.

This fix implements the new View communication protocol to support launching the View HTML5 client from an APM Full Webtop.


526637-4 : tmm crash with APM clientless mode

Component: Access Policy Manager

Symptoms:
A condition that occurs when using APM in clientless mode can cause a rare tmm crash.

Conditions:
Only occurs on 11.5 and later, and while using clientless mode 3. This crash has been very difficult to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm will no longer crash in APM clientless mode; it now sends a reset.


526617-1 : TMM crash when logging a matched ACL entry with IP protocol set to 255

Component: Access Policy Manager

Symptoms:
When TMM finds a matching ACL entry while enforcing the ACL, and that ACL entry is configured to produce a log entry as well, and the IP protocol for that packet is 255, then TMM crashes.

Conditions:
1. Log is enabled for that ACL entry.
2. IP protocol is set to 255.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ACL logging.

Fix:
TMM no longer crashes when logging a matching ACL entry for IP datagram with protocol set to 255.


526578-1 : Network Access client proxy settings are not applied on German Windows

Component: Access Policy Manager

Symptoms:
Network Access client proxy settings are not applied on German Windows with Internet Explorer 10 under obscure conditions.
If the APM address is not in the Trusted Sites list, the issue reproduces reliably.
Windows shows empty fields in the proxy settings UI of Internet Explorer.

Conditions:
Client machine has Windows with German localization.
Client machine has Internet Explorer 10.
The APM address is not in the Trusted Sites list, or other obscure conditions apply.

Impact:
Network Access works in an unexpected way: the client ignores proxy settings.

Workaround:
Run IE as administrator, or update to IE 11.

Fix:
Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer.


526514-1 : Open redirect via SSO_ORIG_URI parameter in multi-domain SSO

Vulnerability Solution Article: K26738102


526492-2 : DNS resolution fails for Static and Optimized Tunnels on Windows 10

Component: Access Policy Manager

Symptoms:
When Static and Optimized Tunnels are used on Windows 10 desktop, accessing a backend server by hostname will fail.

Conditions:
1. Windows 10 desktop
2. Static or Optimized Tunnels are used

Impact:
No access to backend servers using hostnames.

Workaround:
None.

Fix:
DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.


526419-1 : Deleting an iApp service may fail

Component: TMOS

Symptoms:
Deleting an iApp service may fail with an error message like this:

01070712:3: Can't load node: 839 type: 4

Conditions:
Unknown.

Impact:
You can't delete an iApp.

Workaround:
Save the configuration. Edit the relevant configuration file to remove the iApp service. Reload the configuration.

Fix:
Deleting an iApp service formerly could fail with an error message like this:

01070712:3: Can't load node: 839 type: 4

This is no longer possible.


526368-1 : The number of IPv4 addresses per Gx session exceeds the limit of 1

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when it detects the number of IPv4 addresses per Gx session exceeds the limit of 1.

Conditions:
The number of IPv4 addresses per Gx session exceeds the limit of 1.

Impact:
TMM crashes.

Workaround:
N/A

Fix:
The session is now reprovisioned only if the PPE session ID is set.


526367-3 : tmm crash

Component: Local Traffic Manager

Symptoms:
tmm cores and restarts.

Conditions:
It is not known what causes this, but it is related to use of DTLS in the serverssl profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to DTLS.


526295-3 : BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id

Component: Policy Enforcement Manager

Symptoms:
When using a PEM iRule to create a session with calling-station-id and called-station-id, the BIG-IP system will crash in debug mode.

Conditions:
1. PEM is provisioned.
2. BIG-IP system is running in debug mode.
3. PEM iRule is used to create session with calling-station-id and called-station-id.

Impact:
The BIG-IP system crashes.

Workaround:
Create PEM sessions with iRules that do not set calling-station-id and called-station-id, and add the two attributes separately using the PEM info iRule.

Fix:
With the fix, the problematic iRule is now working as expected and does not cause any crash.


526277-1 : AFM attack may never end on AVR dos overview page in a chassis based BIGIP

Component: Advanced Firewall Manager

Symptoms:
In a BIG-IP chassis, it is possible for the AFM "attack started" event and "attack stopped" event to happen on two different slots of the chassis. In that case, avrd is not able to detect and report the "attack stopped" event, and the user continues to see "attack ongoing" on the DoS Overview page.

Conditions:
This happens only on a BIG-IP chassis-based system with multiple slots, and only if the AFM DoS "attack started" and "attack stopped" events are delivered to different slots.

Impact:
The AFM DoS Overview page still shows the attack as ongoing after it has actually stopped, which is confusing to the user.

Workaround:
None.

Fix:
The AFM DoS Overview page now always detects when an attack has stopped.


526275-1 : VMware View RSA/RADIUS two factor authentication fails

Component: Access Policy Manager

Symptoms:
VMware View client fails to authenticate with APM configured for RSA/RADIUS two factor authentication.

Conditions:
APM is configured for VMware View proxy with RSA or RADIUS two factor authentication, and the VMware View client is used.

Impact:
User sees a confusing error message.

Workaround:
Click "OK" on an error message "The username or password is not correct. Please try again.". Enter valid AD credentials and login again.

Fix:
Now APM correctly handles VMware View RSA/RADIUS two factor authentication.


526162-7 : TMM crashes with SIGABRT

Component: Application Security Manager

Symptoms:
TMM crashes with SIGABRT (sod crashes the tmm). This error appears in the LTM logs:
HA daemon_heartbeat tmm fails action is go offline down links and restart

Conditions:
IP reputation is turned on, and the IP reputation database is reloaded.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed a rare scenario where TMM was halted when the IP reputation daemon was loading a new IP reputation database.


526124 : Parameter matching inconsistency

Component: Fraud Protection Services

Symptoms:
Sometimes valid parameters from the request are not matched to configured protected parameters. This may work correctly in one browser while failing in another.

Conditions:
The request is bigger than one xfrag and the parameter name is split across two xfrags.

Impact:
Configured parameter won't be matched.

Workaround:
Remove unimportant cookies or add dummy cookies to shift the parameter name inside the request. This may resolve the issue; behavior differs between browsers.


526084-3 : Windows 10 platform detection for BIG-IP EDGE Client

Component: Access Policy Manager

Symptoms:
The session.client.platform variable contains "Win8.1" for BIG-IP Edge Client on Windows 10.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM was enhanced to report session.client.platform session variable for BIG-IP Edge Client on Windows 10.


526031-2 : OSPFv3 may not completely recover from "clear ipv6 ospf process"

Component: TMOS

Symptoms:
Open Shortest Path First version 3 (OSPFv3) Link link-state advertisements (Link LSAs) may not be re-originated from the BIG-IP system if a neighboring router sends the LSA back to the BIG-IP system.

Conditions:
Blade failover occurs on a chassis, 'clear ipv6 ospf process' is run, or ospf6d crashes.

Impact:
Routes from Link LSAs generated by the BIG-IP may be missing in the OSPFv3 network.

Workaround:
Disable OSPFv3 on the BIG-IP system until the Link LSA has been purged from the network. To do so, remove OSPFv3 from the route domain for approximately 10 seconds and then add it back.

Fix:
Link LSAs are correctly re-originated by the BIG-IP system when the LSAs are sent to the BIG-IP by a neighbor router.


525989-2 : A disabled blade is spontaneously re-enabled

Component: Local Traffic Manager

Symptoms:
If a secondary blade in a 'ready' state becomes primary and then is quickly disabled, it does not send a cluster packet for ten seconds. A new primary, therefore, is not elected for ten seconds (the heartbeat timeout), instead of immediately as expected. The other blades, including the new primary, never receive the message that the blade was set to disabled, so the blade is re-enabled without the user requesting it.

Conditions:
This occurs only if the blade disable operations occur very shortly after the primary blade is moved.

Impact:
A blade that the user expects to be disabled is spuriously re-enabled. User interfaces to access configuration, such as tmsh and the GUI might hang for the ten-second interval. The system posts an error message similar to the following: load_config_files: '/usr/bin/tmsh -n -g load sys config partitions all base' - failed. -- Unexpected Error: Saving and loading configuration is only allowed on the primary slot.

Workaround:
Wait ten seconds after disabling a blade before disabling another blade.

Fix:
A previously disabled blade is no longer spuriously re-enabled if the primary blade is moved around quickly.


525958-11 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.

Component: Local Traffic Manager

Symptoms:
In a specific combination of events TMM may core.

Conditions:
This occurs when the following conditions are met:
  - Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
  - That address is not directly connected.
  - The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure correct routing to all destinations with reachable next hops.

Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.


525882-2 : SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate.

Component: Local Traffic Manager

Symptoms:
SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate causing TMM memory leakage over time.

Conditions:
A clientssl profile is in use and the client presents a certificate for verification.

Impact:
TMM memory leak.

Workaround:
None.

Fix:
Client certificate verification now releases all references and the memory leak no longer occurs.


525860-2 : PEM: Duplicate sessions formed with same IP

Component: Policy Enforcement Manager

Symptoms:
For a single IP address, two sessions are shown in the system by pem_sessiondump --list.

Conditions:
Create a static subscriber configuration without the IP address and send a RADIUS start to create a session with two IP addresses. Delete the master IP (the first one) and send a RADIUS start with the same IP.

Impact:
Duplicate sessions create confusion as to which session is the active one used for an IP.

Workaround:
Make sure a RADIUS stop is received for both IP addresses before sending a new RADIUS start.

Fix:
This issue has been fixed; duplicate sessions are no longer created for the same IP address.


525708-1 : AVR reports of last year are missing the last month data

Component: Application Visibility and Reporting

Symptoms:
Reports are missing the latest data collected for them. Each report type is missing a different portion of the data, relative to the report type. This issue becomes very noticeable when creating long-term reports. For example, a 'last-year' report might omit the last month's data, a 'last-month' report might omit the last week's data, and so on.

Conditions:
Any report that covers a long history time range.

Impact:
The presented data can be confusing and misleading.

Fix:
A new data aggregation mechanism has been added, so that all reports include activity up to the last hour.
There is an option to make it available even for the last 5 minutes, although that might lead to too much CPU and disk load every 5 minutes.
There is also an option to turn off this new aggregation mechanism if you are not interested in accurate long-history reports and the aggregation task that runs once an hour is too heavy for the system.


525675 : SSL with forward proxy can leak memory

Component: Local Traffic Manager

Symptoms:
Under some conditions, SSL with forward proxy might leak memory.

Conditions:
Forward proxy is enabled on a BIG-IP system that is running multiple TMM instances.

Impact:
Service degradation leading to an eventual reboot.

Workaround:
None.

Fix:
SSL with forward proxy no longer leaks memory.


525672-2 : tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.

Component: Local Traffic Manager

Symptoms:
tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.

Conditions:
- Virtual server (vs1) configured with SSL forward proxy.
- vs1 is attached to an iRule that has the following events and actions:
  CLIENT_ACCEPTED does TCP::collect, CLIENT_DATA does TCP::release, and CLIENTSSL_CLIENTHELLO does an SNI lookup.

Impact:
A double SNI lookup happens instead of a single lookup, causing a tmm memory leak and eventual out-of-memory.

Workaround:
None.

Fix:
SSL with forward proxy no longer leaks memory.


525633-1 : Configurable behavior if PCRF returns unknown session ID in middle of session.

Component: Policy Enforcement Manager

Symptoms:
If PEM sends a CCR-U and the PCRF responds with a CCA-U (the PCRF lost the session), PEM ignores the response and continues to send CCR-U.

Conditions:
The PCRF lost the session (reboot/failover) and responds to session update requests with an unknown session ID.

Impact:
The session remains for a long period of time with the PCRF not acknowledging it.

Workaround:
So that the PCRF can recover the session context, it is recommended that you delete the session on the PEM side (configurable) and also recreate the same session (configurable).

When the PCRF indicates that the session ID is unknown, set the following sys db variable to TRUE to have PEM delete the session: tmm.pem.diameter.application.trigger.delete.onPeer.failure.

To have PEM recreate the session, set the following sys db variable to TRUE: tmm.pem.session.ppe.recreate.afterPeerFailure.

Fix:
The PCRF no longer returns an unknown session ID in the middle of a session.


525595 : Memory leak of inbound sockets in restjavad.

Component: Device Management

Symptoms:
restjavad might run out of memory due to inactive sockets piling up in memory. The symptom is 'Out of memory' messages in /var/log/restjavad.0.log, after which any new REST calls fail. The URL that fails is random.

Conditions:
Occurs after a few hours of use.

Impact:
Memory leak of inbound sockets in restjavad. restjavad becomes inoperative.

Workaround:
Restart restjavad with the following command:
bigstart restart restjavad
Note: You can run the command periodically from a cron script.

Fix:
Inbound sockets in restjavad no longer cause a memory leak.


525562-1 : Debug TMM Crashes During Initialization

Component: Access Policy Manager

Symptoms:
The debug version of TMM (tmm.debug) generates a core file and fails to start up.

Conditions:
This issue happens when running the debug version of TMM on a multi-blade chassis or vCMP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the default version of TMM (tmm.default).

Fix:
Removed unnecessary debug assert statements from TMM.


525557 : FQDN ephemeral nodes not re-populated after deleted and re-created

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force deleted may not repopulate as expected.

Conditions:
This issue occurs when there is a Sync group and multiple FQDNs resolve to the same IP address.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:
This issue has no workaround at this time.

Fix:
FQDN ephemeral nodes are now repopulated after force deletion.


525522 : Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains

Component: Advanced Firewall Manager

Symptoms:
A redirect loop may happen for some users, when the Proactive Bot Defense feature is enabled, and the deployment consists of multiple domains.

Conditions:
Proactive Bot Defense is enabled on a DOS profile that is assigned to a Virtual Server, and the deployment consists of multiple domains.

Impact:
Some users may occasionally be blocked from accessing certain URLs of a website due to a redirect loop. In most cases, a page refresh attempted by the user will load the page properly.

Workaround:
Applying the following iRule works around the problem:

when HTTP_REQUEST {
   if { [HTTP::cookie exists "TSPD_101_R0"] } {
      if { [HTTP::cookie exists "TSPD_101"] } {
         HTTP::cookie remove "TSPD_101"
      }
   }
}

Fix:
Occasional redirect loops caused by the Proactive Bot Defense mechanism no longer occur when multiple domains are deployed.


525478-2 : Requests for deflate encoding of gzip documents may crash TMM

Component: WebAccelerator

Symptoms:
When searching for documents in the gzip cache, if a document has been cached with gzip encoding but a non-deflate compression method (i.e., CM != 0x08) and the client has requested deflate compression, TMM may crash.

Conditions:
-- WAM/AAM enabled on VIP.
-- HTTP compression enabled on VIP.
-- Document served with gzip encoding and non-deflate compression.
-- Document has entered the gzip cache.
-- Client HTTP request specifies deflate encoding.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that only the deflate method is used in gzip-compressed documents that will be cached by WAM/AAM. With most web servers this is the default behavior and cannot be changed.

Alternatively, remove the 'Accept-Encoding: deflate' header using an iRule so that no clients can request deflate encoding.
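As an added example (not from the original release note), the following iRule strips only the deflate token from the Accept-Encoding request header while leaving other codings such as gzip intact. The HTTP_REQUEST event and HTTP::header commands are standard iRule commands; the token parsing, including handling of optional ";q=" parameters, is this example's own.

```tcl
# Added example, not part of the F5 release note: remove "deflate" from
# Accept-Encoding so no client can request deflate of a cached gzip document.
when HTTP_REQUEST {
    if { [HTTP::header exists "Accept-Encoding"] } {
        set kept [list]
        # Accept-Encoding is a comma-separated list; each token may carry
        # a ";q=" parameter, e.g. "gzip, deflate;q=0.5, br".
        foreach token [split [HTTP::header value "Accept-Encoding"] ","] {
            set token [string trim $token]
            if { $token eq "" } { continue }
            set coding [string tolower [string trim [lindex [split $token ";"] 0]]]
            if { $coding ne "deflate" } {
                lappend kept $token
            }
        }
        if { [llength $kept] > 0 } {
            # Rewrite the header with the remaining codings only.
            HTTP::header replace "Accept-Encoding" [join $kept ", "]
        } else {
            # The client accepted only deflate: drop the header so the
            # response is served uncompressed instead of crashing TMM.
            HTTP::header remove "Accept-Encoding"
        }
    }
}
```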

Fix:
TMM now correctly handles requests for deflate compression of cached gzip documents with non-deflate compression methods.


525448-1 : Max TPS is always 0

Component: Application Visibility and Reporting

Symptoms:
When "Max TPS and Throughput" is enabled in the analytics profile, the Max TPS metric is expected to appear in Statistics ›› Analytics : HTTP : Transactions (view-by: Virtual Servers, Measurement: Max TPS). The bug is that it is always 0.

Conditions:
Always

Impact:
Max TPS shows 0 instead of the valid number.

Fix:
Max TPS now shows the real number.


525429-12 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
The OpenSSL library was modified to keep it compatible with the RFC 6347 compliant DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library is modified to be compatible with RFC 6347.
The current APM client is compatible with the old OpenSSL library, not the new OpenSSL library.

Impact:
The current APM client is not compatible with the new OpenSSL library.

Fix:
The APM client is now compatible with both the old and new OpenSSL libraries.


525416-1 : List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed.

Component: Policy Enforcement Manager

Symptoms:
IP addresses show up in an order that is not expected.

Conditions:
Always occurs.

Impact:
Nothing functional.

Workaround:
None.

Fix:
Added code to display the IP addresses in the order they were added to the session.


525384-2 : Network Access PAC file can now be located on an SMB share

Component: Access Policy Manager

Symptoms:
Network Access web components or Edge Client fail to download the PAC file if it is located on an SMB share, for example as
file:////pac.file.hoster.local/config.pac.

Conditions:
Network Access with Client Proxy Settings enabled, and
the PAC file path set to a location on an SMB share.

Impact:
It is impossible to configure Network Access with a PAC file located on an SMB share.

Workaround:
Put the PAC file on an HTTP server and configure Network Access accordingly.

Fix:
Network Access components can now obtain the PAC file from an SMB share.


525322-7 : Executing tmsh clientssl-proxy cached-certs crashes tmm

Component: Local Traffic Manager

Symptoms:
tmm crashes while executing the "tmsh clientssl-proxy cached-certs" command.

Conditions:
An SSL forward proxy virtual server with a clientssl profile whose full name, including the partition name (for example /Common/<profilename>), is longer than 32 characters.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Keep profile names shorter than 32 characters, or do not run the command until the fix is applied.

Fix:
The "tmsh clientssl-proxy cached-certs" command will now run successfully with profile name lengths longer than 32 characters.


525283-1 : Add obfuscator tuning tools

Component: Fraud Protection Services

Symptoms:
It is difficult for F5 consultants to debug the WebSafe module.

Conditions:
N/A

Impact:
It is difficult for F5 consultants to debug the WebSafe module.

Workaround:
None.

Fix:
Tools have been added to help consultants fine-tune the FPS obfuscator for better performance.


525232-1 : PHP vulnerability CVE-2015-4024

Vulnerability Solution Article: K16826


525175-1 : Fix a crash issue when querying SSP with multi-ip.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when querying SSP with multi-IP configured.

Conditions:
Querying SSP with multi-IP configured.

Impact:
TMM crash.

Workaround:
N/A

Fix:
TMM no longer crashes when querying SSP with multi-IP configured.


524960-2 : 'forward' command does not work if virtual server has attached pool

Component: Local Traffic Manager

Symptoms:
The iRule 'forward' command does not result in connections being routed to the proper destination if the virtual server has an attached pool.

Conditions:
Virtual server with:
  - Pool.
  - iRule that issues 'forward' commands.

Impact:
Connections are routed to pool member instead of destination determined by network routes.

Workaround:
Remove the pool assigned to the virtual server and select the pool from an iRule with the 'pool' command whenever the 'forward' command is not issued.

Fix:
The 'forward' command now releases the previously selected pool member so that the connection is routed based on the packet destination, as expected.


524909-2 : Windows info agent could not be passed from Windows 10

Component: Access Policy Manager

Symptoms:
APM endpoint check action "Windows Info agent" was not able to detect Windows 10 clients.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM now supports the Windows Info action on Windows 10 clients.


524791-3 : non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0

Component: TMOS

Symptoms:
An interrupted poll() call in the non_blocking_receive and non_blocking_send functions in RemoteMcpConn.cpp is not handled properly.

Conditions:
Run a script processing async transactions in parallel with a script running basic REST calls.

Impact:
Either icrd_child will lock up or various calls will fail with 'operation canceled' response messages.

Workaround:
None.


524780-1 : TMM crash when querying the session information

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when querying the session information using "tmsh show pem sessiondb subscriber-id "

Conditions:
Using tmsh show pem sessiondb subscriber-id to query session information.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
The display order of multiple IP addresses is restored to the order in which they were added.


524756 : APM Log is filled with errors about failing to add/delete session entry

Component: Access Policy Manager

Symptoms:
APM log is filled with the following error when the issue occurs:

May 21 16:34:16 bigip4013mgmt err tmm2[20158]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)

Conditions:
If a session times out before it completes policy evaluation, APM still attempts to delete its marker from the established session namespace, which results in an ERR_NOT_FOUND error.

Impact:
There is no functional impact. However, the APM log may become useless if the volume of this error is high.

Fix:
Access Filter now skips session marker deletion if the timed-out session is not in established state.


524753-1 : IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip

Component: TMOS

Symptoms:
The IPsec tunnel interface presents the IPsec service via the regular network interface. Inherently, the self-IP address should allow external hosts to connect to the BIG-IP over TCP/UDP at this IP address. However, the connection is hairpinned back to the IPsec tunnel interface.

Conditions:
Create an IPsec tunnel interface and assign a self-IP with "allow-service all" so that the self-IP may accept external connections. At the other end of the IPsec tunnel, attempt a TCP connection using "telnet" and observe that the "telnet" command fails.

Impact:
The BIG-IP cannot provide certain services hosted on the BIG-IP, such as BGP over TCP.

Workaround:
An iRule can be created to forward external connections to the IPsec tunnel self-IP to the host IP 127.0.0.1. Example:

ltm virtual http_host {
    destination 10.99.0.11:80
    ip-forward
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        fastl4_stateless { }
    }
    rules {
        local_node
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}
ltm rule local_node {
    when CLIENT_ACCEPTED {
         node 127.0.0.1 80
    }
}

10.99.0.11 is the self-IP of the IPsec tunnel interface.

Fix:
The BIG-IP can now properly handle TCP/UDP connections made to it over the IPsec interface using its tunnel self-IP.


524748-1 : PCCD optimization for IP address range

Component: Advanced Firewall Manager

Symptoms:
The PCCD blob size grows too large with a large-scale policy configuration, which causes slow compilation and serialization.

Conditions:
Large-scale policy configuration.

Impact:
Slow compilation/serialization and large pccd blob.

Workaround:
N/A

Fix:
With the PCCD IP address range optimization, PCCD compilation/serialization time and blob size are reduced.


524666-3 : DNS licensed rate limits might be unintentionally activated.

Component: Local Traffic Manager

Symptoms:
DNS licensed rate limits might be unintentionally activated.

Conditions:
This might occur with a license in which DNS services are unlimited, but BIG-IP DNS (formerly GTM) is limited.

Impact:
DNS licensed rate limits might be unintentionally activated. Rate counters activate even though rates are unlimited, which unnecessarily uses CPU cycles. Also, features that indirectly look at rate flags, such as hardware DNS, might deactivate improperly even though rates are unlimited.

Workaround:
None.

Fix:
DNS licensed rate limits are now handled as expected.


524641-1 : Wildcard NAPTR record after deleting the NAPTR records

Component: Local Traffic Manager

Symptoms:
There is a DNS query issue when adding/deleting a NAPTR record through ZoneRunner.

Conditions:
After deleting a specific NAPTR record, the previously added wildcard NAPTR record fails for wildcard dig queries and the system does not show the correct subdomains.

Impact:
Wildcard NAPTR record call fails after deleting the NAPTR records.

Workaround:
None.

Fix:
Wildcard NAPTR record call now completes successfully after deleting the NAPTR records.


524606-1 : SELinux violations prevent cpcfg from touching /service/mcpd/forceload

Component: TMOS

Symptoms:
'cpcfg' fails when copying configurations to an adjacent boot location.

Conditions:
11.5.3 and 11.6.0 installed on two boot locations.

Impact:
'cpcfg' cannot be used.

Workaround:
Re-install the software to the target volume; the configuration is rolled forward properly as the final step of the software installation.

Fix:
Corrected a parameter count mismatch.


524605-2 : Requests/responses may not be fully delivered to plugin in some circumstances

Component: Local Traffic Manager

Symptoms:
If a plugin disables itself when encountering a request or response it is not interested in, subsequent requests or responses on the same connection may not be fully delivered to the plugin, causing the plugin and/or user application to function incorrectly.

Conditions:
The one known case where this occurs is when the WebSafe module is deployed and user applications being processed on WebSafe connections make use of POST requests.

Impact:
WebSafe connections may not function correctly. The problem is intermittent and depends on both the application and browser behaviors.

Workaround:
None.

Fix:
Plugins now receive the full request/response for additional requests/responses on the same connection after encountering a request/response they are not interested in.


524490-4 : Excessive output for tmsh show running-config

Component: TMOS

Symptoms:
The tmsh show running-config command displays many default configuration items. Although the output does display the user-configured items as expected, default configuration items are not expected to appear in the output.

Conditions:
tmsh show sys running-config.

Impact:
The presence of excessive default configuration items makes the tmsh show running-config output parsing difficult.

Workaround:
None.

Fix:
tmsh show sys running-config shows minimal default configuration.


524428-1 : Adding multiple signature sets concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signature sets concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signature sets are added concurrently using REST.

Impact:
Some signature set REST add actions will fail due to deadlock.

Workaround:
Wait until signature set add action has completed in REST before issuing the next add.

Fix:
Multiple signature sets can be added concurrently using REST.


524409-1 : Fix TMSH show and reset-stats commands for multi-ip sessions defect.

Component: Policy Enforcement Manager

Symptoms:
TMSH show and reset-stats commands do not work properly for multi-IP sessions.

Conditions:
Sessions are multi-IP sessions with at least one IPv6 address.

Impact:
reset-stats does not clear individual IP stats.

Workaround:
N/A

Fix:
The TMSH pem sessiondb show and reset-stats commands now work with the all-properties option.
The pem_session_mult_ip_data_stats struct did not include the IPv6 prefix length information.


524374-1 : TMM may crash if a PEM report format script with iRules is executed on top of an existing parked iRule

Component: Policy Enforcement Manager

Symptoms:
TMM may crash under a race condition: PEM flow reporting with a format script that contains iRules accessing information from/to different TMMs is executed while another iRule that accesses different TMMs is already parked on the connection/flow, and the connection/flow is reset.

The fix does not execute the format script if it sees that an iRule is already parked for that flow. As a result, no log message is sent in this case. In versions before the fix, the user may have seen a log with stale information, or duplicate logs. After the fix, no log is sent in the situation described above.

Conditions:
1. PEM flow reporting is enabled with a format script that contains iRules accessing information from/to different TMMs.
2. An iRule script that accesses information from/to a different TMM (that is, one that will be parked on the connection/flow) is being executed and is parked on the connection/flow.
3. The connection/flow is reset.
4. The PEM flow reporting with the format script in #1 gets executed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A patch is needed for this TMM crash under the race condition when PEM flow reporting with a format script is required along with iRules.

Fix:
The issue is fixed by making sure that PEM flow reporting with a format script is not executed if it detects that another iRule script is already parked on the flow. However, given that this is a quite rare race condition, the PEM flow reporting with the format script will be triggered again when the reporting condition (volume or time based) is met and there is no concurrent iRule script parked.


524326-4 : Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips

Component: TMOS

Symptoms:
Current configuration validation will allow a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created/loaded without at least one IP address, the configuration will fail to load.

Conditions:
User has deleted the last IP address on a GTM server.

Impact:
Configuration load will fail. If the GTMs are in a sync group, this will also break sync because the config change cannot be loaded by any GTM.

Workaround:
User must either delete the server from the config if it has no more valid IPs, or must add at least one IP to the server's IP address list.

Fix:
Extended MCPD validation to ensure any deleted GTM link/GTM server addresses do not leave parent objects without addresses.


524300-2 : The MOS boot process appears to hang.

Component: TMOS

Symptoms:
When a BIG-IP 2000 series or BIG-IP 4000 series device is booted into MOS (either manually or as a result of a user running the image2disk utility), the MOS boot process appears to hang. In reality, MOS boots successfully, but loses its connection to the BIG-IP system's serial console.

Conditions:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 is booted into MOS.

Impact:
If you booted into MOS manually, you cannot carry out the tasks that you had set out to do. You must reset the device (either physically or via the AOM menu) to recover it.

If the system booted into MOS automatically (as a result of a user running the image2disk utility to perform a clean installation), the installation completes successfully and the system reboots correctly at the end of the installation. However, you cannot see and follow the re-imaging process because of this issue. In this case, you can watch the (seemingly hung) serial console until the system reboots by itself.

Workaround:
You can work around this issue by performing a temporary installation of BIG-IP version 12.0.0 to a new boot slot.
No further action is required. This temporary installation of BIG-IP version 12.0.0 can be deleted once completed.
This temporary installation of version 12.0.0 has the effect of upgrading MOS to a version which resolves this issue.

Fix:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 that is booted into MOS now retains its connection to the serial console.


524198-1 : PEM: Invalid HSL log generated when session with static subscriber is deleted.

Component: Policy Enforcement Manager

Symptoms:
Invalid HSL logs are generated when a static subscriber session is deleted.

Conditions:
HSL logging is configured in the subscriber policy and a static subscriber session is deleted.

Impact:
Invalid HSL log lines create discrepancies in the logs.

Workaround:
Manually filter out these lines from HSL logs.

Fix:
This issue has been fixed; no more extra lines appear in HSL logs.


524185 : Unable to run lvreduce

Component: TMOS

Symptoms:
Unable to run lvreduce command due to missing program 'blockdev'. (The missing program 'blockdev' is part of the util-linux-extras package.)

Conditions:
Attempting to reallocate disk resources when upgrading a vCMP system.

Impact:
Cannot reallocate the vmdisks app volume.

Workaround:
Acquire the /sbin/blockdev executable from a different BIG-IP device running version 11.6.0-HF6 or 12.x, and install it on the BIG-IP device affected by this issue.

Note: If the receiving system is a multi-blade VIPRION, you must install the file on each blade.

If you do not have a suitable donor device available, you can contact F5 Support, who will be able to supply the executable to you.

Note: Using a blockdev executable from another source is not recommended.

Fix:
The blockdev utility is now present, so you can run the lvreduce command to reallocate the vmdisks app volume.


524032-1 : Control sending alerts during the source integrity learning process

Component: Fraud Protection Services

Symptoms:
False positive alerts might be sent during the source integrity learning process.

Conditions:
Learn mode is configured for a tag, and the URL's content is dynamic.

Impact:
Source integrity low severity alerts are sent on every mismatch, before a mature value has been learned.

Fix:
The sending of low score alerts during the source integrity learning process is now controlled by a DB variable.


524004-1 : Adding multiple signatures concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signatures concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signatures are added concurrently using REST.

Impact:
Some signature REST add actions will fail due to deadlock.

Workaround:
Wait until signature add action has completed in REST before issuing the next add.

Fix:
Multiple signatures can be added concurrently using REST.


523995-2 : IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes

Component: Local Traffic Manager

Symptoms:
TMM can crash and ECMP routes via IPv4 link-local addresses may not work correctly.

Conditions:
This happens only for a specific IP range with dynamic routing and multiple next hops.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using the 169.254 prefix.

Fix:
ECMP routes work correctly and TMM does not crash.


523922-4 : Session entries may timeout prematurely on some TMMs

Component: TMOS

Symptoms:
In certain scenarios, session entries may not be refreshed when the TMM that owns the entry is used to process the connection.

Conditions:
When the TMM owning the session entry is different from the TMM handling the connection and the entry is retrieved (for example via the iRule command "session lookup uie"), the timeout is extended.

When the TMM owning the entry and the one handling the connection are the same, the entry may not have its timeout changed, leading to premature removal.

Impact:
Different TMMs may behave differently and cause confusion when using the session table.

Workaround:
None

Fix:
Session table entries now consistently get their timeout values touched in all scenarios.


523867-3 : 'warning: Failed to find EUDs' message during formatting installation

Component: TMOS

Symptoms:
The following message may appear on the console:

warning: Failed to find EUDs
warning: Failed to get volume id for EUD

Conditions:
This warning occurs during a formatting installation.

Impact:
No impact. The message was intended to be logged at the 'info' level.

Workaround:
N/A

Fix:
The 'warning: Failed to find EUDs' diagnostic message during installation has been changed from a warning to info.


523863-2 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
The bash shell would print a cryptic error and the help did not clarify how to make it work.

Workaround:
Research bash shell options for the cryptic error.

Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.


523854-1 : TCP reset with RTSP Too Big error when streaming interleaved data

Component: Service Provider

Symptoms:
An RTSP connection containing interleaved streams is aborted mid-stream, causing loss of data. This occurs when there is packet loss and retransmission due to an unreliable connection. An RST is sent by the BIG-IP with cause "Too big".

There is an RTSP profile parameter, Maximum Header Size. When the RTSP filter receives a burst of reassembled stream data that exceeds this size, it aborts with that RST cause. When this parameter is raised above the value of the Maximum Queued Data parameter, that parameter is exceeded instead and the RST cause is "Hudfilter abort". When both parameters are raised much higher, an abort is less likely, but can still occur with cause "Out of memory" (which is a false report, as the system is not out of memory).

Conditions:
RTSP profile configured.
Interleaved stream.
Packet retransmissions due to an unreliable connection.

Impact:
RTSP traffic is interrupted or dropped.
TCP session is reset with a cause of "Too Big" or "Hudfilter abort".

Workaround:
Set both the Maximum Header Size and Maximum Queued Data values to a value greater than 64 KB. This reduces the likelihood of failure, but is only a partial workaround.

Fix:
RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission.


523803 : Support two-factor authentication for Citrix Receivers in StoreFront proxy mode

Component: Access Policy Manager

Symptoms:
Citrix Receivers do not detect 2-factor authentication when connecting to APM.

Conditions:
APM is configured as StoreFront proxy and 2-factor authentication is used.

Impact:
Citrix Receivers do not detect 2-factor authentication.

Workaround:
To enable 2-factor authentication, put a Variable Assign agent in front of the Logon Page in VPE with the following expression: session.citrix.client_auth_type = expr {"1"}.

Fix:
Added support for two-factor authentication for Citrix Receivers in StoreFront proxy mode.

Behavior Change:
Two-factor RSA+AD auth for Citrix Receiver clients now requires a new VPE configuration when APM is configured in StoreFront Integration mode. Note: To avoid a potential issue, if Citrix Receiver was already configured against APM, the Receiver accounts must be recreated.


523642-5 : Power Supply status reported incorrectly after LBH reset

Component: TMOS

Symptoms:
On BIG-IP appliances with the Backplane Micro-Controller Hybrid (LBH) type of Always-On-Management device, Power Supply status reporting and enumeration may function incorrectly if the LBH resets due to a watchdog reboot or other cause.

Conditions:
This may occur on BIG-IP 2000-/4000-series, BIG-IP 5000-/7000-series, and BIG-IP 10000-/12000-series platforms.

Impact:
Resets of the LBH device occur very rarely.
When this issue occurs, the status reporting and enumeration of appliance power supplies may be inaccurate.
Errors may be reported when attempting to obtain sensor values from non-present power supplies.
Power supply presence, status and identification may be reported incorrectly following power supply removal or reinsertion.

Workaround:
To work around this issue and restore correct reporting of power supply status, you can restart the chmand process. To do so, perform the following procedure:

Impact of workaround: Restarting the chmand process also restarts core BIG-IP system daemons such as TMM. Running this procedure interrupts traffic processing.

1. Log in to the BIG-IP command line.
2. To restart the chmand process, type the following command:
bigstart restart chmand

Fix:
Power Supply status is now reported correctly after LBH reset.


523527-6 : Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.

Component: TMOS

Symptoms:
If you upgrade directly from version 10.x to version 11.2.0 or later with a working dynamic routing protocol configuration, you may find that the routing protocol is disabled after the upgrade.

Conditions:
- Upgrade from 10.x to 11.2.0 or later.
- Routing protocol enabled in tmrouted dbkeys.
- No route domain 0 (RD0) configuration exists; that is, all VLANs use the default RD0 and RD0 has no comment, so there is no RD0 entry in bigip_base.conf.

Impact:
Routing protocol information is missing from RD0, ZebOS is not running (although configured).

Workaround:
There are several workarounds to this issue:
  - Cause the RD0 configuration to exist by adding a comment to the RD0 description field in 10.x and saving before the upgrade.
  - Re-add the routing protocol to the RD0 configuration after the upgrade.
  - Perform an intermediate upgrade from 10.x to 11.0.0 or 11.1.0 before upgrading to 11.2.0 or later.

Fix:
Routing protocols are now correctly configured on Route Domain 0 (zero) (RD0) after upgrade to version 11.2.0 or later.


523513-3 : COMPRESS::enable keeps compression enabled for a subsequent HTTP request.

Component: Local Traffic Manager

Symptoms:
COMPRESS::enable keeps compression enabled for a subsequent HTTP request.

The response for the first HTTP request enables the compression, but it is not used since the payload is empty. For the second HTTP request (whose URI indicates that it is not supposed to be compressed), the system still compresses the response because the first request did not disable compression.

Conditions:
Subsequent HTTP requests in the same TCP connection:
- The first HTTP response has an empty payload and enables compression.
- The second HTTP response is still compressed.

Impact:
Unintended compression for subsequent HTTP responses.

Workaround:
Disable compression in the else case manually in the iRule using COMPRESS::disable.

Fix:
Compression is now disabled after an HTTP response with empty payload for iRule-based enabling.
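The workaround above relies on the iRule disabling compression explicitly in the else branch. The following iRule is an added example, not part of this release note: it shows that pattern, with the "/static/" URI prefix and the per-request `do_compress` variable chosen here for illustration only.

```tcl
# Added example (not from the release note). Decide per request whether the
# response should be compressed, and call COMPRESS::disable explicitly in the
# else case so that an earlier response with an empty payload cannot leave
# compression enabled for later requests on the same keep-alive connection.
when HTTP_REQUEST {
    # "/static/" is an assumed prefix for responses that should be compressed.
    if { [HTTP::uri] starts_with "/static/" } {
        set do_compress 1
    } else {
        set do_compress 0
    }
}

when HTTP_RESPONSE {
    if { $do_compress } {
        COMPRESS::enable
    } else {
        # Without this branch, the compression state from a previous
        # response on the same connection would carry over.
        COMPRESS::disable
    }
}
```

Setting the decision in HTTP_REQUEST and applying it in HTTP_RESPONSE keeps the state per request rather than per connection, which is the behaviour this fix restores.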


523471-2 : pkcs11d core when connecting to SafeNet HSM

Component: Local Traffic Manager

Symptoms:
Very occasionally, using the SafeNet hardware security module (HSM) results in a pkcs11d core.

Conditions:
This occurs when the SafeNet HSM is used. Because of the rare and intermittent nature of the issue, other required conditions are not known.

Impact:
pkcs11d cores, and HSM-based SSL traffic fails. This occurs as a result of the SafeNet library. It is not a BIG-IP system-specific issue.

Workaround:
None.

Fix:
The SafeNet library has been updated, and pkcs11d no longer cores intermittently.


523465-2 : Log an error message when firewall rule serialization fails due to maximum blob limit being hit.

Component: Advanced Firewall Manager

Symptoms:
Prior to the fix, if AFM rule serialization failed in pktclass-daemon, it was not possible to tell whether the failure was caused by an out-of-memory (OOM) condition or by the maximum blob limit being reached. Both errors were logged as OOM in /var/log/ltm.

Conditions:
AFM rule serialization fails because the maximum blob limit is reached.

Impact:
It is hard to determine that serialization failed because of the maximum blob limit.

Workaround:
None

Fix:
With the fix, an AFM rule serialization failure caused by the maximum blob limit is logged as such in /var/log/ltm, making it easier to identify the cause of the failure.


523434 : mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object

Component: TMOS

Symptoms:
mcpd on secondary blades may restart and log an error of the following form: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_http_virtual_data_source) object ID (44). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_http_virtual_data_source status:13)... failed validation with error 17237812.

Conditions:
The exact conditions under which this occurs are not well understood. The immediately triggering event is a change in the cluster's primary blade.

Impact:
All services on an affected blade restart.

Workaround:
None.

Fix:
mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade.


523431-2 : Windows Cache and Session Control cannot support a period in the access profile name

Component: Access Policy Manager

Symptoms:
An access profile name containing a period will not work when using Windows Cache and Session Control. For example '/Common/test.profile' will not work. When evaluating the access policy, an end-user will be redirected to an error page.

Conditions:
Applies to any APM with Windows Cache and Session Control.

Impact:
Access Profile names cannot include a dot.
Invalid name: '/Common/profile.name'
Valid name: '/Common/profile_name'

Fix:
One of the PHP files for cache control has a regex that looks for invalid access profile names. This regex had previously flagged any profile name with a period to be invalid. The regex has been updated to allow periods.


523390-2 : Minor memory leak on IdP when SLO is configured on bound SP connectors.

Component: Access Policy Manager

Symptoms:
Several bytes of memory are leaked when SAML SSO is executed on BIG-IP system, configured as an Identity Provider (IdP), when the Service Provider (SP) connector has single logout (SLO) configured.

Conditions:
BIG-IP is used as Identity Provider, and SLO is configured for bound SP Connector.

Impact:
Several bytes of memory are leaked.

Workaround:
To work around the problem, disable SLO on SP connectors.

Fix:
Fixed memory leaks in the SAML Identity Provider (IdP) when SLO is configured in a Service Provider (SP) connector.


523327-2 : In very rare cases Machine Certificate service may fail to find private key

Component: Access Policy Manager

Symptoms:
The non-elevated client component is able to find the certificate but not the private key, while the machine cert service/F5 Elevation Helper fails to find the certificate at all.

f5certhelper.txt (helper) or logterminal.txt (in the windows\temp folder, for the service) contains:

1, , 0, , EXCEPTION - CCertInfo::FindCertificateInStore: CertFindCertificateInStore failed with error code: 80092004

Conditions:
IE/Edge Client is not running under Admin user.
Special certificate is used.

Impact:
User fails to pass access policy.

Workaround:
Run IE/BIG-IP Edge Client under administrator.

Fix:
Now both service and elevation helper can find those specific certificates.


523313-1 : aced daemon might crash on exit

Component: Access Policy Manager

Symptoms:
When the aced process is going to exit (daemon shutdown/restart), it might generate a core file intermittently.

Conditions:
This issue occurs when aced daemon shuts down.

Impact:
This causes a core file to be generated.

Workaround:
This issue has no workaround at this time.

Fix:
The aced process no longer intermittently generates a core file.


523305-1 : Authentication fails with StoreFront protocol

Component: Access Policy Manager

Symptoms:
Wyse clients fail to authenticate through APM.

Conditions:
Wyse clients fail to authenticate through APM when APM is configured for the StoreFront proxy protocol.

Impact:
Authentication fails.

Workaround:
N/A

Fix:
Added support for the StoreFront protocol for Wyse clients.


523296-1 : TMM may core when using iRule custom actions in PEM policies

Component: Policy Enforcement Manager

Symptoms:
TMM cores.

Conditions:
When using custom iRule actions in a PEM policy, triggering a use of the action or modifying the action will cause the TMM to reset.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using custom iRule actions in PEM policies.

Fix:
The memory holding the custom action was freed to a different pool than the one it was allocated from; the correct free routine is now used.


523261-1 : ASM REST: MCP Persistence is not triggered via REST actions

Component: Application Security Manager

Symptoms:
Some REST calls that affect security policies (create, delete, association to virtual servers, and changing language encoding) should persist the change to the BIG-IP configuration files after they complete, but do not.

Conditions:
REST API is being used to manage Security Policies.

Impact:
If the device is restarted, the configuration may be lost.

Workaround:
Perform any other action that persists the configuration, such as an ASM configuration change through the GUI or any LTM configuration change.

Fix:
Configuration is now correctly persisted when required after ASM REST actions.


523260-1 : Apply Policy finishes with coapi_query failure displayed

Component: Application Security Manager

Symptoms:
GUI actions to apply policy appear to fail with an error message regarding coapi_query.

Conditions:
Unknown.

Impact:
The policy is correctly applied locally; the coapi_query error message occurs after the commit.
This error, however, prevents correct device group synchronization of the change.

Workaround:
Use REST API to apply the policy:

POST https://<MGMT_IP>/mgmt/tm/asm/tasks/apply-policy
{
    "policy": {
        "fullPath": "/Common/<POLICY_NAME>"
    }
}

Fix:
This release fixes an error that intermittently caused the Apply Policy action to fail.


523222-6 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

Component: Access Policy Manager

Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

If an access policy has Redirect ending, the Citrix HTML5 client will fail to start with HTTP 400 error.

Conditions:
Citrix Storefront configured in integration mode through APM.

Impact:
The HTML5 client is not usable for this kind of integration.

Fix:
Fixed Citrix HTML5 handling code so that it works fine with the Redirect endings in access policies.


523201-2 : Expired files are not cleaned up after receiving an ASM Manual Synchronization

Component: Application Security Manager

Symptoms:
If a device only receives full ASM sync files from its peers, it never performs cleanup of files that are no longer needed.

Conditions:
An ASM manual synchronization device group is being used.

Impact:
May eventually lead to disk space exhaustion.

Workaround:
None.

Fix:
Files are now correctly cleaned up after loading a new configuration.


523158-2 : In VPE, if the LDAP server returns "cn=" (lower case), DN/group matching fails

Component: Access Policy Manager

Symptoms:
In rare cases, when the DN is returned with "cn=" in lower case, the VPE fails to match group names.

Conditions:
The LDAP server returns "cn" in lower case.

Impact:
Group mapping does not work.

Workaround:
No workaround.

Fix:
Fixed to support "CN" in both upper and lower case.


523125 : Disabling/enabling blades in cluster can result in inconsistent failover state

Component: TMOS

Symptoms:
Not all blades in the cluster agree about the high availability (HA) status.

Conditions:
Disabling and enabling blades in a chassis that is configured to use HA Groups can sometimes result in a blade staying in standby even though the other blades in the chassis have gone active.

Impact:
When the blades disagree about active/standby state, traffic might be disrupted.

Workaround:
None.

Fix:
Disabling/enabling blades in cluster no longer results in inconsistent failover state.


523079-2 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.


523032-6 : qemu-kvm VENOM vulnerability CVE-2015-3456

Vulnerability Solution Article: K16620


522997-3 : Websso cores when it tries to shutdown

Component: Access Policy Manager

Symptoms:
Websso core file is generated when it is in the process of shutting down.

Conditions:
Websso can be shutdown and restarted for many reasons. For example, when provisioning happens or when a mcpd or tmm process restarts.

Impact:
The impact is minimal because Websso cores during shutdown and will be restarted correctly.

Workaround:
No workaround

Fix:
Websso now handles shutdown events gracefully, and no core file is generated.


522934 : Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy

Component: Policy Enforcement Manager

Symptoms:
Some PCRFs require the subscription ID in all CCR messages over Gx/Gy for easier session management.

Impact:
Some PCRFs will not work properly with PEM if the subscription ID is not specified in CCR-U and CCR-T messages.

Workaround:
Set the sys db variable Tmm.diameter.application.encode.subscriber.id.in.all.ccr to True to include the Subscription ID in CCR-U and CCR-T messages as well. By default it is set to True.


522933-1 : diam_app_process_async_lookup may cause TMM crash

Component: Policy Enforcement Manager

Symptoms:
TMM may crash.

Conditions:
TMM may crash in diam_app_process_async_lookup when traffic is sent to a virtual server that has a Gx profile.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed a double free of the serdes message.


522878-1 : Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.

Vulnerability Solution Article: K82679059


522871-1 : [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)

Component: TMOS

Symptoms:
Nested wildcard deletion deletes all of the objects (matched or not matched).

Conditions:
Use deletion in a nested TMSH command. For example:

tmsh modify gtm server GTM1 virtual-servers delete {f*}

This deletes all virtual servers even if none of the servers match. The same issue applies to pool members.

Impact:
All objects are deleted, instead of those targeted for delete.

Workaround:
None.

Fix:
Nested wildcard deletion now deletes matched objects only.


522837-1 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:
None.

Fix:
Ensured that connections are not deleted twice when shutting down, so mcpd no longer cores.


522791-2 : HTML rewriting on client might leave 'style' attribute unrewritten.

Component: Access Policy Manager

Symptoms:
In some cases, the 'style' attribute of HTML tag containing CSS styles is not rewritten.

Conditions:
This happens when HTML is added to a page using document.write or assignment to innerHTML.

Impact:
Images added with inline CSS styles are not displayed.
The browser sends requests directly to the backend.

Workaround:
Use an iRule to rewrite the 'style' attribute before adding HTML to the page.

Fix:
The HTML 'style' attribute is correctly rewritten for any tag.


522784-2 : After restart, system remains in the INOPERATIVE state

Component: Local Traffic Manager

Symptoms:
After restarting, it is normal for the system to remain in some state other than "Green/Active" for a few minutes while the system daemons complete their initialization.

During this time the following advanced shell command may produce one or more lines of output:

# bigstart status | grep waiting

However, if this condition persists for more than five minutes after access to the root shell via the management interface is available, then you may be experiencing this defect.

Conditions:
BIG-IP versions 11.5.x, 11.6.x or 12.0.x that have received the fix for bug 502443 but *not* 522784, may experience this issue. There are no officially supported BIG-IP releases that have this condition.

Impact:
As long as the system remains in the INOPERATIVE state, neither LTM nor ASM will function.

Workaround:
In order to work around this problem, de-provision ASM.

Fix:
Resolves a deadlock at startup, when LTM and ASM are provisioned, that may occur as a result of the fix for 502443.


522579-1 : TMM memory leak when RAR messages received from PCRF to delete for a non-existing sessions in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM memory leak. Memory consumption of TMM increases constantly and never reduces.

Conditions:
RAR messages with the session-release cause are received from the PCRF for sessions that PEM does not have.

Impact:
Memory leak and eventually TMM will have to be restarted.

Workaround:
Make sure RAR messages are not sent for sessions that do not exist in PEM.

Fix:
This issue has been fixed. TMM no longer leaks memory when RAR messages with the session-release AVP set are received for non-existent sessions in PEM.


522332-1 : Configuration upgrade of httpclass which has the 'hosts' attribute done incorrectly

Component: TMOS

Symptoms:
A configuration containing the deprecated 'httpclass' with the 'hosts' attribute is converted, on upgrade to a later version, into an LTM policy with the condition 'http-host host values (value)'.

Conditions:
Needs a config with the 'httpclass' in it, which has the hosts attribute. F5 has replaced the HTTP Class profile with the introduction of the Local Traffic Policies feature in BIG-IP 11.4.0. During an upgrade to BIG-IP 11.4.0, if your configuration contains an HTTP Class profile, the BIG-IP system attempts to migrate the HTTP Class profile to an equivalent local traffic policy. You can find more information in SOL14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later, available here: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14409.html.

Impact:
The policy tries to match only the 'host' part of the HTTP Host header. The policy should be trying to match 'all' (that is, 'host' and 'port') instead.

Workaround:
Manually edit the config after upgrade to convert 'http-host host' to 'http-host all', for example:
http-host {
    host <======
    values { tempbus.ladpc.net.il:3433 }
}

to

http-host {
    all <======
    values { tempbus.ladpc.net.il:3433 }
}

Fix:
Fixed the upgrade script to convert using the attribute 'all' instead of 'host'.


522310-3 : ICMP errors cause the associated FastL4/TCP connection to be reset

Component: Local Traffic Manager

Symptoms:
When there are ICMP unreachable errors, the associated FastL4/TCP connection is reset by the BIG-IP.

Conditions:
There is an end-to-end connection from a client to a server through the BIG-IP system, and an ICMP error occurs on the connection from the BIG-IP system to the pool member.

Impact:
FastL4/TCP connection from the client to BIG-IP will be reset.

Fix:
Provides a DB variable, "TM.FastL4_rst_on_icmp", which is enabled by default. When enabled, the connection is reset on ICMP errors. If the DB variable is disabled, ICMP errors do not result in the connection being torn down by the BIG-IP system.


522268-2 : hostagentd memory leak on VCMP hosts

Component: Device Management

Symptoms:
hostagentd may leak memory on BIG-IPs with VCMP provisioned.

Conditions:
VCMP provisioned with VCMP guests deployed.

Impact:
hostagentd will grow to consume all available host memory, which may eventually affect other services and overall system performance.

Workaround:
None.

Fix:
This release resolves the memory leak that occurred when publishing VCMP host statistics to guests.


522231-3 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache, TMM may crash, causing failover and a restart of AAM. A profile from another BIG-IP module (other than AAM and LTM) on the virtual server may contribute to the issue.

Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) Client resets a connection immediately after the request is done and the response has not started to serve.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Install the fix.

Fix:
Fix removes the condition when AAM starts to serve the response to the already aborting connection.


522147-2 : 'tmsh load sys config' fails after key conversion to FIPS using web GUI

Component: Local Traffic Manager

Symptoms:
The web GUI does not save the configuration after key conversion to FIPS.

Conditions:
On a Cavium-FIPS BIG-IP system, create a normal key and then convert it to FIPS using the web GUI.

Impact:
'tmsh load sys config' fails

Workaround:
Two possible workarounds:
1) Run 'tmsh save sys config' after converting the key to FIPS using the web GUI.
2) Convert the normal key to FIPS using tmsh instead of the web GUI.

Fix:
The web GUI now properly saves the configuration after key conversion to FIPS.


522141-1 : Tmm cores while changing properties of PEM policies and rules.

Component: Policy Enforcement Manager

Symptoms:
If a policy with session reporting is configured on the bigip, and the policy is changed to remove this action, then a tmm core is observed rarely.

Conditions:
This core only occurs when session reporting is configured, and while traffic is being processed, this policy is modified to remove the session reporting action.

Impact:
This core occurs rarely, and hence would not have a significant impact.

Fix:
Deleting a session reporting action will not cause a tmm core.


522140-1 : Multiple IPs are not added through an iRule after the iRule sets the session state to provisioned

Component: Policy Enforcement Manager

Symptoms:
An iRule that sets the session state to provisioned may not add multiple IPs.

Conditions:
An iRule that adds multiple IPs is used when the session is provisioned.

Impact:
The IPs are not present in the session.

Workaround:
N/A

Fix:
The callback context connflow is now released after the session state is set asynchronously.


521835-2 : [Policy Sync] Connectivity profile with a customized logo fails

Component: Access Policy Manager

Symptoms:
Policy sync failed with a customized logo in connectivity profile.

Conditions:
Configure a customized logo on the connectivity profile.
Associate the profile with the access profile through a virtual server.
Start a policy sync.

Impact:
Policy Sync fails.

Workaround:
Keep the default logo for connectivity profile. After syncing to target, customize directly on the devices.

Fix:
A user can include a customized logo in a connectivity profile and sync it.


521774-3 : Traceroute and ICMP errors may be blocked by AFM policy

Component: Local Traffic Manager

Symptoms:
ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.

Conditions:
The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.

Impact:
Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.

Workaround:
If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.


521773-2 : Memory leak in Portal Access

Component: Access Policy Manager

Symptoms:
Memory consumption of "rewrite.*" processes is growing constantly.
On a manually taken core file, the result of the following command is large (more than 100000):
zcat <core-file.gz> | strings -n 15 | grep "^/f5-w-" | wc -l

Conditions:
Memory leaks occur in cases where POST request content can be modified by Portal Access (for example, XML).

Impact:
Rewrite processes may use all available memory on the box and then cause 'Out of memory' condition and failover.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed a memory leak of request URLs in the rewrite plug-in.


521763-1 : Attack stopped and start messages should not have source/dst ip addresses in log messages

Component: Advanced Firewall Manager

Symptoms:
Attack start and stop messages in DoS logging should not include the source/destination IP addresses, but the code was printing them.

Conditions:
The dstip/srcip fields were logged when an attack started or stopped in the AFM DoS code.

Impact:
Attack start and stop log messages in DoS will not have srcip and dstip.

Workaround:
None

Fix:
The source/destination IP fields in attack start and stop messages are now logged as NULL.


521711-4 : HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual

Component: Local Traffic Manager

Symptoms:
If the client sends a non-keepalive CONNECT request (in HTTP 1.0 with no Connection header, in 1.1 with Connection: close) to a OneConnect-enabled virtual server, HTTP forces the connection closed by sending FIN on both client and server flows, even if the server responds with a 200. If the connect is successful, HTTP should leave flows open regardless of the HTTP headers.

Conditions:
- HTTP and OneConnect profiles are attached to the virtual server.
- Client sends a non-keepalive CONNECT request (either a 1.0 request with no Connection header, or a 1.1 request with a 'Connection: close' header).
- Server responds to the CONNECT request with successful 200 OK.

Impact:
HTTP adds a Connection: close header when responding to the client after a successful response is received from the server. In addition, HTTP closes the connection by sending FIN on both client and server flows. If the server responds to the CONNECT request with 200 OK, the connection should remain open.

Workaround:
You can use the following iRule to work around this issue:

   when HTTP_REQUEST {
      if { [HTTP::method] eq "CONNECT" } {
        HTTP::disable
      }
   }

Fix:
HTTP now keeps the connection open if client sends a non-keepalive request and server responds with 200 OK on One-Connect enabled virtual. This is correct behavior.


521683-1 : PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs

Component: Policy Enforcement Manager

Symptoms:
The PEM session for the subscriber is not replaced with a new one.

Conditions:
When the same RADIUS start message is sent three or more times.

Impact:
Because the session is not replaced, the old policy continues to be applied to the session.

Workaround:
Make sure a RADIUS stop is sent for the subscriber before a new RADIUS start is sent.

Fix:
This issue has been fixed. The session is now replaced regardless of how many RADIUS start messages are received for the subscriber.


521655-2 : Session hangs when trying to switch state to provisioned

Component: Policy Enforcement Manager

Symptoms:
Sessions may hang when an iRule switches the session state.

Conditions:
Applying an iRule to a client data virtual server may cause the session state to hang.

Impact:
The session state hangs.

Workaround:
N/A

Fix:
The callback context connflow is now released after the session state is set asynchronously.


521556-1 : Assertion "valid pcb" in TCP4 with ICAP adaptation

Component: Service Provider

Symptoms:
TMM crashes with assertion "valid pcb" in tcp4.c

Conditions:
Virtual server with request-adapt or response-adapt profile.
Congested client or TCP small window (flow-control is active).
Multiple HTTP requests in a single client connection.
More likely with iRules that park.

Impact:
Intermittent crash under load.

Fix:
Assertion "valid pcb" does not occur.


521548-6 : Possible crash in SPDY

Component: Local Traffic Manager

Symptoms:
In very rare circumstances related to SPDY protocol handling together with a compression profile a crash may occur.

Conditions:
This is very rare and the exact circumstances are unclear. It involves SPDY, a compression profile, a congested client connection, and a stream being reset by the browser (using a RST_STREAM frame).

Impact:
Very rarely a crash may occur.

Workaround:
Don't apply the compression profile.

Fix:
A sporadic crash when using SPDY together with a compression profile no longer occurs.


521538-2 : Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known

Component: Local Traffic Manager

Symptoms:
After failover of an L4 flow that is using keep-alive, the keep-alive transmissions do not resume after traffic has flowed through the BIG-IP system.

Conditions:
Using HA mirroring of L4 connections with keep-alive enabled on the TCP profile. After a failover, there was traffic before the flow timed out, and then the traffic became idle. If there is no traffic after failover, the correct sequence numbers are unknown, and the flow timing out due to inactivity is expected behavior. If there is traffic after failover, the correct TCP sequence numbers are known, so when the flow then becomes idle, keep-alive transmissions should resume.

Impact:
Flows after failover with TCP keep-alive age out and expire even if traffic is available to set the sequence numbers. Depending on the configuration options, subsequent packets may reset or transparently create a new flow (if TCP loose initiation is enabled).

Workaround:
None.

Fix:
Keep-alive transmissions now resume after failover of flows on an L4 virtual server when the sequence number is known.


521522-3 : Traceroute through BIG-IP may display destination IP address at BIG-IP hop

Component: Local Traffic Manager

Symptoms:
When performing traceroute through a BIG-IP device, the traceroute utility may display the destination IP in place of the hop where BIG-IP is located, instead of a Self IP address of the BIG-IP device at that hop.

Conditions:
No return route for the client IP address exists on the BIG-IP device.

Impact:
There is no impact to the performance of traffic through the BIG-IP device. The impact occurs only when reading and interpreting the results of a traceroute utility.

Workaround:
If possible and allowed, add a route entry for the traceroute client subnet.

Fix:
Traceroute through BIG-IP now displays a Self IP address of the BIG-IP device at that hop. This is correct behavior.


521506-2 : Network Access doesn't restore loopback route on multi-homed machine

Component: Access Policy Manager

Symptoms:
Network Access on Windows doesn't restore loopback route for one adapter on multi-homed (Ethernet + Wi-Fi) machine.

Conditions:
This issue happens if:
1. Network Access was established via Ethernet
2. Ethernet cable was unplugged
3. Network Access reconnects using Wi-Fi
4. Ethernet cable is plugged in back

Impact:
Minor routing issues may occur because one special loopback route is removed. To restore this route, the affected adapter must be disabled and re-enabled.

Fix:
Fixed issues causing improper routing table management.


521455-2 : Images transcoded to WebP format delivered to Edge browser

Component: WebAccelerator

Symptoms:
The Microsoft Edge browser does not support, and cannot render WebP format images. The AAM image optimization framework improperly classifies the Edge browser as being capable of supporting WebP and delivers WebP-transcoded images to such clients.

Conditions:
Both the AAM system's image optimization and the "optimize for client" setting must be enabled, and the associated acceleration policy and application must be associated with one or more virtual servers.

Impact:
Some images will fail to render on the Edge browser.

Workaround:
Disable the "optimize for client" attribute in the applicable policies' acceleration assembly settings.

Fix:
Transcoded WebP images are no longer served to the Edge browser.

By default, transcoded JPEG-XR is also no longer served to the Edge browser, but the db variable ccdb.allow.edge.jpegxr may be used to override this.


521408-3 : Incorrect configuration in BigTCP Virtual servers can lead to TMM core

Component: Local Traffic Manager

Symptoms:
An incorrect configuration in an iRule associated with a BigTCP virtual server can cause TMM to core.

Conditions:
The following circumstances are needed:
   - A BigTCP virtual server.
   - A FastL4 profile with syncookies enabled.
   - An invalid iRule that fails to execute on LB_FAILED.
   - SYN cookies active at that moment.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Correct or remove the iRule event and the core will no longer occur.

Fix:
TMM now correctly handles the specific scenario to no longer core.


521370-3 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8

Component: Application Security Manager

Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Fix:
Auto-Detect Language policy no longer contains disallowed high ASCII meta-characters.


521336-6 : pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core

Component: Local Traffic Manager

Symptoms:
The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core.

Conditions:
When pkcs11d retries while waiting for other services such as tmm or mcpd.

Impact:
After the system reboots, /var/log/ltm shows initialize errors and /var/log/daemon.log shows pkcs11_initialize messages:
-- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying).
-- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0.

Workaround:
Retry pkcs11d restart when tmm and mcpd are both ready.

Fix:
The retry of pkcs11d initialization no longer posts misleading error messages when pkcs11d retries while waiting for other services such as tmm or mcpd.


521272 : Fixed memory leak in restjavad's Authentication Token worker

Component: Device Management

Symptoms:
There is a memory leak that causes the Authentication Token worker to run out of memory after approximately 27,000 token requests when running with a 96 MB image on a BIG-IP system. Any service might receive the OutOfMemory exception, so the external symptoms might vary (e.g., socket failure, Bad Gateway, and others). To identify this issue, check for OutOfMemory exceptions in /var/log/restjavad.0.log.

Conditions:
This usually occurs when scripting against the REST interface. On a vCMP guest, guestagentd generates an authentication token every 90 seconds so that hostagentd on the vCMP hypervisor can make periodic REST calls to the guest. This information is used to populate the 'tmsh show vcmp health' stats.

Impact:
It takes a long time to log in 27,000 times, when logons come in through the GUI.

Workaround:
Restart restjavad after 10,000 tokens. To stop auth token generation on vCMP guests, run the following commands on the hypervisor:
-- tmsh modify vcmp guest all capabilities add { stats isolated-mode }
-- bigstart restart hostagentd

Fix:
Fixes a memory leak in the Authentication Token mechanism in restjavad.


521270-2 : Hypervisor might replace vCMP guest SYN-Cookie secrets

Component: TMOS

Symptoms:
Traffic suddenly stops passing on platforms in vCMP mode when SYN-cookie mode is triggered.

Occasionally, under HW-SYN-Cookie mode, HW-SYN-Cookie validation can fail, which triggers the software SYN-Cookie procedure, which then succeeds.

On a vCMP guest, you might notice hwalgo_accept increasing in the TMCTL table epva_hwvipstat. If the packet's destination is the local higher-layer TCP stack, there is no functional impact. Otherwise, there might be a performance impact.

Under vCMP mirroring, however, the packet (which failed FPGA validation) is sent to the remote TMM, which does not have the correct secret to validate it, and this causes the connection issue.

Conditions:
vCMP provisioning setup.

Impact:
On a vCMP guest, you might notice hwalgo_accept increasing in the TMCTL table epva_hwvipstat, whereas under HW-SYN-Cookie mode everything should be validated automatically by the FPGA.

You might also notice hwalgo_invalid if the FPGA used the updated secret from the hypervisor for SYN-Cookie generation and the guest and hypervisor secret indexes overlap.

Even when the guest and hypervisor secret indexes are not the same, the history secret might be updated by the hypervisor, which might trigger additional hwalgo_accept.

Under vCMP mirroring, however, the packet (which failed FPGA validation) is sent to the remote TMM, which does not have the correct secret to validate it, so the error rate could be higher.

Workaround:
On the vCMP hypervisor, run the following commands.

1. echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl
2. bigstart restart TMM

On a multiple blade system, you must run these commands on all blades.

Fix:
Hypervisor no longer replaces vCMP guest SYN-Cookie secrets.


521204-1 : Include default values in XML Policy Export

Component: Application Security Manager

Symptoms:
XML Policy Export does not include some entities unless their values differ from the system's default settings.

Conditions:
ASM is provisioned.
A security policy is exported in XML format.

Impact:
XML Policy Export does not include some entities unless their values differ from the system's default settings.

Workaround:
n/a

Fix:
We now exclude defaults from XML policy export only when exporting a minimal XML.


521183-1 : Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5

Component: Application Security Manager

Symptoms:
Upgrade fails with this error:
---------------------
The de-escalation period can be either zero or greater than or equal to the escalation period
---------------------

Conditions:
ASM is provisioned.
Active DoS profile exists with 'Prevention Duration' set to a value less than 5.

Impact:
Upgrade fails with this error:
---------------------
The de-escalation period can be either zero or greater than or equal to the escalation period
---------------------

Workaround:
Set the 'Prevention Duration' to at least 'Maximum 5 seconds' in all active DoS profiles.

Fix:
We fixed the upgrade process to work with active DoS profiles that have the 'Prevention Duration' setting set to a value less than 5.


521144-5 : Network failover packets on the management interface sometimes have an incorrect source-IP

Component: TMOS

Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.

Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.

Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.

Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example:

  # tmsh delete sys management-route 10.208.101.0/24
  # tmsh save sys config
  # echo "10.208.101.0/24 via 10.208.102.254 dev eth0" > /etc/sysconfig/network-scripts/route-eth0
  # reboot

Fix:
Network failover packets on the management interface now have the correct source IP address when the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks and a management-route is necessary for them to communicate.


521036-2 : Dynamic ARP entry may replace a static entry in non-primary TMM instances.

Component: Local Traffic Manager

Symptoms:
On very rare occasions, a dynamic ARP entry may replace a static entry in non-primary TMM instances. When the BIG-IP system attempts to send packets to an address, "tmsh show net arp" lists two entries for the address: one static and one with "incomplete" status.

Conditions:
The issue is due to a very rare race condition, and the BIG-IP system is configured with a static ARP entry.

Impact:
The issue may impact traffic flow if traffic goes through non-primary TMM instances.

Workaround:
There is no workaround, but the issue occurs very rarely.

Fix:
Dynamic ARP entry no longer replaces a static entry in non-primary TMM instances.


520924-4 : Restricted roles for custom monitor creation

Vulnerability Solution Article: K00265182


520732-3 : XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty

Component: Application Security Manager

Symptoms:
Default entities (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) are added to the policy upon XML policy import.

Conditions:
An ASM policy in which all entities of some type (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains, and Brute Force Log-In URLs) have been deleted.

Export it to XML and then import that XML back: the default entities are added.

Impact:
XML policy import adds default entities if the relevant element list (in policy XML doc) is specified and empty.

Workaround:
The relevant element list that is specified and empty should be removed completely from the policy XML document.

Fix:
ASM no longer adds default entities if the relevant element list (in the policy XML document) is specified and empty.


520705-5 : Edge client contains multiple duplicate entries in server list

Component: Access Policy Manager

Symptoms:
Edge client contains multiple duplicate entries in the server list.

Conditions:
Edge client with duplicate entries in connectivity profile.

Impact:
Edge client shows duplicate entries.

Workaround:
Do not create duplicate entries in the connectivity profile.

Fix:
BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list.

Behavior Change:
BIG-IP Edge Client for Mac no longer shows duplicate entries in the servers list.


520642-3 : Rewrite plugin should check length of Flash files and tags

Component: Access Policy Manager

Symptoms:
Portal Access Flash patcher could crash or apply incorrect modifications on some malformed Flash files.

Conditions:
This occurs when a Flash file is truncated or contains an incorrect length value in the file or tag headers.

Impact:
It may cause a crash and restart of Portal Access services.

Fix:
Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.


520640-2 : The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.

Component: TMOS

Symptoms:
Using the string returned in the options_seq field by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option method can result in an 'Invalid zone option syntax...' error.

Conditions:
Use of the string returned by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option() method.

Impact:
Strings returned in the options_seq field by the iControl Management.Zone.get_zone method cannot be used in the Management.Zone.set_zone_option() method unless they are reformatted consistent with the format expected by the Management.Zone.set_zone_option() method.

Workaround:
Use the GUI to set the zone options. Alternatively, modify the strings returned in the options_seq field by the iControl Management.Zone.get_zone method to a format consistent with those expected by the Management.Zone.set_zone_option() method. For example, modify options_seq to have each option as a single string (rather than the masters string, which is returned as 3 separate options strings).

Fix:
The iControl Management.Zone.get_zone_v2() method returns a value in the options_seq field in a format that is consistent with the format expected by the Management.Zone.set_zone_option() method.


520585-2 : Changing Security Policy Application Language Is Not Validated or Propagated Properly

Component: Application Security Manager

Symptoms:
After changing the Application Language for a Security Policy and pushing the changes over a manual sync device group, the device group's status immediately returns to "Changes Pending".

Additionally, calls through the REST interface erroneously allowed a client to change the language for a policy where it was already set.

Conditions:
A Security Policy was set to "Auto-Detect" the Application Language, and then set to a specific encoding.
Or an application language is already set and is changed through the REST API.

The issue is seen most prominently in a device group when ASM sync is enabled on a Manual Sync Failover Group.

Impact:
1) The change to encoding is not seen if looking at the result in tmsh.

2) In a manual sync group, after the change has been pushed to its peers, the change is correctly written to the MCP configuration when it is loaded. This appears as a new pending change from the peer device, and the device group appears out of sync again.

Workaround:
Push another sync from the peer to the original device.

Fix:
Changes to Language encoding are now validated and propagated correctly.


520540-1 : Specific iRule commands may generate a core file

Component: Local Traffic Manager

Symptoms:
Accessing the information within an HTTP Authorization header via HTTP::username, HTTP::password (or other methods) may cause TMM to generate a core file on some requests.

Conditions:
An iRule that uses the HTTP::username or HTTP::password commands, or the sFlow feature.

Impact:
Traffic disrupted while TMM generates a core file.

Workaround:
Modify the iRule to manually truncate the HTTP Authorization header.

Fix:
The HTTP::username and HTTP::password iRule commands and the sFlow feature no longer generate a core file.


520466-2 : Ability to edit iCall scripts is removed from resource administrator role

Vulnerability Solution Article: K16728


520413 : Aberrant behavior with woodside TCP congestion control

Component: Local Traffic Manager

Symptoms:
Potential tmm core.

Conditions:
Woodside congestion control, combined with multiple profile options enabled and certain traffic, may cause tmm to core.

Impact:
With woodside and the other necessary options, TMM may core. Running without woodside or without the other necessary options avoids the core, but has negative performance implications and might trigger other unexpected behaviors.

Workaround:
Switching from woodside to illinois congestion control avoids the issue.

Fix:
Woodside congestion control, combined with multiple profile options enabled and certain traffic, no longer causes tmm to core.


520405-4 : tmm restart due to oversubscribed DNS resolver

Component: Local Traffic Manager

Symptoms:
A max-concurrent-queries configuration setting significantly above default can lead to a situation that causes tmm to restart in certain traffic loads.

Conditions:
DNS cache resolver configured with max-concurrent-queries setting significantly above default.

Impact:
tmm is restarted.

Workaround:
Set the max-concurrent-queries configuration value closer to default.

Fix:
A max-concurrent-queries configuration setting significantly above default no longer leads to a situation that causes tmm to restart in certain traffic loads.


520390-1 : Reuse existing option is ignored for smtp servers

Component: Access Policy Manager

Symptoms:
If a policy is imported with the 'reuse existing objects' option and an appropriate SMTP server already exists, the newly imported policy creates and uses a new one instead of reusing the existing one.

Conditions:
Always

Impact:
Minor; easy to fix after import.

Workaround:
Open the assignment and reuse the existing SMTP server, then delete the old one.

Fix:
The 'reuse existing objects' option now works properly for SMTP servers.


520380-6 : save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory

Component: TMOS

Symptoms:
Unit demonstrates behaviors consistent with out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run.

Conditions:
Enable auto-sync and save-on-auto-sync.

Impact:
Low memory condition may result in system instability.

Workaround:
None.

Fix:
Enabling auto-sync and save-on-auto-sync no longer causes an out-of-memory condition.


520349 : iControl portal restarts

Component: TMOS

Symptoms:
iControl portal can restart during EM discovery.

Conditions:
EM discovery/device refresh

Impact:
The iControl portal restarts, causing an iControl outage.


520298-2 : Java applet does not work

Component: Access Policy Manager

Symptoms:
Web applications may work incorrectly through Portal Access if they use Java applets.

Conditions:
The website uses a Java applet that is loaded with the deprecated <applet> HTML tag.

Impact:
Websites can't use Java applets.

Fix:
Java applets now work correctly through Portal Access.


520280-1 : Perl Core After Apply Policy Action

Component: Application Security Manager

Symptoms:
Applying a policy causes a Perl core.
Further apply policy operations do not work.

Conditions:
ASM provisioned.
LTM provisioned.
An ASM policy exists that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.

Impact:
Applying a policy causes a Perl core and an ASM config event dispatcher crash.
The ASM config event dispatcher is then not restarted and remains down.
Further apply policy operations do not work.

Workaround:
Make sure that if an ASM policy is referenced by an LTM (L7) policy, that LTM (L7) policy is assigned to some LTM virtual server.
You can create a dummy LTM virtual server for that purpose.

Fix:
Perl no longer cores and crashes the ASM config event dispatcher when a policy is applied to an ASM policy that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.


520277-2 : Components validation alert

Component: Fraud Protection Services

Symptoms:
The components validation alert is a special case in which the client_request_uri field is filled with the referrer value (configured as a protected URL). In addition, the referrer value is sent in the http_referrer field.

Conditions:
The FPS plugin sends a components validation alert.

Impact:
Incorrect info in alerts.

Workaround:
None.

Fix:
Now client_request_uri contains the current URL and http_referrer contains the referrer value.

Behavior Change:
Now client_request_uri contains the current URL and http_referrer contains the referrer value.


520205-3 : Rewrite plugin could crash on malformed ActionScript 3 block in Flash file

Component: Access Policy Manager

Symptoms:
The rewrite plugin crashes. The following log message is in the log:
../fm_patchers/abc/abcScanner.cpp:70: void abc::abcScanner::has(size_t): Assertion `GetRemaining() >= (ssize_t)l' failed.

Conditions:
The input file is truncated or contains invalid bytecode instructions at the end of a doabc/doabcdefine tag.

Impact:
Portal Access services restart.

Fix:
Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.


520145-3 : [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy

Component: Access Policy Manager

Symptoms:
Policy sync fails with an out-of-memory error on the target device when the policy is big and complex.

Conditions:
A large profile, for example one with excessive use of ACL resources.

Impact:
Policy Sync fails.

Fix:
APM allows a user to sync a large and complex policy.


520118-2 : Duplicate server entries in Server List.

Component: Access Policy Manager

Symptoms:
There are multiple entries in the server list, possibly with different connection strings.

Conditions:
The client ends up with duplicate entries in the server list if it connects to different virtual servers that have the same aliases in the connectivity profile.

Impact:
Duplicate server entries in Server List.

Workaround:
Avoid duplicate aliases across connectivity profiles on servers that the client connects to.

Fix:
The server list now contains a single entry per server.


520105-3 : Possible segfault during hardware accelerated compression.

Component: Local Traffic Manager

Symptoms:
Segfault and core dump of tmm during hardware accelerated gzip, deflate, or zlib compress or decompress operations.

Conditions:
Requests for compression on the hardware accelerator might cause a segfault.

Impact:
Tmm restarts when the issue is encountered.

Workaround:
Disable hardware accelerated compression.

Fix:
Cancelled flow contexts involving a compression context no longer segfault when the in-flight operation completes.


520090-1 : Flows are closed as expired rather than closed gracefully.

Component: Fraud Protection Services

Symptoms:
Flows are closed as expired rather than closed gracefully.

Conditions:
BIG-IP is passing about 400 requests per second, which causes system congestion.

Impact:
Response timeouts.

Workaround:
None.

Fix:
The BIG-IP system now closes the TCP connection after requests for FPS JavaScript.


520088-2 : Citrix HTML5 Receiver does not properly display initial tour and icons

Component: Access Policy Manager

Symptoms:
When trying to connect with Citrix HTML5 Receiver, the initial tour screen does not display properly.

Conditions:
APM is configured for Citrix replacement mode and Citrix HTML5 Receiver client 1.4-1.6 is used.

Impact:
Issues with GUI user experience. User is presented with an improperly formatted page without icons.

Workaround:
1. Open /config/bigip.conf for edit.
2. Replace 'content-type text/plain' with 'content-type text/css' in HTML5Client(.*).css sections.
3. Replace 'content-type text/plain' with 'content-type text/javascript' in HTML5Client(.*).js sections.
4. Save the file.
5. From the console, type the following command: tmsh load sys config.

Fix:
Now APM correctly sets content type of CSS and JavaScript files when configuring Citrix HTML5 client bundle.


519966-2 : APM "Session Variables" report shows user passwords in plain text

Component: Access Policy Manager

Symptoms:
The APM Session Variables report shows user passwords in plain text.

Conditions:
A password session variable exists.

Impact:
It is not safe to show users' passwords in plain text.

Fix:
The APM Session Variables report now masks user passwords, displaying ************ instead.


519877 : External pluggable module interfaces not disabled correctly.

Component: TMOS

Symptoms:
An external pluggable module interface may show link UP status when administratively disabled.

Conditions:
Disable any external pluggable module interface that is connected to an enabled peer interface.

Impact:
A disabled external pluggable module interface may link UP and potentially pass traffic.

Fix:
The software fix prevents a disabled external pluggable module interface from being re-enabled as a result of periodic linkscan operations.


519864-3 : Memory leak on L7 Dynamic ACL

Component: Access Policy Manager

Symptoms:
There is a memory leak in Dynamic ACL related to HTTP configuration, such as the HTTP host name and HTTP URI path in an ACL entry. The leak occurs for every session, as these entries are generated on a per-session basis.

Conditions:
This occurs when using L7 Dynamic Access Control Lists.

Impact:
TMM memory usage increases.

Workaround:
Use static ACL whenever possible.

Fix:
L7 Dynamic ACL is no longer leaking memory.


519746-1 : ICMP errors may reset FastL4 connections unexpectedly

Component: Local Traffic Manager

Symptoms:
FastL4 connections may be reset when an ICMP packet is received.

Conditions:
An ICMP packet with an embedded TCP packet is received on an ePVA accelerated flow.

Impact:
The connection is reset.

Fix:
TCP sequence numbers embedded in an ICMP packet are no longer validated on ePVA accelerated flows.


519723 : dnatutil utility needs update because DAG changed.

Component: Carrier-Grade NAT

Symptoms:
The dnatutil utility needs an update because the DAG changed.

Conditions:
CGNAT is configured.

Impact:
STDERR: dnatutil: Newer version of the utility is required to process the data (required daglib id: 5666df06f3570ad26976e607e02f71f7).

Workaround:
None

Fix:
The dnatutil utility has been updated for the DAG change.


519510-3 : Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware

Component: TMOS

Symptoms:
TCP throughput might be severely impacted for traffic traversing a tagged VLAN and BCM57800/BCM57810 NIC on BIG-IP VEs.

The 'rxbadsum' count increases as received LRO'd traffic is ignored by TMM.

Conditions:
1. Traffic traverses a tagged VLAN.

2. This issue might be related to systems using Broadcom BCM57800 or BCM57810 NICs. In general, however, the required condition is that packets with a VLAN header are received by the uNIC driver.

Impact:
Potential throughput drop during a high volume of data transfer.

Workaround:
You can use either of the following workarounds:

1. Avoid using tagged VLANs.

2. Run the following commands on the ESX hypervisor to disable LRO/GRO system-wide, followed by a reboot.

-- esxcli system settings advanced set -o /Net/Vmxnet2HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet2SwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3SwLRO -i 0
-- esxcli system settings advanced set -o /Net/VmxnetSwLROSL -i 0

Fix:
The change in L4 packet header offset resulting from VLAN header insertion is now accounted for when verifying the checksum.


519506-1 : Flows dropped with initial data from server on virtual servers with HTTP

Component: Policy Enforcement Manager

Symptoms:
Accepted events are held when HTTP is present on the hudchain.

Conditions:
HTTP is present on the hudchain.

Impact:
Data flows are dropped.

Workaround:
N/A

Fix:
Checking of HTTP state is now enabled and Accepted events are passed.


519415-3 : APM Network Access tunnel ephemeral listeners ignore iRules (related-rules from main virtual)

Component: Access Policy Manager

Symptoms:
If you want to change timeout values for server-side initiated flows inside Network Access tunnels, ephemeral listeners ignore iRules.
There is intended to be a way to do this through tmsh (not the UI) by attaching iRules (related-rules) to the main virtual server that then run on the ephemeral listeners. (These ephemeral listeners are created by Network Access tunnels for lease-pool IPs.) The command for this is, for example:
 tmsh modify ltm virtual vs_dtls related-rules { idle_time }

The problem was that APM Network Access ignored the related-rules on the main virtual server, so the rules were not triggered.

Conditions:
APM Network access use case.

Impact:
Related rules on the main virtual server are not applied to ephemeral listeners (these ephemeral listeners are created by Network Access tunnels for lease-pool IPs).

Workaround:
None.

Fix:
iRules are now executed on ephemeral listeners.


519407-1 : PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID

Component: Policy Enforcement Manager

Symptoms:
If an existing session is replaced by a new session with the same IP address but a different subscriber ID, a lookup of the session by the new subscriber ID from tmsh fails.

Conditions:
An existing session is replaced by a new session with the same IP address and a different subscriber ID.

Impact:
Lookup of the new session fails, and replacing the new session fails too.

Fix:
This issue has been fixed and should work as expected.


519372 : vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.

Component: TMOS

Symptoms:
An extremely large and increasing number of files of the form /var/run/tmstats-rsync.* are present. This is a memory-backed directory, and these files are never automatically moved or deleted, so the vCMP guest may eventually experience swap and out-of-memory conditions.

Conditions:
vCMP guests upload statistics to the vCMP host periodically. In a small percentage of vCMP guests with large configurations, these statistics take up an unusually large amount of space. This is not an error, but it exceeds the 6 MB limit that the host accepts. The host's refusal to accept the file triggers behavior in the guest that logs the condition to /var/run/tmstats-rsync.*. If the file size never decreases, this happens repeatedly and indefinitely.

Impact:
In swap and low memory conditions, the vCMP guest suffers performance problems and instability.

Workaround:
To work around this issue, you can disable guest health statistic collection on the vCMP host by disabling statistic collection for the tmsh show vcmp health command, as follows.

Impact of workaround: This procedure affects values returned by the tmsh show vcmp health stats command.

1. Log in to the command line of the vCMP host. If the device is a VIPRION, ensure you are logged in to the primary blade.
2. To disable statistic collection, type the following command: tmsh modify vcmp guest all capabilities add { stats-isolated-mode }.

Fix:
The /var/run/tmstats-rsync.* files are no longer generated. Instead, statistics are kept in the vCMP guest to track failures to send stats to the host. You can see these by running the following command in the guest: tmctl -d blade vcmpd/rsync_stat. If the guest is a multi-slot guest on a VIPRION platform, this command shows separate stats for each slot it's run on.


519257-2 : CSPM script isn't injected in text/html chunked response

Component: Application Visibility and Reporting

Symptoms:
The BIG-IP Client Side Performance Monitoring (CSPM) script does not get injected into chunked responses, causing the "Page load time" feature to not work properly.

Conditions:
This happens for chunked (large) web pages.

Impact:
The "Page load time" feature does not work properly and page load time stats do not exist for these responses.

Workaround:
None known.

Fix:
Page load time is displayed correctly even for chunked responses.


519217-4 : tmm crash: valid proxy

Component: Local Traffic Manager

Symptoms:
tmm might crash in extremely rare circumstances when a virtual server is used during an update. Standard process is for virtual servers to be unavailable until the configuration update is complete; there are extremely rare circumstances when it is possible for a connection to use a virtual server before it is ready.

Conditions:
This requires that traffic is running during a configuration update, including a config sync from an HA peer. There must be a virtual server or configuration that uses a second virtual server while traffic is running: these include vip-on-vip using iRules and WAM prefetch, but might include other internal conditions.

Impact:
Traffic disruption, possible failover to another device if HA is configured. If using keepalive or other means to keep the connection alive, then a long amount of time might pass between the creation of the invalid flow and any impact from the error.

Workaround:
None.

Fix:
If a virtual server is used during an update (that is, before the virtual server is ready), an error message is now posted to tmm log files, and a small amount of memory is used each time this message is logged.


519216-4 : Abnormally high CPU utilization from external SSL/OpenSSL monitors

Component: TMOS

Symptoms:
The BIG-IP system may experience high CPU utilization when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.

Conditions:
External SSL monitors using OpenSSL. This includes but is not limited to EAV, ldap, sip, soap, firepass, snmpdca, real-server, wmi, virtual-location.

Built-in monitors (e.g., https, inband) are not affected.

Impact:
High CPU utilization reported with potential performance degradation.

Workaround:
To work around this issue, you can use a different type of monitor to obtain pool member availability status.

Impact of workaround: Performing the recommended workaround should not have a negative impact on your system.

Fix:
The CPU utilization is reduced when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.


519198-3 : [Policy Sync] UI General Exception Error when syncing a policy in a non-default partition as a non-default admin user

Component: Access Policy Manager

Symptoms:
Syncing a policy in a non-Common partition as a non-default admin user fails.

Conditions:
Log in as an admin user other than the default "admin".
Sync a policy that was created in a non-Common partition.

Impact:
Policy Sync fails

Workaround:
Log in as default "admin" user.

Fix:
APM allows a user to log in as any admin user to sync policy in any partition.


519081-1 : Cannot use tmsh to load valid configuration created using the GUI.

Component: TMOS

Symptoms:
Cannot use tmsh to load a valid configuration created using the GUI.

Conditions:
This occurs with the following configuration:
1) Configure a server with :* members.
2) Configure a member-specific gateway-icmp monitor for the :* member.
3) Assign any L4/7 monitor at the server level (http/tcp, etc., with the default '*:*' destination in the monitor).

Impact:
Although the configuration is valid, it fails to load with the following error:
err iqsyncer[16456]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237538 result_message '01070622:3: The monitor /Common/my-tcp-half has a wildcard destination service and cannot be associated with a node that has a zero service.' }

Workaround:
Remove the parent TCP monitor.

Fix:
The server configuration of :* members now loads without error using tmsh.


519068-3 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset, accompanied by log messages about self-signed certificates.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).

Fix:
The system now correctly resets device trust when devices are being added to and deleted from the device trust.


519059-3 : [PA] - Failing to properly patch webapp link, link not working

Component: Access Policy Manager

Symptoms:
Any attribute URL in HTML content is rewritten as "javascript:location=..." if a <base> tag precedes the tag carrying the attribute, no content hint is set in the HTML rules for that attribute, and cookieless mode is not in use.

Conditions:
Webapp link is not properly patched.

Impact:
Rewritten links are not accessible.

Fix:
WebApp links are now properly rewritten.


519053-1 : Request is forwarded truncated to the server after answering challenge on a big request

Component: Application Security Manager

Symptoms:
Large requests (over 5K) arrive at the server truncated when web scraping bot detection is enabled, or when a brute force/session opening attack is ongoing with client-side mitigation.

Conditions:
The request size is between 5k-10k.
Web scraping bot detection is turned on, or a brute force/session opening attack is ongoing with client-side mitigation.

Impact:
The client-side challenge mechanism truncates the request forwarded to the server. Only the first 5K of the request arrives at the server.

Workaround:
Change the internal parameter size max_raw_request_len to 10000.

Fix:
The system's client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.


519022-2 : Upgrade process fails to convert ASM predefined scheduled-reports.

Component: Application Visibility and Reporting

Symptoms:
Upgrades from versions prior to 11.5 fail if a scheduled report uses the predefined settings named: Top alerted and blocked policies.

Conditions:
There is a scheduled report that uses the predefined settings named: Top alerted and blocked policies. This can be triggered on upgrade to versions prior to 11.5.4, 11.6.1, and 12.0.0.

Impact:
Upgrade process fails.

Workaround:
None.

Fix:
A scheduled report using the predefined settings named 'Top alerted and blocked policies' no longer causes upgrades from versions prior to 11.5 to fail. The upgrade process now renames the predefined report type to the correct one, so the upgrade no longer fails.


518981-2 : RADIUS accounting STOP message may not include long class attributes

Component: Access Policy Manager

Symptoms:
The class attribute should be sent back to RADIUS server unmodified.
However, if the RADIUS server is configured to send lots of long class attributes, the BIG-IP system might drop them when sending accounting stop message.

Conditions:
The BIG-IP system is configured with an Access Policy that contains a RADIUS Acct agent. The RADIUS server is configured to send class attributes with a total size greater than 512 bytes.

Impact:
RADIUS Accounting server doesn't receive STOP message when user session is over.

Fix:
Previously, the BIG-IP system would not send an accounting stop message if class attributes were more than 512 bytes total size. Now, BIG-IP system sends the accounting stop message, but does not include class attributes.


518967-1 : Possible error when parsing for certain URL categorization input.

Component: Policy Enforcement Manager

Symptoms:
The system might encounter an error when parsing for certain URL categorization input.

Conditions:
Enable PEM URL categorization to categorize the URLs from traffic processed by PEM virtual servers.

Impact:
TMM restart, with potential service interruption during the TMM restart.

Workaround:
None.

Fix:
The parsing mechanism for the URL input has been fixed to handle multiple corner cases of the URL categorization.


518663-1 : Client waits seconds before page finishes load

Component: Application Visibility and Reporting

Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header.
If the response contains no <html> tag, AVR will "change its mind" and won't inject the JavaScript, causing the client to wait for the missing bytes until timeout.

Conditions:
Page-load-time is enabled in the AVR profile.

Impact:
Client waits many seconds until timeout.

Fix:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header.
If no <html> tag is found in the response, the system now injects empty spaces to fill in the missing bytes in order to prevent the client from timing out.


518583-2 : Network Access on disconnect restores redundant default route after looped network roaming for Windows clients

Component: Access Policy Manager

Symptoms:
Windows Network Access restores a redundant default route if the client roams between networks in a loop, e.g.:
NetworkA -> NetworkB -> NetworkA.

Conditions:
* Connect NIC to NetworkA
* Connect to VPN
* Roam to another wifi network SSID (NetworkB)
* Roam back to the original wifi SSID in step #1 (NetworkA)

Impact:
The incorrect default route may cause routing issues on the client machine if the metric of the interfaces connected to NetworkB is lower than the metric of the interfaces connected to NetworkA.

Workaround:
N/A

Fix:
Fixed issue causing redundant default route under described conditions.


518573 : The -decode option should be added to expressions in AD and LDAP group mapping.

Component: Access Policy Manager

Symptoms:
The -decode option is needed.

Conditions:
Upgrade to 11.6.0.

Impact:
In 11.6.0, if you create a rule to match an AD group in an "AD group resource assign", it creates something like this in bigip.conf:
expression "expr { [mcget -decode {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"

Prior to 11.6.0 the generated config was:
expression "expr { [mcget {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"

The upgrade script does not add the "-decode" option, which results in no groups being displayed in the VPE after an upgrade to 11.6.0.

Workaround:
No workaround

Fix:
Issue resolved: the -decode option and lowercase string comparison are now added to expressions in AD and LDAP Group Mapping during upgrade.


518550-3 : Incorrect value of form action attribute inside 'onsubmit' event handler in some cases

Component: Access Policy Manager

Symptoms:
Incorrect value of 'action' form attribute may be used inside 'onsubmit' event handlers if original 'action' is an absolute path.

Conditions:
HTML form with absolute path in 'action' attribute;
'onsubmit' event handler for this form.

Impact:
Web application may work incorrectly.

Workaround:
There is no general workaround. However, if the 'action' value can be converted to a relative path or to a full URL (with host), this can be done using an iRule.

Fix:
The value of the form 'action' attribute is now correct inside event handlers.


518432 : [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation

Component: Access Policy Manager

Symptoms:
TLS tunnel freezes on Mac and Linux in case of SSL renegotiation.

Conditions:
A TLS tunnel is in use on Mac or Linux, and SSL renegotiation occurs.

Impact:
Tunnel freezes and user cannot pass data traffic.

Workaround:
Restart session with BIG-IP

Fix:
Tunnel no longer freezes on SSL renegotiation on Mac and Linux.


518283 : Cookie rewrite mangles 'Set-Cookie' headers

Component: TMOS

Symptoms:
'Set-Cookie' headers are syntactically invalid.

Conditions:
A Rewrite profile is in use, and the 'Set-Cookie' header has the 'Expires' attribute before the 'Path' attribute.

Impact:
'Set-Cookie' headers in the client side become syntactically invalid (two 'Path' values that can be contradictory, plus a broken 'Expires' string).

Workaround:
Put the 'Path' attribute before 'Expires' attribute.

Fix:
The 'Expires' attribute is now properly parsed.
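The defect above comes down to attribute parsing: the Expires value ('Wed, 21 Oct 2015 07:28:00 GMT') contains a comma and spaces, so any rewrite logic that splits a Set-Cookie header on anything other than ';' will mangle it and can emit a second Path. The following is an added example, not F5's rewrite code, of a Path-prefixing rewrite that is independent of attribute order, together with a check that flags the two symptoms the note describes (duplicate attributes, unparsable Expires). The cookie header and the '/proxy' prefix are constructed sample values.

```python
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, [(attr, value|None)]).

    Only ';' separates attributes.  The Expires value itself contains a comma
    and spaces, so splitting on ',' or on whitespace is exactly what breaks it.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = []
    for piece in pieces[1:]:
        if not piece:
            continue
        attr, sep, attr_value = piece.partition("=")
        attrs.append((attr.strip(), attr_value.strip() if sep else None))
    return name.strip(), value.strip(), attrs


def serialize_set_cookie(name, value, attrs) -> str:
    out = ["%s=%s" % (name, value)]
    for attr, attr_value in attrs:
        out.append(attr if attr_value is None else "%s=%s" % (attr, attr_value))
    return "; ".join(out)


def rewrite_cookie_path(header: str, prefix: str) -> str:
    """Prefix the Path attribute wherever it sits relative to Expires,
    leaving every other attribute untouched (one Path in, one Path out)."""
    name, value, attrs = parse_set_cookie(header)
    rewritten = []
    for attr, attr_value in attrs:
        if attr.lower() == "path":
            attr_value = prefix.rstrip("/") + (attr_value or "/")
        rewritten.append((attr, attr_value))
    return serialize_set_cookie(name, value, rewritten)


def check_set_cookie(header: str) -> list:
    """Return a list of problems: duplicate attributes or an Expires date
    that does not parse.  An empty list means the header is well formed."""
    _, _, attrs = parse_set_cookie(header)
    problems, seen = [], set()
    for attr, attr_value in attrs:
        key = attr.lower()
        if key in seen:
            problems.append("duplicate attribute %s" % attr)
        seen.add(key)
        if key == "expires":
            try:
                parsedate_to_datetime(attr_value or "")
            except (TypeError, ValueError):   # older/newer Pythons differ here
                problems.append("unparsable Expires %r" % attr_value)
    return problems


# Constructed sample: Expires placed before Path, the ordering the note says
# tripped the rewrite.
SAMPLE = "sid=abc123; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/app; Secure; HttpOnly"

if __name__ == "__main__":
    out = rewrite_cookie_path(SAMPLE, "/proxy")
    print(out)
    print("problems:", check_set_cookie(out))
```

Running the check against a rewritten header is a cheap regression test for any cookie-rewriting proxy: an Expires value that stops parsing, or a second Path, means the rewrite has corrupted the header.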


518275-2 : The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file

Vulnerability Solution Article: K48042976


518260-1 : Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message

Component: Access Policy Manager

Symptoms:
The NTLMSSP_TARGET_INFO flag is not set on the NTLMSSP_CHALLENGE message generated by ECA, although the Target Info attribute itself is included. Certain NTLM clients may ignore the Target Info attribute because of this and fall back to NTLMv1 authentication. With the Active Directory default configuration this is not an issue. However, if you have specifically required NTLMv2 in your policy, authentication never succeeds because of the protocol mismatch.

Conditions:
This occurs when NTLMv2 is set to required and NTLMv1 is denied in your ActiveDirectory policy.

Impact:
Users cannot authenticate.

Fix:
NTLM clients that depend on the NTLMSSP_TARGET_INFO flag can now complete NTLM authentication using the NTLMv2 protocol.
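The mismatch described above (Target Info carried in the CHALLENGE_MESSAGE while the NegotiateFlags bit announcing it is clear) is easy to detect on the wire or in a unit test. The code below is an added example, not F5's ECA implementation: it assembles a CHALLENGE_MESSAGE with the fixed-field layout and flag values from MS-NLMP (NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000) and checks that the flag and the TargetInfo field agree. The domain name, computer name and server challenge are constructed placeholders.

```python
import os
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2

# NegotiateFlags bits (MS-NLMP section 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids (MS-NLMP section 2.2.2.1)
MSV_AV_EOL = 0
MSV_AV_NB_COMPUTER_NAME = 1
MSV_AV_NB_DOMAIN_NAME = 2

FIXED_LEN = 48  # CHALLENGE_MESSAGE fixed fields without the optional Version

BASE_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET |
              NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_SERVER |
              NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)

# Constructed sample AV pairs (placeholder names, not a real deployment).
SAMPLE_AV_PAIRS = [
    (MSV_AV_NB_DOMAIN_NAME, "EXAMPLE".encode("utf-16-le")),
    (MSV_AV_NB_COMPUTER_NAME, "GW1".encode("utf-16-le")),
]


def encode_av_pairs(pairs) -> bytes:
    """Serialize AV_PAIRs (AvId, AvLen, Value) and terminate with MsvAvEOL."""
    out = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def build_challenge(target_name: str, av_pairs, flags: int,
                    server_challenge: bytes = None) -> bytes:
    """Assemble a CHALLENGE_MESSAGE (test data; no Version field).
    Layout: Signature(8) MessageType(4) TargetNameFields(8) NegotiateFlags(4)
    ServerChallenge(8) Reserved(8) TargetInfoFields(8) Payload."""
    name = target_name.encode("utf-16-le")
    info = encode_av_pairs(av_pairs) if av_pairs else b""
    name_off = FIXED_LEN
    info_off = name_off + len(name)
    challenge = server_challenge or os.urandom(8)
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), name_off)   # TargetNameFields
    msg += struct.pack("<I", flags)
    msg += challenge + b"\x00" * 8                               # ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(info), len(info), info_off)   # TargetInfoFields
    return msg + name + info


def check_challenge(msg: bytes) -> list:
    """Return consistency findings for a CHALLENGE_MESSAGE; an empty list
    means NegotiateFlags and the TargetInfo field agree.  TargetInfo present
    with the flag clear is the defect the note describes: a client may then
    disregard the AV pairs and fall back to NTLMv1."""
    if len(msg) < FIXED_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        return ["not an NTLMSSP message"]
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        return ["MessageType %d is not CHALLENGE_MESSAGE" % msg_type]
    (flags,) = struct.unpack_from("<I", msg, 20)
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    findings = []
    if info_off + info_len > len(msg):
        findings.append("TargetInfo offset/length point outside the message")
    has_flag = bool(flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
    if info_len and not has_flag:
        findings.append("TargetInfo present (%d bytes) but "
                        "NTLMSSP_NEGOTIATE_TARGET_INFO is clear" % info_len)
    if has_flag and not info_len:
        findings.append("NTLMSSP_NEGOTIATE_TARGET_INFO set but TargetInfo is empty")
    return findings


if __name__ == "__main__":
    bad = build_challenge("EXAMPLE", SAMPLE_AV_PAIRS, BASE_FLAGS)
    good = build_challenge("EXAMPLE", SAMPLE_AV_PAIRS, BASE_FLAGS | NTLMSSP_NEGOTIATE_TARGET_INFO)
    print("without flag:", check_challenge(bad))
    print("with flag:   ", check_challenge(good))
```

The same check can be pointed at a captured Type 2 message when diagnosing unexplained NTLMv1 fallbacks: if the flag is clear while TargetInfo is non-empty, the server side is at fault, not the client's policy.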


518086-6 : Safenet HSM Traffic failure after system reboot/switchover

Component: Local Traffic Manager

Symptoms:
SafeNet hardware security module (HSM) traffic fails after a system reboot or switchover.

Conditions:
Restart of services on primary or secondary blade.

Impact:
Traffic fails: there is no pkcs11 connection on the new primary blade.

Workaround:
The workaround is to restart pkcs11d on the secondary blade.

Fix:
The system now waits until MCPD is fully loaded before attempting SafeNet hardware security module (HSM) communication.


518039-1 : BIG-IQ iApp statistics corrected for partition use cases

Component: TMOS

Symptoms:
When the f5.http iApp is deployed in a partition, the icall script fails to get stats because it assumes the application is in /Common.

Conditions:
iApps are running in an administrative partition.

Impact:
BIG-IQ customers fail to get statistics from iApps running on BIG-IP.

Fix:
Certain iApps deployed by BIG-IQ now provide statistics.


518020-11 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
An improperly formatted HTTP request passing through the BIG-IP system may cause the connection to hang and eventually time out.

Conditions:
If the HTTP version token in the request is improperly crafted, BIG-IP ends up treating the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling, and is not passed to the backend server.

If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as HTTP 1.1, and both servers wait for the Host header and terminating CRLFs. Since no data is forthcoming, the connection hangs and the backend server times out the connection a few seconds later.

F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations:
1) An iRule that drops connections after a specified amount of idle time.
2) An iRule that validates the request line and fixes it.
3) Tuning of profile timeouts.
4) ASM prevents this issue.

Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.
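Mitigation 2 above amounts to strict request-line validation. The following added example, not F5's HTTP filter or an iRule, shows what that validation looks like in Python: a parser that accepts only a well-formed HTTP-version token (RFC 7230: "HTTP/" DIGIT "." DIGIT) or the two-element HTTP/0.9 simple-request form, next to a model of the lenient behaviour the Conditions describe, where an unparsable token is treated as absent and everything after the first CRLF is held back. The lenient model is an assumption about the mechanism, not F5's code; the two requests are constructed samples.

```python
import re

# RFC 7230: HTTP-version = "HTTP/" DIGIT "." DIGIT ; method must be a token
_HTTP_VERSION = re.compile(r"^HTTP/[0-9]\.[0-9]$")
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request_line(line: str) -> dict:
    """Strictly parse one HTTP request line.

    Returns {'valid', 'version', 'reason'}.  A two-element line such as
    'GET /path' is the only form accepted as an HTTP/0.9 simple request; a
    three-element line must carry a well-formed version token.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) == 2 and _TOKEN.match(parts[0]) and parts[1]:
        return {"valid": True, "version": "0.9", "reason": "simple request, no version token"}
    if len(parts) != 3:
        return {"valid": False, "version": None, "reason": "expected METHOD SP target SP version"}
    method, target, version = parts
    if not _TOKEN.match(method):
        return {"valid": False, "version": None, "reason": "method is not a token"}
    if not target:
        return {"valid": False, "version": None, "reason": "empty request target"}
    if not _HTTP_VERSION.match(version):
        return {"valid": False, "version": None, "reason": "malformed version token %r" % version}
    return {"valid": True, "version": version[len("HTTP/"):], "reason": "ok"}


def decide(line: str) -> str:
    """Strict disposition for a proxy: 'forward', 'forward-0.9' or 'reject'."""
    result = parse_request_line(line)
    if not result["valid"]:
        return "reject"
    return "forward-0.9" if result["version"] == "0.9" else "forward"


def lenient_version(line: str) -> str:
    """Model (an assumption, not F5's code) of the pre-fix behaviour: a
    version token that does not parse is treated as if absent, i.e. 0.9."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) >= 3 and _HTTP_VERSION.match(parts[2]):
        return parts[2][len("HTTP/"):]
    return "0.9"


def bytes_forwarded_lenient(request: bytes) -> bytes:
    """Under the lenient model an HTTP/0.9 request has no headers, so only the
    request line is treated as the request and the remainder is held back."""
    first, sep, _rest = request.partition(b"\r\n")
    if lenient_version(first.decode("latin-1")) == "0.9":
        return first + sep
    return request


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD_VERSION_REQUEST = b"GET /index.html HTTP/1.x\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for raw in (GOOD_REQUEST, BAD_VERSION_REQUEST):
        first = raw.split(b"\r\n", 1)[0].decode("latin-1")
        print("%-28s strict=%-12s lenient model forwards %d of %d bytes" % (
            first, decide(first), len(bytes_forwarded_lenient(raw)), len(raw)))
```

The comparison makes the failure mode concrete: the strict parser rejects the bad token outright, while the lenient model forwards 26 of 47 bytes and leaves the backend waiting for a Host header that never arrives.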


517988-2 : TMM may crash if access profile is updated while connections are active

Component: Access Policy Manager

Symptoms:
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.

Conditions:
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
(These are untested...)

Without HA, (1) disable virtuals using access profile, (2) delete any active connections on the virtuals, (3) update access profile, and, (4) enable virtuals.

With HA, (1) update access profile on standby, (2) failover to the standby, and (3) sync the configuration.

Fix:
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.


517872-1 : Include proxy hostname in logs in case of name resolution failure

Component: Access Policy Manager

Symptoms:
It is hard to troubleshoot cases in which proxy name resolution fails.

Conditions:
Troubleshooting is required in proxy name resolution area.

Impact:
Network engineers have difficulty identifying the root cause.

Fix:
The proxy hostname is now written to the log file when resolution fails.


517846-2 : View Client cannot change AD password in Cross Domain mode

Component: Access Policy Manager

Symptoms:
View Client cannot change Active Directory password in Cross Domain mode.

Conditions:
1. Access policy for View Client uses Cross Domain authentication.
2. View Client user trying to log into APM belongs to a different AD domain than the one configured in AD Auth agent (cross-domain auth).
3. User's password is expired.

Impact:
User cannot change expired password, so cannot use VMware View.

Workaround:
None.

Fix:
View Client can now change AD password in Cross Domain mode, as expected.


517790-1 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped

Component: Local Traffic Manager

Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.)

If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.

Conditions:
Non-HTTP data sent to the server-side not belonging to a response.

Impact:
Banner protocols, where the server responds before seeing any data, will not pass through the Transparent HTTP proxy.

Non-HTTP protocols that start with a pseudo-HTTP response followed by extra data have the connection rejected when the extra data is seen.

Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.

Fix:
The transparent HTTP profile's passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.


517613-1 : ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps

Component: Local Traffic Manager

Symptoms:
ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps.

Conditions:
Create a ClientSSL profile (p1) with user-defined key/certificate/chain.
Create another clientSSL profile (p2) with all default fields.
Modify p2 to have the defaults from p1.

Impact:
GUI shows the right key/certificate/chain in p2, whereas tmsh shows p2 to have default key and certificate.

Workaround:
None.

Fix:
ClientSSL profile now has the correct key/certificate/chain when multiple profiles are created with differing key/certificate/chain values.


517582-3 : [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.

Component: Global Traffic Manager

Symptoms:
Cannot delete a region even though it is not referenced by any record.

Conditions:
This occurs after a failed attempt to delete a region that is referenced by a record.

Impact:
Topology regions are hard to manage.

Workaround:
Restart mcpd.

Fix:
Regions can now be deleted after a failed deletion attempt.


517580-3 : OPT-0015 on 10000-series appliance may cause bcm56xxd restarts

Component: TMOS

Symptoms:
Changing configuration (enable/disable/auto-negotiation) on copper SFPs on 10000-series appliance might cause an internal bus to hang. Symptoms are bcm56xxd process restarts, and the interfaces may show as unknown.

Conditions:
Only copper SFPs OPT-0015 on 10000-series appliances exhibit this problem.

Impact:
The bcm56xxd process restarts, and the interfaces may show as unknown.

Workaround:
To work around this issue, follow these steps:
1) Force the system offline.
2) Reboot the system.
3) Release the system's offline status.

Fix:
The bcm56xxd daemon detects a bus problem and resets the bus to recover communications with SFP transceivers.


517564-1 : APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP APM 11.6.0, there is a new feature called LDAP Group Resource Assign agent. The agent relies on a group list that is retrieved at AAA > LDAP Server > Groups configuration page.
AAA LDAP Server fails to update the group list when the backend LDAP server is configured to use a port other than 389 (the default port).

Conditions:
Backend LDAP server is configured to use a non-default port (a port other than 389).
LDAP Group Resource Assign agent is added to an Access Policy.

Impact:
It is impossible to update the group list from the LDAP server.
The LDAP Group Resource Assign agent does not provide a list of LDAP groups for easy configuration.

Fix:
LDAP groups can now be retrieved from an LDAP server that uses a non-default port (a port other than 389).


517556-3 : DNSSEC unsigned referral response is improperly formatted

Component: Local Traffic Manager

Symptoms:
When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. The type bitmap should contain the NS type.

Conditions:
DNSSEC processing an unsigned referral response from DNS server.

Impact:
DNSSEC referral response is not RFC compliant.

Workaround:
None.

Fix:
NS type added to NSEC3 type bitmap, so that DNSSEC unsigned referral response is properly formatted.
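The type bitmap mentioned above uses the window-block encoding of RFC 4034 section 4.1.2, which NSEC3 (RFC 5155) reuses: one block per 256-type window, each block being the window number, the bitmap length and the bitmap with trailing zero octets removed. The code below is an added example, not BIG-IP's DNSSEC implementation, that encodes and decodes that format and applies the check a validating resolver effectively performs on a delegation: the covering NSEC3 must list NS. The RR type numbers are the IANA-assigned values; the sample type sets are constructed.

```python
# RR type codes used below (IANA DNS parameters)
NS, SOA, RRSIG, DNSKEY, NSEC3, NSEC3PARAM = 2, 6, 46, 48, 50, 51


def encode_type_bitmap(types) -> bytes:
    """Encode RR types into the RFC 4034 section 4.1.2 window-block format
    shared by NSEC and NSEC3.  Bit 0 of each octet is the most significant
    bit; windows with no types present are omitted entirely."""
    windows = {}
    for rrtype in sorted(set(types)):
        if not 0 <= rrtype <= 65535:
            raise ValueError("RR type out of range: %d" % rrtype)
        window, offset = divmod(rrtype, 256)
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[offset // 8] |= 0x80 >> (offset % 8)
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")   # drop trailing zero octets
        if bitmap:
            out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> list:
    """Inverse of encode_type_bitmap.  Raises ValueError on a truncated block
    or a bitmap length outside 1..32, both of which a parser must reject."""
    types, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[i], data[i + 1]
        i += 2
        if not 1 <= length <= 32 or i + length > len(data):
            raise ValueError("bad bitmap length %d in window %d" % (length, window))
        for byte_index, octet in enumerate(data[i:i + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append(window * 256 + byte_index * 8 + bit)
        i += length
    return types


def referral_bitmap_ok(bitmap: bytes) -> bool:
    """For an unsigned referral (delegation without DS), the NSEC3 record
    covering the delegation must list NS in its type bitmap.  An empty
    bitmap, the defect described above, fails this check."""
    return NS in decode_type_bitmap(bitmap)


if __name__ == "__main__":
    empty = encode_type_bitmap([])     # what the buggy record carried
    fixed = encode_type_bitmap([NS])   # what a delegation NSEC3 should carry
    print("empty bitmap:", empty.hex() or "(none)", "referral ok:", referral_bitmap_ok(empty))
    print("NS bitmap:   ", fixed.hex(), "referral ok:", referral_bitmap_ok(fixed))
    print("apex-style:  ", encode_type_bitmap([SOA, NS, RRSIG, DNSKEY, NSEC3PARAM]).hex())
```

A single NS type encodes to the three octets 00 01 20 (window 0, one octet, bit 2 set); the empty bitmap encodes to nothing at all, which is why the defective record was not RFC compliant.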


517510-1 : HTTP monitor might add extra CR/LF pairs to HTTP body when supplied

Component: Local Traffic Manager

Symptoms:
When supplying HTTP containing body text to the HTTP monitor, the system might append extra CR/LF pairs to the end.

Conditions:
HTTP monitor with text specifying HTTP body text.

Impact:
This may cause malformed POST or PUT messages.

Workaround:
Limited work-around entails providing an alternative HTTP health check that does not require PUTting or POSTing a body.

Fix:
The HTTP monitor has been fixed to avoid adding additional CR/LF pairs, except for the case where only headers are supplied and there are insufficient CR/LF supplied to terminate the headers.


517465-4 : tmm crash with ssl

Component: Local Traffic Manager

Symptoms:
Under some rare conditions, a problem with SSL might cause TMM to crash.

Conditions:
An SSL alert is sent during the SSL handshake.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None known

Fix:
A tmm crash related to alerts during an SSL handshake failure has been fixed.


517441-5 : apd may crash when RADIUS accounting message is greater than 2K

Component: Access Policy Manager

Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are a lot of attributes with total size greater than 2K, apd may crash.

Conditions:
The RADIUS Acct agent is configured in an access policy, and the RADIUS Acct request contains numerous attributes.

Impact:
Service becomes unavailable while the apd process restarts.

Fix:
The maximum size of RADIUS packet is now set to 4K (RFC2865).
If the total size of attributes is greater than 4K, the packet will be truncated to 4K.


517388-7 : Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.

Component: TMOS

Symptoms:
The system recognizes and displays to the user a few relative distinguished names (RDNs): division name, state name, locality name, organization name, country name, and common name.

Conditions:
The subject or issuer contains RDNs other than those listed above; these are not parsed correctly.

Impact:
Parsing the DN (for subject or issuer) might combine fields that result in RDN values that are longer than allowed. This causes issues when trying to store these in Enterprise Manager (EM) database.

Workaround:
None.

Fix:
All relative distinguished names (RDNs) are now parsed as expected. Previously, the system correctly parsed RDNs for division name, state name, locality name, organization name, country name, and common name. Now, the system correctly parses all RDNs.
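The impact described above (fields combined into over-long RDN values) is what happens when a DN string is split on every comma instead of being parsed: an escaped comma inside a value, or a multi-valued RDN joined with '+', is misattributed to a neighbouring field. The following is an added example, not BIG-IP's certificate parser, of an RFC 4514 DN parser that honours backslash escapes (including hex pairs, which encode UTF-8 bytes), multi-valued RDNs and arbitrary attribute types. The DNs used are constructed samples.

```python
_HEX = "0123456789abcdefABCDEF"


def _join(buf) -> str:
    """Join (char, escaped) pairs, trimming only unescaped leading/trailing
    spaces so that an escaped space at the edge of a value survives."""
    start, end = 0, len(buf)
    while start < end and buf[start] == (" ", False):
        start += 1
    while end > start and buf[end - 1] == (" ", False):
        end -= 1
    return "".join(ch for ch, _ in buf[start:end])


def parse_dn(dn: str) -> list:
    """Parse an RFC 4514 string DN into a list of RDNs, each a list of
    (attribute type, value) pairs.  An unescaped ',' separates RDNs, an
    unescaped '+' separates the attributes of a multi-valued RDN, and a
    backslash escapes the next character or introduces a hex pair."""
    if not dn:
        return []
    rdns, rdn, buf, pending = [], [], [], bytearray()
    attr_type = None

    def flush_hex():
        # consecutive \XX pairs form one UTF-8 byte sequence
        if pending:
            buf.extend((ch, True) for ch in pending.decode("utf-8"))
            pending.clear()

    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                pending.append(int(pair, 16))
                i += 3
                continue
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of DN")
            flush_hex()
            buf.append((dn[i + 1], True))       # escaped special character
            i += 2
            continue
        flush_hex()
        if ch == "=" and attr_type is None:
            attr_type = _join(buf)
            buf.clear()
        elif ch in "+,":
            if attr_type is None:
                raise ValueError("value without attribute type at offset %d" % i)
            rdn.append((attr_type, _join(buf)))
            buf.clear()
            attr_type = None
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append((ch, False))
        i += 1
    flush_hex()
    if attr_type is None:
        raise ValueError("DN does not end with a complete attribute")
    rdn.append((attr_type, _join(buf)))
    rdns.append(rdn)
    return rdns


def longest_value(dn: str) -> int:
    """Length of the longest single attribute value; the figure a storage
    layer with per-field limits actually has to care about."""
    return max((len(v) for rdn in parse_dn(dn) for _, v in rdn), default=0)


if __name__ == "__main__":
    sample = "CN=Test\\, Inc.,OU=R\\+D+L=Seattle,O=Example,C=US"
    print("naive split :", sample.split(","))
    print("parsed      :", parse_dn(sample))
    print("longest     :", longest_value(sample))
```

The naive split of the sample yields five fragments, two of which are not attributes at all, whereas the parser yields four RDNs with every value intact.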


517282-7 : The DNS monitor may delay marking an object down or never mark it down

Component: Local Traffic Manager

Symptoms:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Conditions:
A DNS monitor with no configured recv string receives an ICMP error other than port unreachable.

Impact:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Workaround:
Supply an appropriate recv string to the monitor definition:
  tmsh modify ltm monitor dns mydns recv 10.1.1.1

Or add another monitor to the object:
  tmsh modify ltm pool dnspool monitor min 2 of { mydns gateway_icmp }

Fix:
DNS monitor should mark server down when getting ICMP admin prohibited error. This is correct behavior.


517245-2 : A request that should be blocked was forwarded to the server

Component: Application Security Manager

Symptoms:
A request that should be blocked is forwarded to the server.

Conditions:
Both of the following conditions hold:
1. Either the request URL has a "do nothing" header content profile, or the request is longer than the maximum buffer size while the exceed-buffer-length violation is turned off (both cases cause an ignore-payload state).
2. An iRule or session tracking is assigned to the virtual server.

Impact:
A request that should have been blocked reaches the server.

Workaround:
N/A

Fix:
We fixed a scenario where a request that should have been blocked still reached the server.


517209-7 : tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable

Component: TMOS

Symptoms:
The tmsh save sys config file /var/tmp or /shared/tmp command, or one using a relative path to these directories (for example, /config/../shared/tmp), saves the scf at the specified real path. However, since the /var/tmp directory is used internally by BIG-IP daemons, some functionality may be rendered unusable until the /var/tmp symlink to /shared/tmp is restored.

Conditions:
Saving the sys config file to /var/tmp or /shared/tmp (or a relative path to one of these directories).

Impact:
Some system functionality may be rendered unusable.

Workaround:
Use the following commands to delete the scf and restore the symlink:
1) rm -f /var/tmp
2) ln -s /shared/tmp /var/
3) bigstart restart

Fix:
The /var/tmp or /shared/tmp are now invalid paths for the tmsh save sys config file command.
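The fix above is a destination-path check, and the interesting part is that the check has to be done after normalization: /config/../shared/tmp, /shared/tmp/ and /var/tmp all name the same reserved location, and the symlink means the lexical and resolved paths differ. The following added example, not tmsh's own code, validates an SCF destination by normalizing it, comparing both the lexical and the resolved form against the reserved directories, and refusing any existing directory or symlink outright. run_demo() rebuilds the var/tmp -> shared/tmp layout from the note under a scratch directory (constructed, not a BIG-IP filesystem) and exercises the validator.

```python
import os
import tempfile

# Directories the note says BIG-IP daemons rely on; /var/tmp is a symlink
# to /shared/tmp, so saving an SCF *as* either path replaces the link/dir.
RESERVED_PATHS = ("/var/tmp", "/shared/tmp")


def normalize(path: str, cwd: str = "/") -> str:
    """Lexically collapse '.', '..' and trailing slashes without touching the
    filesystem: '/config/../shared/tmp' becomes '/shared/tmp'."""
    return os.path.normpath(os.path.join(cwd, path))


def validate_scf_destination(path: str, cwd: str = "/", reserved=RESERVED_PATHS):
    """Return (ok, detail).  Rejects a destination that names a reserved
    directory, either lexically or after symlink resolution, and any path
    that is already a directory or symlink, since the save would replace it."""
    target = normalize(path, cwd)
    reserved_forms = set(reserved) | {os.path.realpath(r) for r in reserved}
    if target in reserved_forms or os.path.realpath(target) in reserved_forms:
        return False, "%s names a reserved directory" % target
    if os.path.islink(target) or os.path.isdir(target):
        return False, "%s is an existing directory or symlink" % target
    return True, target


def run_demo() -> dict:
    """Recreate the layout from the note under a scratch root and return
    {destination: accepted} for several candidate paths."""
    cases = ["var/tmp", "config/../shared/tmp", "shared/tmp/",
             "var/tmp/backup.scf", "config/backup.scf"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        shared_tmp = os.path.join(root, "shared", "tmp")
        os.makedirs(shared_tmp)
        os.makedirs(os.path.join(root, "var"))
        os.makedirs(os.path.join(root, "config"))
        os.symlink(shared_tmp, os.path.join(root, "var", "tmp"))   # /var/tmp -> /shared/tmp
        reserved = (os.path.join(root, "var", "tmp"), shared_tmp)
        for case in cases:
            ok, detail = validate_scf_destination(case, cwd=root, reserved=reserved)
            results[case] = ok
            print("%-24s %-8s %s" % (case, "accept" if ok else "reject", detail))
    return results


if __name__ == "__main__":
    run_demo()
```

Writing a file into the directory (var/tmp/backup.scf) is fine and is accepted; naming the directory itself, in any spelling, is what the validator refuses.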


517178-2 : BIG-IP system as SAML Service Provider cannot process some messages from SimpleSAMLphp under certain conditions

Component: TMOS

Symptoms:
When the BIG-IP system is used as Service Provider with SimpleSAMLphp as Identity Provider, processing of signed artifact response messages from IdP may fail with following error: Digest of SignedInfo mismatch.

Conditions:
- BIG-IP system is configured as SP.
- Artifact binding is used for SSO.
- Artifact response message from IdP is signed.

Impact:
User SSO may not work.

Workaround:
Use POST binding instead of Artifact.

Fix:
The BIG-IP system configured as SAML Service Provider can now correctly process messages from SimpleSAMLphp, so that user SSO works as expected.


517146-1 : Log ID 01490538 may be truncated

Component: Access Policy Manager

Symptoms:
Log ID 01490538 may appear truncated in /var/log/apm. It is supposed to say "Configuration snapshot deleted by Access".

Conditions:
Access profile snapshots are timing out and being deleted by the system.

Impact:
Most likely just corrupted log messages. A very slight chance of a crash, due to the string terminator being written to the wrong location in memory.

Workaround:
No workaround.

Fix:
Log ID 01490538 now prints correctly to /var/log/apm.


517124 : HTTP::retry incorrectly converts its input

Component: Local Traffic Manager

Symptoms:
The HTTP::retry iRule converts its input into UTF8. If the input is a bytearray using some other locale, then bytes with the high-bit set may be corrupted.

The resulting corrupted request will then be sent to the server as the retried request.

Conditions:
The input to HTTP::retry is a Tcl bytearray rather than a Tcl string. The output of some commands, e.g., HTTP::payload, is a bytearray. Strings are in UTF-8 format; bytearrays are not.

Impact:
Non-ASCII characters may be corrupted when HTTP::retry is used.

Fix:
The HTTP::retry command no longer corrupts input that isn't in the UTF8 format.


517083-1 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching.

As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with Virtual Servers that were originally specified on a pre-folder-aware version of BIG-IP, such as 10.2.x.

When they are discovered by a folder aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool.

This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


517053-2 : bigd detection and logging of load and overload

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with a very large number of monitor instances (multiple thousands) probing at relatively fast intervals, BIG-IP may not be able to keep up with its servicing load. This can be indicated by pool members being marked down/up (flapping) that were not actually having connectivity problems.

Conditions:
Heavy monitor instance probe rate (monitor instance probes per second).

Impact:
When overloaded, bigd is unable to probe consistently which may result in odd or unpredictable pool member up/down behavior.

Workaround:
Overload can be mitigated by reducing the number of monitor instances, increasing the probe interval so that probes occur less often, and/or switching monitored pool members/nodes to a simpler, lower-overhead monitor (e.g., ICMP instead of HTTP, or HTTP instead of HTTPS).

Fix:
This particular fix does not change the problem or mitigation steps. Rather, it helps detect when overloading has occurred.

When it has been determined that overloading has occurred, a message will be logged to /var/log/ltm to indicate this. By default, the overload message will be triggered if the main 1/10 second (100 ms) loop takes, on average, more than 150 ms to service. This overload threshold value can be adjusted with the new Bigd.Overload.Latency sys db variable. The variable indicates the number of ms latency at which servicing the 100 ms main loop is considered overload.

In addition, main loop latency logging has been added to /var/log/bigdlog. The latency information will be logged every 15 seconds. The main loop latency information will be logged whenever Bigd.Debug is enabled, or if the new sys db variable Bigd.Debug.TimingStats is enabled. The new Bigd.Debug.TimingStats variable allows the main loop latency stats to be emitted even if other debug information, which can be quite verbose, is suppressed.

The main loop latency information has the following format:
insts, avg-5m mean-5m stddev5, avg-1m mean-1m stddev1
insts: # of active monitor instances being monitored
avg-5m: weighted decaying average loop latency over 5 minutes
mean-5m: mean average loop latency over 5 minutes
stddev5: standard deviation of loop latency over 5 minutes
avg-1m: weighted decaying average loop latency over 1 minute
mean-1m: mean average loop latency over 1 minute
stddev1: standard deviation of loop latency over 1 minute

Once again, these average/mean values are measuring the 100 ms service loop, which under normal circumstances should always complete in close to 100 ms. When the value rises above 100 ms, that means we are not able to service all our monitor instances in a timely fashion.
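The detection logic described above, as an added example rather than bigd's own code: a 100 ms service loop whose per-iteration latency is tracked over 1 and 5 minute windows, with a decaying average, a plain mean and a standard deviation per window, an overload decision against the 150 ms default threshold the note gives for Bigd.Overload.Latency, and a log line in the documented field order. The exponentially weighted moving average used for the "avg" fields is an assumption about what "weighted decaying average" means; the two latency traces are constructed.

```python
from collections import deque
import statistics


class LoopLatencyWindow:
    """Latency statistics over a fixed number of loop iterations."""

    def __init__(self, samples: int, alpha: float = 0.1):
        self.samples = deque(maxlen=samples)
        self.alpha = alpha       # weight of the newest sample in the decaying average
        self.avg = None          # exponentially weighted decaying average (assumed form)

    def record(self, latency_ms: float) -> None:
        self.samples.append(latency_ms)
        self.avg = latency_ms if self.avg is None else (
            self.alpha * latency_ms + (1 - self.alpha) * self.avg)

    def stats(self) -> dict:
        if not self.samples:
            return {"avg": 0.0, "mean": 0.0, "stddev": 0.0}
        return {
            "avg": self.avg,
            "mean": statistics.mean(self.samples),
            "stddev": statistics.pstdev(self.samples) if len(self.samples) > 1 else 0.0,
        }


class BigdLoadMonitor:
    """Tracks the 100 ms main-loop latency over 1 and 5 minute windows and
    flags overload when the decaying 1 minute average exceeds the threshold
    (150 ms by default, the value the note gives for Bigd.Overload.Latency)."""

    def __init__(self, loop_ms: int = 100, overload_latency_ms: float = 150.0):
        per_minute = 60_000 // loop_ms
        self.threshold = overload_latency_ms
        self.win5 = LoopLatencyWindow(5 * per_minute)
        self.win1 = LoopLatencyWindow(per_minute)
        self.instances = 0

    def record(self, latency_ms: float, instances: int) -> None:
        self.instances = instances
        self.win5.record(latency_ms)
        self.win1.record(latency_ms)

    def overloaded(self) -> bool:
        """Compare the decaying average, not a single slow iteration, so one
        spike does not trigger the overload message."""
        return self.win1.stats()["avg"] > self.threshold

    def timing_line(self) -> str:
        """Render in the documented order:
        insts, avg-5m mean-5m stddev5, avg-1m mean-1m stddev1"""
        s5, s1 = self.win5.stats(), self.win1.stats()
        return "%d, %.1f %.1f %.1f, %.1f %.1f %.1f" % (
            self.instances, s5["avg"], s5["mean"], s5["stddev"],
            s1["avg"], s1["mean"], s1["stddev"])


def replay(latencies, instances: int) -> BigdLoadMonitor:
    """Feed a sequence of per-iteration loop latencies into a fresh monitor."""
    mon = BigdLoadMonitor()
    for latency in latencies:
        mon.record(latency, instances)
    return mon


# Constructed traces: a healthy box (loop finishes in ~100 ms) and one that
# degrades to a ~200 ms loop for the second minute.
HEALTHY = [100.0 + (i % 3) for i in range(600)]
OVERLOADED = [100.0] * 600 + [200.0] * 600

if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY), ("overloaded", OVERLOADED)):
        mon = replay(trace, instances=4000)
        print("%-10s %s  %s" % (name, mon.timing_line(),
                                "OVERLOAD" if mon.overloaded() else "ok"))
```

On the degraded trace the 5 minute mean sits at exactly 150 ms (half the samples at 100, half at 200) while the 1 minute figures are all at 200 ms, which is why the decision is taken on the short window: the long window lags the onset of overload by design.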


517048-1 : BSD regex library vulnerability CVE-2015-2305

Vulnerability Solution Article: K16831


517020-5 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command: tmsh show sys services. Here is an example of the status when the system is in this state: subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log contains numerous messages similar to the following: Received broken packet. Closing session. The /var/log/sflow_agent.log contains numerous messages similar to the following: AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.

Fix:
SNMP requests handling has been improved to ensure that requests no longer fail after a number of days.


517019-1 : AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect

Component: Advanced Firewall Manager

Symptoms:
AVR sometimes detects the incorrect BIG-IP module that created a response to an HTTP transaction.

Conditions:
Using an AVR HTTP profile or Application DoS, with a transaction that was responded to by a BIG-IP module such as DoS, Cache, iRules, and so on.

Impact:
1. AVR reports an incorrect module.
2. Application DoS uses this information for its decisions, and thus can choose a mitigation action that differs from the desired one.

Workaround:
None.

Fix:
The detection of the internal module is done correctly, so that the correct mitigation action is chosen.


516995-3 : NAT traffic group inheritance does not sync across devices

Component: TMOS

Symptoms:
When a NAT object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.

Impact:
The inherited-traffic-group property must be manually maintained on all devices.

Workaround:
Enable the 'full sync' option instead of using incremental sync.

Fix:
NAT traffic group inheritance now syncs across devices using incremental sync.


516839-3 : Add client type detection for Microsoft Edge browser

Component: Access Policy Manager

Symptoms:
Microsoft Edge browser cannot be detected by Client Type action item agent in access policy.

Conditions:
Microsoft Edge browser, Client Type action item agent in access policy on BIG-IP APM.

Impact:
Microsoft Edge browser is not detected by Client Type action item and the webtop might not display properly or might display resources that are not supported.

Fix:
Microsoft Edge browser is now detected properly, and only supported resources are shown on the webtop. Components that require ActiveX are not supported.


516816-4 : RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Component: Local Traffic Manager

Symptoms:
RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Conditions:
The key cert pair type matches one of the following combinations:
1. RSA key/DSA-signed cert.
2. RSA key/ECDSA-signed cert.

Impact:
When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.

Workaround:
Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use a matching combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.

Fix:
An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.


516685-2 : ZoneRunner might fail to load valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files that contain two or more consecutive lines that are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.

Workaround 2:
1. Freeze zones, stop zrd.
2. Copy the zone file from the donor GTM to the new GTM.
3. Check and adjust ownership (chown) of the zone file.
4. Start zrd, thaw zones.
5. Restart named.

Fix:
ZoneRunner now successfully loads zone files that contain $TTL directives, blank lines, comment-only lines, or some combination of the above.


516680-2 : ZoneRunner might fail when loading valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files that contain two or more consecutive lines that are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.

Workaround 2:
1. Freeze zones, stop zrd.
2. Copy the zone file from the donor GTM to the new GTM.
3. Check and adjust ownership (chown) of the zone file.
4. Start zrd, thaw zones.
5. Restart named.

Fix:
ZoneRunner will no longer crash when parsing zone files containing $TTL directives, blank lines, comment-only lines, or some combination of the above.

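As an added example covering both 516685-2 and 516680-2 (not ZoneRunner's or BIND's code), a small zone-file loader in Python that treats any run of $TTL directives, blank lines and comment-only lines as state updates or no-ops without disturbing owner-name inheritance, and rejects an owner-less record with a clear error instead of failing silently; the supported record types, the '@' and relative-name handling, and the sample zone are assumptions and constructed data.

```python
import re

DIRECTIVE_RE = re.compile(r"^\$(TTL|ORIGIN)\s+(\S+)\s*$")
TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.IGNORECASE)
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Assumption: the subset of record types this loader accepts.
RECORD_TYPES = {"A", "AAAA", "NS", "CNAME", "MX", "TXT", "PTR", "SOA", "SRV"}


def parse_ttl(token):
    m = TTL_RE.match(token)
    if not m:
        raise ValueError("bad TTL %r" % token)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()]


def strip_comment(raw):
    """Drop a ';' comment. Simplification (assumption): no quoted ';' in rdata."""
    idx = raw.find(";")
    return raw if idx < 0 else raw[:idx]


def qualify(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def load_zone(text, origin):
    """Return a list of (owner, ttl, type, rdata) tuples for a zone file."""
    if not origin.endswith("."):
        origin += "."
    records, default_ttl, last_owner = [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).rstrip()
        if not line.strip():
            continue  # blank or comment-only line: no state change, any number in a row is fine
        m = DIRECTIVE_RE.match(line)
        if m:
            if m.group(1) == "TTL":
                default_ttl = parse_ttl(m.group(2))
            else:
                origin = m.group(2) if m.group(2).endswith(".") else m.group(2) + "."
            continue  # a directive never becomes "the previous owner"
        if line.startswith("$"):
            raise ValueError("line %d: unsupported directive %r" % (lineno, line.split()[0]))
        fields = line.split()
        if line[0] in " \t":
            # Owner omitted: inherit from the last record, not from a directive.
            if last_owner is None:
                raise ValueError("line %d: owner omitted but no previous owner" % lineno)
            owner = last_owner
        else:
            owner = qualify(fields.pop(0), origin)
        ttl = default_ttl
        if fields and TTL_RE.match(fields[0]):
            ttl = parse_ttl(fields.pop(0))
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        if not fields or fields[0].upper() not in RECORD_TYPES:
            raise ValueError("line %d: unrecognised record" % lineno)
        rtype = fields.pop(0).upper()
        if ttl is None:
            raise ValueError("line %d: no TTL given and no $TTL in effect" % lineno)
        records.append((owner, ttl, rtype, " ".join(fields)))
        last_owner = owner
    return records


# Constructed sample: consecutive $TTL directives, blank and comment-only
# lines, followed by records that rely on owner inheritance.
SAMPLE_ZONE = """\
$TTL 3600
$TTL 1800

; comment-only line
; another comment-only line

$ORIGIN example.com.
@        IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
         IN NS  ns1.example.com.
www  600 IN A   192.0.2.10
         IN A   192.0.2.11
"""

if __name__ == "__main__":
    for rec in load_zone(SAMPLE_ZONE, "example.com"):
        print(rec)
```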

516669-1 : Rarely occurring SOD core causes failover.

Component: TMOS

Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.

Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.

Workaround:
None.

Fix:
Errors in handling memory have been fixed to prevent allocation failure.


516618-5 : glibc vulnerability CVE-2013-7424

Vulnerability Solution Article: K16472


516598-1 : Multiple TCP keepalive timers for same Fast L4 flow

Component: Local Traffic Manager

Symptoms:
Multiple TCP keepalive timers for same Fast L4 flow.

Conditions:
Fast L4 profile with TCP Keepalive option enabled.

Impact:
TMM core.

Workaround:
Disable TCP Keepalive option from the Fast L4 profile.

Fix:
Multiple TCP keepalive timers are no longer started for the same Fast L4 flow.


516540-3 : devmgmtd file object leak

Component: TMOS

Symptoms:
Under certain circumstances, devmgmtd might leak file descriptors.

Conditions:
This might occur when attempting to add a device to trust by specifying a hostname instead of an IP address, where this hostname is not valid.

Impact:
devmgmtd may restart, logging an error that it has 'too many open files'. Although restarting is the correct reaction to the error condition, the error message the system presents does not indicate the underlying cause.

Workaround:
None.

Fix:
devmgmtd no longer leaks file descriptors in a certain error path (which would sometimes cause it to dump core).


516523-2 : Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
ASM is only supposed to request a Full Sync if there has been a Manual Full Sync request, or if an incremental / auto sync indicates that the state is inconsistent with that of its peers.

The system was mistakenly requesting a Full Sync on every config change in an Auto-Sync, Full Sync group even when it was in a consistent state.

Conditions:
A Device Group is configured with Auto-Sync, Full Sync, and ASM enabled.

Impact:
Noise on the network, extra CPU usage, Policy Builder restarting on receiving peer.

Workaround:
Disable "Full Sync" on the device group.

Fix:
The system no longer requests a Full ASM Configuration Sync on every full auto sync in a device group.


516522-1 : After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.

Component: Application Security Manager

Symptoms:
After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.

Conditions:
1) ASM is provisioned and there is a redirect URL configured on any pre-11.4.x.
2) Upgrade to 11.4.x, 11.5.3, or 11.6.0. This does not occur in 11.5.4, 11.6.1, or 12.0.0 and beyond.

Impact:
The configured redirect URL location is empty.

Workaround:
None.

Fix:
The configured redirect URL location is now preserved after upgrade from any pre-11.4.x to 11.4.x through 12.0.0.


516462-2 : Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines

Component: Access Policy Manager

Symptoms:
Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines.

Conditions:
Client Windows machine roams between different networks (Wi-Fi or Ethernet) when the BIG-IP system has configured split-tunneling.

Impact:
Excluded address space routes are not applied.

Fix:
The cause of this issue has been fixed; excluded address space routes are now applied correctly even when a client machine roams between different networks.


516408-1 : SSL reports certificate verification OK even when verification returns failure for pcm=request.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is configured as request, even if the certificate is invalid (certificate verification returns failure), SSL returns OK.

Conditions:
Client authentication is configured with pcm=request.

Impact:
SSL returns the incorrect verification result.

Workaround:
None.

Fix:
When client authentication is configured with peer certificate mode (PCM) set to request, SSL now returns the correct verification result.


516322-7 : The BIG-IP system may erroneously remove an iApp association from the virtual server.

Component: TMOS

Symptoms:
The BIG-IP system may erroneously remove an iApp association from the virtual server.

Conditions:
This might occur when merging configurations in tmsh, in iControl when using Management.ChangeControl.put_config, and during incremental sync when the iApp is modified, but there is no modification to the virtual server.

There are two sets of conditions under which this issue might occur:
1. iApp, virtual server, and persistence profile are configured and associated prior to merge.

2. All of the following:
- High availability pair defined over a Device Group with Incremental Sync specified (that is, Full Sync is disabled).
- iApp with one or more virtual servers deployed on one or more peers.
- iApp is reconfigured on one of the peers with no modification of the Virtual Server configuration.
- Config sync to a peer unit.

Impact:
This removes iApp association with the virtual server.

Workaround:
To work around this issue, you should add the affected virtual server name to the list of commands during the merge process.

For example, you should add ltm virtual server iApp-test_vs { } to the tmsh merge script during the merge process:

cli admin-partitions { update-partition Common } ltm persistence source-addr /Common/put-config-test { app-service none defaults-from /Common/source_addr mirror enabled timeout 300 } ltm virtual iApp-test_vs { }

Fix:
Modifying a persistence profile while updating a partition during a merge config no longer disassociates the iApp from the virtual server.


516320-2 : TMM may have a CPU spike if match cross persist is used.

Component: Local Traffic Manager

Symptoms:
TMM may have a CPU spike.
A few (very few) connections may fail.

Conditions:
1) Match across persistence is used.
2) A long idle timeout makes the symptom worse.
3) Persistence HA (mirroring) makes the symptom worse.

Impact:
TMM may have a CPU spike.
A few (very few) connections may fail.

Workaround:
Avoid using match across persist.

Fix:
Match across persistence no longer causes CPU spike.


516292-1 : Incorrect handling of repeated headers

Component: Local Traffic Manager

Symptoms:
If an HTTP/2 request forwarded to an HTTP/1.1 server produces a response in which the same header occurs more than once, the HTTP/2 response is encoded incorrectly and cannot be processed by the HTTP/2 browser.

Conditions:
Responses that contain the same header (with possibly different values) more than once.

Impact:
The browser fails to process such responses.

Workaround:
For the set-cookie header there is no work-around because each cookie requires its own header. For other headers, an iRule could potentially be used to concatenate the values of repeated headers.

Fix:
The http/2 protocol handling now correctly encodes repeated headers.


516219-4 : User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled

Component: Access Policy Manager

Symptoms:
Connection is reset when user tries to log on to an APM virtual server. APM log shows ERR_NOT_FOUND while getting profile license.

Conditions:
The issue happens if slot 1 in a VIPRION 4800 chassis is not occupied or is occupied but not enabled.

Impact:
User logon failure.

Workaround:
Detach APM access profile from the virtual server and then reattach it.

Fix:
Access policies now work properly in a VIPRION 4800 with no slot 1.


516179-1 : Woodside falsely detects congestion

Component: Local Traffic Manager

Symptoms:
The TCP profile Congestion Control algorithm Woodside falsely detects congestion and might reduce its own performance.

Conditions:
High-bandwidth, low-delay connections (i.e., a large congestion window).

Impact:
Performance impact when using the Woodside congestion control algorithm, and TMM might crash.

Workaround:
Use a TCP profile Congestion Control other than Woodside.

Fix:
The Woodside congestion control algorithm now correctly detects congestion without false alarms.


516075-6 : Linux command line client fails with on-demand cert

Component: Access Policy Manager

Symptoms:
Linux command line client fails with On-Demand Cert Auth.

Conditions:
End user needs to be running Linux command line client and the On-Demand Cert Auth agent.

Impact:
Depending upon the access policy, the user might fail to log in and establish a Network Access connection.

Workaround:
None.

Fix:
Linux command line client works with On-Demand Cert Auth now.


516073 : Revised AWS Setup Guide

Component: TMOS

Symptoms:
tmsh is now the default shell for AWS VE.
Documentation revised to remove "tmsh" from all tmsh command line entries.

Conditions:
Log in to an SSH session with the AWS VE. Initiate any tmsh command by starting the entry with "tmsh."

The result is a syntax error.

Impact:
No tmsh commands can be executed. Without the ability to revise the AWS virtual machine (VM) password using tmsh, the VM cannot be used.

Workaround:
Omit the word "tmsh" from command entries.

Fix:
Documentation revised to clarify tmsh command entries.


516057-3 : Assertion 'valid proxy' can occur after a configuration change with active IVS flows.

Component: Service Provider

Symptoms:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash.

If there are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.

Conditions:
1. Active flows exist on an internal virtual server (IVS). This is necessary to trigger the assertion.
2. A configuration update or sync affecting that IVS is in progress.
3. A new connection is initiated to that IVS during the update.

Impact:
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.

Workaround:
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.

Fix:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.


515943-2 : "Session variables" report may show empty if session variable value contains non-English characters

Component: Access Policy Manager

Symptoms:
"Session variables" report may show empty if session variable value contains non-English characters

Conditions:
For active session only.

Impact:
User cannot see the Session Variable information for active session.

Workaround:
Use English characters for network configuration values such as host names and user names.

Fix:
"Session variables" report shows correct information for any language characters.


515817-2 : TMM may not reset connection when receiving an ICMP error

Component: Local Traffic Manager

Symptoms:
Connection is not reset after receiving an ICMP error

Conditions:
TMM receives an ICMP error after sending a TCP/SYN on a FastL4 virtual

Impact:
Delayed shutdown of connection

Fix:
TMM will now reset FastL4 connections when receiving an ICMP error in response to TCP/SYN.


515797-1 : Using qos_score command in RULE_INIT event causes TMM crash

Component: Global Traffic Manager

Symptoms:
TMM crashes when the iRule with qos_score command in RULE_INIT event is added to a wide IP.

Conditions:
Configured iRule with qos_score command in RULE_INIT event that is added to a wide IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Do not use qos_score command in RULE_INIT event.

Fix:
qos_score command is disallowed in RULE_INIT event.


515759-3 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time

Component: Local Traffic Manager

Symptoms:
tmm memory growth over time.

Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANS in a vlan allow or vlan deny list.

Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.

Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configurations changes to Self-IPs, virtual servers, NATs, SNATs and LSNs.

Fix:
Configuration objects with more than four VLANs in the VLAN list no longer cause memory utilization to increase over time.


515736-4 : LSN pool with small port range may not use all ports

Component: Carrier-Grade NAT

Symptoms:
When LSN pool port range is small, some ports may not be used for translation.

Conditions:
LSN pool port range is small.

Impact:
Even though free ports are available, they are not used for translation and the connection fails.

Workaround:
Set the LSN pool port range to the default value of 1025 - 65535.


515728-5 : Repeated BD cores.

Component: Application Security Manager

Symptoms:
The bd process crashes and produces a core file in the /var/core directory.

Conditions:
It is not known what conditions trigger the crash.

Impact:
Traffic disrupted while bd restarts.

Fix:
Fixed a bd core related to Tcl processing.


515667-4 : Unique truncated SNMP OIDs.

Component: TMOS

Symptoms:
When the BIG-IP system must truncate an SNMP OID in order to stay within the OID maximum length limit of 128, the truncated OID is not always consistent or unique.

Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String-type index attributes with value lengths approaching or exceeding 128 characters expose this truncation issue.

Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.

Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.

Fix:
Truncated OIDs are now appended with a unique check-sum value that remains unchanged from one query to the next.


515646-1 : TMM core when multiple PPTP calls from the same client

Component: Carrier-Grade NAT

Symptoms:
TMM can core when multiple PPTP calls arrive from the same client.

Conditions:
PPTP ALG VS with CGNAT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when multiple PPTP calls arrive from the same client.


515638 : 5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled, and URL inputs cannot be categorized by the local Webroot database managed on the BIG-IP system because the URLs contain a mix of upper/lowercase characters, there may be 5% drop in the Webroot cloud lookup performance.

Conditions:
Webroot cloud lookup is enabled, and all URLs are unknown to the local database and consist of a mix of upper/lowercase letters.

Impact:
There could be a 5% drop in Webroot cloud lookup performance in this case. This only occurs when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The issue has been fixed by improving/optimizing URL normalization prior to Webroot cloud lookup.


515562-1 : Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.

Component: Advanced Firewall Manager

Symptoms:
When AFM is not licensed or provisioned, the user might still be able to enable Sweep and Flood.

Conditions:
Enable a Sweep and Flood vector when AFM is not licensed or provisioned.

Impact:
TMM might crash.

Workaround:
Avoid configuring Sweep and Flood vectors when AFM is not licensed or provisioned.

Fix:
Sweep and Flood may crash if it is enabled when AFM is not licensed or provisioned; users should avoid configuring Sweep and Flood vectors when AFM is not licensed or provisioned.


515482 : Multiple teardown conditions can cause crash

Component: Local Traffic Manager

Symptoms:
When iRules direct the teardown of a TCP connection after some delay, another event might tear down the connection during the delay. When the iRule-directed abort finally arrives, the system crashes.

Conditions:
(1) An iRule or other cross-layer message can trigger an ABORT after teardown.

(2) The TCP profile has settings that invoke the correct TCP implementation:
(a) 11.5.x: mptcp is enabled
(b) 11.6.x: mptcp, rate-pace, or tail-loss-probe are enabled, OR TCP uses Vegas, Illinois, Woodside, CHD, CDG, Cubic, or Westwood congestion control.

Impact:
TMM crashes.

Workaround:
Suspend iRules with this behavior.

Fix:
When receiving ABORT commands, TCP catches cases where the connection is already closed.


515449-1 : bd agent listens on all addresses instead of the localhost only

Component: Application Security Manager

Symptoms:
bd agent listens on all addresses instead of the localhost only.

Conditions:
ASM provisioned.

Impact:
bd agent might crash in response to a simple telnet request from an external connection.

Workaround:
None.

Fix:
bd agent now listens on localhost only.


515433-1 : BD crash on specific signature sets configuration.

Component: Application Security Manager

Symptoms:
A BD crash, failover and/or traffic interruption.

Conditions:
Two different signature sets with different sizes (i.e., the number of signatures in a set) are assigned to two different security policies. The issue relates to a scenario where there is traffic that generates a lot of violations, staging, or suggestions.

Impact:
A BD crash, a failover, and/or traffic interruption.

Workaround:
Assign the same set(s) to all the security policies.

Fix:
Crash issue that is related to a specific configuration was fixed.


515387 : Update EPSEC package to latest verified in 11.6.0 branch

Component: Access Policy Manager

Symptoms:
EPSEC was out of date and we are updating to the latest.

Impact:
EPSEC contains old package and some endpoint security checks like machine cert, antivirus, firewall might fail.

Fix:
11.6.0 branch contains most recent verified EPSEC package.


515345-1 : NTP Vulnerability

Vulnerability Solution Article: K16505


515322-1 : Intermittent TMM core when using DNS cache with forward zones

Component: Local Traffic Manager

Symptoms:
TMM can intermittently crash when using the DNS cache resolver.

Conditions:
When a cache configuration is "removed" there are conditions where a refcount is not properly managed that would lead to memory being deleted before the last user is done with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
TMM will no longer intermittently core when using the DNS cache resolver.


515190-2 : Event Logs -> Brute Force Attacks can't show details after navigating to another page

Component: Application Security Manager

Symptoms:
After using the pagination mechanism on the Brute Force Attacks screen, the user is unable to open the attack details.

Conditions:
Navigate to another page on Event Logs -> Brute Force Attacks

Impact:
The user is unable to see the brute force attack details.

Workaround:
N/A

Fix:
The pagination mechanism was fixed on the Brute Force Attacks screen.


515187-2 : Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.

Component: Advanced Firewall Manager

Symptoms:
Certain ICMP packets (such as ICMPv6 Destination Unreachable) match twice against Global and Route-Domain ACL rules.

Conditions:
AFM provisioned and licensed.

Create a Global and/or Route Domain ACL policy with a rule matching ICMP traffic. Send ICMP packet such as Destination Unreachable.

Impact:
Global and Route-Domain ACL rules are evaluated twice under conditions specified above. This causes the rule counters to be incremented by 2 (instead of 1) and may cause double logging if enabled.

Workaround:
None

Fix:
ICMP traffic is now evaluated only once against Global and Route-Domain ACL rules.


515112-1 : Delayed ehash initialization causes crash when memory is fragmented.

Component: Advanced Firewall Manager

Symptoms:
When first using a new feature (fpm, firewall) under memory fragmentation conditions, if the feature uses an ehash table, TMM may crash.

Conditions:
Severe memory fragmentation, where contiguous allocations are not satisfied, combined with initial use of a new feature.

Impact:
TMM crashes.

Workaround:
Utilize all features shortly after TMM comes up, so all initial allocations are performed.

Fix:
Certain allocations are no longer delayed. Delayed allocations that fail are retried with smaller sizes, possibly reducing performance.


515072-4 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased

Component: Local Traffic Manager

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.

Fix:
A pool member is now made eligible for load balancing if it is no longer connection limited after its connection limit is modified.


515033 : [ZRD] A memory leak in zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh, there is a small memory leak in zrd. Although this memory leak is small for any one change, it could be noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias create/update operations.

Workaround:
If the zrd memory usage is negatively impacting system performance, you can restart zrd and clear out the memory usage by running the command: bigstart restart zrd.

Fix:
Memory no longer leaks for zrd when performing wide IP alias updating.


515030-1 : [ZRD] A memory leak in Zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing multiple wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh there is a small memory leak in zrd. This memory leak is not significant for any one change, but it might become noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias updates.

Workaround:
Although there is no workaround, you can mitigate potential system performance impacts by restarting zrd, which clears out the memory usage. To do so, run the command: bigstart restart zrd.

Fix:
Memory no longer leaks in zrd when performing multiple wide IP alias updating.


514912-3 : Portal Access scripts had not been inserted into HTML page in some cases

Component: Access Policy Manager

Symptoms:
If an HTML page contains forms with absolute action paths, Portal Access scripts must be inserted into that page. However, if there was no other reason to include them, these scripts were not inserted.

Conditions:
An HTML page containing a form with an absolute action path, for instance:

<form action="/cgi-bin/a.gci">
</form>

Impact:
The form cannot be submitted because the browser raises a JavaScript error.

Workaround:
It is possible to use an iRule to insert Portal Access scripts into the rewritten HTML page.

Fix:
Portal Access scripts are now inserted into the HTML page if it contains forms with absolute action paths.


514838-1 : TMM Crash on Relative URL

Component: WebAccelerator

Symptoms:
When a relative path that starts with ../ is presented to WAM, the code that attempts to rewrite the URL into an absolute, regular form potentially causes TMM to crash.

Conditions:
AAM profile on VIP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
An iRule that removes or modifies the URL path to be non-relative, or at least to start with a forward slash will protect WAM from this issue.

Fix:
Relative paths that do not start with a forward slash but include parent directory references are now handled correctly.


514785-2 : TMM crash when processing AAM-optimized video URLs

Component: WebAccelerator

Symptoms:
TMM might crash when processing HTTP requests for certain types of AAM-optimized videos.

Conditions:
AAM-enabled VIP with video optimization and IBR enabled by AAM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable AAM processing of AAM-optimized video URLs.

Fix:
TMM no longer crashes when processing HTTP requests for certain types of AAM-optimized videos.


514726-4 : Server-side DSR tunnel flow never expires

Component: TMOS

Symptoms:
TMM cores and memory exhaustion using Direct Server Return (DSR). DSR establishes a one-way tunnel between the BIG-IP system and the back-end servers using the clients' IP addresses as the tunnel local-address on the BIG-IP system. These flows never expire.

Conditions:
BIG-IP virtual servers using DSR tunnels to send client traffic to the server.

Impact:
Server-side DSR tunnel flows never expire. Because the DSR tunnels use the client's IP address as the tunnel local-address and the server's IP address as the tunnel remote-address, a single DSR setup might create as many tunnels as there are client requests. When these tunnels do not expire, the BIG-IP system's memory might eventually be exhausted, causing TMM cores.

Workaround:
None.

Fix:
Individual DSR tunnels are removed after the corresponding client's user flows expire.


514724-1 : crypto-failsafe fail condition not cleared when crypto device restored

Component: TMOS

Symptoms:
If a crypto device fails, the crypto-failsafe fail condition will not be cleared when the crypto device is restored.

Conditions:
This issue affects systems with failed crypto devices that are restored.

Impact:
In an HA pair, the failing unit will fail over, but it will always stay down.

Workaround:
To restore the crypto-failsafe HA fail status, restart tmm by issuing a 'bigstart restart tmm'. Note that on a VIPRION system, this command must be run on the appropriate blade.

Fix:
The crypto device can now be restored without leaving the crypto-failsafe HA status in the fail state.


514636-1 : SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN.

Component: Access Policy Manager

Symptoms:
When accessing HTTPS websites (via SWG) that present a certificate without a CN in the subject, a TMM crash occurs.

Conditions:
SWG explicit or transparent proxy using Category Lookup in the per-request access policy with Subject.CN as input. The crash only happens when accessing a site that has no CN in the Certificate's subject - this is not a common condition.

Impact:
This results in a TMM crash and failover.

Workaround:
Use Category lookup with SNI as input.

Fix:
When Category Lookup is configured to use Subject.CN as input, if the certificate subject does not contain a CN, APM processes the error correctly by logging an error.


514604-1 : Nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
A use-after-free of the Nexthop object may cause memory corruption or a tmm core.

Conditions:
This can happen if the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.

Workaround:
None.

Fix:
Management of nexthop object reference counting is more consistent.


514571-1 : Apply policy operation hangs

Component: Application Security Manager

Symptoms:
Apply policy operation hangs. The system logs the following messages in /ts/log/asm_config_server.log:
----------------
F5::SetActive::Impl::send_update_core,,Still waiting for response from bd_agent (XXX seconds)
----------------
where 'XXX' keeps increasing.

High CPU usage by the 'asm_config_server' process while the apply policy operation is stuck.

Conditions:
ASM provisioned.

Apply policy is executed (manually or automatically, for example by Policy Builder).

bd/bd_agent are restarted (for any reason) during the apply policy operation.

Impact:
Apply policy operation hangs.

Workaround:
Use one of the following commands:
-- bigstart restart asm
-- pkill -f asm_config_server

Fix:
Apply policy operation now has a timeout threshold, which prevents the apply policy operation from hanging.


514521 : Rare TMM Cores with TCP SACK and Early Retransmit

Component: Local Traffic Manager

Symptoms:
In certain isolated cases, TCP profiles with Early Retransmit and SACK enabled will cause a TMM Crash.

Conditions:
The connection is not in fast recovery but a SACK hole has been retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable Early Retransmit in the TCP profile.

Fix:
Early retransmit now handles corner cases where the SACK scoreboard is empty.


514450-4 : VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.

Component: TMOS

Symptoms:
In a VXLAN tunnel, a remote MAC address movement from one endpoint to another does not trigger ARL updates across all TMMs. As a result, some TMMs may contain stale ARL entries which can impact traffic forwarding. Also, when using 'tmsh show net fdb tunnel', there is a duplicated MAC address associated with different endpoints in the same tunnel.

Conditions:
When a remote MAC address is moved from one endpoint to another. For example, when a BIG-IP system in an HA setup configured with a masquerading MAC address changes its state from 'standby' to 'active'.

Impact:
This issue could impact traffic forwarding in VXLAN tunnels.

Workaround:
Although there is no complete workaround, you can mitigate the situation by making sure that the network is properly configured so that every device uses a unique MAC address. For example, in a network with an HA setup, try not to use masquerading MAC addresses.

Fix:
This version of software more consistently handles the condition of a remote MAC address being moved from one endpoint to another.


514313-1 : Logging profile configuration is updated unnecessarily

Component: Application Security Manager

Symptoms:
Logging profile configuration is updated in the ASM data plane unnecessarily, due to changes in pool member state.

Conditions:
Pool member state changes frequently.

Impact:
Unnecessary logging profile configuration updates are sent to ASM data plane.

Fix:
Logging profile configuration is updated in the ASM data plane only when it is modified, and not unnecessarily.


514277-1 : Provide a way to enable connection bar for Citrix desktops only

Component: Access Policy Manager

Symptoms:
When the connection bar is enabled via Custom Parameters in a Citrix resource, it is applied to both applications and desktops.

Conditions:
APM is configured for Citrix replacement mode and the connection bar is enabled via Custom Parameters in a Citrix resource.

Impact:
The connection bar is displayed for applications where it may not be needed.

Fix:
APM now enables the connection bar for Citrix desktops by default. This can be disabled by specifying ConnectionBar=0 in the Custom Parameters of the Citrix Remote Desktop resource.


514246-3 : connflow_precise_check_begin does not check for NULL

Component: Local Traffic Manager

Symptoms:
Currently connflow_precise_check_begin does not check its parameters for NULL, while hudproxy calls connflow_precise_check_begin with NULL in many places.

Conditions:
Connection Rate Limit is configured.

Impact:
This leads to a NULL pointer dereference and a subsequent tmm crash.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the NULL pointer dereference in connflow_precise_check_begin.


514236-1 : [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses

Component: Global Traffic Manager (DNS)

Symptoms:
IP addresses associated with a BIG-IP DNS server object may not be viewable from the Configuration utility.

Conditions:
This issue occurs when all of the following conditions are met:

-- You use the Configuration utility to create a BIG-IP DNS server object with one or more IP addresses.
-- You then use the Configuration utility to add one or more IP addresses to a BIG-IP DNS server object.
-- You use the Traffic Management Shell (tmsh) to add one or more additional IP addresses to the BIG-IP GTM server object.
-- From the Configuration utility, you navigate to DNS :: GSLB :: Servers :: [BIG-IP DNS Server Name] and then view the BIG-IP DNS server object IP addresses in the Address List box.

Impact:
Only the BIG-IP GTM server object IP addresses that are added from the tmsh utility display in the Configuration utility. After tmsh modifies the BIG-IP DNS server by adding another IP address, the GUI fails to show those IP addresses previously added using the GUI.

Workaround:
Use tmsh to create and modify IP addresses on BIG-IP DNS servers. Alternatively, use only the Configuration utility or only the tmsh utility to create and modify BIG-IP GTM server object IP addresses, without mixing the two.

Fix:
GUI now adds the partition prefix to device-name for BIG-IP DNS Server IP addresses, so IP addresses associated with a BIG-IP DNS server object are now viewable from the Configuration utility.


514220-1 : New iOS-based VPN client may fail to create IPv6 VPN tunnels

Component: Access Policy Manager

Symptoms:
Newer iOS-based VPN clients do not provide a MAC address during IPCP negotiation. This prevents the IPv6 VPN tunnel from being established.

Conditions:
This affects only iOS-based IPv6 VPN connection requests.

Impact:
This impacts only IPv6 VPN tunnel requests from iOS-based devices.

Workaround:
None.

Fix:
Newer iOS-based VPN clients can successfully create IPv6 VPN tunnels.


514117-1 : Store source port higher than 32767 in Request Log record

Component: Application Security Manager

Symptoms:
Any Request Log record for a request with a source port higher than 32767 has its source port recorded as 32767.

Conditions:
The Request Log record gets the wrong source port when the request's source port value is higher than 32767.

Impact:
The Request Log record has the wrong source port if the source port value is higher than 32767.

Workaround:
There is no workaround.

Fix:
The Request log record now gets the correct source port even when the source port value of the request is higher than 32767.


514108-1 : TSO packet initialization failure due to out-of-memory condition.

Component: Local Traffic Manager

Symptoms:
TCP Segmentation Offload (TSO) packet initialization fails due to an out-of-memory condition, with the message: packet is locked by a driver.

Conditions:
This is related to tmm running out of memory while configured with TSO, on BIG-IP or VIPRION platforms that implement the HSB (High Speed Bridge) device in hardware.

This problem may occur on all currently-supported BIG-IP or VIPRION platforms EXCEPT the following:
BIG-IP 2000-/4000-series appliances.
BIG-IP 1600, 3600 appliances.

Impact:
TMM posts the assert message: packet is locked by a driver, then crashes.

Workaround:
Disable TSO (for more information, see SOL15609: Overview of TCP Segmentation Offload, available here: https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15609.html):

To enable or disable TSO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcpsegmentationoffload value <enable | disable>

Note: After modifying the tm.tcpsegmentationoffload database variable, you must restart the TMM daemon by running the bigstart restart tmm command. Restarting TMM temporarily interrupts traffic processing. F5 recommends running this command only during a maintenance window.

Fix:
TCP Segmentation Offload (TSO) packet is now cleared correctly with no packet-locked message.


514093-1 : Allow request logs to be filtered by destination IP

Component: Application Security Manager

Symptoms:
Request Log: a useful filter by Destination IP is missing.

Impact:
Missing a useful filter.

Fix:
Filter by Destination IP was added to the Request log.


514061-4 : False positive scenario causes SMTP transactions to hang and eventually reset.

Component: Application Security Manager

Symptoms:
Upon specific SMTP traffic, the connection hangs and eventually resets.

Conditions:
SMTP profile with 'protocol security' turned on is attached to the virtual server, and the response is processed in bulk.

Impact:
The connection hangs and eventually resets.

Workaround:
None.

Fix:
This release fixes a scenario in which SMTP transactions were hanging and blocked upon specific traffic.


513974-7 : Transaction validation errors on object references

Component: TMOS

Symptoms:
An MCP validation error occurs when adding/removing a reference and adding/deleting the referenced object in the same transaction.

Conditions:
During device group config sync, iControl transactions, and tmsh operations. For example, delete and create the same virtual server and specify a profile/VLAN, or remove a profile from a virtual server and then delete the profile in the same transaction.

Impact:
Validation error. The system posts an error similar to the following: transaction failed: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/http1) already exists in partition Common. When deleting, the message is: 01020036:3: The requested virtual server profile (/Common/vs1 http1) was not found.

Workaround:
The removal of the object reference must be done in a separate transaction. For example, if you want to delete a profile that is being used, create one transaction removing it from virtual servers, then a second transaction deleting the profile.

Fix:
The system now supports adding/removing a reference and the object in a single transaction.


513969-3 : UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running

Component: Access Policy Manager

Symptoms:
UAC prompt is shown for machine cert check for non-limited users, even if Machine Cert Check service is running on client Windows machine.

Conditions:
Current user is non-limited.
Machine Cert Check service is running.
User tries to pass Access Policy.

Impact:
Non-limited user has to press 'ok' in UAC window.

Fix:
Now Machine Certificate Check service is used for certificate verification even for non-limited users.


513953-1 : RADIUS Auth/Acct might fail if server response size is more than 2K

Component: Access Policy Manager

Symptoms:
RADIUS authentication or accounting fails when a response from the backend server is bigger than 2048 bytes.

Conditions:
The response from the backend server is bigger than 2048 bytes.

Impact:
The RADIUS Auth/Acct agent fails.

Fix:
The RADIUS Auth and RADIUS Acct agents can now successfully parse packets of up to 4K, which is the maximum allowed RADIUS packet size. At the moment the BIG-IP system does not support RADIUS packet fragmentation.


513916-5 : String iStat rollup not consistent with multiple blades

Component: TMOS

Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.

Conditions:
The iStat must be of type string, and the chassis must have multiple blades.

Impact:
The value of the iStat after the merge differs on different blades.

Workaround:
Use clsh to write the string iStat value to all blades together.

Fix:
The rollup of string iStats is based on the timestamp of the last update, but this timestamp was not preserved through the first level of merge, so the second-level merge done on each blade produced an arbitrary result. The timestamp is now preserved, so the iStat value is correct across multiple blades.


513860-1 : Incomplete support for special characters in input field names

Component: Fraud Protection Services

Symptoms:
When HTML input fields with special characters in their names were configured for data integrity, false positive alerts were sent.

Conditions:
HTML fields with special characters in their names.

Impact:
False positive automatic transaction (data integrity) alerts.

Workaround:
Do not configure data integrity checks on fields with special characters in the name.

Fix:
The encoding was fixed, and special characters are now supported.


513822-1 : ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page

Component: Application Security Manager

Symptoms:
When setting the responseActionType to a value such as "default" or "soap-fault" that has an expected, unmodifiable responseContent value, the expected responseContent is not set.
As a result, an empty response page is returned when ASM blocks a request.

Conditions:
Via ASM REST a client changes the responseActionType from "custom" to "default" or "soap-fault".

Impact:
An empty response page is returned when ASM blocks a request.

Workaround:
The alternate response body can be set explicitly via REST.

Fix:
Expected responseContent is now set when changing responseActionType to a static content type like "default" or "soap-fault" using ASM REST.


513795-1 : HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1

Component: Access Policy Manager

Symptoms:
When Horizon v6.1 is deployed using an APM Full webtop, the option to launch the View HTML5 client is missing.

Conditions:
VMware Horizon and VMware View agents have been upgraded to v6.1 (v3.4 for clients) or a new v6.1 deployment.

Impact:
Users are not able to use HTML5 View client to launch View remote desktops from an APM full webtop.

Workaround:
Alternative access methods are available as a temporary workaround to provide access for Horizon users. Administrators can have users use the native VMware View clients instead of the APM full webtop with the HTML5 View client.

Fix:
Starting with release v6.1 of VMware Horizon, the public API that APM uses for integration with View Connection Server has changed.

This caused an issue where the View HTML5 client was no longer available to launch View desktops when deployed on an APM Full Webtop.

The option to launch a View HTML5 client is now available again on the APM Full Webtop.


513763 : Slow response from GUI when listing Event Logs

Component: Application Security Manager

Symptoms:
Slow GUI performance in Request Log for Internet Explorer browser.

Conditions:
Internet Explorer 8 through 11 is used.

Impact:
Slow GUI performance in Request Log for Internet Explorer browser.

Workaround:
You can remove all columns containing IP addresses from the configuration, or reduce the number of entries per page.

Fix:
The GeoIP tooltip library was rewritten to improve performance in all browsers.


513706-2 : Incorrect metric restoration on Network Access on disconnect (Windows)

Component: Access Policy Manager

Symptoms:
After Network Access disconnects, the default route metric differs from the metric that was in place before Network Access connected.

Conditions:
Using Network Access on Windows systems.

Impact:
A multi-home environment might experience routing issues after disconnecting Network Access, for example, by default traffic might go through Wi-Fi instead of wired networks.

Workaround:
Disable and enable the network adapter.

Fix:
Fixed an issue causing incorrect metric restoration on Network Access on disconnect.


513659-3 : AAM Policy: not all regex characters can be used via the GUI

Component: TMOS

Symptoms:
Cannot specify certain regex syntax when configuring Client IP for 'Matching' or 'Validation' rules in an AAM Policy.

Conditions:
Adding regex characters such as \, [, ], ^, $ to an existing policy. Parentheses appear to be allowed, but do not save the information correctly.

Impact:
Cannot use the GUI to configure the policy with certain regex strings. The system posts the following error message: The field Value has invalid characters.

Workaround:
Use tmsh, and escape special wild-card characters with '\'.

For example, to add 10.[0-9]$:
modify wam policy Drafts/test_policy nodes modify { t1 { matching modify { client-ip { values replace-all-with { 10.\[0-9\]$ } } } } }


513649-4 : Transaction validation errors on object references

Component: TMOS

Symptoms:
If certain objects are deleted then created within the same transaction, transaction errors might occur.

Conditions:
This is exclusive to transactions either via iControl, tmsh cli transaction, or a device group config sync. An object must be deleted and re-created in the same transaction. The object that was deleted must have configured references to other objects. For example, a virtual server can reference a profile or a VLAN. If it does, and there is a virtual server delete-and-create operation in the same transaction, mcpd fails to clean up the join reference on delete and complains when it tries to recreate it.

Impact:
Unnecessary mcpd validation failure. The system posts an error message similar to the following: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/tcp) already exists in partition Common.

Workaround:
If a user needs to delete and re-create an object, perform the delete in one transaction and the create in a subsequent transaction.

Fix:
Attempts to delete and recreate objects within the same transaction now complete successfully.


513646-1 : APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer

Component: Access Policy Manager

Symptoms:
APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer.

Conditions:
APM(ACCESS)/SWG.

Impact:
This results in rare TMM crashes/cores. The backtrace from the cores usually points to the timer.

Fix:
APM(ACCESS)/SWG filter operation no longer results in orphaned timers.


513565-1 : AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.

Component: Advanced Firewall Manager

Symptoms:
Existing flows are not re-evaluated against Virtual Server AFM policies in Kill-on-the-fly if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.

Conditions:
AFM provisioned and licensed.

Have a Global AFM (or route domain) rule with action = Accept Decisively and also a virtual server AFM rule.

The initial flow is allowed because the global AFM rule action is Accept-Decisively, and it is not matched against the virtual server rule.

Now, modify the global AFM rule action to Accept. This should trigger Kill-on-the-fly to re-evaluate all existing flows against AFM policies.

Impact:
Existing flows bypass Virtual Server AFM Policy match evaluation in the sweeper under the conditions specified above.

Workaround:
None

Fix:
With this fix, existing flows will be evaluated against virtual server ACL policy if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.


513545-1 : '-decode' option produces an incorrect value when it decodes a single value

Component: Access Policy Manager

Symptoms:
When a session variable set by the AD/LDAP module is HEX-encoded, it is possible to decode it with the -decode option of the mcget command. The option works correctly when the session variable contains multiple values (such as | 0xABCD | 0xDCBA |), but it does not work properly with a single encoded value (such as 0xABCD).

Conditions:
The problem occurs under these conditions: the -decode option is specified when retrieving a HEX-encoded variable, and the session variable contains only one value.

Impact:
As a result, the access policy does not follow the expected branch rule.

Workaround:
While decoding a single value, the mcget command produces a result of the form EncodedValueDecodedValue. For example, for the encoded string 0x616161, the result of the operation is 616161aaa.

It is possible to write a Tcl expression in the Variable Assign agent that truncates the left half of the string and leaves only aaa, the decoded value.

Fix:
The -decode option works as expected for single-value and multi-value session variables.


513530-4 : Connections might be reset when using SSL::disable and enable command

Component: Local Traffic Manager

Symptoms:
Enabling and disabling the SSL filter in quick succession might cause a connection reset.

Conditions:
SSL filter is disabled then quickly re-enabled.

Impact:
Connection is unexpectedly reset/lost.

Workaround:
Do not re-enable SSL filter immediately after disabling it.

Fix:
The SSL::disable command no longer incorrectly flags a connection as disabled when the SSL filter is disabled and re-enabled in quick succession.


513464-1 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching.

As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with virtual servers that were originally specified on a pre-folder-aware version of BIG-IP, such as 10.2.x.

When they are discovered by a folder aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool.

This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


513454-3 : An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts

Component: TMOS

Symptoms:
The snmpwalk fails and the mcpd daemon might be restarted.

Conditions:
The configuration must be large enough that the number of configured items covered by the snmpwalk is in the tens of thousands.

Impact:
Failure to read SNMP data, mcpd restart, and temporary loss of service.

Workaround:
Spread the configuration across more BIG-IP systems, or avoid running snmpwalks.

Fix:
Internal query data is now cached to optimize statistical queries.


513403-1 : TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and log-translations enabled in the AFM Logging configuration.

Component: Advanced Firewall Manager

Symptoms:
TMM asserts when certain ICMP packets are classified by AFM and match rules at the Global and Route Domain context with logging and log-translations enabled.

Conditions:
This might occur in the following configurations:
-- AFM Rule Logging is enabled and Log Translations is enabled in the Log Profile.
-- Server side AVR Statistics collection is enabled under Security :: Reporting.
-- Certain ICMP packets (such as multicast ICMP echo) are classified and match AFM rules at Global and Route Domain contexts.

Impact:
TMM crashes (assert). Traffic disruption due to TMM process crashing.

Workaround:
Disabling log-translations in the AFM Logging Profile configuration prevents the TMM crash for these types of ICMP packets.

Fix:
The TMM crash (assert) for certain ICMP packets classified by AFM when logging is enabled with log-translations has been fixed.


513382-13 : Resolution of multiple OpenSSL vulnerabilities

Vulnerability Solution Article: K16317


513319-4 : Incorrect or failing sideband connections from within an iRule may leak memory

Component: Local Traffic Manager

Symptoms:
When using sideband connections within iRules, the internal TMM memory structures might leak if the sideband destination is not reachable (routing, etc.).

Conditions:
An unreachable sideband destination that causes sideband connection creation to fail, e.g., the destination is not reachable via routing.

Impact:
Gradual growth in TMM memory usage, which can lead to aggressive memory sweeping and eventual failover/outage. This might manifest as a gradual increase in TMM memory usage in graphs, and in particular as:
-- A high number of connfails in tmctl sb_stats.
-- A high amount of allocated memory in tmctl sb_cache.

Workaround:
Correct possible reachability issues to the sideband destination.

Fix:
TMM no longer leaks memory when the sideband destination is unreachable.


513294-8 : LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances

Component: TMOS

Symptoms:
The following issues may be observed on BIG-IP 5000-/7000-series appliances:
1. When a system shuts down due to an over-temperature condition, the name of the sensor that triggered the shutdown is not displayed.
2. Unable to configure AOM IP address using the DHCP Menu Option, with the system responding with the message: Error: Failed to configure AOM management port.
3. TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.

Conditions:
BIG-IP 5000-/7000-series appliances with LBH firmware versions prior to v3.07 may experience each of the above issues under the following corresponding conditions:
1. Over temperature, thermal shutdown.
2. When trying to configure an IP address for AOM using the N - Configure AOM network option.
3. When the host is powered off using the AOM menu, the LBH detects an under-voltage condition for all non-standby voltage rails.

Impact:
The impacts of these issues are:
1. The user cannot determine which sensor triggered the thermal shutdown.
2. Unable to configure the AOM address using DHCP.
3. A single ltm log message indicates this critical alarm; however, the voltage reported in the log message is in the nominal range.

Workaround:
Corresponding workarounds include:
1. None.
2. None.
3. Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.

Fix:
LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances now works as expected.


513288-5 : Management traffic from nodes being health monitored might cause health monitors to fail.

Component: Local Traffic Manager

Symptoms:
Management traffic from nodes being health monitored might cause health monitors to fail.

Conditions:
A health monitor checks node_ip:port, where 1024 <= port < 65536, and the node periodically connects back to a management service on a self IP (e.g., iControl, GUI, SSH).

Impact:
Traffic is not sent to the node while the monitor is failing.

Workaround:
None.

Fix:
Management traffic from nodes being health monitored no longer causes health monitors to fail.


513283-1 : Mac Edge Client doesn't send client data if access policy expired

Component: Access Policy Manager

Symptoms:
If an access policy expires (for example, if a user took too long to enter a password), BIG-IP Edge Client displays a new page with the link "Start a New session". Clicking this link causes Edge Client for Mac to be detected as a browser by BIG-IP APM.

Conditions:
Edge Client for Mac, and the access policy expires.

Impact:
Edge Client is detected as a browser.

Workaround:
Click the Disconnect button and then the Connect button on Edge Client.

Fix:
APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on the access policy expired page.


513243-1 : Improper processing of crypto error condition might cause memory issues.

Component: Local Traffic Manager

Symptoms:
Improper processing of a crypto error condition might cause memory issues.

Conditions:
An error occurs when processing certain crypto commands.

Impact:
The error might cause TMM to crash.

Workaround:
None.

Fix:
If certain crypto commands return an error, but memory is allocated successfully, the system now completes the operation as expected.


513215 : Only one of the TMMs loads the classification library after an IM package upgrade

Component: Traffic Classification Engine

Symptoms:
Not all traffic is processed by the classification library from the newly installed IM package.
Flows that go through a TMM that did not load the new library continue to be classified by the old library.

Conditions:
This occurs when updating the classification library.

Impact:
Possible misclassification of some flows, since they are processed by the old library.

Workaround:
Run the following command after the upgrade:
'bigstart restart tmm'

Fix:
The fix addresses the problem by loading the library on all TMMs.


513213-5 : FastL4 connection may get RSTs when hardware syncookie is enabled.

Component: Local Traffic Manager

Symptoms:
Occasionally, an ACK is sent to the server without a SYN, and the connection gets an RST.

Conditions:
1) FastL4 virtual server.
2) Hardware syncookie enabled.
3) Might more commonly occur with forwarding virtual servers.
4) Often happens when egress router has ARP timeout.

Impact:
Some connections will be dropped.

Workaround:
Configure a static ARP entry for all neighbors (routers) to avoid most occurrences of the issue.

Fix:
An issue with hardware syncookies and FastL4 connections has been resolved.


513201-6 : Edge client is missing localization of some English text in Japanese locale

Component: Access Policy Manager

Symptoms:
Edge Client is missing localization of some English text in Japanese locale.

Conditions:
Edge Client in Japanese locale

Impact:
Edge Client shows some text in English.

Fix:
BIG-IP Edge Client is correctly localized for Japanese locale.


513142-3 : FQDN nodes with a default monitor may cause configuration load failure

Component: Local Traffic Manager

Symptoms:
Attempting to load a configuration containing FQDN nodes, a default-node-monitor, and non-Common partitions can fail due to an invalid partition reference.

Conditions:
Node in a non-Common partition and a default-node-monitor configured.

Impact:
Configuration fails to load. The system posts an error message similar to the following: 01070726:3: Node /Common/name.of.fqdn.node in partition Common cannot reference monitored object /Common/name.of.fqdn.node /Common/partition1 in partition another_partition.

Workaround:
If possible, use FQDN nodes only in the Common partition.

Fix:
FQDN nodes with a default monitor no longer cause configuration load failure.


513098-1 : localdb_mysql_restore.sh failed with exit code

Component: Access Policy Manager

Symptoms:
In certain scenarios, deleting a dynamic user entry from memory does not clear the entry from the underlying table.

Conditions:
This might occur when a dynamic user record is marked for deletion but has not yet been removed when the dynamic user representing that record is re-authenticated.

Impact:
Over time, the table grows in size due to stale records.

Fix:
Orphaned dynamic user records are now correctly deleted.


513083-1 : d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.

Component: Access Policy Manager

Symptoms:
When tmm is running out of memory because of overload or other conditions, and APM is configured, tmm could potentially crash.

Conditions:
tmm is already running out of memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
This issue has been fixed.


513034-1 : TMM may crash if Fast L4 virtual server has fragmented packets

Vulnerability Solution Article: K17155


512999-1 : LDAP Query may fail if user belongs to a group from foreign domain

Component: Access Policy Manager

Symptoms:
LDAP Query might fail if a user belongs to a group from a foreign domain.

Conditions:
This occurs when LDAP Query is configured with the option "Fetch groups to which the user or group belong", and the user belongs to a group from a foreign domain.

Impact:
Login fails. LDAP Query fails with error: Referral, 0000202B: RefErr: DSID-03100747, data 0, 1 access points ref 1: 'example.domain'.

Workaround:
None.

Fix:
The system no longer tries to resolve group membership if the group belongs to a foreign domain.


512954-2 : ospf6d might leak memory when a distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv3 and the Routing Information Base (RIB). The leak may lead to a crash unrelated to memory exhaustion.

Conditions:
OSPFv3 in use with a distribute-list, and LSAs in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospf6d crashes interrupt all dynamic routing using OSPFv3.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.

Fix:
ospf6d no longer crashes when a distribute-list is configured.


512734 : Socket error when Webroot cloud lookup is enabled under stress condition

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and the BIG-IP system is under stress load with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system, the wr_urldbd daemon may return the socket error 'EAI_AGAIN error'. As a result, some of the Webroot cloud lookups are not performed, and relevant URLs are categorized as UNKNOWN.
After a large number of cloud lookups, the daemon runs out of sockets. The cloud queries do not go through. URLs get categorized as UNKNOWN.

Conditions:
If Webroot cloud lookup is enabled while there is heavy traffic with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system.

Impact:
Due to the socket error under stress load for Webroot cloud lookups, relevant URLs could be categorized as UNKNOWN. This only occurs when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
This issue has been fixed by releasing sockets properly, so that wr_urldbd recovers from temporary socket exhaustion.


512668-1 : ASM REST: Unable to Configure Clickjacking Protection via REST

Component: Application Security Manager

Symptoms:
The REST API for URLs was missing a field for Clickjacking Protection configuration.
When trying to configure that Rendering in Frames should only be allowed from a single URL, there is no field to specify that URL.

Conditions:
REST API is being used to configure Clickjacking Protection for URLs.

Impact:
A REST API client is unable to correctly configure protection that is meant to only be allowed from a specified URL.

Workaround:
Configure via GUI instead of REST.

Fix:
We added this missing field for REST to specify the "only-from" clickjacking URL: "allowRenderingInFramesOnlyFrom".


512663 : Added urlcatblindquery iRule command

Component: Policy Enforcement Manager

Symptoms:
The PEM module lacks the ability to query the encrypted customDB using an iRule command. When the urlcatblindquery iRule command is used, PEM does not try to parse the input; rather, it allows direct queries against the customDB and categorizes the input accordingly.

Conditions:
This is a special enhancement that only applies when the new urlcatblindquery iRule command is used in one specific PEM use case.

Impact:
This has no impact on existing PEM URL Categorization features and their behavior.

Fix:
The new iRule command, urlcatblindquery, is added to support existing use cases.


512616-1 : BD crash during brute force attack on cluster environment

Component: Application Security Manager

Symptoms:
A BD crash happens when there is a brute force attack on a blade environment.

Conditions:
Brute force attack, blade environment.

Impact:
BD crash, traffic sessions reset, failover.

Workaround:
N/A

Fix:
The blade system no longer experiences a BD crash when a brute force attack happens.


512609 : Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses

Component: Advanced Firewall Manager

Symptoms:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) matches any IPv6 traffic, which is correct, but also matches any IPv4 traffic, which is incorrect.

Conditions:
Network Firewall Rule with wildcard IPv6 source or destination address ::/0 or 0::0/0.

Impact:
IPv4 traffic incorrectly matches the rule.

Workaround:
None

Fix:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) no longer incorrectly matches any IPv4 traffic.


512490-3 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using a FastL4 profile and connection mirroring takes longer than in previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.

Fix:
The Nagle algorithm is now disabled on the TCP/HA profile to improve performance.


512485-3 : Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding

Component: TMOS

Symptoms:
In VXLAN overlays, unicast frames are flooded (via multicast or unicast replication) when the destination MAC address is known and the remote endpoint is unknown. Upon receiving a flooded unicast frame, the BIG-IP system might forward the frame again to yet another endpoint. Eventually an additional L2 hop might be introduced between the sender and the receiver. This applies to both the multicast and the multipoint (unicast replication) configurations of VXLAN.

Conditions:
This affects deployments with three or more VXLAN endpoints.

Impact:
The introduction of an additional hop adds unnecessary latency.

Fix:
In this release, the system does no L2 forwarding of encapsulated frames received from one endpoint and destined to another within the same overlay (VXLAN VNI/Tunnel), so no extra hop is added.


512383-3 : Hardware flow stats are not consistently cleared during fastl4 flow teardown.

Component: Local Traffic Manager

Symptoms:
The PVA stat curr_pva_assist_conn is not being updated properly for certain Fast L4 flows.

Conditions:
1) Fast L4 virtual server.
2) PVA-acceleration enabled.

This occurs when the connection flow is not created because UDP traffic arrives at an undefined port on the virtual server. The curr_pva_assist_conn value is incremented though there are no active PVA flows.

This can also occur when LTM receives ICMP unreachable messages from the server side.

Impact:
Stats counts for the Fast L4 virtual server, the curr_pva_assist_conn value and 'Current SYN Cache', show invalid counts. If hardware SYN cookie protection is on, SYN cookie protection may be activated when it is not supposed to be.

Workaround:
None.

Fix:
Stats counts for the Fast L4 virtual server, the curr_pva_assist_conn value and 'Current SYN Cache', now show the correct counts.


512378-1 : Changing per request policy in the middle of data traffic can cause TMM to crash

Component: Access Policy Manager

Symptoms:
Changing the per-request policy while the BIG-IP system is serving user requests can cause TMM to restart. This makes TMM services unavailable until TMM is back up.

Conditions:
An administrator changes the per-request policy while TMM is serving user requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change the per-request policy in a planned, scheduled maintenance window where no user traffic is expected.

Fix:
TMM no longer crashes, and an administrator can change the per-request policy at any time.


512345-2 : Dynamic user record removed from memcache but remains in MySQL

Component: Access Policy Manager

Symptoms:
When the system fetches a dynamic user record from MySQL and places the record into memcache, the record might remain there in an unmodified state for ten days.

Conditions:
This occurs when a dynamic user record is removed from memcache but remains in MySQL, due to an intermittent race condition between apmd/memcache and localdbmgr.

Impact:
Dynamic user, if locked out, remains in memcache for ten days. During this interval, the dynamic user record is unusable.

Workaround:
The Admin can remove the user by deleting the associated memcache record.

Fix:
Now APM handles the condition in which a dynamic user record is removed from memcache but remains in MySQL due to an intermittent race condition between apmd/memcache and localdbmgr.


512245-7 : Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname

Component: Access Policy Manager

Symptoms:
The machine certificate agent checker on the client might extract the wrong certificate based on LocalHostName if it is not the same as the hostname. The machine certificate agent check might fail.

Conditions:
BIG-IP APM with machine certificate agent.

Impact:
Machine certificate check might fail.

Fix:
Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9.


512148-1 : Self IP address cannot be deleted when its VLAN is associated with static route

Component: Local Traffic Manager

Symptoms:
A self IP address cannot be deleted when its VLAN is associated with a static route.

Conditions:
The self IP address's VLAN is associated with a static route.

Impact:
Self IP address cannot be deleted.

Workaround:
Temporarily remove the static route entries, delete the self IP, and then add the static route entries again.

Fix:
A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa.


512130-4 : Remote role group authentication fails with a space in LDAP attribute group name

Component: TMOS

Symptoms:
Remote role group authentication fails if there is a space in the attribute name of the remote-role role-info.

Conditions:
This occurs when the auth remote-role role-info attribute name contains a space character.

Impact:
LDAP authentication fails.

Workaround:
Remove space characters from LDAP attribute group name.

Another option is to use '\20' in place of spaces in the remote-role's role-info member-of attribute, for example:

memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM

becomes:

memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM

Fix:
Remote role group authentication now succeeds as expected with a space in LDAP attribute group name.


512119-2 : Improved UDP DNS packet truncation

Component: Local Traffic Manager

Symptoms:
UDP responses from the DNS cache were not truncated properly. This is primarily seen in DNS tools, such as dig or Wireshark, which mark the response as malformed. Regular resolver clients handle the responses correctly, noting the TC bit in the response header.

Conditions:
UDP DNS responses larger than the size requested by the client, typically 512 bytes.

Impact:
Packets may be flagged as malformed by DNS packet analyzers. There are no known issues with regular DNS client resolvers.

Workaround:
None

Fix:
The DNS Cache now properly fills in response data and handles truncation as expected.


512069-2 : TMM restart while relicensing the BIG-IP using the base license.

Component: Policy Enforcement Manager

Symptoms:
TMM restart while relicensing the BIG-IP on base license expiration.

Conditions:
- Provisioning the following modules:
LTM, AFM, PEM, CGNAT, ASM, FPS, APM, AVR, GTM

- Base license should have expired

Impact:
Results in a TMM restart.

Fix:
The TMM restart has been resolved. Relicensing is no longer an issue.


512062-2 : A db variable to disable verification of SCTP checksum when ingress packet checksum is zero

Component: Local Traffic Manager

Symptoms:
BIG-IP system drops SCTP INIT multi-homing message with checksum 0x00000000.

Conditions:
This occurs when the SCTP packet's verification tag is 0x00000000 and the checksum also is 0x00000000.

Impact:
System drops these SCTP packets.

Workaround:
None.

Fix:
Added a db variable to disable verification of SCTP checksum when ingress packet's checksum is zero. The current default behavior is not changed if this db variable is not enabled.


512054-1 : CGNAT SIP ALG - RTP connection not created after INVITE

Component: Service Provider

Symptoms:
The client has no audio when it makes a call.

Conditions:
This occurs when a client initiates a call with a CSeqID value greater than 64 KB.

Impact:
The BIG-IP system fails to create a media channel for audio/video traffic.

Workaround:
None.

Fix:
The BIG-IP system now correctly creates a media channel for audio/video traffic when the CSeqID value is greater than 64 KB.


512016-1 : DB variable added to determine DNS UDP truncation behavior.

Component: Local Traffic Manager

Symptoms:
There is no option to change the DNS UDP truncation value to something other than 512 bytes.

Conditions:
Using DNS UDP truncation.

Impact:
Certain network topologies that might require UDP DNS responses to be passed through or to have a higher size limit cannot be configured for it.

Workaround:
None.

Fix:
There is now a DB variable to control DNS UDP truncation behavior: dns.udptruncate. When dns.udptruncate is enabled, UDP DNS responses are truncated if the response is larger than 512 bytes. When dns.udptruncate is disabled, the message is not truncated, and the full message is received. If the client specifies a non-default size via EDNS, the message is truncated if the response is larger than the specified size regardless of the value of dns.udptruncate.

Behavior Change:
There is now a DB variable to control DNS UDP truncation behavior: dns.udptruncate. When dns.udptruncate is enabled, UDP DNS responses are truncated if the response is larger than 512 bytes. When dns.udptruncate is disabled, the message is not truncated, and the full message is received. If the client specifies a non-default size via EDNS, the message is truncated if the response is larger than the specified size regardless of the value of dns.udptruncate.


512001-1 : Using REST API to Update ASM Attack Signatures Fails

Component: Application Security Manager

Symptoms:
The Attack Signature Update task remains in "STARTED" status.

Conditions:
ASM REST API is being used with the /mgmt/tm/asm/tasks/update-signatures endpoint.

Impact:
REST API cannot be used to trigger an immediate download of new Attack Signatures.

Workaround:
Use scheduled updates or GUI to update Attack Signatures.

Fix:
REST Update Signatures Task now works correctly.


512000-1 : Event Log Filter using Policy Group isn't accurate

Component: Application Security Manager

Symptoms:
Request Log - filter by policy group does not work.

Conditions:
At least one policy group created and used.

Impact:
Request Log - filter by policy group does not work.

Workaround:
N/A

Fix:
Request Log - filter by policy group now works correctly.


511961-1 : BIG-IP Edge Client does not display logon page for FirePass

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client cannot display the FirePass logon page: the status stays at "Connecting..." and Edge Client displays blank pages instead. As a result, clients cannot use the latest BIG-IP Edge Client for Mac with FirePass.

Conditions:
FirePass and the APM-supplied build of BIG-IP Edge Client for Mac.

Impact:
User cannot log in to FirePass if using BIG-IP Edge Client for Mac.

Workaround:
Update to the latest client.

Fix:
Clients using the BIG-IP Edge Client for Mac supplied with this APM release can continue to log in and do not get stuck at a "Connecting..." screen.


511947-1 : Policy auto-merge of Policy Diff

Component: Application Security Manager

Symptoms:
Running auto-merge on the Diff of two policies fails.

Conditions:
Running auto-merge on the Diff results of two policies.

Impact:
Policies cannot be auto-merged after viewing Diff.

Workaround:
None.

Fix:
The auto-merge functionality of Policy Diff now works as expected.


511900-2 : 'sessiondump -allkeys' command hangs

Component: TMOS

Symptoms:
The 'sessiondump -allkeys' command hangs and does not display all the entries when the number of sessions is very large, for example, 100,000 sessions.

Conditions:
With a setup where there are 100,000 sessions, running a 'sessiondump -allkeys' command.

Impact:
The operation hangs.

Workaround:
None.

Fix:
Sessiondump has been restructured. Now, performing a 'sessiondump -allkeys' command completes as expected, for example, in approximately 2 minutes in the case of 100,000 sessions.


511893-5 : Client connection timeout after clicking Log In to Access Policy Manager on a Chassis

Component: Access Policy Manager

Symptoms:
Clients connecting via Edge Client or Network Access to Access Policy Manager running on a chassis experience a connection timeout after clicking Log In.

Conditions:
1. Chassis with two or more blades and APM provisioned.
2. Create Portal Access/NA. start > logon page > portal resource (portal webtop, resource)> Allow.
3. Create access session using browser.

Impact:
Access session never finishes and browser does not render portal.

Workaround:
None

Fix:
BIG-IP Access Policy Manager running on a chassis now correctly processes the client's Log In command.


511873 : TMM core observed during SSL cert-related tmsh execution.

Component: Local Traffic Manager

Symptoms:
A crash could be seen when SSL forward proxy is enabled.

Conditions:
TMM core observed during SSL cert-related tmsh execution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a core observed when SSL forward proxy is enabled.


511854-4 : Rewriting URLs at client side does not rewrite multi-line URLs

Component: Access Policy Manager

Symptoms:
Exception posted when rewriting multi-line URLs on the client side.

Conditions:
Using multi-line URLs in client-side JavaScript code.

Impact:
Web-application logic might not work as expected. The system might post a message similar to the following: Unable to get property '2' of undefined or null reference.

Workaround:
None.

Fix:
This release fixes client-side URL rewriting for multi-line URLs.


511651-3 : CVE-2015-5058: Performance improvement in packet processing.

Vulnerability Solution Article: K17047


511648-2 : On standby TMM can core when active system sends leasepool HA commands to standby device

Component: Access Policy Manager

Symptoms:
On standby system TMM can core after it comes up when the active system sends leasepool HA commands to the standby device.

Conditions:
This occurs on standby systems when the active system sends it leasepool HA commands.

Impact:
Traffic disrupted while tmm restarts.

Fix:
On a standby system, TMM no longer cores after it comes up when an active system sends leasepool HA commands to the standby device.


511534-1 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.

Component: WebAccelerator

Symptoms:
When loading an AAM policy, tmm compiles the rules into an internal structure that is efficient for execution. Some conditions, however, may cause this process to take too long, and tmm is halted before the system has finished compiling the policy.

Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or two operands.

Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Impact:
The compilation time increases dramatically when regular expressions are used on more than one or two operands.

Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Workaround:
None.

Fix:
Now, you can prevent AAM policy compilation from taking too long by turning the regular expression into plain matches using the '\' character to escape those symbols that turn a string into a regular expression. For example, previously, 'favicon.ico' was treated as a regular expression because '.' means 'any character'. Now the user can specify 'favicon\\.ico' (double '\' required by tmsh), which causes the '.' to mean the period character, thus avoiding the (unintended) regular expression.


511527-2 : snmpd segmentation fault at get_bigip_profile_user_stat()

Component: TMOS

Symptoms:
snmpd can core dump due to a segmentation fault, with the error: snmpd[<pid>]: segfault at 0 ip <ip> sp 00000000ff8bec50 error 4 in bigipTrafficMgmt.so

Conditions:
An uncommon race condition.

Impact:
None. snmpd is automatically restarted.

Fix:
A check was added to gracefully handle the race condition and prevent the core dump.


511517-1 : Request Logging profile cannot be configured with HTTP transparent profile

Component: Local Traffic Manager

Symptoms:
Cannot configure both a Request Logging profile and an HTTP transparent profile on the same virtual server.

Conditions:
HTTP transparent profile is attached to a virtual server.

Impact:
Request Logging profile cannot be configured on the same virtual server.

Fix:
The system now supports simultaneously configuring both a Request Logging profile and an HTTP transparent profile on a single virtual server.


511488-1 : Correlation restarting on a multi-bladed vCMP guest

Component: Application Security Manager

Symptoms:
The following error appears in the ASM log:

Watchdog detected failure for process. Process name: correlation, Failure: Insufficient number of threads

Conditions:
ASM provisioned on a multi-bladed vCMP guest

Impact:
The correlation daemon restarts endlessly.

Workaround:
N/A

Fix:
To prevent endless restarting, correlation is now disabled on a multi-bladed vCMP guest.


511478-2 : Possible TMM crash when evaluating expression for per-request policy agents.

Component: Access Policy Manager

Symptoms:
TMM might crash when evaluating expressions in per-request policy agents, with possible loss of service.

Conditions:
APM is licensed and a per-request policy is attached to the virtual server. The per-request policy has agents with configured expressions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove expressions from the agents in the per-request policy.

Fix:
A different mechanism is now used to evaluate the agent's expression, which fixes this possible crash.


511477-2 : Manage ASM security policies from BIG-IQ

Component: Application Security Manager

Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.

Conditions:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently this is disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.

Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.

Workaround:
None.


511441-3 : Memory leak on request Cookie header longer than 1024 bytes

Component: Access Policy Manager

Symptoms:
Memory leak on request Cookie header longer than 1024 bytes.

Conditions:
Client is sending 'Cookie' request header with more than 1024 bytes of data to APM Portal Access host.

Impact:
Memory used by 'rewrite' process keeps increasing and leads to 'out of memory' logs and possibly failover.

Fix:
Portal Access no longer leaks memory on large Cookie request headers from the client.


511406-1 : Pagination issue on firewall policy rules page

Component: Advanced Firewall Manager

Symptoms:
Firewall policy rules page shows only the first 100 rules in the policy.

Conditions:
This is an issue when there are more than 100 rules configured in a policy.

Impact:
User is only able to see the first 100 rules in the policy.

Fix:
The firewall policy rules page now displays more than 100 rules.


511326-2 : SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.

Component: Service Provider

Symptoms:
The BIG-IP system does not forward messages when configured as SIP ALG with translation.

Conditions:
The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification.

Impact:
The Subscriber does not receive any notification regarding the subscribed events.

Workaround:
None.

Fix:
The BIG-IP system now correctly forwards messages when configured as SIP ALG with translation.


511196-1 : UMU memory is not released when remote logger can't reach its destination

Component: Application Security Manager

Symptoms:
UMU memory is printed in the bd.log as being held although there is no traffic in the system.

Conditions:
Remote logger has an unreachable destination.

Impact:
Some memory is wasted and is not released for a long time.

Workaround:
Fix the remote logger configuration, or the network issue.

Fix:
Fixed the slow release of UMU memory that occurred when the remote logger's destination was unreachable.


511187-1 : bd crash with large configuration changes while under load

Component: Application Security Manager

Symptoms:
A bd crash happened.

Conditions:
It is not known what series of changes triggered the crash, but it was observed while under load and making changes to hundreds of profiles.

Impact:
Traffic disrupted while bd restarts.

Workaround:
N/A

Fix:
Fixed a bd crash that happened upon configuration change in very large deployments.


511130-3 : TMM core due to invalid memory access while handling CMP acknowledgement

Component: Local Traffic Manager

Symptoms:
Rarely, TMM might core due to invalid memory access while handling a CMP acknowledgement.

Conditions:
Memory is not validated before handling a CMP acknowledgement.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Memory is now validated before handling a CMP acknowledgement.


511064-1 : Repeated install/uninstall of policy with usage monitoring stops after second time

Component: Policy Enforcement Manager

Symptoms:
Usage monitoring as required by the policy stops working.

Conditions:
Policy configured with usage monitoring is installed/uninstalled multiple times within a session.

Impact:
Usage reporting stops working.

Workaround:
None.

Fix:
The system now correctly handles the case in which a policy with usage monitoring is installed and removed multiple times.


511057-5 : Config sync fails after changing monitor in iApp

Component: Local Traffic Manager

Symptoms:
Unable to modify a pool monitor and delete it in the same transaction.

Conditions:
A pool must have the monitor associated with it before the tmsh transaction, and must be the same as the monitor being deleted in the transaction.

Impact:
Unable to submit multiple changes in a single transaction.

Workaround:
Modify the pool monitor and delete it in separate transactions.

Fix:
Monitor modification and deletion can now happen in the same transaction.


510979-1 : Password-less SSH access after tmsh load of UCS may require password after install.

Component: TMOS

Symptoms:
If an account such as admin has password-less SSH access, then after loading the UCS config or doing a live install and moving the config, SSH access no longer works without a password.

Conditions:
The user's .ssh/authorized_keys file is owned by uid=0.

Impact:
tmsh load sys ucs config replaces the uid ownership of /home/user_name/.ssh/authorized_keys incorrectly, which prevents SSH access without passwords.

Workaround:
Create a directory in /var/ssh for each user, move .ssh/authorized_keys there, and then link to the moved file in the ~/.ssh directory. In that case, UCS load affects the link, but not the linked file, so password-less SSH access is maintained.

Note: A UCS file taken after the workaround will not include the file /var/ssh/<username>/authorized_keys. If you have a plan to load the UCS on a different unit, for example, for the purposes of RMA, please save the file individually.

Fix:
Password-less SSH access is now maintained after tmsh load (or install and move config) of UCS.


510923-2 : TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.

Conditions:
The secondary blade is disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes after the secondary blade is disabled.


510921-1 : Database monitors do not support IPv6 nodes

Component: Local Traffic Manager

Symptoms:
Unable to monitor IPv6 nodes.

Conditions:
Pool configured with a DB monitor (MySQL, MSSQL, Oracle or Postgres) and IPv6 nodes.

Impact:
IPv6 nodes are reported down and do not receive traffic.

Fix:
Database monitors now support monitoring IPv6 nodes.


510888-1 : [LC] snmp_link monitor is not listed as available when creating link objects

Component: Global Traffic Manager

Symptoms:
GUI: snmp_link is not listed in the Available monitor list when creating link objects. tmsh: snmp_link is not shown when using TAB completion to list monitor options when creating link objects.

Conditions:
When creating GTM link objects.

Impact:
Cannot determine whether the snmp_link monitor can be used. You must manually enter snmp_link to associate it with a link object.

Workaround:
In tmsh, manually type snmp_link as the monitor when creating link objects.

Fix:
snmp_link monitor is now listed as available when creating link objects.


510837-2 : Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. bigip sends bad client key exchange.

Component: Local Traffic Manager

Symptoms:
When BIG-IP SSL acts as an SSL client and the cipher in use is ECDHE_ECDSA or DHE_DSS, it sends a bad ClientKeyExchange to the SSL server during server-initiated renegotiation.

Conditions:
BIG-IP acts as an SSL client, the cipher in use is ECDHE_ECDSA or DHE_DSS, and the server initiates renegotiation.

Impact:
The SSL handshake fails. The SSL server may reset the SSL connection with an error such as 'digest check failed' or 'ssl handshake failed'.

Workaround:
Do not use the ECDHE_ECDSA or DHE_DSS ciphers.

Fix:
BIG-IP SSL now handles server-initiated renegotiation correctly with the ECDHE_ECDSA or DHE_DSS ciphers when BIG-IP acts as the client.


510811-1 : PEM::info irule does not take effect if used right after PEM::session config policy irule

Component: Policy Enforcement Manager

Symptoms:
Using the PEM::info iRule command to set a session attribute immediately after a PEM::session config policy command has set the referential policy does not work: the session attribute is not set correctly in this case.

Conditions:
The PEM::session config policy and PEM::info iRule commands are used one immediately after the other.

Impact:
The PEM::info iRule command does not set the session attribute as expected.

Workaround:
Put a delay (for example, "after 10") between these two commands in the iRule script.

Fix:
After the fix, the PEM::info iRule command sets the PEM session attribute correctly, even when used immediately after the PEM::session config policy command.


510721-1 : PEM::enable / PEM::disable iRule errors out with an error message

Component: Policy Enforcement Manager

Symptoms:
When the PEM::enable or PEM::disable iRule command is used, an error message is shown indicating that the iRule procedure is undefined.

Conditions:
Using PEM::enable or PEM::disable in an iRule script.

Impact:
The PEM::enable and PEM::disable iRule commands cannot be used.

Fix:
Correct validation has been added for the PEM::enable and PEM::disable iRule commands. After the fix, the commands can be used and the error message no longer appears.


510720-1 : iRule table command resumption can clear the header buffer before the HTTP command completes

Component: Local Traffic Manager

Symptoms:
iRule table command resumption can clear the header buffer before the HTTP command completes.

Conditions:
An HTTP request was attempted with an iRule table command that resumed after parking.

Impact:
Results in a SIGABRT. Header names might intermittently be output incorrectly, reporting empty names and/or parts of the request line.

Workaround:
This issue has no workaround at this time.

Fix:
iRule resumption after halting now works correctly.


510709-1 : Websso start URI match fails if there are more than 2 start URI's in SSO configuration.

Component: Access Policy Manager

Symptoms:
If more than 2 start URIs are configured, start URI parsing does not work correctly. This results in no start URI match and WebSSO failure.

Conditions:
The SSO error occurs only if more than 2 start URIs are configured in the SSO configuration.

Impact:
SSO v1 (WebSSO) fails for the configured start URIs due to a start URI mismatch.

Workaround:
None.

Fix:
WebSSO start URI parsing was incorrect when the start URI configuration contained multiple lines. WebSSO start URI parsing is now fixed.


510638-1 : [DNS] Config change in dns cache resolver does not take effect until tmm restart

Component: Local Traffic Manager

Symptoms:
Config change in DNS cache resolver does not take effect until tmm restart.

Conditions:
Make changes to LTM DNS cache resolver.

Impact:
Changes made to the DNS cache resolver are not in effect until tmm restarts. For example, changes to the DNS cache resolver's Max. Concurrent Queries and Allowed Query Time parameters do not load into the system until tmm restarts.

Workaround:
Restart tmm after making changes, or create a new DNS cache profile.

Fix:
Config changes to the DNS cache resolver now take effect immediately and no longer require a tmm restart.


510597-3 : SNAT Origin Address List is now stored correctly when first created

Component: TMOS

Symptoms:
When creating a SNAT under Local Traffic :: Address Translation : SNAT List and specifying an address list under Origin, there is no host or network SNAT type to select from.

Conditions:
This occurs in this scenario:
1. Create a SNAT, specify an address list with a /24 mask, and update.
2. Run the command: tmsh list ltm snat SNAT_created.

Impact:
A /32 IP address is shown instead. For example, 1.1.1.0/24 is translated to 1.1.1.0/32.

Fix:
SNAT Origin Address List is now stored correctly when first created.


510596-6 : Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty

Component: Access Policy Manager

Symptoms:
DNS resolution can break for a Linux client when the "DNS Default Domain Suffix" setting is empty in a Network Access configuration in APM.

Conditions:
BIG-IP Edge Gateway, the Linux CLI client, and an empty "DNS Default Domain Suffix" setting in the Network Access configuration.

Impact:
DNS resolution might not work on Linux.

Workaround:
Configure the "DNS Default Domain Suffix" setting in the Network Access configuration.

Fix:
DNS resolution on Linux works now even when the "DNS Default Domain Suffix" setting in the Network Access configuration is empty.


510580-5 : Interfaces might be re-enabled unexpectedly when loading a partition

Component: TMOS

Symptoms:
Loading of a set of partitions not including Common might re-enable interfaces that were previously disabled.

Conditions:
Loading of a set of partitions not including Common.

Impact:
Interfaces might be unexpectedly re-enabled. (It is expected that 'load sys config partitions { anotherpartition }' will only affect objects in the /anotherpartition folder.)

Workaround:
None.

Fix:
Loading of a set of partitions not including Common no longer re-enables interfaces that were previously disabled.


510559-6 : Add logging to indicate that compression engine is stalled.

Component: TMOS

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3. If the compression engine stalls, there is no logging-trail to indicate there is a problem.

Conditions:
This occurs when the system encounters errors during hardware compression handling and the compression engine stalls.

Impact:
Compression stalls completely, or CPU usage is driven up by software-based compression. There is no indication of what the issue is.

Workaround:
Disable compression, or select 'software only' compression.

Fix:
Previously, if the compression engine stalled, there would be no logging-trail to indicate there was a problem. This release adds logging and stats for detecting a compression engine stall.


510499-2 : System Crashes after Sync in an ASM-only Device Group.

Component: Application Security Manager

Symptoms:
System crashes after an ASM Sync in an ASM-only Device Group.

Conditions:
This occurs when the following conditions are met:
1) Two devices that are members of both a full-sync device group and a sync-only, ASM-enabled device group, both configured for manual sync.
2) Have a policy active on a virtual server on both devices.
3) Deactivate the policy on one device.
4) Push the ASM config from that device to the other device.

Impact:
The peer device is left in an inconsistent state and bd crashes.

Workaround:
None.

Fix:
ASM configuration sync now gracefully handles being unable to deactivate a policy when doing so conflicts with the LTM config.


510459-1 : In some cases Access does not redirect client requests

Component: Access Policy Manager

Symptoms:
A client may receive the following error message upon request: "The requested file could not be found on the server. Please contact system administrator."

Conditions:
Client requests received by Access running on BIG-IP versions 11.4.0 to 11.6.0 may encounter this issue.

Impact:
The client request is not fulfilled and an error message is received.

Workaround:
None.

Fix:
Resolved an issue in which clients received a file-not-found message from Access due to an out-of-date white list entry in OPSWAT.


510393-1 : TMM may occasionally restart with a core file when deployed VCMP guests are stopped

Component: TMOS

Symptoms:
vCMP guest shutdown can interfere with execution of the vCMP hypervisor TMM, causing 'Clock advanced' messages and TMM restarts with corresponding core files.

Conditions:
vCMP guests in state 'deployed' are modified to state 'provisioned' or 'configured', or are deleted entirely. The likelihood of a TMM restart increases with the number of guests that are stopping at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Shut down vCMP guests one at a time to reduce the likelihood of encountering this issue.

Fix:
Resolved occasional TMM restarts when stopping vCMP guests on 12050 and 10350N appliances.


510381-3 : bcm56xxd might core when restarting due to bundling config change.

Component: TMOS

Symptoms:
A race condition exists where bcm56xxd might core while restarting due to a bundling configuration change if it is still processing other config messages from MCP. This affects all platforms that support interface bundling.

Conditions:
Interface bundling change requiring a restart while still processing configuration messages.

Impact:
An unnecessary core file is produced, since the daemon is restarting anyway.

Workaround:
None.

Fix:
Fixed a possible race condition that resulted in a bcm56xxd core.


510264-1 : TMM core associated with smtps profile.

Component: Local Traffic Manager

Symptoms:
tmm can core when the smtps profile is enabled.

Conditions:
This is an intermittent core seen when the smtps profile is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
n/a

Fix:
tmm no longer cores when the smtps profile is used.


510226-2 : All descriptions for ports-list's members are flushed after the port-list was updated

Component: Advanced Firewall Manager

Symptoms:
'Description' for port-list entries created from tmsh gets deleted when the corresponding port-list object is updated from GUI.

Conditions:
When a user updates a port-list object whose members have descriptions set, the descriptions are deleted.

Impact:
The user loses the description values set for the list's members.

Workaround:
Do not update the port list from the GUI when its members have a 'description', or use tmsh to update the port list.

Fix:
Descriptions created for port list members from tmsh no longer get deleted when a user updates the port list object.


510224-2 : All descriptions for address-list members are flushed after the address-list was updated

Component: Advanced Firewall Manager

Symptoms:
'Description' for address-list entries created from tmsh gets deleted when the corresponding address-list object is updated from GUI.

Conditions:
When a user updates an address-list object whose members have descriptions set, the descriptions are deleted.

Impact:
The user loses the description values set for the list's members.

Workaround:
Do not update the address list from the GUI when its members have a 'description'.

Fix:
Descriptions created for address list members from tmsh no longer get deleted when a user updates the address list object.


510159-1 : Outgoing MAP tunnel statistics not updated

Component: TMOS

Symptoms:
Outgoing statistics for MAP tunnels are not shown in the 'tmsh show net tunnels' command output.

Conditions:
When sending bidirectional traffic over a MAP tunnel between a client and server across a DUT.

Impact:
Only incoming traffic is shown in the 'tmsh show net tunnels' command output. This is a cosmetic error, and does not indicate incorrect functionality.

Fix:
Outgoing statistics for MAP tunnels are now included in the 'tmsh show net tunnels' command output.


510119-4 : HSB performance can be suboptimal when transmitting TSO packets.

Component: TMOS

Symptoms:
For heavily fragmented TSO packets, it is possible to populate a high percentage of the HSB's transmit ring.

Conditions:
This can happen when transmitting large fragmented TSO packets.

Impact:
Suboptimal behavior might be seen when transmitting large fragmented TSO packets. There is a rare chance it can lead to a full or stuck transmit ring.

Workaround:
Disable TSO.


510049 : Revised BIG-IP CGNAT Implementations content

Component: TMOS

Symptoms:
The BIG-IP 11.6.0 CGNAT Implementations manual includes SIP ALG content for the security, dialog_aware, and insert_record_route_header settings. Also, the content refers to the SIP Security check box instead of the SIP Firewall check box.

Conditions:
Content for a SIP profile includes steps for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box, which cause an error. Content also refers to the SIP Security check box, instead of the SIP Firewall check box.

Impact:
Configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box, causes an error. Content incorrectly refers to the SIP Security check box, instead of the SIP Firewall check box.

Workaround:
Deleted content for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box. Changed content referring to the SIP Security check box to the SIP Firewall check box.

Fix:
Documentation is revised to omit content for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box. Documentation also now refers to the SIP Firewall check box instead of the SIP Security check box.


509968-3 : BD crash when a specific configuration change happens

Component: Application Security Manager

Symptoms:
A reconfiguration, a security application being attached to a VIP, a new security policy, or another large config change is followed by traffic halting or resetting, a shrinking message in bd.log, and a bd crash.

Conditions:
A remote logger with "report anomalies" is attached to the virtual server, a session transaction attack is ongoing, and the session transaction configuration is changed together with a custom header (for XFF) configuration. This can also happen when adding new web applications to an existing virtual server or attaching an existing web application to a virtual server while there is a session transaction attack on that virtual server.

Impact:
Traffic halts, a failover occurs, and traffic is reset. bd starts up with the updated configuration in place.

Workaround:
Do not add security policies, attach security policies to a virtual server, reconfigure a security policy, or change the session transaction configuration together with the custom header configuration while a session transaction attack is ongoing on a virtual server that has a remote logger attached.

Fix:
A crash that happens upon a specific configuration change was fixed.


509956-4 : Improved handling of cookie values inside SWG blocked page.

Component: Access Policy Manager

Symptoms:
Certain components of cookies are not escaped and might negatively impact functionality.

Conditions:
Use of a reject ending in a per-request access policy.

Impact:
Potential disruption of functionality.

Workaround:
None.

Fix:
Improved the way that we process cookie values in an SWG blocked page.


509934-1 : Blob activation fails due to counter revision

Component: Advanced Firewall Manager

Symptoms:
Blob activation fails after loading the config from a UCS file when the saved config has a policy with at least 1 rule and the running config has a policy with the same name but no rules.

Conditions:
The running config has a policy (say, policy name X) with no rules that is associated with a context. The saved config (UCS) has a different policy with the same name X that has at least 1 rule. When the UCS (saved config) is loaded, blob activation fails because TMM is unable to revise the counters for the new container.

Impact:
Activation fails.

Workaround:
N/A

Fix:
Counter tracking is now correct.


509919-2 : Incorrect counter for SelfIP traffic on cluster

Component: Advanced Firewall Manager

Symptoms:
SelfIP traffic is always handled on the primary blade of a cluster; if it is disaggregated to a non-primary blade, it is internally forwarded to the primary blade.

Because of this, AFM double-classified this traffic (only on a cluster), causing incorrect AFM ACL/IPI counts.

Conditions:
SelfIP traffic is disaggregated to a non-primary blade on a cluster and AFM is enabled.

Impact:
Incorrect AFM ACL/IPI rule counters, because internal forwarding of SelfIP traffic on a cluster from a non-primary to the primary blade causes AFM to match and classify these packets twice.

Workaround:
None.

Fix:
With the fix, self IP traffic on a cluster is counted correctly for AFM ACL/IPI matches.


509873-1 : Rare crash and core dump of TMM or bd after rebooting a device or joining a trust domain.

Component: Application Security Manager

Symptoms:
The TMM process or bd daemon may crash and core dump within 24 hours of either rebooting a device, restarting TMM, or joining a trust domain. This may also happen on a standalone device that has been rebooted.

Conditions:
Traffic arrives at a virtual server that is configured with an anti-fraud profile, an ASM security policy, or a DoS profile that has 'Application Security' enabled.

Impact:
The crash might happen only within 24 hours of either rebooting a device, restarting TMM, or joining a trust domain. The TMM or bd crash causes the device to not handle traffic while the process is being restarted.

Workaround:
Performing the following actions prevents the crash. This requires shell access to the device.

1.

Edit the file /etc/bigstart/scripts/datasyncd:

Remove the last line, which contains:
exec /usr/share/datasync/bin/datasyncd >> /var/log/datasync/datasyncd.log

In its place, add this:
exec >> /var/log/datasync/datasyncd.log 2>&1

echo "`date`: fix start."
set -x
tmsh list security datasync local-profile
tmsh list security datasync local-profile | grep '^security' | awk '{print $4}' | while read -r table; do tmsh modify security datasync local-profile $table max-gen-rows infinite; done
tmsh list security datasync local-profile
set +x
echo "`date`: fix end."

exec /usr/share/datasync/bin/datasyncd

2.

Run 'bigstart restart tmm'.
NOTE: This causes the device to be offline and not handle traffic while TMM restarts.

Fix:
This release fixes a potential (but rare) crash of either TMM or the Enforcer that may happen within 24 hours of either rebooting a device, or joining a trust domain.


509782-3 : TSO packets can be dropped with low MTU

Component: TMOS

Symptoms:
If an interface is configured with a low MTU, it is possible for the system to drop TSO packets. This can be observed looking at the tx_drop_tso_bigpkt stat in the tmm/hsb_internal_fsc table.

Conditions:
The interface is configured with a low MTU, usually 750 or lower. If TMM then attempts to use TSO for a packet, there is a chance this packet will be dropped.

Impact:
Large TSO packets are dropped.

Workaround:
Increase the MTU or disable TSO.

If TSO is not disabled, three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.

The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.

The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


509758-2 : EdgeClient shows incorrect warning message about session expiration

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shows an incorrect warning message once a network access connection is established.

Conditions:
The Access Policy has the Maximum Session Timeout disabled (set to 0) and a Network Access webtop is used.

Impact:
Versions that have session expiration timeout display all zeroes instead of the timeout value. This is a cosmetic issue that does not indicate incorrect system functionality.

Workaround:
None.

Fix:
The BIG-IP Edge Client no longer shows the incorrect warning message.


509722-1 : BWC traffic blocked

Component: Access Policy Manager

Symptoms:
BWC traffic is blocked when BWC is configured using percentages and the configuration is modified.

Conditions:
Modifying configurations of BWC categories using percentages.

Impact:
BWC traffic is blocked.

Workaround:
Configure BWC categories with bandwidth values rather than percentages.

Fix:
The problem with modifying BWC configured percentages has been corrected.


509677-1 : Edge-client crashes after switching to network with Captive Portal auth

Component: Access Policy Manager

Symptoms:
When switching to a network with Captive Portal authentication, the Edge-client becomes unresponsive.

Conditions:
- The Captive Portal uses an https logon page.
- Network switching is done by unplugging the network cable from the NIC or disconnecting from the wireless network (not by disabling the network interface).

Impact:
The Edge client crashes.

Workaround:
N/A

Fix:
Corrected an invalid pointer by updating the pointer name.


509646-7 : Occasional connections reset when using persistence

Component: Local Traffic Manager

Symptoms:
Occasional connections will be reset when using persistence. If tracking reset causes, the reset cause will be "Persist add entry not found."

Conditions:
This occurs only within the first 32 seconds of a tmm receiving traffic after startup. The client request must also arrive on exactly the right tmm on a chassis. This does not reproduce on non-chassis devices.

Impact:
Occasional reset connections. After 32 seconds of receiving traffic, the issue abates.

Fix:
Spurious resets of new persistent connections no longer occur.


509641-3 : Ephemeral pool members may not inherit attributes from FQDN parent

Component: Local Traffic Manager

Symptoms:
Newly resolved pool members do not have the appropriate attributes (priority, connlimit, etc.).

Conditions:
Parent FQDN has non-default attributes and a new ephemeral member is resolved.

Impact:
Ephemeral pool members have unexpected attributes.

Fix:
Ephemeral pool member now correctly inherits attributes from parent node upon resolution.


509600-1 : Global rule association to policy is lost after loading config.

Component: Advanced Firewall Manager

Symptoms:
The association of a global rule to a policy appears to be lost after the config is loaded, whether by direct loading, saving, upgrading, or config syncing. As a result of this issue, you may encounter the following symptom:

After re-enabling a global policy and waiting for an unspecified period of time, you observe that the policy is disabled again.

Conditions:
This occurs when you associate a global rule with a policy, and then initiate an operation that causes config load.

Impact:
Policies are removed from enforcement in the global context.

Workaround:
To work around this issue, you can add back the rules manually, or, if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context when no other route domains are configured.

Impact of workaround: If you have other route domains configured, Route Domain 0 is no longer usable as a global context.

Fix:
The association of a global rule to a policy is now retained after the config is loaded, whether by direct loading, saving, upgrading, or config syncing.


509595-1 : Start uri is blank when going through portal in ie, but loads fine in firefox

Component: Access Policy Manager

Symptoms:
Clicking a Start URI through the portal can result in a blank page in IE. Firefox works fine.

Conditions:
In IE, writing to a previously closed document with document.write() can result in a blank page, because document.open() returns a null object.

Impact:
A blank page.

Fix:
The old document reference is now used if document.open() returns null, so document.write() on a closed document works as expected.


509504-5 : Excessive time to save/list a firewall rule-list configuration

Component: TMOS

Symptoms:
A configuration containing a large number of firewall rule-list::rules might take an excessively long time to save. Similarly, excessive times are seen for listing the firewall configuration.

Conditions:
Large number of AFM rules.

Impact:
A long time to save or list the configuration. While this issue was noticed for a firewall rule-list::rules configuration, the same issue might occur for deeply nested configurations.

Fix:
The save and list times for configurations with numerous firewall rules or deeply nested structures (for example, firewall rule-list::rules) are significantly reduced.


509503-4 : tmsh load sys config merge file 'filename' takes significant time for firewall rule-list configuration

Component: TMOS

Symptoms:
For certain configurations with deeply nested structures (for example, some firewall rule-list configurations), the tmsh load sys config merge operation requires excessive time.

Conditions:
Configurations containing deeply nested structures.

Impact:
The time for the merge is significantly more than the time needed for a load operation.

Workaround:
If you are affected by long load times when merging a configuration file into an existing one, you can instead manually append the config file to the appropriate bigip_base.conf or bigip.conf file.

Fix:
The performance of the tmsh load sys config merge operation was optimized. With this optimization, the time for the merge operation is only slightly greater than that of the load operation.


509495 : A TMM memory leak when HTTP protocol security enabled profile and no AFM license

Component: Application Security Manager

Symptoms:
The following command shows memory for httpsec::httpsec_plugin increasing on each transaction:
tmctl memory_usage_stat | (head -n 2; grep httpsec)

Conditions:
HTTP protocol security profile is enabled while AFM is not licensed.

Impact:
TMM memory increased on each transaction.

Workaround:
License AFM.

Fix:
Fixed a memory leak on TMM when AFM is not licensed and HTTP security enabled profile is assigned to a virtual server.


509490-2 : [IE10]: attachEvent does not work

Component: Access Policy Manager

Symptoms:
Websites are broken in Internet Explorer if they use postMessage to send objects. There could be errors in the JavaScript console.

Conditions:
A web application in Internet Explorer 8, 9 or 10 that uses window.postMessage() and receives messages with a handler added through window.attachEvent(), accessed through Portal Access.

Impact:
The web application cannot use window.postMessage() to send data through Portal Access in Internet Explorer.

Workaround:
None.

Fix:
The 'onmessage' handler added with window.attachEvent() now correctly receives data sent through window.postMessage().


509475 : SPDY profile with activation-mode always may not load on upgrade to 11.6.0 or later

Component: TMOS

Symptoms:
In 11.5.x and earlier versions it was possible to have a SPDY profile with the following combination of settings: activation-mode always, and protocol-versions { spdy3 spdy2 http1.1 }. In 11.6.0 this was changed to allow only a single protocol-version in conjunction with 'activation-mode always'.

Conditions:
A SPDY profile with activation-mode always and multiple protocol versions in protocol-versions.

Impact:
This might cause a failure when upgrading from prior versions to 11.6.0 or later.

Workaround:
Before upgrading make sure all SPDY profiles with 'activation-mode always' only have a single 'protocol-versions' value set.

Fix:
A SPDY profile with 'activation-mode always' and multiple 'protocol-versions' no longer causes an upgrade to fail. Instead upgrade changes the profile such that the 'protocol-versions' field only contains the highest SPDY protocol version that was listed before the upgrade.


509416 : Suspended 'after' commands may result in unexpected behaviors

Component: Local Traffic Manager

Symptoms:
Unexpected iRule behavior, crashes or aborts.

Conditions:
This can occur when a virtual server has a OneConnect profile and an iRule that uses the 'after' command.

Impact:
tmm crash.

Fix:
Connections are now ineligible for reuse while there is still a pending, suspended, or in-progress 'after' iRule command, which is the correct behavior.


509400-1 : vCMP VIPRION: internal flooded unicast packets with multi-slot trunks impact performance

Component: TMOS

Symptoms:
Occasional duplicated ICMP replies to a guest self-IP by multiple TMMs in a multi-slot guest. Also results in guest unicast traffic showing up in the host VLAN tcpdump because by design, a flooded unicast packet visits the host TMM and is then sent to the appropriate guest.

Conditions:
When a blade can receive traffic for a vCMP guest that is not deployed on its own blade, L2 learning inconsistencies can result in the FDB entry for the guest VLAN MAC timing out and causing unicast floods (destination-lookup-fail) packets. For example, in a 4-slot trunk and a 3-slot guest topology, the one slot not hosting the guest is subject to FDB entry timeouts due to normal traffic flow.

Impact:
Packets and connections continue to flow but more broadcast traffic than expected runs through the vCMP host TMM. This can cause extra CPU utilization and switch drops.

Workaround:
This situation is corrected any time the guest sends out a broadcast packet on its VLAN MAC. For example, the normal action of TMM emitting an ARP for an external node (for example a monitor whether reachable or not) can correct the situation because the ARP will update all the blades' internal FDB entries for the guest VLAN MAC and halt the flooded unicast situation until the FDB entry times out again.

Fix:
There is no longer duplicate traffic on a vCMP guest when a blade can receive traffic for a vCMP guest that is not deployed on its own blade.


509346-2 : Intermittent or complete SSL handshake failure with netHSM keys

Component: Local Traffic Manager

Symptoms:
1) When the network HSM takes too long to respond, TMM is considered down. For chassis, this causes failover to other blades. Since all blades share the same netHSM, those blades might quickly fail as well. If that happens, all tmm traffic will be down. There might be many reasons for the netHSM delay or failure. For appliance and VE, it may cause intermittent or complete SSL handshake failures, depending on the reliability of the network HSM connection.

2) With high memory consumption due to a heavy configuration, if PKCS11d is restarted, the system might also experience PKCS11d service malfunctions, which might be seen as intermittent or complete SSL handshake failures, depending on each TMM's memory usage.

Conditions:
This affects all platforms - chassis, appliance, and VE.

1) netHSM has delay or failure.

2) High memory usage due to heavy configuration or provisioning followed by PKCS11d restart.

Impact:
1) All blades in the chassis are put into "disabled" mode, leading to all SSL handshakes failing.

2) PKCS11d service malfunction, which might be seen as intermittent or complete SSL handshake failures.

Workaround:
1) Restart the chassis to clear the state.

2) Reboot.

Fix:
1) The timeout trigger is now disabled for failover when netHSM is used. Although there might be many reasons for such failures, with this fix, netHSM-related SSL failures won't cause all blades to be disabled.

2) The system now resets shared memory queues at creation, to avoid potential memory corruption.


509310-5 : Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances

Component: Local Traffic Manager

Symptoms:
The egress VxLAN traffic on VIPRION chassis and 5000 series appliances has bad UDP checksum in its outer UDP header. The BIG-IP hardware does not support UDP checksum offload for VxLAN traffic if the outer UDP header is IPv4. The BIG-IP hardware uses UDP destination port 4789 to identify VxLAN traffic.

Conditions:
The outer UDP header of egress VxLAN traffic on VIPRION chassis and 5000 series appliances is IPv4 and has destination port equal to 4789.

Impact:
The egress VxLAN traffic is dropped due to bad UDP checksum.

Workaround:
Set the db variable iptunnel.vxlan.udpport to 0, so that the BIG-IP system hardware does not classify traffic with UDP destination port 4789 as VxLAN traffic.

Fix:
VIPRION chassis and 5000 series appliances no longer generate bad outer IPv4 UDP checksums on egressing VxLAN traffic.


509284-2 : Improved reliability of a module interfacing with HSM

Component: Local Traffic Manager

Symptoms:
After tmm has crashed and auto-restarted, traffic may stop for profiles with HSM keys.

Conditions:
This can occur when using HSM keys, and TMM crashes.

Impact:
Encrypted traffic will not be processed, even after daemons restart.

Workaround:
Restart TMM and pkcs11d, e.g. with 'bigstart restart tmm pkcs11d'.

Fix:
Fixed a race condition that could prevent proper initialization of the inter-process communication channel between TMM and pkcs11d.


509276-4 : VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device

Component: TMOS

Symptoms:
VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on the standby device.

Conditions:
A VXLAN tunnel with a floating local address on the standby device.

Impact:
Incorrect gratuitous ARPs are generated on the standby device.

Fix:
VXLAN tunnels with floating local addresses no longer generate incorrect gratuitous ARPs on the standby device.


509273 : hostagentd consumes memory over time

Component: Device Management

Symptoms:
The hostagentd process on a vCMP host might consume more memory over time.

Conditions:
BIG-IP appliance or VIPRION blade/cluster with vCMP guests.

Impact:
Rarely, the vCMP host might run out of memory.

Workaround:
To work around this issue, you can disable guest health statistic collection on the vCMP host. To do so, perform one of the following procedures:

Option 1: Disabling statistic collection for the tmsh show vcmp health command.
Impact of workaround: This procedure affects values returned by the tmsh show vcmp health stats command.
1. Log in to the command line of the vCMP host appliance or primary blade of the cluster.
2. To disable statistic collection, type the following command:
tmsh modify vcmp guest all capabilities add { stats-isolated-mode }
3. To restart the hostagentd process, type the following command:
a. On a BIG-IP appliance:
bigstart restart hostagentd
b. On a blade in a VIPRION cluster:
clsh bigstart restart hostagentd


Option 2: Disabling the hostagentd process
Impact of workaround: This procedure affects health statistic collection, as well as the ability for guests to install from a host-provided ISO.
1. Log in to the command line of the vCMP host appliance or primary blade of the cluster.
2. To disable the hostagentd process, type the following command:
a. On a BIG-IP appliance:
bigstart stop hostagentd
b. On a blade in a VIPRION cluster:
clsh bigstart stop hostagentd

3. To exclude the hostagentd process from starting up after rebooting the system, type the following command:
a. On a BIG-IP appliance:
bigstart disable hostagentd
b. On a blade in a VIPRION cluster:
clsh bigstart disable hostagentd

Fix:
Fixed a rare vCMP host memory growth issue.


509108-1 : CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber

Component: Carrier-Grade NAT

Symptoms:
CGNAT PBA may log a port-block allocation (LSN_PB_ALLOCATED) message immediately followed by a port-block release (LSN_PB_RELEASE) message for a port-block that is already allocated to a different subscriber.

Conditions:
This can happen if subscriber traffic is received while a blade is being added or removed, while a blade is failing, or while an HA failover is in progress.

Impact:
Causes ambiguity when reverse-mapping subscriber connections from the logs.

Fix:
CGNAT PBA no longer logs port-block allocation and port-block release messages for a port-block that is already allocated to a different subscriber during a blade add/remove/fail or HA failover.


509105-1 : TMM cores sometimes if provisioning hold time is set to non-zero.

Component: Policy Enforcement Manager

Symptoms:
TMM might core if provisioning hold time is set and a multiple-IP session is created with both IPv4 and IPv6 addresses.

Conditions:
Provisioning hold time is set to non-zero, and one of the IP addresses is removed by running the command: radius stop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable provisioning hold time by setting the tmm.pem.session.radius.provisioning.hold.time DB variable to 0. Listing the variable should then show:

list sys db tmm.pem.session.radius.provisioning.hold.time
sys db tmm.pem.session.radius.provisioning.hold.time {
    value "0"
}

Fix:
In this release, TMM no longer cores if provisioning hold time is set to non-zero.


509037-1 : BIG-IP systems allow creating wild-card IPIP tunnels with the same local-address and tunnel-type

Component: TMOS

Symptoms:
MCPD accepts the wild-card IPIP tunnels with the same local-address and tunnel type (ip4ip6, ipip, ip6ip4, ip6ip6) without validation, although the configuration is eventually discarded in TMM.

Conditions:
Creating wild-card tunnels with the same local-address and IPIP tunnel-type.

Impact:
This incorrect configuration is allowed on the BIG-IP system without error.

Workaround:
Specify wild-card tunnels using different local-address and tunnel-type values.

Fix:
Attempts to create such wild-card tunnels are now detected by BIG-IP system validation at creation time. The system disallows creation of wild-card tunnels with the same local-address and tunnel-type.


509010 : Adding/Deleting a local user takes 30 seconds to complete

Component: Access Policy Manager

Symptoms:
It takes about 30 seconds to add or to delete a local user.

Conditions:
This occurs when using the GUI to add or delete local users (on the GUI Access Policy :: Local User DB :: Manage Users screen).

Impact:
The add or delete operation incurs a delay of approximately 30 seconds.

Workaround:
None.

Fix:
Adding or deleting a local user now completes within an expected time interval.


508957-1 : ASM REST Slowness Viewing Policy List

Component: Application Security Manager

Symptoms:
When a large number of virtual servers and security policies are defined on a system, REST responses for the mgmt/tm/asm/policies endpoint are slow.

Conditions:
Over 100 unique Virtual Servers and Security Policies are defined on a system.

Impact:
REST responses for the mgmt/tm/asm/policies endpoint experience slowness.

Fix:
Improved performance for the mgmt/tm/asm/policies REST endpoint for systems with large configurations.


508908-1 : Enforcer crash

Component: Application Security Manager

Symptoms:
A bd crash. Connections reset until the system restarts or a failover completes.

Conditions:
A multipart request with a specific syntax error.

Impact:
A bd process crash and failover. Connections are reset until the system restarts or the failover finishes.

Workaround:
No workaround.

Fix:
An Enforcer crash was fixed.


508719-1 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
The title might be missing from a logon page.

Conditions:
The logon page uses a field filled from a dynamically assigned session variable.

Impact:
No title displays on the logon page.

Workaround:
Modify the logon.inc page using the customization panel.

* Add function:
function getSoftTokenPrompt()
{
    if ( softTokenFieldId != "" && edgeClientSoftTokenSupport()) {
        var div = document.getElementById("formHeaderSoftToken");
        if (div) {
            return div.innerHTML;
        }
    }
    return null;
}



* Replace code:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }

By:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = "<? echo $formHeaderSoftToken; ?>";
    if ( softTokenFieldId != "" && softTokenHeaderStr != "" && edgeClientSoftTokenSupport()) {
        header.innerHTML = softTokenHeaderStr;
    } else {
        header.innerHTML = "<? echo $formHeader; ?>";
    }

* Replace code
<td colspan=2 id="credentials_table_header" ></td>
By:
<td colspan=2 id="credentials_table_header" ><? echo $formHeader; ?></td>

* Add code before </body> tag:
<div id="formHeaderSoftToken" style="overflow: hidden; visibility: hidden; height: 0; width: 0;"><? echo $formHeaderSoftToken; ?></div>

Fix:
The title displays on the logon page now.


508716-4 : DNS cache resolver drops chunked TCP responses

Component: Local Traffic Manager

Symptoms:
The DNS cache resolver drops chunked TCP responses.

Conditions:
The cache resolver uses TCP to resolve a query, and the nameserver does not deliver the complete reply in the first TCP segment.

Impact:
The response is discarded, the connection dropped, and the query retried.

Fix:
The DNS cache resolver no longer drops chunked TCP responses.
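The framing a TCP resolver has to honor, as an added example that is not BIG-IP code: a small Python reassembler that buffers TCP segments until the 2-byte length prefix (RFC 1035 section 4.2.2) is satisfied, instead of discarding a reply that arrives in more than one segment. The DNS response bytes and the 7-byte segmentation are constructed sample input.

```python
import struct
from typing import List


def build_dns_response(txid: int, name: str, ipv4: str) -> bytes:
    """Constructed sample: a minimal DNS response with one A question and one A answer."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    qname = labels + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # Name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def frame_tcp(message: bytes) -> bytes:
    """Prefix a DNS message with the 2-byte big-endian length used on TCP."""
    return struct.pack("!H", len(message)) + message


class TcpDnsReassembler:
    """Accumulates TCP segments and yields complete DNS messages as they become available."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, segment: bytes) -> List[bytes]:
        self._buf.extend(segment)
        complete: List[bytes] = []
        while True:
            if len(self._buf) < 2:
                break                                   # length prefix not yet complete
            (msg_len,) = struct.unpack("!H", self._buf[:2])
            if msg_len < 12:
                raise ValueError(f"declared length {msg_len} is shorter than a DNS header")
            if len(self._buf) - 2 < msg_len:
                break                                   # partial message: wait, do not drop
            complete.append(bytes(self._buf[2:2 + msg_len]))
            del self._buf[:2 + msg_len]                 # a segment may carry several messages
        return complete

    def pending(self) -> int:
        """Bytes buffered but not yet forming a complete message."""
        return len(self._buf)
```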


508660-1 : Intermittent TMM crash in classification library

Component: Traffic Classification Engine

Symptoms:
TMM crashes sporadically without apparent triggers when using classification on the virtual server.

Conditions:
Using classification on the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable classification on the virtual server if not needed.

Fix:
The most recent classification library, which includes memory allocation fixes, was integrated.


508630-4 : The APM client does not clean up DNS search suffixes correctly in some cases

Component: Access Policy Manager

Symptoms:
The APM client does not clean up DNS search suffixes correctly when the DNS suffixes configured on a client contain names configured in an APM Network Access resource.

Conditions:
The problem occurs when a suffix name that is configured in a Network Access resource matches the suffix configured locally on the user's machine.

Impact:
As a result, DNS suffixes are not restored correctly.

Fix:
An additional fix was made to restore DNS suffixes correctly.


508544-1 : AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag

Component: Application Visibility and Reporting

Symptoms:
AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag.

Conditions:
This occurs when the following conditions are met:
-- The page-load-time feature is turned on.
-- The HTTP content is not compressed.
-- The HTTP content-type is text or HTML.
-- The HTTP content does not contain an html <head> tag.

Impact:
JavaScript is unnecessarily included in HTTP responses.

Workaround:
Use iRules. This way, CSPM can be enabled and disabled, and controlled for particular pages.

If you can determine which URLs are suitable for CSPM, either by URL or by some specific content in the response, then an iRule can make that decision.
To do so, turn on the page-load-time feature in the Analytics profile and apply an iRule. See details here:
https://support.f5.com/kb/en-us/solutions/public/13000/800/sol13859.html

Fix:
AVR injects CSPM JavaScript only when the payload contains an HTML <head> tag. This is correct behavior.


508519-4 : Performance of Policy List screen

Component: Application Security Manager

Symptoms:
There is a performance issue with the Policy List/Import Policy/PCI report configuration utility screens.

Conditions:
20 or more active security policies in the system.

Impact:
With 160 active security policies, it took about 10 seconds to load the Policy List/Import Policy/PCI report configuration utility screens.

Workaround:
There is no workaround at this time.

Fix:
We fixed a performance issue with the Policy List/Import Policy/PCI report configuration utility screen.


508338-1 : Under rare conditions cookies are enforced as base64 instead of clear text

Component: Application Security Manager

Symptoms:
A false positive "modified domain cookie" violation or a false positive "illegal base64 value" violation is created.

Conditions:
No specific condition, rare.

Impact:
The violation "illegal base64 value" on a cookie appears on transactions, even for cookies that are not marked as base64 value cookies.

Workaround:
No workaround.

Fix:
We fixed an issue that rarely caused a false positive illegal base64 value, or false positive modified domain cookie violation.


508337-4 : In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access

Component: Access Policy Manager

Symptoms:
A document.write() call on the parent window from a script in a frame may cause errors on pages accessed through Portal Access. This issue is specific to the Google Chrome browser and its derivatives.

Impact:
Web application does not work through Portal Access with Google Chrome browser.

Fix:
Fixed a JavaScript error occurring on call of document.write() on opened document. The issue was happening when accessing pages through Portal Access with Google Chrome browser.


508076-2 : Cannot successfully create a key/cert via tmsh or the GUI with a name of the form name.key1, where the extension starts with a reserved extension.

Component: TMOS

Symptoms:
Unable to create SSL Certificate or Key if the name extension starts with a special extension.

Conditions:
When creating a certificate or key, if the certificate/key name has an extension that starts with one of (".key", ".crt", ".csr", ".crl", ".der", ".exp", ".pem"), then the creation fails.

For example, it is an error to create a key named "test.key1". In this case, the key extension ".key1" starts with ".key".

Impact:
Key creation or Certificate creation will fail.
The following example commands fail with an error:
tmsh create sys crypto key test.key1
tmsh create sys crypto cert test.key1 key test.key1.key common-name test
Error: Key management library returned bad status: 02, Not Found

Workaround:
Do not create a key or certificate whose name extension starts with one of (.key .crt .csr .crl .der .exp .pem).

Fix:
With this fix, a certificate or key name's extension can start with one of these special extensions.


508057-1 : MySQL Vulnerability CVE-2015-0411

Vulnerability Solution Article: K44611310


508051-1 : DHCP response may return to wrong DHCP client.

Component: Policy Enforcement Manager

Symptoms:
When multiple DHCP solicit messages arrive from different clients with different source IPs, the DHCP responses may all be returned to the client/source IP address that sent the first DHCP request to BIG-IP/PEM.

Conditions:
The issue may occur when multiple DHCP clients send DHCP solicit messages to BIG-IP/PEM in DHCP relay mode.

Impact:
When it occurs, DHCP responses may be returned to the wrong DHCP clients among those that sent solicit messages in DHCP relay mode.

Workaround:
None.

Fix:
Multiple DHCP solicit requests from different clients/source IP addresses are now handled properly, and each response is sent back to the proper client/source IP address.


507919-1 : Updating ASM through iControl REST does not affect CMI sync state

Component: Application Security Manager

Symptoms:
Updates through REST in a manual sync CMI device group do not change the sync status to PENDING.

Conditions:
ASM is configured in a manual sync group and REST API is utilized.

Impact:
The sync status is not changed after updates through REST in a manual sync CMI device group.

Workaround:
There is no workaround at this time.

Fix:
Sync status is now changed after updates through REST in a manual sync CMI device group.


507905 : Saving Policy History during UCS load causes DB deadlock/timeout

Component: Application Security Manager

Symptoms:
Loading a UCS from an older version for upgrade can cause DB timeouts. /var/log/ltm has this error signature: DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/lib/perl5/site_perl/F5/DbUtils.pm

Conditions:
This is a rare issue that occurs when two devices with different versions installed are in a CMI device group. It appears to be triggered when a sync is initiated from the device running the older version while the device group is in the middle of an upgrade, with the newer version being earlier than 11.6.0 HF5 or 11.5.2 HF1.

Impact:
UCS load fails and multiple error messages are logged.

Workaround:
Do not have BIG-IP devices with different versions in the same DSC device group.

Fix:
We corrected an intermittent issue where an error state was received during the upgrade of a DSC device group.


507902-1 : Failure and restart of mcpd in secondary blade when cluster is part of a trust domain.

Component: Application Security Manager

Symptoms:
The mcpd daemon of a secondary blade reports failure and is restarted, causing the blade to be offline and not handle traffic for a few minutes.

Conditions:
A multi-blade device (cluster) is part of a trust domain, and one of the other devices in the trust domain is being rebooted. The mcpd failure may occur within a time frame of between a few minutes and 24 hours. The failure should only happen once, and not repeat until the next time that a device in the trust-domain is rebooted.

Impact:
During the mcpd restart, the blade is offline and not handling traffic for a few minutes. There is no impact to traffic handled by the primary blade.

Workaround:
The mcpd failure is caused by inconsistency between the primary and the secondary blades, after a reboot of a different device in the trust domain. So, the workaround is to check and fix the inconsistency after every reboot of any device in the trust domain. There is no need to do this when only one of the blades is being rebooted.

After any reboot of a device in the trust-domain, perform the following actions:

1. Check for inconsistency:

On each blade of each cluster in the trust-domain, run the following command:

tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'

You should see an object for each of the devices (clusters) in the trust domain.
For example, suppose two multi-blade devices, vcmp1 and vcmp2, each with 2 blades, are joined in the trust-domain:

[root@vcmp1:/S2-green-S:Active:In Sync (Sync Only)] config # tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'
security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}
security datasync device-stats datasync-device-vcmp2.qa.com/datasync-device-vcmp2.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}

This shows both vcmp1 and vcmp2, so the state is good, no further action needed on this device.

However, in the faulty state, the secondary blade of vcmp2 will show:
[root@vcmp2:/S2-green-S:Active:In Sync (Sync Only)] config # tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'
security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}

The vcmp2 device is missing. This means that the state is inconsistent, and an mcpd failure may happen sometime within 24 hours.

2. Fix the inconsistency if needed:

To fix the state, force a sync of the datasync device groups from vcmp1. If vcmp2 had the inconsistency, run the following commands on vcmp1:

tmsh modify cm device-group datasync-global-dg devices modify { vcmp1.qa.com { set-sync-leader } }

Wait a few seconds.

tmsh modify cm device-group datasync-device-vcmp1.qa.com-dg devices modify { vcmp1.qa.com { set-sync-leader } }
tmsh modify cm device-group datasync-device-vcmp2.qa.com-dg devices modify { vcmp1.qa.com { set-sync-leader } }

Wait a few more seconds, then check the state again using the instructions in step 1.
(tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table')
All blades should be good now.

Repeat steps 1 and 2 on each of the blades, in each of the clusters that are part of a trust-domain, whenever a device is rebooted.

Fix:
The mcpd daemon of a secondary blade in a cluster no longer fails and restarts, when the cluster is part of a trust domain, and one of the other devices in the trust-domain is being rebooted.


507899 : Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value

Component: Access Policy Manager

Symptoms:
In a custom APM report, the Assigned IP field shows IPv4 instead of the assigned IP value.

Conditions:
This affects only 11.5.x and 11.6.x releases. If a user creates a custom report with 'Assigned IP' as a field and runs the report, the content of Assigned IP is the IP type rather than the correct IP.

Impact:
The report content is not correct.

Workaround:
Use one of the built-in reports, All Sessions or Current Sessions, to get the correct content for the Assigned IP field.

Fix:
This release shows the correct 'Assigned IP' value instead of the IP type in the custom report field.


507853-1 : MCP may crash while performing a very large chunked query and CPU is highly loaded

Component: TMOS

Symptoms:
MCP crashes while performing a chunked query (such as 'tmsh show sys connection') that returns a large result if a connection to a TMM is severed (due to a zero-window timeout).

Conditions:
CPU is highly loaded.

Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following: error reading variable: Cannot access memory at address 0x1.

Workaround:
None.

Fix:
Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed.


507842-2 : Patch for BIND Vulnerability CVE-2015-1349

Vulnerability Solution Article: K16356


507782-1 : TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data

Component: Access Policy Manager

Symptoms:
TMM crashes on an attempt to open a Citrix connection.

Conditions:
An unpatched or malformed ICA file is received by the client.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed validation of the input data sent in the ICA connection, so that an invalid or non-patched Address field causes the connection to be rejected instead of crashing TMM.


507753 : URL categorization missed if HTTP1.0 header does not have HOST

Component: Policy Enforcement Manager

Symptoms:
If the request carries no HTTP Host header to supply the host part of the URL (which is valid for an HTTP 1.0 request, but not for HTTP 1.1), categorization does not happen.

Conditions:
PEM URLCAT is enabled, and the URL input from the HTTP Host header is not available, which is possible for an HTTP 1.0 request.

Impact:
The URL is categorized as UNKNOWN under this condition.

Workaround:
None.

Fix:
Now, when the HTTP Host header is not present in the HTTP request, the PEM categorization engine still processes the request.


507681-5 : Window.postMessage() does not send objects in IE11

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects in Internet Explorer 11. There may or may not be an error in the JavaScript console, depending on the web application.

Conditions:
A web application that uses Window.postMessage() with Portal Access in Internet Explorer 11.

Impact:
The web application can't use Window.postMessage() to send non-string data with Portal Access in Internet Explorer 11.

Workaround:
None.

Fix:
Window.postMessage() now works in Internet Explorer 11.


507611-4 : On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Component: Local Traffic Manager

Symptoms:
BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Conditions:
BGP, TCP-MD5 on BIG-IP 2000- and 4000-series platforms.

Impact:
BGP session is not established.

Workaround:
Disable TCP-MD5 for neighbor.

Fix:
BGP sessions with TCP MD5 enabled now establish connection to neighbors as expected on BIG-IP 2000- and 4000-series platforms.


507602-1 : Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled

Component: TMOS

Symptoms:
IPsec lifebyte might cause inconsistent Security Association state among different cores. This might cause a memory leak, and in some cases data packets going through the IPsec tunnel can loop between cores.

Conditions:
IPsec lifebyte is enabled in the IPsec Policy configuration object on the BIG-IP system or on a third-party IPsec device.

Impact:
Possible data packets looping and memory leak.

Workaround:
Disable lifebyte on the IPsec devices at both ends of the IPsec tunnel.

Fix:
IPsec lifebyte functions properly and leaves no inconsistent state on the BIG-IP device after rekey.


507575-1 : An incorrectly formatted NAPTR creation via iControl can cause an error.

Component: TMOS

Symptoms:
NAPTR records are somewhat complicated, and if an incorrect set of string arguments is passed to iControl, the string parsing can fail and generate unhelpful error messages.

Conditions:
Specifically, it is valid for some fields of a NAPTR record to be empty strings.
However, these empty strings must be quoted as empty strings.

An example of a valid empty string parameter:
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Not quoting the empty parameter (after "good") confuses the parser into thinking that not enough parameters were passed.
This causes a segfault and the unhelpful error.

Impact:
Potential failure of iControl parsing.

Workaround:
Use quotes around empty strings such as:
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Fix:
The string parser has been made tolerant of missing parameters for these records and will now report an error.
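An added example, not iControl's own parser, of tokenizing the NAPTR presentation format so that a quoted empty string counts as a field and an unquoted omission is reported as a missing parameter instead of failing; it goes slightly beyond the record above by also checking field count, numeric ranges and quoting for any NAPTR line. The record lines in the comments and tests are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Zone-file presentation tokens: a double-quoted string (escapes allowed, may be
# empty), a bare word, or a stray quote that marks a syntax error.
_TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([^\s"]+)|(")')

# Field order of a NAPTR presentation line (RFC 3403 section 4.1), with the
# owner/TTL/class/type prefix that precedes the RDATA.
FIELD_NAMES = ("owner", "ttl", "class", "type", "order", "preference",
               "flags", "service", "regexp", "replacement")
QUOTED_FIELDS = ("flags", "service", "regexp")   # character-strings: quoted, may be ""


@dataclass
class Naptr:
    owner: str
    ttl: int
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


def tokenize(line: str) -> List[Tuple[str, bool]]:
    """Split a record line into (value, was_quoted) pairs; "" yields ('', True)."""
    tokens: List[Tuple[str, bool]] = []
    for m in _TOKEN_RE.finditer(line):
        if m.group(3) is not None:
            raise ValueError(f"unterminated quote at offset {m.start()}")
        if m.group(1) is not None:
            tokens.append((m.group(1), True))
        else:
            tokens.append((m.group(2), False))
    return tokens


def _uint16(name: str, value: str) -> int:
    if not value.isdigit() or int(value) > 65535:
        raise ValueError(f"{name} must be an integer 0..65535, got {value!r}")
    return int(value)


def parse_naptr(line: str) -> Naptr:
    """Parse one NAPTR line, e.g.
    foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.
    Too few fields produce a descriptive error rather than a positional mix-up."""
    tokens = tokenize(line)
    if len(tokens) != len(FIELD_NAMES):
        missing = ", ".join(FIELD_NAMES[len(tokens):]) or "none"
        raise ValueError(
            f"NAPTR record needs {len(FIELD_NAMES)} fields, got {len(tokens)} "
            f"(missing: {missing}); an empty flags/service/regexp must be written as \"\""
        )
    fields = dict(zip(FIELD_NAMES, tokens))
    if fields["class"][0].upper() != "IN" or fields["type"][0].upper() != "NAPTR":
        raise ValueError("expected '<owner> <ttl> IN NAPTR ...'")
    for name in QUOTED_FIELDS:
        if not fields[name][1]:
            raise ValueError(f"{name} must be a quoted string, got {fields[name][0]!r}")
    if fields["replacement"][1]:
        raise ValueError("replacement is a domain name and must not be quoted")
    ttl = fields["ttl"][0]
    if not ttl.isdigit():
        raise ValueError(f"ttl must be an integer, got {ttl!r}")
    return Naptr(
        owner=fields["owner"][0],
        ttl=int(ttl),
        order=_uint16("order", fields["order"][0]),
        preference=_uint16("preference", fields["preference"][0]),
        flags=fields["flags"][0],
        service=fields["service"][0],
        regexp=fields["regexp"][0],
        replacement=fields["replacement"][0],
    )
```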


507549-1 : PEM may ignore a RAR if the target session is in the Provision-Pending state

Component: Policy Enforcement Manager

Symptoms:
A session may remain in the Provision-Pending state longer than desirable resulting in the wrong policies being applied for the session.

Conditions:
When a new session is created, PEM sends out a CCR-I and expects a CCA-I within a certain time. If the CCA-I from the PCRF is delayed/lost, this can result in the session remaining in the Provision-Pending state (which implies waiting for PCRF to provide a policy update for the session) for longer than desired. PEM will continue to retransmit CCR-I until a CCA-I is received from the PCRF. During this time period if a RAR is received from the PCRF, it will be ignored and thus the PCRF is unaware of the state of the session.

Impact:
While in the Provision-Pending state, PEM does not have any specific policies to apply to the new session. Consequently, it continues to apply the Unknown-subscriber policies to the session for as long as it stays in the Provision-Pending state.

Fix:
Modified the state machine to generate an RAA with an error status to indicate to the PCRF that the RAR was not accepted.


507529-1 : Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow

Component: Local Traffic Manager

Symptoms:
A blade on the active system crashes in a configuration containing a performance layer 4 virtual server with connection mirroring enabled.

Conditions:
The chassis is configured for network mirroring within cluster.

There is more than one blade installed in the system or vcmp guest.

A virtual server has connection mirroring enabled and is associated with a virtual address that is not assigned a traffic-group (traffic-group is none).

Impact:
When the crash occurs, the blade posts the following assert: 'tmm failed assertion, non-zero ha_unit required for mirrored flow' and crashes.

Workaround:
Ensure that mirrored virtual servers are utilizing virtual addresses that are associated with a traffic group.


507490-1 : Invalid HTTP/2 input can cause the TMM to hang

Component: Local Traffic Manager

Symptoms:
An HTTP/2 frame with an overlarge encoded size can cause the TMM to hang.

Conditions:
A malformed HTTP/2 stream with overlarge lengths.

Impact:
The TMM will hang until killed by SOD.

Workaround:
None.

Fix:
The HTTP/2 filter now handles oversize headers correctly.
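An added example (not the BIG-IP HTTP/2 filter) of the defensive check this fix describes: a Python frame reader that validates the 24-bit declared length against SETTINGS_MAX_FRAME_SIZE as soon as the 9-byte header is visible, so an overlarge length is rejected with FRAME_SIZE_ERROR instead of leaving the reader waiting for payload bytes that never arrive. Frame contents in the tests are constructed samples.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

FRAME_HEADER_LEN = 9
DEFAULT_MAX_FRAME_SIZE = 1 << 14   # 16384: SETTINGS_MAX_FRAME_SIZE default (RFC 7540 6.5.2)
FRAME_SIZE_ERROR = 0x6             # connection error code for bad frame sizes (RFC 7540 7)

FRAME_TYPE_DATA = 0x0
FRAME_TYPE_HEADERS = 0x1


class Http2ConnectionError(Exception):
    """Raised when the connection must be torn down with the given error code."""

    def __init__(self, error_code: int, message: str) -> None:
        super().__init__(message)
        self.error_code = error_code


@dataclass
class Frame:
    type: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize a frame: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id."""
    if len(payload) >= (1 << 24):
        raise ValueError("payload does not fit the 24-bit length field")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frame_header(hdr: bytes) -> Tuple[int, int, int, int]:
    """Return (length, type, flags, stream_id) from a 9-byte frame header."""
    length = int.from_bytes(hdr[:3], "big")
    stream_id = struct.unpack("!I", hdr[5:9])[0] & 0x7FFFFFFF   # drop the reserved bit
    return length, hdr[3], hdr[4], stream_id


class FrameReader:
    """Incremental reader that checks the declared length before waiting for the payload."""

    def __init__(self, max_frame_size: int = DEFAULT_MAX_FRAME_SIZE) -> None:
        self.max_frame_size = max_frame_size
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[Frame]:
        self._buf.extend(data)
        frames: List[Frame] = []
        while len(self._buf) >= FRAME_HEADER_LEN:
            length, ftype, flags, stream_id = parse_frame_header(bytes(self._buf[:FRAME_HEADER_LEN]))
            # Validate as soon as the header is readable. A reader that instead waited for
            # `length` payload bytes could wait indefinitely on a peer that never sends them.
            if length > self.max_frame_size:
                raise Http2ConnectionError(
                    FRAME_SIZE_ERROR,
                    f"frame length {length} exceeds SETTINGS_MAX_FRAME_SIZE {self.max_frame_size}",
                )
            end = FRAME_HEADER_LEN + length
            if len(self._buf) < end:
                break                                # legitimately incomplete; wait for more data
            frames.append(Frame(ftype, flags, stream_id, bytes(self._buf[FRAME_HEADER_LEN:end])))
            del self._buf[:end]
        return frames

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)
```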


507487-1 : ZebOS Route not withdrawn when VAddr/VIP down and no default pool

Component: TMOS

Symptoms:
The BIG-IP system continues announcing RHI routes when Virtual Servers and Virtual Addresses are down.

Conditions:
The issue occurs in the following case:
-- Have a VIP with pool selection via iRule.
-- Configure RHI on the VAddr corresponding to the VIP.
-- Down the pools (for example, toggling between HTTP monitor (up) and UDP monitor (down)).
-- VIP, VAddr, and pools are red.
-- Run the imish command.

Impact:
The kernel route is still announced, which might confuse other network devices about the network status, so the impact varies.

Workaround:
Configure the virtual server with a default pool instead of selecting the pool via iRule.

Fix:
Added validation for virtual server iRule pools.


507461-6 : Net cos config may not persist on HA unit following staggered restart of both HA pairs.

Component: TMOS

Symptoms:
The net cos global-settings may be cleared on an HA unit as a result of an HA pair configuration sync.

Conditions:
With a fully synced pair of HA chassis, restart a blade on the active chassis and then restart a blade on the standby chassis.

Impact:
A portion of the cos configuration on the active chassis blade is missing, resulting in inconsistent cos behavior between active and standby.

Workaround:
None.

Fix:
The system no longer resets active net cos settings during device/group HA configuration sync operations.


507410-2 : Possible TMM crash when handling certain types of traffic with SSL persistence enabled

Component: Local Traffic Manager

Symptoms:
When SSL persistence is used on a virtual server, the TMM might crash if the SSL session contains unexpected traffic.

Conditions:
SSL persistence is enabled on a virtual server, and the SSL session contains unexpected traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use SSL persistence.

Fix:
SSL persistence no longer crashes the TMM, regardless of the SSL traffic seen.


507327-1 : Programs that read stats can leak memory on errors reading files

Component: TMOS

Symptoms:
Daemons that read statistics might leak memory over time so the amount of memory they use continues to grow.

Conditions:
There is an error reading a statistics file. For example, permissions on the file or directory prohibit access.

Impact:
Eventually the daemon or system might run out of memory.

Workaround:
Remove whatever is causing the error reading the stats file, for example by deleting unneeded files or fixing permissions.

Fix:
A memory leak reading stats has been fixed.


507321-3 : JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields

Component: Access Policy Manager

Symptoms:
If a JavaScript application uses a user-defined object that contains 'origin', 'source', and 'data' fields with NULL values, any attempt to read these values fires an error.

Conditions:
A user-defined JavaScript object with 'origin', 'source', and 'data' fields, with a NULL value in any of these fields, for example:

var a = { origin: null, data: null, source: null };

Any attempt to read these values leads to a JavaScript error in Portal Access scripts.

Impact:
Web application does not work correctly.

Fix:
User-defined JavaScript objects with 'origin', 'source', and 'data' fields may now contain any values in these fields.


507318-3 : JS error when sending message from DWA new message form using Chrome

Component: Access Policy Manager

Symptoms:
When using Chrome to send a new message on DWA, a JavaScript 'toString' error occurs.

Conditions:
If the user clicks the Send button on the new message form, the following JavaScript errors appear:
-- cache-fm.js:5 Uncaught TypeError: Cannot read property 'toString' of undefined.
-- OpenDocument&Form=l_ScriptFrame&l=en&CR&MX&TS=20140915T180028,72Z&charset=UTF-8&charset=UTF-8&KIC&…:37 Uncaught TypeError: Cannot read property 'EgI' of undefined.

Impact:
The message is sent, but the tab is not closed.

Workaround:
None.

Fix:
When using Chrome to send a new message on DWA, a JavaScript error occurred. The message was sent but the tab did not close. This no longer occurs.


507312-1 : icrd segmentation fault

Component: TMOS

Symptoms:
An icrd segmentation fault generates a core.

Conditions:
Multiple signals are delivered to the same Quit signal handler.

Impact:
Core generated.

Workaround:
N/A

Fix:
Simplified the std::map to an array to avoid problems with signal races.


507289-3 : User interface performance of Web Application Security Editor users

Component: Application Security Manager

Symptoms:
Slow GUI performance for Web Application Security Editor users.

Conditions:
At least 100 active security policies in the system.

Impact:
Most ASM pages take more than 5 seconds to load for Web Application Security Editor users.

Workaround:
There is no workaround at this time.

Fix:
ASM Configuration utility pages load faster than they did previously for Web Application Security Editor users.


507143-1 : Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion

Component: Service Provider

Symptoms:
tmm cores due to 'valid pcb' assertion.

Conditions:
This can happen when the Diameter filter:
 - Receives and queues HUDCTL_SHUTDOWN event.
 - Receives a HUDCTL_ABORT event before HUDCTL_SHUTDOWN has been unqueued.

Impact:
tmm abort and restart.

Fix:
Diameter filter will now queue HUDCTL_ABORT events to prevent leapfrogging previously queued events.


507139-1 : Invalid HTTP/2 input can cause the TMM to hang

Component: Local Traffic Manager

Symptoms:
An HTTP/2 frame with a too-small encoded size can cause the TMM to hang.

Conditions:
A malformed HTTP/2 stream with a frame shorter than the encoded contents.

Impact:
The TMM will hang until killed by SOD.

Workaround:
None.

Fix:
The HTTP/2 filter now handles short frames correctly.


507127-2 : DNS cache resolver is inserted to a wrong list on creation.

Component: Local Traffic Manager

Symptoms:
When a DNS cache resolver is created, it should be added to the cache resolver linklist. However, it is instead added to an incorrect linklist.

Conditions:
When creating a new DNS cache resolver.

Impact:
Unable to find the DNS cache resolver when searching the resolver linklist.

Workaround:
None.

Fix:
DNS cache resolver is added to the correct linklist on creation and removed from the correct linklist on deletion.


507116-1 : Web-application issues and/or unexpected exceptions.

Component: Access Policy Manager

Symptoms:
Web-application issues and/or unexpected exceptions.

Conditions:
Undisclosed conditions related to web-applications.

Impact:
Unexpected web-application functionality.

Workaround:
None.

Fix:
Web-application issues have been fixed.


507109-4 : inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade

Component: Local Traffic Manager

Symptoms:
The inherit-certkeychain attribute of a child Client SSL profile can unexpectedly change after upgrade.

Conditions:
This issue occurs when all of the following conditions are met:

-- You create a Client SSL profile that does not inherit the certificate, key, and chain certificate settings from the parent profile.
-- You upgrade to BIG-IP 11.5.1 (HF6 or later), 11.5.2, 11.5.3, or 11.6.0.

Impact:
An incorrect cert key chain is used in the profile.

Workaround:
Manually edit bigip.conf to contain the correct value. To do so, add the following line to the child Client SSL profile:
inherit-certkeychain false
 
Run the command:
tmsh load sys config

Fix:
The certificate, key, and chain certificate settings in a Client SSL profile no longer change after an upgrade.


506734 : Cloud lookup stress condition

Component: Policy Enforcement Manager

Symptoms:
This is a problem specific to a URL Cloud lookup.

Conditions:
When the number of URLs that require cloud lookup exceeds the TMM limit (currently 64 unprocessed requests), TMM slows down and data path traffic is throttled.

Impact:
TMM slows down. Data path traffic is throttled.

Workaround:
Self-correcting after normal URL traffic resumes.

Fix:
Thresholds were introduced in TMM. When the number of URLs that require cloud lookup exceeds the TMM limit (currently 64 unprocessed requests), URL cloud categorization is not attempted.


506702-4 : TSO can cause rare TMM crash.

Component: Local Traffic Manager

Symptoms:
TSO can cause a rare TMM crash.

Conditions:
When TSO is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TSO no longer causes a rare TMM crash.


506578 : Webroot cloud lookup does not yield a category.

Component: Policy Enforcement Manager

Symptoms:
If the URL portion of the cloud query (HOST and URL) contains uppercase letters, the returned result contains a lowercase URL. This converted URL does not match a subsequent request to the same URL in the cloud lookup cache, so the URL goes uncategorized.

Conditions:
This occurs when Webroot cloud lookup is enabled and the incoming HTTP request has a URL with some uppercase letters (the host portion is case insensitive). The Webroot cloud lookup feature is disabled by default.

Impact:
Additional Webroot cloud lookup requests are sent to the Webroot cloud service under certain conditions.

Workaround:
None.

Fix:
Webroot cloud lookup results are now categorized correctly. The request URL is stored in the cache without case conversion, so a subsequent HTTP request with the same URL is found in the cache.


506557-3 : IBR tags might occasionally be all zeroes.

Component: WebAccelerator

Symptoms:
IBR tags might occasionally be all zeroes.

Conditions:
This might occur when a request to the OWS to update cached, expired content receives updated content from the OWS that has no Content-Length header and is uncacheable (that is, served with X-WA-Info code S10206).

Impact:
The content hash for that URL can be incorrectly set to all zeroes, causing an incorrect IBR for that item until it is recached.

Workaround:
Avoid the specific preconditions, or disable IBR-TO for the specific content meeting the preconditions.

Fix:
Uncacheable updates from OWS will no longer set IBR tags to zero.


506407 : Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages

Component: Application Security Manager

Symptoms:
Redirect Response pages become 'invalid' and lose their redirect URL configuration after upgrade.

Conditions:
1) In 11.2.x a policy existed with a redirect response page where the Response Header had a 'Location' command in it.

2) Policy or device is upgraded to 11.4.x or 11.5.x (pre 11.5.3 HF2).

3) Policy or device is upgraded to 11.6.0 (pre 11.6.0 HF5).

Impact:
The Alternate Response Page is no longer valid and no longer redirects users to the desired URL.

Workaround:
Before upgrade, ensure the redirect URL is correctly configured.

Fix:
Upgrade to 11.6.x now correctly retains redirect URLs for Alternate Response Pages.


506386-2 : Automatic ASM sync group remains stuck in init state when configured from tmsh

Component: Application Security Manager

Symptoms:
When a failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh, the units sit waiting for an "initial sync" event which never comes. All subsequent sync events are Incremental and never Full.

Conditions:
A failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh.

Impact:
Infrequently an initial sync event fails after ASM and auto-sync are enabled on a failover device group that did not have ASM enabled.

Workaround:
Configure the ASM device sync flag before the initial sync, or configure it from the GUI.

Fix:
We fixed an issue that occurred rarely when an initial sync event did not occur after ASM and auto-sync were enabled on a failover device group that did not have ASM enabled.


506372 : XML validation files related errors on upgrade

Component: Application Security Manager

Symptoms:
The following error appears in the ASM log after upgrade:

PLC.PL_XML_PROFILE_VALIDATION_FILES is missing xml_validation_file_id (0) -- skipping

Conditions:
ASM provisioned.
ASM policy with XML profile and validation files are assigned.

Impact:
XML validation files are not properly upgraded.

Workaround:
N/A

Fix:
XML validation files are now properly upgraded.


506355-1 : Importing an XML file without defined entity sections

Component: Application Security Manager

Symptoms:
Importing an XML file without entity sections defined will not create default wildcard entities in the security policy.

Conditions:
Importing a partially defined XML security policy file.

Impact:
Policy was not created with default entities as expected.

Workaround:
Add the missing entities after importing the incomplete XML file.

Fix:
Previously, importing an XML file without defining the entity sections resulted in an empty URL wildcard list. Now, this process creates default wildcard entities in the security policy, as expected.


506349-4 : BIG-IP Edge Client for Mac identified as browser by APM in some cases

Component: Access Policy Manager

Symptoms:
APM sometimes determines that BIG-IP Edge Client for Mac is a browser. This can happen if the user connects again using the link on the logout page that says "Click here to open new session".

Conditions:
APM with BIG-IP Edge Client for Mac.

Impact:
Impact depends upon access policy but user might not be able to connect.

Workaround:
Click the Disconnect/Connect buttons on BIG-IP Edge Client instead of clicking the links on the logout page.

Fix:
APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".


506315-5 : WAM/AAM is honoring OWS age header when not honoring OWS maxage.

Component: WebAccelerator

Symptoms:
WAM/AAM policy is configured to ignore OWS maxage header values, but the policy does not ignore the OWS Age header.

Conditions:
BIG-IP system with AAM provisioned, content matching a policy node that does not honor the OWS max-age and/or s-maxage headers, and a large 'Age' header value.

Impact:
This results in WAM/AAM improperly reducing the lifetime of OWS responses by the amount of the Age header, and more frequent WAM/AAM revalidation of the affected content (possibly on every request if the Age header is larger than the policy-specified cache lifetime).

Workaround:
You can use any one of the following as a workaround:
-- Honor OWS lifetime headers (s-maxage and max-age).
-- Use an iRule to delete OWS Age header.
-- Increase cache AAM/WAM cache lifetime for that content to compensate.

Fix:
When WAM/AAM policy is configured not to honor OWS maxage, it also does not honor OWS Age headers, which is correct behavior.


506304-2 : UDP connections may stall if initialization fails

Component: Local Traffic Manager

Symptoms:
UDP connections that never expire. tmm logs containing 'hud queue full' errors.

Conditions:
UDP connections fail to initialize if the tmm's hud message queue is full. If these connections are flagged to not expire then they will linger forever.

Impact:
Stalled connections. Increased memory usage.

Fix:
UDP connections no longer stall if initialization fails.


506290-4 : MPI redirected traffic should be sent to HSB ring1

Component: Local Traffic Manager

Symptoms:
The MPI redirected traffic is the traffic between two TMMs. It is currently sent to HSB ring0. HSB ring0 has small packet buffers and is used to handle the traffic of highest priority. Large amount of MPI redirect traffic can cause packet drops on HSB ring0.

Conditions:
Large amount of MPI redirect traffic.

Impact:
Potential packet drops on HSB ring0.

Workaround:
None.

Fix:
MPI redirected traffic is now sent to HSB ring1, which is the correct behavior.


506286-1 : TMSH reset of DOS stats

Component: Advanced Firewall Manager

Symptoms:
DOS stat reset via TMSH results in TMM restarts and cores.

Conditions:
Reset DOS stats via a TMSH command.

Impact:
TMM restarts and core files.

Workaround:
N/A

Fix:
Corrected the reset command to prevent cores and restarts.


506283 : 100% TPS drop when webroot cloud lookup is enabled under stress condition

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and the BIG-IP system is under stress load with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system, the TPS of the data path traffic slows down as it gets throttled.

Conditions:
If Webroot cloud lookup is enabled while there is heavy traffic with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system.

Impact:
The TPS throughput may be reduced while this condition persists. This only occurs when Webroot cloud lookup is enabled; the Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The system now throttles URL cloud lookup requests when PEM detects that the number of URLs that require cloud lookup exceeds the TMM limits/thresholds.


506282-1 : GTM DNSSEC key generation is not synchronized upon key creation

Component: Local Traffic Manager

Symptoms:
DNSSEC key generation is not synchronized upon key creation.

Conditions:
This occurs when creating LTM DNSSEC keys on one unit of a sync group.

Impact:
The keys are synced, but the key generation information is not.

Workaround:
Modify another parameter on the GTM system after DNSSEC key generation to trigger the sync operation.

Fix:
DNSSEC key generation is now synchronized upon key creation.


506281 : F5 Internal tool change to facilitate creating Engineering Hotfixes.

Component: TMOS

Symptoms:
F5 Internal tool change to facilitate creating Engineering Hotfixes.

Conditions:
Engineering Hotfix creation.

Impact:
No customer impact.

Fix:
Configuration Management tools fix for better reliability.


506274-2 : TMM crash/core seen when a traffic-selector is created with Action discard

Component: TMOS

Symptoms:
TMM crash/core seen when a traffic-selector is created with unsupported Action discard.

Conditions:
Create an IPsec traffic-selector with Action discard.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure IPsec traffic-selector with Action discard.

Fix:
Configuring an IPsec traffic-selector with Action discard is not allowed.


506235-2 : SIGSEGV caused by access_redirect_client_to_original_uri

Component: Access Policy Manager

Symptoms:
TMM might core, possibly more than once in quick succession (within a few minutes).

Conditions:
BIG-IP v11.5.1 HF6 or later with APM provisioned.

Impact:
TMM core:
-- Failover to standby (if applicable).
-- Possible additional TMM cores on Active and Standby units. If the BIG-IP system is configured in an HA pair, TMM might core on the Standby unit shortly after the Active unit. The TMM log entries reporting the TMM core might not include any stack trace details.

Fix:
This release fixes a TMM core that occurred with APM provisioned.


506223-2 : A URI in request to cab-archive in iNotes is rewritten incorrectly

Component: Access Policy Manager

Symptoms:
There are direct (not rewritten) requests in web application traffic (iNotes 8.5, 9).

Conditions:
Web application runs through Portal Access.

Impact:
Installation of iNotes plug-ins is impossible.
Some resources may be not loaded.

Fix:
Portal Access rewrites URIs correctly.


506199-4 : VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles

Component: TMOS

Symptoms:
When multiple VCMP guests are configured on a VDAG platform, cycles of provisioning and deprovisioning the guests can cause the switch rules that play a role in disaggregation to be programmed in an order that causes packets to reach the wrong TMM in a guest, lowering dataplane performance.

Conditions:
On a configuration with at least two VCMP guests that share at least one blade on a VDAG-based platform, change the vCMP state to provisioned, then to configured, then to provisioned, and so on.

Impact:
The potential for decreased dataplane performance. In addition to potentially lower performance, the guest's tmm flow redirect statistics increment quickly in conjunction with traffic. To determine these stats, run a command similar to the following:
config # tmctl -d blade tmm/flow_redir_stats
This presents results similar to the following:
pg pu redirect_pg redirect_pu packets
-- -- ----------- ----------- -------
 0 0 0 1 636991

Also, VDAG statistics on the host might show an imbalance in destination port hits for those assigned to a single guest. To determine these stats, run a command similar to the following:
config # tmctl -d blade switch/vdag_dest_hits -w 200
This presents results similar to the following:
slot dst_mod dst_port dst_trunk hits red_hits
---- ------- -------- --------- ------ --------
   1 1 0 0 0 0
   1 7 0 0 0 0
   1 13 0 0 0 0
   1 19 0 0 0 0
   1 0 0 0 0 0
   1 1 5 0 509100 0
   1 1 6 0 0 0

Workaround:
During a window in which a brief traffic interruption is acceptable, restart bcm56xxd on each affected blade in the host. On the host, run a command similar to the following:
clsh bigstart restart bcm56xxd

Fix:
The system now ensures that VDAG entries are ordered correctly, avoiding cases where VCMP guests on VDAG platforms might experience excessive TMM redirects after multiple guest provisioning cycles.


506110-1 : Log flood within datasyncd.log in clustered environment

Component: Application Security Manager

Symptoms:
Log flooding occurs within datasyncd.log every few seconds:
rsync: failed to connect to 127.3.0.3: No route to host (113).

Conditions:
Within a clustered environment where one or more of the blades are down, powered off, disabled, or not populated. This may also happen on a blade that is powered on, or when the cluster is added to a trust-domain. The logged messages continue for anywhere from a few minutes to a few hours.

Impact:
No impact to traffic. Messages are added to datasyncd.log every few seconds.

Workaround:
None.

Fix:
datasyncd.log no longer causes a log flood in clustered environments where one or more of the blades are either down, powered off, disabled, or not populated.


506041-2 : Folders belonging to a device group can show up on devices not in the group

Component: TMOS

Symptoms:
All folders and partitions always get synced regardless of whether they are in the device group. If a user wants to utilize the same folder/partition scheme across multiple devices, this can lead to conflicts. In particular it can clobber the default route domain on a partition or rewrite the device group of a folder.

Conditions:
This only occurs during a full sync.

This can occur if two different device groups use the same folder or partition names. For example, if there are two separate failover-sync groups in the same trust and they both sync a different set of objects in /MyHAFolder.

This can also occur if a device has a local folder or partition with the same name as one in a device group.

Impact:
If a conflicted partition uses different default route domains, they will be overridden and may result in a sync error.

Conflicted folders will inherit the configuration of the source of the config sync. This can override the device group, traffic group, and iApp reference of the folder.

Workaround:
Use unique partition and folder names across all devices in the trust group.

Fix:
Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains.


506034-3 : NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)

Vulnerability Solution Article: K16393


505986 : Extra Webroot cloud lookup requests when cache is full

Component: Policy Enforcement Manager

Symptoms:
When the Webroot cloud lookup cache is full, additional Webroot cloud lookup requests are made to Webroot cloud services when URL inputs cannot be categorized by local Webroot database and cloud lookup cache managed on the BIG-IP system.

Conditions:
This occurs when Webroot cloud lookup is enabled, and the 128 KB-sized cloud-entries internal cache is full.

Impact:
Additional Webroot cloud lookup requests are sent to the Webroot cloud service under certain conditions. This only occurs when Webroot cloud lookup is enabled; the Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
Webroot cloud lookup requests are no longer sent out to the cloud if the cloud lookup cache is full. This is correct behavior.


505964 : Invalid http cookie handling can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If an http cookie is invalid, then subsequent modifications to http cookie entries can result in a TMM core.

Conditions:
This issue can occur with an HTTP virtual server that performs cookie processing (either via an iRule, profile configuration, or as a result of persistence) and also performs header manipulation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A crash in the HTTP profile implementation of cookie handling has been fixed.


505878 : Configuration load failure on secondary blades may occur when the chassis is rebooted

Component: TMOS

Symptoms:
On secondary blades, errors similar to the following appear in the ltm log:

-- err mcpd[8115]: 01070821:3: User Restriction Error: User (Unknown) may not change the role of Administrator (t004576a).
-- err mcpd[8115]: 01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
-- err mcpd[8115]: 01070734:3: Configuration error: MCPProcessor::check_initialization:.

Conditions:
A multi-bladed system is required, along with the presence of a user account (other than admin or root) that has Administrator privileges. The issue may then occur with a reboot of some or all of the blades.

Impact:
Secondary blades are offline.

Workaround:
None.

Fix:
Configuration now loads to completion on secondary blades.


505797-1 : Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android fails to authenticate with APM when it is configured in StoreFront proxy mode for AGEE authentication.

Conditions:
APM is configured in StoreFront proxy mode for AGEE authentication and Citrix Receiver for Android is used.

Impact:
Citrix Receiver for Android is unable to authenticate with APM.

Fix:
Now Citrix Receiver for Android can successfully authenticate with APM when it is configured in StoreFront proxy mode for AGEE authentication.


505755-3 : Some scripts on a dynamically loaded HTML page might not be executed.

Component: Access Policy Manager

Symptoms:
Some scripts on a dynamically loaded HTML page might not execute.

Conditions:
Dynamically loaded HTML page.

Impact:
Web application accessed via Portal Access does not work as expected.

Workaround:
None.

Fix:
Fixed an issue in Portal Access that could affect script execution in documents.


505705-7 : Expired mirrored persistence entries not always freed using intra-chassis mirroring

Component: Local Traffic Manager

Symptoms:
When using persistence mirroring, it is possible for the mirror owner of a persistence record to also be the proxying tmm for the connection. In this case, depending on timing of the connection and timeouts configured, it is possible for a persistence record to not be released when the connection is terminated and persistence timeout expires.

Conditions:
* VIPRION chassis with 2 or more blades installed.
* Mirroring is set to "intra-chassis".
* Mirroring is enabled on one or more persistence profiles.
* The records appear in tmsh show sys persistence persist-records all-properties, with an age always set to zero but no connection and no other persistence records for the same persistence key.

Impact:
Possible memory growth. This is not a leak, in that the memory can be recovered when subsequent requests reach different tmms that might need the same persistence record.

Workaround:
None.

Fix:
Both the local and mirrored owner persistence record are properly removed.


505662-1 : Signed SAML IdP/SP exported metadata contains some elements in wrong order

Component: Access Policy Manager

Symptoms:
Location of <Signature> element is incorrect when exporting signed metadata from the BIG-IP system when configured as a SAML Identity Provider (IdP) or Service Provider (SP).

Conditions:
BIG-IP is configured as IdP or SP.
Administrator chooses to sign exported metadata.

Impact:
External SAML product may not be able to import metadata produced by BIG-IP system.

Workaround:
The metadata can be edited manually in a text editor to move the <Signature> element to the correct location.

Fix:
The location of the <Signature> element is now correct in exported signed metadata, whether the BIG-IP system is configured as a SAML Identity Provider (IdP) or Service Provider (SP).


505624-1 : Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration

Component: Advanced Firewall Manager

Symptoms:
A remote logger will continue to get DoS layer 7 messages after it was removed from the virtual server configuration.

Conditions:
A remote logger was connected to a virtual server and the user removed it from the virtual server configuration.

Impact:
That remote logger will continue to get DoS layer 7 messages.

Workaround:
Run the command: bigstart restart dosl7d

Fix:
An issue where the DoS profile continued to write to a removed logging profile was fixed.


505529 : wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled.

Component: Policy Enforcement Manager

Symptoms:
On VIPRION chassis the wr_urldbd may restart.

Conditions:
If webroot cloud lookup is enabled on a specific platform, such as VIPRION.

Impact:
When webroot cloud lookup is enabled on certain platform such as VIPRION, the PEM URL categorization feature is disrupted due to wr_urldbd daemon restart.

Workaround:
None.

Fix:
wr_urldbd no longer restarts on VIPRION chassis with webroot lookup enabled.


505331-1 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
The SASP monitor unexpectedly terminates with a core dump.

Conditions:
More than one Group Workload Manager (GWM) server, and all servers are down at the same time.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage.

Workaround:
None.

Fix:
SASP monitor no longer cores when multiple Group Workload Manager (GWM) servers are down.


505323-1 : NSM hangs in a loop, utilizing 100% CPU

Component: TMOS

Symptoms:
NSM daemon hangs in an endless loop searching recursive nexthop in a trie. This causes NSM to be unresponsive.

Conditions:
Configure BGP with recursive nexthop.

Impact:
Dynamic routing fails to be responsive to imish commands, and NSM might not update routes.

Workaround:
None.

Fix:
NSM endless loop issue has been fixed and does not hang. Dynamic routing operation is normal.


505222-2 : DTLS drops egress packets when traffic is large

Component: Local Traffic Manager

Symptoms:
DTLS drops egress packets when traffic is large

Conditions:
DTLS has an egress queue with a maximum of 127 elements (the default).
When traffic is large enough, the queue reaches this limit and some packets are dropped.

Impact:
DTLS drops egress packets.

Workaround:
The maximum number of queue elements can be raised from 127 to a larger value using a DB variable.

Fix:
Previously, DTLS sent CN requests one at a time: it sent one request, waited for the response, and then sent the next one.

The fix sends multiple requests to the CN concurrently.


505097-1 : lsn-pool backup-member not propagated to route table after tmrouted restart

Component: Carrier-Grade NAT

Symptoms:
The lsn-pool backup-member prefix is not in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.

Conditions:
An lsn-pool with route-advertisement enabled and backup-members configured; the backup-member prefix is not properly propagated to the route-domain routing table after tmrouted restarts.

Impact:
No routes for lsn-pool backup-member prefix.

Workaround:
Remove and re-add lsn-pool backup members.

Fix:
The lsn-pool backup-member prefix is now present in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.


505089-4 : Spurious ACKs result in SYN cookie rejected stat increment.

Component: Local Traffic Manager

Symptoms:
Sending an unsolicited ACK to a virtual server increments the 'Total Software Rejected' counter in tmsh show ltm virtual 'name_of_virtual_server' even when syn cookie status is not activated.

Conditions:
This has been observed under the following conditions:
1. The client sends a SYN, the LTM sends a SYN/ACK, and then the client sends a bad ACK.
2. A client sends an ACK for a connection that does not exist in the connection table (either it never existed or it had been closed).

Impact:
Potentially inaccurate statistics in tmsh show ltm virtual.

Workaround:
None.

Fix:
In this release, the system increments the syncookie reject stat only if a bad ACK could correspond to a syncookie the system issued.


505071-5 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.

Component: TMOS

Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.

Conditions:
This has been seen to occur when an APM policy agent logon page is modified, and the error reports that its customization group cannot be found.

In BIG-IP v11.6.0 HF6 and BIG-IP v11.5.4 and BIG-IP v11.5.4 HF1, this can also occur when an iApp creates a virtual server.

Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.

Workaround:
None.

Fix:
For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.


505069 : Webroot cloud lookup granularity

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and a URL cannot be categorized using the local Webroot database on the BIG-IP system, the Webroot cloud database lookup treats the entire URL as one query rather than querying by its subparts.

Conditions:
If Webroot cloud lookup is enabled, and if the first request is: example.com/url1 and second request is example.com/url2, the second URL request results in an unnecessary cloud lookup.

Impact:
Potential performance impact due to additional, unnecessary Webroot cloud lookups. This only occurs when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The issue has been addressed with granular Webroot cloud lookup: the cloud lookup for the first URL retrieves all cloud results, so additional Webroot cloud lookups can be avoided.


505059-1 : Some special characters are not properly handled for username and password fields in TCL monitors

Component: Local Traffic Manager

Symptoms:
Pool members are taken down.

Conditions:
Special characters such as " or \ appear in the username or password fields of FTP, IMAP, or POP3 monitors.

Impact:
Pool members are taken down.

Workaround:
Remove the special characters from the password and username.

Fix:
Special characters in the username and password fields are now handled properly.


505056-5 : BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.

Component: Local Traffic Manager

Symptoms:
When the hardware COS queue feature is enabled, in some cases the BIG-IP system sends an egress packet with a priority different from that of ingress packet on the same flow.

Conditions:
Hardware COS queue feature is enabled.

Impact:
Egress packets are sent with an incorrect packet priority and delivered on the incorrect switch COS queues, resulting in lower performance.

Workaround:
None.

Fix:
Packet priority passthrough mode now sends the correct packet priority and delivers on the correct switch COS queue.


505045-1 : MAP implementation not working with EA bits length set to 0.

Component: TMOS

Symptoms:
MAP implementation not working with EA bits length set to 0.

Conditions:
MAP-E tunnel profile is configured with (ea-bits-length == 0) and (ip4-prefix-length greater than 0). Two cases:
- (ea-bits-length == 0) and (ip4-prefix-length is greater than 0).
- (ip6-prefix-length plus ea-bits-length, which is the MAP domain prefix-length) is greater than 48 bits. In this case, the Interface ID in the IPv6 destination address will be overwritten.

Impact:
MAP-E tunnel does not work.

Workaround:
None.

Fix:
MAP implementation is now working with EA bits length set to 0.


504973-1 : Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead

Component: Application Security Manager

Symptoms:
When creating a policy using a route domain and a full 32 bit subnet mask, the ASM saves it as a 128 bit mask.

Conditions:
Provisioned ASM

Impact:
Wrong 128 bit subnet mask is saved instead of the configured 32 bit mask.

Fix:
When creating a security policy using a route domain and a full 32 bit subnet mask, ASM no longer saves it as a 128 bit mask.


504899-2 : Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)

Component: Local Traffic Manager

Symptoms:
It is possible to have duplicated snat-translation addresses if one is explicitly created (named one) and the other is implicitly created when adding anonymous addresses to a snatpool.

Conditions:
No special conditions required other than to perform the configuration changes.

Impact:
As duplicated snat-translation addresses may exist, a change to an address entry that is assigned to a snatpool might not affect the right entry. That is, given the following snat-translation addresses:

snat_address_01 address 1.2.3.1
1.2.3.1(anonymous) address 1.2.3.1

And the following snatpool:

snat_pool { 1.2.3.1 1.2.3.2 }

If snat_address_01 (whose address 1.2.3.1 is a member of snat_pool) is changed, the actual snat_pool member (the anonymous 1.2.3.1) is not updated with the new setting, so the change has no effect.


504880-2 : TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway

Component: Access Policy Manager

Symptoms:
TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway.

Conditions:
APM configured as Remote Desktop Gateway. RDP client connects to APM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash is fixed for the scenario where RDP client connects to APM configured as Remote Desktop Gateway.


504828-2 : "translate address" and "translate port" are enabled by default when configured from the GUI

Component: Carrier-Grade NAT

Symptoms:
Virtual server configured for LSN via GUI CGNAT menu may have "translate address" and "translate port" enabled by default, which would cause LSN translation to fail.

Conditions:
Configuring a CGNAT virtual server.

Impact:
Configured CGNAT virtual server has incorrect "translate address" and "translate port" settings.

Workaround:
Manually set "translate address" and "translate port" to disabled.

Fix:
Virtual servers configured for LSN via the GUI CGNAT menu no longer have "translate address" and "translate port" enabled by default.


504803-5 : GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.

Component: TMOS

Symptoms:
Local Traffic Pool list does not show Pools with names that contain the characters 'mam' starting at the 5th position of the name.

Conditions:
This occurs using the GUI.

Impact:
Cannot see these pools in the GUI.

Workaround:
Use tmsh to list pools with mam in the name.

Fix:
Pools with a name that ends in 'mam' now show up in the Pools list in the GUI.


504718-2 : Policy auto-merge of Policy Diff

Component: Application Security Manager

Symptoms:
Running auto-merge on the Diff of two policies fails.

Conditions:
Running auto-merge on the Diff results of two policies.

Impact:
Policies cannot be auto-merged after viewing Diff.

Workaround:
None.

Fix:
The auto-merge functionality of Policy Diff now works as expected.


504633-1 : DTLS should not update 'expected next sequence number' when the record is bad.

Component: Local Traffic Manager

Symptoms:
DTLS updates the 'expected next sequence number' even if the record is bad. This might cause good records with a smaller (now unexpected) sequence number to be dropped.

Conditions:
DTLS receives a bad record with a very large sequence number.

Impact:
DTLS might drop good records whose sequence numbers are smaller than that of the bad record.

Workaround:
None.

Fix:
The system now updates the 'expected next sequence number' only when the record is good.


504627-1 : Valid RADIUS sessions deleted on no session inactivity if no subscriber traffic exists during session timeout period.

Component: Policy Enforcement Manager

Symptoms:
Valid sessions may be deleted after the session timeout period expires with no subscriber traffic, even if RADIUS accounting updates are being sent within the timeout period.

Conditions:
Sessions are created through RADIUS and remain open with no subscriber traffic for 2 minutes or longer.

Impact:
Valid sessions fail due to lack of activity and the user must re-authenticate. RADIUS Accounting-Request updates are not sufficient to keep the sessions open.

Workaround:
None.

Fix:
Alive or valid sessions are no longer deleted before the timeout due to a lack of traffic.


504606-3 : Session check interval now has minimum value

Component: Access Policy Manager

Symptoms:
Session check interval can be changed or turned off completely for debug purposes.

Conditions:
Using the session check interval.

Impact:
Session check interval may be set to excessively short value.

Workaround:
None.

Fix:
Session check interval now has a minimum (5000 msec), which prevents the value from being too small.


504572-4 : PVA accelerated 3WHS packets are sent in wrong hardware COS queue

Component: TMOS

Symptoms:
Under full ePVA acceleration, 3WHS (3-way handshake) packets from VIP to node will always egress on hardware COS queue 3, regardless of COS queue mapping configured on the system.

Conditions:
The packets need to be fully accelerated by ePVA.

Impact:
Potential performance downgrade.

Workaround:
None.

Fix:
PVA accelerated 3WHS packets are now egressed on the correct hardware COS queue.


504545-2 : FQDN: node without service checking reported as 'service checking enabled, no results yet'

Component: Local Traffic Manager

Symptoms:
When an FQDN Node has no Node Default or Node Specific monitor associated, the ephemeral nodes' status is 'Unknown (enabled)- Node address service checking is enabled but result is not available yet.' A standard node configured without a monitor has the correct status: 'Unknown (enabled) - Node address does not have service checking enabled.'

Conditions:
FQDN node created with one or more valid records returned for the FQDN, and no node default or node-specific health monitor configured.

Impact:
Cannot determine actual state of pool member.

Workaround:
None.

Fix:
FQDN node without service checking has the correct status: 'Unknown (enabled) - Node address does not have service checking enabled.'


504508-5 : IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled

Component: TMOS

Symptoms:
When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.

Conditions:
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled

Impact:
IPsec tunnel goes down, traffic stops.

Workaround:
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.

Fix:
IPsec tunnels between the BIG-IP system and Cisco devices with older Dead Peer Detection (DPD) implementations are no longer brought down because of a mismatched Cookie field in the DPD messages.


504496-3 : AAA Local User Database may sync across failover groups

Component: TMOS

Symptoms:
APM units that are not in the same BIG-IP Sync-Failover group are sharing local user entries. The system may possibly also experience higher management CPU load as a result of frequently syncing the local user database.

Conditions:
There is at least one sync-failover group in the Device Management :: Device Groups list, and there are devices listed in Device Management :: Devices list that are not members of that sync-failover group (either standalone or members of another device group), and those devices are provisioned with APM.

Impact:
Unwanted sharing of local user database between sync-failover groups and/or standalone devices. The system may also experience higher management CPU load as a result of frequently syncing the local user database. Under severe conditions where the database is synced multiple times per minute continually for hours or days, the rapid syncing of the database may result in unexpected failover.

Fix:
AAA Local User Database now syncs correctly.


504494-2 : Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.

Component: TMOS

Symptoms:
If the BIG-IP system has a disabled HA Group and is upgraded to 11.5.x or later, the disabled group might be associated with traffic groups on upgrade.

Conditions:
Before the upgrade, an HA Group exists that is disabled.
Upgrade from 10.2.x or 11.x (pre-11.5.0) to 11.5.x or later, but to a version earlier than 12.0.0, 11.5.4, or 11.6.1.

Impact:
If the BIG-IP system is rebooted after the upgrade, it's possible that the switch will fail over because the HA group score is used even though the HA group is disabled.

Workaround:
After the upgrade, check all traffic groups and ensure that none of them are configured to use a disabled HA Group.

Fix:
Upgrading to 11.5.0 and later no longer associates a disabled HA group to traffic groups. This is correct behavior.


504490-1 : The BIG-IP system sometimes takes longer on boot up to become Active.

Component: TMOS

Symptoms:
The system takes several minutes longer than normal after boot up to go from Offline to Active.

Conditions:
This timing issue occurs rarely on boot up. This might more frequently occur on older platforms running newer versions of the software.

Impact:
Because of a timing issue during system load, it takes longer for the system to become ready to pass traffic after being deployed or rebooted.

Workaround:
None.

Fix:
A BIG-IP system no longer takes longer than normal to become Active on boot up due to this particular underlying issue.


504461-2 : Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.

Component: Access Policy Manager

Symptoms:
APM is unable to complete the access policy when there is a Variable Assign agent in front of a Logon Page agent.

Conditions:
Access policy has a Variable Assign agent in front of a Logon Page agent.

Impact:
APM is unable to complete the access policy.

Fix:
Now APM can successfully run access policies where a Variable Assign agent resides in front of a Logon Page agent.


504414-1 : AVR HTTP External log - missing fields

Component: Application Visibility and Reporting

Symptoms:
New fields were added to HTTP statistics in version 11.6 and they are available in the Configuration utility, but they were not exported out to the external log.

Conditions:
Use AVR HTTP profile, with the external log option.

Impact:
Some information that AVR can provide is missing.

Workaround:
No workaround

Fix:
We added these previously missing fields to the external report:
DosL7ProfileName
TransactionOutcome
DosL7AttackID


504396-2 : When a virtual's ARP or ICMP is disabled, the wrong mac address is used

Component: Local Traffic Manager

Symptoms:
When we use tmsh to modify icmp_enabled or arp_enabled property of a virtual address object from true to false, tmm does not reset internal state properly. This results in a tmm using the VLAN's true mac as the source mac instead of the traffic group's mac masquerade address.

Conditions:
Using mac masquerading in a HA traffic group.

Impact:
Packets may be dropped by switches or routing tables improperly updated.

Workaround:
None.

Fix:
When a virtual server's ARP or ICMP is disabled, the correct mac address is now used.


504348-1 : iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers

Component: Service Provider

Symptoms:
ADAPT iRules cannot inspect adapted headers because the rule sees the original headers before the request is adapted.
Similarly for the ADAPT_RESPONSE_RESULT event.

Conditions:
Using request-adapt or response-adapt profiles, and an internal virtual server that can modify the HTTP headers.

Along with an iRule such as:
when ADAPT_REQUEST_RESULT {
        log local0. "Modified host = [HTTP::host]"
}

Impact:
It is impossible to inspect the modified headers. One consequence is that if a request adaptation modifies the 'Host:' value, it is not possible to use an iRule to apply that to the transport connection, and as a result the modified request goes to the original server.

Workaround:
None.

Fix:
Two new ADAPT iRule events have been added (ADAPT_REQUEST_HEADERS and ADAPT_RESPONSE_HEADERS) which trigger after ADAPT has received the modified headers, when the IVS is returning a modified request or response. They do not trigger when the IVS has instructed ADAPT to bypass or a service-down condition has occurred.

Behavior Change:
Two new ADAPT iRule events have been added (ADAPT_REQUEST_HEADERS and ADAPT_RESPONSE_HEADERS) which trigger after ADAPT has received the modified headers, when the IVS is returning a modified request or response. They do not trigger when the IVS has instructed ADAPT to bypass or a service-down condition has occurred.


504306-2 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur.

For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers.

BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.

Fix:
https monitors now properly perform SSL session re-use.


504232-1 : Attack signatures are not blocked after signature/set change

Component: Application Security Manager

Symptoms:
System wide signature updates, like Attack Signature Update, can cause some security policies to erroneously change their enforcement of attack signatures to Transparent mode.

Conditions:
There are security policies in both Transparent and Blocking mode, and there is an update to the system's attack signatures.

Impact:
A security policy will not block attack signatures that are meant to be blocked.

Workaround:
Toggle the transparent/enforce flag on a security policy, and apply the security policy.

Fix:
We fixed an issue that caused false positives or a lack of enforcement (such as not blocking) when attack signatures were updated or modified.


504225-2 : Virtual creation with the multicast IPv6 address returns error message

Component: Local Traffic Manager

Symptoms:
When a DHCPv6 profile in relay mode is attached to a virtual server configured with a multicast IPv6 address, LTM returns the error message '01020064:3: IPv6 Address ff02::1:2 is invalid, Multicast address not allowed.'

Conditions:
Create an IPv6 virtual with multicast IPv6 address with DHCPv6 profile (relay mode) attached.

Impact:
Cannot create an IPv6 virtual server with a multicast IPv6 address and a DHCPv6 relay mode profile attached.

Workaround:
None.

Fix:
Can now create an IPv6 virtual with multicast IPv6 address with DHCPv6 profile (relay mode) attached.


504182-1 : Enforcer cores after upgrade upon the first request

Component: Application Security Manager

Symptoms:
If an ASM security policy contains entities with invalid configuration from a previous version, UCS load will fail and leave the device in an inconsistent state, leading to BD crash.

Conditions:
An ASM security policy contains entities with invalid configuration from a previous version. This can occur on an upgrade from 11.5.x to 11.6.0 prior to HF5.

Impact:
UCS load will fail and leave the device in an inconsistent state, leading to BD crash.

Workaround:
Correct ASM entity configuration before upgrade.

Fix:
We fixed an upgrade issue where the Enforcer crashed after the upgrade upon the first request (this was due to a missing data protection configuration).


504105-4 : RRDAG enabled UDP ports may be used as source ports for locally originated traffic

Component: Local Traffic Manager

Symptoms:
RRDAG enabled UDP ports may be used as the source port on locally originated connections.

Conditions:
RRDAG is enabled

Impact:
Connections may be forwarded between tmms, resulting in a performance impact.

Fix:
RRDAG enabled ports can no longer be selected as a source port for locally originated connections.


504060 : iOS and Mac receivers cannot create account on Citrix StoreFront in proxy mode

Component: Access Policy Manager

Symptoms:
Creating a new account in Citrix Receiver for MacOS or iOS fails.

Conditions:
User creates a new account in Citrix Receiver for MacOS or iOS

Impact:
User is not able to access Store.
An error is displayed and the account is not created.

Workaround:
None

Fix:
Make sure the AGEE auth request doesn't contain a Connection: close header, so that the connection is kept alive.


504031-1 : document.write()/document.writeln() redefinition does not work

Component: Access Policy Manager

Symptoms:
document.write()/document.writeln() redefinition does not work. Initial function is used instead.

Conditions:
When web application JavaScript tries to redefine document.write() and/or document.writeln().

Impact:
Web application layout and/or logic can be broken.

Fix:
Web application JavaScript can successfully redefine document.write and document.writeln.


504028-1 : Generate CCR-T first and then CCR-I if session being replaced

Component: Policy Enforcement Manager

Symptoms:
CCR-I was sent first and then CCR-T when the same subscriber session was created with a different IP. This could confuse the PCRF, which for a period of time sees two active sessions for the same subscriber.

Conditions:
A session is created with subscriber ID say S1 and IP1 and new radius start or session create request arrives with S1 and IP2.

Impact:
CCR-I is generated before CCR-T, which confuses a PCRF that uses the subscriber ID as its key to the subscriber session.

Fix:
Upgrade to latest hotfix or version which has the fix for the issue.


504021-1 : lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled

Component: Carrier-Grade NAT

Symptoms:
lsn-pool with route-advertisement enabled does not have routes properly propagated to the routing-table.

Conditions:
The route-domain routing protocol is enabled after lsn-pool route-advertisement is enabled and lsn-pool members are added.

Impact:
Missing route entries for lsn-pool members with route-advertisement enabled.

Workaround:
Either 1) restart tmrouted after enabling the routing protocol for the desired route-domain, or 2) toggle route-advertisement on the lsn-pool after enabling the routing protocol for the desired route-domain.

Fix:
A route-domain with a routing protocol enabled now has routes for lsn-pool members, regardless of the order in which the routing protocol or route-advertisement is enabled.


503979-1 : High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.

Component: Local Traffic Manager

Symptoms:
When the DNS cache resolver is resolving a DNS query, it might send queries to the backend name server iteratively. If the name server is responding slowly and the cache resolver is sending queries to name servers at a high rate, the CPU usage of the BIG-IP system might be very high.

Conditions:
(1) Configure the cache resolver with a large value (for example, 40 KB) for both max-concurrent-queries and max-concurrent-udp.
(2) The cache resolver sends queries to the name servers at a high rate.
(3) The backend name server is responding slowly to the cache resolver.

Impact:
The CPU usage might be extremely high. Site might be unstable.

Workaround:
Configure the cache resolver to have a default value for both max-concurrent-queries and max-concurrent-udp.

Fix:
The CPU usage does not increase unexpectedly when the cache resolver sends a large number of DNS queries to slow backend name servers.


503924-1 : Citrix receivers cannot authenticate

Component: Access Policy Manager

Symptoms:
Citrix Receiver does not successfully authenticate when the username or password contains an ampersand and StoreFront is configured without an APM gateway.

Conditions:
This occurs with Citrix Receivers for all users that have an ampersand in either their username or password.

Impact:
These users cannot authenticate.

Workaround:
For affected users that have an ampersand in their password, you can ask them to change to a password that does not contain an ampersand.

Fix:
Citrix Receiver now successfully authenticates when the username or password contains an ampersand and StoreFront is configured without an APM gateway.


503875-1 : Configure bwc policy category max rate

Component: TMOS

Symptoms:
When the category max rate percentage is configured with a low value (for example, low relative to the policy max user rate), some packets might be dropped.

Conditions:
The bwc policy is configured as dynamic, with categories, and the category max rate is configured to a low value while the policy is being provisioned and mapped to traffic flows.

Impact:
Packets in flows using the bwc policy and category may be dropped, and the flows mapped to the category might not be able to pass packets.

Workaround:
Configure category rate in absolute value and higher value relative to policy max user rate.

Fix:
Category max rate percentage is now configured to ensure valid settings.


503741-2 : DTLS session should not be closed when it receives a bad record.

Component: Local Traffic Manager

Symptoms:
According to RFC6347: 4.1.2.7. Handling Invalid Records:
'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.'

In the BIG-IP implementation, DTLS disconnects the session when it receives an invalid record.

Conditions:
DTLS receives a bad record packet.

Impact:
DTLS disconnects the session.

Workaround:
None.

Fix:
The system now silently discards all of the invalid records and preserves the association. This is correct behavior.
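The two DTLS entries 504633-1 and 503741-2 describe the same receive path: a bad record must neither move the 'expected next sequence number' nor tear down the association. The following Python is an added, constructed model of that path (not BIG-IP code): a 48-bit sequence number, a sliding anti-replay window in the style of RFC 6347 section 4.1.2.6, and an HMAC tag standing in for the real record MAC. The window advances only after the tag verifies; invalid records are discarded silently (optionally logged) and the association stays open. A buggy_seq_update flag reproduces the pre-fix behaviour of 504633-1 for comparison. Window size, key handling, and all names are assumptions.

```python
import hmac
import hashlib
import logging
import struct
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("dtls-demo")

# Anti-replay window width in records (RFC 6347 section 4.1.2.6 uses 64 as its example).
WINDOW = 64
SEQ_MASK = (1 << 48) - 1   # DTLS record sequence numbers are 48 bits


@dataclass
class Record:
    epoch: int
    seq: int
    body: bytes
    tag: bytes   # constructed stand-in for the real DTLS record MAC/AEAD tag


def seal(key: bytes, epoch: int, seq: int, body: bytes) -> Record:
    """Build a record whose tag authenticates epoch, sequence number and body."""
    seq &= SEQ_MASK
    tag = hmac.new(key, struct.pack("!HQ", epoch, seq) + body, hashlib.sha256).digest()
    return Record(epoch, seq, body, tag)


@dataclass
class Receiver:
    key: bytes
    epoch: int = 0
    next_seq: int = 0                # the 'expected next sequence number'
    window_bits: int = 0             # bit i set => record (next_seq - 1 - i) already accepted
    open: bool = True                # the association survives invalid records
    dropped_invalid: int = 0
    dropped_replay: int = 0
    buggy_seq_update: bool = False   # True reproduces the pre-fix behaviour of 504633-1

    def _verify(self, rec: Record) -> bool:
        expected = hmac.new(self.key, struct.pack("!HQ", rec.epoch, rec.seq) + rec.body,
                            hashlib.sha256).digest()
        return rec.epoch == self.epoch and hmac.compare_digest(rec.tag, expected)

    def _discard_invalid(self, rec: Record) -> None:
        # RFC 6347 4.1.2.7: drop silently and keep the association; logging is optional.
        self.dropped_invalid += 1
        log.debug("discarding invalid record epoch=%d seq=%d", rec.epoch, rec.seq)
        if self.buggy_seq_update and rec.seq >= self.next_seq:
            # Pre-fix behaviour: an unauthenticated record advances the window,
            # so later good records with smaller sequence numbers look "too old".
            self.next_seq = rec.seq + 1
            self.window_bits = 0

    def receive(self, rec: Record) -> Optional[bytes]:
        """Return the record body if it is authentic and fresh, else None."""
        if not self.open:
            return None
        if rec.seq >= self.next_seq:
            # Newer than anything seen: authenticate first, only then move the window.
            if not self._verify(rec):
                self._discard_invalid(rec)
                return None
            shift = rec.seq + 1 - self.next_seq
            self.window_bits = ((self.window_bits << shift) | 1) & ((1 << WINDOW) - 1)
            self.next_seq = rec.seq + 1
            return rec.body
        offset = self.next_seq - 1 - rec.seq
        if offset >= WINDOW or (self.window_bits >> offset) & 1:
            # Too old for the window, or already accepted: treated as a replay either way.
            self.dropped_replay += 1
            return None
        if not self._verify(rec):
            self._discard_invalid(rec)
            return None
        self.window_bits |= 1 << offset
        return rec.body
```

The ordering inside receive is the point: the cheap window check runs before the MAC check so replays cost nothing, but no state is written until the MAC has verified. With buggy_seq_update set, a single forged record with a huge sequence number is enough to make the receiver drop every genuine record that follows, which is the failure 504633-1 describes.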


503696-1 : BD enforcer updates may be stuck after BD restart

Component: Application Security Manager

Symptoms:
If BD enforcer restarts during an update, the current configuration update will get stuck and no further updates will be performed.

Conditions:
BD enforcer restarts during an update.

Impact:
The current configuration update will get stuck and no further updates will be performed.

Workaround:
bigstart restart asm

Fix:
BD enforcer updates continue to process correctly even after BD restart.


503683 : Configuration upgrade failure due to change in an ASM predefined report name

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version and upgrading.

Conditions:
Define scheduled report on top of 'Top alerted URLs' on previous version and upgrade the version. This can trigger on an upgrade to 11.6.0, but is fixed in 11.6.1 and beyond.

Impact:
Version upgrade fails, and the BIG-IP system is not usable.

Workaround:
Change the '/Common/Top Alerted URLs' reference in the bigip.conf file of the UCS to '/Common/Top Alarmed URLs', and then load the modified UCS.

Fix:
A configuration load failure no longer occurs after creating an ASM predefined report in a previous version and upgrading.


503676-4 : SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events

Component: Service Provider

Symptoms:
SIP REFER, INFO, and UPDATE requests do not trigger iRule events.

Conditions:
This occurs when the following conditions are met:
-- Virtual server has a SIP profile.
-- Virtual server has iRule(s) containing SIP_REQUEST or SIP_REQUEST_SEND events.
-- SIP REFER, INFO, or UPDATE request is received on the virtual server.

Impact:
iRule event is not executed.

Workaround:
none

Fix:
SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.


503673-1 : APM sets MRHSession cookie on /cgi/login request from Citrix Receivers

Component: Access Policy Manager

Symptoms:
When Citrix Receiver clients send a /cgi/login request, APM replies with a response containing an MRHSession cookie.

Conditions:
APM is configured for Citrix replacement or proxy and Citrix Receiver clients are used.

Impact:
Unnecessary cookie value sent to the client.

Fix:
APM no longer sets MRHSession cookie on /cgi/login request from Citrix Receivers.


503652-4 : Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.

Component: Service Provider

Symptoms:
When a blade is enabled on a cluster while it is actively processing SIP UDP traffic, some packets might be lost.

Conditions:
This occurs in an Active HA cluster containing VIPRION B2100 blades with the udp.hash value set to 'ipport' and client-side round robin TMM disaggregation enabled.

Impact:
Some SIP UDP traffic packets might be lost.

Workaround:
Do not enable a blade in a cluster while the blade is processing SIP UDP traffic.

Fix:
Some SIP UDP connections are now retained after enabling a blade on the Active HA unit.


503620-3 : ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later

Component: Local Traffic Manager

Symptoms:
BIG-IP SSL when using ciphers ECDHE_ECDSA and DHE_DSS does not work consistently with OpenSSL clients using OpenSSL versions 1.0.1k or later.

Conditions:
When the ciphers used are ECDHE_ECDSA or DHE_DSS, and the OpenSSL clients have versions later than OpenSSL 1.0.1k.

Impact:
SSL handshake failed. The OpenSSL clients might encounter a decryption error while reading the server key exchange.

Workaround:
Use OpenSSL versions earlier than OpenSSL 1.0.1k.

Fix:
BIG-IP SSL now works well with ciphers ECDHE_ECDSA or DHE_DSS with OpenSSL client version OpenSSL 1.0.1k and later.


503604-3 : Tmm core when switching from interface tunnel to policy based tunnel

Component: TMOS

Symptoms:
When the configuration is changed from interface tunnel to policy based tunnel, tmm crashes.
This is most likely a timing issue: the pnh is not updated when the policy is updated, so the policy_type (policy_interface vs. policy_ipsec) does not match.

Conditions:
Traffic is passing in the background while the configuration is changed from interface tunnel to policy based tunnel.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
When switching from interface tunnel to policy based tunnel, tmm no longer cores.


503600-6 : TMM core logging from TMM while attempting to connect to remote logging server

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server.

Conditions:
The problem might occur when a log message is created as the result of errors that can occur during log-connection establishment. The crash specifically occurs when an error occurs while attempting to connect to the remote logging server.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
TMM no longer crashes and coredumps while logging to remote logging server.


503560-2 : Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.

Component: Local Traffic Manager

Symptoms:
Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.

Conditions:
HTTP transparent profile is attached to a virtual server. Statistics profile now cannot be attached to the same virtual server.

Impact:
Only a Statistics profile or an HTTP transparent profile may be assigned to a single virtual server.

Workaround:
None.

Fix:
The validation logic has been changed to allow a Statistics profile and an HTTP transparent profile to be attached to the same virtual server simultaneously.


503541-2 : Use 64 bit instead of 10 bit for Rate Tracker library hashing.

Component: Advanced Firewall Manager

Symptoms:
Rate Tracker 10-bit hashing may cause the Sweep and Flood DoS vectors to enforce inaccurate rate limits.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
Sweep and Flood detection rate accuracy is reduced.

Workaround:
None.

Fix:
The system now uses 64-bit instead of 10-bit hashing for the Rate Tracker, which results in more accurate attack detection and mitigation.


503471-1 : Memory leak can occur when there is a compressed response, and abnormal termination of the connection

Component: Application Visibility and Reporting

Symptoms:
Memory utilization grows over time.

Conditions:
This issue occurs when the BIG-IP system sends a compressed response, and an abnormal termination of the connection occurs.

Impact:
Memory leak in TMM that grows over time.

Workaround:
Avoid configuration of Application DoS with Client-side mitigation.

Fix:
A memory leak has been fixed that occurred when there was a compressed response and an abnormal termination of the connection.


503461-1 : Intermittent JavaScript failure on Safari on Macintosh computer or device.

Component: Fraud Protection Services

Symptoms:
On first page load, JavaScript encryption occasionally fails due to a bug in Safari's JavaScript interpreter.

Conditions:
Open protected page in Safari on a Macintosh computer or device.

Impact:
Protection fails.

Workaround:
None.

Fix:
FPS client-side operation supports improved handling of protected pages in Safari on iOS and OSX.


503384-1 : SMTP monitor fails on multi-line greeting banner in SMTP server

Component: Local Traffic Manager

Symptoms:
SMTP monitor fails

Conditions:
This issue occurs when a multi-line greeting banner is configured on the SMTP server.

Impact:
SMTP monitor fails.

Workaround:
To work around this issue, configure a single-line greeting banner on the SMTP server.

Fix:
SMTP monitor succeeds with a multi-line greeting banner on the SMTP server.
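An SMTP multi-line reply carries "220-" on every line except the last, which carries "220 " (RFC 5321 section 4.2.1), so a health check that judges the server on the first line alone sees "220-" and can mark it down. The following is an added example, not the BIG-IP SMTP monitor's code: a reader that consumes the whole greeting and decides on its reply code, next to the fragile first-line check for contrast. The note does not say which parsing mistake the monitor made; the naive check is one plausible form of it. The sample greetings are constructed.

```python
"""Reading an SMTP greeting that may span several lines (RFC 5321 section 4.2.1).

Added example; not the BIG-IP SMTP monitor's code.
"""
import io


def read_smtp_reply(stream):
    """Consume one complete SMTP reply from `stream` (readline() -> bytes).

    Returns (code, [text lines]); raises ValueError on truncation, malformed
    lines, or a reply code that changes between lines.
    """
    code, lines = None, []
    while True:
        raw = stream.readline()
        if not raw:
            raise ValueError("stream ended before the reply's final line")
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError(f"reply code changed mid-reply: {code} -> {this_code}")
        sep = line[3:4]
        lines.append(line[4:])
        if sep == "-":
            continue                   # continuation line, more to follow
        if sep in ("", " "):
            return code, lines         # final line: "220 text" or bare "220"
        raise ValueError(f"malformed reply line: {line!r}")


def parse_banner(banner):
    """Parse a complete received greeting (bytes) into (code, lines)."""
    return read_smtp_reply(io.BytesIO(banner))


def monitor_verdict(banner):
    """Health-check decision on a received greeting: 'up', 'down' or 'invalid'."""
    try:
        code, _ = parse_banner(banner)
    except ValueError:
        return "invalid"
    return "up" if code == 220 else "down"


def naive_first_line_ok(banner):
    """The fragile check: read one line and require it to start with '220 '.
    A multi-line greeting starts with '220-', so this reports the server down."""
    first = banner.split(b"\r\n", 1)[0]
    return first.startswith(b"220 ")


# Constructed sample greetings (not captured from a real server).
SINGLE_LINE = b"220 mail.example.test ESMTP ready\r\n"
MULTI_LINE = (b"220-mail.example.test ESMTP\r\n"
              b"220-Authorized use only\r\n"
              b"220 Ready\r\n")
REJECT = b"554 mail.example.test no service\r\n"
TRUNCATED = b"220-mail.example.test ESMTP\r\n"  # final line never arrived


if __name__ == "__main__":
    for name, banner in [("single", SINGLE_LINE), ("multi", MULTI_LINE),
                         ("reject", REJECT), ("truncated", TRUNCATED)]:
        print(f"{name:9} naive={naive_first_line_ok(banner)!s:5} "
              f"full={monitor_verdict(banner)}")
```

The "invalid" verdict for a truncated reply matters for a monitor: a banner cut off after a continuation line is not proof the server is healthy, so the check should time out and retry rather than count the partial 220 as success.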


503381-2 : SSL persistence may cause connection resets

Component: Policy Enforcement Manager

Symptoms:
If SSL persistence is enabled, and the resulting connection does not use SSL (that is, it is plaintext), the connection may be reset.

Conditions:
SSL persistence is enabled on a virtual that does not use SSL.

Impact:
The connection is reset.

Workaround:
None.

Fix:
SSL persistence no longer causes the connection to be reset with non-SSL traffic.


503343-7 : TMM crashes when cloned packet incorrectly marked for TSO

Component: Local Traffic Manager

Symptoms:
TMM cores

Conditions:
1. Clone pool configured

2. Clone MTU > Client or Server MTU

3. tm.tcpsegmentationoffload db var in "disable" state

4. TSO enabled in client or server side interface

5. TSO disabled in clone interface

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the configured clone pool

Fix:
Prevent TMM crash due to cloned packet incorrectly marked for TSO.


503319-4 : After network access is established browser sometimes receives truncated proxy.pac file

Component: Access Policy Manager

Symptoms:
On the Mac OS X platform, after network access is established, the proxy.pac file received by the browser is truncated.

Conditions:
This occurs if proxy.pac file is larger than 65535 bytes (~65 KB).

Impact:
Large proxy.pac file might not be downloaded or might be truncated.

Workaround:
Reduce the proxy.pac file size so that the merged file is less than ~65 KB.

Fix:
Merged (by F5 tunnel server) proxy.pac is now NOT truncated when sent to the browser even if its size is greater than ~65 KB.


503257-7 : Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST

Component: Local Traffic Manager

Symptoms:
Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled.

Conditions:
This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect.

Impact:
Clients may receive a RST and fail to connect to an available pool member under some traffic patterns.

Workaround:
If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.

Fix:
Persistence, connection limits and HTTP::respond or HTTP::redirect no longer result in RST.


503246-4 : TMM crashes when unable to allocate large amount of provisioned memory

Component: TMOS

Symptoms:
TMM panics and core dumps when unable to allocate the full amount of provisioned memory for each TMM instance.

Conditions:
The situation may occur when TMM starts (or restarts) while another process is still holding onto large amounts of memory, so TMM is unable to allocate the provisioned memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The fix is a change in the TMM startup process.


503237-8 : CVE-2015-0235 : glibc vulnerability known as Ghost

Vulnerability Solution Article: K16057


503214-3 : Under heavy load, hardware crypto queues may become unavailable.

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
 -- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
 -- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
 -- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.

Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.


503169-1 : XML validation files are broken after upgrade

Component: Application Security Manager

Symptoms:
XML validation files are not assigned to the correct XML profiles after upgrade/policy import. The upgrade fails with the following signature in /var/log/asm:

crit perl[15504]: 01310027:2: ASM subsystem error (asm_start,F5::DbUtils::insert_data_to_table): Row 431 of table PLC.PL_CONTENT_PROFILE_VALUE_METACHARS is missing profile_id (277) -- skipping F5::ImportExportPolicy::Binary

Conditions:
ASM provisioned, XML profiles with XML validation files assigned. This can trigger on upgrade to 11.6.0.

Impact:
XML validation files are not assigned to the correct XML profiles.

Workaround:
N/A

Fix:
XML validation files are now assigned to the correct XML profiles.


503160-3 : FPS malicious words doesn't trigger alert when ignore list is defined

Component: Fraud Protection Services

Symptoms:
When the malicious words ignore list is not empty, all malicious words are ignored, whether or not they are on the ignore list.

Conditions:
FPS malicious words feature is enabled and a word is configured to be ignored.

Impact:
No malicious words alerts are sent for that page.

Workaround:
Empty the malicious words ignore list.

Fix:
Ignore list now works correctly.


503118-2 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When parking command is used inside clientside or serverside, tmm crashes.

Conditions:
Parking command, e.g., the table command, is used inside clientside or serverside command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside clientside or serverside command.

Fix:
Parking command can run inside clientside and serverside.

The client side connection must exist when clientside command runs; the server side connection must exist when serverside command runs; otherwise the clientside and serverside commands fail.


503085-3 : Make the RateTracker threshold a constant

Component: Advanced Firewall Manager

Symptoms:
Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions.

Conditions:
When Sweep and Flood is enabled in AFM module.

Impact:
Some Sweep and Flood functionality might not provide sufficient detection rate accuracy.

Fix:
The RateTracker threshold is now a constant, which improves detection rate accuracy.


502959-2 : Unable to get a response from virtual server after node flapping

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently.

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). In certain circumstances, requests may hang (the client is connected, waiting for a response).

Workaround:
None.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


502852-2 : Deleting an in-use custom policy template

Component: Application Security Manager

Symptoms:
If a user tries to delete a custom policy template while there are still security policies in the system that were created from that template, the delete will fail. This also leaves the custom template in an unusable state that can neither be used to create further Policies nor can it ever be deleted.

Conditions:
A security policy exists on the system that was created from a custom template. The user then tries to delete the template before removing the policy from the system.

Impact:
The custom template becomes unusable for creating new policies, and cannot be deleted even after there are no longer any policies created from it left on the system.

Workaround:
Contact support for a script that will disassociate all user defined policy templates from existing policies.
This will allow any user defined template to be successfully deleted.

Fix:
If you fail to delete a custom policy template because an existing security policy refers to it, it no longer leaves the custom policy template in an unusable state.


502841-2 : REST API hangs due to icrd startup issues

Component: TMOS

Symptoms:
iControl REST requests may receive no response, or receive bad responses.

Conditions:
icrd starts well before restjavad.

Impact:
Unusable REST API.

Workaround:
The workaround is to restart the icrd service after ascertaining that restjavad is running - 'bigstart status restjavad' followed by 'bigstart restart icrd'.

Fix:
Now the icrd service will wait until the restjavad service is completely up and responding.


502770-2 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When the parking command is used inside clientside or serverside, tmm crashes.

Conditions:
Parking command, e.g. table command, is used inside clientside or serverside command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside clientside or serverside command.

Fix:
Parking command can run inside clientside and serverside.

The client side connection must exist when clientside command runs; the server side connection must exist when serverside command runs; otherwise the clientside and serverside commands fail.

Behavior Change:
clientside and serverside command error out if client side or server side connection does not exist at the time the command runs. Here is an example of where this might occur: clientside { SSL::disable }. This script fails if the client side connection does not exist. To work correctly, change the script to: SSL::disable clientside.


502747-1 : Incoming SYN generates unexpected ACK when connection cannot be recycled

Component: Local Traffic Manager

Symptoms:
Incoming SYN causes the BIG-IP system to generate ACK instead of SYN-ACK.

Conditions:
This can occur when the following conditions are met:
 - IP addresses and ports of SYN match an existing connection;
 - Sequence number of the SYN is more than 2^31 away from that of the previously sent FIN;
 - Existing connection is in TIME_WAIT state;
 - Virtual server has time_wait_recycle enabled.

Impact:
The client generates a RST, and the connection must be retried.

Workaround:
Set time-wait-timeout to 1 millisecond per SOL12673.

Fix:
The BIG-IP system will no longer generate an ACK to incoming SYNs which match an existing connection that cannot be recycled.


502714-4 : Deleting files and file object references in a single transaction might cause validation errors

Component: TMOS

Symptoms:
Deleting files and file object references in a single transaction can lead to a validation error.

This might occur during device group configuration sync, an iApp, a tmsh cli transaction, or an iControl transaction.

Conditions:
A file object is deleted in the same transaction that its references are also deleted.

Impact:
This can cause a spurious validation error, including during a config sync.

Workaround:
In the case of iControl and tmsh, file object references must first be deleted/removed in a separate transaction. In the case of config sync, perform a full sync.

Fix:
File objects properly resolve references within the transaction, so there are no validation errors when deleting files and file object references in a single transaction.


502683-3 : Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on

Component: Local Traffic Manager

Symptoms:
In certain corner cases, BIG-IP software rejects valid SYN-Cookie responses due to incorrect hardware algorithm masking on the software side.

Conditions:
This issue appears only on hardware-SYN-Cookie-capable platforms when running the hardware SYN-Cookie algorithm.

Impact:
Intermittent connection failures.

Workaround:
Run the software SYN-Cookie algorithm by setting the DB variable.
This ensures that the software runs the correct generation and validation algorithm.

Fix:
Traffic is now handled correctly in certain corner cases involving hardware syncookies.


502675-1 : Improve reliability of LOP/LBH firmware updates

Component: TMOS

Symptoms:
Certain F5 appliances and blades implement the Always On Management functionality via a LOP (Lights Out Processor) or LBH (Lights Out Processor/Backplane Microcontroller Hybrid) device.
Under rare conditions, if a critical kernel event occurs while the LOP/LBH firmware is being updated to a newer version, the LOP/LBH firmware image may become corrupted on the LOP/LBH device.

Conditions:
This issue may occur on the following F5 Networks appliances and blades:
 -- BIG-IP 2000-/4000-series, 5000-/7000-series, 10000-/12000-series appliances.
 -- VIPRION B2100, B2150, B2250 blades.

Impact:
If the LOP/LBH firmware becomes corrupted, the LOP/LBH device does not function properly, affecting critical chassis-management functionality such as identification of platform details including a blade's current slot in the chassis, obtaining current license state, and monitoring of chassis health information.

Workaround:
None.

Fix:
LOP/LBH firmware updates are protected against rare corruption by critical kernel events.


502480-1 : Mirrored connections on standby device do not get closed when Verified Accept is enabled

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, the BIG-IP may cause mirrored connections on the standby device to persist.

Conditions:
- Mirror enabled on the Virtual server
- Verified accept enabled on the TCP profile

Impact:
Resource leak on the standby device, which could cause an outage.

Workaround:
Do not enable verified accept on mirrored flows.

Fix:
Mirrored connections to the standby device will now be properly closed on the standby.


502443-4 : After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.

Component: Local Traffic Manager

Symptoms:
The external monitoring daemon (bigd) sends monitoring traffic before tmm is ready to receive those responses. The response traffic is routed to a tmm on another blade/HA member. This tmm responds to the server with an ICMP "Unreachable" message. Meanwhile, the originating tmm on the new blade/HA member marks the pool member "down" because it never received the server's response.

Conditions:
Start with at least 1 blade enabled in a chassis or one HA member configured, and pass traffic constantly through a virtual server with a monitor-enabled pool attached. Then, enable a new blade in the cluster or a new HA member.

Impact:
Some packets are lost for several seconds. It can be longer depending on the total number of pool members.

Workaround:
Before adding a new blade to a chassis or a member to the HA configuration that is actively processing traffic, temporarily remove the monitor(s) from the pool. Once the new blade/HA member is up, manually add the monitor(s) back to the pool.

Fix:
When a VIPRION blade or BIG-IP HA member comes on-line, the bigd process on the blade/HA member no longer starts health monitors prematurely, which could have caused some monitored objects to be marked down incorrectly.

Behavior Change:
The external monitoring daemon (bigd) no longer sends monitoring traffic while the blade (cluster member) is offline or disabled, or while the HA member (chassis or appliance) is offline (including forced offline).


502441-5 : Network Access connection might reset for large proxy.pac files.

Component: Access Policy Manager

Symptoms:
Network Access connection might reset when large proxy.pac files are configured in the access policy.

Conditions:
Mac Edge client, browsers, Network Access, large proxy.pac file.

Impact:
Network Access connection might reset.

Workaround:
Reduce the proxy.pac file size to be less than 10 KB.

Fix:
Network Access connection does not reset if a large proxy.pac file is configured.


502414-2 : Make the RateTracker tier3 initialization number less variant.

Component: Advanced Firewall Manager

Symptoms:
Sweep and Flood vectors may exceed configured rate limit values by 10%-30%.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
Sweep and Flood attack detection at higher than configured levels.

Workaround:
None.

Fix:
An optimization was made to Rate Tracker that makes attack detection more accurate.


502269-1 : Large post requests may fail using form based SSO.

Component: Access Policy Manager

Symptoms:
SSOV2 modifies the payload of large POST requests; because the server does not understand the modified payload, all such transactions fail.

Conditions:
Large post requests using form based SSO.

Impact:
SSOV2 is a very common use case for APM. Many applications are configured with SSOV2. Any large post in such case will fail.

Workaround:
This issue has no workaround at this time.

Fix:
The payload is no longer modified, so the applications are unaffected.


502238-3 : Connectivity and traffic interruption issues caused by a stuck HSB transmit ring

Component: TMOS

Symptoms:
BIG-IP can experience sudden and permanent traffic interruption, impacting all traffic through TMM.

Conditions:
With TCP Segmentation Offload (TSO) enabled, it is possible to fill up the High-Speed Bridge (HSB) transmit ring, resulting in a stuck transmit ring.

The exact conditions under which this occurs are unknown, but it requires the sudden transmission of a number of large packets that require TSO in order to fill the transmit ring.

Impact:
The HSB's transmit ring becomes stuck. This requires a TMM restart in order to clear.

Workaround:
Disable TSO. This can be done using the following steps:
1. tmsh modify sys db tm.tcpsegmentationoffload value disable
2. bigstart restart tmm.

If TSO is not disabled, three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


502174-4 : DTLS fragments do not work for ClientHello message.

Component: Local Traffic Manager

Symptoms:
DTLS fragments do not work for ClientHello message.

Conditions:
DTLS ClientHello splits into multiple fragments.

Impact:
Both first handshake and renegotiation are affected.

Fix:
DTLS ClientHello fragments are now handled.


502149-3 : Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'

Component: Local Traffic Manager

Symptoms:
When archiving cert/key via GUI, the following error message is displayed : 'EC keys are incompatible for Webserver/EM/iQuery.'

Conditions:
When archiving cert/key via GUI.

Impact:
Intermittently, an error is received when trying to archive key or certificates via GUI.

Workaround:
None.

Fix:
iControl now stores the mode information and sets a default value for it, so no error is reported.


502049-1 : Qkview may store information in the wrong format

Component: TMOS

Symptoms:
When creating a new monitor, some information may be stored in the wrong format.

Conditions:
Create a new monitor. Run qkview.

Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.

Workaround:
None.

Fix:
Monitor information is now stored in the correct format.


502048-1 : Qkview may store information in the wrong format

Component: TMOS

Symptoms:
When creating a new monitor, some information may be stored in the wrong format.

Conditions:
Create a new monitor. Run qkview.

Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.

Workaround:
None.

Fix:
Monitor information is now stored in the correct format.


502016-4 : MAC client components do not log version numbers in log file.

Component: Access Policy Manager

Symptoms:
Some client components do not log version numbers in the log file.

Conditions:
Mac client components.

Impact:
Lack of version numbers in the log file.

Workaround:
None.

Fix:
Client components for Mac now log version numbers in log files.


501986-3 : Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process

Component: Advanced Firewall Manager

Symptoms:
There is a need for Sweep and Flood vectors to be very accurate (within ±5%). To ensure that Sweep and Flood can be very accurate, a mode has been added in which the Sweep and Flood vectors work per TMM process. In this mode the traffic must be very well distributed for it to be effective.

So, now we have a sys db tunable which is: dos.globalsflimits which is true by default. If the tunable is set to false then the Sweep and Flood vectors work per TMM process. The limits that have been configured by the user are divided up equally among the various TMM processes, and because the traffic is well-distributed among the TMM processes we will get close to the limits specified.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
If the db variable is changed to false, the incoming traffic must be well distributed.

Workaround:
None.

Fix:
Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process.


501984-2 : TMM may experience an outage when an iRule fails in LB_SELECTED.

Component: Local Traffic Manager

Symptoms:
When an iRule fails in LB_SELECTED, it is possible for TMM to crash. The TMM failure is an intermittent, timing-related issue.

Conditions:
Using iRules with a rule for when LB_SELECTED is operating on a node/pool member.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


501953-2 : HA failsafe triggering on standby device does not clear next active for that device.

Component: TMOS

Symptoms:
An HA failsafe triggering on a standby device that is marked as next active for a traffic group does not clear the next active setting for that device. This leaves the system in a state where the device designated as next active cannot take over for the active device in the case of a failure.

Conditions:
HA setup with two or more devices in a device trust and device group. HA failsafes are configured on one or more devices in the device group. The HA failsafes are triggered on a device that is currently in the standby state and designated next active for a traffic group.

Impact:
A device marked as next active for a traffic group with a triggered HA failsafe does not take over a traffic group in the case of a failure on the active switch.

Workaround:
Workaround is to force the device in question offline, so that another device is marked as next active.

Fix:
The fix correctly removes the next active setting for a device when it is in standby mode and a HA failsafe triggers. This causes a new device to be picked as next active if one is in standby mode and capable of running the traffic group.


501714-2 : Prevention of low-quality JPEGs being optimized to higher quality (becoming larger) does not work when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on OWS.

Component: WebAccelerator

Symptoms:
The test to prevent JPEGs on OWS with low quality from being 'optimized' to higher quality (if the quality setting in WAM policy is higher than in the file on OWS) is not working.

Conditions:
AAM image optimization enabled and the JPEG quality in AAM policy is higher than the JPEGs on OWS.

Impact:
Image optimization can make the file significantly bigger.

Workaround:
Add the line below to /service/wamd/settings (create the file if it does not exist):

export WAMD_OPT_IMAGES_NO_BIGGER=all

Note this will return the original file if the 'optimized' one comes out bigger: subtly different behavior than making any other requested changes but leaving the quality the same as the file on OWS.

Fix:
The test to prevent low quality JPEGs from optimizing to higher quality (becoming larger) is fixed.


501690-3 : TMM crash in RESOLV::lookup for multi-RR TXT record

Component: Local Traffic Manager

Symptoms:
TMM crashes with a specific ASSERT-based backtrace.

Conditions:
Requires an LTM listener with an iRule that has a RESOLV::lookup command querying for a TXT record and receiving multiple RRs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes due to the behavior of the LTM listener with an iRule that has a RESOLV::lookup command when parsing its return values.


501612-4 : Spurious Configuration Synchronizations

Component: Application Security Manager

Symptoms:
Some items (for example, Incidents) were considered to be config elements that require synchronization when their status changes (such as being read), but are not actually synchronized in a device group.

Conditions:
Event Correlation Incidents occur and are read by the user while in a manual sync device group for ASM.

Impact:
The synchronization state of a device group erroneously changes to "Pending".

Workaround:
None.

Fix:
Items that are not synchronized across a device group no longer cause changes to the synchronization state.


501516-5 : If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.

Component: Local Traffic Manager

Symptoms:
When using a very large number of monitors, bigd may run out of file descriptors when it is restarted.

Conditions:
A system with a large number of monitors configured.

Impact:
bigd cores and gets into a restart loop; monitors no longer work properly. The ltm log might contain error messages similar to the following: socket error: Too many open files.

Workaround:
Reduce the number of monitors on the system.

Fix:
bigd no longer runs out of file descriptors during restart when using a very large number of monitors.


501498-1 : APM CTU doesn't pick up logs for Machine Certificate Service

Component: Access Policy Manager

Symptoms:
CTU report does not contain logs from Machine Certificate Service.

Conditions:
When the CTU report is run, it does not contain data in the logs.

Impact:
Logs are not available to technical staff

Workaround:
You can pick up logs manually from C:\Windows\Temp\logterminal.txt.

Fix:
CTU now correctly picks up logs for the Machine Certificate Service.


501494-1 : if window.onload is assigned null, then null should be retrieved

Component: Access Policy Manager

Symptoms:
After window.onload=null, a non-null value is returned from window.onload.

Conditions:
Web application that assigns null to window.onload and expects to obtain null in window.onload then.

Impact:
Web application logic can be broken.

Fix:
After window.onload=null, getting the value of window.onload returns null.


501480-3 : AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.

Component: Advanced Firewall Manager

Symptoms:
With AFM DoS Single Endpoint Sweep and Flood Vectors configured, TMM might crash while processing a huge amount of the configured attack traffic.

Conditions:
AFM DoS Single Endpoint Sweep and Flood attack vector is enabled in the AFM module.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure the AFM DoS Single Endpoint Sweep and Flood Vector.

Fix:
The AFM DoS Single Endpoint Sweep and Flood Vectors now correctly handle traffic so that TMM does not crash.


501437-3 : rsync daemon does not stop listening after configsync-ip set to none

Component: TMOS

Symptoms:
If a device is not in a CMI configuration, but has configsync-ip set on its self device object, and this configsync-ip is set to none, an rsync daemon continues to listen on the old configsync-ip.

Conditions:
This occurs when the following conditions are met:
-- The device is not in a CMI configuration.
-- The self device has a configsync-ip set.

Impact:
The rsync server may continue to listen even after it is expected that it will not listen.

Workaround:
None.

Fix:
The rsync daemon is now shut down properly when the configsync-ip is set to none, and no longer listens on configsync-ip.


501371-4 : mcpd sometimes exits while doing a file sync operation

Component: TMOS

Symptoms:
mcpd exits randomly. If mcpd debug logging is enabled, the system might log a request similar to the following: Received request message from connection 0x5fe47008 (user %cmi-mcpd-peer-/Common/LNJDCZ-VPN1.example):
query_all {
   sync_file {
      sync_file_file_to_sync "/var/apm/localdb/mysql_bkup.sql"
      sync_file_target_dg "/Common/HA_Rhodes_APM"
      sync_file_postprocess_action "/usr/libexec/localdb_mysql_restore.sh"
      sync_file_originator "/Common/LNJDCZ-VPN1.example"
   }
}

Conditions:
mcpd is performing a file sync.

Impact:
Randomly, mcpd exits, triggering a failover.

Workaround:
None.

Fix:
mcpd no longer exits while performing a file sync.


501343-3 : In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle

Component: TMOS

Symptoms:
In a FIPS HA setup, when the FIPS private handle of x.key on Device A is the same as the FIPS public handle of x.key on Device B, Device B (the HA peer) gets the configuration from Device A and operates as if the handle is correct because the modulus matches, but the handle is actually the public handle and not the private handle.

Conditions:
A FIPS HA setup in which the FIPS private handle of x.key on Device A is the FIPS public handle of x.key on Device B.

Impact:
With this configuration, when the device fails over, it can lead to traffic failure. This occurs because TMM tries to use the public-handle when it should be using the private-handle.

Fix:
FIPS HA peer verifies the FIPS handle type to confirm that it uses only the private FIPS handles.


500938-3 : Network Access can be interrupted if second NIC is disconnected

Component: Access Policy Manager

Symptoms:
The Network Access connection breaks if the second NIC disconnects.
This happens when both NICs are connected to the same network, and only for a specific Network Access configuration.

Conditions:
Network Access configuration:
* Full tunnel with "Prohibit routing table changes during Network Access connection" set to true.
* Split tunneling with "Prohibit routing table changes during Network Access connection" set to true, Address space is 0.0.0.0/0.
The client has two NICs, both connected to the same network.

Impact:
Network Access is interrupted.


500925-3 : Introduce a new sys db variable to control number of merges per second of Rate Tracker library.

Component: Advanced Firewall Manager

Symptoms:
The accuracy of the rate limit for the Sweep and Flood vectors is affected by the number of merges per second in the Rate Tracker library.

Conditions:
When the Sweep and Flood vector is enabled in the AFM module.

Impact:
There is no way to control the number of merges per second in the Rate Tracker library, which affects the accuracy of the library.

Workaround:
None.

Fix:
A new sys db variable has been introduced to control the number of merges per second of the Rate Tracker library.


500786-6 : Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile

Component: Local Traffic Manager

Symptoms:
When a FastL4/BIGTCP virtual server with an HTTP profile is used, certain kinds of traffic may cause huge memory growth and result in an out-of-memory situation.

Conditions:
If the FastL4 virtual server with an HTTP profile handles HTTP cloaking traffic (traffic that starts as HTTP and then switches over to non-HTTP data), memory growth is unbounded because of a lack of flow control. This may eventually lead to out-of-memory conditions.

Impact:
Out-of-memory conditions affecting the availability and stability of the BIG-IP system.

Workaround:
1. Avoid using FastL4 with an HTTP profile unless it is necessary.
2. If it cannot be avoided, use the FastL4 + HTTP-Transparent profile combination instead, AND set the http-transparent profile attribute enforcement.pipeline to "pass-through". This allows the HTTP filter to run in "passthrough" mode and so avoids the excessive memory consumption.

Fix:
If the FastL4 virtual server with an HTTP profile handles HTTP cloaking traffic (traffic that starts as HTTP and then switches over to non-HTTP data), memory growth no longer grows unbounded due to lack of flow control.
This prevents the eventual out-of-memory conditions.


500640-1 : TMM core could be seen if a FLOW_INIT iRule is attached to a virtual server

Component: Advanced Firewall Manager

Symptoms:
A TMM core is seen when a FLOW_INIT iRule is applied to a virtual server for a global rule.

Conditions:
When logging is enabled, a FLOW_INIT rule is applied, and packets arrive for which the virtual server cannot be found, TMM could crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Added a check for a NULL context in the connflow to avoid this rare crash.


500544-1 : XML validation files are not correctly imported/upgraded

Component: Application Security Manager

Symptoms:
XML validation files are not assigned to the correct XML profiles after upgrade/policy import.

Conditions:
-- ASM is provisioned.
-- XML profiles have XML validation files assigned.

Impact:
XML validation files are not assigned to the correct XML profiles.

Workaround:
N/A

Fix:
XML validation files are now assigned to the correct XML profiles.


500457-1 : Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash

Component: Application Visibility and Reporting

Symptoms:
There is a synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash.

Conditions:
AVR is provisioned, or statistics are being reported.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects a synchronization problem in AVR lookups that sometimes caused TMM and other daemons, such as the Enforcer, to crash.


500450-1 : ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.

Component: Access Policy Manager

Symptoms:
With APM and ASM configured on the same virtual server, cookie validation on ASM could modify the Set-Cookie header sent by the application server or inject another Set-Cookie header. The APM websso module does not honor the Set-Cookie modification or the injection, and ASM subsequently causes the connection to reset.

Conditions:
With APM and ASM configured on the same virtual server, if cookie validation on ASM modifies the Set-Cookie header sent by the application server or injects another Set-Cookie header, the APM websso module does not honor this.

Impact:
Connection reset on the above condition.

Workaround:
Use layered virtual servers with an iRule virtual command to send traffic from the ASM virtual server to an APM virtual server with ARP disabled instead of having everything on one virtual server.

Fix:
The APM websso module is modified to handle this ASM use case. The websso now reparses the HTTP 401 response header from the server on the client side, in addition to the existing parsing during server-side processing.
With this fix, any Set-Cookie modification or addition by ASM is sent to the server in the response to the 401 header.


500449 : "Any IPv4 or IPv6" choice in sweep attack has atypical definition

Component: Advanced Firewall Manager

Symptoms:
The online help (OLH) does not convey the function of the "Any IPv4" or "Any IPv6" choice in the single endpoint sweep attack configuration.

Conditions:
When one of these options is chosen, the configuration does not behave as expected: it does not detect "any" traffic.

Impact:
When selected, the endpoint sweep attack detects only traffic "other than TCP, UDP, ICMP, or IGMP."

Fix:
In the DoS Device Protection configuration for a Single Endpoint Sweep attack, the packet types "Any IPv4" and "Any IPv6" do not actually apply to all IPv4 and IPv6 traffic. Rather, these categories apply to any traffic other than TCP, UDP, ICMP, or IGMP. This has been clarified in the system online help.


500424-2 : dnatutil exits when reverse mapping one of the snippets results in a "No tmms on the blade" error

Component: Carrier-Grade NAT

Symptoms:
dnatutil exits with the error "dnatutil: No tmms on the blade."

Conditions:
A DNAT state log entry that is interpreted as invalid.

Impact:
dnatutil cannot parse the whole log file for reverse mappings.

Workaround:
Remove the DNAT state chunk that produces the error.

Fix:
dnatutil now continues even if it encounters an error. It reports the error but does not exit.


500365-3 : TMM Core as SIP hudnode leaks

Component: Service Provider

Symptoms:
There is a memory leak when using SIP in TCP/ClientSSL configurations.

Conditions:
The leak occurs when the clientside flow is torn down in response to the SSL handshake not completing.

Impact:
Because the SSL handshake is not complete, the SIP handler cannot complete the operation as expected, which results in an error and a memory leak of the SIP handler. The tmm memory increases, which eventually requires restarting tmm as a workaround.

Workaround:
Although there is no workaround that prevents the issue, you can recover from the memory-leak condition by restarting tmm.

Fix:
This release fixes a memory leak that occurred when using SIP in TCP/ClientSSL configurations, when the clientside flow was torn down in response to the SSL handshake not completing. The system now frees the SIP handler upon receiving the notification of a failed SSL handshake, so that the connection is rejected, the system performs the proper cleanup of the SIP handler, and no memory leak occurs.


500303-3 : Virtual Address status may not be reliably communicated with route daemon

Component: Local Traffic Manager

Symptoms:
Occasionally, when the Virtual Server status changes, the Virtual Address status may not be communicated to the routing services (that is, the tmrouted service).

This can result in incorrect routes.

Conditions:
Exact conditions unknown, but it can occur when the Virtual Server status changes.

Impact:
Virtual Addresses may have advertised routes when they are down, or vice versa.

Workaround:
None.

Fix:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.

Behavior Change:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.


500234-4 : TMM may core during failover due to invalid memory access in IPsec components

Component: TMOS

Symptoms:
TMM cores when transitioning from standby to active.

Conditions:
This might occur when the following conditions are met:
-- An IPsec tunnel is enabled.
-- The BIG-IP system is a member of an HA pair.
-- The BIG-IP system transitions from standby to active.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a race condition that might have caused IPsec components to access previously freed memory.


500219-1 : TMM core if identical RADIUS start messages are received

Component: Policy Enforcement Manager

Symptoms:
TMM cores and restarts when identical RADIUS start messages are received by the BIG-IP system with PEM provisioned.

Conditions:
Identical RADIUS start messages are received by PEM to create a session.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Duplicate RADIUS start messages are now handled properly, so TMM no longer cores when they are received.


500094-1 : OpenSSL vulnerability CVE-2014-3570

Vulnerability Solution Article: K16120


500093-1 : OpenSSL vulnerability CVE-2014-8275

Vulnerability Solution Article: K16136


500092-1 : OpenSSL vulnerability CVE-2015-0205

Vulnerability Solution Article: K16135


500090-1 : OpenSSL vulnerability CVE-2014-3572

Vulnerability Solution Article: K16126


500089-1 : OpenSSL vulnerability CVE-2015-0206

Vulnerability Solution Article: K16124


500088-1 : OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update

Vulnerability Solution Article: K16123


500034-1 : [SMTP Configuration] Encrypted password not shown in GUI

Component: Application Visibility and Reporting

Symptoms:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password field is empty in the configuration utility when accessing the newly created SMTP object. TMSH shows the password in hash format.

Conditions:
1. Authentication is enabled.
2. A username and password are configured.

Impact:
SMTP authentication fails.

Workaround:
After saving the SMTP configuration for the first time using the configuration utility, use only TMSH, REST API, or iControl to edit it or re-enter the password.

Note: This will not fix sending AVR e-mails. The only way to send e-mail before this fix is using a non-authenticated SMTP server.

Fix:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password is correctly decrypted using standard BIG-IP tools.


500003-4 : Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP

Component: Local Traffic Manager

Symptoms:
When incoming NTP packets from the configured NTP server arrive for a non-local IP on a BIG-IP system that is a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that causes further outgoing packets to the NTP server to have their destination IP addresses changed to 127.3.0.0, which is not routable and thus causes NTP time syncs to stop.

Conditions:
An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons:

1) The customer has a device on the same management network doing very low-to-zero volume of traffic over its management port. NTP syncs time less often than the L2 FDB expiration time.

2) The customer is using a L2 topology that uses redundant switches with NIC teaming / bonding, and one of the hosts cuts over to the other switch. This also causes transmits of packets that have no valid L2 FDB entry.

3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN.

4) Any unicast misdirection of NTP traffic to the management port not covered above.

Impact:
NTP time syncing stops on affected BIG-IP systems.

Workaround:
To remove the iptables rule that is causing the problem:

# iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0

Comment out the following line in the function setup_virtual_backplane() in the file /etc/init.d/cluster to prevent the rule from coming back upon reboot:

iptables -t nat -A bpnet-in -p udp --dport 123 -j DNAT --to-destination $int_mgmtip

Fix:
Incoming NTP packets from the configured NTP server to a non-local IP no longer break outgoing NTP.


499950-5 : In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs

Component: Local Traffic Manager

Symptoms:
Inconsistent persistence entries across TMMs.

Conditions:
This occurs when the following conditions are met:
-- intra_cluster HA configuration.
-- Node flapping.

Impact:
Inconsistent persistence behaviors.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
An issue involving inconsistent behavior of persistence across TMMs is fixed.


499947 : Improved performance loading thousands of Virtual Servers

Component: TMOS

Symptoms:
In v11.5.1 and newer, when loading thousands of Virtual Servers, mcpd might become overloaded, causing loads to take a long time, or fail entirely when mcpd times out and is restarted.

This might be more severe if GTM was enabled.

Conditions:
Thousands of Virtual Servers, GTM enabled. The problem is caused when tracking the state of Virtual Address changes and broadcasting those state changes under certain circumstances.

Impact:
Might cause long load times or configuration load failure because of mcpd timeout and restart.

Workaround:
Disable GTM. Reduce the number of Virtual Addresses.

Fix:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.

Behavior Change:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.


499946-3 : Nitrox might report bad records on highly fragmented SSL records

Component: Local Traffic Manager

Symptoms:
When using an AES-GCM cipher on highly fragmented SSL records, platforms with Cavium Nitrox cards might report Bad records.

Conditions:
The negotiated cipher is one of the AES-GCM ciphers, and the MTU is such that the SSL records are highly fragmented.

Impact:
The BIG-IP system disconnects Client SSL connections prematurely. The SSL profile shows a number of Bad records.

Workaround:
None.

Fix:
The processing buffers reserve the proper number of subsequent parameters.


499880 : boot menu titles might not contain volume suffix

Component: TMOS

Symptoms:
The title of a boot entry normally contains a suffix, in angle brackets, that is the name of the volume in which it resides. For example:

BIG-IP 11.6.0 Build 3.0.364 <MD1.2>

When BIG-IP 11.6.0 hf3 is installed, the resulting boot entry is missing the suffix:

BIG-IP 11.6.0 Build 3.0.412

Conditions:
This occurs when hotfix 11.6.0 HF3 is installed.

Impact:
None.

Workaround:
None necessary.

Fix:
Improved installer for HFR.


499795-2 : "persist add" in server-side iRule event can result in "Client Addr" being pool member address

Component: Local Traffic Manager

Symptoms:
When using Universal Persistence, depending on how an iRule is implemented, the Client Addr field in persist records may be the selected pool member's address, instead of the client address.

Conditions:
Universal Persistence

Impact:
The "Client Address" field in persistence records may be wrong. Note that this field is not used for anything in the data path, so this issue is purely cosmetic.

Fix:
The persist record now has the correct "Client Addr" even when the owner of the persist record is in a different TMM.


499778-1 : A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs

Component: Policy Enforcement Manager

Symptoms:
A stale session is left behind.

Conditions:
1. Create a session by sending RADIUS start messages to a static subscriber that learns IP addresses dynamically.
2. Remove the master IP from the static subscriber list.
3. Delete the static subscriber.
4. Use pem_sessiondump --list to see that the session is not deleted.

Impact:
No functional issue.

Fix:
The session is now reprovisioned if an IP is removed or added in the SSP case too. This fixes session deletion when the master IP is removed.


499719-1 : Order Zones statistics would cause database error

Component: Global Traffic Manager (DNS)

Symptoms:
'General database error retrieving information' error in GUI.

Conditions:
This occurs when using the GUI to view Statistics for DNS zones.

Impact:
Not able to view Statistics from GUI for DNS zones.

Workaround:
Use tmsh to view Statistics for DNS zones.

Fix:
'General database error retrieving information' error no longer occurs when viewing DNS zone statistics from the GUI.


499701-1 : SIP Filter drops UDP flow when ingressq len limit is reached.

Component: Service Provider

Symptoms:
UDP stats show an increase in the number of flows, and valid SIP messages are dropped.

Conditions:
This occurs when an iRule processing delay (for example, from session db operations) is combined with an increase in incoming SIP flows.

Impact:
SIP UDP flows are dropped.

Workaround:
None.

Fix:
The SIP UDP flow now remains when the ingress queue length limit is reached.


499620-6 : BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client for Mac shows the wrong SSL protocol version in Details; it does not display the protocol version that was negotiated.

Conditions:
BIG-IP Edge Client for Mac.

Impact:
The BIG-IP Edge Client for Mac displays an incorrect SSL protocol version in Details.

Workaround:
None.

Fix:
The BIG-IP Edge Client for Mac now displays the correct SSL protocol version in Details.


499537-3 : Qkview may store information in the wrong format

Component: TMOS

Symptoms:
When creating a new monitor, some information may be stored in the wrong format.

Conditions:
Create a new monitor. Run qkview.

Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.

Workaround:
None.

Fix:
Monitor information is now stored in the correct format.


499478-2 : Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate

Component: Local Traffic Manager

Symptoms:
Bug 464651 fixed a loop issue that occurred when building a certificate chain caused by an invalid configuration in certificates.

That fix unintentionally excluded the root certificate in the chain. While it is still a valid certificate chain, it does result in a change-in-behavior issue that is unacceptable in certain cases.

Conditions:
This occurs in versions containing the fix for Bug 464651 (11.4.1, 11.5.4).

Impact:
In some instances, the root certificate must be included in the certificate chain. In other cases, the certificate validation fails.

Workaround:
None.

Fix:
This fix restores the previous behavior by including the root certificate in the chain.


499430-2 : Standby unit might bridge network ingress packets when bridge_in_standby is disabled

Component: Local Traffic Manager

Symptoms:
On a standby unit with a vlangroup configured with multiple VLAN members and the bridge_in_standby attribute set to false, the unit might still bridge network ingress packets across the vlangroup if those packets happen to match the host monitor traffic flows.

Conditions:
This occurs when the following conditions are met: a vlangroup with multiple VLAN members is configured in an HA configuration with the vlangroup's bridge_in_standby attribute set to false, and monitors are configured to use non-default monitor rules (ICMP, etc.).

Impact:
This results in a traffic bridging loop between the active and standby units. Excessive traffic load might take down monitors on the BIG-IP system.

Workaround:
None.

Fix:
Standby unit no longer bridges network ingress packets when bridge_in_standby is disabled. This is correct behavior.


499427-1 : Windows File Check does not work if the filename starts with an ampersand

Component: Access Policy Manager

Symptoms:
Windows File Check does not work if the filename starts with an ampersand.

Conditions:
Run Windows file check and add a file name that starts with an ampersand.

Impact:
Depends upon access policy, but in the worst case a user might be allowed to log in.

Fix:
Access policy Windows File check now works with a file name that starts with an ampersand (&).


499422-1 : An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.

Component: Local Traffic Manager

Symptoms:
An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.

Conditions:
When an ACK with an "invalid" sequence number is received, the resulting calculations involving the incoming seqno and rcv_nxt cause an outgoing ACK to be generated, which repeats if the server behavior repeats.

Impact:
Many connections are delayed and CPU usage is very high, peaking at around 90%. Traffic suffers a severe deterioration.

Fix:
This problem is corrected by ensuring that, when an outgoing ACK is generated, the FIN is stripped unless it is a retransmission of the FIN.


499347-3 : JSON UTF16 content could be blocked by ASM as Malformed JSON

Component: Application Security Manager

Symptoms:
When JSON UTF16 content is handled by ASM and the content includes one of the characters below, the request could be blocked by the ASM policy.

XML_CHAR_BACKSLASH
XML_CHAR_LEFT_CURLY_BRACKET
XML_CHAR_RIGHT_CURLY_BRACKET

Conditions:
ASM policy assigned to a virtual server and the policy configured to enforce JSON content.

Impact:
False positive request blocking.

Workaround:
None.

Fix:
The JSON unicode_charmap table has been fixed, so UTF16 characters are now interpreted correctly.


499315-1 : Added "Collect full URL" functionality.

Component: Application Visibility and Reporting

Symptoms:
Added functionality to collect the full URL (with host name) to AVR statistics.

Conditions:
In tmsh, run the command: modify sys db avr.includeserverinuri value disable

Run traffic with the URL http://172.29.33.87/debug

The URL that will be written to the lookup table is: "/debug"

In tmsh, run the command: modify sys db avr.includeserverinuri value enable

Run traffic with the URL http://172.29.33.87/debug

The URL that will be written to the lookup table is: "172.29.33.87/debug"

Impact:
It is now possible to collect full URLs.

Fix:
Added functionality to collect the full URL (with host name) to AVR statistics.


499299-1 : Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash

Component: Application Visibility and Reporting

Symptoms:
There is a synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash.

Conditions:
AVR is provisioned or report statistic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
We fixed a synchronization problem in AVR lookups that sometimes caused TMM and other daemons, such as the Enforcer, to crash.

Fix:
This is a duplicate of ID 475439.


499280-1 : Client side or server side SSL handshake may fail if it involves SHA512-signed certificates in TLS1.2

Component: Local Traffic Manager

Symptoms:
A handshake with either client-ssl or server-ssl when presented with a certificate signed/hashed with sha512 may fail.

Conditions:
On the server side, the issue is seen when the following three conditions are met:
1. The SSL connection is using TLS1.2
2. The backend server's certificate is signed/hashed with sha512.
3. The backend server is Microsoft IIS server. More precisely, a server that strictly enforces the RFC policy for TLS1.2: 'If the client provided a 'signature_algorithms' extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension.' This kind of server rejects the SSL connection if the BIG-IP system does not advertise sha512 when sending the clienthello message. Microsoft IIS server does strictly enforce this rejection behavior, although Apache and OpenSSL servers do not.

On the client side:
1. Client is trying to establish SSL connection using TLS1.2.
2. Client-ssl is configured with client-cert authentication.
3. Client is configured with sha512-signed certificate only. When the BIG-IP system sends a CertificateRequest that does not include sha512, the client might send back a null certificate.

Impact:
The BIG-IP system cannot establish SSL connection with the backend server. Client fails to establish an SSL connection with the BIG-IP system.

Workaround:
To work around this:
-- Use TLS1/TLS1.1/SSL3 instead of TLS1.2.
-- Configure the backend server to use certificates signed/hashed with something other than sha512.
-- Use a backend server other than Microsoft IIS.

Fix:
On the server side, the system now includes sha512 in the signature_algorithms extension when sending the clienthello with TLS1.2 (when you configure 'ANY' in the SSL sign hash option in the serverssl profile), so that the server does not reject the SSL connection because the BIG-IP system omitted sha512 from the clienthello. sha512 is also included on the client side, so that if the client uses sha512 to hash/sign the certvfy message, the BIG-IP system (acting as a server) does not refuse to verify it (when you configure 'ANY' in the SSL sign hash option in the clientssl profile).


499260-3 : Deleting trust-domain fails when standby IP is in ha-order

Component: TMOS

Symptoms:
Deleting trust-domain fails when the ha-order traffic group contains a standby unit's IP address.

Conditions:
This occurs when there is a non-local device that is used by the HA order in one of the traffic groups.

Impact:
Unable to delete trust domain. The tmsh command 'delete cm trust-domain all' intermittently hangs. Pressing Ctrl + C shows: Unexpected Error: Could not reset trust-domain (error from devmgmtd): Error reading from server...' In the /var/log/ltm the system posts the message: 'err devmgmtd[7887]: 015a0000:3: -unknown- failed on -unknown-.devicegroup: 01071761:3: Cannot delete device (bigipsystem.example.com) from device group (/Common/sync-failover-1) because it is used by HA order on traffic group (/Common/traffic-group-2)'.

Workaround:
Retrying sometimes succeeds. Removing the ha-order traffic group also allows the operation to succeed.

Fix:
Deletion of a device trust domain now completes successfully when the BIG-IP system is a member of a device trust domain configured with a traffic group high-availability order that references a device other than the local system.


499150-3 : OneConnect does not reuse existing connections in VIP targeting VIP configuration

Component: Local Traffic Manager

Symptoms:
Significant increase in Active Connections and Connections per Second for virtual servers that receive connections from another virtual server with the Policy action 'virtual' or iRule command 'virtual' and the client virtual server has a OneConnect profile. The connections per second will match the rate of HTTP requests sent to the server virtual server.

A packet capture would reveal that OneConnect is not reusing previously opened connections, and previously opened connections remain idle until timeout.

Conditions:
This occurs when either of the following conditions is met:

-- Virtual-to-virtual configuration with OneConnect profile.
-- iRule contains the following command: node <ip> <port>.

Impact:
An increase in CPU and memory resources occurs due to the increase in connections established and connections that remain in memory.

Workaround:
If not required, remove the OneConnect profile from the client virtual server.

Fix:
Connections are correctly reused even with VIP on VIP configuration.


499036 : Rare cases of errors when loading data into mysql

Component: Application Visibility and Reporting

Symptoms:
In some cases, some AVR data was formed with duplicated rows, causing errors when saving the data in mysql. You will see the following in monpd.log: "Some rows of load_stat_ip_1420015200.1 not loaded (22670 rows affected).".

Conditions:
This can occur when avr loads.

Impact:
Loss of some statistical data.

Workaround:
None

Fix:
We fixed an issue where in some cases, some AVR data was formed with duplicated rows, and triggered errors when saving the data in mysql.


498993-1 : It is possible to get an infinite loop in LDAP Query while resolving nested groups

Component: Access Policy Manager

Symptoms:
Processing nested groups might cause an infinite loop.

Conditions:
LDAP query is configured to get group membership using the 'member' attribute. On the LDAP server, group1 has group2 as a member and group2 has group1 as a member (membership loop), so the LDAP Query falls into an infinite loop trying to resolve nested groups.

Impact:
User cannot pass access policy that contains the affected agent. The apd process must be restarted to re-initialize LDAP agent.

Workaround:
None.

Fix:
The LDAP Query resolves group membership including nested groups as expected.
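The failure mode in this entry is a membership cycle (group1 lists group2, group2 lists group1) that an unguarded nested-group walk never exits. The following is an added example, not BIG-IP or APM code, of a resolver that tolerates such loops: it records every group it has already expanded so each group is visited at most once, and bounds the nesting depth as a second guard. The directory contents, the `lookup_members` function and the `max_depth` value are constructed for illustration.

```python
from collections import deque

# Constructed sample directory (assumption, not BIG-IP or any real LDAP data):
# group DN -> values of its 'member' attribute. group1 and group2 reference
# each other, which is the membership loop described in the entry above.
GROUPS = {
    "cn=group1,ou=groups,dc=example,dc=com": [
        "cn=group2,ou=groups,dc=example,dc=com",
        "uid=alice,ou=people,dc=example,dc=com",
    ],
    "cn=group2,ou=groups,dc=example,dc=com": [
        "cn=group1,ou=groups,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    ],
    # A group that lists itself as a member: the shortest possible loop.
    "cn=group3,ou=groups,dc=example,dc=com": [
        "cn=group3,ou=groups,dc=example,dc=com",
        "uid=carol,ou=people,dc=example,dc=com",
    ],
}


def lookup_members(dn):
    """Stand-in for an LDAP search that returns the 'member' attribute of dn.

    Returns None when dn is not a group (for this sample, a user entry).
    """
    return GROUPS.get(dn)


def resolve_members(group_dn, lookup=lookup_members, max_depth=32):
    """Return all user DNs reachable from group_dn through nested groups.

    The 'seen' set guarantees every group is expanded at most once, so cyclic
    membership cannot cause an unbounded walk; max_depth additionally caps
    very deep legitimate nesting.
    """
    seen = {group_dn}
    users = set()
    queue = deque([(group_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        for member in lookup(dn) or []:
            if lookup(member) is None:
                users.add(member)            # leaf entry: a user
            elif member not in seen and depth < max_depth:
                seen.add(member)             # nested group not yet expanded
                queue.append((member, depth + 1))
    return users


def is_member(user_dn, group_dn, lookup=lookup_members):
    """True if user_dn belongs to group_dn directly or through nested groups."""
    return user_dn in resolve_members(group_dn, lookup)


if __name__ == "__main__":
    for g in GROUPS:
        print(g, "->", sorted(resolve_members(g)))
```

Because expansion is breadth-first over a visited set, the loop between group1 and group2 simply yields the union of both groups' users, and a self-referencing group resolves without re-entering itself.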


498992-6 : Troubleshooting enhancement: improve logging details for AWS failover failure.

Component: TMOS

Symptoms:
Logging information on BIG-IP VE for Failover on AWS was inadequate and did not provide the reason for failures in Failover.

Conditions:
Traffic-group failover sometimes failed without providing specific reason for the failure.

Impact:
The lack of logging messages that could pinpoint the misconfiguration or connectivity issues on AWS makes it difficult to determine what is causing the Failover to fail.

Workaround:
None

Fix:
Added more logging details for AWS failover failure to assist in detecting problems in failover.

Behavior Change:
Previously, the following AWS permissions were required when running failover: ec2:AssignPrivateIpAddresses and ec2:DescribeNetworkInterfaces. Failover could fail because of region or key issues, and so an additional AWS permission, ec2:DescribeInstanceStatus, is now also required for running failover.


498785 : Black List Classes/Black List Categories terminology inconsistency

Component: Advanced Firewall Manager

Symptoms:
There is a terminology inconsistency between the GUI in AFM 11.5.0 IP Intelligence, which refers to 'Black List Classes', and AFM 11.6.0 IP Intelligence, which refers to 'Black List Categories'. In addition, the 11.6.0 labels on Reporting or Event Logs for IP Intelligence read 'Class', where they should read 'Category'.

Conditions:
This occurs when comparing AFM screens in 11.5.0 and 11.6.0.

Impact:
Inconsistent terminology might result in customer confusion.

Fix:
Black List Classes is now correctly referred to as Black List Categories in AFM 11.6.0 IP Intelligence, which makes the term consistent across the GUI versions.


498782-2 : Config snapshots are deleted when failover happens

Component: Access Policy Manager

Symptoms:
When failover occurs, the config snapshots on the new active node might be deleted during the HA state transition. As a result, a user might encounter one of the errors below:
1. Login failure/denied.
2. Some webtop resources are missing after successful login.

Conditions:
When the standby node switches to active.

Impact:
User cannot login or access some resources after login.

Workaround:
Restart APD by running the command: bigstart restart apd.

Fix:
Now APD uses a short time interval for periodic checking of config snapshots right after failover happens. If config snapshots are found to be missing, APD recreates them. After a few such cycles, APD reverts to using a long time interval for the check.


498708-1 : Errors logged in bd.log coming from the ACY module

Component: Application Security Manager

Symptoms:
Cosmetic errors logged in bd.log from the ACY module:
'acy_prepare_RWdas failed to init rwkm-report_kw_data report'.

Conditions:
Configuration changes between signature sets on a security policy.

Impact:
False errors appear constantly. These errors are cosmetic, and do not indicate a problem with the system.

Workaround:
None.

Fix:
We fixed false error logs that were coming from the ACY module.


498597-5 : SSL profile fails to initialize and might cause SSL operation issues

Component: Local Traffic Manager

Symptoms:
When the SSL profile fails to initialize, it causes SSL to enter pass-through mode instead of rejecting traffic.

Conditions:
SSL profile fails to initialize, for example, due to failure to load cert/key files.

Impact:
SSL enters pass-through mode instead of rejecting traffic. As a side effect, ConfigSync might fail, as the communication channel does not establish because of a hung SSL connection.

Workaround:
Make sure the cert/key is available and has the proper access mode.

Fix:
When the SSL profile fails to initialize, it now causes the SSL to reject traffic correctly.


498469-5 : Mac Edge Client fails intermittently with machine certificate inspection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails intermittently with machine certificate inspection when "Match CN with FQDN" setting is configured.

Conditions:
The problem occurs with BIG-IP Edge Client for Mac and machine certificate agent when in the access policy "Match CN with FQDN" is set.

Impact:
Edge Client fails to pass machine certificate inspection.

Fix:
BIG-IP Edge Client for Mac does not fail intermittently with machine certificate inspection agent.


498433-1 : Upgrading with ASM iRule and virtual server with no websecurity profile

Component: Application Security Manager

Symptoms:
If you have an iRule that uses "ASM::*" assigned to a virtual server with no websecurity profile, when trying to upgrade from BIG-IP version 11.4.0 to any newer version, the upgrade fails, and you receive the following error message:
-----------------
ASM::disable in rule (iRule_name) requires an associated WEBSECURITY profile on the virtual server (virtual_server_name).
-----------------

Conditions:
On version 11.4:
1) Have an iRule that uses ASM::*, e.g.
  when HTTP_REQUEST {
    ASM::disable
  }
2) Create a virtual server and associate an ASM policy with it via CPM (L7) policy
3) Assign the iRule to the VS
4) Remove the CPM policy from the VS

Now upgrade to any newer version
OR
Save the ucs and try to manually install it on any newer version

Impact:
Fails to upgrade.
Fails to install ucs.

Workaround:
Prior to upgrading and/or saving the ucs, for all virtual servers that have no websecurity profile assigned to them, remove all iRules that contain 'ASM::*' actions.

Fix:
You can now successfully upgrade from version 11.4.0 to any newer version even if you have an iRule that uses "ASM::*" and a virtual server with no websecurity profile assigned because the upgrade/ucs_install mechanism now detaches the ASM iRule from the virtual server.


498334-2 : DNS express doesn't send zone notify response

Component: Local Traffic Manager

Symptoms:
When a virtual server on the BIG-IP system receives a zone notify message, it does not send a response message back. Instead, it sends the original notify message back to the remote name server.

Conditions:
A zone notify message is sent to a virtual server with a DNS profile. The zone is configured to allow notify from the sender and the notify action is set to be consumed.

Impact:
The remote name server sends the notify message to the BIG-IP system several times since the remote name server does not receive a response message.

Workaround:
None.

Fix:
TMM will correctly send a response message back when processing a zone notify message from a remote name server.


498269-1 : 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode

Component: Local Traffic Manager

Symptoms:
When configured for bridging all traffic, 5200 platform does not bridge STP BPDUs when in PASSTHRU mode.

Conditions:
This occurs under the following conditions:
-- Configure a VLAN group and configure it to bridge all traffic.
-- Configure STP in PASSTHRU mode.

Impact:
The 5200 platform does not forward STP BPDUs across VLAN groups when in PASSTHRU mode, so STP PASSTHRU mode does not work correctly between VLAN groups.

Fix:
The 5200 platform now forwards STP BPDUs across VLAN groups when in PASSTHRU mode.


498227-2 : Incorrect AFM firewall rule counter update after pktclass-daemon restarts.

Component: Advanced Firewall Manager

Symptoms:
Incorrect firewall rule counters are updated upon classifying traffic when rules are re-ordered AND pktclass-daemon is also restarted.

Conditions:
pktclass-daemon restarts and there are active firewall rules present (at any context).

Impact:
While there is no incorrect behavior in matching/classifying traffic, updating the incorrect rule counter may give the impression that traffic is being classified incorrectly.

Workaround:
None

Fix:
The issue regarding update of incorrect rule counter (after pktclass-daemon restarts) has been fixed.


498189-3 : ASM Request log does not show log messages.

Component: Application Security Manager

Symptoms:
The request log does not show log messages related to ASM.

Conditions:
This occurs when first assigning the application logging profile, and then assigning the DOS logging profile on the same virtual server.

Impact:
There will not be log messages related to ASM.

Workaround:
Remove the ASM logging profile, apply and re-add the application logging profile.

Fix:
ASM request log now shows log messages related to ASM, even if the application logging profile was assigned to the virtual server before the DOS logging profile was assigned to it.


497870-1 : PEM configured with BWC doing pem policy changes could trigger leak

Component: TMOS

Symptoms:
When PEM is configured to use a bwc policy, re-evaluations caused by a pem policy change in configuration and/or PCRX could leak bwc memory for active flows.

Conditions:
- PEM needs to be configured to use bwc.
- Active flows.
- PEM policy change event for live flows.

Impact:
- memory leak.

Workaround:
- restart tmm.
- upgrade image.
- avoid PEM policy change event for live traffic flows.
- attach bwc to pem policy after PEM policy change event.

Fix:
When the PEM policy is modified on live traffic, PEM initiates policy re-evaluation, during which bwc is internally detached and re-attached. Previously, the flow active flag was not cleared during this process, so memory was not released when the flow was released.


497769 : Policy Export: BIG-IP does not export redirect URL for "Login Response Page"

Component: Application Security Manager

Symptoms:
ASM does not export redirect URLs in "Login Response Page" for XML policies.

Conditions:
Redirect URL in "Login Response Page" is used in ASM security policy.

Impact:
The redirect response page is missing from the exported XML security policy.

Workaround:
Use binary policy export for exporting redirection response pages for login url.

Fix:
We fixed an issue with XML policy export where the redirect response page was missing from the security policy.


497742-3 : Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address

Component: Local Traffic Manager

Symptoms:
Some packets re-transmitted as part of a full-proxy, non-SNAT'd TCP virtual server on a translucent-mode vlangroup do not correctly have the translucent-mode bit-flip applied.

Conditions:
This occurs with a translucent vlangroup and full virtual server with no SNAT.

Impact:
Egressing traffic with the source-MAC of another host can potentially lead to traffic loops.

Workaround:
Enable SNAT on the virtual server.

Fix:
All TCP re-transmits have the proper source MAC address.


497732-2 : Enabling specific logging may trigger other unrelated events to be logged.

Component: Advanced Firewall Manager

Symptoms:
When logging is enabled for TCP events some internal traffic like UDP could be logged.

Conditions:
When logging is enabled in AFM for TCP events.

Impact:
Some unwanted log messages will show up.

Workaround:
There is no workaround.

Fix:
Fixed a bug where undesired traffic was logged when TCP events logs were enabled.


497719-1 : NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296

Vulnerability Solution Article: K15934


497681-1 : Tuning of Application DoS URL qualification criteria

Component: Application Visibility and Reporting

Symptoms:
Application DoS cannot be tuned in order to tell which transactions are qualified for client side mitigation.

Conditions:
1. Create a new L7-DoS profile and enable CS injection prevention.
2. Send more than 10 requests to a qualified URL. Make sure that the URL is detected as qualified (I used the avrstat tool).
3. Send 1 request with the HEAD or TRACE method. The URL will be detected as non-qualified.

Impact:
AVR didn't qualify URLs according to the system's qualification criteria.

Workaround:
N/A

Fix:
We tuned the Application DoS URL qualification criteria.


497667-2 : Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error

Component: Advanced Firewall Manager

Symptoms:
PCCD gives a 'resources exhausted' error, which causes an inability to activate new mgmt port rules.

Conditions:
The mgmt port is configured as an IPV4 interface and an ICMPv6 protocol rule is applied with the action set to reject or vice-versa.

Impact:
error: resources exhausted; causes an inability to activate new mgmt port rules.

Fix:
Validation added to block invalid application of management firewall rule specifying ICMPv6 when management interface is configured with only IPv4 address. Validation also detects the reverse condition (IPv6 management address, ICMPv4 firewall rule). A descriptive error message is added.


497662-3 : BIG-IP DoS via buffer overflow in rrdstats

Component: Access Policy Manager

Symptoms:
BIG-IP DoS via buffer overflow in rrdstats

Conditions:
rrdstats is given malformed input.

Impact:
Crash in rrdstats; some services are unavailable while rrdstats is down.

Workaround:
No workaround. rrdstats will be restarted by the BIG-IP system.

Fix:
Improved request parsing to make it more robust against invalid formats.


497627-3 : Tmm cores while using APM network access and no leasepool is created on the BIG-IP system.

Component: Access Policy Manager

Symptoms:
TMM cores in Network Access scenario when no leasepool is created on the BIG-IP system and IP address assignment is done through the Variable Assign agent (mcget {session.ldap.last.attr.vpnClientIp}).

Conditions:
APM network access and no leasepool is created on the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To work around the problem, create a leasepool on the BIG-IP system; it does not need to be attached to an access policy.

Fix:
TMM does not core now when using APM network access and no leasepool is created on the BIG-IP system.


497619-6 : TMM performance may be impacted when server node is flapping and persist is used

Component: Performance

Symptoms:
TMM consumes a higher percentage of the CPU resources when handling traffic.

Conditions:
This intermittent issue occurs when a pool member goes up and down when using source_addr persistence.

Impact:
System performance is impacted.

Workaround:
This issue has no workaround at this time.

Fix:
The intermittent performance impact no longer occurs when a pool member goes up and down when using source_addr persistence.


497584-2 : The RA bit on DNS response may not be set

Component: Local Traffic Manager

Symptoms:
Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.

Conditions:
If the system caches a message from the authoritative server without the RD bit, and subsequent queries with RD set find that message, the cached message is not used because its RD bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not for the non-transparent cache.

Impact:
The impact of this issue is that recursion available is not signaled to clients so they may not treat the DNS cache as an available resolver.

Workaround:
To work around this issue, write an iRule that sets the RA bit when the cache is a resolver. The iRule must also check that the origin is CACHE.

Fix:
The RA bit is set for the response when the cache resolver answers the query from the fast path.


497564-2 : Improve High Speed Bridge diagnostic logging on transmit/receive failures

Component: TMOS

Symptoms:
When an HSB transmit or receive failure occurs, no information is provided on the state of the HSB transmit/receive rings prior to the failure.

Conditions:
The HSB experiences a transmit or receive failure.

Impact:
The unit is rebooted.

Workaround:
None.

Fix:
Improved High Speed Bridge diagnostic logging on transmit/receive failures.


497455-1 : Mac Edge Client crashed during routine Network Access.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac crashes during routine Network Access operations.

Conditions:
Edge Client for Mac and BIG-IP v11.6.0. This is a rarely occurring issue. Specific conditions are unknown.

Impact:
Mac Edge Client crashes.

Workaround:
Restart Edge Client for Mac.

Fix:
A rarely occurring issue where BIG-IP Edge Client for Mac would crash randomly during regular Network Access connection has been fixed.


497436-4 : Mac Edge Client behaves erratically while establishing network access connection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not establish a network access connection, or if it can establish a connection, then it drops the connection. A user might see a cycle of connect/re-connect again.

Conditions:
OS X Yosemite, network access, BIG-IP Edge Client for Mac.

Impact:
User cannot establish network access connection.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now establish a connection correctly. An issue with routing table patch coding deleting an essential route has been resolved.


497433-2 : SSL Forward Proxy server side now supports all key exchange methods.

Component: Local Traffic Manager

Symptoms:
The SSL Forward Proxy implementation requires the clientssl and serverssl profiles to configure at least one RSA ciphersuite. If the backend server uses ciphersuites with a key exchange other than RSA (such as ECDHE-ECDSA, ECDH-ECDSA, or DHE-DSS), the connection fails.

Conditions:
RSA key exchange must be used on the server side, meaning that it is not possible for server side SSL to use other key exchange methods (such as ECDHE-ECDSA, ECDH-ECDSA, or DHE-DSS) while the client side still uses RSA key exchange.

Impact:
SSL Forward Proxy on the server side cannot be configured to use all key exchange methods the SSL module supports, and is limited to RSA.

Workaround:
None.

Fix:
SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.

Behavior Change:
SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.


497395-1 : Correctly assign severity to check component alerts

Component: Fraud Protection Services

Symptoms:
Check component alerts can be caused by legitimate browser settings. There is no way to distinguish this from malware alerts.

Conditions:
Check component alerts are sent.

Impact:
Difficult to identify users that are infected with malware.

Workaround:
None

Fix:
Differentiate between low severity and high severity component check alerts.

Behavior Change:
A new DB variable "AntiFraud.ComponentsValidation.Method" has been added that controls the type of request on which the component check is performed (all, get, post, or none).


497389-1 : Extraneous dedup_admin core

Component: Wan Optimization Manager

Symptoms:
There have been some extraneous dedup_admin cores generated during system shutdown.

Conditions:
Race condition during shutdown of vcmp with 2 blades.

Impact:
Extraneous dedup_admin core generated.

Workaround:
None

Fix:
Missing virtual destructor was added.


497376-1 : Wrong use of custom XFF headers when there are multiple matches

Component: Application Visibility and Reporting

Symptoms:
In a specific case of multiple matching XFF headers combined with particular settings, one of the supplied XFF headers is used, but not the desired one.

Conditions:
1. Configuring at least one custom XFF header in the HTTP profile.
2. The incoming request has at least 2 headers that match the custom headers.
3. The DB variable avr.alwaysuselastxff is set to 0.

Impact:
The incoming request is treated as coming from an IP address that is not the desired address; this affects the reports and the identification of this request by the DoS system.

Workaround:
It is possible to write an iRule that compares the XFF headers, removes the unnecessary ones, and keeps only the desired one.

Fix:
The desired XFF header is taken as the one that represents the HTTP request IP address.


497342 : TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.

Component: Advanced Firewall Manager

Symptoms:
Critical system failure due to TMM process restarting.

Conditions:
The following conditions together trigger the TMM crash:

i) An AFM rule match triggers an iRule execution.
ii) The iRule has one (or more) FLOW_INIT event with 2 (or more) commands that result in aborting the connection (e.g., 'drop' followed by 'reject').

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The aforementioned TMM crash has been fixed.


497325-1 : New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment

Component: Access Policy Manager

Symptoms:
New users cannot log in to Windows-based systems after installing BIG-IP Edge client in certain deployments.

Conditions:
This is a rare, environment-based issue.

Impact:
New users cannot log in to Windows-based systems

Workaround:
Remove \F5 Networks\VPN\client.f5c file.

Fix:
A rare, environment-based issue that prevented new users from logging in to Windows-based systems has been fixed.


497311 : Can't add an ICMPv6 type and code to a FW rule.

Component: Advanced Firewall Manager

Symptoms:
Can't add an ICMPv6 type and code to a FW rule.

Conditions:
Choose ICMPv6 as the protocol and try to add a type and code.

Impact:
Firewall Rule Creation Page gets affected.

Workaround:
Use tmsh to add ICMPv6 type and code to a FW rule.

Fix:
GUI now accepts firewall rules specifying ICMPv6 with type and code.


497304-1 : Unable to delete reconfigured HTTP iApp when auto-sync is enabled

Component: TMOS

Symptoms:
When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI:

-- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).
-- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).

Conditions:
Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp.

Impact:
Sync failure. Cannot delete the iApp manually after the error occurs.

Workaround:
Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.

Fix:
Ensure the sFlow data source is removed from an HTTP profile when it is deleted.


497299-5 : Thales install fails if the BIG-IP system is also configured as the RFS

Component: Local Traffic Manager

Symptoms:
Thales install fails.

Conditions:
This occurs when the BIG-IP system is also configured as the RFS.

Impact:
Cannot use Thales HSM with the BIG-IP system.

Workaround:
In the following procedure, when running nethsm-thales-rfs-install.sh, the script returns the IP address used by the RFS server. Use that IP address when running the 'rfs-setup' command. When prompted with: Did you successfully run the above 'rfs-setup' command on the RFS server? (Yes/No), perform the following steps:
1. Open a new SSH connection to the BIG-IP system.
2. Run the following command: /opt/nfast/bin/rfs-setup --force -g --write-noauth x.x.x.x.
3. Return to the nethsm-thales-install.sh SSH screen and answer 'Yes'.
The script should now exit with a success message.

Fix:
Thales install script now runs successfully when the BIG-IP system is also configured as the RFS.


497263-1 : Global whitelist count exhausted prematurely

Component: Advanced Firewall Manager

Symptoms:
You receive an error message with this signature: error 0107181d:3: Cannot create white list entry, maximum limit 8 entries reached.

Conditions:
This can occur when configuring entries on both BIG-IP systems in a sync group and syncing them. The whitelist count may be less than 8, but the error is still generated.

Impact:
You may receive an error message while creating a whitelist entry telling you that you have exceeded the global whitelist count limit.

Workaround:
None

Fix:
An internal inconsistency with the system that oversees the whitelist count has been fixed.


497078-1 : Modifying an existing ipsec policy configuration object might cause tmm to crash

Component: TMOS

Symptoms:
Modifying an existing ipsec policy configuration object might cause tmm to crash

Conditions:
Modifying an existing ipsec policy configuration object that's not associated with any traffic selector that's assigned to an ikev2 ike peer configuration object.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Delete and re-create the ipsec policy mcp object.

Fix:
TMM no longer crashes when a user modifies an existing ipsec policy configuration object.


497065-1 : Linux RPM vulnerability CVE-2013-6435

Vulnerability Solution Article: K16383


497062-1 : PEM configured with BWC doing PEM policy changes could trigger leak

Component: TMOS

Symptoms:
When PEM is configured to use a BWC policy, re-evaluations caused by a PEM policy change in configuration and/or PCRX could leak BWC memory for active flows.

Conditions:
This occurs when the following conditions are met:
-- PEM is configured to use BWC.
-- System is processing active flows.
-- PEM is applying a policy change event for live flows.

Impact:
PEM configured with BWC doing PEM policy changes might trigger leak. Eventual low memory conditions, possibly followed by TMM core and traffic outage.

Workaround:
To work around this issue, complete the following steps:
-- Restart tmm.
-- Upgrade the image.
-- Avoid PEM policy change events for live traffic flows.
-- Attach BWC to the PEM policy after PEM policy change events.

Fix:
In the case in which the PEM policy is modified while the system is processing live traffic, PEM now initiates policy re-evaluation and BWC is attached correctly to the policy, so no memory leak occurs.


496976-2 : Crash when receiving RADIUS message to update PEM static subscriber.

Component: Policy Enforcement Manager

Symptoms:
Crash when receiving RADIUS message to update PEM static subscriber.

Conditions:
1) A large number of PEM static subscribers in the system, for example, 100K.
2) RADIUS messages are sent for these 100K subscribers to update their info.

Impact:
System crash.

Fix:
BIG-IP system no longer crashes when updating the static subscribers with RADIUS messages.


496950-1 : Flows may not be mirrored successfully when static routes and gateways are defined.

Component: Local Traffic Manager

Symptoms:
In certain circumstances, some L4 flows may not be successfully remirrored when a standby BIG-IP comes online. This is a race condition that occurs when multiple routes and/or gateways are defined and the new standby device does not yet have the lasthop information when it receives the mirrored flow.

Conditions:
Using mirroring with layer 4 virtuals, with gateways and/or static routes defined.

Impact:
Not all flows will have been successfully remirrored to the standby device.

Workaround:
Usually "bigstart restart tmm" will recover most or all of the L4 flows. This does not work perfectly all of the time, but is far less likely to encounter the error condition than a "bigstart restart" or "shutdown -r".

Fix:
The standby device ignores the route to the client when accepting mirrored connections. If failover occurs without a route back to the client, the connection will still fail on failover.


496894-1 : TMM may restart when accessing SAML resource under certain conditions.

Component: Access Policy Manager

Symptoms:
When a user performs SAML Identity Provider (IdP)-initiated web single sign-on (Web SSO) using Artifact binding and the Artifact Resolution Service is not configured on IdP, TMM may restart.

Conditions:
This occurs under all of the following conditions:
1. The BIG-IP system is configured as a SAML IdP.
2. The IdP service does not have Artifact Resolution Service configured.
3. The corresponding Service Provider (SP) connector object, which is bound to the IdP, has Artifact binding configured.
4. The SAML Resource from this IdP is published on a webtop.

Impact:
As a result, TMM restarts.

Workaround:
To work around the problem, configure an Artifact Resolution Service and assign it to the IdP object.

Fix:
An issue where TMM would restart under certain conditions is now fixed.


496849-1 : F5 website update retrievals vulnerability

Vulnerability Solution Article: K16090


496845-1 : NTP vulnerability CVE-2014-9296

Vulnerability Solution Article: K15933


496817-1 : Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy

Component: Access Policy Manager

Symptoms:
In a reconnect scenario, Big-IP Edge Client cannot connect to a FirePass server if the tunnel was established through a proxy server.

Conditions:
Proxy is used to create VPN tunnel.
The server is FirePass.

Impact:
The client fails to restore the VPN connection to the FirePass server.

Workaround:
Restart client.

Fix:
Added backward compatibility changes to BIG-IP Edge Client for Windows to work properly with FirePass.


496775-3 : [GTM] [big3d] Unable to mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor

Component: Global Traffic Manager

Symptoms:
[GTM] [big3d] Unable to mark LTM virtual server up if there is another virtual server with same ltm_name for the bigip monitor.

Conditions:
LTM (running BIG-IP software older than v11.2.0) with a virtual server: /Common/http_vip with destination /Common/192.168.10.34:80.

GTM (running BIG-IP software newer than v11.5.0) with this LTM as a BIG-IP Server, and two virtual servers on LTM, one with the original LTM virtual server address and the other with the translated address:
1. name ltm_http_vip :: destination 192.168.10.34:80 :: monitor /Common/bigip.
2. name ltm_http_trans_vip :: destination 10.10.10.34:80 :: translation-address 192.168.10.34:80 :: monitor /Common/bigip.

Impact:
Both virtual servers are marked up for a brief interval. After a few minutes, one of them is marked down.

Workaround:
You can use either of the following workarounds:
-- Use a monitor other than bigip.
-- Replace /shared/bin/big3d on the LTM system with a copy of big3d from version 11.2.1 or later.

Fix:
The BIG-IP health monitor no longer incorrectly marks down virtual servers with a duplicate ltm-name when there are BIG-IP GTM systems with differing software versions monitoring BIG-IP LTM virtual servers using the bigip monitor.


496758-5 : Monitor Parameters saved to config in a certain order may not construct parameters correctly

Component: Local Traffic Manager

Symptoms:
When configuring both a monitor and a child monitor, if the two monitors are saved in reverse order, the default monitor parameters will not be created.

For example:

ltm monitor tcp /Common/child {
    defaults-from /Common/parent
    destination *:990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Some of the default parameters for the above configuration will not be created upon loading config.

Conditions:
This occurs when there are at least two monitors, and the child custom monitor appears before the parent monitor. The parent must derive from a root monitor, and the child must derive from the parent monitor.

Impact:
Possible undefined behavior in bigd, and failing iControl calls. On performing a 'tmsh load sys config verify' the system posts an error message similar to the following: 01070740:3: Performance monitor /Common/http-a may not have the manual resume feature. Unexpected Error: Validating configuration process failed.

Workaround:
A possible workaround involves switching the order of the monitors in the config file. This can either be accomplished manually, or by naming things in alphabetical order, such that the parent precedes the child:

ltm monitor tcp /Common/aaa_parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/bbb_child {
    defaults-from /Common/aaa_parent
    destination *:990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Fix:
The system now handles a configuration in which a child custom monitor precedes its parent, so that monitor parameters are constructed properly.


496679-5 : Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.

Component: TMOS

Symptoms:
After renaming a CM device object, or performing an upgrade from a version prior to 11.4.0, configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.

Conditions:
This issue occurs when one of the following conditions is met:

-- You load the BIG-IP configuration.
-- You upgrade the BIG-IP system software.
-- You perform a configuration synchronization (ConfigSync) operation for the device group.

The 'default-device' attribute has been deprecated beginning in 11.4.0 in favor of new functionality. Prior to 11.4.0, default-device was used to specify the device-group member that failback tries to make active.

From 11.4.0 and later, when auto-failback is enabled, the system uses the first member of the 'Failover Order' ('ha-order' in tmsh).

In 11.4.0 and later, this field is not used, but will fail validation if it contains a value that does not reference the name of an existing device-group member, or the value 'none'.

Impact:
Although the configuration can be saved, it fails when being loaded (for example, in response to a ConfigSync operation, during software upgrade, or when running the command: 'tmsh load sys config').

Workaround:
Modify any traffic-group default-device attributes that refer to the now-deprecated default-device name.

Note: The system does not use this value, regardless of how you set it.

To work around this issue, you can modify the traffic-group default-device attribute to refer to default-device none. To do so, perform the following procedure:

1. Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

2. To list the configured default device for a traffic group, use the following command syntax:
list /cm traffic-group <traffic group name>

For example, to list the configured default device for traffic-group-1, type the following command:

list /cm traffic-group traffic-group-1

3. Use none as the default device for your traffic group using the following command syntax:
modify cm traffic-group <traffic group name> default-device <default device name>

For example, to modify your default device to none for traffic-group-1, type the following command:

modify cm traffic-group traffic-group-1 default-device none

4. Save the configuration changes by typing the following command:
save /sys config

Fix:
Renaming a device also renames the associated traffic-group's default device, so configuration load now completes successfully.
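
The two configuration problems above (ID 496758-5, a child monitor saved before its parent, and ID 496679-5, a traffic-group default-device that names a device which no longer exists) can both be spotted in a saved bigip.conf before it is loaded. The following is an added example, not F5 code: a small Python checker that parses top-level tmsh-style stanzas from a constructed config fragment and reports both conditions. It assumes the one-object-per-stanza layout shown in the entries above, skips nested blocks, and treats any defaults-from target that is not defined in the file as a root monitor (such as /Common/tcp) that needs no ordering check. The sample config and the device names in it are constructed for the example.

```python
"""Static pre-load check for two bigip.conf problems described in this release note.

Added example, not F5's code. It flags:
  1. an ltm monitor whose defaults-from parent is defined later in the file
     (the child-before-parent ordering of ID 496758-5), and
  2. a cm traffic-group whose default-device is neither 'none' nor a device
     defined in the file (the invalid value of ID 496679-5).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Stanza:
    kind: str                                  # e.g. "ltm monitor tcp" or "cm traffic-group"
    name: str                                  # e.g. "/Common/child"
    attrs: dict = field(default_factory=dict)  # depth-1 "key value" lines only


# A top-level stanza header: one or more keyword tokens, the object name, then "{".
_OPEN = re.compile(r"^(?P<kind>[\w-]+(?: [\w-]+)*) (?P<name>\S+) \{$")


def parse_stanzas(text):
    """Parse top-level stanzas; nested blocks are skipped, not parsed."""
    stanzas, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            m = _OPEN.match(line)
            if m:
                current = Stanza(m.group("kind"), m.group("name"))
                stanzas.append(current)
                depth = 1
            continue
        if line.endswith("{"):        # nested block begins
            depth += 1
            continue
        if line == "}":               # block ends
            depth -= 1
            if depth == 0:
                current = None
            continue
        if depth == 1 and current is not None:
            key, _, value = line.partition(" ")
            current.attrs[key] = value
    return stanzas


def misordered_monitors(stanzas):
    """(child, parent) pairs where the child monitor precedes its custom parent."""
    monitors = [s for s in stanzas if s.kind.startswith("ltm monitor ")]
    position = {s.name: i for i, s in enumerate(monitors)}
    problems = []
    for i, s in enumerate(monitors):
        parent = s.attrs.get("defaults-from")
        # Parents not defined in the file are root monitors; nothing to order.
        if parent in position and position[parent] > i:
            problems.append((s.name, parent))
    return problems


def invalid_default_devices(stanzas):
    """(traffic-group, default-device) pairs whose device is not 'none' or a defined cm device."""
    devices = {s.name for s in stanzas if s.kind == "cm device"}
    problems = []
    for s in stanzas:
        if s.kind != "cm traffic-group":
            continue
        dev = s.attrs.get("default-device")
        if dev is not None and dev != "none" and dev not in devices:
            problems.append((s.name, dev))
    return problems


def check_config(text):
    stanzas = parse_stanzas(text)
    return {
        "misordered_monitors": misordered_monitors(stanzas),
        "invalid_default_devices": invalid_default_devices(stanzas),
    }


# Constructed sample: the device was renamed, but traffic-group-1 still names
# the old device; the child monitor is saved before its parent.
SAMPLE_CONFIG = """\
cm device /Common/bigip1-renamed.example.com {
    hostname bigip1-renamed.example.com
}
cm traffic-group /Common/traffic-group-1 {
    default-device /Common/bigip1.example.com
}
cm traffic-group /Common/traffic-group-local-only {
    default-device none
}
ltm monitor tcp /Common/child {
    defaults-from /Common/parent
    destination *:990
    interval 5
    timeout 16
}
ltm monitor tcp /Common/parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    timeout 16
}
ltm monitor tcp /Common/ok_child {
    defaults-from /Common/parent
    destination *:*
}
"""

if __name__ == "__main__":
    for kind, items in check_config(SAMPLE_CONFIG).items():
        for obj, ref in items:
            print(f"{kind}: {obj} -> {ref}")
```

Run it against a copy of the saved configuration before 'tmsh load sys config verify'; each reported monitor pair is a candidate for the rename-to-reorder workaround above, and each reported traffic-group is one to set to 'default-device none'.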


496588-1 : HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash

Component: Local Traffic Manager

Symptoms:
TMM may restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed a problem that occurred when extracting request headers. This problem could sometimes cause TMM to crash.


496565-1 : Secondary Blades Request a Sync

Component: Application Security Manager

Symptoms:
Secondary blades request an ASM sync, producing log noise such as "ASM is now entering sync recovery state. Requesting complete configuration from", and needless sync work is done.
This issue does not affect enforcement or the actual sync state of the devices, it is just requesting extra synchronizations when they may not be needed.

Conditions:
Secondary blade restarts in unsynchronized mode.

Impact:
Unnecessary sync events are created.

Workaround:
Restarting the asm_config_server process on the secondary blade should alleviate the issue, but it may recur.

Fix:
To optimize the system, DSC synchronization is no longer requested from secondary blades. This issue did not affect enforcement or the actual synchronization state of the devices.


496560-1 : AVR and APM: TMM crashes (additional fixes for ID 480350)

Component: Application Visibility and Reporting

Symptoms:
tmm can crash with AVR configured.

Conditions:
AVR and APM are used together.

Impact:
Traffic disrupted while tmm restarts.

Fix:
We fixed an issue that intermittently caused TMM to crash when APM and AVR are provisioned together.
This fix is additional to the one provided in ID 480350.


496498-3 : Firewall rule compilation will fail in a certain scenario when there are multiple scheduled AFM rules and one of the non-scheduled AFM rules is modified.

Component: Advanced Firewall Manager

Symptoms:
Firewall rule compilation will fail and the following message will appear in /var/log/ltm:

Serialization failed: No Blobs available.

pktclass-daemon will transition into the failed state, and any further firewall rule modifications will be rejected until corrective action is taken.

Conditions:
For this issue to manifest, the following conditions suffice:

i) Multiple scheduled firewall rules are present (expiring at different intervals).
ii) Non-scheduled firewall rules are present.
iii) Any non-scheduled firewall rule is modified between the expiry times of any two scheduled rules.

Impact:
Firewall rule compilation will fail and pktclass-daemon will go into the failed state, causing any further firewall rule update to be ignored until user-initiated corrective action is taken.

Fix:
The aforementioned incorrect behavior has been fixed.


496449-1 : APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources.

Component: Access Policy Manager

Symptoms:
APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources.

Conditions:
N/A, this release note describes an enhancement.

Impact:
N/A

Fix:
APM supports using session variables for the destination address in Citrix and VMware View remote desktop resources by configuring %{session.logon.last.domain} in the remote-desktop resource.


496447-1 : APM does not apply route domain configured in visual policy editor to Citrix/VMware View connections when their backends are specified as hostname/IP address.

Component: Access Policy Manager

Symptoms:
APM does not apply the route domain that is configured in visual policy editor to Citrix or VMware View connections when the Citrix or the VMware View backend is specified in the resource using a hostname or an IP address.

Conditions:
Citrix or VMware View resources are configured, and they use route domains.

Impact:
Traffic is not sent to the resource's route domain.

Fix:
APM applies the route domain that is configured in visual policy editor to Citrix or VMware View connections when the Citrix or the VMware View backend is specified in the resource using a hostname or an IP address.

Note that if the virtual server and the resource are in different route domains and the route domains have strict isolation mode, you may see an error in the LTM log:
err tmm[18245]: 01230140:3: RST sent from 172.29.74.80:443 to 172.29.68.233:54767, [0x1f2920c:1989] Route domain not reachable (strict mode)

To correct this, ensure you set the virtual server route domain to be the parent of the resource route domain.


496441-1 : APM does not apply route domain configured in visual policy editor to Java AppTunnel connections.

Component: Access Policy Manager

Symptoms:
APM does not apply route domain configured in visual policy editor to Java AppTunnel connections.

Conditions:
This can be encountered if your Java AppTunnel connections are using route domains.

Impact:
Unable to configure or use the route domain.

Fix:
In this release you can configure a route domain in the visual policy editor for Java AppTunnel connections.


496440-1 : APM does not apply route domain configured in visual policy editor to Java RDP connections.

Component: Access Policy Manager

Symptoms:
APM does not apply route domain configured in visual policy editor to Java RDP connections.

Conditions:
This is encountered if your Java RDP connections are configured to use route domains.

Impact:
You will be unable to configure a route domain for the resource.

Fix:
You can now configure a route domain in the visual policy editor for Java RDP connections.


496278-2 : Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name

Component: Advanced Firewall Manager

Symptoms:
Disabling/enabling Rule within Rule List causes disabling/enabling of a different but same-named Rule in a single Policy on the Active Rule Page in the GUI.

Conditions:
This only happens if the Rule names are the same within a single policy.

Impact:
Potentially, the incorrect Rule is disabled.

Workaround:
Make sure Rules have different names.

Fix:
The system now enables/disables only the selected Rule, regardless of the existence of other, same-name Rules in the policy.


496264-1 : SOAP Methods Were Not Being Validated For WSDL Based XML Profiles

Component: Application Security Manager

Symptoms:
After configuring an XML Content Profile from a WSDL file, the system was not validating the SOAP Methods.

Conditions:
WSDL Based XML Content Profiles with SOAP Methods are used on the system.

Impact:
SOAP Traffic was not properly validated.

Workaround:
None

Fix:
WSDL based XML Content Profiles are now enforced correctly.


496036 : GUI throws an error in some situations when an ASM policy is assigned to virtual server

Component: Advanced Firewall Manager

Symptoms:
When attempting to apply an ASM policy to a virtual server that is using LTM forwarding, the GUI returns an error: An error has occurred while trying to process your request.

Conditions:
This occurs when navigating to Local Traffic :: Virtual Servers : Virtual Server List :: 'http_vip' :: Security :: Policies...

Impact:
The system posts an error: An error has occurred while trying to process your request.

Workaround:
None.

Fix:
When attempting to apply an ASM policy to a virtual server that is using LTM forwarding, the GUI no longer returns an error: An error has occurred while trying to process your request.


496011-1 : Resets when session awareness enabled

Component: Application Security Manager

Symptoms:
A connection reset may occur when a transaction takes a long time (more than 10 seconds in total from the request start to the response end).

Conditions:
The session tracking feature is turned on and a long transaction occurs.

Impact:
A connection reset.

Workaround:
Turn off session tracking.

Fix:
Connection resets no longer occur when session awareness is enabled and the server response takes a long time.


495928-5 : APM RDP connection gets dropped on AFM firewall policy change

Component: Advanced Firewall Manager

Symptoms:
An active RDP connection over an APM VPN tunnel gets dropped when an administrator makes a change to the AFM firewall policy.

Conditions:
APM tunnel and its application connections are subject to AFM firewall policy.

Impact:
RDP session disconnects and automatically reconnects.

Workaround:
Add an Allow rule to the firewall policy for destination TCP port 3389.

Fix:
RDP connections no longer get dropped during AFM firewall policy changes.


495913-2 : TMM core with CCA-I policy received with uninstall

Component: Policy Enforcement Manager

Symptoms:
If a CCA-I is received with a Charging-Rule-Remove AVP for the session, TMM cores.

Conditions:
CCA-I message received with a Charging-Rule-Remove AVP.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed the tmm crash when CCA-I with policy uninstall is received.


495901-3 : Tunnel Server crash if probed on loopback listener.

Component: Access Policy Manager

Symptoms:
VPN client might disconnect and reconnect.

Conditions:
An unexpected request is sent on the tunnel server loopback listener.

Impact:
Tunnel server crashes resulting in VPN disconnection and reconnection.

Workaround:
None.

Fix:
An additional check is now performed in the tunnel server before it accepts an incoming connection.


495875-2 : Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic

Component: Local Traffic Manager

Symptoms:
TMM might experience an infinite loop when selecting an available node for load balancing under heavy traffic conditions.

Conditions:
This occurs when the connection limit is specified for nodes, and there is heavy traffic.

Impact:
This causes a 10-second TMM heartbeat failure and a SIGABRT in TMM. The device goes offline and traffic processing is disrupted.

Workaround:
None.

Fix:
Connection limit on nodes now works correctly, and no longer causes tmm to loop indefinitely with heavy traffic.


495865-2 : iApps/tmsh cannot reconfigure pools that have monitors associated with them.

Component: TMOS

Symptoms:
iApps are unable to reconfigure pools that have monitors associated with them.

Conditions:
Using tmsh or iApps in the GUI to reconfigure the pool monitor (for example, changing the monitor from 'http' to 'none').

Impact:
Monitor change does not occur. GUI or tmsh might post an error similar to the following: Monitor rule not found.

Workaround:
None.

Fix:
Users can now remove a monitor from a pool / set it to 'none' through tmsh or a GUI iApp transaction.


495862-1 : Virtual status becomes yellow and gets connection limit alert when all pool members forced down

Component: TMOS

Symptoms:
Invalid display of virtual status.

Conditions:
All pool members are forced down and the pool member's connection limit has been reached.

Impact:
Virtual monitor status becomes yellow and receives the following connection limit alert: The pool member's connection limit has been reached.

Workaround:
None.

Fix:
Virtual status now stays red if all the pool members are down.


495836-2 : SSL verification error occurs when using server side certificate.

Component: Local Traffic Manager

Symptoms:
SSL gets stuck at the signature check for server-side certificates and therefore cannot complete the SSL handshake.

Conditions:
This issue occurs when the following conditions are met:
1. The backend server is Microsoft IIS or Netty.
2. serverSSL profile requires server side certificate authentication.

Impact:
SSL handshake fails. The handshake hangs until the timeout.

Workaround:
To work around this issue, you can configure the back-end Netty based SSL servers to use a Certificate Authority (CA) signed certificate. Otherwise, do not use 'peer-cert-mode require'.

Fix:
SSL verification error no longer occurs when using server side certificate.


495744-1 : Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards

Component: Application Visibility and Reporting

Symptoms:
Some fields of user defined filters from older versions cannot be loaded in the new version, after an upgrade.

Conditions:
Custom user filter is defined. Most common when Source Client IP field is set.

Impact:
Filters cannot be applied correctly due to values not being recognized.

Workaround:
Before upgrade, the filters should be manually saved, and later on re-created on the new version.

Fix:
A better value upgrade has been implemented, and a warning message is displayed to the user about the situation.


495702-4 : Mac Edge Client cannot be downloaded sometimes from management UI

Component: Access Policy Manager

Symptoms:
Sometimes BIG-IP Edge Client for Mac cannot be downloaded from the management GUI.

Conditions:
Mac Edge Client, BIG-IP management UI.

Impact:
Mac Edge Client cannot be downloaded.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now be downloaded from the connectivity profile screen of the APM GUI.


495698-3 : iRule can be deleted even though it exists in a rule-list

Component: Advanced Firewall Manager

Symptoms:
The rule-list will reference a non-existent iRule.

Conditions:
Have a rule-list that contains an iRule, and then delete that iRule.

Impact:
iRule will no longer have an effect, even though it still appears to be contained in the rule-list.

Workaround:
Do not delete an iRule if it is referenced by a rule-list.

Fix:
Introduced validation to ensure that a referenced iRule cannot be deleted.


495588-5 : Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases

Component: Local Traffic Manager

Symptoms:
Configuration fails with Syntax Error after upgrading to 11.5.0 from pre-11.5.0 releases.

Conditions:
When upgrading from a pre-11.5.0 release to version 11.5.0, the key/cert have an extra period in the name (for example mykey..key and mycert..crt). Beginning with version 11.5.0, multiple key/cert pairs are associated with one clientssl, so each key/cert pair has a name. During upgrade, the system provides a name for each key/cert, which can cause problems if the existing key/cert name contains a period character.

Impact:
Configuration load fails, and the system posts the alert: Syntax Error:(/config/bigip.conf at line: 12) one or more configuration identifiers must be provided.

Workaround:
Manually edit the bigip.conf to add a title for the cert-key-chain, and then run the command: tmsh load sys config.

Fix:
Before v11.5.0, Clientssl profile only supports one key/cert pair, no name associated with the key/cert pair. In v11.5.0, multiple key/cert pairs are associated with one clientssl, so each key/cert pair has a name.


495574-3 : DB monitor functionality might cause memory issues

Component: Local Traffic Manager

Symptoms:
TMM restarts continuously.

Conditions:
DB monitors configured

Impact:
System stops responding. System posts message: notice panic: FATAL: mmap of: /dev/mprov/tmm/tmm.4 length 1480589312 offset 4441767936 failed 12 (Cannot allocate memory).

Workaround:
Either kill the DB monitor java process or issue a bigstart restart.

Fix:
DB monitor functionality might cause memory issues.


495557-1 : Ephemeral node health status may report as 'unknown' rather than the expected 'offline'

Component: Local Traffic Manager

Symptoms:
Ephemeral node health status may report as 'unknown' rather than the expected 'offline'.

Conditions:
Change the monitor rule on the node several times.

Impact:
Node may be in unknown status when it should be offline.

Workaround:
Reset bigd.

Fix:
Ephemeral node health status now reports 'offline' rather than 'unknown' in cases in which the monitor is offline.


495526-1 : IPsec tunnel interface causes TMM core at times

Component: TMOS

Symptoms:
If users choose to modify the tunnel interface attributes, such as the MTU value, TMM cores. This can occur regardless of whether traffic has flowed through the tunnel.

Conditions:
When IPsec tunnel interface has its configuration modified.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid modifying the IPsec tunnel interface. Configure the IPsec tunnel interface in one step, using either create or delete.

Fix:
TMM no longer cores if users choose to modify the tunnel interface attributes, such as MTU value.


495525-1 : iApps fail when using FQDN nodes in pools

Component: iApp Technology

Symptoms:
Use of FQDN nodes causes errors in almost all F5-supported iApps.

Conditions:
1. Create an FQDN node named "foo" that refers to the FQDN "www.foo.com".
2. Create an iApp instance using the attached ephemeral_example template.
3. Enter "foo" when prompted by the iApp for a node name.
4. Click "finished" and observe the pool in the component view.
5. Click "reconfigure".
6. Click "finished".

Impact:
iApp will throw an error: "0107189b:3: Cannot delete ephemeral object: /Common/foo-173.194.33.144."

Workaround:
none

Fix:
The iApp mark-and-sweep framework should be modified to ignore ephemeral pool members when modifying iApp-managed pools.


495443-4 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.


495432-2 : Add new log messages for AFM rule blob load/activation in datapath.

Component: Advanced Firewall Manager

Symptoms:
Prior to the fix, when the AFM rule blob is compiled and serialized by pktclass-daemon and TMM is notified to activate it in the datapath, there is no visibility into whether the activation failed or succeeded.

Conditions:
An AFM rule serialization message is processed by TMM.

Impact:
The end user has no visibility into whether the AFM rule serialized blob is successfully being used in the datapath.

Workaround:
None

Fix:
With the fix, a message is now logged in /var/log/ltm when the AFM rule serialized blob is activated in the datapath.


495390-4 : An error occurs on Active Rules page after attempting to reorder Rules in a Policy

Component: Advanced Firewall Manager

Symptoms:
An error occurs on Active Rules page after attempting to reorder Rules in a Policy: "An error has occurred while trying to process your request."

Conditions:
Attempting to reorder rules if they span more than one page.

Impact:
You cannot reorder the rules, and an error message is displayed, "An error has occurred while trying to process your request."

Fix:
Reordering of rules is now working.


495336-1 : Logon page is not displayed correctly when 'force password change' is on for local users.

Component: Access Policy Manager

Symptoms:
Logon page is not displayed correctly when 'force password change' is on for local users.

Conditions:
When more than one logon page is configured in the Access policy, and the administrator sets 'Force Password Change' in the local user account database.

Impact:
Although it is correct behavior to require an initial password change and to require a logon after changing the password, the expected first page is a one-time password-change request, not the same change-password page displayed twice.

Workaround:
The current workaround is to add 'Variable Assign' agent in the LocalDB Auth Successful branch with a custom variable, for example: session.logon.page.challenge = expr { 0 }.

Fix:
The system now shows the correct logon page after the successful password change.


495335-1 : BWC related tmm core

Component: TMOS

Symptoms:
tmm coredumps while BWC is processing packets.

Conditions:
BWC is being enabled on a virtual server that does not have any BWC iRules enabled. Reasons for this are being investigated.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Avoid a divide by zero while computing average packet size.


495319-3 : Connecting to FirePass with APM Edge Client causes corporate network to be inaccessible

Component: Access Policy Manager

Symptoms:
Connecting to FirePass with a BIG-IP Edge Client for Mac that was downloaded from APM might not provide complete network access.

Conditions:
APM Edge Client, FirePass server, network access connection.

Impact:
Incomplete network access.

Workaround:
None.

Fix:
All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.


495273-1 : LDAP extended error info only available at debug log level which could affect Branch rules

Component: Access Policy Manager

Symptoms:
The LDAP session variable contains only a simple error message at INFO log level; DEBUG log level is required to display the full error message. This variable is displayed in the logon page after a logon failure.

Conditions:
LDAP Auth/Query is configured and extended error details are needed at a non-debug log level.

Impact:
Branch rules in visual policy editor based on extended error message will not work correctly in 11.6.

Fix:
A new session variable is introduced: session.ldap.last.errmsgext, which contains extended error information at any log level. The existing session.ldap.last.errmsg variable contains only a simple error message (decoded error code).

Behavior Change:
A new session variable is introduced, session.ldap.last.errmsgext, which contains extended error information at any log level. The existing session.ldap.last.errmsg variable now contains only a simple error message (decoded error code). Branch rules in visual policy editor based on extended error message will not work correctly.


495265-1 : SAML IdP and SP configured in same access profile not supported

Component: Access Policy Manager

Symptoms:
SLO might not work properly under certain conditions.
When a user attempts to start SLO, the connection gets reset. The system logs messages such as the following: RST sent from x.x.x.x:433 to x.x.x.x:xxxx, [0xxxxxx:xxx] Internal error ((APM::SSO) Error in reading sp info from session db failed)

Conditions:
All conditions must be met:

1. Both BIG-IP as SP and BIG-IP as IdP are configured on the same access profile.
2. SLO is configured for both BIG-IP as IdP and BIG-IP as SP.
3. SLO is executed in multiple TCP sessions between the user's browser and the BIG-IP system.

Impact:
SLO is not properly executed; the user's session might not be terminated.

Workaround:
None.

Fix:
A problem with SAML single-logout has been fixed.


495253-1 : TMM may core in low memory situations during SSL egress handling

Component: Local Traffic Manager

Symptoms:
TMM may core in low memory situations during SSL egress handling.

Conditions:
This occurs when the following conditions are met:
-- Low memory.
-- SSL connections.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores in low-memory situations during SSL egress handling.


495030-1 : Segfault originating from flow_lookup_nexthop.

Component: Local Traffic Manager

Symptoms:
Segfault originating from flow_lookup_nexthop when neighbor_resolve is not able to determine the next hop.

Conditions:
Memory pressure or error condition.

Impact:
TMM cores and the tmm instances restart.

Fix:
Segfault originating from flow_lookup_nexthop problem has been corrected.


494978-1 : The hostagentd daemon should not be running in non-vcmp mode.

Component: TMOS

Symptoms:
The hostagentd daemon is running when vCMP is not provisioned.

Conditions:
This issue occurs on all platforms that support vCMP.

Impact:
In non-vCMP mode, hostagentd is an unnecessary system process. It may use a small amount of memory and CPU but does not otherwise impact system performance or traffic passing.

Workaround:
Hostagentd may be disabled by issuing 'bigstart disable hostagentd' on all blades of a chassis or on an appliance system.

Fix:
The hostagentd daemon is no longer started when the BIG-IP system is not provisioned for vCMP.


494977-2 : Rare outages possible when using config sync and node-based load balancing

Component: Local Traffic Manager

Symptoms:
In rare circumstances it is possible for tmm to experience an outage when processing traffic and using config sync. This is rare and appears to be related to a combination of config sync and processing traffic shortly after the tmm is brought online.

Conditions:
Using config sync and node-based load balancing. This has only been observed early in traffic processing during a config sync; it does not appear to be related to how long the tmm has been online (e.g., online and not processing traffic or online in standby does not seem to make any difference; however, issuing a config sync and failing over at the same time might cause this to occur.)

Impact:
Interruption in service or HA failover.

Fix:
Fixed an error that rarely occurred when using config sync and node-based load balancing early in traffic processing.


494796 : Unable to create GTM Listener with non-default protocol profile.

Component: Global Traffic Manager

Symptoms:
Attempting to create a GTM Listener with anything other than a default protocol profile causes a duplicate profile error.

Conditions:
Create a GTM Listener with a protocol profile other than udp_gtm_dns or tcp.

Impact:
GTM listener creation does not complete.

Workaround:
Create a GTM Listener using a default protocol profile, and then modify the protocol profile settings.

Fix:
You can now create a GTM Listener with a non-default protocol profile.


494743-1 : Port exhaustion errors on VIPRION 4800 when using CGNAT

Component: Carrier-Grade NAT

Symptoms:
You may see the following on a VIPRION 4800 platform configured to use LSN deterministic NAT:

crit tmm3[12240]: 01010201:2: Inet port exhaustion on ...

Conditions:
VIPRION 4800 platform with multiple blades using LSN deterministic NAT.

Impact:
DNAT port exhaustion alert.

Workaround:
Change LSN Pool members for LSN deterministic NAT pools, which will trigger a deterministic NAT data rebuild.

Fix:
TMM translations after blade failure or startup can be properly reverse-mapped by dnatutil, which fixes the port exhaustion alerts.


494735-1 : SSLv3 vulnerability CVE-2014-3566

Vulnerability Solution Article: K15702


494637-2 : localdbmgr process in constant restart/core loop

Component: Access Policy Manager

Symptoms:
The localdbmgr process keeps crashing repeatedly.

Conditions:
The issue is caused by corruption of the contents stored in memcache. The conditions under which the memory corruption occurs are not reproducible; this is a rarely occurring issue.

Impact:
The localdbmgr process crashes repeatedly.

Workaround:
None.

Fix:
The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.


494565-4 : CSS patcher crashes when a quoted value consists of spaces only

Component: Access Policy Manager

Symptoms:
CSS content that contains only spaces between quotes causes the rewrite engine to crash.

Example:
...
background: url(' ') // some spaces between quotes
...

Conditions:
The problem occurs whenever CSS content contains a quoted value that consists of spaces only.

Impact:
A rewrite crash, which can lead to web application malfunction.

Workaround:
To work around this issue, create an iRule that removes the spaces between the quotes.


494367-2 : HSB lockup after HiGig MAC reset

Component: TMOS

Symptoms:
HSB lockups can occur after a HiGig MAC reset on BIG-IP 5000/7000-series and 10250 platforms.

Conditions:
-- HiGig MAC reset.
-- BIG-IP 5000/7000-series and 10250 platforms.

Impact:
An HSB lockup results in a NIC failsafe and reboot of the unit.
The system posts messages similar to the following in the LTM log:
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is DOWN.
-- bcm56xxd[8161]: 012c0012:6: Reset HSBe2 (bus 1) HGM0 MAC completed on higig2 link 4.1 down event.
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is UP. ...
-- tmm2[13842]: 01230111:2: Interface 0.3: HSB DMA lockup on transmitter failure.

Workaround:
None.

Fix:
HSB lockups no longer occur after a HiGig MAC reset on BIG-IP 5000/7000-series and 10250 platforms.


494322-6 : The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used

Component: Local Traffic Manager

Symptoms:
If the flow inside an HTTP_REQUEST event raised by the explicit proxy has expired, TMM may crash.

Conditions:
The explicit proxy is configured for HTTP, and the HTTP_REQUEST iRule event is used.

Impact:
If state-changing commands are used within the HTTP_REQUEST event raised by the explicit proxy, they may not work correctly, and TMM might crash.

Workaround:
Avoid the HTTP_REQUEST event if possible.

Fix:
TMM no longer crashes under load when the HTTP_REQUEST iRule handler is used with the explicit proxy. HTTP state-changing commands used within HTTP_REQUEST on the explicit proxy now work correctly.


494319-1 : Proxy SSL caused tmm to core by dereferencing a null pointer

Component: Local Traffic Manager

Symptoms:
When server-side SSL decides to 'passthrough' the traffic, it requests that the client side convert itself to 'passthrough' mode, but the client-side SSL is already in a closing state (due to timeout).

Conditions:
When both Proxy SSL and Proxy SSL Passthrough are enabled.
Proxy SSL changes to passthrough mode, but the client side is closed or has timed out.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now checks that the connection is not in the closing state before updating the statistics.


494305-3 : [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.

Component: Global Traffic Manager (DNS)

Symptoms:
The GUI cannot be used to remove the alphabetically first virtual server from a virtual server's dependency list when the list contains multiple virtual servers.

Conditions:
Virtual server with several dependency virtual servers configured.

Impact:
Cannot manage virtual server dependency list using GUI as expected.

Workaround:
Use the corresponding tmsh commands to manage the virtual server dependency list.

Fix:
You can now use the GUI to remove the alphabetically first virtual server from the dependent list of virtual servers.


494284-3 : Mac Edge Client, with primary language of German shows unneeded text shown under disconnected status.

Component: Access Policy Manager

Symptoms:
With BIG-IP Edge Client for Mac, when the primary language is set to German on the Mac, the text shown under the disconnected status contains extra, unneeded text.

Conditions:
Edge Client for Mac, when the primary language is set to German on the Mac.

Impact:
Shows the following message: 'Um eine Verbindung herzustellen, wählen Sie aus dem Menü oben einen Server aus, und klicken Sie dann auf die Schaltfläche 'Auto-Verbindung' oder 'Verbinden' sichern und Werner der Seite standen aufs Auge drücken als Schadenersatz einer Woche kein Telefonat erneute.'

Workaround:
None.

Fix:
For BIG-IP Edge Client for Mac with primary language of German, the content that displays under disconnected status is now correct, without any unneeded text.


494280-3 : TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel.

Conditions:
PPTP-ALG and CGNAT on a chassis system when a blade has been added with a stale PPTP tunnel.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The system now drops the new flow/tunnel and allows it to clean up, so TMM no longer crashes when PPTP finds a redirected flow when checking for an existing tunnel.


494189-1 : Poor performance in clipboard channel when copying

Component: Access Policy Manager

Symptoms:
The JavaRDP client hangs when a user tries to copy a very large text fragment into the clipboard.

Conditions:
A user tries to copy a very large text fragment.

Impact:
The JavaRDP client lags or hangs while copying. In the worst case, the user must close and reconnect the JavaRDP client.

Workaround:
None.

Fix:
The clipboard channel now has significantly better performance.


494176-5 : Network access to FP does not work on Yosemite using APM Mac Edge Client.

Component: Access Policy Manager

Symptoms:
If APM BIG-IP Edge Client for Mac on OS X Yosemite attempts to connect to FirePass, network access cannot be established.

Conditions:
APM Edge Client for Mac on OS X Yosemite connecting to FirePass.

Impact:
Network access cannot be established with FirePass.

Workaround:
None.

Fix:
Network access can now be established with FirePass using APM BIG-IP Edge Client for Mac on OS X Yosemite.


494122-2 : Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT HSL state information is not usable by dnatutil, resulting in an "Unparseable line" error.

Conditions:
Deterministic NAT and HSL logging for LSN pool on a VIPRION B4300 blade.

Impact:
Cannot use the HSL logged state information for dnatutil.

Workaround:
Use LTM logged deterministic NAT state information.

Fix:
Deterministic NAT state information from HSL is now usable on VIPRION B4300 blades.


494098-6 : PAC file download mechanism race condition

Component: Access Policy Manager

Symptoms:
The PAC file download mechanism might encounter a race condition if /etc/hosts is patched with a static entry for the host that serves the PAC file.

Conditions:
/etc/hosts is patched with a static entry for the host that serves the PAC file.

Impact:
Proxy PAC file fails to download.

Workaround:
Add a delay to the proxy PAC file download to avoid the race condition.

Fix:
The PAC file download mechanism now avoids the race condition when /etc/hosts is patched with a static entry for the host that serves the PAC file.


494088-4 : APD or APMD should not assert when it can instead log an error message before exiting.

Component: Access Policy Manager

Symptoms:
APD or APMD asserts and exits without logging error messages to aid in debugging the error.

Conditions:
In some rare situations (for example, 'access profile not found' or a failure in 'loading policy object'), APD or APMD asserts. This results in dumping core.

Impact:
APD or APMD restarts and produces a core file.

Workaround:
None.

Fix:
Now, in the rare situations where APD or APMD previously asserted, the system logs proper error messages before exiting. APD or APMD then restarts.


494078-4 : Update Check feature can be the target of a man-in-the-middle attack

Vulnerability Solution Article: K16090


493993-6 : TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module

Component: Access Policy Manager

Symptoms:
On a standby unit, TMM dumps core files when it is starting up and continues to do so when the active unit is handling traffic in the APM module.

Conditions:
The issue happens on APM systems when high availability is configured and the following conditions are met:
1. The active device is busy processing traffic.
2. Some sessions on the active device are terminated.
3. The TMM in standby device is starting up.

Impact:
TMM on the standby device crashes with SEGV, so existing sessions are not stored on the standby device and users have to log in again should failover occur.

Fix:
In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device. TMM on the standby no longer dumps core files on startup.


493825-1 : Upgrade failure from version 11.4.0 due to incorrect configuration being saved

Component: Application Visibility and Reporting

Symptoms:
After saving a custom filter based on a client IP address in the Requests logs, loading the configuration, or upgrading from it, might fail.

Conditions:
After saving a custom filter based on a client IP address in the Requests logs.

Impact:
Configuration is not loaded.

Workaround:
Edit /config/bigip.conf, search for the following line, and delete it: values { \? }.

Fix:
After saving a custom filter based on a client IP address in the Requests logs, loading the configuration, or upgrading from it, now completes successfully.


493807-5 : TMM might crash when using PPTP with profile logging enabled

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using PPTP with profile logging enabled.

Conditions:
This occurs when the following conditions are met:
-- PPTP-ALG with log profile enabled.
-- CGNAT configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable logging from the PPTP profile.

Fix:
Using PPTP with profile logging now works correctly and no longer causes TMM to crash.


493791-2 : iApps do not support FQDN nodes

Component: TMOS

Symptoms:
All iApps fail when FQDN nodes are included as pool members in an iApp-generated pool.

Conditions:
- In an iApp, create a pool with nodes defined by FQDN.
- In an iApp, attempt to reconfigure, or even just open it, make no change, and click Update.

Impact:
GUI shows the following error: 'script did not successfully complete: (field not present: 'address'...'.

Workaround:
Create the pool outside of the iApp and attach it with the 'use existing pool' option, which is a feature of all recent F5 Networks iApps.

Fix:
iApps now support FQDN nodes.


493673-2 : DNS record data may have domain names compressed when using iRules

Component: Local Traffic Manager

Symptoms:
Some DNS record types forbid DNS name compression in their record data (e.g., the NAPTR Replacement field). In certain parts of the DNS feature set (e.g., DNS iRules, DNSSEC, GTM), some of this record data may contain compressed names.

Conditions:
Using iRules.

Impact:
Some clients may expect uncompressed names and may not be able to follow compression pointers. This may cause the client to fail to use the RR.

Workaround:
None.

Fix:
Fields that forbid compression (e.g., the NAPTR Replacement field) are now correctly left uncompressed.


493507-1 : License checks for fictive URLs and injected tags

Component: Fraud Protection Services

Symptoms:
The FPS plugin doesn't check the required license for fictive requests from JavaScript or for injected tags, such as phishing CSS and images.

Conditions:
Feature is unlicensed.

Impact:
Injected tags may cause false positive alerts.

Workaround:
None.

Fix:
Phishing tags are no longer injected into HTML when phishing is not licensed. And responses to virtual URLs are sent only if the required feature is licensed.

Behavior Change:
Phishing tags are no longer injected into HTML when phishing protection is not licensed. And responses to virtual URLs are sent only if the required feature is licensed.


493487-3 : Function::call() and Function::apply() wrapping does not work as expected

Component: Access Policy Manager

Symptoms:
Function::call() and Function::apply() wrapping does not work as expected.

Conditions:
This occurs when using an indirect method call.

Impact:
Possible Adobe Flash web application malfunction, but the symptoms can vary.

Fix:
Indirect method call using Function::call() or Function::apply() works properly now.


493401-2 : Concurrent REST calls on a single endpoint may fail

Component: Application Security Manager

Symptoms:
Concurrent REST PATCH calls on a particular endpoint, or configuration by BIG-IQ, may fail due to database deadlocks.

Conditions:
Concurrent REST PATCH calls were made on a particular endpoint, or device was configured by BIG-IQ.

Impact:
Configuration changes fail due to database deadlock.

Workaround:
Check the return values from REST calls before proceeding to the next call.

Fix:
Fixed a MySQL deadlock that occurred when using REST API to send several patch requests to parameters of a security policy.


493385-6 : BIG-IP Edge Client uses generic icon set even if F5 icon set is configured

Component: Access Policy Manager

Symptoms:
BIG-IP Edge client uses generic icon set even if F5 icon set is configured.

Conditions:
BIG-IP Mac Edge Client customized for a specific language.

Impact:
The system menu might show the generic icon set for the Mac Edge Client.

Workaround:
Remove customization for that language.

Fix:
Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.


493360-1 : Fixed possible issue causing Edge Client to crash during reconnect

Component: Access Policy Manager

Symptoms:
Edge Client may rarely crash during reconnect.

Conditions:
Session reconnection using Edge Client. When the APM session closes on the BIG-IP system (by a timeout, or by other options, for example, 'Restrict to Single Client IP'), the Edge Client starts a new session. Occasionally, when reestablishing the connection to the BIG-IP system, the Edge Client crashes.

Impact:
Rarely encountered crash.

Workaround:
None.

Fix:
Fixed possible issue that could cause BIG-IP Edge Client for Windows to crash during reconnect.


493275-3 : Restoring UCS file breaks auto-sync requiring forced sync.

Component: TMOS

Symptoms:
Automatic sync will temporarily not work after loading a UCS.

Conditions:
Loading a UCS on an affected hotfix.

Impact:
Until a manual sync is done, auto-sync will not occur.

Workaround:
Perform a forced manual sync; the system then returns to normal operation.

Fix:
Restoring UCS file now retains auto-sync functionality.


493246-2 : SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot

Component: TMOS

Symptoms:
An SNMP query for sysCpuSensorSlot 0 returns 'Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot'.

Conditions:
SNMP query for sysCpuSensorSlot 0.

Impact:
SNMP MIB variable sysCpuSensorSlot 0 is not available.

Workaround:
Use the command 'tmctl cpu_info_stat' on the BIG-IP system to retrieve the sysCpuSensorSlot value.

Fix:
The software that generates the F5 BIG-IP MIBs has been updated to allow a slot 0 return value.


493234-1 : Device version in AFM log message could be empty

Component: Advanced Firewall Manager

Symptoms:
Device version in AFM log message could be empty.

Conditions:
When a log message is generated for AFM events.

Impact:
The log message will not contain the device version.

Fix:
AFM log messages now correctly show the device version.


493223-3 : syscalld core dumps now keep more debugging information

Component: TMOS

Symptoms:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump has little visibility into what commands were being run at the time.

Conditions:
syscalld is mostly invoked by the GUI or by CMI sync to trigger saving of the configuration.

Impact:
syscalld core dumps will occur and generate customer cases, but it is difficult for a developer to obtain any useful information.

Workaround:
None.

Fix:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump used to have little visibility into what commands were being run at the time. It now maintains a list of the most recently run commands that will be written into the core file.


493213-1 : RBA eam and websso daemons segfaulting while provisioning

Component: TMOS

Symptoms:
Crash while provisioning.

Conditions:
This sometimes seems to happen when only APM is provisioned and APM functionality is not being exercised.

Impact:
The RBA eam and websso daemons segfault.

Workaround:
None.


493164-3 : flash.net.NetConnection::connect() has an erroneous security check

Component: Access Policy Manager

Symptoms:
Accessing some content in a different domain does not work as expected because of an erroneous security check.

Conditions:
This occurs when getting a URI property immediately after calling the connect() method.

Impact:
Possible Flash web application malfunction, but symptoms vary.

Fix:
The erroneous security check has been fixed, so accessing some content in a different domain now works as expected.


493140-1 : Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.

Component: Local Traffic Manager

Symptoms:
When using a cookie hash persistence profile and an iRule to provide finer granularity using offset and length parameters to calculate the hash, the system creates incorrect persistence entries.

Conditions:
A cookie hash persistence profile together with an iRule that specifies the offset and length of the cookie to be used for hashing.

Impact:
Incorrect persistence entries are created.

Fix:
Using cookie hash persistence and invoking cookie hash persistence from within an iRule now works as expected.


493117-6 : Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted

Component: Local Traffic Manager

Symptoms:
After changing the netmask of an advertised virtual address, the address is no longer advertised.

Conditions:
Must have an advertised virtual address, and change its netmask.

Impact:
tmrouted must be restarted whenever the netmask of an advertised virtual address is changed.

Workaround:
Restart tmrouted whenever the netmask of an advertised virtual address is changed.

Fix:
Now, an advertised route remains advertised after its netmask is changed.


493106-4 : HTTP Basic authentication module logs clear text password in /var/log/apm at debug level

Component: Access Policy Manager

Symptoms:
The HTTP parser logs a clear text password in the /var/log/apm log file from a debug log message. This occurs only when the accesscontrol log level is debug and HTTP authentication of type Basic is used in the access policy.

Conditions:
The accesscontrol log level is debug and HTTP authentication of type Basic is used in the access policy.

Impact:
A clear text password is logged in /var/log/apm.

Workaround:
Change the accesscontrol log level to informational or higher.

Fix:
The HTTP parser has been fixed to log an obfuscated password in /var/log/apm.


493053-2 : Route domains' firewall policies may be removed after sync

Component: TMOS

Symptoms:
If you modify the firewall policy of a route domain and then sync, the policy may be removed rather than changed on the devices receiving the sync.

Conditions:
This affects full load sync (full load checkbox is enabled, or the 'Overwrite Configuration' option was selected), but not incremental sync.

Impact:
Firewall rules may be removed.

Workaround:
Set the policy to none, sync, then set it to the desired value and sync again.

Fix:
Previously, if you modified the firewall policy of a route domain and then synced, the policy could be removed rather than changed on the devices receiving the sync. This no longer happens.


493023-3 : Export of huge policies might end up with 'too many pipes opened' error

Component: Access Policy Manager

Symptoms:
Export of huge policies might end up with a 'too many pipes opened' error. The policy must have more than 321 elements.

Conditions:
Huge policy (300+ elements, i.e., ~100 items).

Impact:
It is not possible to export the access policy.

Workaround:
N/A

Fix:
Extra-huge policies are now exportable.


492978-1 : All blades in a cluster remain offline after provisioning ASM or FPS

Component: Application Security Manager

Symptoms:
After provisioning either ASM or FPS on a cluster, the system may reach a state in which the datasyncd process will keep all of the blades offline. The system will repeatedly switch the primary blade, but never successfully transition to online.

Conditions:
This is a rare scenario that may happen when provisioning either ASM or FPS on a cluster.

Impact:
If this state is reached, all of the blades will remain offline and not handle incoming traffic until the entire chassis is rebooted.

Workaround:
If this scenario happens, the workaround is to reboot the entire chassis, or individually reboot all of the blades roughly at the same time.

Fix:
Fixed a rare scenario in which all the blades in a cluster remain offline after provisioning either ASM or FPS.


492844-1 : Office365 generated SAML SLO message causes browser connection to be reset.

Component: Access Policy Manager

Symptoms:
When a user initiates SAML single logout (SLO) from Microsoft Office 365 (as a Service Provider), the request is terminated by the BIG-IP system.

Conditions:
This occurs under all of the following conditions:
1. The BIG-IP system is configured as a SAML Identity Provider (IdP).
2. Microsoft Office 365 is configured as a SAML Service Provider (SP).
3. SP-initiated SLO is attempted and the SLO message contains a detached signature.

Impact:
As a result, SLO is not executed and sessions on the BIG-IP system and the SP are left alive.

Fix:
A Microsoft Office 365 generated SAML SLO message no longer causes the browser connection to reset.


492809-4 : Small but continuous mcpd memory leak associated with statistics.

Component: TMOS

Symptoms:
A small amount of memory is allocated and not released each time the statsd process gathers the global access statistic information. Symptoms include a small but constant rise in memory usage associated with statistics. Note: Although the memory leak occurs in association with APM statistics specifically, APM does not need to be provisioned for the leak to occur.

Conditions:
This occurs during normal operation.

Impact:
Over a long period of time, mcpd runs out of memory. The system periodically posts messages similar to the following in /shared/tmp/mcpd.out: mcpd: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc.

Workaround:
None.

Fix:
An issue has been fixed that resulted in a small, periodic mcpd memory leak associated with statistics.


492780-1 : Elliptic Curves Extension in ServerHello might cause failed SSL connection.

Component: Local Traffic Manager

Symptoms:
The Supported Elliptic Curves Extension is present in the ServerHello, but some clients cannot process it, so it has been removed.

Conditions:
The issue occurs when the Supported Elliptic Curves Extension in the ServerHello is presented to a client that cannot process it.

Impact:
Failed SSL connection.

Workaround:
None.

Fix:
The Elliptic Curves Extension has been removed from the ServerHello to support more types of clients.


492701-3 : Resolved LSOs are overwritten by source device in new Policy Sync with new LSO

Component: Access Policy Manager

Symptoms:
Previously resolved Location-Specific Objects (LSOs) on target devices are overwritten by values from the source device during a new Policy Sync operation that has a new LSO to resolve.

Conditions:
Perform a Policy Sync on a profile with an LSO, and change the LSO value on resolution.
Perform another Policy Sync on the same profile with a new LSO that requires resolution.

Impact:
Previously customized LSO values on the target device are lost.

Workaround:
Configure the value back on the target device after the new sync.

Fix:
Customized LSO values on the target device from a previous Policy Sync are now retained after a new Policy Sync with a new LSO.


492570-1 : JavaScript error during CSRF protection

Component: Application Security Manager

Symptoms:
Because JavaScript is executed on the client side, a JavaScript error at page render time might break the page.

Conditions:
Using Internet Explorer 8 with CSRF ASM enabled.

Impact:
Because JavaScript is executed on the client side, a JavaScript error at page render time might break the page.

Workaround:
N/A

Fix:
After upgrading to BIG-IP version 11.6.0, using Internet Explorer 8, there is no longer the JavaScript error "Object doesn't support this action" when using the CSRF protection feature. Note that despite the error message, there was CSRF protection.


492549 : FPS injection only into success responses

Component: Fraud Protection Services

Symptoms:
FPS JavaScript was injected into HTTP responses regardless of their status code.

Conditions:
Error response (status code 404).

Impact:
WebSafe components are easily identified.

Fix:
FPS JavaScript is now injected only into responses with 2xx status codes.


492460-3 : Virtual deletion failure possible when using sFlow

Component: TMOS

Symptoms:
This error message might occur intermittently when trying to delete a virtual server:

01070265:3: The Virtual Server (vs_name) cannot be deleted because it is in use by a sflow http data source (ds_name).

Conditions:
sFlow is in use.

Impact:
The virtual server may fail to be deleted.

Workaround:
None.

Fix:
This error message used to occur intermittently when trying to delete a virtual server while using sFlow: 01070265:3: The Virtual Server (vs_name) cannot be deleted because it is in use by a sflow http data source (ds_name). This no longer occurs.


492458-1 : BIOS initial release

Component: TMOS

Symptoms:
This is a report of the initial release of BIOS 1.05.033.0.

Conditions:
New BIOS release.

Impact:
BIOS is updated to BIOS 1.05.033.0.

Workaround:
None.

Fix:
Initial BIOS 1.05.033.0 release. No issues.


492422-4 : HTTP request logging reports incorrect response code

Component: TMOS

Symptoms:
HTTP request logging reports 200/OK response code before any response has been received.

Conditions:
HTTP request logging enabled.

Impact:
Misleading messages in the logs. These messages are benign and can safely be ignored.

Fix:
Response code now reported only in HTTP response logs.


492368-5 : Unbound vulnerability CVE-2014-8602

Vulnerability Solution Article: K15931


492367-4 : BIND vulnerability CVE-2014-8500

Vulnerability Solution Article: K15927


492352-3 : Mismatch ckcName between GUI and TMSH can cause upgrade failure

Component: Local Traffic Manager

Symptoms:
The ckcName that the GUI generates for clientssl_certkeychain differs from the one TMSH generates.
Case 1: clientssl_certkeychain includes key/cert:
-- TMSH uses <key-name> as ckcName.
-- GUI uses <key-name>.key as ckcName.
Case 2: clientssl_certkeychain includes key/cert/chain:
-- TMSH uses <key-name>_<chain-name> as ckcName.
-- GUI uses <key-name>.key as ckcName.
The fix makes the GUI generate the same ckcName as TMSH.

Conditions:
Use the GUI to create an SSL profile, then upgrade.

Impact:
The upgrade fails because of the ckcName mismatch between GUI and TMSH.

Fix:
ckcName is now the same for both GUI and TMSH.


492305-1 : Recurring file checker doesn't interrupt session if client machine has missing file

Component: Access Policy Manager

Symptoms:
If the file required by the recurring file checker agent is deleted on the client machine after the session is already established, the session is not interrupted.

Conditions:
File checker agent is used.
Recurring check is enabled for it.

Impact:
Session is not interrupted when it should be.

Fix:
The session is now interrupted when the file required by the recurring file check is missing.


492287-1 : Support Android RDP client 8.1.3 with APM remote desktop gateway

Component: Access Policy Manager

Symptoms:
Android RDP client 8.1.3 is not supported with the APM remote desktop gateway.

Impact:
Users cannot run the up-to-date official Android RDP client against APM as an RDG.

Fix:
Android RDP client 8.1.3 is now supported with the APM remote desktop gateway.


492238-6 : When logging out of Office 365 TMM may restart

Component: Access Policy Manager

Symptoms:
TMM may restart when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).

Conditions:
The problem occurs under these conditions:
1. The BIG-IP system is configured as a SAML Identity Provider (IdP) with Office 365 configured as a SAML Service Provider (SP).
2. Single logout (SLO) is configured on the BIG-IP system.
3. As a part of a SLO request, the SP sends unsupported query parameters.

Impact:
Under certain conditions TMM may restart.

Workaround:
To work around the problem, disable SLO on the BIG-IP system.

Fix:
TMM no longer restarts when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).


492163-3 : Applying a monitor to pool and pool member may cause an issue.

Component: TMOS

Symptoms:
Typically, applying a monitor to a pool and a monitor to a pool member causes no issues. When the pool monitor is incompatible with the pool member, however, a validation issue can occur.

Conditions:
The pool monitor is incompatible with the pool member; for example, a pool with an http monitor and a wildcard pool member (even if the pool member has its own monitor).

Impact:
Failed transaction or configuration load.

Workaround:
Remove the pool monitor, load, then add pool monitor back.

Fix:
Instances in which the pool monitor is incompatible with the pool member are now validated correctly.


492153-2 : Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Conditions:
BIG-IP Edge Client monitors the state of the IP address used for the DTLS tunnel so that it can react quickly to network connectivity issues. The monitor correctly disconnects the tunnel if the adapter loses the IP address. However, an issue causes the tunnel to shut down when the state of the IP address changes to deprecated.

Impact:
Tunnel processing halts.

Fix:
BIG-IP Edge Client now keeps the DTLS connection until the IP address becomes invalid, as expected.


492149-3 : Inline JavaScript with HTML entities may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If inline JavaScript code in an HTML page contains HTML entities, Portal Access may process it incorrectly.

Conditions:
An HTML page that contains inline JavaScript code with HTML entities.

Impact:
Web application does not work as expected.

Workaround:
Use an iRule for each individual case to correct this behavior.

Fix:
JavaScript code containing HTML entities is now processed correctly.


492122-5 : Windows Logon Integration no longer recreates the temporary user for logon execution each time

Component: Access Policy Manager

Symptoms:
The temporary user 'f5 Pre-Logon User' is created and deleted each time it is used. Because its SSID changes every time, domain operations such as adding that user to a specific domain group or setting its properties cannot be performed.

Conditions:
This happens when both of these conditions exist:
1. Windows Logon Integration is used.
2. Enforce access policy execution option is selected.

Impact:
As a result, it is impossible to manage the temporary user 'f5 Pre-Logon User'.

Fix:
Now the 'f5 Pre-Logon User' is created only once, which allows a Domain or System Administrator to manage it, because the SSID does not change. When the user is no longer required (that is, when the logon process is complete), 'f5 Pre-Logon User' is disabled and remains disabled until the next usage.


491887-1 : Changing the ending of a macro in Access Policy crashes TMM.

Component: Access Policy Manager

Symptoms:
The default ending for a macro is 'out'. Changing it to anything else crashes TMM and causes it to core.

Conditions:
Create a macro, change the ending.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Macro endings can now be renamed, so macros are no longer required to end in 'out'.


491801 : GTM iRule command [LB::status up] gives error

Component: Global Traffic Manager (DNS)

Symptoms:
When attempting to create this GTM iRule

when DNS_REQUEST {
LB::status up
}

you'll get this error in the logs:

"01070151:3: Rule [/Common/irule_test] error: /Common/irule_test:2: error: [invalid option "up" must be: vs pool mbr][up]"

Conditions:
Creating GTM iRules

Impact:
Can't use this specific iRule command syntax.

Workaround:
None.


491791-3 : GET on non-existent pool members does not show error

Component: TMOS

Symptoms:
Performing a GET on nonexistent pool members does not show an error.

Conditions:
This occurs when using iControl REST with nonexistent pool members.

Impact:
The returned response typically indicates an almost-empty resource instead of a not-found error.

Workaround:
Use members GET for all members and iterate through the items returned to determine if a pool member exists.

Fix:
Performing a GET on a nonexistent pool member through iControl REST now returns an error instead of an almost-empty resource.


491771-2 : Parking command called from inside catch statement

Component: Policy Enforcement Manager

Symptoms:
If, inside a proc or control statement (if, for, while), a parking command (such as table, session, open, send, RESOLVE::lookup) is called from a catch statement and is followed by a command that results in a caught Tcl error, TMM cores with a SIGFPE panic and this message:

    panic: TclExecuteByteCode execution failure: end stack top < start stack top

Example (THIS CODE MAY CAUSE TMM TO CRASH if this procedure is called):
    proc id491771 {} {
        # WILL CAUSE TMM TO CRASH: the square brackets substitute the result of the
        # parking command inside the catch body, which is the trigger for this issue
        catch { [table lookup "key"] }
    }

The correct usage of "catch" is without the brackets:
    proc id491771 {} {
        # Safe: the parking command runs as the catch body itself, with no substitution
        catch { table lookup "key" }
    }

Conditions:
1) A parking command like "table"
2) The very next operation generates an error
3) Both commands are inside a "catch" block
4) And this catch block exists within a proc or control statement (e.g., if, for, while)

Impact:
TMM cores with a SIGFPE and this panic string:

    panic: TclExecuteByteCode execution failure: end stack top < start stack top

Workaround:
Any command that completes without parking, executed after the parking command but before the error, prevents the issue. For instance:

set A "a"

Another solution is to move the "catch" statement out of the proc or control statement and into the body of the script.

Alternately remove the square brackets that indicate that the result of the command should be evaluated in this specific case. The use of brackets in this way is likely a mistake in coding of the iRule.


491727-2 : Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).

Component: TMOS

Symptoms:
Upgrade to v11.6.0 can fail with the following error message:

01070712:3: The value (-1) is outside the acceptable value set [value equal to or less than 600000] for time_wait_timeout in type TCP Profile for item <tcp_profile_name>
Unexpected Error: Loading configuration process failed.

Conditions:
A tcp profile exists with tcp_long_timeout equal to 4294967295 (indefinite).

Impact:
Upgrade to v11.6.0 fails and leaves device in INOPERATIVE state.

Workaround:
Change tcp_long_timeout prior to upgrade to a value in the range from 0 to 600000 inclusive OR, if already upgraded, edit bigip.conf to set tcp_long_timeout to a value in the range from 0 to 600000 inclusive and run "tmsh load sys config".

Fix:
BIG-IP configurations now load successfully after an upgrade if the TCP profile's Time Wait value is set to 4294967295.


491716-2 : SNMP attribute type incorrect for certain OIDs

Component: TMOS

Symptoms:
The following OIDs have an incorrect setting of Gauge when they should be Integer:

sysIntfMediaIndex
sysIfIndex
sysPacketFilterAddrIndex
sysPacketFilterVlanIndex
sysPacketFilterMacIndex
sysStpBridgeTreeStatIndex
sysStpInterfaceTreeStatIndex
sysHostCpuIndex
sysIntfMediaSfpIndex

Conditions:
SNMP queries to some F5 enterprise OIDs.

Impact:
The attribute type mismatch may cause some MIB browsers to report errors because of a failure to strictly adhere to the SNMP standard.

Fix:
All F5 enterprise MIB attributes that include a limited value range have been changed to type Integer.


491556-7 : tmsh show sys connection output is corrected

Component: TMOS

Symptoms:
tmsh show sys connection output is corrupted for certain user roles.

Conditions:
This occurs for users with user roles that do not have access to all partitions.

Impact:
The output from tmsh show sys connection is corrupted. After issuing this command, the output of subsequent tmsh commands might not be correct or complete.

Workaround:
Quit out of tmsh. Restart the shell. Do not use the show sys connection command for users that do not have access to all partitions. Use the GUI instead to get this information.

Fix:
tmsh show sys connection output is correct for users that do not have access to all partitions.


491554-2 : [big3d] Possible memory leakage for auto-discovery error events.

Component: Global Traffic Manager

Symptoms:
The big3d process may leak memory.

As a result of this issue, you may encounter one or more of the following symptoms:

You notice a progressive increase in the amount of memory that the big3d process uses.
The big3d process produces a core file in the /shared/core directory.
The BIG-IP system unexpectedly fails over to another system in the device group.
The monitoring system marks the monitored device as unavailable.

Conditions:
This issue occurs when all of the following conditions are met:

Your system is actively monitored by a BIG-IP GTM or Enterprise Manager system.
The monitoring system is configured with discovery enabled.
The big3d process returns error messages to monitor requests.

Impact:
Memory usage for the big3d process increases, and may eventually affect other services and overall system performance.

Workaround:
None.

Fix:
big3d no longer leaks memory during auto-discovery failure events.


491518-2 : SSL persistence can prematurely terminate TCP connection

Component: Local Traffic Manager

Symptoms:
SSL [session id] persistence might prematurely close (FIN) a TCP connection before forwarding all data.

Conditions:
SSL persistence must be in use. A slow client side (WAN) exacerbates the issue.

Impact:
Premature close of TCP connection and potential data loss.

Workaround:
Disable SSL persistence.

Fix:
SSL [session id] persistence no longer prematurely terminates TCP connections.


491478-1 : EAM is a CMP plugin and spins up one thread per TMM.

Component: Access Policy Manager

Symptoms:
When OAM is enabled on a virtual server, an 'eam' v1 plugin profile is added to the virtual. Due to ht-split performance changes (specifically the addition of the "plugin_threads" field in BZ439449), the eam plugin profile claims to be a CMP-enabled plugin but forces the thread count to 1. This causes the number of MPI devices to be 0, so no channel is spun up: all connections through the virtual result in a "No plugin configuration found" error in /var/log/ltm, and the connection is reset.

In short, virtual servers with OAM enabled do not pass traffic, and "No plugin configuration found" errors appear in /var/log/ltm.

Conditions:
HTTP virtual with OAM enabled

Impact:
Traffic outage on OAM-enabled virtuals

Workaround:
Hand-edit /defaults/config_base.conf, changing the plugin_threads value for profile_eam as shown:

        plugin_threads {
            class-name profile_eam
            container none
            instance-name eam
            value "1" <-- change this to "tmms"
        }

Fix:
EAM is a CMP plugin and spins up one thread per TMM.


491454-6 : SSL negotiation may fail when SPDY profile is enabled

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when SPDY profile is attached.

Conditions:
This occurs when the following conditions are met:
-- A client (e.g., Chrome for Android) attempts to use the SPDY protocol via Next Protocol Negotiation (NPN) during the SSL handshake.
-- The BIG-IP system has a Cavium Nitrox card.

Impact:
SSL handshake or other connection failure.

Workaround:
Remove SPDY profile.

Fix:
The SSL handshake now completes successfully when a SPDY profile is attached and Next Protocol Negotiation (NPN) is detected on a BIG-IP system with a Cavium Nitrox accelerator.


491371-1 : CMI: Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration.
This precludes the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in a Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older config and then push the changes to the peer.

Fix:
An older ASM configuration can now be manually pushed to a peer in a device group.


491352-3 : Added ASM internal parameter to add more XML memory

Component: Application Security Manager

Symptoms:
It is not possible to add more than 1.2 GB of memory to the XML parser.

Conditions:
More than 1.2 GB of XML memory is needed.

Impact:
XML out of memory messages, traffic dropped.

Fix:
We added the internal parameter additional_xml_memory_in_mb that enables an additional amount of XML memory (in MB).


491233-1 : Rare deadlock in CustomDialer component

Component: Access Policy Manager

Symptoms:
Windows 7 systems hang at a black screen after a reboot. This requires a hard boot to resolve.

Conditions:
The CustomDialer component is in use.

Impact:
Cannot log in. Requires hard boot to resolve.

Fix:
The CustomDialer component has been updated to prevent a rarely occurring deadlock.


491185-1 : URL Latencies page: pagination limited to 180 pages

Component: Application Visibility and Reporting

Symptoms:
When URL Latencies contains enough data to page beyond 180 pages, no data is displayed when switching to any page above 180.

Conditions:
The URL count exceeds 1800.

Impact:
Not all URLs will be visible.

Workaround:
Filtering can be used to limit the number of results below 1800.

Fix:
Number of reported URLs is now limited to 1000 (100 pages), consistent with other reporting pages.


491168 : Encrypt checkbox should be greyed out for a new parameter when Application Layer Encryption is disabled under URL Configuration.

Component: Fraud Protection Services

Symptoms:
Encrypt checkbox is not greyed out for a new parameter when Application Layer Encryption is disabled under URL Configuration.

Conditions:
Provision and license FPS

Impact:
Configuration may not be saved.

Workaround:
Manually disable the Encrypt parameter, or use tmsh to disable Application Layer Encryption.

Fix:
The Encrypt checkbox is now grayed out for a new parameter when Application Layer Encryption is disabled under URL Configuration.


491165-1 : Legal IP addresses sometimes logged in Attack Started/Stopped message.

Component: Advanced Firewall Manager

Symptoms:
Sometimes legitimate IP addresses are logged in attack started/stopped messages.

Conditions:
AFM licensed and provisioned and Sweep & Flood Vector enabled.

Impact:
Logging only: legitimate addresses appear in attack started/stopped messages.

Workaround:
N/A

Fix:
IP addresses are not logged any more for START/STOP messages. Only sampled messages will have packet details.


491080-5 : Memory leak in access framework

Component: Access Policy Manager

Symptoms:
When multiple concurrent attempts are made to access a resource protected by APM, one of these attempts proceeds to policy execution and the rest get a message stating that session evaluation is in progress. The page that delivers this message has a unique identifier in the URL that causes the caching of this page to be ineffective. Multiple cache entries are created and these entries present themselves as a leak.

Conditions:
Use of APM.
Multiple concurrent accesses to a resource protected by a virtual server with an APM profile attached.
Note that this happens only when the client has no previously established session.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
The APM page caching now omits the unique identifier in the key. As a result, a single page, or a small fixed number of pages, can serve a multitude of clients without an increase in memory usage.


491030-6 : Nitrox crypto accelerator can sometimes hang when encrypting SSL records

Component: Local Traffic Manager

Symptoms:
Sometimes when encrypting certain SSL records, the Cavium Nitrox crypto accelerator can hang with the LTM log message "request queue stuck".

Conditions:
Certain SSL records on a system with a Cavium Nitrox card.

Impact:
Nitrox crypto accelerator can hang.

Workaround:
This issue has no workaround at this time.

Fix:
The Nitrox crypto accelerator will no longer hang with certain SSL records.


490999-2 : Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start

Component: Application Visibility and Reporting

Symptoms:
Subscriber-level AVR statistics display subscriber-type as "Unknown" instead of "Dynamic" for subscribers created using a RADIUS Accounting-Start message.

Conditions:
The subscriber was created using a RADIUS Acct-Start message.

Impact:
Incorrect subscriber-type in subscriber-level AVR statistics.

Workaround:
None.

Fix:
The correct subscriber-type is now populated in subscriber-level AVR statistics.


490936-2 : SSLv2/TLSv1 based handshake causing handshake failures

Component: Local Traffic Manager

Symptoms:
You are experiencing SSL handshake failures. /var/log/ltm contains error messages that read tmm[16895]: 01260009:7: Connection error:9044: invalid pre-master secret (40)

Conditions:
This occurs when a clientssl profile is enabled and a client sends a CLIENTHELLO containing an SSLv2 or TLSv1 version in the handshake message.

Impact:
SSL connection unable to establish; error generated. Note this only occurs for clients that send SSLv2 or TLSv1 in the hello.


490893-4 : Deterministic NAT state information incomplete for HSL log format

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT state information is incomplete in the HSL log format, which can result in incorrect reverse and forward maps from dnatutil when it is used with HSL-logged state information.

Conditions:
Found to affect VIPRION B2250 blades with HTSPLIT enabled, when using dnatutil with HSL logged deterministic NAT state for reverse map.

Impact:
Reverse and forward maps could be incorrect when used with HSL-logged deterministic NAT state information.

Workaround:
Use LTM logged deterministic NAT state information for reverse or forward map.

Fix:
HSL-logged deterministic NAT state information can now be used to correctly forward and reverse map.


490844-4 : Some controls on a web page might stop working.

Component: Access Policy Manager

Symptoms:
Some controls on a web page might stop working.

Conditions:
Some events that execute in web applications.

Impact:
Unexpected web application malfunctions.

Workaround:
Create an iRule specific to each case.

Fix:
Problems with support for the EventTarget.addEventListener() feature were fixed.


490830-4 : Protected Workspace is not supported on Windows 10

Component: Access Policy Manager

Symptoms:
APM does not support Protected Workspace on Windows 10

Conditions:
Protected Workspace action configured on BIG-IP APM server.
Users connecting to BIG-IP APM using Windows 10 client.

Impact:
Users cannot use Protected Workspace feature on Windows 10.

Workaround:
n/a

Fix:
Protected Workspace is now disabled on Windows 10 clients.


490817-1 : SSL filter might report codec alerts repeatedly

Component: Local Traffic Manager

Symptoms:
TMM cores due to Out of Memory (OOM), and xdata is the majority of the memory consumption.

Conditions:
The SSL filter enters a failure mode in which it appears to transmit alert messages repeatedly until TMM is out of memory, which stops the transmissions. TMM then cores due to lack of memory.

Impact:
The system might crash. (Massive xfrag usage, degraded performance, eventual TMM OOM.)

Fix:
Clear codec alert after propagation so SSL filter no longer reports alerts indefinitely.


490811-5 : Proxy configuration might not be restored correctly in some rare cases

Component: Access Policy Manager

Symptoms:
Local proxy configuration on Mac OS X might not be restored correctly in some rare cases.

Conditions:
BIG-IP Edge Client for Mac is connected, the tunnel drops for some reason, and a race condition during proxy configuration restoration causes the configuration not to be restored properly.

Impact:
Proxy configuration might not be restored correctly in some rare cases.

Workaround:
None

Fix:
A rare case where proxy configuration might not be restored correctly has been fixed.


490801-2 : mod_ssl: missing support for TLSv1.1 and TLSv1.2

Component: TMOS

Symptoms:
This is due to using older versions of httpd (which includes mod_ssl ...). Newer versions of httpd as of 2.2.15-39 include the necessary support for TLSv1.1 and TLSv1.2.

Conditions:
Any older versions of httpd which are not upgraded to 2.2.15-39 or selectively patched for the mod_ssl component will not be able to provide support for TLSv1.1 and TLSv1.2.

Note that in older releases, there is a dependency on openssl 1.0.1 for a backport of the mod_ssl changes to actually support TLSv1.1 and TLSv1.2.

Impact:
No support is provided for TLSv1.1 and TLSv1.2.

Workaround:
Upgrade to one of the following:

12.0.0-hf1 - includes changes to mod_ssl
12.1.0 - includes update to httpd 2.2.15-39

Fix:
Upgrade to httpd 2.2.15-39 (from el6.6) provides the needed changes to mod_ssl to support TLSv1.1 and TLSv1.2.


490740-10 : TMM may assert if HTTP is disabled by another filter while it is parked

Component: Local Traffic Manager

Symptoms:
If HTTP is parked in an iRule and is disabled by another filter on the client side, TMM asserts with the message:
TCL passthrough switch state only valid server-side.

Conditions:
A HTTP iRule on the client side parks. Another filter tells HTTP to disable itself.

Impact:
The impact of this issue is that the TMM will crash.

Workaround:
Avoid using HTTP::disable in iRules that can run simultaneously with iRules triggered by the HTTP filter.

Instead, disable

Fix:
HTTP will no longer crash if HTTP is disabled while it is parked on the client side.


490713-3 : FTP port might occasionally be reused faster than expected

Component: Local Traffic Manager

Symptoms:
FTP port is randomly selected and occasionally might be reused quickly.

Conditions:
FTP active mode. Source Port is set to change.

Impact:
FTP port might occasionally be reused faster than expected.

Fix:
FTP port selection uses a round robin method to avoid quick-reuse as much as possible.


490681-1 : Memcache entry for dynamic user leaks

Component: Access Policy Manager

Symptoms:
A race condition causes a memcache entry to remain in memcache forever.

Conditions:
Due to a race condition between identifying dynamic users in MySQL and removing them from memcache (based on timestamp), some memcache entries remain. Although the entry is removed from MySQL, it remains in memcache.

Impact:
The user state information for the user remains unchanged. If the user is locked out in memcache, the user state remains locked out.

Workaround:
The only way to recover is to remove the user using telnet to access memcache (which is not a typical operation and is difficult to perform).

Fix:
Now a self expiry is set for each memcache object (which is configurable). With this change, each user remains in the cache only for the configured duration.


490675-1 : User name with leading or trailing spaces creates problems.

Component: Access Policy Manager

Symptoms:
A dynamic user is created with leading and trailing spaces, so the user name looks like " user1 ". When the user entry is created in MySQL, " user1 " is treated the same as "user1" because the surrounding spaces are stripped. The memcache entry does not strip them.

Conditions:
Create a dynamic user with a regular name. Then retry the same username with leading and trailing spaces. There will be multiple entries for the same user (one regular and another with spaces). When the dynamic user gets deleted, the regular user name is deleted from memcache and from MySQL; the other user entry remains in memcache.

Impact:
Unnecessary memcache entries.

Workaround:
This issue has no workaround at this time.

Fix:
In this fix, we trim leading and trailing spaces from the user name before using it. So the user name is uniform everywhere.


490537-6 : Persistence Records display in GUI might cause system crash with large number of records

Component: TMOS

Symptoms:
Using the GUI to view Persistence Records statistics in GUI when there are a large number of records might crash the system. (Persistence Records are available for LTM and GTM by navigating to Statistics :: Module Statistics, clicking on Local Traffic, DNS Delivery, or DNS GSLB and then selecting 'Persistence Records' for Statistics Type.)

Conditions:
This occurs when viewing statistics in the GUI for a large number of Persistence Records (approximately 100,000, but the number might depend on system configuration and capacity).

Impact:
The system runs out of memory and fails over.

Workaround:
Use TMSH to see Persistence Records and associated statistics.
For LTM and GTM Delivery: tmsh show ltm persistence persist-records.
For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.

Fix:
In this release, you can manage visibility of Persistence Records using a db variable: ui.statistics.modulestatistics.<localtraffic | dnsdelivery | dnsgslb>.persistencerecords. A db variable setting of "false" prevents the potential system crashes with a large number of persistence records.

To set the db variable:
-- for LTM Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.localtraffic.persistencerecords value true
-- for DNS Delivery Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsdelivery.persistencerecords value true
-- for DNSGSLB, run the command: modify sys db ui.statistics.modulestatistics.dnsgslb.persistencerecords value true

Important: When you enable the db variable, the GUI-specific out-of-memory condition might occur if you have a large number of records. In that case, you should use TMSH to see Persistence Records and associated statistics.

For LTM and GTM Delivery: tmsh show ltm persistence persist-records.
For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.

Behavior Change:
Beginning in version 12.0.0, the db variable ui.statistics.modulestatistics.<localtraffic | dnsdelivery | dnsgslb>.persistencerecords defaults to "false". In previous versions, the default was "true." That means that Persistence Records are no longer visible by default in the GUI. This prevents potential system crashes with a large number of persistence records. You can manage visibility of Persistence Records using the db variable.



490482-1 : Applying Access Policy with an unused macro crashes TMM.

Component: Access Policy Manager

Symptoms:
When an Access Policy has a macro attached but does not use the macro anywhere, applying the Access Policy crashes TMM.

Conditions:
Access Policy that has a macro attached but is not using the macro at any point in the policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Delete all unused macros.

Fix:
An Access Policy can now have a macro attached without using it anywhere.


490480-3 : UCS load may fail if the UCS contains FIPS keys with names containing dot

Component: Local Traffic Manager

Symptoms:
UCS load may fail if the UCS file contains FIPS keys with names containing dot ( . ).

Conditions:
This occurs when the configuration includes at least one FIPS key with name containing a dot ( . ).

Impact:
UCS loading fails.

Fix:
UCS load now completes successfully if the saved configuration includes FIPS keys with names containing dot ( . ).


490429-2 : The dynamic routes for the default route might be flushed during operations on non-default route domains.

Component: Local Traffic Manager

Symptoms:
The dynamic routes for the default route might be flushed during operations on non-default route domains. For example, when a non-default route domain is deleted from TMM, the operation also removes routes in the default route domain.

Conditions:
This happens on configuration changes and failover.

Impact:
Routing in default route domain might be impacted until tmrouted is restarted.

Workaround:
Avoid deleting non-default route domains. Issuing a bigstart restart tmrouted returns the system to a consistent state.

Fix:
The dynamic routes for the default route are no longer flushed during operations on non-default route domains.


490414-1 : /shared/vmisolinks present on systems running versions where block-devices are not present

Component: TMOS

Symptoms:
/shared/vmisolinks is not removed from vCMP hosts when booting into builds that do not support block-device-image and block-device-hotfix vcmp installations.

Conditions:
This occurs in 11.6.0 or later with vCMP provisioned. In pre-11.6.0 versions, vCMP does not have to be provisioned.

Impact:
/shared/vmisolinks is present and takes up space. /shared can artificially fill up and cause warnings.

Workaround:
/shared/vmisolinks can be safely removed from older versions with the following command sequence:
-- 'clsh rm -rf /shared/vmisolinks'
-- 'clsh ls -al /shared/vmisolinks'

After removing the /shared/vmisolinks directory from each cluster member or the appliance as a vCMP host, the space warnings related to /shared/vmisolinks will cease.

Fix:
/shared/vmisolinks is now properly cleaned up upon system startup.


490284-3 : ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)

Component: Application Security Manager

Symptoms:
ASM screens take a long time to load, MySQL spikes in usage.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM user interface pages.

Workaround:
There is no workaround at this time.

Fix:
We reduced the time it takes for ASM screens to load.


490225-3 : Duplicate DNSSEC keys can cause failed upgrade.

Component: Local Traffic Manager

Symptoms:
When DNSSEC keys are stored in HSM and the system is upgraded, config load can fail because of duplicate keys in HSM.

Conditions:
DNSSEC keys in HSM. Upgrade or UCS load of configuration that contains the same keys.

Impact:
Failed upgrade or config load.

Workaround:
None.

Fix:
BIG-IP DNS/mcpd now checks for an existing key and does not import keys that already exist.


490174-2 : Improved TLS protocol negotiation with clients supporting TLS1.3

Component: Local Traffic Manager

Symptoms:
When a TLS client connects to a BIG-IP TLS server requesting TLS1.3, the handshake will fail. A message will be logged in the Local Traffic Manager (LTM) log about a handshake failure.

The estimated deployment of clients supporting TLS1.3 is 2016.

Conditions:
A TLS client handshake with the protocol version set to TLS1.3 in the ClientHello.

Impact:
Lower performance is the most likely outcome. The handshake requesting TLS1.3 will fail, after which a client will reconnect with a TLS 1.2 handshake and succeed.

The worst case scenario is inability to establish a connection for clients that only implement the standard TLS version negotiation mechanism.

Workaround:
This issue has no workaround at this time.

Fix:
TLS server code can now handle ClientHello.protocol_version that is higher than TLS1.2, according to the TLS1.2 specification.
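
As an added illustration of the negotiation rule named in the fix (this is example code, not F5's implementation), the following compares a version-intolerant policy modelled on the failure described above with the server-side selection that RFC 5246 Appendix E.1 requires: reply with the highest supported version not exceeding the client's offer, and fail only when the offer is below the server's minimum. The supported-version set, the (major, minor) encoding of versions and the client fallback model are assumptions made for the example; early TLS 1.3 drafts did place a value above 0x0303 in the ClientHello version field, which is the case the page describes.

```python
# Added example, not F5 code: server-side TLS version selection per RFC 5246
# Appendix E.1, beside an intolerant policy modelled on the failure in 490174-2.
# Versions are the (major, minor) pairs carried in ClientHello.client_version.
from typing import Callable, Iterable, Optional, Set, Tuple

Version = Tuple[int, int]

SSL30: Version = (3, 0)
TLS10: Version = (3, 1)
TLS11: Version = (3, 2)
TLS12: Version = (3, 3)
TLS13: Version = (3, 4)  # value an early TLS 1.3 draft client could offer

# Assumed server policy for the example: implements TLS 1.0 through TLS 1.2.
SERVER_SUPPORTED: Set[Version] = {TLS10, TLS11, TLS12}

Policy = Callable[[Version, Set[Version]], Optional[Version]]


def negotiate_strict(client_version: Version, supported: Set[Version]) -> Optional[Version]:
    """Intolerant policy: the handshake succeeds only if the offered version is one
    the server implements, so anything newer than the server's maximum fails."""
    return client_version if client_version in supported else None


def negotiate_rfc5246(client_version: Version, supported: Set[Version]) -> Optional[Version]:
    """RFC 5246 E.1 policy: answer with the highest supported version that does not
    exceed the client's offer; fail only if the offer is below the server minimum."""
    candidates = [v for v in supported if v <= client_version]
    return max(candidates) if candidates else None


def version_intolerant(negotiate: Policy, supported: Set[Version]) -> bool:
    """Check a policy for version intolerance: offering one minor version above the
    server's maximum must still negotiate that maximum, never fail."""
    top = max(supported)
    probe = (top[0], top[1] + 1)
    return negotiate(probe, supported) != top


def simulate_client(negotiate: Policy, supported: Set[Version],
                    offers: Iterable[Version]) -> Tuple[int, Optional[Version]]:
    """Model of the client fallback the page describes: offer each version in turn
    until one is accepted. Returns (handshake attempts, negotiated version)."""
    attempts = 0
    for offer in offers:
        attempts += 1
        chosen = negotiate(offer, supported)
        if chosen is not None:
            return attempts, chosen
    return attempts, None


if __name__ == "__main__":
    for name, policy in (("strict", negotiate_strict), ("rfc5246", negotiate_rfc5246)):
        print(name, "intolerant:", version_intolerant(policy, SERVER_SUPPORTED),
              "| client offering TLS1.3 then TLS1.2:",
              simulate_client(policy, SERVER_SUPPORTED, [TLS13, TLS12]))
```

With the strict policy a client that first offers (3, 4) needs a second handshake to connect, and a client with no downgrade logic never connects; with the RFC 5246 policy the same offer is answered with TLS 1.2 on the first attempt. The final TLS 1.3 specification (RFC 8446) keeps 0x0303 in the legacy version field and moves the real offer into the supported_versions extension precisely because of servers that behaved like the strict policy.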


490171-1 : Cannot add FQDN node if management route is not configured

Component: TMOS

Symptoms:
Upon trying to create a FQDN (Fully Qualified Domain Name) node without the management route configured, an error is displayed: 01070734:3: Configuration error: Please configure a default gateway.

Conditions:
A basic LTM configuration with DNS lookup server setup

Impact:
The user must configure a management route, even if they otherwise do not need one or have one configured.

Workaround:
Create a temporary management-route default gateway in order to add nodes using their FQDN:
   1) tmsh create sys management-route default gateway 172.28.22.254 == create default management-route.
   2) tmsh create ltm node mydomain.com fqdn { name mydomain.com } == create FQDN node.
   3) tmsh delete sys management-route default == remove default management-route.

Fix:
It is no longer required that a default management route is setup in order to add nodes via their FQDN.


490129-1 : SMTP monitor could not create socket on IPv6 node address

Component: Local Traffic Manager

Symptoms:
SMTP Tcl monitor cannot create socket on IPv6 node address.

Conditions:
Conditions leading to this issue include SMTP monitors with IPv6 pool members.

Impact:
SMTP monitor IPv6 pool members are DOWN.

Workaround:
Create an External monitor using SMTP_monitor.

Fix:
The SMTP monitor now successfully monitors IPv6 pool members.


489957-5 : RADIUS::avp command fails when AVP contains multiple attribute (VSA).

Component: Service Provider

Symptoms:
The RADIUS::avp command fails when a single AVP carries multiple vendor-specific attributes (VSAs).

Conditions:
One AVP contains multiple vendor-specific attributes (VSAs).

Impact:
RADIUS::avp command fails.

Workaround:
None.

Fix:
The RADIUS::avp command now completes successfully when an AVP contains multiple attributes (VSAs).


489933 : Generic malware false positives

Component: Fraud Protection Services

Symptoms:
False positive js_vhtml alert is sent when browsing to protected page with malware detection enabled.

Conditions:
Malware detection enabled.

Impact:
False positive js_vhtml alert will be sent.

Workaround:
None. This is a false positive and does not indicate an actual malware condition.

Fix:
Signatures have been updated so that the false positive js_vhtml alert is no longer sent when browsing to a protected page with malware detection enabled.


489888-1 : VDI profile can be configured when APM is not provisioned, but does not work.

Component: Access Policy Manager

Symptoms:
The LTM GUI allows you to configure a VDI profile when APM is not provisioned, but the profile does not work without APM.

Conditions:
This can occur if APM was previously provisioned and one or more VDI profiles were configured. After APM is de-provisioned, the profiles remain visible in the GUI.

Impact:
There should be no impact other than the GUI allowing you to configure something that cannot be used unless APM is provisioned.

Fix:
The GUI no longer allows you to configure VDI profile when APM is not provisioned.


489816-1 : F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero

Component: Performance

Symptoms:
An SNMP query for the F5 Enterprise MIB attribute sysTmmStatMemoryTotal, and several others, returns zero values after upgrading to v11.6.0 HF6 or later.

Conditions:
Always

Impact:
These values are incorrect.

Workaround:
Equivalent MIB attributes in units of kilobytes, of SNMP type Gauge, can be queried instead. For sysTmmStatMemoryTotal, query sysTmmStatMemoryTotalKb.

Fix:
The affected MIB attributes no longer return zero values in 11.6.0 HF6 and later. Units remain bytes, using SNMP attribute type Counter64.


489796-2 : TMM cores when Woodside congestion control is used.

Component: Local Traffic Manager

Symptoms:
Woodside congestion control divides by the congestion window when calculating the minimum delay. If the congestion window is 0, the division by zero causes TMM to core.

Conditions:
The congestion window becomes 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use another congestion control rather than Woodside.

Fix:
The TMM crash when using Woodside congestion control, caused by a division by zero, has been fixed.


489767 : Webroot cloud lookup support

Component: Policy Enforcement Manager

Symptoms:
PEM cannot query the Webroot cloud database for URLs that are only available from the Webroot cloud service. The BIG-IP system holds one global Webroot database containing millions of URLs it can categorize, whereas the cloud-hosted Webroot database can categorize billions. In certain countries, some popular URLs can only be categorized by the Webroot cloud database.

Conditions:
This only applies when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Impact:
Certain URLs are categorized as unknown by the local Webroot database that is managed on the BIG-IP system, even though they could be categorized by the Webroot cloud service.

Workaround:
None.

Fix:
Support has been added for PEM to perform the Webroot cloud lookup asynchronously and cache the categorization result. When later requests for the same URL arrive, PEM categorizes the URL from the cached Webroot cloud lookup result.


489754-1 : Flow based reporting attribute mismatch between TMUI and TCL

Component: Policy Enforcement Manager

Symptoms:
Several fields are missing from PEM format script reporting.

Several fields in the format script report microseconds (usec) where milliseconds are intended.

Conditions:
In PEM session and flow format script reporting.

Impact:
Some new fields are added.

For session, here are the new fields:
last-sent-msec
report-id
report-version
timestamp-msec

For flow, here are the new fields:
flow-start-milli-seconds
flow-end-milli-seconds
report-id
route-domain
report-version
timestamp-msec
vlan-id

Workaround:
This issue has no workaround at this time.

Fix:
To preserve backward compatibility, the following fields are retained, but the values of the *-usec fields below are now always 0, marking them as no longer meaningful; they are kept only so that existing user scripts do not break.

For session:
last-sent-usec
timestamp-usec
module-id

For flow:
flow-start-time-usec
flow-end-time-usec
timestamp-usec


489750-3 : Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config

Component: TMOS

Symptoms:
From 11.4.0 onward, deleting a FIPS key by handle is expected to return an error if the BIG-IP configuration contains a key object for it. However, if the key name differs from the key's FIPS label, deletion by handle removes the key from the FIPS card without checking the BIG-IP configuration, and leaves the key object in the configuration.

Conditions:
Delete FIPS key by-handle using tmsh when the key name is different from the FIPS-label of the key.

Impact:
Deleting a FIPS key by handle may not return the expected error when the handle corresponds to a key in the BIG-IP configuration: the key is removed from the FIPS card while the configuration still references it.

Workaround:
Use FIPS key deletion by handle only for handles that have no corresponding key object in the BIG-IP configuration.

If deletion of the FIPS key was intended, and a by-handle deletion has already been performed without removing the key from the BIG-IP configuration, proceed as follows.

After executing:
'tmsh delete sys crypto fips by-handle <handle-number>'

check whether the corresponding key still exists in the BIG-IP configuration:
'tmsh list sys crypto key'

If the key is still present, remove it:
'tmsh delete sys crypto key <keyname>'

Fix:
The system now correctly handles deleting a FIPS key by handle with tmsh when the key name differs from the key's FIPS label.


489705-2 : Running out of memory while parsing large XML SOAP requests

Component: Application Security Manager

Symptoms:
Running out of memory while parsing large XML SOAP requests.

Conditions:
System parses as XML a large multipart file upload.

Impact:
Unnecessary memory allocations which could cause the Enforcer to run out of memory. The system posts an error similar to the following: 'ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing'.

Fix:
The system no longer parses a large multipart file upload as XML. Doing so caused unnecessary memory allocations that could exhaust the Enforcer's memory and produce the error "ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing".


489682-1 : Configuration upgrade failure due to change in an ASM predefined report name

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version and upgrading.

Conditions:
Define a scheduled report based on "Top alerted URLs" on 11.3.0, then upgrade.

Impact:
Version upgrade fails (the BIG-IP becomes unusable).

Workaround:
Change the "/Common/Top Alerted URLs" reference in the bigip.conf file of the UCS to "/Common/Top Alarmed URLs", and then load the modified UCS.

Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.
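The workaround above edits bigip.conf inside the exported UCS. As an added example (written for this page, not F5 tooling), the following Python rewrites that reference while copying the archive, so certificates, keys and every other member stay byte-for-byte intact. It assumes the UCS is a gzipped tar with the configuration at config/bigip.conf; the sample bigip.conf excerpt and the stanza syntax around the report name are constructed for the dry run, not copied from a real configuration.

```python
import io
import os
import tarfile
import tempfile

OLD_NAME = "/Common/Top Alerted URLs"   # name written by the older version
NEW_NAME = "/Common/Top Alarmed URLs"   # name the upgraded version expects
CONF_MEMBER = "config/bigip.conf"       # assumed location of bigip.conf inside the UCS


def patch_bigip_conf(text):
    """Rewrite the predefined-report reference; returns (new text, number of replacements)."""
    return text.replace(OLD_NAME, NEW_NAME), text.count(OLD_NAME)


def patch_ucs(src_path, dst_path):
    """Copy the UCS archive, rewriting bigip.conf on the way. Returns the replacement count.
    Every other member (certificates, keys, other config files) is copied unchanged."""
    replaced = 0
    with tarfile.open(src_path, "r:gz") as src, tarfile.open(dst_path, "w:gz") as dst:
        for member in src.getmembers():
            if not member.isfile():
                dst.addfile(member)
                continue
            payload = src.extractfile(member).read()
            if os.path.normpath(member.name) == CONF_MEMBER:
                text, n = patch_bigip_conf(payload.decode("utf-8"))
                payload, replaced = text.encode("utf-8"), replaced + n
                member.size = len(payload)   # size changed, so the header must be updated
            dst.addfile(member, io.BytesIO(payload))
    return replaced


# Constructed sample: a scheduled report referring to the old predefined-report name.
# The surrounding stanza syntax is illustrative, not copied from a real bigip.conf.
SAMPLE_BIGIP_CONF = """analytics scheduled-report /Common/weekly_asm {
    predefined-report "/Common/Top Alerted URLs"
}
ltm virtual /Common/vs_https {
    destination /Common/203.0.113.10:443
}
"""


def build_sample_ucs(path):
    """Write a minimal UCS-shaped archive (gzipped tar with config/bigip.conf) for a dry run."""
    data = SAMPLE_BIGIP_CONF.encode("utf-8")
    with tarfile.open(path, "w:gz") as ucs:
        info = tarfile.TarInfo(CONF_MEMBER)
        info.size = len(data)
        ucs.addfile(info, io.BytesIO(data))


def read_member(path, name=CONF_MEMBER):
    """Return one member of a UCS as text (used to verify the patched archive)."""
    with tarfile.open(path, "r:gz") as ucs:
        return ucs.extractfile(name).read().decode("utf-8")


def demo():
    """Round trip in a temp dir: build sample, patch it, read back. Returns (count, text)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "old.ucs"), os.path.join(tmp, "patched.ucs")
        build_sample_ucs(src)
        n = patch_ucs(src, dst)
        return n, read_member(dst)
```

Run demo() for the dry run, or patch_ucs('old.ucs', 'patched.ucs') on a real export, then load the result with tmsh load sys ucs patched.ucs. Keep the original UCS untouched so a failed load can be retried from a clean copy.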


489648-1 : Empty violation details for attack signatures

Component: Application Security Manager

Symptoms:
Attack signatures detected on a transaction. The reporting does not show the details of all attack signatures.

Conditions:
Different signature sets are applied to different policies, and a request then triggers attack signatures.

Impact:
Not all the detected attack signature details are shown. In some cases, there are empty violation details for certain attack signatures.

Workaround:
None.

Fix:
All attack signature details are now shown.


489451-3 : TMM might panic due to OpenSSL failure during handshake generation

Component: Local Traffic Manager

Symptoms:
TMM might panic due to OpenSSL failure during handshake generation.

Conditions:
Low memory. Software-based SSL handshake generation.

Impact:
TMM outage.

Fix:
The system now checks for OpenSSL failures during SSL handshake generation, so TMM no longer panics.


489382-7 : Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert

Component: Access Policy Manager

Symptoms:
Browser clients allow the Machine Cert Auth agent to pass even if the 'match SubjectCN and FQDN' criterion is not satisfied.
This only happens if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.

Conditions:
The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.

Impact:
The browser allows network access to be established even though it should not.

Workaround:
To work around the problem, add more search criteria in the Machine Cert Auth agent.

Fix:
The browser client now selects the appropriate certificate when the 'match SubjectCN and FQDN' criterion is specified in the Machine Cert Auth agent.


489379-1 : Bot signature is not matched

Component: Advanced Firewall Manager

Symptoms:
Bot signature is not matched although its content appears in request.

Conditions:
Configure several bot signatures and send requests that contain them. Some signatures may not be matched.

Impact:
Signature that should be matched and blocked may reach the application.

Workaround:
This issue has no workaround at this time.

Fix:
All configured signatures are now matched.


489364-1 : Now web VPN client correctly minimizes IE window to tray

Component: Access Policy Manager

Symptoms:
An Internet Explorer window remains on the taskbar when Network Access connects, even if the 'minimize to tray' option is enabled.

Conditions:
Internet Explorer is used and the 'minimize to tray' option is enabled.

Impact:
The IE window stays on the desktop.

Fix:
An Internet Explorer window is now correctly minimized to the tray.


489329-6 : Memory corruption can occur with SPDY/HTTP2 profile(s)

Component: Local Traffic Manager

Symptoms:
A virtual server using either the SPDY or HTTP2 profiles can experience random memory corruption due to a double free of memory.

Conditions:
A SPDY or HTTP2 profile is configured on the virtual server.

Impact:
This results in a TMM crash in random components due to memory corruption.

Workaround:
Do not use SPDY or HTTP2 profiles.

Fix:
A memory corruption in the SPDY/HTTP2 profiles has been fixed.


489328-9 : Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause TMM to crash.

Component: Access Policy Manager

Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.

Conditions:
Rare condition: a user opens several browser tabs pointing to a BIG-IP APM virtual server, so the access policy runs from more than one tab. If the length of the encoded URL falls on a 4 KB boundary, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Proper checks were added before the URL is processed: if the initial URL is too long, the BIG-IP system does not process it, and the user might see a reset. After the session is established in another tab, the user can access the long URL again.


489323-1 : Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.

Vulnerability Solution Article: K43552605


489217-1 : "cipher" memory can leak

Component: Local Traffic Manager

Symptoms:
When performing SSL handshakes, memory usage can increase. Examining "cipher" memory in memory_usage_stat may show large amounts of "cipher" memory allocated.

Conditions:
BIG-IP performing SSL handshakes.

Impact:
Memory usage increases until no more memory is available.

Fix:
"cipher" memory no longer leaks.


489084-1 : Validation error in MCPD for FQDN nodes

Component: TMOS

Symptoms:
Validation does not enforce unique FQDN nodes across folders.

Conditions:
Create two nodes with the same FQDN in two different folders.

Impact:
This issue can cause undefined behavior.

Workaround:
Ensure that FQDN nodes, like IP nodes, are unique across folders.

Fix:
Validation now enforces that FQDN nodes, like IP nodes, are unique across folders.


488989-3 : AVRD does not print out an error message when the external logging fails

Component: Application Visibility and Reporting

Symptoms:
External logging of AVR statistics is done by the HSL framework; if a message fails to be sent to the syslog server, AVR does not log the error.

Conditions:
If the network is under stress, the external logging might not be 100% transmitted.

Impact:
The logging application does not receive all log entries.

Fix:
AVR now logs HSL send errors.
Note that delivery is still not guaranteed: syslog has no application-level acknowledgement, so a message may fail to reach its destination even when no send error is logged. This is inherent in the protocol.


488986-2 : Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.

Component: Access Policy Manager

Symptoms:
An access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, or with the Edge Client.

Conditions:
Internet Explorer versions 10 and 11.

Impact:
Access policy cannot enter Windows Protected Workspace.

Workaround:
Use a browser other than Internet Explorer versions 10 and 11.

Fix:
An access policy can now enter Windows Protected Workspace on Internet Explorer versions 10 and 11.


488931-1 : TMM may restart when MPTCP traffic is being handled.

Component: Local Traffic Manager

Symptoms:
Under some conditions, multipath TCP (MPTCP) traffic handled by an MPTCP-enabled virtual server can cause TMM to restart.

Conditions:
MPTCP traffic is being handled by a L7 virtual server.

Impact:
The TMM might restart when this condition occurs.

Workaround:
None.

Fix:
TMM no longer restarts when multipath TCP (MPTCP) traffic is handled by an L7 virtual server.


488921-2 : BIG-IP system sends unnecessary gratuitous ARPs

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends unnecessary gratuitous ARPs for its virtual IP addresses and self IP addresses.

Conditions:
When the virtual server status transitions from online to offline status or vice versa.

Impact:
The BIG-IP system sends out a large number of unwanted gratuitous ARPs if the virtual server changes its status rapidly. If devices connected to the BIG-IP system have rate limits configured, the devices might start ignoring the ARPs sent by the BIG-IP system, which might cause the devices to miss the critical gratuitous ARPs sent on HA failover. This might affect HA functionality.

Fix:
The system no longer sends unnecessary gratuitous ARPs when pool member state changes cause virtual server status changes.


488917-2 : Potentially confusing wamd shutdown error messages

Component: WebAccelerator

Symptoms:
When shutting down, wamd might log debug messages that appear serious.

Conditions:
wamd shutdown.

Impact:
Unnecessary log messages generated, similar to the following:
-- WA Debug (17637): * WARNING: The server encountered an unexpected condition.
-- WA Debug (17637): * Contact F5 support if you are experiencing problems and include
-- WA Debug (17637): * the following diagnostic information.

These messages are cosmetic and do not indicate a problem with the system.

Workaround:
None.

Fix:
The wamd process no longer generates potentially alarming debug log messages when shutting down.


488916 : CIDR can now be used for SNAT Origin Address List

Component: TMOS

Symptoms:
A validation error occurs when an address in IP/CIDR format is entered into the address list field, although the field accepts an address in IP/netmask (IP/IP) format.

Conditions:
An address in IP/CIDR format is entered into the address list field.

Impact:
A validation error occurs, although the field still accepts an address in IP/IP format.

Fix:
Validation error is no longer thrown and address in IP/CIDR format is now handled correctly.


488908-1 : In a client-ssl profile serving as the server side, BIG-IP SSL does not initialize some parameters in its initialization function.

Component: Local Traffic Manager

Symptoms:
In a client-ssl profile that serves as the server side, BIG-IP SSL does not initialize some parameters.

Conditions:
A client-ssl profile serving as the server side, with retransmission of fragmented datagrams.

Impact:
The SSL handshake fails, and Datagram Transport Layer Security (DTLS) crashes while retransmitting fragmented datagrams.

Workaround:
None.

Fix:
In a client-ssl profile that serves as the server side, BIG-IP SSL now initializes the parameters in its initialization function as expected.


488892-3 : JavaRDP client disconnects

Component: Access Policy Manager

Symptoms:
JavaRDP client disconnects user's session when user interacts before the handshake is complete.

Conditions:
This might occur when the network connection is slow but the user clicks within the client area or presses a key before the handshake completes. The RDP client then attempts to send the input event to the server.

Impact:
Because the RDP handshake is not completed at this point, the server aborts the connection.

Workaround:
Do not interact within the client area before the window fills with an image from the server. When that occurs, the connection is clearly established and all handshakes are completed.

Fix:
JavaRDP client session starts correctly now, and the system does not process extraneous input that occurs before the handshake completes.


488811-5 : F5 Pre-Logon User profile folders are not fully cleaned up

Component: Access Policy Manager

Symptoms:
When a user logs on using Network Logon in Windows, it triggers access policy execution, and the policy creates a temporary user, f5 Pre-Logon User. This causes the operating system to create a profile folder on the computer. After several executions, these folders start to accumulate because they are not removed properly after policy execution is complete.

Each time the access policy runs, it creates a user folder of the form f5 Pre-Logon User.<HOSTNAME>.xyz in the C:\Users folder.

Conditions:
A user logs on to the computer using Network Logon in Windows. (Windows Logon Integration)

Impact:
The disk fills up over time, and the accumulating folders confuse the user.

Workaround:
To work around the problem, delete folders manually.


488736-5 : Fixed problem with iNotes 9 Instant Messaging

Component: Access Policy Manager

Symptoms:
iNotes 9 IM (Sametime) does not work, and errors appear in the JavaScript console.

Conditions:
User is connected to iNotes 9 through Portal Access.

Impact:
Sametime in iNotes 9 is not accessible.

Workaround:
None.

Fix:
iNotes 9 Sametime (instant messaging) is working now.


488713-1 : Corrupt memory

Component: Application Visibility and Reporting

Symptoms:
The Thrift server raises an unhandled exception.

Conditions:
The Thrift server encounters an unhandled exception.

Impact:
AVRD crashes.

Workaround:
None.

Fix:
AVRD now handles exceptions raised by the Thrift server instead of crashing.


488686-1 : Large file transfer hangs when HTTP is in passthrough mode

Component: Local Traffic Manager

Symptoms:
Large file transfer hangs when HTTP is in passthrough mode. The HTTP profile may switch into passthrough mode for a number of reasons, including enforcement (the http-transparent profile options), the CONNECT HTTP method, iRule, unknown method detection, or switching protocols.

Conditions:
-- Virtual server with HTTP profile configured.
-- HTTP profile goes into passthrough mode.
-- Large file transfer occurs.

Impact:
File transfer hangs.

Workaround:
None.

Fix:
Flow control is now implemented in the HTTP profile while in passthrough mode.


488600-2 : iRule compilation fails on upgrade

Component: Local Traffic Manager

Symptoms:
While upgrading, the configuration load fails and you see an error similar to the following:

localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. -- Syntax Error:(/config/bigip.conf at line: 40) "{" unknown property

Conditions:
Upgrading to 11.6.x may cause iRule compilation failures if the iRule has whitespace and a line break, rather than an opening brace, after the event name.

For example:
when CLIENT_ACCEPTED
{

Impact:
Configuration will fail to load on upgrade.

Workaround:
You can edit bigip.conf and manually correct the line in the iRule by putting the opening brace on the same line as the event, then reload the configuration with tmsh load sys config.

Example:
when CLIENT_ACCEPTED {

Fix:
The Tcl parser now accepts whitespace after the event name before the line break, so an opening brace on the following line parses again.


488598-1 : SMTP monitor on non-default route domain fails to create socket

Component: Local Traffic Manager

Symptoms:
SMTP monitor on non-default route domain fails to create socket

Conditions:
SMTP monitors on a non-default route domain.

Impact:
SMTP monitor pool members are DOWN. If debug logging is enabled for the monitor, the system posts messages in the monitor's debug log: Notice 'ERROR: failed to connect 10.50.1.100%20:25 error: couldn't open socket: host is unreachable'.

Workaround:
Create an External monitor using SMTP_monitor.

Fix:
SMTP monitor no longer fails when using a non-default route domain.


488581 : The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within a HTTP_REQUEST event

Component: Local Traffic Manager

Symptoms:
The Traffic Management Microkernel (TMM) process may restart and produce a core file when using the SSL::disable client-side iRule command within an HTTP_REQUEST event.

As a result of this issue, you may encounter one or more of the following:

-- The BIG-IP system fails over to another host in the device group.
-- The BIG-IP system generates a TMM core file in the /shared/core directory.
-- The BIG-IP system temporarily fails to process traffic.

Conditions:
This issue occurs when the following conditions are met:

-- A virtual server uses an iRule.
-- The iRule contains the SSL::disable clientside command within an HTTP_REQUEST event.
-- The virtual server processes encrypted traffic that triggers the HTTP_REQUEST event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not put 'SSL::disable clientside' inside HTTP_REQUEST.

Fix:
The Traffic Management Microkernel (TMM) process no longer restarts and produces a core file when using the SSL::disable client-side iRule command within an HTTP_REQUEST event.
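The two iRule problems in this range, an event header whose opening brace sits on the next line (488600-2) and 'SSL::disable clientside' inside HTTP_REQUEST (488581), can both be caught in bigip.conf before an upgrade. The following Python linter is an added example written for this page, not an F5 tool: it joins misplaced braces exactly as the 488600-2 workaround describes and counts HTTP_REQUEST blocks that disable client-side SSL. The bigip.conf excerpt is constructed, and the brace matcher is a plain counter, so a brace inside a quoted string or a Tcl comment can mislead it.

```python
import re

# 'when EVENT' or 'when EVENT priority N' as it appears in bigip.conf iRules
EVENT_HEADER = r"when[ \t]+[A-Z0-9_]+(?:[ \t]+priority[ \t]+\d+)?"

# Issue 488600-2: the opening brace on the line after the event name, rejected by 11.6.x
BRACE_ON_NEXT_LINE = re.compile(
    rf"^(?P<indent>[ \t]*)(?P<event>{EVENT_HEADER})[ \t]*\r?\n[ \t]*\{{", re.MULTILINE)

# Issue 488581: 'SSL::disable clientside' inside an HTTP_REQUEST event
EVENT_OPEN = re.compile(rf"(?P<header>{EVENT_HEADER})[ \t]*\{{")
SSL_DISABLE_CLIENTSIDE = re.compile(r"SSL::disable[ \t]+clientside\b")


def count_misplaced_braces(text):
    """Number of event headers whose '{' is on the following line."""
    return len(BRACE_ON_NEXT_LINE.findall(text))


def fix_event_braces(text):
    """Join 'when EVENT' with a '{' on the following line, keeping the indentation."""
    return BRACE_ON_NEXT_LINE.sub(lambda m: f"{m.group('indent')}{m.group('event')} {{", text)


def event_bodies(text):
    """Yield (event name, body) for every 'when EVENT {...}' block.
    Braces are matched by counting; a brace inside a quoted string or a Tcl comment
    would throw the count off, so treat the result as a review aid, not a parser."""
    for m in EVENT_OPEN.finditer(text):
        name = m.group("header").split()[1]
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield name, text[m.end():i - 1]


def http_request_blocks_disabling_clientside_ssl(text):
    """Number of HTTP_REQUEST blocks containing 'SSL::disable clientside'."""
    return sum(1 for name, body in event_bodies(text)
               if name == "HTTP_REQUEST" and SSL_DISABLE_CLIENTSIDE.search(body))


def lint_irules(text):
    """Return (text with braces fixed, report). Braces are fixed first so that the
    event scan also covers blocks the 11.6.x parser would have rejected outright."""
    fixed = fix_event_braces(text)
    return fixed, {
        "braces_joined": count_misplaced_braces(text),
        "http_request_ssl_disable_clientside": http_request_blocks_disabling_clientside_ssl(fixed),
    }


# Constructed bigip.conf excerpt showing both problems plus one acceptable rule.
SAMPLE_BIGIP_CONF = """ltm rule /Common/legacy_rule {
    when CLIENT_ACCEPTED
    {
        log local0. "accepted [IP::client_addr]"
    }
    when HTTP_REQUEST priority 500 {
        if { [HTTP::uri] starts_with "/plain" } {
            SSL::disable clientside
        }
    }
}
ltm rule /Common/ok_rule {
    when CLIENT_ACCEPTED {
        SSL::disable clientside
    }
}
"""
```

Review the report before writing anything back: the brace fix is mechanical, but the SSL::disable finding needs a human to move the command out of HTTP_REQUEST, because where it belongs depends on what the iRule is trying to achieve.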


488374-2 : Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation

Component: TMOS

Symptoms:
Mismatched IPsec policy configuration causes racoon to core intermittently after failed IPsec tunnel negotiation.

Conditions:
During IPsec Tunnel negotiation, IKE Phase 1 negotiation succeeds and ISAKMP security association is created, but phase 2 (Quick mode) for IPsec security associations fails due to mismatched IPsec policy configuration. This intermittent error occurs because of a memory issue that causes heap corruption.

Impact:
Intermittently, the racoon daemon crashes and produces a core after earlier failed phase 2 negotiations.

Workaround:
Make sure IPsec policies such as encryption/authentication algorithms for the data going through IPsec tunnel on the remote device match the IPsec policy configured on the BIG-IP system for the same IPsec Tunnel.

Fix:
The racoon daemon no longer crashes due to mismatched IPsec policy configuration.


488306-1 : Requests not logged locally on the device

Component: Application Security Manager

Symptoms:
After deactivating or deleting security policies and then activating other policies, requests are sometimes not logged on the local device.

Conditions:
Deactivating/deleting security policies and then activating other policies.

Impact:
Requests are not logged on the local device.

Workaround:
Restart ASM.

Fix:
ASM now properly tracks security policy changes, and correctly logs requests.


488208-1 : openssl v1.0.1j.

Component: Local Traffic Manager

Symptoms:
OpenSSL has been updated to version 1.0.1j.

Conditions:
N/A

Impact:
N/A

Fix:
OpenSSL has been updated to version 1.0.1j.


488166-1 : Provide an option to delete the session and create a new one when the IP class address limit is reached while a new IP is being added.

Component: Policy Enforcement Manager

Symptoms:
When the multiple-IP feature is in use, adding a new IP address to a session fails once the address limit for that class of IP address is reached. If old IP addresses are never removed from the session, even though the subscriber may no longer be using them, new IP assignment is refused, and subscriber traffic might be blocked or left unpoliced because the new IP address was not added to the session.

Conditions:
The IP class address limit for the session has been reached, and a request to add a new IP address for the same subscriber session arrives.

Impact:
The session is created from traffic rather than by RADIUS, so it has no subscriber ID assigned. The PCRF may decline to provide a policy, so subscriber traffic may not be policed as expected.

Fix:
A db variable, Tmm.pem.session.delete.if.max.ipaddr.per.class.exceeded, has been added and is set to TRUE by default. When a request to add a new IP address arrives via RADIUS and the session's IP limit has been reached, the current session is deleted and a new one is created, so the new subscriber session is not affected.


488105-3 : TMM may generate core during certain config change.

Component: Access Policy Manager

Symptoms:
If an administrator deletes a sandbox file from the configuration while the data plane is still using it, TMM may core because it accesses freed memory.

Conditions:
The data plane is handling requests for the sandbox files while an administrator deletes them from the control plane.

Impact:
TMM may core, which may cause APM service to become unavailable for some time.

Fix:
Access whitelist entries are refcount-ed to prevent freeing of the memory while it is still being used.


488015-1 : Multiple PHP vulnerabilities

Vulnerability Solution Article: K15866


487859-1 : Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.

Component: Access Policy Manager

Symptoms:
Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.

Conditions:
When importing the local DB user from the CSV file, with no UID value provided.

Impact:
All users imported without UIDs will be mapped to one user's detail entry (that is, fname, lname, email, and so on). So all such users show the same first name, last name, email, and other user details.

Workaround:
There is no workaround.

Fix:
Importing local db users with no UID set now generates a Unique ID and stores each user's details in the database.


487808-3 : End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing.

Component: Global Traffic Manager

Symptoms:
The BIG-IP Link Controller and BIG-IP GTM link cost-based and inbound link path-based load balancing features have reached End of Life (EoL).

Conditions:
BIG-IP Link Controller and BIG-IP GTM link cost-based and inbound link path-based load balancing features.

Impact:
Cannot use these features.

Workaround:
None.

Fix:
Link cost and inbound link path load balancing software support has reached EOL. For more information, see SOL15834: End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing, available here: https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15834.html.


487757 : Hybrid higig/front panel port packet discard (ingress back-pressure vs. egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms.

Component: Local Traffic Manager

Symptoms:
Different discard configurations on B4300/B2200/10000/12000-family platform interfaces may produce different packet discard type counts when the switch encounters bursty or severe MMU congestion.

Conditions:
Dissimilar congestion discard counts are observed for switch ports supporting normal vs. extended unicast queues.

Impact:
When switch ports encounter congestion, ports supporting extended unicast queues may show ingress back-pressure discard counts, whereas ports supporting regular unicast queues show egress queue discard counts.

Workaround:
None.

Fix:
Egress CoS queue discard settings are now enabled for switch ports supporting extended unicast queues as well, as was already the case for ports supporting normal unicast queues.


487625-3 : Qkview might hang

Component: TMOS

Symptoms:
A corrupted filestore causes qkview to hang.

Conditions:
This occurs due to filestore mapping issues. It might also occur when files listed in the filestore are missing.

Impact:
Qkview hangs and sync attempts silently fail due to filestore mapping issue. The system might post error messages similar to the following: err mcpd[4596]: 0107134e:3: Failed while making snapshot: (Failed to link files existing(/config/ssl/ssl.crt/ca-bundle.crt) new(/config/.snapshots_d/certificate_d/1389867940_:Common:ca-bundle.crt_1) errno(2)(No such file or directory).) errno(2) errstr(No such file or directory).

Workaround:
None.

Fix:
A corrupted filestore no longer causes qkview to hang.


487592 : Change in the caching duration of OCSP response when there is an error

Component: Local Traffic Manager

Symptoms:
Some of the OCSP responses that indicate an error (such as 'unauthorized' response from the responder) are cached indefinitely.

Conditions:
Some of the OCSP responses that indicate an error (such as 'unauthorized' response from the responder).

Impact:
Responses are cached indefinitely.

Workaround:
The response can be deleted from the cache so as to obtain a new response. The new response will be cached based on whether it is valid, and whether the responder indicates an error.

Fix:
Except when the responder sends a certificate-status 'revoked', or a response status 'signature required', the response is cached for the duration given by the 'cache-error-timeout' field.


487587-2 : The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios

Component: Local Traffic Manager

Symptoms:
The allowed range of 'status-age' in OCSP Stapling Parameters was 0 - 86400 (0 to 1 day in seconds). This range might not be enough for some scenarios, where the acceptable value could be as high as 7-10 days.

Impact:
OCSP response is discarded even when it is acceptable as valid.

Workaround:
This issue has no workaround at this time.

Fix:
The allowed range of 'status-age' has been changed to 0 - MAX_INT, with 0 indicating that the status-age check is not performed. That is, it is not checked if the 'thisUpdate' value in the OCSP response is lagging in time by a specified value. Also, the default value of the status-age has been changed to 86400 (one day in seconds).


487567-4 : Addition of a DoS Profile Along with a Required Profile May Fail

Component: TMOS

Symptoms:
Certain DoS profiles require a preliminary profile to be attached as well. For example, a DNS-enabled DoS profile may require a DNS profile to be attached first. However, when both profiles are attached at the same time, an error may be thrown telling the user that the required profile is not attached.

Conditions:
A DoS profile needs to be attached at the same time as its required profile. For example, an Application DoS profile requires an HTTP profile to be attached as well.

Impact:
If you have such DoS profiles in use and attach them in a single transaction (GUI operations or the iControl REST API), you may be affected.

Workaround:
None

Fix:
It is now possible to attach a DoS Profile and a required supporting profile in a single transaction.


487554-2 : System might reuse TCP source ports too quickly on the server side.

Component: Local Traffic Manager

Symptoms:
The system might reuse TCP source ports too quickly on the server side when the DAG hash is ip-only and the source-port mode is set to 'change'.

Conditions:
This occurs when the dag-cmp hash is ip-only, and the virtual server or PEM-forwarding endpoints sourceport mode is set to change. The BIG-IP system might reuse some TCP source ports on the server side.

Impact:
Conflicting flows result in connections being reset.

Workaround:
This issue has no workaround at this time.

Fix:
In this release, reuse of TCP source ports is sequential, which eliminates the issue of TCP source ports being used too quickly on the server side.


487553 : FPS alerts

Component: Fraud Protection Services

Symptoms:
Fraud Protection Service (FPS) alerts are not being sent.

Conditions:
This occurs when using FPS.

Impact:
Alerts for the user credentials are not being sent.

Fix:
Improved alerting for Fraud Protection Service (FPS).


487552-3 : triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests are coming from 8G table

Component: TMOS

Symptoms:
The system might post the following error when the provisioned modules should be supported: 01071008:3: Provisioning failed with error 255 - 'Physical memory (6144MiB) insufficient for 3 or more modules.'

Conditions:
VCMP guests and VE guests with memory between 5632 MiB and 6250 MiB.

Impact:
Not allowed to provision more than 3 modules.

Workaround:
Create VCMP guests with 4 or more CPUs. Configure the VE guests with more than 6250 MiB of memory available.

Fix:
Three or more modules can be provisioned on VCMP guests and VE guests having 5632 MiB or more memory.

Behavior Change:
You are now allowed to provision any number of combinations of modules on platforms with 5.5 GiB of memory or more so long as there are resources available. Previously, 3 or more modules were not allowed to be provisioned on platforms with 6 GiB or less. Note that Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.


487512-1 : Enable Bittorrent classification in Qosmos by default

Component: Traffic Classification Engine

Symptoms:
Because of the poor accuracy of BitTorrent classification, the field is asking to have Qosmos enabled by default.
This was tested as part of the SR investigation and confirmed to work at a customer site.

Conditions:
Running BitTorrent for a long period of time.

Impact:
Poor accuracy of classification of BitTorrent traffic.

Workaround:
tmsh modify sys db tmm.gpa.cec.behavioral_protocols value 183,271,553,580,597,1040,1041,842

Fix:
Bittorrent classification is now enabled in Qosmos by default.


487420-1 : BD crash upon stress on session tracking

Component: Application Security Manager

Symptoms:
An ASM bd process crash occurs in a specific scenario that involves system stress and session tracking, or the crash can be reached rarely from slow responses/servers with session tracking.

Conditions:
ASM under heavy load, session tracking is running.

Impact:
A bd process crash, failover, and/or traffic resets.

Workaround:
None.

Fix:
This release fixes a system crash scenario that occurred with session tracking.


487233-1 : vCMP guests are unable to access NTP or RSYNC via their management network.

Component: TMOS

Symptoms:
Attempts to access an external NTP server or RSYNC server from within a vCMP guest over the management network fail to pass traffic.

Conditions:
This issue affects vCMP guests running any BIG-IP software version when running on a vCMP hypervisor running software version 11.6.0.

Impact:
vCMP guests are unable to configure an external NTP server reachable over the management network.

Workaround:
An NTP server may be configured using a self-ip and the data plane network without issue.
If access is required via the management port, execute the following steps:
1) Add the commands
iptables -t nat -D PREROUTING -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT
iptables -t nat -I PREROUTING 1 -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT
to /config/startup on the vCMP hypervisor. This will ensure the workaround persists across reboots.
2) Run the following command at the vCMP hypervisor bash prompt:
clsh iptables -t nat -I PREROUTING 1 -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT

Rebooting the hypervisor or affected guests is not required.

Fix:
An issue has been corrected which affected NTP and RSYNC access via the management network in vCMP guests.


487170-1 : Enhanced support for proxy servers that resolve to multiple IP addresses

Component: Access Policy Manager

Symptoms:
VPN might fail to connect in environments where DNS returns multiple IP addresses for the proxy server host name. This affects both the Edge client and the web client.

Conditions:
The proxy server name resolves to multiple IP addresses, or the proxy server IP address changes on a subsequent call to the DNS resolver.

Impact:
VPN connection might fail.

Workaround:
Configure DNS to return a persistent IP address for the proxy host name.

Fix:
Added support for scenarios where proxy host name resolves to multiple addresses.


487084-2 : GUI iFile delete confirmation page lists incorrect items to be deleted

Component: TMOS

Symptoms:
When deleting iFile objects from the GUI, all items listed on the confirm delete page display the name of the first iFile object. The correct items are still deleted, so this issue is cosmetic only.

Conditions:
This occurs when deleting any iFile object that is not the first one when ordered alphabetically. For example, in a configuration with three iFiles named 'Aardvark,' 'Anteater,' and 'Avalanche,' electing to delete Anteater and Avalanche in a single operation results in a delete confirmation page that displays two delete-confirmation entries, each of which shows the name 'Aardvark.' Similarly, when attempting to delete Anteater alone, the screen shows the name 'Aardvark.'

Impact:
The iFile confirm-delete page shows the wrong items. The correct items are deleted. This bug is cosmetic only and does not impact functionality.

Workaround:
Use tmsh for deleting iFile objects.

Fix:
When deleting iFile objects from the GUI, the delete-confirmation page now lists the correct items to be deleted.


486829-1 : HTTP Protocol Compliance options should not be modified during import/upgrade

Component: Application Security Manager

Symptoms:
HTTP Protocol Compliance options are enabled upon version upgrade or security policy import from a prior version.

Conditions:
This issue occurs when the configuration was upgraded to 11.6.0, or a security policy was imported from a prior version into 11.6.0.

Impact:
HTTP Protocol Compliance options are enabled.

Workaround:
Set HTTP Protocol Compliance options to desired values after import/upgrade.

Fix:
HTTP Protocol Compliance options are correctly preserved after a security policy import or a version upgrade.


486791-2 : Resolution of multiple wireshark vulnerabilities

Vulnerability Solution Article: K16939


486762-1 : lsn-pool connection limits may be invalid when mirroring is enabled

Component: Carrier-Grade NAT

Symptoms:
A client may not be able to create as many connections as allowed because mirroring may cause a connection to be counted more than once against the connection limit.

Conditions:
An lsn-pool with connection limits enabled, assigned to a virtual server.

Impact:
Clients may not be able to open as many connections as they should be able to open. The connections will fail.

Workaround:
This issue has no workaround at this time.

Fix:
With the fix in place, clients may open the full number of allowable connections.


486725-2 : GUI creating key files with .key extensions in the name causing errors

Component: TMOS

Symptoms:
When using the GUI, if a user adds a '.key' extension to the name, the file is created with an extra '.key' extension.

Conditions:
When the key file name 'test.key' is entered in the GUI, the file is created as 'test.key.key'.

Impact:
The extra '.key' extension causes problems with deletion, archiving, and so on. The GUI posts the following error: Not Found.

Workaround:
Delete the key and recreate without the .key in the name.

Fix:
The GUI will prevent names with reserved extensions such as '.key'.


486724-3 : After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails

Component: Local Traffic Manager

Symptoms:
After upgrading from TMOS v10 to TMOS v11 in a FIPS HA setup, config-sync will fail.

Conditions:
In a FIPS HA setup, upgrade from v10 to v11. After upgrade, trigger config-sync.

Impact:
HA devices will be in the sync failed state.

Workaround:
This issue has no workaround at this time.

Fix:
Config-sync will now be successful after upgrading from v10.


486712-3 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.

Fix:
Improved the statistics for updating the number of PVA connections when using fastL4.


486661-3 : Network Access should provide client IP address on reconnect log records

Component: Access Policy Manager

Symptoms:
Network Access should provide client IP address on reconnect log records

Conditions:
- Connect a client via network access - observe log of Client IP
- Disconnect and reconnect from a different client IP (or the same one)

Impact:
The log messages generated for the session do not include the client IP address.

Workaround:
None.


486597-1 : Fixed Network Access renegotiation procedure

Component: Access Policy Manager

Symptoms:
Network Access reconnects on every SSL renegotiation attempt on Windows 7 for TLS1.2 and TLS1.1 if client cert is requested.

Conditions:
This occurs when the following conditions are met:
-- Windows 7.
-- TLS 1.1/TLS 1.2.
-- Client cert set to 'required' in the virtual server's Client Cert profile.

Impact:
Reconnect on every SSL renegotiation attempt.

Workaround:
None.

Fix:
Fixed Network Access renegotiation procedure on TLS1.1 and TLS1.2 for Microsoft Windows 7.


486512-7 : audit_forwarder sending invalid NAS IP Address attributes

Component: TMOS

Symptoms:
Forwarded auditing messages contain the incorrect nas-ip-address attribute. It should be the local IP of the box. Instead nas-ip-address is another, random IP address.

Conditions:
This seems to work fine when the BIG-IP is a virtual machine. The issue reproduces only on actual hardware.

Impact:
Cannot pass certification because config auditing is not working as expected (invalid NAS IP Address).

Workaround:
None.

Fix:
Forwarded auditing messages now contain the correct nas-ip-address attribute, so config auditing is now working as expected.


486485-1 : TCP MSS is incorrect after ICMP PMTU message.

Component: Local Traffic Manager

Symptoms:
After an ICMP PMTU message, new TCP packets are well below the maximum size.

Conditions:
This occurs after receiving ICMP PMTU messages, which leads to the use of undersized TCP packets.

Impact:
Reduced throughput of TCP connections.

Workaround:
Configure TCP MSS to the true value.


486450-2 : iApp re-deployment causes mcpd on secondaries to restart

Component: Local Traffic Manager

Symptoms:
iApp redeployment causes mcpd on secondaries to restart.

Conditions:
This occurs when redeploying iApps with the locally cached files in place.

Impact:
mcpd restarts on secondaries.

Fix:
iApp redeployment now works correctly, and no longer causes mcpd on secondaries to restart.


486356-1 : unable to configure a virtual with stats profile and sip profile in 11.6.0

Component: Service Provider

Symptoms:
Changes in profile validation logic unintentionally blocked using a stats profile with a sip profile in the same virtual server.

Impact:
Unable to add a stats profile to a virtual containing a sip profile.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed mcpd validation to allow a stats profile to be included in a sip virtual server.


486346-3 : Prevent wamd shutdown cores

Component: WebAccelerator

Symptoms:
Under some circumstances, wamd cores while trying to exit.

Conditions:
wamd during shutdown.

Impact:
Unnecessary core files generated consuming some resources.

Workaround:
None.

Fix:
wamd no longer cores and now exits gracefully when shutting down.


486344-2 : French translation does not properly fit buttons in BIG-IP Edge client on Windows

Component: Access Policy Manager

Symptoms:
French translation does not properly fit buttons in BIG-IP Edge Client on Windows-based systems.

Conditions:
French translation in BIG-IP Edge Client on Windows.

Impact:
Text does not fit buttons.

Fix:
Translated French text has been corrected to properly fit buttons in BIG-IP Edge Client on Windows-based systems.


486323-1 : The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation

Component: Application Security Manager

Symptoms:
After an installation of an 11.6.0 hotfix, the datasyncd process may keep restarting for 30 minutes. This is rare, but if it does happen, the system remains offline during this time, until the state is automatically recovered.

Conditions:
An 11.6.0 hotfix is being installed on a system that is already running 11.6.0, and has either ASM or FPS provisioned.

Impact:
For 30 minutes following the hotfix installation, the system remains offline and does not handle traffic.

Workaround:
This issue has no workaround at this time.

Fix:
We corrected a rare scenario that caused a machine to remain offline for 30 minutes after an 11.6.0 hotfix installation.


486268-1 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
On the BIG-IP APM logon page, a title may not appear.

Conditions:
The RSA error message contains newline characters (for example, RSA 8.1 uses such a message).

Impact:
May cause usability issues.

Fix:
Now the title displays correctly on the logon page; RSA error messages are now sanitized.


486137-3 : License activation may not proceed if MCPD is not fully operational

Component: TMOS

Symptoms:
When the MCPD is not fully started, the activation process may fail.

Conditions:
When the MCPD service is not fully operational, and an attempt is made to perform activation, the activation may fail, due to incomplete data in the message to the activation service.

Impact:
Activation of license may not succeed.

Workaround:
Wait until MCPD is fully operational before performing license activation.

Fix:
Activation function has been modified to eliminate dependency on the MCPD.


486001 : Application Layer encryption not working on password field in certain situations

Component: Fraud Protection Services

Symptoms:
URL matching did not work correctly.

Conditions:
Another HTTP header, such as Referer, also contains a '?' character.

Impact:
The plugin side of vCrypt and other configured features does not work.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the application layer encryption for certain situations.


485948-5 : Machine Info Agent should have a fallback branch

Component: Access Policy Manager

Symptoms:
Machine Info agent is not supported for legacy logon clients (for example, mobile clients and Linux CLI); it is only supported for web logon clients (browsers and BIG-IP Edge Clients). However, the Machine Info agent does not throw any error if a legacy logon client connects to APM with the Machine Info agent in it.

Conditions:
This occurs with a Machine Info agent in the access policy and legacy logon clients.

Impact:
The Machine Info agent does not create any machine information-related session variables for legacy logon clients, nor does it indicate that it is not supported.

Workaround:
To work around the problem, use the Client Type agent to distinguish between legacy logon and web logon clients, and then add the Machine Info agent only in the web logon client branch.

Fix:
The Machine Info agent now differentiates between legacy logon clients and web logon clients by creating an error session variable. The error session variable is set to 1 when legacy logon clients connect to APM and 0 otherwise.


485939-1 : OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.

Component: TMOS

Symptoms:
In an HA pair setup, the active node sends an AS_External Link-State Advertisement (LSA) with an infinity metric value for the redistributed connected subnets that are configured in the network element of the OSPF configuration.

Conditions:
HA pair with redistributed connected subnets and subnets configured in the network element in the OSPF.

Impact:
The active node in the HA pair sends an LSA with infinity metric that gets exchanged in the other networks affecting the routing process.

Workaround:
Running 'clear ip ospf process' fixes the issue. However, it is not an effective solution in a production environment.

Fix:
OSPF sessions in an HA pair no longer send an AS_External LSA for the subnets that are configured as a network element and redistributed as connected subnets.


485917-3 : BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)

Vulnerability Solution Article: K15792


485906 : TMM may core when an APM virtual server has a OneConnect profile attached to the virtual server

Component: Access Policy Manager

Symptoms:
TMM may core if an APM virtual server detaches from its current resource and attaches to a different resource while handling requests.

Conditions:
This crash is most likely to occur when an APM virtual server is configured with a OneConnect profile. However, the issue is possible whenever the resource APM should connect to can be decided after the client connection is established (e.g., based on the HTTP Host header). This includes iRules that change the backend resource, load-balancing decisions that switch the resource, or an APM configuration that may interface with a number of different resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If OneConnect is present, removing its profiles from APM virtual servers greatly reduces the likelihood of this issue occurring. If the issue occurs without OneConnect, the other mitigation is to place APM in its own virtual, configured to interface with a layered virtual which remains constant. The layered virtual may then use iRules or load balance as normal. The APM virtual server cannot detach from one resource and re-attach to a different resource.

Fix:
APM virtual servers that can cause the resource to switch during request handling (as is most noticed with OneConnect profiles attached to them) will no longer cause TMM to crash and restart.


485833-7 : The mcpd process may leak memory when using tmsh to modify user attributes

Component: TMOS

Symptoms:
The Master Control Program Daemon (mcpd) may leak memory when you use the Traffic Management Shell (tmsh) to modify user attributes.

Note: The mcpd process is the messenger process that allows userland processes to communicate with the Traffic Management Microkernel (TMM), and the other way around.

As a result of this issue, you may encounter one or more of the following symptoms:

-- You are unable to configure the BIG-IP system.
-- You are unable to obtain statistics, or statistics may not be accurate.
-- In the /var/log/ltm file, you may observe an error message similar to the following example:
02001018:system library:fopen:Too many open files

Conditions:
This issue occurs when the following condition is met:

-- You are using the tmsh modify auth <user> command options to modify local user accounts. Some of the options include the following:
description User description.
partition-access The administrative partition to which the user has access.
password Set or modify the user password.
role Specifies the user role for the user account.
shell Specifies the shell to which the user has access.

Impact:
-- You cannot obtain or update the system status.
-- You cannot configure the BIG-IP system.
-- Userland processes may not be functional.

Workaround:
There is no workaround for this issue. To restore mcpd functionality, you can restart mcpd from the command line. To do so, perform the following procedure:

Impact of procedure: Restarting the mcpd process interrupts all traffic processing on the BIG-IP system. You should perform this procedure during a maintenance window.

Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

To restart the mcpd process, type the following command:
restart sys service mcpd

Fix:
The system now ensures that all user directory file descriptors are closed.


485812-2 : libxml2 vulnerability CVE-2014-3660

Vulnerability Solution Article: K15872


485787-1 : Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context

Component: Advanced Firewall Manager

Symptoms:
A staged ACL rule attached to a virtual server or self IP is never hit if a similar rule with a drop/reject action is attached to an upper context as enforced.

Conditions:
Policy should be staged at the Virtual or SelfIP context and enforced at the Global or Route Domain level. The action should be drop/reject.

Impact:
Staged policy counters are not incremented correctly.
Example:
We have 2 FW Policies (Policy1 and Policy2) with the same Rules:
security firewall policy Policy1 {
    rules {
        Rule1 {
            action reject
            destination {
                addresses {
                    10.10.10.11 { }
                }
            }
        }
    }
}

Policy1 attached to Global context as enforced:
security firewall global-rules {
    enforced-policy Policy1
}

Policy2 attached to VS as staged:
ltm virtual VS4_TCP {
    destination 10.10.10.11:any
    fw-staged-policy Policy2
    ip-protocol tcp
    ......
}

If we send traffic to hit this rule:
Policy1:Rule1 will be hit but Policy2:Rule1 will not be hit.

tmctl -w120 fw_rule_stat
context_type context_name rule_name micro_rules counter last_hit_time
------------ ------------ --------- ----------- ------- -------------
global Rule1 1 10 1413898646


tmctl -w120 fw_staged_rule_stat
context_type context_name rule_name micro_rules counter last_hit_time
------------ --------------- --------- ----------- ------- -------------
virtual /Common/VS4_TCP Rule1 1 0 0

Fix:
Counters for staged ACL rules now increment even when a match at a broader context is enforced. For example, a staged ACL rule in a policy assigned to a Virtual Server will now have policy counters increment even if an enforced policy assigned at the Global or Route Domain context matches.


485771-1 : TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.

Component: Advanced Firewall Manager

Symptoms:
Critical system failure due to TMM process restarting.

Conditions:
The following conditions may suffice to trigger the TMM crash:

An AFM rule match triggers an iRule execution with multiple FLOW_INIT events, and one of the events causes the connection to be aborted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
A crash bug when executing multiple FLOW_INIT events has been fixed.


485764-5 : WhiteHat vulnerability assessment tool is configured but integration does not work correctly

Component: Application Security Manager

Symptoms:
When the WhiteHat vulnerability assessment tool is configured on an already existing policy, the response headers needed for full integration are not added to traffic.

Conditions:
The WhiteHat vulnerability assessment tool is configured on an already existing policy.

Impact:
Proper response headers are not added to traffic to integrate fully.

Workaround:
This issue has no workaround at this time.

Fix:
The system now adds correct response headers to traffic after the WhiteHat vulnerability assessment tool is configured.


485760-1 : Tag <NameIDFormat> in SAML metadata may contain wrong attributes

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as a SAML IdP, the SAML metadata might contain an invalid NameIDFormat element, for example:

<NameIDFormat Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="0" isDefault="true">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

Conditions:
BIG-IP is used as IdP.
SAML Artifact Resolution Service is not configured.

Impact:
Metadata could fail to be imported to external Service Providers.

Workaround:
Manually correct metadata.
E.g. replace this:
"<NameIDFormat Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="0" isDefault="true">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>"

with this:

"<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>"

Fix:
Issue where SAML metadata Tag NameIDFormat would contain invalid information under certain conditions is now fixed.


485702-4 : Default SNMP community 'public' is re-added after the upgrade

Component: TMOS

Symptoms:
If the SNMP default community (public) has been removed from the configuration, and a new version of the software is installed, the default community will be added to the new configuration.

Impact:
The impact of this issue is that the SNMP default community will be added to the new configuration.

Workaround:
After upgrading to versions after 11.4.0, delete the default 'public' community again.

Fix:
The default community string 'public' is no longer added to the SNMP configuration on upgrade if it had been deleted in the previous software configuration.


485472-3 : iRule virtual command allows for protocol mismatch, resulting in crash

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command allows for protocol mismatch.

Conditions:
A virtual server with an iRule which leverages the 'virtual' command targeting a virtual server that differs in protocol. For example, a UDP virtual server targeting a TCP virtual server.

Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.

Workaround:
This is the result of a misconfiguration. Modify iRules to ensure L4 protocols match between virtual servers.

Fix:
Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch.


485465-3 : TMM might restart under certain conditions when executing SLO.

Component: Access Policy Manager

Symptoms:
TMM may restart when Single Logout (SLO) request/response contains an invalid 'Issuer' attribute.

Conditions:
SLO is configured on BIG-IP as SP or IdP.
SLO request or response is received from SP/IdP for which there is no current session.

Impact:
TMM restarts.

Workaround:
Disable SLO.

Fix:
The system now handles Single Logout (SLO) response/request so that TMM no longer restarts.


485396 : Online help about persistent cookies does not specify supported use

Component: Access Policy Manager

Symptoms:
Online help for creating an access profile and for creating SSO/Auth Domains does not specify that persistent cookies are supported only in an LTM-APM configuration.

Conditions:
Online Help

Impact:
Help page is unclear.

Fix:
Online help has been updated to clarify the use of persistent cookies for SSO Across Authentication Domains. Persistent cookies are supported only when a session is started using an LTM-APM access profile type.


485355-3 : Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)

Component: Access Policy Manager

Symptoms:
Click-to-Run Office 2013 applications fail to start inside Microsoft Windows Protected Workspace without any error message.

Conditions:
The Click-to-Run version of Office 2013 is used under PWS.

Impact:
The Click-to-Run version of Office 2013 does not work inside PWS.

Workaround:
To work around the problem, use the full installation of Office 2013.

Fix:
Click-to-Run Office 2013 applications can start inside Microsoft Windows Protected Workspace (PWS) now.


485352-1 : TMM dumps core file when loading configuration or starting up

Component: TMOS

Symptoms:
TMM dumps core file when configuration file is being loaded or when TMM is starting up.

Conditions:
This error happens when there is no APM license installed.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The system now correctly handles configuration load when there is no APM license.


485253 : Enable directory protection

Component: Fraud Protection Services

Symptoms:
PATH_INFO feature does not support any directory protection.

Conditions:
A directory without a dot ('.') in its name is configured as a protected URL with the PATH_INFO feature turned on.

Impact:
The configured directory contents are not protected.

Workaround:
Only directories with a dot ('.') in their name can be configured as protected with the PATH_INFO feature turned on.

Fix:
Enabled protection on a complete directory of protected URLs.


485251-1 : AVR core which includes tmstat backtrace

Component: Application Visibility and Reporting

Symptoms:
Due to a synchronization problem in AVR, some tmstat data (relevant to AVR only) becomes corrupted.
This corruption can cause AVR to core.

Conditions:
Provision AVR.

Impact:
This bug causes AVR to core.

Fix:
The synchronization problem has been fixed.


485202-1 : LDAP agent does not escape '=' character in LDAP DN

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP 11.6.0, session variables may have modifiers when used in configuration, such as:
%{session.logon.last.ldap.dn:ldapdn}

With session variable modifier "ldapdn", the resultant value should be escaped by LDAP DN rules. The rules include an equals (=) character which should be escaped, but it is not.

Conditions:
LDAP session variable that contains LDAP DN is used in configuration with "ldapdn" session variable modifier.

Impact:
The impact depends on how the session variable with the "ldapdn" modifier is used in the configuration.

Workaround:
It is possible to escape '=' character using the Variable Assign agent before using that session variable with the modifier in other configurations.

Fix:
Now the session variable modifier "ldapdn" escapes the equal sign (=) character as well as other characters that require escaping.


485189-3 : TMM might crash if unable to find persistence cookie

Component: Local Traffic Manager

Symptoms:
TMM might crash and generate a core if unable to find persistence cookie.

Conditions:
Although specific conditions for this issue are unknown, it is possibly due to having a virtual with cookie persistence enabled and iRules that disable persistence.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM now verifies that a persistence cookie was successfully found before extracting it from HTTP responses.


485188-1 : Support for TLS_FALLBACK_SCSV

Component: Local Traffic Manager

Symptoms:
A certain class of SSL attacks using weaker protocol versions is possible.

Conditions:
N/A

Impact:
N/A

Fix:
When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.

For more information, see SOL16935: Support for the TLS Fallback SCSV
https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16935.html
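As an added example (not F5 code, and not how TMM implements it), the server-side rule from RFC 7507 that the fix describes: if the ClientHello cipher suite list carries TLS_FALLBACK_SCSV (0x5600) and client_version is below the highest version the server supports, the server answers with a fatal inappropriate_fallback alert (86). The ClientHello builder with its zero random and empty session_id is a constructed test fixture; the parser reads only the fields up to cipher_suites.

```python
# Added example (not F5 code): the RFC 7507 TLS_FALLBACK_SCSV check on the
# server side, applied to a ClientHello handshake body.
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signaling cipher suite value
INAPPROPRIATE_FALLBACK = 86         # RFC 7507 fatal alert description
TLS_NAMES = {0x0300: 'SSLv3', 0x0301: 'TLS 1.0', 0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2'}


def build_client_hello(client_version: int, cipher_suites) -> bytes:
    """Constructed ClientHello body (no record or handshake headers):
    client_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2> compression."""
    suites = b''.join(struct.pack('!H', s) for s in cipher_suites)
    return (struct.pack('!H', client_version) + bytes(32)   # fixed zero random (test fixture)
            + b'\x00'                                       # empty session_id
            + struct.pack('!H', len(suites)) + suites
            + b'\x01\x00')                                  # compression_methods: null only


def parse_client_hello(body: bytes):
    """Return (client_version, [cipher suite codes]) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError('truncated ClientHello')
    client_version, = struct.unpack('!H', body[:2])
    pos = 34 + 1 + body[34]                 # skip random and session_id
    if pos + 2 > len(body):
        raise ValueError('truncated cipher_suites length')
    cs_len, = struct.unpack('!H', body[pos:pos + 2])
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len > len(body):
        raise ValueError('bad cipher_suites vector')
    suites = [struct.unpack('!H', body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def fallback_scsv_check(body: bytes, server_max_version: int):
    """Apply the RFC 7507 server rule. Returns (alert_description_or_None, reason)."""
    client_version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return INAPPROPRIATE_FALLBACK, (
            'client offered %s with fallback SCSV but server supports %s'
            % (TLS_NAMES.get(client_version, hex(client_version)),
               TLS_NAMES.get(server_max_version, hex(server_max_version))))
    return None, 'continue handshake'


if __name__ == '__main__':
    hello = build_client_hello(0x0301, [0x002f, TLS_FALLBACK_SCSV])
    print(fallback_scsv_check(hello, 0x0303))       # downgraded retry: fatal alert 86
    print(fallback_scsv_check(hello, 0x0301))       # TLS 1.0 really is the server max: proceed
```

A client that legitimately speaks only TLS 1.0 never sets the SCSV on its first attempt, so it is unaffected; only a retry that downgraded after a failed higher-version handshake carries the marker, and that is exactly the case the server refuses.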


485182-2 : wom_verify_config does not recognize iSession profile in /Common sub-partition

Component: Wan Optimization Manager

Symptoms:
wom_verify_config does not recognize an iSession profile in a /Common sub-partition.

Conditions:
iApps creates some objects (virtual, profiles) under /Common/DMZPrimary.vysbank.com.app/. These objects are invisible to wom_verify_config.

Impact:
wom_verify_config cannot verify the system configuration.

Fix:
The wom_verify_config now recognizes objects in sub-partitions.


484948-1 : UDP connflow may be aborted from a parked iRule in server_closed.

Component: Local Traffic Manager

Symptoms:
Some UDP idle flows will abort a parked iRule after the UDP idle timeout.

Conditions:
Conditions leading to this issue include:
1) A UDP virtual configured to drop the connection on response.
2) A client_closed and server_closed iRule that stays parked for a long time.
3) The flow on the virtual expires (UDP idle timeout) while the iRule is parked.

Impact:
The iRule aborts, which impacts performance. The user cannot keep an accurate per-client connection count using iRules.

Workaround:
Setting the idle timeout to different values on the client and server sides makes this happen much less frequently.

Fix:
Resolved the double invocation of functions that caused the iRule to abort.


484861-5 : A standby-standby state can be created when auto failback acts in a CRC disagreement scenario

Component: TMOS

Symptoms:
A standby-standby state can occur after a failback if there is a CRC disagreement between peers.

Conditions:
HA pair using auto failback. There must be a CRC disagreement between peers. The failback preferred system must have a lower traffic group score than its peers. NOTE: CRC disagreements may lead to other issues and the customer is strongly advised to sync the devices to remove the disagreement.

Impact:
This is a site-down situation, as all the objects in the traffic group become unreachable.

Workaround:
Sync devices to remove the CRC disagreement.

Fix:
Ensure that the preferred system goes active after auto failback, even if its traffic group score is lower than that of its peers.


484856-1 : Citrix remote desktop visible even if the user cannot access it

Component: Access Policy Manager

Symptoms:
When a remote desktop has auto logon enabled and has no resources assigned for the user, its folder icon is still visible from APM webtop.

Conditions:
This occurs with APM Citrix XML Broker integration with a dynamic webtop, when users are configured not to use the desktop.

Impact:
These users can see the remote desktop.

Fix:
Now when a remote desktop has auto logon enabled and has no resources assigned for the user, its folder icon is hidden from APM webtop.


484847-2 : DTLS cannot be disabled on Edge Client for troubleshooting purposes

Component: Access Policy Manager

Symptoms:
There is no client side option to disable DTLS. This option can be very useful in troubleshooting client connectivity issues.

Conditions:
It is required to debug DTLS versus TLS connections.

Impact:
Troubleshooting connectivity issues becomes difficult.

Workaround:
Disable DTLS on server side.

Fix:
Now you can add new registry keys and use them to disable DTLS on both BIG-IP Edge Client and browsers. Using these keys, you can disable DTLS on a particular client without changing the BIG-IP system configuration.

To disable DTLS on a client machine:
Create a registry DWORD value (both keys are valid for x64 and x86 systems):
HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
or
HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
and set it to 0.


484733-4 : aws-failover-tgactive.sh doesn't skip network forwarding virtuals

Component: TMOS

Symptoms:
When there are forwarding virtual servers with SNATs defined in the configuration, the reassignment of IP addresses for virtual servers does not happen correctly in Amazon Web Services (AWS).

Conditions:
Forwarding virtual servers with SNATs defined.

Impact:
HA failover is impacted.

Fix:
The reassignment of IP addresses for forwarding virtual servers with SNATs defined in the configuration now occurs as expected in Amazon Web Services (AWS).


484706-2 : Incremental sync of iApp changes may fail

Component: TMOS

Symptoms:
Incremental sync of the deletion of an iApp instance may fail, with the error message indicating that certain objects owned by the application are still in use. Alternatively, child objects that should have been deleted when reconfiguring an iApp instance may remain on peer devices after incremental sync has completed.

Conditions:
Incremental sync of the deletion of an iApp instance. Incremental sync of deleting a child object, if the iApp implementation script creates the parent object without child objects, and then separately adds the replacement child objects.

Impact:
An attempt to delete an iApp may cause a sync failure. An attempt to reconfigure an iApp without a previously existing child object (pool member, etc.) may cause the object to continue to exist on peer devices.

Workaround:
Perform a full load sync (either the 'Overwrite Configuration' option on the Device Management Overview page, or temporarily setting the device group to full load only); the sync operation then completes successfully.

Fix:
Incremental sync of the deletion of an iApp instance now completes successfully. Incremental sync of iApp changes, where the iApp template creates a parent object separately from child objects, now syncs correctly.


484635-1 : OpenSSL DTLS SRTP Memory Leak CVE-2014-3513, OpenSSL vulnerability CVE-2014-3567, and OpenSSL vulnerability CVE-2014-3568.

Vulnerability Solution Article: K15722


484582-2 : APM Portal Access is inaccessible.

Component: Access Policy Manager

Symptoms:
APM Portal Access is inaccessible.

Conditions:
One of the sessions reaches 64 KB of Portal Access application cookie storage.

Impact:
The rewrite plugin crashes and APM Portal Access becomes inaccessible. Shortly afterward, the plugin crashes with a '*** glibc detected ***' memory-corruption message. The rewrite daemon log contains the following line:
- notice rewrite - cookie.cpp:543 : updateCookieSessionStore : expiring cookie ...

Workaround:
None.

Fix:
The rewrite plugin no longer crashes when Portal Access application cookies require more than 32 KB of storage.


484534-4 : Interface STP state stays 'blocked' when the interface is added to STP while disabled

Component: TMOS

Symptoms:
When two interfaces are disabled and added to Spanning Tree Protocol (STP) in the VLAN configuration, the second interface stays in 'blocked' STP state.

Conditions:
At least two interfaces exist in disabled state, added to STP.

Impact:
The blocked port does not send out data.

Workaround:
If the STP flag is disabled and re-enabled on the blocked interface, after the port is enabled, the port STP status is re-evaluated to the correct state.

Fix:
Spanning Tree Protocol (STP) now checks for the disabled state of the port before adding it as an STP member.


484483-2 : TCP and UDP were classified as Unknown by the classification library

Component: Traffic Classification Engine

Symptoms:
When traffic did not map to any of the supported Application Layer protocols/services, it was classified as Unknown, which is misleading and does not provide enough granularity.

Conditions:
Traffic does not map to any of the supported Application Layer protocols.

Impact:
Misleading classification results.

Fix:
Instead of classifying such traffic as Unknown, the classification library now tags flows as TCP or UDP, depending on the type of traffic seen.


484454-3 : Users not able to log on after failover

Component: Access Policy Manager

Symptoms:
Users fail the access policy check after failover happens. The command 'configdump -allkeys' does not display any entry for the access profile.

Conditions:
The issue will show up after the following events:
1. TMM on the active node restarts or crashes, and the node becomes standby.
2. TMM and APD restart. APD re-creates config snapshots in the SessionDB.
3. The snapshots just created get deleted.
4. Failover happens again and the node becomes active.
5. Users fail to log on.

Impact:
Users cannot log on.

Workaround:
Run 'bigstart restart apd' to re-create config snapshots.

Fix:
APM checks config snapshots periodically and recreates them if any are missing.


484453-6 : Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)

Component: TMOS

Symptoms:
When the log filter is configured to filter at the 'Informational' log level, the logs can get filled with 'client /var/run/lopd.chmand.lopuns already registered' messages when registering with either the Lights Out Processor daemon (lopd) or the CAN daemon (cand). These messages appear in the log every two seconds on systems with lopd, or every 20 seconds on systems with cand.

Conditions:
This occurs when using a remote syslog logging filter with the 'Severity' field set to 'Informational'.

Impact:
Logs fill with messages. These messages are related to communication with the Lights Out Processor daemon (lopd) or with the CAN daemon (cand), and are completely benign, so you can safely ignore them.

Workaround:
Change the remote syslog logging level to 'Notice'.

Fix:
Reduced the log level for registering with the LOP (lights out processor) and CAN daemon (cand) to the debug level.


484429-4 : After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages that it could not load a key, certificate, or chain.

Component: Local Traffic Manager

Symptoms:
After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages about loading a key, certificate, or chain.

Conditions:
A certificate and/or key referenced by an SSL profile are deleted and then recreated, and then that is synchronized (via a full sync, not an incremental sync) to peer devices.

Impact:
In 11.5.0 and later, this message indicates an issue that impacts traffic to affected virtual servers:
01260000:2: Profile /Common/otters: could not load key/certificate.
In versions earlier than 11.5.0, these messages can safely be ignored:
-- 01260000:2: Profile /Common/otters-ssl: could not load key file.
-- 01260000:2: Profile /Common/otters-ssl: could load neither certificate nor chain file

Fix:
TMM still logs critical-level messages, but the system functions properly and traffic is not affected.


484399-2 : Virtual Edition second installation slot and VMWare

Component: TMOS

Symptoms:
You cannot install TMOS on the 2nd slot of the BIG-IP VE 11.5.1 LTM-only image for VMware.

Conditions:
The LTM-only BIG-IP VE deployed on VMware.

Impact:
Inconvenience. As a workaround, you must manually delete the 2nd slot and then do the installation.

Workaround:
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh install sys software image BIGIP-11.6.0.0.0.401.iso volume HD1.2
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh show sys software

-------------------------------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
-------------------------------------------------------------------------------------------
HD1.1 BIG-IP 11.6.0 0.0.401 yes complete
HD1.2 BIG-IP 11.6.0 0.0.401 no failed (Disk full (volume group). See SOL#10636)

[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh delete sys software volume HD1.2
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh show sys software

---------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
---------------------------------------------------------------------
HD1.1 BIG-IP 11.6.0 0.0.401 yes complete
HD1.2 BIG-IP 11.6.0 0.0.401 no failed to delete volumeset

[root@cblee_11:LICENSE EXPIRED:Standalone] images # reboot

# Login again:

[root@cblee_11:LICENSE EXPIRED:Standalone] config # tmsh show sys software

---------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
---------------------------------------------------
HD1.1 BIG-IP 11.6.0 0.0.401 yes complete

[root@cblee_11:LICENSE EXPIRED:Standalone] config # cd /shared/images
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh install sys software image BIGIP-11.6.0.0.0.401.iso volume HD1.2 create-volume
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh show sys software
---------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
---------------------------------------------------
HD1.1 BIG-IP 11.6.0 0.0.401 yes complete
HD1.2 BIG-IP 11.6.0 0.0.401 no complete

Fix:
OVA will only create 1 slot and leave the remaining disk space free.


484305-2 : Clientside or serverside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
Any parking iRule command used inside clientside or serverside crashes TMM.

Conditions:
Parking command used inside clientside or serverside.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Check whether the parking command really needs to run inside clientside/serverside; if not, move the command outside.

Fix:
TMM no longer crashes when an iRule executes a parking command inside a 'clientside' or 'serverside' context-switching command.


484298-2 : The aced process may restart in a loop

Component: Access Policy Manager

Symptoms:
The aced process may restart in an infinite loop if a parent process cannot start.

This can result in a user not being able to log in using their valid SecurID credentials.

You may notice repeated "re-starting aced" messages in the log file.

Conditions:
If a parent process dies, the child process may hold server port 60000. If this occurs, the new parent process cannot start.

Impact:
RSA SecurID authentication fails.

Fix:
Now the aced process behaves as expected: a child process never listens on the server port.


484278-4 : BIG-IP crash when processing packet and running iRule at the same time

Component: Policy Enforcement Manager

Symptoms:
The BIG-IP system sometimes crashes if it is processing packets and iRules at the same time.

Conditions:
Conditions leading to this issue include having iRule scripts and processing iRule tasks, and processing incoming traffic along with the iRule tasks.

Impact:
The BIG-IP system crashes intermittently.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the iRule processing problem that caused the BIG-IP system to crash while processing incoming packets.


484245-1 : Delete firewall rule in GUI changes port settings in other rules to 'any'

Component: Advanced Firewall Manager

Symptoms:
Using the GUI to delete a network firewall rule causes a change to other rules that specify ports.

Conditions:
This occurs when using the GUI to delete a firewall rule, and there are other rules that are limited to specific ports.

Impact:
The port changes to 'any' in all network firewall rules that specify ports. For example, any firewall rules that match traffic on port '80' change to match on port 'any' when this issue occurs.

Workaround:
Use tmsh, iControl, or BIG-IQ to manage firewall rules. Use port lists instead of specifying ports directly; a list may contain a single port.

Fix:
Using the GUI to delete a rule no longer changes ports specified in other rules to 'any.'


484214-2 : Nitrox queue gets stuck when processing certain SSL records

Component: Local Traffic Manager

Symptoms:
During decryption, the Nitrox queue gets stuck when processing certain SSL records.

Conditions:
A Nitrox device is used to decrypt SSL records.

Impact:
The Nitrox device queue gets stuck.

Fix:
The system now ensures the SSL record is not malformed before sending it to Nitrox for decryption.


484095-1 : RADIUS accounting message with multiple IPv6 prefix causes TMM crash

Component: Policy Enforcement Manager

Symptoms:
When a RADIUS Accounting message contains multiple Framed-IPv6-Prefix AVPs, all AVPs except the first are parsed incorrectly, which in some cases leads to a tmm crash with core.

Conditions:
RADIUS Subscriber discovery is enabled in PEM.
RADIUS Accounting message contains multiple Framed-IPv6-Prefix AVPs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To add multiple IPv6 prefixes to a single PEM session, use multiple RADIUS Accounting messages, each containing a single Framed-IPv6-Prefix AVP.
The tmm.pem.session.provisioning.continuous sys db variable should be set to true.

Fix:
Fixed the TMM crash; RADIUS Accounting messages with multiple IPv6 prefixes are now parsed correctly.


484079-1 : Change to signature list of manual Signature Sets does not take effect.

Component: Application Security Manager

Symptoms:
When the signature list of a manual Attack Signature Set is modified, the change does not affect enforcement or remote logging.

Conditions:
The signature list of a manual Attack Signature Set is modified (with no other change to the Signature Set).

Impact:
The change does not take effect in signature enforcement or remote logging.

Workaround:
Make any spurious change to the signature set (such as unchecking and re-checking 'Assign to Policy by Default'), or unassign and reassign the signature set to the affected policy.

Fix:
When the signature list of a manual Attack Signature Set is modified, enforcement and remote logging are now updated correctly.


484020 : If Identify as Username is enabled for a parameter, the Encrypt checkbox is not grayed out.

Component: Fraud Protection Services

Symptoms:
If "Identify as Username" is enabled for a parameter in URL Properties under FPS Profile, the "Encrypt" checkbox is not grayed out.

Conditions:
Provision and license FPS.

Impact:
Application Encryption may not work properly when selecting the Encrypt checkbox.

Workaround:
Use tmsh.

Fix:
If Identify as Username is enabled for a parameter, the Encrypt checkbox becomes grayed out. This is correct behavior.


484013-4 : tmm might crash under load when logging profile is used with packet classification

Component: Advanced Firewall Manager

Symptoms:
When tmm is under heavy load it may run out of memory and crash under certain conditions.

Conditions:
This occurs when the following conditions are met:
1. Packet classification is enabled.
2. Security logging profile is used with 'log translation fields' option enabled.
3. Fast flow forwarding is enabled on forwarding virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To work around this, do one of the following:
-- Disable 'log translation fields' in the security logging profile.
-- Disable fast flow forwarding.

Fix:
This fixes a memory leak that occurred when TMM was overloaded and forwarding flows to the peer, with packet classification enabled and 'log translation fields' enabled in the logging profile.


483974-2 : Unrecognized EDNS0 option may be considered malformed.

Component: Local Traffic Manager

Symptoms:
An unrecognized EDNS0 option may be considered malformed, and the query dropped by the BIG-IP system.

Conditions:
A client sends queries with a non-standard EDNS0 option code, and the BIG-IP system is configured with a DNS profile.

Impact:
All queries containing an unrecognized option code are dropped. The EDNS0 RFC says unrecognized options MUST be ignored.

Workaround:
To work around this issue, write an iRule that parses the binary UDP payload and removes the option from the EDNS0 record.

Fix:
Unrecognized DNS EDNS0 options are now ignored.
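An added example, not F5 code, of the difference between the two behaviours described in this entry. It walks the RDATA of an OPT pseudo-RR (a sequence of OPTION-CODE, OPTION-LENGTH, OPTION-DATA triples), and contrasts a parser that treats an unknown option code as malformed with one following RFC 6891, which ignores unknown codes and drops only on structural damage (a truncated header or a length running past the end of the RDATA). The set of "known" codes and the option code 65001 (in the range reserved for local and experimental use) are constructed for the example.

```python
# Added example (not F5 code): parsing EDNS0 OPT RDATA and showing why an
# unknown option code must not be treated as a malformed record.
import struct

# Option codes this toy parser acts on (subset of the IANA EDNS0 registry).
KNOWN_OPTIONS = {3: 'NSID', 8: 'EDNS-Client-Subnet', 10: 'COOKIE'}


def build_opt_rdata(options) -> bytes:
    """Serialize (code, data) pairs as OPT RDATA: OPTION-CODE(2) OPTION-LENGTH(2) OPTION-DATA."""
    return b''.join(struct.pack('!HH', code, len(data)) + data for code, data in options)


def parse_opt_rdata(rdata: bytes):
    """Walk the OPT RDATA and return [(code, data)].
    Raises ValueError only for structural damage, never for an unknown code."""
    options, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError('truncated option header at offset %d' % pos)
        code, length = struct.unpack('!HH', rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError('option %d length %d runs past end of RDATA' % (code, length))
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def classify_before_fix(rdata: bytes) -> str:
    """Behaviour described under Symptoms: an unknown code is handled like a malformed record."""
    try:
        options = parse_opt_rdata(rdata)
    except ValueError:
        return 'drop: malformed'
    if any(code not in KNOWN_OPTIONS for code, _ in options):
        return 'drop: malformed'
    return 'accept'


def classify_after_fix(rdata: bytes) -> str:
    """RFC 6891 behaviour: unknown codes are ignored; only structural damage drops the query."""
    try:
        parse_opt_rdata(rdata)
    except ValueError:
        return 'drop: malformed'
    return 'accept'


def recognized_options(rdata: bytes):
    """Names of the options the parser acts on; unknown codes are skipped silently."""
    return [KNOWN_OPTIONS[code] for code, _ in parse_opt_rdata(rdata) if code in KNOWN_OPTIONS]


if __name__ == '__main__':
    # Constructed RDATA: NSID request plus an experimental-range option 65001.
    rdata = build_opt_rdata([(3, b''), (65001, b'\x01\x02')])
    print('before fix:', classify_before_fix(rdata))
    print('after fix: ', classify_after_fix(rdata), recognized_options(rdata))
    print('truncated: ', classify_after_fix(rdata[:-1]))
```

Dropping on unknown codes is a real availability problem because new options are deployed by clients before every middlebox learns them; the RFC rule lets the query through while the length checks still reject genuinely damaged records.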


483798-1 : TMM crashes if iRule PSC::ip_address is used after RADIUS Authentication of DHCP discovery.

Component: Policy Enforcement Manager

Symptoms:
Using the iRule command PSC::ip_address can cause a TMM crash after RADIUS authentication of DHCP discovery is conducted.

Conditions:
1. Configure DHCPv4-based subscriber discovery in Relay mode.
2. Configure RADIUS Authentication for DHCPv4 profile.
3. Use the PSC::ip_address command in an iRule on the RADIUS Authentication virtual server.
4. Initiate RADIUS authentication process.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed the crash that occurred when PSC::ip_address was used with the RADIUS authentication process.


483792-5 : When iSession control channel is disabled, do not assign app tunnel, MSRDP, or optimized tunnel resources

Component: Access Policy Manager

Symptoms:
Customers run into iSession-related issues.

Conditions:
This happens when APM has been running.

Impact:
Some Network Access resources may not run properly when the iSession control channel is disabled.

Workaround:
None

Fix:
When the iSession control channel is disabled through the db variable, some Network Access resources, including App tunnel, Microsoft RDP, and optimized tunnel resources, are not assigned to the session.


483762-3 : Overlapping vCMP guest MAC addresses

Component: TMOS

Symptoms:
Intermittent traffic disruptions such as unexpected resets and drops may occur as the result of MAC address conflicts between vCMP guests on an affected hypervisor and/or conflict with other F5 devices with adjacent MAC address ranges.

Conditions:
MCPD has restarted on a vCMP hypervisor, and vCMP guest instances with more than 2 VLANs are deployed after the MCPD restart.

Impact:
Intermittent traffic disruptions such as unexpected resets and drops.

Workaround:
1. Restart vCMPD on the hypervisor.
2. Re-deploy the vCMP guest by setting it to "Configured", then "Deployed" again. Note that you need to set it to "Configured", not "Provisioned".

Fix:
MAC address conflicts no longer occur between vCMP guests when the vCMP hypervisor is running a fixed version.

If a vCMP guest running a fixed version detects that the hypervisor has provided an invalid set of MAC addresses, the guest will log an error similar to
err chmand[28121]: 012a0003:3: unexpected init failure : VcmpPlatform: MAC pool size from hypervisor is zero
crit chmand[28121]: 012a0002:2: critical platform initialize failure. exiting...
and not start.


483751-1 : Internal objects can have load failures on restarted blades

Component: TMOS

Symptoms:
If the primary blade of a chassis is reset, once it rejoins the cluster as a secondary, its configuration may fail to load with errors like the following:

01070088:3: The requested object name (/Common/default-eviction-policy) is invalid.
01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
01070734:3: Configuration error: MCPProcessor::check_initialization:
01070734:3: Configuration error: URL category (/Common/Abortion) cannot be deleted. It is being used by a URL filter.

Conditions:
This only affects chassis.

Impact:
mcpd will not finish startup unless the workaround steps are performed.

Workaround:
Log in to the affected blade, remove the binary database (/bin/rm -v /var/db/mcp*), and restart all services on the blade (bigstart restart).

Fix:
Formerly, if the primary blade of a chassis was reset, once it rejoined the cluster as a secondary, its configuration might fail to load with errors like the following:

01070088:3: The requested object name (/Common/default-eviction-policy) is invalid.
01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
01070734:3: Configuration error: MCPProcessor::check_initialization:
01070734:3: Configuration error: URL category (/Common/Abortion) cannot be deleted. It is being used by a URL filter.

The system will now load successfully and not hit this error.


483719-2 : vlan-groups configured with a single member VLAN result in memory leak

Component: Local Traffic Manager

Symptoms:
If a vlan-group contains only a single member VLAN, tmm begins to leak memory as observed in 'tmctl memory_usage_stat'.

Conditions:
Configure a vlan-group with a single member VLAN.

Impact:
Continuous memory leaks might eventually result in traffic disruptions.

Workaround:
Remove vlan-groups containing a single member VLAN, or configure at least two member VLANs per vlan-group.

Fix:
Single-member vlan-groups no longer leak memory.


483699-1 : No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list

Component: TMOS

Symptoms:
After uploading a file to the system and creating the iFile object, the user is unable to access the object.

Conditions:
Uploading a file to the system and creating the iFile object.

Impact:
The system posts a No Access error, and the user is unable to access the iFile object.

Workaround:
This issue has no workaround at this time.

Fix:
Accessing an iFile object in Local Traffic :: iRules : iFile list now works correctly and no longer produces a No Access error.


483683-3 : MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error

Component: TMOS

Symptoms:
"Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error on secondary blades when starting up. When this happens, MCP is left in a bad state and several issues (not obviously related to this error) can occur.

Conditions:
Only occurs on a chassis system, and only on secondary blades.

Impact:
This error is the precursor to bad behavior on the system. The exact issues seen are hard to quantify, as they vary depending on what state MCP's database is in when the exception is thrown.

Fix:
Added code to catch exceptions in rm_DBLowHighWide. We now delete the binary MCP database when an exception is caught, and restart MCP. This restart without a binary database bypasses rm_DBLowHighWide and allows the secondary MCP to receive its configuration from the primary MCP.


483665-2 : Restrict the permissions for private keys

Component: Local Traffic Manager

Symptoms:
Use security best practices for keys on BIG-IP.

Impact:
Keys are protected according to industry best practices.

Fix:
The permissions for SSL keys are more restricted.


483601 : APM sends a logout page for a bookmarked Access whitelist URL when the session has expired.

Component: Access Policy Manager

Symptoms:
You see a logout page for a bookmarked APM whitelist URL after the session has expired.

Conditions:
This occurs if the user has bookmarked an APM whitelist entry and tries to access the bookmarked URL after some time, once the Access session has expired.

Impact:
The user sees a logout page instead of a logon page to revalidate.

Workaround:
This issue has no workaround at this time.

Fix:
If a session had expired and a request was made to an Access whitelist URL with query parameters, APM did not handle the case properly and sent a logout page. APM now enables the user to revalidate by starting the Access policy again.


483539-1 : With fastL4, incorrect MSS value might be used if SYN has options without MSS specified

Component: Local Traffic Manager

Symptoms:
Because of the incorrect MSS value, the outgoing packet attempts to use TSO when it should not, which can cause TMM to core.

Conditions:
A virtual using fastL4 where a SYN packet with options is received, but the SYN packet does not contain an MSS option.

Impact:
If this issue occurs, TMM cores, resulting in a failover/reboot of the system.

Workaround:
None.

Fix:
The correct MSS value is now used when SYN has options without MSS specified, so TMM no longer cores.


483526-1 : Rarely seen Edge Client for Mac crash on session disconnect

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client crashed a couple of times in persistent testing on session disconnect.

Conditions:
Long persistent connection to APM.

Impact:
Edge Client crashes on session disconnect, but restarting Edge Client works fine.

Workaround:
To work around the problem, restart Edge Client for Mac.

Fix:
BIG-IP Edge Client for Mac now gracefully handles session disconnect on long-lived persistent connections.


483501-1 : Access policy v2 memory leak during object deletion in tmm.

Component: Access Policy Manager

Symptoms:
A small memory leak every time a per-request access policy is deleted.

Conditions:
If the access policy was deleted before 'execute_access_policy' released the reference count, the access policy was deleted even though it was still being used by a session.
If the access policy was deleted when it was not being used by any session, the access policy was not getting deleted.

Impact:
A small memory leak every time a per-request access policy is deleted.

Workaround:
None

Fix:
1) In 'access_policy_add', increment the access policy reference count before adding the access policy to the global access policy hash table.
2) In 'release_access_policy', do not return 'access_policy->ref_count' at the end of the function. The 'access_policy' could have been deleted and freed by this point. The return value is not used, so no value is returned.


483436-1 : Update 11.5.0 license files for "hourly billing" with production licenses.

Component: TMOS

Symptoms:
You are unable to use non-production licenses for hourly billing purposes.

Conditions:
Cloud installations of BIGIP.

Impact:
Cloud installations of BIGIP.

Fix:
Updated the AWS license files.


483379-1 : High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes

Component: Access Policy Manager

Symptoms:
The Mac Edge Client has high CPU consumption and the menubar icon's interface becomes unresponsive after 20-30 minutes.

Conditions:
Mac Edge Client usage for 20-30 minutes.

Impact:
High CPU consumption and unresponsive menubar resource.

Fix:
An issue with BIG-IP Edge Client for Mac consuming high CPU and having an unresponsive menu icon on OS X 10.10 Yosemite is now fixed.


483353-1 : HTTP compression might cause TMM crash in low-memory conditions

Component: Local Traffic Manager

Symptoms:
TMM might crash in HTTP compression in low-memory conditions when unable to initialize the compression provider.

Conditions:
HTTP compression is configured and TMM is low on memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove HTTP compression from the virtual to avoid the issue.

Fix:
HTTP compression now gracefully handles failed compression provider initialization.


483328-4 : Client SSL profiles might fail to complete handshake, system logs critical-level error '01260000:2: Profile name-of-profile: could not load key/certificate'

Component: Local Traffic Manager

Symptoms:
- SSL (e.g., HTTPS) virtual servers fail to negotiate SSL handshake. Operations on the device stall (not immediately fail).
- At a packet capture level, the BIG-IP system acknowledges the Client Hello, but does not send a Server Hello.
- System logs critical-level messages similar to the following whenever a user or the system modifies a virtual server: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.

Conditions:
This issue might occur after an upgrade at the time of the initial ConfigSync; the device that receives the initial ConfigSync is likely to be affected. This issue might also occur if an administrator makes changes to certificates and keys referenced by an SSL profile (for example, deletes and recreates a certificate or key with the same name), and then performs a ConfigSync to the peer device; the peer device may be affected.

Impact:
All traffic to affected SSL virtual servers is disrupted.

Workaround:
After a device has been affected, restarting the affected TMMs resolves the issue. Note that restarting TMM temporarily disrupts traffic (or causes a failover). You can restart the TMMs by running 'bigstart restart tmm' on the affected appliance, or 'clsh bigstart restart tmm' on an affected VIPRION system.

Fix:
SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.


483286-3 : APM MySQL database full as log_session_details table keeps growing

Component: Access Policy Manager

Symptoms:
APM stores session reporting data in the "apm" MySQL database, in the log_session_details table, but never cleans it up. As a result the table grows continuously and eventually consumes all available disk space, potentially corrupting the SQL data and stopping services on the BIG-IP system that rely on MySQL.

Conditions:
This issue occurs when APM is provisioned and 350M APM sessions have been created over any period of time (each row in log_session_details consumes ~20 bytes).

Impact:
The MySQL volume (12G) fills with data, potentially stopping or degrading services on the box that rely on MySQL, including ASM, AVR, APM Reporting, the Web UI, and QkView.

Workaround:
The workaround is to manually clean up the log_session_details table in the MySQL database.

First, retrieve the randomly generated MySQL password for the box by running the following shell command as the root user. For example:

# perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw
PjL7mq+fFJ

where PjL7mq+fFJ is the random password generated at MySQL installation in this example. Use this password in the following clean-up command:

# /usr/bin/mysql -uroot -pPjL7mq+fFJ --database=apm -e "delete from log_session_details where active = 'N';"

This deletes all rows that belong to inactive sessions.


483228-3 : The icrd_child process generates core when terminating

Component: TMOS

Symptoms:
A race condition in the terminate handler of the icrd_child process causes it to crash and generate a core.

Conditions:
This is an intermittent issue that is caused by a race condition.

Impact:
This does not impact functionality, but the system posts messages to icrd log similar to the following: notice icrd: 5823,14414, RestServer, INFO, Connection idle too long fd:11.

Workaround:
None.

Fix:
This release fixes an intermittent race condition in the terminate handler of the icrd_child process, so the process no longer crashes and generates a core.


483104-3 : vCMP guests report platform type as 'unknown'

Component: TMOS

Symptoms:
vCMP guests report 'unknown' as platform type.

Conditions:
This occurs on vCMP guests.

Impact:
You will be unable to remotely determine exactly which platform is being monitored.

Workaround:
None.

Fix:
vCMP guests now report bigipVcmpGuest as platform type, which is correct behavior.


483020-1 : [SWG] Policy execution hang when using iRule event in VPE

Component: Access Policy Manager

Symptoms:
Using the iRule Event Visual Policy Editor (VPE) object causes the policy to hang. The event is started but never finishes.

Conditions:
This issue occurs when the iRule event is in the access policy.

Impact:
The access policy evaluation never finishes.

Workaround:
None.

Fix:
[SWG] Policy execution with the iRule event in place no longer hangs.


482943-1 : Cannot upgrade because of lack of root/admin access.

Component: TMOS

Symptoms:
Cannot upgrade because of lack of root/admin access.

Conditions:
Cloud deployments.

Impact:
Cannot upgrade.

Workaround:
None.

Fix:
Changed the internal access properties to support deploying updates to the Cloud.


482915-1 : Learning suggestion for the maximum headers check violation appears only for blocked requests

Component: Application Security Manager

Symptoms:
There are no learning suggestions for the Maximum headers sub-violation if the HTTP protocol compliance violation is in Alarm only (not in Blocking).

Conditions:
This occurs when HTTP compliance is in Alarm only (not in Blocking), the Maximum number of headers sub-violation is enabled, the request violates the maximum number of headers (which is not blocking), and no other violation in the request is blocking.

Impact:
There will not be a learning suggestion for this violation and no automated learning will happen for the number of headers.

Workaround:
This issue has no workaround at this time.

Fix:
Previously, manual learning of the sub-violation Maximum number of headers happened only for blocked requests. The system now produces learning suggestions for the Maximum number of headers sub-violation even if the HTTP protocol compliance violation is in Alarm only (not in Blocking).


482833 : apd crash for missing db variable

Component: Access Policy Manager

Symptoms:
apd crashes every time it starts.

Conditions:
apd always crashes.

Impact:
apd is not able to operate.

Fix:
The RPM file for bigdbd was missing from the rollup package file, so the new db variables were not exposed to the system. Whenever apd tried to access these db variables, it failed and crashed.
The issue is fixed by including the RPM file definition in rollup.package.inc.


482710-4 : SSLv3 protocol disabled in APM clients

Component: Access Policy Manager

Symptoms:
Clients configured to only support SSLv3 will fail to connect. Web login using clients configured to only support SSLv3 will fail.

Impact:
Clients should be configured to support TLS based ciphers.

Fix:
SSLv3 protocol is disabled in APM clients. All clients must connect using TLS based ciphers.


482699-4 : VPE displaying "Uncaught TypeError"

Component: Access Policy Manager

Symptoms:
VPE displays "Uncaught TypeError".

Conditions:
While editing in Chrome version 37 or later.

Impact:
Editing in the VPE on Chrome is very difficult.

Workaround:
Use a different browser.

Fix:
Visual policy editor works correctly on Google Chrome.


482442-5 : [GTM] [GUI] Changes to a single wideip Propagates to All WIPs

Component: Global Traffic Manager (DNS)

Symptoms:
When clicking to update a single wideip with any of the following changes, the changes propagate to all wideips:
"Description"
"State"
"IPv6 NoError Response",
"IPv6 NoError TTL",
"Load-Balancing Decision Log".

Conditions:
From GUI, disabling/enabling single wideip:
Global Traffic > Wide IPs > (click on any wideip) > Make the related changes > Click Update button

Impact:
When updating a single wideip, the change propagates to all wideips.

Workaround:
1. Use tmsh.
2. If modifying the wideip state, enable or disable the wideip from the wideip list page:
   - Global Traffic > Wide IPs > Select the wideip's check box > Click the Enable (or Disable) button

Fix:
State changes for wideips are now updated correctly when the "Update" button is clicked in the GUI wideip properties page.


482436-1 : BIG-IP processing of invalid SIP request may result in high CPU utilization

Component: Service Provider

Symptoms:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.

Conditions:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.

Impact:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.

Fix:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.


482434 : Possible performance degradation in AWS cloud

Component: TMOS

Symptoms:
Throughput and new connections per second might be up to 4 times slower in AWS for SR-IOV enabled instances.

Conditions:
This might occur when a BIG-IP virtual server is configured with a Standard profile.

Impact:
Performance is 3-to-4 times slower than the license limit: slow throughput and slow new connections per second.

Workaround:
If throughput performance is 3x-4x slower than the license limit for virtual servers with the 'Standard' profile, consider disabling interruptible sleep. To do so, run the following commands:
1. Set the appropriate DB variable to 0 (zero): setdb Scheduler.UnicAsleepRxLimit.LTM 0
2. Restart tmm: bigstart restart tmm

Fix:
Throughput and new connections per second are now comparable in AWS between SR-IOV enabled instances and other instances.


482373-3 : Can not delete and re-create a new virtual server that uses the same virtual address in the same transaction

Component: TMOS

Symptoms:
A create followed by a delete of a virtual server in a transaction fails.

Conditions:
A virtual server must be deleted in the same transaction as another virtual server being created where both share the same destination address. This applies to operations performed via iControl REST and tmsh.

Impact:
Transaction may fail

Workaround:
Use create and delete in separate transactions.

Fix:
Transactions where virtual servers are deleted and re-created with the same virtual IP address will now complete successfully.


482269-1 : APM support for Windows 10 out-of-the-box detection

Component: Access Policy Manager

Symptoms:
APM does not support out-of-the-box detection for Windows 10 in visual policy editor configuration.

Conditions:
Windows 10, APM

Impact:
Windows 10 cannot be detected in visual policy editor rules.

Fix:
APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as Client OS and Client Type.


482266-3 : Windows 10 support for Network Access / BIG-IP Edge Client

Component: Access Policy Manager

Symptoms:
Connection fails with "Network Access Connection Device was not found." message.

Conditions:
1. Clean installation of Windows 10 (not upgrade)
OR
2. Windows has been upgraded from previous version of Windows OS and it did not have NA driver installed.

Impact:
Users running Windows 10 cannot establish a VPN connection.

Fix:
Users running on Windows 10 running the BIG-IP Edge Client will no longer see a "Network Access Connection Device was not found." error message.


482260-4 : Location of Captive portal configuration registry entry in 64 bit windows is incorrect

Component: Access Policy Manager

Symptoms:
Captive portal detection configuration in BIG-IP Edge Client does not work as intended on 64-bit Windows-based platforms.

Changing HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\DisableCaptivePortalDetection has no impact on captive portal detection in Edge Client on 64-bit Windows.

Impact:
Windows 64-bit clients are not redirected to the custom captive portal page as expected, but are instead sent to the default URL.

Workaround:
Configuring this setting in HKEY_CURRENT_USER\Software\Wow6432Node\F5 Networks\RemoteAccess works.

Fix:
APM captive portal probe URL in BIG-IP Edge Client for Windows can now be customized on x64 Windows-based platforms in the same way as for x86 Windows-based platforms.


482251-3 : Portal Access. Location.href(url) support.

Component: Access Policy Manager

Symptoms:
Some pages cannot be loaded in specific web applications.

Conditions:
This happens in Microsoft Internet Explorer browser-specific code that contains: Location.href(some_url).

Impact:
Web application cannot load some web pages.

Workaround:
None.

Fix:
The Microsoft Internet Explorer browser-specific code Location.href(some_url) now works correctly, so web applications can load previously unloadable web pages.


482241-1 : Windows 10 cannot be properly detected

Component: Access Policy Manager

Symptoms:
Windows 10 cannot be properly detected by the BIG-IP system.

Conditions:
Windows 10 desktop operating system and BIG-IP APM access policy with client OS and Windows info agents.

Impact:
Windows 10 will not be detected out-of-the-box by BIG-IP client OS and Windows info agents.

Workaround:
The user agent can be parsed in the access policy for Windows 10 tokens.

Fix:
Windows 10 can now be detected out-of-the-box by Client OS and Windows Info agents.


482202-1 : Very long FTP command may be ignored.

Component: Carrier-Grade NAT

Symptoms:
FTP commands are delimited with carriage returns. If the BIG-IP system receives a large buffer with no carriage return, it passes the data through without inspecting it for commands or acting on them. Because the only commands the system acts on should be delimited within a reasonable size, this does not affect FTP behavior, and it protects the BIG-IP system against large amounts of non-FTP-command data being passed across FTP.

Conditions:
If the FTP profile encounters command buffers that contain many carriage returns without valid command data, the buffers are passed on without inspection.

Impact:
Under normal conditions there is no impact. If there is invalid data followed by valid data then the valid data may be ignored.

Workaround:
Do not use the FTP profile for traffic other than FTP.

Fix:
The FTP profile no longer processes invalid command data.


482177-4 : Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO

Component: Access Policy Manager

Symptoms:
Accessing the SharePoint web application portal first, with SSO configured for path /* (as part of the portal access resource item), breaks IdP-initiated Security Assertion Markup Language (SAML) single sign-on (SSO).

Conditions:
A SharePoint Portal Access resource and a SAML resource are both on the full webtop. Accessing the SharePoint application by clicking the SharePoint icon on the full webtop first, and then the SAML resource, causes SAML SSO to break.

Impact:
End user will see 404 NotFound page.

Workaround:
Disable SSO to Portal Access application SharePoint.

Fix:
Accessing a SAML resource on the webtop after a SharePoint resource no longer causes SSO to break.


482145-3 : Text in buttons not centered correctly for higher DPI settings

Component: Access Policy Manager

Symptoms:
When high DPI settings are used in Windows, text in buttons is not centered correctly and may run outside the boundaries of the buttons.

Conditions:
User interface is displayed and user has set a higher DPI setting for Windows.

Impact:
Button text does not look correct.

Workaround:
Set DPI settings back to default.

Fix:
Buttons are now correctly scaled for Windows DPI setting.


482137-1 : Adding TCP iRules to PEM space

Component: Policy Enforcement Manager

Symptoms:
TCP iRules are missing from the PEM space.

Conditions:
When writing iRule scripts in the PEM space, TCP iRules do not work.

Impact:
TCP iRules do not function when run in the PEM space.

Fix:
TCP iRules have been added to the PEM space and now function properly.


482134-1 : APD and APMD cores during shutdown.

Component: Access Policy Manager

Symptoms:
When apd and apmd shutdown while they are still processing, the system cores while accessing policy configuration data.

Conditions:
This occurs with a second apd or apmd process while an apd or apmd process is already running. The second apd or apmd process goes down (because one process is already up).

Impact:
During this shutdown process, the system cores.

Workaround:
None.

Fix:
APD and APMD no longer core during shutdown of a second occurrence of APD or APMD.


482046-1 : Old password is not verified during password change from View client.

Component: Access Policy Manager

Symptoms:
Old password is not verified during password change from View client. When the user's AD password has expired, the system requires the user to change it on logon. Typically, both the old and the new passwords are provided to change the password.

Conditions:
When user's AD password is expired.

Impact:
Old password is not verified during password change from View client.

Workaround:
None.

Fix:
Now APM verifies the user's old password before submitting the new one to AD when native VMware View client is used.


482034 : Browser displays error in console in Firefox 3.6.22

Component: Fraud Protection Services

Symptoms:
When using Websafe on some very old versions of Firefox, inspecting the browser's console shows a JavaScript error message.

Conditions:
End user browses a WebSafe protected page using Firefox 3.6.22.

Impact:
Browser's console shows a JavaScript error message.

Workaround:
Use a new version of Firefox.

Fix:
No errors are triggered when using Firefox 3.6.22.


481987-6 : Allow NTLM feature to be enabled with APM Limited license

Component: Access Policy Manager

Symptoms:
When a BIG-IP system has an APM Limited license, NTLM is silently disabled and the connection goes through.

This breaks many (all) use-cases for Exchange + APM.

Conditions:
APM and Exchange are deployed together with APM Limited / Lite license.

Impact:
Exchange cannot be used with APM Limited license when NTLM frontend authentication is selected, which is used in essentially all APM + Exchange deployments.

Fix:
The NTLM frontend authentication (ECA) feature can now be used with an APM Limited license. Typically, this is for Exchange deployments.


481950-1 : DHCP: Need an upgrade script for DHCPRELAY virtuals for BIG-IP version 11.5 and 11.4

Component: Policy Enforcement Manager

Symptoms:
When you upgrade an 11.4 or 11.5 configuration to 11.6 while you have a virtual server of type DHCPRELAY, the configuration fails to load.

Conditions:
The user must have a DHCPRELAY virtual server for this to happen.

Impact:
The impact of this issue is that configuration load will fail until you fix the issue.

Workaround:
Manually edit bigip.conf, remove the udp{} profile from the virtual server, and add a dhcpv4 or dhcpv6 profile instead.
You also need to set the mode of operation (relay or forwarding) in the profile you are attaching.

Forwarding mode works with unicast DHCP traffic, while Relay mode works with broadcast or multicast traffic.


481948-1 : LSN_DELETE messages may not be logged in PBA mode

Component: Carrier-Grade NAT

Symptoms:
LSN_DELETE messages are missing when in PBA mode, even if configured in the log profile.

Conditions:
An lsn-pool in PBA mode, a log profile that enables LSN_DELETE messages, and a connection that is torn down.

Impact:
Individual connection logs may be missing.

Workaround:
Use the PBA logging to determine which subscriber was using a translation endpoint.

Fix:
LSN_DELETE messages are now present when in PBA mode, if configured in the log profile.


481880-5 : SASPD monitor cores

Component: Local Traffic Manager

Symptoms:
The SASP monitor process core dumps during a state change.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
Pool member is marked down, which leads to monitor outage.

Fix:
SASP monitor no longer core dumps during a state change in push mode.


481820-1 : Internal misbehavior of the SPDY filter

Component: Local Traffic Manager

Symptoms:
The SPDY filter incorrectly handles the error case in which a child flow is aborted.

Conditions:
A child flow that is aborted for any reason triggers a superfluous ABORT event to be sent by SPDY.

Impact:
Potential disruption of valid client traffic, in theory.

Workaround:
None.

Fix:
SPDY no longer sends superfluous aborts to an already aborting child flow.


481806-2 : Java Runtime Environment vulnerability CVE-2013-4002

Vulnerability Solution Article: K16872


481792-1 : BD may crash within HTTP payload parser.

Component: Application Security Manager

Symptoms:
The BIG-IP system may temporarily fail to process traffic.

Conditions:
The JSON parser mishandles errors in an escaped character; the fix prevents it from copying the erroneous character.

Impact:
The BIG-IP system may temporarily fail to process traffic.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed an issue of specific requests that sometimes caused the Enforcer to crash.


481706-2 : AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP

Component: Advanced Firewall Manager

Symptoms:
When an AFM DoS Sweep/Flood attack is ongoing, there is a chance that a non-attacking source IP (one sending packets below the detect threshold) is logged as an attacker in the "attack_sampled" AFM DoS log message.

Conditions:
When an AFM DoS Sweep or Flood attack is ongoing, and multiple source IPs (attackers and non-attackers) are sending packets that match the AFM DoS Sweep or Flood vector, the "attack sampled" log message may name an IP that is not actually sending packets above the configured attack rate.

Impact:
The log message could list an innocent source IP as an attacker. AVR may also show this IP as an attacker.

Workaround:
None, since the log message is cosmetic.

Fix:
Improved security logging to reduce incorrect messages.


481696-2 : Failover error message 'sod out of shmem' in /var/log/ltm

Component: TMOS

Symptoms:
You might see a failover error message 'sod out of shmem' in /var/log/ltm.

Conditions:
The conditions under which this occurs vary based on the configured shared memory usage.

Impact:
Failover might not function fully. System posts the message 'err sod[6300]: 01140003:3: Out of shmem, increment amount' in /etc/ha_table/ha_table.conf.

Workaround:
Manually modify /etc/ha_table/ha_table.conf as follows: Change this line: 'ha segment path: /sod table pages: 2' to this: 'ha segment path: /sod table pages: 4'. Save the file and reboot the system.

Fix:
Amount of shmem for sod has been increased.


481677-2 : A possible TMM crash in some circumstances.

Component: Local Traffic Manager

Symptoms:
If TCP::close is called during the SSL handshake, TMM might crash.

Conditions:
TCP::close is called during an SSL handshake.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When closing the connection before or during an SSL/TLS handshake, use the "drop" or "reject" command instead of the TCP::close command.

Fix:
TMM no longer produces a core file when the TCP::close iRule command is executed during an SSL handshake.


481663-5 : Disable isession control channel on demand.

Component: Access Policy Manager

Symptoms:
Customers run into isession-related issues.

Conditions:
This happens when APM has been running.

Impact:
TMM could run out of memory because of these issues.

Workaround:
This issue has no workaround at this time.

Fix:
If you do not need optimized tunnels, app tunnels, or remote desktop, you can safely disable isession by setting the db variable "isession.ctrl.apm" to disabled.
Then run "bigstart restart tmm apd" so that the db variable takes effect.


481648-8 : mib-2 ipAddrTable interface index does not correlate to ifTable

Component: TMOS

Symptoms:
The ipaddrTable's ipAdEntIfIndex value does not match the ifTable's ifIndex value for the same interface.

Conditions:
Using SNMP to monitor F5 and other network devices.

Impact:
Data in the mib-2 ifTable does not correlate to the data in the ipAddrTable.

Workaround:
Use the F5 MIB to monitor F5 devices.

Fix:
The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.


481647-5 : OSPF daemon asserts and generates core

Component: TMOS

Symptoms:
The OSPF daemon might assert if receiving a Link Status (LS) Update header with a length greater than 255 bytes.

Conditions:
This occurs when the LSA header length is greater than 255 bytes in length.

Impact:
OSPF daemon asserts and generates a core, which might cause a service outage.

Workaround:
None.

Fix:
OSPF daemon no longer asserts when receiving a Link Status (LS) Update Packet with an LSA header whose length is greater than 255 bytes.


481541-1 : Memory leak in monpd when LTM and AVR or ASM are provisioned

Component: Application Visibility and Reporting

Symptoms:
When processing 'empty' reports (that is, reports containing no data), monpd has a memory leak.

Conditions:
This might happen when no traffic or data runs for more than 5 minutes through a module that reports to AVR, and therefore no data should be presented by AVR.

Impact:
Memory is gradually exhausted.

Workaround:
To prevent this issue, monitor memory usage and restart monpd prior to the system running out of memory.

Fix:
Previously, a memory leak in the monpd daemon occurred in some situations. It no longer occurs.


481530-1 : Signature reporting details for sensitive data violation

Component: Application Security Manager

Symptoms:
ASM blocks some requests that match signatures of the 'XPath Injection' attack type, but specific details regarding the violations are not visible for the affected requests as the signatures match sensitive parameters.

Conditions:
Request with sensitive data, a signature match inside the sensitive data.

Impact:
You cannot view or learn about violations in the GUI for signatures that match on sensitive parameters.

Workaround:
Suggestions for how to acquire the signature ID:
1. Attach a custom remote logger that includes the violation details field and the support id. Note: You can configure only these two.
2. Turn on the ATTACK_SIG logger module for the bd.log and grep for 'Matched SIGID:' messages.
3. Remove the sensitive configuration. Note: This might not work for your environment.

Fix:
Signature names that are matched inside sensitive data are now shown in the violation details in the Configuration utility.


481476-5 : MySQL performance

Component: Application Security Manager

Symptoms:
MySQL usage would spike to 100% for extended periods of time.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM GUI pages.

Workaround:
There is no workaround at this time.

Fix:
A MySQL performance issue was fixed.


481431-1 : AAM concatenation set memory leak on configuration change

Component: WebAccelerator

Symptoms:
When the AAM configuration is reloaded, it can leak some data structures associated with concatenation sets.

Conditions:
AAM is provisioned and concatenation sets are defined.

Impact:
tmm memory consumption grows slowly.

Workaround:
Restart tmm to free the memory.

Fix:
Reloading AAM configuration no longer leaks memory associated with concatenation sets.


481373-1 : TMM might core when deleting an entry for a user in a Radius AAA cache

Component: Policy Enforcement Manager

Symptoms:
TMM crash resulting in temporary loss of service

Conditions:
Radius AAA in use with user entries present.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores when deleting a user in the Radius AAA cache.


481328-2 : Many 'tmsh save sys config gtm-only partitions all' stack memory issue.

Component: Global Traffic Manager

Symptoms:
Suitably large GTM configurations can take longer to save to the bigip_gtm.conf file than the configured timeout.

Conditions:
This occurs when GSLB automatic configuration save is enabled, many changes are made that require configuration save, and the gtm.global-settings.general.automatic-configuration-save-timeout is less than the length of time it takes to save the configuration to file.

Impact:
Making numerous changes might lead to multiple instances of the save operation running simultaneously. Large memory consumption, potentially leading to a crash.

Workaround:
Set gtm.global-settings.general.automatic-configuration-save-timeout to a larger value or disable automatic configuration saving for GTM / GSLB.

Fix:
Simultaneous GTM configuration saves no longer occur, so memory is not consumed for them.


481257-5 : Information on "OPSWAT Integration Libraries V3" is missing from CTU report

Component: Access Policy Manager

Symptoms:
Information on "OPSWAT Integration Libraries V3" is missing from CTU report

Conditions:
"OPSWAT Integration Libraries V3" are installed on the PC.

Impact:
Information on "OPSWAT Integration Libraries V3" is not available in CTU report

Workaround:
None

Fix:
CTU report now includes information on "OPSWAT Integration Libraries V3".


481216-1 : Fallback may be attempted incorrectly in an abort after an Early Server Response

Component: Local Traffic Manager

Symptoms:
After an Early Server Response, the BIG-IP system might attempt to generate a fallback response if an error occurs. However, the response has already partially egressed, so this does not work correctly.

Conditions:
Fallback configured or enabled by an iRule. An early server response triggers an error that leads to an Abort being raised. The Abort triggers a fallback response inappropriately.

Impact:
The server-side might read HTTP data structures after they have already been freed. A fallback can be generated on the server-side, leading to a use-after-free if the client side has already aborted.

Fix:
A fallback response is no longer inappropriately generated after an error after an Early Server Response.


481210-1 : Active Directory Query doesn't populate all values of multi-value attributes

Component: Access Policy Manager

Symptoms:
If some attribute requested by Active Directory (AD) Query contains multiple values (for example, memberOf), then the last value is omitted in the corresponding session variable.

Conditions:
Active Directory attribute has multiple values.

Impact:
Access policy may make wrong decision based on session variables registered by AD Query.

Fix:
All values are now populated as session variables as expected.


481203-5 : User name case sensitivity issue

Component: Access Policy Manager

Symptoms:
Create a local user (or a dynamic user) whose name starts with an upper-case letter. When responding to the logon page, the user can enter the name in all lower case, all upper case, or any combination of the two. The user is authenticated, but each different combination of the user name creates a separate entry in memcache, where there should be only one. When the user is deleted, all the other entries remain in memcache.

Conditions:
This issue occurs while entering the user name in the logon page response.

Impact:
This issue causes dangling memcache entries that are not accounted for.

Workaround:
This issue has no workaround at this time.

Fix:
When creating the memcache entry, the system now normalizes the user name to UTF-8 lower case. This ensures there is only one entry for all combinations of the user name.


481189-2 : Change the default value of pccd.hash.load.factor to 25

Component: Advanced Firewall Manager

Symptoms:
Sometimes the firewall rule BLOB is very large even though the configuration does not seem to be very large.

Conditions:
The BLOB size depends on many factors, such as the source and destination IP addresses in a rule. There is no straightforward way to estimate the size of the BLOB from static inspection of the rules; two sets of configurations that look very similar can sometimes generate BLOBs of very different sizes.

Impact:
One factor that contributes to the BLOB size is the load factor (percentage of fullness) of the internal hash tables. The load factor specifies the minimum percentage of fullness that needs to be reached before a table is expanded to a larger size.

Workaround:
You can manually set the hash load factor from 0 (don't check) to 75.

Fix:
The load factor controls the minimum percentage of fullness that needs to be reached before a table is expanded to a larger size. Setting it to 25 by default prevents the firewall rule compiler from growing the table size too aggressively, which resulted in a large firewall BLOB.


481162-2 : vs-index is set differently on each blade in a chassis

Component: Local Traffic Manager

Symptoms:
The vs-index field on virtual servers differs on each blade in a chassis.

Conditions:
This occurs on chassis systems when creating a virtual server on a multi-blade VIPRION and on multi-blade vCMP guests.

Impact:
The recently created virtual server holds different vs_index across blades (typically, the virtual servers differ by one, when compared with the active blade). From that point on, every newly created virtual server carries that inconsistency, so that vs-index is set differently on each blade in a chassis.

Workaround:
Follow the procedure in SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) to clear the configuration cache and reload configuration after reboot.

Fix:
The vs-index is now the same on each blade in a chassis on a multi-blade VIPRION and on multi-blade vCMP guests.


481135-1 : The pool members of a wide IP in Link Controller cannot be modified once created

Component: TMOS

Symptoms:
After a wide IP is created in Link Controller, a user cannot modify its pool members from the GUI member page.

Conditions:
When trying to update the pool members of a wide IP in Link Controller, an error occurs.

Impact:
After a wide IP is created in Link Controller, a user must use tmsh to modify members, or use the GUI to delete the wide IP and recreate it with different virtual servers.

Workaround:
Use tmsh to change pool members: tmsh modify gtm pool <pool name> members add { <server>:<vs> }.

Fix:
The pool members of a wide IP in Link Controller can now be modified from the GUI pool member page.


481089-7 : Request group incorrectly deleted prior to being processed

Component: TMOS

Symptoms:
After performing a full sync, sometimes the BIG-IP systems remain out of sync.

Conditions:
A full sync must be performed. There must be more than one active connection to mcpd, and one of them must get disconnected before the sync completes.

Impact:
The BIG-IP systems remain out of sync even after a sync operation.

Workaround:
There are two possible workarounds: 1) Reset device trust and then re-associate peer devices. 2) Set sync-leader using the following tmsh command. (You might need to run the command more than once until the cid.id of the lagging device is equal to or greater than that of the peer unit.) 'tmsh modify cm device-group fail_over_group_name devices modify { name_of_standby_device { set-sync-leader } }'.

Note: You can run the following command from the active device to view any cid.id mismatch, and if further set-sync-leader commands are necessary: 'tmsh run cm watch-devicegroup-device'.

Fix:
After performing a full sync, BIG-IP systems remain in sync as expected, even when active mcpd connections are deleted before the sync completes.


481082-2 : Software auto update schedule settings can be reset during a full sync

Component: TMOS

Symptoms:
After performing a full sync, the auto update settings of the target machine are reset to defaults.

Conditions:
Perform a full sync to a system that has non-default auto update settings.

Impact:
Auto update settings can get out of sync, and be incorrect.

Workaround:
After a full sync, ensure that the auto update settings on both systems are set as desired.

Fix:
The auto update settings no longer reset during a sync operation.


481046-5 : F5_Inflate_text(o, incr, v) wrapper needs to be fixed for the case when o is a script tag

Component: Access Policy Manager

Symptoms:
A web application can get an unrewritten dynamically-generated script when not using Internet Explorer browser.

Conditions:
The problem occurs when scriptTag.text='source script' and the browser is not Internet Explorer.

Impact:
As a result, the web application malfunctions.

Workaround:
This issue has no workaround at this time.

Fix:
The wrapper for scriptTag.text='source script' now rewrites 'source script' for all browsers.


481020-1 : Traffic does not flow through VPN tunnel in environments where proxy server is load balanced

Component: Access Policy Manager

Symptoms:
VPN will appear to be established but no traffic will flow through the VPN tunnel.

Conditions:
VPN is established through proxy server.
DNS returns different IP address for subsequent name resolution query for proxy server.

Impact:
No traffic flows through VPN tunnel.

Workaround:
Use IP address for proxy server instead of name.

Fix:
Resolved an intermittent routing table issue that caused traffic not to flow through the tunnel if the proxy server is load balanced.


480995-1 : APM client components are not using extended logging by default.

Component: Access Policy Manager

Symptoms:
If end users of APM are encountering issues, extended client logs are disabled by default. This makes troubleshooting more difficult, and you would need to work with the end user to enable extended logging and try to reproduce the symptom they are seeing.

Conditions:
This occurs for end users connecting to APM.

Impact:
Extended logs are not present by default, which makes troubleshooting client-side issues more difficult.

Fix:
APM client components are now using extended logging by default.


480931-1 : Multiple BASH vulnerabilities - ShellShock

Vulnerability Solution Article: K15629


480910 : A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled fails to successfully establish a connection.

Component: Wan Optimization Manager

Symptoms:
TCP connection establishment fails on some virtuals.

Conditions:
A TCP profile with advanced options like 'Rate Pace' or 'Tail Loss Probe' enabled, needs to be in use.

Impact:
All TCP connections using a tcp profile which has advanced options like 'Rate Pace' or 'Tail Loss Probe' enabled will fail to establish a connection.

Workaround:
Avoid using the tcp profile options 'Rate Pace' and 'Tail Loss Probe'. If these options are required, there is no workaround other than upgrading to a build with the fix.

Fix:
A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled now successfully establishes a connection.


480903-1 : AFM DoS ICMP sweep mitigation performance impact

Component: Advanced Firewall Manager

Symptoms:
In AFM DoS, ICMP Sweep Vector Mitigation degrades the performance of the BIG-IP system.

Conditions:
ICMP Traffic levels at 4 million pps from ~100 Src IP addresses, with the AFM DoS Sweep vector enabled to mitigate ICMP traffic.

Impact:
Slower performance of the BIG-IP system. A lot of CPU is used to mitigate the AFM DoS Sweep vector.

Workaround:
Do not enable the AFM DoS Sweep vector for ICMP Traffic when the attack rate is over 4 Million pps.

Fix:
AFM DoS ICMP sweep mitigation performance issues have been alleviated.


480888-2 : If Tcl parks during HTTP::collect and serverssl is present, data can be truncated

Component: Local Traffic Manager

Symptoms:
If Tcl parks during HTTP::collect, and serverssl is present, data can be truncated. serverssl can send an 'early' EOF when notified by the server.

Conditions:
A serverssl profile is in use with a server that notifies SSL of connection termination, and HTTP::collect is used in an iRule on the server side. If Tcl is parked during an HTTP::collect call, it is possible for the EOF to be placed before the collected data; if that occurs, the data is dropped. If HTTP::collect is called within the HTTP_RESPONSE_DATA event, the occurrence is much more likely.

Impact:
The server response is truncated.

Fix:
A response from the server is no longer truncated in some situations when the serverssl profile is combined with the use of the HTTP::collect iRule command.


480827-1 : Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND).

Component: Access Policy Manager

Symptoms:
Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND).

Conditions:
This occurs when VDI log level is set to Debug.

Impact:
BIG-IP logs an error message: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND). This message is cosmetic and can be ignored.

Workaround:
Set VDI log level to a level above Debug.

Fix:
Improved error logging to not show unnecessary messages on default level.


480826 : IPs can be added for infinite duration

Component: Advanced Firewall Manager

Symptoms:
The keyword 'infinite' is not accepted as valid input by tmsh.

Conditions:
Attempting to configure an infinite TTL via TMSH for shun list entries.

Impact:
It is not possible to add a shunned IP to a shun list with infinite TTL.

Workaround:
N/A

Fix:
This fix allows the user to use 'infinite' as a valid input to tmsh.


480817-3 : Added options to troubleshoot client by disabling specific features

Component: Access Policy Manager

Symptoms:
It is impossible to turn off specific features on specific clients for troubleshooting purposes.

Conditions:
Always, when using the Edge Client.

Impact:
Lack of these options made client troubleshooting difficult as the options could only be set on the server.

Fix:
Added the following features:

DWORD key                          Default value   HKLM only
------------------------------------------------------------------
UseLocalProxy                      false           yes
EnableEdgeClientUpdate             true            yes
EnableWebComponentsUpdate          true            yes
EnableDTLSTransport (Bug484847)    true            no
EnableNACompression                true            no
EnableOptimizedTunnelCompression   true            no
SessionChecksInterval              10000           no
------------------------------------------------------------------
("false" = 0; "true" = any value except 0)

Key: HKLM (or HKCU)\Software\F5 Networks\RemoteAccess

A zero value for SessionChecksInterval disables this feature completely.
"HKLM only" means that the feature can only be disabled or enabled by a value located in the HKLM subtree; features marked "no" can be disabled using either HKLM (Local Machine) or HKCU (Current User).

The CLIENT control channel is not yet implemented.


480811-2 : qkview will not collect lib directories.

Component: TMOS

Symptoms:
qkview collects subdirectories in /var/run. In 11.6.0, this directory contains symbolic links to /lib64 and /usr/lib64. These directories contain a lot of files that are static and not required for problem diagnosis.

Impact:
qkviews can take a long time to transmit and to interpret due to the large file size.

Workaround:
This issue has no workaround at this time.

Fix:
The lib directories /usr/lib64 and /lib64 will no longer be collected in qkview.

Behavior Change:
qkview now explicitly excludes file collection from the lib and lib64 directories (as well as /usr/lib and /usr/lib64).


480761-1 : Fixed issue causing TunnelServer to crash during reconnect

Component: Access Policy Manager

Symptoms:
TunnelServer may crash in rare conditions during reconnect.

Conditions:
The crash may happen when the PC wakes up after hibernation.

Impact:
User sees confusing message about crashed TunnelServer.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed issue that caused TunnelServer to crash during reconnect.


480699-2 : HA mirroring can overflow buffer limits on larger platforms

Component: Local Traffic Manager

Symptoms:
When using mirroring, some connections between HA peers may overflow buffers and enter a state in which the buffer is repeatedly reset due to overflow.

Conditions:
LTM logs show resets, usually within one minute of each other. Viewing tmctl ha_stat shows the 'overflows' count incrementing by one approximately every minute or less. The 'buffered' count then increases, until at the maximum the 'overflows' count increments again. This does not apply to cases in which client and server bandwidth are far in excess of mirroring bandwidth, nor to cases in which there are occasional but not frequent overflows.

Impact:
In this state, failover can lose more than the expected number of L4 connections, and no L7 connections are mirrored. Note that any failure invalidates L7 mirroring; L4 mirroring recovers from occasional HA connection failures including those related to overflow (provided the HA connection remains up for at least one minute after reconnecting).

Workaround:
Try increasing the statemirror.queuelen to 256 MB (the current maximum) until repeated buffer overflows stop. If overflows continue after the maximum is set, there is no further workaround.

Fix:
Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of TMMs, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.


480686-7 : Packet loop in VLAN Group

Component: Local Traffic Manager

Symptoms:
On an active VIPRION or vCMP guest with a VLAN Group configuration, the CPU usage unexpectedly rises, and traffic flowing through the device may experience high latency and packet drops. A packet capture shows packets looping internally between VLAN members of the VLAN Group.

Conditions:
This occurs when using a VLAN Group (in Translucent or Transparent mode) on VIPRION hardware (including vCMP guest of a VIPRION), and an IP address conflict exists between the BIG-IP and another device on the VLAN Group. Note: The device causing the IP conflict may be unrelated to packets that are found looping in a packet capture.

Impact:
This results in high CPU usage and potentially unresponsive GUI. Traffic flowing through the VLAN Group may experience high latency and packet drops. The Self IP on the affected VLAN becomes almost impossible to reach.

Workaround:
Disable vlangroup.flow.allocate db variable to prevent flow creation for vlangroup forwarded packets.

Fix:
Internal vlangroup loop no longer occurs when the Translucent/Transparent vlangroup setting exists with a duplicate IP address.


480679-1 : The big3d daemon does not receive config updates from mcpd

Component: TMOS

Symptoms:
Any Enterprise Manager device connected to a BIG-IP v11.6.0 will not receive configuration change notifications (including status) for nodes, pool members, or pools and will require manual refresh of configuration for those types. Stats and other configuration items remain unaffected.

Conditions:
This only affects EM devices and potentially Management Pack connections to a BIG-IP. The BIG-IP must be version 11.6.0 only, but the EM may be any version.

Impact:
The impact of this bug is that Enterprise Manager devices will not receive configuration update notifications for nodes, pool members, or pools. This includes status changes. Stats and other configuration items remain unaffected.

Workaround:
This issue has no workaround at this time.

Fix:
The mapping for subscription groups has been fixed so that the SUBSCRIPTION_NODE_ADDRESS and other similar subscription groups will not be overwritten by the SUBSCRIPTION_MONITOR group.


480623 : Category defaulted to whitelist when a valid category was not specified

Component: Advanced Firewall Manager

Symptoms:
When a category that did not exist was specified, a default value of zero was used, which maps to Whitelist.

Conditions:
Configuring a nonexistent shun category.

Impact:
The category is set to the default, which is Whitelist.

Workaround:
N/A

Fix:
This issue, in which the category defaulted to Whitelist when a valid category was not specified, has been fixed.


480583-1 : SIP/DNS DoS is supported only for UDP packets, and SIP DoS does not drop packets but counts drops

Component: Advanced Firewall Manager

Symptoms:
SIP DoS does not drop packets after an attack is detected, but still increments the dropped-packet statistics.

Conditions:
SIP DOS attack is detected.

Impact:
SIP DOS Attack packets will not be dropped.

Workaround:
None

Fix:
This fix causes the system to drop SIP DoS attack packets. This change also restricts SIP/DNS DoS detection only to UDP packets. SIP/DNS DoS attacks over TCP and SCTP are not detected.

Behavior Change:
Prior to this release, SIP/DNS DOS detection and mitigation was supported on TCP,UDP and SCTP protocol packets. With this release SIP/DNS DOS detection and mitigation is only for UDP protocol packets. SIP/DNS DOS attacks will not be detected for TCP and SCTP protocol packets.


480544-1 : Secondary IP flows are not forwarded in multiple IP session

Component: Policy Enforcement Manager

Symptoms:
If a session is created with two IP addresses, flows associated with the secondary IP (the second IP of the session) are not forwarded properly and, consequently, policies are not applied.

Conditions:
A multiple IP session with two IP addresses in the session.

Impact:
Policies are not applied accordingly for all the flows associated to secondary IP of the session.

Fix:
Upgrade to a hotfix or a new version that contains this fix.


480443-1 : Internal misbehavior of the SPDY filter

Component: Local Traffic Manager

Symptoms:
The SPDY filter may send events to a child flow after that child flow has been deleted. When a filter for the deleted child flow processes this event, it may crash.

Conditions:
The conditions that trigger this are unclear. The fix eliminates the behavior that caused a crash. The crash only occurs with a complex virtual server configuration and even then very rarely.

Impact:
The tmm crashes.

Workaround:
This issue has no workaround at this time.

Fix:
The SPDY filter no longer sends events up on deleted child flows, thus preventing a possible crash.


480370-6 : Connections to virtual servers with port-preserve property will cause connections to leak in TMM

Component: Local Traffic Manager

Symptoms:
Connections leak, exhausting the memory over time and causing TMM to re-start.

Conditions:
Virtual server with port-preserve setting. Tunneled APM connections in a CMP environment (many TMM processes).

Impact:
TMM process re-starts causing traffic disruption. Low performance is also seen due to the high number of leaked connections.

Workaround:
None.

Fix:
The internal listeners that are created to forward the connections between TMM processes are now deleted when no longer needed, so new connections are not created, which prevents a memory leak.


480360-5 : Edge Client for Mac blocks textexpander application's functionality

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac blocks textexpander application's functionality.
Edge Client does not release secure input, and from then on the textexpander application does not expand keywords.

Conditions:
The BIG-IP access policy must have a logon page configured with a password field, and Edge Client for Mac connects to such a BIG-IP.

Impact:
textexpander fails to expand recognized keywords.

Workaround:
Click on submit button with mouse or press tab to move focus on submit button and then hit return.

Fix:
BIG-IP Edge Client for Mac was fixed so that it does not block textexpander's functionality.


480350-1 : AVR and APM: TMM crashes

Component: Application Visibility and Reporting

Symptoms:
Intermittent TMM crash when APM and AVR are provisioned together.

Conditions:
AVR enabled with APM.

Impact:
TMM crashes. This is an intermittent issue. Traffic disrupted while tmm restarts.

Workaround:
Disable AVR.

Fix:
This release fixes an issue that intermittently caused TMM to crash when APM and AVR were provisioned together.


480311-1 : ADAPT should be able to work with OneConnect

Component: Service Provider

Symptoms:
The request-adapt and response-adapt profiles are unable to work with the OneConnect profile, and so those combinations are not allowed in the same virtual server.

Conditions:
Attempt to combine request-adapt or response-adapt profile with OneConnect profile on the same virtual server.

Impact:
When adaptation is being used, the connection cannot be kept open and reused for multiple HTTP transactions.

Fix:
The OneConnect profile can be combined with either or both of request-adapt and response-adapt profiles on a virtual server. Both client and server HTTP connections are reused.


480305-1 : tmm log flood: isession_handle_evt: bad transition:7

Component: Wan Optimization Manager

Symptoms:
tmm log flood with the event:
01470000:3: iSession: Connection error: isession_handle_evt:6680: isession_handle_evt: bad transition:7

Conditions:
This may happen when using APM.

Impact:
The tmm log is filled with unnecessary events.

Workaround:
None

Fix:
Fixed iControl / iSession memory leak issue; set proper log level to prevent log flooding.


480299-1 : Delayed update of Virtual Address might not always happen.

Component: Local Traffic Manager

Symptoms:
When a Virtual IP status changes such that a Virtual Address should transition from down to up, the update does not always get to all subscribers.

Conditions:
Route Health Injection (RHI)-enabled Virtual Address and routing protocol on the Virtual IP.

Impact:
RHI might never be re-announced. The delayed update might not propagate the status change because it assumes the previous update reached all subscribers, and so the delayed update might be skipped.

Workaround:
None.

Fix:
Virtual Address delayed update mechanism now sends delayed updates approximately three seconds after change, regardless of previous status, guaranteeing that Virtual Address status reaches all subscribers.


480272-6 : During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID

Component: Access Policy Manager

Symptoms:
OAM ObConfig initialization returns the wrong accessgate ID, which results in EAM setting the wrong domain for the ObSSOCookie.

Conditions:
After a network connection failure with the backend OAM server, ObConfig initialization returned a previous AccessGate ID.

Impact:
The impact of this issue is that ObConfig initialization returns the wrong accessgate ID.

Workaround:
This issue has no workaround at this time.

Fix:
AccessGate init should now fail initialization and retry in case of an AccessGate ID mismatch. If all retries fail, then the AccessGate remains uninitialized. The administrator should clear the config cache for all the AccessGates and restart the EAM process.


480247-5 : Modifying edge client application folder causes gatekeeper to throw warning

Component: Access Policy Manager

Symptoms:
A configuration file exists in the Edge Client application folder and is repeatedly modified by the Edge Client (for example, when the user adds a new server); Gatekeeper throws a warning when this file is modified by the Edge Client.

Conditions:
Mac Edge Client, OS X Yosemite.

Impact:
Gatekeeper throws a warning; the Edge Client might continue working correctly.

Fix:
BIG-IP Edge Client no longer updates its application directory; instead it uses the /Library/Application Support/ directory.


480246-4 : Message: Data publisher not found or not implemented when processing request

Component: TMOS

Symptoms:
The system posts messages in ltm log similar to the following: err mcpd[7172]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (20594).

Conditions:
This occurs on a bladed system from an snmp query against blade_voltage_stat.

Impact:
For bladed systems, the system does not report the blade voltage. For systems that are not bladed system, there is no publisher for this query. This message is cosmetic for non-bladed systems, and you can safely ignore it.

Workaround:
None.

Fix:
The main query processing file was not included during build-time. The file has been added and the stats should now show as expected.


480242-5 : APD, APMD, MCPD communication error failure now reported with error code

Component: Access Policy Manager

Symptoms:
When an unexpected error is received during communication between apd, apmd, and mcpd, it throws an exception.

Conditions:
Rarely reproducible, failed communication between apd, apmd, and mcpd.

Impact:
The system cores without an error code indicating the reason. This hampers finding the actual cause for the error.

Workaround:
None.

Fix:
Now, when an error occurs, the system prints an error code in HEX, which facilitates finding the reason for the error.


480196 : Packets not counted in tmctl ip_intelligence_stat on accept-decisively ACL match

Component: Advanced Firewall Manager

Symptoms:
Packets were not counted in the IPI tmctl table when a matching rule resulted in an accept-decisively match.

Conditions:
An ACL rule with accept-decisively as action along with IPI configuration.

Impact:
This caused a change of behavior compared to a prior version.

Workaround:
None

Fix:
We now count packets in the IPI tmctl table when a matching rule results in accept-decisively match.


480119-2 : Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.

Component: Carrier-Grade NAT

Symptoms:
PPTP filter emits a vague error message in the ltm log, for example: 'Error ERR_BOUNDS connflow 74.14.223.32:1723 -- 121.54.54.11:34976 processing pullup of control message,' or
'Error ERR_BOUNDS connflow 65.93.152.110:1723 -- 121.54.54.11:2004 processing egress message.'

Conditions:
PPTP ALG is configured. CGNAT is configured. Non-PPTP traffic is being directed to port 1723.

Impact:
These messages are cosmetic only, and can be ignored safely, but may indicate that another protocol is using port 1723.

Workaround:
None.

Fix:
Error ERR_BOUNDS loglevel has changed from ERR to DEBUG, which is correct behavior.


480113-4 : Install of FIPS exported key files (.exp) causes device-group sync failure

Component: Local Traffic Manager

Symptoms:
Install of FIPS exported key files (.exp) on one BIG-IP causes device group sync to fail.

Conditions:
With two or more FIPS BIG-IPs configured in a device group, install a correct FIPS exported key file (.exp key) on bigip1. This exp file must be from a FIPS box belonging to the same FIPS security domain.

Impact:
Device group sync fails.

Workaround:
Copy the FIPS .exp file to the peer. Install this .exp key file on the peer also, similar to how it was installed on the first BIG-IP.

Fix:
FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.


480071-2 : Backslashes in policy rule added/duplicated when modified in GUI.

Component: TMOS

Symptoms:
Policy no longer matches rule after modification via the GUI.

Conditions:
This occurs when the policy rule contains literal backslash.

Impact:
The policy does not match the expected condition.

Workaround:
Use tmsh to make policy changes.

Fix:
Backslashes in policy rules are now correctly escaped when modified in the GUI.


480047-1 : BIG-IP Edge Client for Windows does not enable you to generate a client troubleshooting report from the user interface.

Component: Access Policy Manager

Symptoms:
If end users of the Edge Client are encountering difficulty connecting, it is not easy for them to provide you with a troubleshooting report so you can diagnose the problem.

Conditions:
This occurs with Edge Client users.

Impact:
This makes it difficult to diagnose the problem with end users trying to connect with the Edge Client.

Fix:
BIG-IP Edge Client for Windows now enables you to generate a client troubleshooting report from the user interface.


480009-2 : OSPFv2 Redistributed routes are deleted after blade failover with Graceful Restart

Component: Local Traffic Manager

Symptoms:
OSPFv2 redistributed routes are deleted after blade failover.

Conditions:
1. Configure OSPFv2 and enable Graceful Restart.
2. Add static routes on the chassis and redistribute static routes through OSPFv2.
3. Perform a blade failover.

Impact:
Routes are deleted after failover.


479917-1 : TMM crashes if new IP address is added to a session through radius interim update message.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes if a new IP address is added to an existing session via a RADIUS interim update message.

Conditions:
This issue occurs when:
1. There is an existing session established.
2. The existing session is updated with a new IP address using a RADIUS interim update.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
With this fix, a new IP address can be added to an existing session through a RADIUS interim update message without causing a crash.


479897-1 : Multiple PHP 5.x vulnerabilities

Vulnerability Solution Article: K15761


479889-5 : Memory leaks when iSession and iControl are configured

Component: Wan Optimization Manager

Symptoms:
Memory leaks might occur when iSession and iControl are configured.

Conditions:
This occurs when using iSession on APM.

Impact:
Memory leaks.

Fix:
This release resolves memory leaks that occurred when iSession and iControl were configured.


479715-3 : Multi-tab protection problems with multi-domain SSO

Component: Access Policy Manager

Symptoms:
When APM is configured with multi-domain SSO, and an unauthenticated user opens multiple tabs simultaneously to different protected domains, then one of the tabs will be issued an error page indicating authentication is in progress. That page offers a link to reset the session and begin a fresh authentication sequence. Clicking on the link will result in the same error page being presented.

Conditions:
APM is configured with multi-domain SSO, and an unauthenticated user opens multiple tabs simultaneously to different protected domains, and then follows the link to reset the session.

Impact:
The user will be unable to establish a session until the session itself has expired or the browser is restarted.

Workaround:
This issue has no workaround at this time.

Fix:
The errant behavior is caused by an improper URL being presented by the error page. When APM checks the improper URL, it causes it to issue the same error page. This has now been corrected.


479682-4 : TMM generates hundreds of ICMP packets in response to a single packet

Component: Local Traffic Manager

Symptoms:
TMM generates hundreds of ICMP packets in response to a single packet.

Conditions:
This occurs on a VIP2VIP configuration when the server on the second virtual server becomes unreachable.

Impact:
tmm sends hundreds of ICMP packets to the client upon receiving single packet from client.

Fix:
TMM no longer generates hundreds of ICMP packets when the server on the second virtual server in a VIP2VIP configuration becomes unreachable.


479674-1 : bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.

Component: Local Traffic Manager

Symptoms:
bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.

Conditions:
Tcl Monitors: FTP, SMTP, POP3, IMAP, when the timeout is less than the interval. Might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.

Impact:
bigd crashes and posts an error message similar to the following: 'Received invalid magic value in the stream'.

Workaround:
Correct the monitor timeout to be higher than interval. Generally, the timeout should be ((3 * interval) + 1) seconds.

Note: This workaround might not work in cases where the failure is due to Tcl worker being in a stuck state due to the pool member not responding within the configured timeout.

Fix:
The system no longer crashes when Tcl monitors are improperly configured, that is, when the timeout specified is less than the interval.


479660-2 : tmm crash in ipsec when ipsec-policy and ike-peer do not match.

Component: TMOS

Symptoms:
While making changes to ipsec, tmm can crash.

Conditions:
This can occur when ipsec-policy and ike-peer IP addresses do not match.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that the ike-peer "tunnel-remote-address" and ipsec-policy "remote-address" are the same.

Fix:
tmm no longer crashes in ipsec when ipsec-policy and ike-peer do not match.


479553-4 : Sync may fail after deleting a persistence profile

Component: TMOS

Symptoms:
After syncing configuration, the following error occurs:
'One or more persistence attributes are incompatible with the persistence mode for profile'.

Conditions:
This happens if automatic sync is disabled on a device group and a user both creates and deletes a persistence profile before manually syncing the configuration.

Impact:
Peer boxes fail to load the configuration.

Workaround:
There are two possible workarounds: 1. Perform a full sync instead of an incremental sync. 2. Create the profile, then perform a sync, and then delete the profile, and perform a separate sync.

Fix:
The error was raised for an invalid internal error case, which has been removed.


479543-6 : Transaction will fail when deleting pool member and related node

Component: TMOS

Symptoms:
Removing a pool and the related nodes in the same transaction will fail. It will output an error message similar to the following:

01070110:3: Node address '/Common/12.33.22.2' is referenced by a member of pool '/Common/mypool'.

Conditions:
Create a pool, add a single pool member (which creates the associated node). If you then delete the pool and node in the same transaction, the transaction will fail.

Impact:
A pool and related nodes cannot be deleted within the same transaction.

Workaround:
If you delete the pool and nodes in two separate transactions, the process succeeds.

Fix:
The pool-member reference check for the node was moved to a later stage of validation, allowing the pool and pool members to be updated/deleted. This ensures that when the delete code for the node checks for references from a pool, there will be none.


479524-5 : If a "refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten

Component: Access Policy Manager

Symptoms:
If a "Refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten.

Conditions:
If the URL in a "Refresh" header matches the bypass list, the plugin crashes; if the URL is relative to the current path, it is rewritten as an empty string.

Impact:
The impact of this issue is a possible web application malfunction.

Workaround:
This issue has no workaround at this time.

Fix:
Portal Access no longer crashes if a URL in a Refresh header matches a Portal Access bypass list entry.


479460-5 : SessionDb may be trapped in wrong HA state during initialization

Component: TMOS

Symptoms:
An error case may happen on BIG-IP if the following conditions are met:

1. There are two BIG-IPs configured as inter-cluster HA.
2. These two BIG-IPs are multi-blade chassis systems.
3. Master record with independent subkeys is added to SessionDB.

The observed symptom is that you can explicitly delete such a master record, but the auto-expiration mechanisms (timeout and lifetime) do not work on it, so the record lives forever until it is explicitly deleted.

Conditions:
Inter-chassis mirroring.
Chassis with multiple blades.

Impact:
An inconsistent state between systems can cause persistence entries to never time out.

This will impact CGNAT records stored in SessionDB such as persistence records and PBA blocks.


479451-1 : Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth

Component: Access Policy Manager

Symptoms:
Different Outlook users are tied to a single APM session.

Conditions:
Users have identical passwords and come from the same client IP address.

Impact:
The impact of this issue is APM does not validate Outlook credentials.

Workaround:
This issue has no workaround at this time.

Fix:
APM correctly validates Outlook credentials and creates a new APM session for users that come from the same IP and have identical passwords.


479450 : SSL traffic is not forwarded to destination

Component: Traffic Classification Engine

Symptoms:
SSL traffic is not forwarded to the backend server.

Conditions:
This issue occurs when SSL session reuse is enabled (which is the standard behavior).

Impact:
The impact of this issue is that SSL traffic is interrupted (flows are dropped).

Workaround:
Remove the _sys_CEC_SSL_client_policy policy from the SSL VS.

Fix:
Fixed a bug in the classification library that caused SSL traffic not to be forwarded to the destination.


479431-4 : Apache Axis vulnerability CVE-2014-3596

Vulnerability Solution Article: K16821


479374-5 : Setting appropriate TX driver settings for 40 GB interfaces.

Component: TMOS

Symptoms:
In rare cases, the VIPRION C4800 chassis might experience an inability to establish some connections due to losing packets in one direction while in transit between blades.

Conditions:
VIPRION C4800 chassis.

Impact:
When the problem is due to this issue, one or more 5.x or 6.x interfaces show a status of 'up' but a media setting of 'none', and some connections cannot be established. The problem is consistent for a given source and destination IP and port.

Fix:
VIPRION C4800 backplane interfaces are now given proper settings to prevent unidirectional traffic issues.


479359-1 : Loading a UCS file with no-platform-check stalls at platform check

Component: TMOS

Symptoms:
Loading a UCS file with the no-platform-check option does not bypass the platform check (which it should).

Conditions:
This occurs when using the no-platform-check option to load a UCS file from a different platform. This issue occurs only in version 11.6.0 (the base software), 11.6.0 HF1, 11.6.0 HF2, and 11.6.0 HF3.

Impact:
The user cannot load UCS files from other platforms. The system posts the following error message: ERROR: The platform on the system is different from the platform in the UCS. Can't install the UCS. To bypass platform check, use no-platform-check option.

Workaround:
On the system where you are installing the UCS, use tmsh to run the following commands:
-- modify sys db ucs.platformcheck value false
-- load sys ucs my_ucs_filename

Fix:
The no-platform-check option now bypasses the platform check, which allows the user to load UCS files from other platforms.


479334-5 : monpd/ltm log errors after Hotfix is applied

Component: Application Visibility and Reporting

Symptoms:
When you apply a hotfix on an already configured and working volume, many errors are logged in the monpd/ltm logs.

Conditions:
Applying a hotfix to a configured and working volume.

Impact:
None; the errors are cosmetic and benign.

Workaround:
Run the following commands:
1. mysql -p`perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` AVR < /var/avr/avr_srv_code.sql
2. bigstart restart monpd


479302-3 : Error message in ltm log: bcm56xxd: reading L2 entry Operation failed bs_arl.cpp.

Component: TMOS

Symptoms:
Error message in ltm log: bcm56xxd: reading L2 entry Operation failed bs_arl.cpp.

Conditions:
bcm56xxd periodically reads the switch's internal L2 table to save certain L2 information for internal debug use. Reads to unused entries of this table might fail and produce an error.

Impact:
Error messages in /var/log/ltm. Messages appear similar to the following: err bcm56xxd[7453]: 012c0011:3: Error: reading L2 entry 68416: Operation failed bs_arl.cpp(1579)

Workaround:
None.

Fix:
In this release, the seldom-used internal debug table has been removed, which eliminates the periodic accesses.


479176-1 : TMM hangs and receives SIGABRT due to race condition during DNS db load

Component: Local Traffic Manager

Symptoms:
The TMM attempts a DNS db load while starting.

Conditions:
This is a potential race condition that might occur intermittently after a restart.

Impact:
One thread hangs indefinitely and tmm receives a SIGABRT after a period of time.

Fix:
This release fixes a potential race condition that occurred during DNS db load.


479171-3 : TMM might crash when DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM might crash when DSACK is enabled.

Conditions:
This occurs rarely on a virtual server configured with a TCP profile that has DSACK (Duplicate Selective Acknowledgement) enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use TCP profile with the DSACK feature enabled.

Fix:
TMM no longer attempts to transmit DSACKs after the reassembly queue has been purged, so no TMM crash occurs.


479152-5 : Hardware parity error mitigation on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades

Component: TMOS

Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors from an unknown source.

Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.

Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.

Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.

Fix:
This release includes functionality to leverage hardware parity error mitigation capabilities, which reduces the number of fatal errors.


479142-1 : Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)

Component: Global Traffic Manager

Symptoms:
The resource record (RR) in ZoneRunner Daemon (ZRD) is not deleted when the associated Virtual Server is deleted from the Global Traffic Manager (GTM) server object.

Conditions:
Conditions that lead to this issue include a GTM server object with a Virtual Server; a pool with the above virtual server; a wideip using the above pool as resources; and deleting the virtual server from the GTM server object.

Impact:
BIND will contain and return RRs that were intended to be deleted.
The RR is orphaned and can only be deleted manually from ZRD.

Workaround:
To work around this issue, you can delete the GTM server associated with the virtual server to be deleted, but this also deletes the other associated virtual servers. Alternatively, you can manually delete the RR in ZRD.

Fix:
Deleting a virtual server now correctly deletes the resource record (RR) in ZoneRunner Daemon (ZRD).


479084-1 : ZoneRunner can fail to respond to commands after a VE resume.

Component: Global Traffic Manager

Symptoms:
The ZoneRunner GUI can become unresponsive after a VE resume.

Conditions:
This is due to the "lo:" interface not being recreated during resume processing.
ZoneRunner relies on this interface to communicate with the on-box BIND server.

Impact:
ZoneRunner cannot create, modify, delete, or query records on the on-box BIND server.

Workaround:
Restart ZoneRunner after a VE resume with the command:
bigstart restart zonerunner.

Fix:
ZoneRunner now uses the tmm0 interface to communicate with BIND.


478983-1 : TMM core during certificate verification against CRL

Component: Local Traffic Manager

Symptoms:
TMM core during certificate verification against CRL.

Conditions:
Conditions leading to this issue include a Client/Server SSL profile with CRL enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable CRL on the Client/Server SSL profile.

Fix:
TMM no longer cores during certificate verification against a CRL.


478948 : DC PSU reported as AC

Component: TMOS

Symptoms:
When powering up a DC chassis, if one DC PSU is plugged in before the other DC PSU, the system may report the second PSU to be plugged in as an AC PSU.

Conditions:
The following platforms with 2 DC PSUs installed: 10000, 10050, 10055, 10200, 10350, 12050

Impact:
TMOS reports the wrong PSU type to the user.

Workaround:
Removing the DC PSU which is being reported incorrectly and reinstalling will work around this problem:
- Remove PSU for > 30 seconds or until TMOS reports PSU is not present.
- Insert PSU

Fix:
On BIG-IP 10000/12000 Series platforms, the system no longer reports a secondary DC power supply that is installed, but not powered on, as an AC power supply, when power is applied to the secondary DC power supply.


478922-3 : ICSA logging issues on versions 11.4.0 and later

Component: TMOS

Symptoms:
Attempting to turn on ICSA logging for non-ESP packets leads to the following log messages.

Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: 'inbound'.

Conditions:
ICSA logging is enabled. Connections are sent through the BIG-IP system.

Impact:
ICSA logging misses information that is required for certification. Logs similar to the following are found in /var/log/ICSA:

Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: 'inbound'.

Workaround:
None.

Fix:
Resolved an issue in which ICSA logging did not contain information that is required for certification.


478920 : SIP::discard is not invoked for all request messages

Component: Service Provider

Symptoms:
SIP::discard is invoked only for the first two request messages, and the other request messages are allowed to pass through.

Conditions:
This occurs when an iRule uses SIP::discard, for example:
when SIP_REQUEST {
  SIP::discard
}

Impact:
Any iRule that uses SIP::discard might not work as expected.

Workaround:
To work around this issue, you can use MR::message drop in an MR event to drop the message instead.

Fix:
The ingress queue for the messages is now cleared properly when a SIP::discard iRule is present, so all request messages are correctly dropped if SIP::discard is used in the SIP_REQUEST event.


478896 : Hourly Billing AMIs for 11.6.0 contain internal instead of production license

Component: TMOS

Symptoms:
In previous F5 Amazon Marketplace releases, Hourly Billing AMIs were generated with an internal/dev license.

Conditions:
Amazon Marketplace Hourly Billing AMIs.

Impact:
The internal/dev license for Hourly Billing AMIs has been replaced with a proper production license.

Fix:
The internal/dev license for Hourly Billing AMIs has been replaced with a proper production license.


478876-2 : BIG-IP with many active ASM accounts after a restart

Component: Application Security Manager

Symptoms:
After a restart, a BIG-IP system with ASM provisioned that has many active accounts restarts in cycles.

Conditions:
Restart a BIG-IP system with ASM provisioned that has many active accounts.

Impact:
BIG-IP flips between the Active and INOPERATIVE states forever.

Fix:
After you restart a BIG-IP system with ASM provisioned that has many active accounts, you no longer experience frequent restarts.


478859 : Username displayed with trailing "&" sign

Component: Fraud Protection Services

Symptoms:
In Phishing alerts, the username may be displayed in the alert dashboard with an "&" sign appended.

Conditions:
Phishing user alerts.

Impact:
Incorrect username shown in alert dashboard.

Workaround:
None.

Fix:
Removed the extra "&" sign.


478840-1 : Cannot delete keys in subfolders using the BIG-IP GUI

Component: Local Traffic Manager

Symptoms:
Cannot delete keys in subfolders using the BIG-IP GUI.

Conditions:
Deletion of keys in subfolders using web GUI.

Impact:
Keys are not deleted.

Workaround:
To work around this issue, delete keys in subfolders using tmsh.

Fix:
Keys in subfolders can now be successfully deleted using web GUI.


478816 : Fastl4 TCP connection transitions are not logged

Component: Advanced Firewall Manager

Symptoms:
For a fastL4 virtual server, TCP connection transitions are not logged.

Conditions:
When TCP connections are established and closed for a fastL4 virtual server, the events are not logged.

Impact:
No logging information for the TCP state transitions on fastL4 virtual servers.

Fix:
An enhancement now allows logging of TCP events and errors on fastL4 virtual servers.


478812-2 : DNSX Zone Transfer functionality preserved after power loss

Component: Local Traffic Manager

Symptoms:
Zone transfer daemon, zxfrd, will restart endlessly until it is stopped. On the console there will be emergency system alerts every few seconds saying that zxfrd is restarting. Because of the frequency of these alerts, it will be impossible to use the console for anything.

In addition, zone transfers initiated by the BIG-IP will not succeed.

Conditions:
If BIG-IP loses power in the middle of a DNS zone transfer, zone data may be corrupted upon booting up. This results in a nonfunctional zxfrd.

Impact:
The BIG-IP will not be able to transfer zone data from other servers and the TMOS console will be unusable until zxfrd is stopped.

Workaround:
Run the following commands in the console of your affected BIG-IP:

bigstart stop zxfrd
cd /var/db && rm -f tmmdns.bin zxfrd.bin
bigstart start zxfrd

Fix:
With this fix, zone data is no longer susceptible to corruption from power loss.


478791-1 : Hardware compression test fails on 5000 series, 7000 series, 10000 series platforms

Component: TMOS

Symptoms:
Internally executed hardware acceleration tests fail while running a platform-check utility command.

Conditions:
Running hardware acceleration tests with the platform-check utility command on the following platforms: 5000 series, 7000 series, 10000 series.

Impact:
Tests fail.

Workaround:
None.

Fix:
Internally executed hardware acceleration tests no longer fail while running a platform-check utility command.


478761-1 : load sys config default does not work with iCR

Component: TMOS

Symptoms:
load sys config default does not work with iControl REST (iCR). Running the command 'load sys config default' through the iCR interface fails and returns an error similar to the following: { "code": 500, "errorStack": [], "message": "Failed to append to temp tar file \"/var/tmp/tmsh/9X0zkv/data\" cache path \"/config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca.crt_37022_1\"exit code (2).\n" }.

Conditions:
Running the command 'load sys config default' through the iCR interface.

Impact:
iCR cannot be used for loading default system config.

Workaround:
Use tmsh to load the default configuration.

Fix:
The load sys config default command functions correctly through iControl REST (iCR) using the following syntax:

curl -sk -u admin:muadib https://ip-address/mgmt/tm/sys/config -H 'Content-Type: application/json' -X POST -d '{"command":"load","name":"default"}'.


478751-6 : OAM10g form based AuthN is not working for a single/multiple domain.

Component: Access Policy Manager

Symptoms:
OAM10g form based AuthN is not working for a single/multiple domain.

Conditions:
Conditions leading to this issue include double encoding of parameters and a race condition when parsing the form body.

Impact:
Form based OAM authentication might not work.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed all the issues found during testing of the OAM form-based AuthN scheme, for both single and multiple domains.


478734-5 : Incorrect 'FIPS import for failed for key' failure when operation actually succeeds

Component: Local Traffic Manager

Symptoms:
Incorrect debug failure log.

Conditions:
Found internally by testing; the conditions for this issue are unknown.

Impact:
False failure logged.

Workaround:
None.

Fix:
Fixed the incorrect debug failure log found by internal F5 testing.


478674-1 : ASM internal parameters for high availability timeout were not handled correctly

Component: Application Security Manager

Symptoms:
The internal parameters bd_hb_interval and bd_hb_interval_low_platforms are not handled correctly, and a different value is registered with the high availability (HA) system. This causes faster-than-expected failovers. Also, when bypass asm is turned on and a bigstart restart asm is applied, a failover happens.

Conditions:
Two possible conditions:
1. An internal parameter is configured for the HA system timeout, but the failover triggers when ASM does not send a lifesign to the HA system for 10 seconds (instead of the configured time).
2. The bypass asm internal parameter is applied and a bigstart restart asm happens.

Impact:
A failover happens.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed internal parameter processing for the high availability lifesign timeout.


478672-1 : Enforcer memory leak

Component: Application Security Manager

Symptoms:
The BIG-IP system may temporarily fail to process traffic.

Conditions:
Traffic with parameters.

Impact:
The BIG-IP system may temporarily fail to process traffic.

Workaround:
N/A

Fix:
We fixed an issue that sometimes caused ASM to run out of memory.


478658-6 : Window.postMessage() does not send objects

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects. There might or might not be an error in the JavaScript console, depending on the web application.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access.

Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access.

Workaround:
None.

Fix:
Window.postMessage supports sending objects.


478644 : dwbld race with mcpd causes core.

Component: Advanced Firewall Manager

Symptoms:
dwbld depends on MCP for configuration. If mcpd has not completely initialized when dwbld queries it (for tags), this can result in a core.

Conditions:
dwbld queries mcpd for tags.

Impact:
dwbld cores.

Workaround:
None.

Fix:
dwbld now waits for mcpd to completely initialize, preventing a core.


478631 : No validation for Shun TTL lengths

Component: Advanced Firewall Manager

Symptoms:
TTL lengths can get truncated due to being too large.

Conditions:
A large TTL value, above 2^31.

Impact:
Bits get truncated, so the value is wrong.

Workaround:
Do not enter TTL values of 10 or more years.

Fix:
IP Intelligence now rejects ip-ttl values that are above 2^31. This value determines how long an IP address will be shunned.


478617-6 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
The TCP segment size is 40 bytes smaller than it should be.

Conditions:
ICMP implementation using Path MTU (PMTU).

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by running the following command:

tmsh modify sys db tm.enforcepathmtu value disable

Fix:
BIG-IP no longer includes maximum TCP options length in calculating MSS on ICMP PMTU.


478592-1 : When using the SSL forward proxy feature, clients might be presented with expired certificates.

Component: Local Traffic Manager

Symptoms:
When the SSL forward proxy feature is enabled, cached certificates might not expire at the right time, resulting in expired certificates being presented to clients.

Conditions:
When using the SSL forward proxy feature.

Impact:
Incorrect certificates are presented to the clients.

Workaround:
Manually delete the cached certs listed by: show ltm clientssl-proxy cached-certs.

Fix:
Cached certificates are now handled correctly.


478492-7 : Incorrect handling of HTML entities in attribute values

Component: Access Policy Manager

Symptoms:
If an HTML tag attribute contains HTML entities inside its value, this value may not be processed correctly by Portal Access.

Conditions:
For example, if a form action begins with '&#x2f;' instead of '/', it is rewritten although an absolute action path should be left untouched. This leads to incorrect behavior of the web application.

Impact:
Web application may not work correctly.

Workaround:
This issue has no workaround at this time.

Fix:
Now HTML tag attributes with HTML entities inside their values are processed correctly.


478491 : Microsoft RDP client for iOS doesn't work against F5 APM for versions >= 8.1.0

Component: Access Policy Manager

Symptoms:
RDP client for iOS fails to connect to APM configured as RemoteDesktop Gateway.

Conditions:
F5 APM is configured as a RemoteDesktop Gateway.
The iOS RDP client is configured to use APM as the RD Gateway in order to connect to the intranet terminal server.

Impact:
iOS users can't access their backends.

Fix:
The fix improves iOS client recognition so that the latest released version of the client works correctly.


478442-5 : Core in sip filter due to sending of HUDEVT message while processing of HUDCTL message

Component: Service Provider

Symptoms:
There is a tmm core caused by the looping of the SIP message.

Conditions:
The looping back of the message might occur because of a timing error, for example, in response to iRule logic that sends a HUDEVT message while processing a HUDCTL message.

Impact:
The system cores. This might result in SIP traffic not being forwarded to the server.

Fix:
Core in sip filter no longer occurs when sending HUDEVT message while processing of HUDCTL message.


478439-6 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU.

Impact:
Burst traffic is generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU).


478399-2 : PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured.

Component: Policy Enforcement Manager

Symptoms:
If an LTM virtual server has the RADIUS profile 'radiusLB-subscriber-awre' configured, the PEM subscriber session is created even if the BIG-IP system is not licensed for PEM, which can cause 100% TMM usage due to the overhead of processing RADIUS messages.

Conditions:
The RADIUS profile 'radiusLB-subscriber-awre' is configured on the LTM virtual server for non-PEM configurations.

Impact:
100% TMM usage due to PEM subscriber session being created, even when the BIG-IP system is not licensed for the PEM module.

Workaround:
The workaround is to avoid the misconfiguration by not associating the RADIUS profile 'radiusLB-subscriber-awre' to LTM virtual servers for non-PEM configurations, such as when there is no PEM license for the BIG-IP system.

Fix:
A validation has been added to prevent the RADIUS profile 'radiusLB-subscriber-awre' from being mistakenly associated with the LTM virtual server, when the BIG-IP system is not licensed for PEM.


478397-1 : Memory leak in BIG-IP APM Edge Client Windows API.

Component: Access Policy Manager

Symptoms:
There is a possible memory leak in the BIG-IP APM Edge Client Windows API.

Conditions:
Memory can leak in the Edge Client when it fails to connect.

Impact:
It is not known what the impact is.

Fix:
A memory leak in the Windows Edge Client has been fixed.


478351-1 : Changing management IP can lead to bd crash

Component: Application Security Manager

Symptoms:
bd crashes after a management IP change.

Conditions:
A remote logger is configured, traffic volume is high, and the management IP configuration is changed.

Impact:
The impact of this issue is a system outage as the bd restarts.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed a crash that could happen when management IP configuration was changed.


478346-1 : Some AVR statistics not collected properly

Component: Application Visibility and Reporting

Symptoms:
AVR fails to report HTTP statistics.

Conditions:
An Analytics or DoS profile is attached to the virtual IP.

Impact:
HTTP statistics are not shown.

Workaround:
None.

Fix:
Fixed an HTTP statistics reporting problem with AVR.


478333 : Edge Client shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Windows shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions.

Conditions:
Edge Client for Windows.
The user's profile and temp folders are located on different partitions.

Impact:
Configuration will not be saved.

Fix:
Now BIG-IP Edge Client for Windows correctly handles a profile located on a different partition.


478285-2 : [MAC][NA] Routing table is not restored correctly in multi-homed environment if server settings disallow local subnet access

Component: Access Policy Manager

Symptoms:
The routing table is not restored correctly after the Edge Client disconnects in a multi-homed environment if server settings disallow local subnet access.

Conditions:
Multi-homed environment; server settings disallow local subnet access; MAC Edge Client.

Impact:
The routing table might be corrupted.

Fix:
An issue with the routing table not being restored correctly in a multi-homed environment when server settings disallow local subnet access is now fixed.


478261-2 : WinInet handle leak in Edge Client on Windows

Component: Access Policy Manager

Symptoms:
WinInet handle leak in Edge Client on Windows.

Conditions:
Edge Client on Windows, general use.

Impact:
This leak has a minor impact on resource consumption.

Fix:
WinInet handle leak was eliminated.


478257-7 : Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed

Component: Local Traffic Manager

Symptoms:
Re-transmission of packets in response to 'fragmentation needed' messages.

Conditions:
Multiple ICMP Destination Unreachable messages with the Fragmentation Needed code.

Impact:
Burst traffic is generated.

Workaround:
Disable Path MTU Discovery by running the following command:

tmsh modify sys db tm.enforcepathmtu value disable

Fix:
BIG-IP no longer re-transmits packets if the MTU is not changed.


478215-2 : The command 'show ltm pool detail' returns duplicate members in some cases

Component: TMOS

Symptoms:
The command "show ltm pool <poolname> detail" may show duplicate pool members in some conditions.

Conditions:
The same IP address must be used for multiple members, and one member must have port 0 (:0).

Impact:
Redundant pool members listed when running the command.

Workaround:
This issue has no workaround at this time.

Fix:
'show ltm pool detail' no longer returns duplicate entries for members where their IP matches that of another member whose port is 'any'.


478214-1 : APM Native RDP Proxy does not allow users to authenticate without specifying a domain name.

Component: Access Policy Manager

Symptoms:
APM Native RDP Proxy does not allow users to authenticate without specifying a domain name.

Conditions:
1. APM is configured as a Remote Desktop Gateway (RDG).
2. The user attempts to log in without specifying a domain name.

Impact:
Connection fails and the user is not able to login.

Workaround:
Specify the domain name along with the user ID.

Fix:
APM Native RDP Proxy now allows users to authenticate without specifying a domain name. Previously, domain name was required.


478195-4 : Installation of FIPS .exp key files sets incorrect public exponent.

Component: Local Traffic Manager

Symptoms:
Newer FIPS platforms use NGFIPS devices, which seem to be returning the public exponent in little-endian format, when the FIPS exported keys (.exp key files) are imported into FIPS cards. Since F5's code was expecting this in big-endian format, this leads to incorrect public exponent value being written in the key file.

Conditions:
Using FIPS platforms (except the older 8900/6900 FIPS platforms):
1. Put two FIPS platforms in the same FIPS security domain without configuring them in a device group.
2. Create or install a key into FIPS card on box1.
3. Copy the key's FIPS exported key (from /config/ssl/ssl.cavfips/) to box2.
4. Install this FIPS .exp key file on box2 using:
'tmsh install sys crypto key <keyname> from-local-file <.exp file path> security-type fips'

Impact:
If the corresponding certificate was copied from box1 to box2 and then installed on box2, configuring this key/cert on an SSL profile leads to the error 'key and certificate do not match'.

If the corresponding certificate is newly created on box2 after the key install, then SSL traffic using this key/cert will fail.

Fix:
FIPS exported keys can now be correctly installed on other FIPS platforms that belong to the same FIPS security domain.


478115-5 : The action attribute value of a form HTML tag is not properly rewritten in the Minimal Content Rewriting mode when it starts with "/"

Component: Access Policy Manager

Symptoms:
If the action URL of a form HTML tag begins with "/" and the Minimal Content Rewriting list contains the current host name, this URL is erroneously rewritten by adding the "/f5-w-" prefix.

Conditions:
The current host name is in Minimal Content Rewriting list.

Impact:
The impact of this issue is a possible web application malfunction.

Workaround:
To work around this issue, create a particular iRule for each case.

Fix:
The action attribute value of a form HTML tag is now properly rewritten in the Minimal Content Rewriting mode when it starts with a forward slash (/).


477924-1 : System can crash referencing compression provider where selection of provider has been deferred

Component: Local Traffic Manager

Symptoms:
System can crash referencing compression provider where selection of provider has been deferred.

Conditions:
A network flow that is likely to require compression is detected. An unusual condition occurs in which a provider is never selected, but the system references the selected provider anyway.

Impact:
TMM cores and the unit fails over. This occurs intermittently.

Workaround:
Run the command: tmsh modify sys db compression.allowproviderselectiondeferral value disable

Fix:
Select provider in previously unknown case, prior to reference. New feature defers selection of provider to improve provider selection behavior.


477898-1 : Some strings on BIG-IP APM EDGE Client User Interface were not localized

Component: Access Policy Manager

Symptoms:
Some text in internationalized Edge Client was still shown in English.

Conditions:
Use of the internationalized Edge Client.

Impact:
Some strings were displayed in English instead of localized language.

Workaround:
None.

Fix:
BIG-IP APM Edge Client User Interface Translation has been updated. UI messages and labels have now been translated into several languages.


477888-4 : ESP ICSA support is non-functional on versions 11.4.0 and up

Component: TMOS

Symptoms:
Attempting to turn on ICSA logging for ESP packets will lead to the following logs.

Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: "inbound"

Conditions:
ICSA logging for ESP packets is enabled.

ESP connections are sent through the BIG-IP.

Logs similar to the following are found in /var/log/ICSA:

Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: "inbound"

Impact:
ICSA logging misses information that is required for certification.

Fix:
ICSA logging no longer misses information that is required for certification.


477859-1 : ZebOS config load may fail if password begins with numeric character

Component: TMOS

Symptoms:
ZebOS config load might fail if a password begins with a number.

Conditions:
In config file, set a password that begins with a number.
e.g., neighbor 1.2.3.4 password 0abcdefghijkl

Impact:
ZebOS config load fails.

Workaround:
Use a password beginning with an alpha character.

Fix:
ZebOS config now loads correctly when the password begins with a number.


477841-1 : Safari 8 does not use Network Access proxy.

Component: Access Policy Manager

Symptoms:
Network Access (NA) proxy settings are applied to the system, but Safari 8 doesn't use them.

Conditions:
Using Safari 8.

Impact:
End users trying to use the Network Access feature of APM will be unable to if they are connecting using Safari 8. Safari 8 was available on OS X Yosemite.

Workaround:
Network Access can be launched using other browsers like Firefox and Chrome.

Fix:
Safari 8 will now properly use the admin-defined proxy settings if available.


477795-1 : SSL profile passphrase may be displayed in clear text on the Dashboard

Component: Access Policy Manager

Symptoms:
Whenever there is a configuration change, it is indicated by a red dot in the dashboard. When the user clicks on it they can see the SSL passphrase, passwords, etc.

Conditions:
This happens whenever there is a config change event.

Impact:
Passphrases and passwords are visible to users who may not have permission to see them.

Workaround:
None.

Fix:
Now, passphrases, secrets, passwords, and so on, do not display in clear text and appear as "*****".


477789-4 : SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.

Component: TMOS

Symptoms:
When an & (ampersand) character is entered for Common Name, Organization Name, Division or SAN in an SSL Certificate, the ampersand is escaped and replaced with an &amp; string.

Conditions:
Create or renew an existing certificate with an ampersand in the Common Name, Organization Name, Division, or SAN.

Impact:
The system escapes the ampersand with an &amp; string. Names such as AT&T that generate certificates that escape the ampersand character do not work as expected.

Fix:
The system now correctly converts the '&' (ampersand) character in the Certificate and ensures that the Peer Device process is still operating.


477769-1 : TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules.

Component: Advanced Firewall Manager

Symptoms:
TMM will crash (panic) in AFM pktclass code with the following signature: Assertion 'classifier ref non-zero' failed.

Conditions:
For this to happen, the following conditions must be met:

- AFM is enabled.
- The Virtual Server has AFM Rules (policy).
- Either a SPDY profile or HTTP prefetching is enabled.
- The AFM Rule (policy) on this Virtual Server is then modified.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash (panic) is fixed now and TMM no longer panics in scenarios with SPDY or HTTP Prefetching enabled.


477700-1 : Detail missing from power supply 'Bad' status log messages

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances or VIPRION B2100-/B2200-series blades, in which one or more installed power supplies triggers an internal hardware sensor alert indicating a 'Bad' power supply status.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.


477676 : HSB v2.3.12.1 bitstream integrated to fix HSB firmware issues

Component: TMOS

Symptoms:
There exist some HSB firmware issues in BIG-IP software versions running HSB bitstream versions earlier than v2.3.12.1.

Conditions:
VIPRION C2400 chassis, the 2000-series platforms, and B2250 blades using HSB bitstream versions earlier than v2.3.12.1.

Impact:
Firmware issues.

Workaround:
None.

Fix:
An updated HSB bitstream is included in BIG-IP software version 11.6.0 HF2 and later.


477642-5 : Portal Access rewriting leads to page reload in Firefox

Component: Access Policy Manager

Symptoms:
Endless page reload after Portal Access rewriting in Firefox.

Conditions:
Browser is Firefox; there is an expression similar to "location.hash = ''" in the JavaScript code.

Impact:
Customer cannot access page with Firefox.

Workaround:
An iRule that changes the JavaScript code from {location.hash = ''} to {location.hash = '#'}.
Note that such an iRule must be written for the specific application, which is why no generic solution is given in this section.

Fix:
In Portal Access, assignment of an empty string to the location.hash property no longer causes a page reload loop in Firefox.


477611-4 : ICMP monitor does not work on DAG Round Robin enabled VLANs

Component: TMOS

Symptoms:
ICMP monitor does not work on the VLANs with DAG Round Robin set to enabled.

Conditions:
For a VLAN, the DAG Round Robin option is enabled.

Impact:
ICMP monitor will be down.

Workaround:
Utilize another monitor or disable the DAG Round Robin option.

Fix:
DAG Round Robin is now applied to ICMP echo only.


477576-1 : Valid iRule command FLOWTABLE::limit gets rejected when virtual server or route domain name is not specified

Component: Advanced Firewall Manager

Symptoms:
An iRule cannot be saved with the following valid iRule commands:

FLOWTABLE::limit virtual
FLOWTABLE::limit route_domain

Conditions:
Saving an iRule.

Impact:
iRule cannot be saved.

Workaround:
Use the following commands instead:

FLOWTABLE::limit virtual [virtual name]
FLOWTABLE::limit route_domain [ROUTE::domain]

Fix:
An iRule using the following commands can now be saved:

FLOWTABLE::limit virtual
FLOWTABLE::limit route_domain


477571-1 : HTTP/2 support.

Component: Local Traffic Manager

Symptoms:
BIG-IP's HTTP/2 support is not compatible with draft-14.

Conditions:
The IETF released draft-14; BIG-IP is compatible with draft-13.

Impact:
None known.

Fix:
HTTP/2 supports IETF HTTP-WG http2-draft-14.


477540-1 : 'ACCESS::policy evaluate' iRule command causes crash of apmd daemon

Component: Access Policy Manager

Symptoms:
Calling the ACCESS::policy evaluate iRule command in affected builds causes the apmd daemon to crash.

Impact:
As a result, access policy evaluation cannot be initiated from iRules.

Fix:
APMD no longer crashes with null Tcl interpreter object when used with the ACCESS::policy evaluate iRule command.


477524 : Enable ssh for admin account and disable ssh for root account for Amazon deployments

Component: TMOS

Symptoms:
Amazon recently required that SSH access for the root account be disabled. All management of the AWS instance should be done through a different account using SSH.

Conditions:
Amazon AWS environment.

Impact:
There will be no root access for VMs from the next Amazon Market release. The replacement is the admin account. All management functionality is available by connecting over SSH as the admin account.

Fix:
F5 disabled SSH for the root account on VMs in the Amazon cloud (after Amazon mandated it) and enabled SSH for the built-in admin account. The default shell for the admin account is tmsh (instead of bash). On all new Amazon deployments, all management tasks should be done through the admin account.

Behavior Change:
There will be no root access for VMs from the next Amazon Market release. The replacement is the admin account. All management functionality is available by connecting over SSH as the admin account.


477474-3 : Wrong HTML rewriting at client side for very special case

Component: Access Policy Manager

Symptoms:
HTML attributes may be handled incorrectly.

Conditions:
Attribute names that include a hyphen (-) and are concatenated with legal event names. For example:

<some_tag aaa-onclick=zzzz>
<some_tag1 onclick-bbb=yyyy>

Impact:
This issue affects web application functionality.

Fix:
HTML Attributes with names that include a hyphen (-) are now handled correctly in Portal Access.
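The mis-handling described above comes down to how an attribute name is tested against the list of event-handler names. The following added example (not F5's Portal Access code) contrasts a substring test, which treats "aaa-onclick" and "onclick-bbb" as handlers, with a whole-name test, over constructed HTML of the two shapes shown in the Conditions:

```python
"""Added example for issue 477474-3: event-handler attribute detection.

Substring matching on attribute names mistakes hyphenated names such as
'aaa-onclick' or 'onclick-bbb' for the real 'onclick' handler; whole-name
matching does not. All HTML here is constructed sample input."""
from html.parser import HTMLParser

# Constructed subset of HTML event-handler attribute names. A real rewriter
# carries the full list; the subset is enough to show the difference.
EVENT_HANDLER_ATTRS = frozenset(
    {"onclick", "onload", "onsubmit", "onmouseover", "onerror"}
)


def is_event_attr_buggy(name: str) -> bool:
    """Substring test: any attribute whose name *contains* an event name
    is treated as a handler. This reproduces the pre-fix behaviour."""
    lname = name.lower()
    return any(evt in lname for evt in EVENT_HANDLER_ATTRS)


def is_event_attr_fixed(name: str) -> bool:
    """Whole-name test: only an exact (case-insensitive) event name counts.
    'aaa-onclick' and 'onclick-bbb' are ordinary attributes."""
    return name.lower() in EVENT_HANDLER_ATTRS


class AttrClassifier(HTMLParser):
    """Records (tag, attribute name, classified_as_handler) for every
    attribute seen in the markup, using the supplied classifier."""

    def __init__(self, classifier):
        super().__init__()
        self.classifier = classifier
        self.results = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands attribute names over in lower case already.
        for name, _value in attrs:
            self.results.append((tag, name, self.classifier(name)))


def classify_attributes(html: str, classifier) -> list:
    parser = AttrClassifier(classifier)
    parser.feed(html)
    parser.close()
    return parser.results


def handlers_found(html: str, classifier) -> list:
    """Names of the attributes the classifier treats as event handlers."""
    return [
        name
        for _tag, name, is_evt in classify_attributes(html, classifier)
        if is_evt
    ]


# Constructed sample mirroring the two shapes from the issue description,
# plus a genuine handler and a data-* attribute as controls.
SAMPLE_HTML = (
    '<some_tag aaa-onclick="zzzz"></some_tag>'
    '<some_tag1 onclick-bbb="yyyy"></some_tag1>'
    '<button onclick="go()">x</button>'
    '<div data-onclick="meta"></div>'
)


if __name__ == "__main__":
    print("substring test flags :", handlers_found(SAMPLE_HTML, is_event_attr_buggy))
    print("whole-name test flags:", handlers_found(SAMPLE_HTML, is_event_attr_fixed))
```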


477445-1 : APM client improved to support 2 interface connected to the same network segment

Component: Access Policy Manager

Symptoms:
The APM client was not able to reconnect automatically on a system with two or more interfaces connected to the same network segment. This happens when a physical interface is disconnected. The user had to wait a few minutes (or manually press the disconnect and then the connect button) to restore the VPN connection.

Conditions:
This issue occurs when a system has two or more interfaces connected to the same network segment.

Impact:
The impact of this issue is that the client is unable to reconnect automatically.

Workaround:
Manually press disconnect and then connect button to restore VPN connection.

Fix:
The client was modified to restore the routing table state and select the active interface (on a system connected to the same network segment through multiple interfaces).


477432-6 : Roll forward from 11.3.0 with iApp configured fails to load correctly and causes bd to core

Component: Application Security Manager

Symptoms:
ts_debug.log:
-----------
asm|INFO|Aug 14 19:10:41.710|12226|,,MCP Validation error - 010715bd:3: The parent folder is owned by application service (/Common/SharePoint.app/SharePoint), the object ownership cannot be changed to ().
-----------

Conditions:
This occurs after committing the Database changes, but the system then rolls back the UCS files under /ts/var/account. This can occur on a config roll forward from 11.3.0 and earlier to a later version.

Impact:
This causes an inconsistency in the files BD expects when starting, and leads to BD coring. The BIG-IP system may temporarily fail to process traffic as it recovers from BD restarting.

Workaround:
Disable ASM for iApps before upgrade, and then re-enable.

Fix:
We fixed an error that caused the Enforcer to crash if you tried to roll forward a system configuration containing an iApp (application service) from version 11.3.0 or earlier.


477394-1 : LTM might reset and cause out-of-ports

Component: Local Traffic Manager

Symptoms:
Passive FTP using FTP range iRule might intermittently cause out-of-ports reset.

Conditions:
This occurs when using passive FTP with a range of FTP ports in an iRule.

Impact:
LTM resets.

Fix:
Passive FTP using FTP range iRule no longer causes out-of-ports reset.


477375-5 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
Rarely, the SASP monitor cores.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage. This occurs rarely.

Fix:
SASP monitor no longer cores when configured in push mode.


477318-1 : Fixes possible segfault

Component: Service Provider

Symptoms:
When generic message is configured with the message parser disabled and messages are pushed to the outgoing connection faster than it is able to receive them, a segfault may occur.

Conditions:
When generic message is configured with the message parser disabled and messages are pushed to the outgoing connection faster than it is able to receive them.

Impact:
Segfault occurs.

Workaround:
None.

Fix:
Fixed the segfault that occurred in generic message when a HUDEVT_SENT is received and the parser is disabled.


477281-4 : Improved XML Parsing

Component: TMOS

Symptoms:
With certain requests, XML parsing returns the wrong document.

Conditions:
A certain set of parameters are sent to pages which utilize DocumentBuilderFactory to process and return XML documents.

Impact:
The document that was requested is not returned. Another document is returned instead.

Workaround:
None.

Fix:
XML Parser configuration was changed to ensure only correct documents are returned to all requests.


477278-5 : XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033

Vulnerability Solution Article: K15605


477274-8 : Buffer Overflow in MCPQ

Vulnerability Solution Article: K16196


477240-2 : iQuery connection resets every 24 hours

Component: Global Traffic Manager

Symptoms:
An iQuery connection attempts to renegotiate SSL keys every 24 hours.

Conditions:
Once every 24 hours after an iQuery connection is established.

Impact:
The response to this by big3d is to close the connection. All virtual servers go red.

Workaround:
None.

Fix:
SSL properly renegotiates rather than terminates connections when the session expires.


477218-5 : Simultaneous stats query and pool configuration change results in process exit on secondary.

Component: TMOS

Symptoms:
Simultaneous stats query and pool configuration change results in process exit on secondary.

Conditions:
Running parallel operations in tmsh/GUI or multiple tmsh operations on pool objects. For example, running 'tmsh show' command while simultaneously updating the monitor on the pool in the GUI.

Impact:
The primary restarts, and the slot goes down, resulting in potential traffic impact. The ltm logs display error messages similar to the following:
-- err mcpd[29041]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool (/Common/CYBS-P-UBC-43) was not found.
-- notice mcpd[8487]: 0107092a:5: Secondary slot 1 disconnected.

Workaround:
Use the absolute name of the pool in the tmsh command: /partition_name/pool_name.

Fix:
TMSH command now automatically issues the absolute path by using the context for the current connection to MCPd, so there are no MCPd restarts in this case.


477138-1 : Only one of several VMware View Desktop/Application pools with the same display name can be launched from APM Webtop

Component: Access Policy Manager

Symptoms:
Only one of several VMware View Desktop/Application pools with the same display name can be launched from APM Webtop.

Conditions:
Configuration with VMware View Desktop/Application pools with the same display name.

Impact:
Only one of several VMware View Desktop/Application pools with the same display name can be launched.

Workaround:
Use unique display names for VMware View Desktop/Application pools.

Fix:
All of VMware View Desktop/Application pools with the same display name can now be launched from APM Webtop.


477111-5 : Dual management routes in the main routing table

Component: TMOS

Symptoms:
Dual management routes might exist in the default routing table, main. On version 11.6.0, the system also produces an error message when querying SNMP ipCidrRouteTable.

Conditions:
In versions earlier than 11.6.0, conditions are unknown other than observing the dual management routes in the main routing table. On version 11.6.0, the condition is snmpwalking ipCidrRouteTable.

Impact:
On affected versions earlier than 11.6.0, there are dual management routes in the main routing table. On version 11.6.0, you might also receive an error upon querying SNMP ipCidrRouteTable and/or snmpd core.

Workaround:
To recover from this issue, delete the duplicate route.

Fix:
The main routing table now has a single entry for the management network.


477064-1 : TMM may crash in SSL

Component: Local Traffic Manager

Symptoms:
When SSL is configured in TMM, a crash might occur if events happen in a specific (unknown) order.

Conditions:
ClientSSL is configured on a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The TMM exit and restart that occurred in certain circumstances when processing SSL traffic has been fixed.


477031-2 : Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart

Component: TMOS

Symptoms:
Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart.

Conditions:
Deleting multiple VXLAN tunnels with flooding type multipoint.

Impact:
TMM restart and a TMM core is generated.

Workaround:
None.

Fix:
No TMM restart when deleting multiple VXLAN tunnels with flooding type multipoint.


476904-2 : App type 0 session Update Failed on PEMDB: ERR_INPROGRESS

Component: Policy Enforcement Manager

Symptoms:
The log "App type 0 session Update Failed on PEMDB: ERR_INPROGRESS" appears even when the log level is set to Critical; it should be logged at the debug log level.

Conditions:
This occurs under normal PEM operation, and is part of PEM debug logging.

Impact:
This log is for debugging and can be safely ignored.

Fix:
Adjusted logging levels to remove potentially confusing messages.


476886-3 : When ICAP cuts off request payload, OneConnect does not drop the connection

Component: Service Provider

Symptoms:
After sending an ICAP preview, the BIG-IP system waits for a response from the ICAP server. If it receives the complete ICAP response before it has completed sending the ICAP request (for example, when the response contains an encapsulated 302 redirect), it stops sending the request payload and closes the TCP connection. However, when a OneConnect profile (CONNPOOL filter) is on the IVS, the TCP connection to the ICAP server is not terminated.

Conditions:
This occurs when using ICAP and OneConnect profiles on an IVS, when the BIG-IP ICAP client has resumed sending the request body on receiving a 200-OK response after the preview. ICAP server response completes before it has received the entire request body (for example, encapsulated redirect).

Impact:
The ICAP server cannot detect the end of the ICAP request so might get confused.

Workaround:
Do not use OneConnect. As an alternative, if the ICAP server completes its response, it could ignore any further input from the client until it detects another RESPMOD or REQMOD indicating the beginning of a new transaction. ICAP servers are not required to do this, but it would allow connection reuse in the case where the server completes its response before the request is complete.

Fix:
In this release, if the BIG-IP system receives the complete ICAP response from the ICAP server before it has completed sending the ICAP request, and a OneConnect profile is on the IVS, the TCP connection to the ICAP server is terminated and that connection is not reused.


476738-1 : rsync daemon may be configured to listen on a public port

Vulnerability Solution Article: K15549


476736-2 : APM IPv6 Network Access connection may fail in some cases

Component: Access Policy Manager

Symptoms:
When the client-provided link-local address contains zeros in its first 4 or more bytes, the IPv6 Network Access connection fails because the listener bind fails.

Conditions:
The first 4 or more bytes of the IPv6 link-local address are zeros.

Impact:
IPv6 Network Access Tunnels may not succeed.

Workaround:
There is no workaround for this.

Fix:
For a certain set of IPv6 link local addresses, the IPv6 Network Access tunnel may not succeed due to listener lookup failure. This code change fixes this issue.


476705-1 : TMM can crash if receiving radius start or stop messages with multiple IP but no subscriber ID.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes if the radius start/stop messages received have multiple IP addresses but have no subscriber ID.

Conditions:
Conditions leading to this issue include: receiving RADIUS start or stop messages; the RADIUS message has multiple IP addresses listed; and the RADIUS message does not have a subscriber ID.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
After the fix, TMM does not crash when receiving a RADIUS message matching the conditions above.


476683-2 : Suspended DNS_RESPONSE events are not resumed

Component: Local Traffic Manager

Symptoms:
iRules that cause the DNS_RESPONSE event to suspend will not be resumed.

Conditions:
DNS_RESPONSE event with command that causes it to be suspended.

Impact:
DNS_RESPONSE event does not complete execution.

Workaround:
Do not use iRule commands in DNS_RESPONSE event that result in suspension.

Fix:
DNS_RESPONSE events are now resumed after suspension.


476599-4 : TMM may panic when resuming DNS_REQUEST iRule event

Component: Local Traffic Manager

Symptoms:
TMM panic when executing DNS_REQUEST event.

Conditions:
The TMM panics when the following events have occurred:
- The DNS_RESPONSE event has been suspended.
- The DNS_REQUEST event is executed.

Impact:
TMM restart.

Workaround:
None.

Fix:
In this release, the system clears suspended iRules that have failed before executing new events.


476567-5 : fastL4: acceleration state is incorrectly reported on show sys conn

Component: Local Traffic Manager

Symptoms:
The output of the command show sys conn shows both sides of two connections as accelerated, which means there should be four accelerated flows. But the ePVA accelerated flow count only shows three accelerated flows, which is what is expected with this combination of IP/port addresses.

Conditions:
This occurs when using FastL4 and acceleration.

Impact:
The system reports incorrect status.

Fix:
The system now updates accelerated status after the flow has been successfully inserted into the ePVA, so the correct state is reported.


476564-5 : ePVA FIX: no RST for an unaccelerated flow targeting a network virtual

Component: Local Traffic Manager

Symptoms:
A network virtual server configured with guaranteed acceleration fails to receive an RST for a flow that is not accelerated, whereas an RST is seen when targeting a host virtual. This results in the client retransmitting packets continuously, since the client has no indication that the connection was closed.

Conditions:
This occurs with guaranteed latency.

Impact:
The system drops flows.

Fix:
The system now sends RST in guaranteed mode for an ePVA flow when the packet is received in software.


476476-7 : Occasional inability to cache optimized PDFs and images

Component: WebAccelerator

Symptoms:
Restarting the datastor service can result in some optimized PDFs or optimized images becoming uncacheable.

Conditions:
If WAM has a handle to cached content in datastor which no longer exists because datastor restarted or evicted it, and if this content is an image or PDF which WAM optimized, and if two requests for such content arrive on the same TCP connection, the second can be incorrectly cached such that it cannot be served or replaced until tmm is restarted.

Impact:
Certain URLs become uncacheable, thus reducing effectiveness of WAM.

Workaround:
Disable client keep-alive in the HTTP profile (change Maximum Requests in the HTTP profile from 0 to 1), or disable PDF linearization and image optimization.

A partial workaround is to use wa_clear_cache instead of restarting datastor to clear the cache. Content which datastor evicts might still suffer (but this is unlikely).

Fix:
Restarting datastor no longer results in the possibility of some optimized PDFs or optimized images becoming uncacheable.


476475 : SSL accelerator card does not function on the BIG-IP 12250 platform.

Component: TMOS

Symptoms:
SSL accelerator card does not function on the BIG-IP 12250 platform.

Conditions:
This occurs on BIG-IP 12250 platforms running 11.6.0 hf1.

Impact:
SSL acceleration does not work.

Workaround:
None.

Fix:
SSL acceleration support is now present for the BIG-IP 12250 platform.


476386-2 : DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for tls1.2

Component: Local Traffic Manager

Symptoms:
DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 are visible for other protocols, but are only supported for TLS1.2.

Conditions:
These should only show up under TLS1.2 but they are visible for other protocols.

Impact:
Selecting these might have unexpected results.

Workaround:
None.

Fix:
Resolved the issue to ensure that DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 are supported only for TLS1.2.


476336 : TMM and other daemons, such as the Enforcer, crash

Component: Application Visibility and Reporting

Symptoms:
Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash.

Conditions:
Using AVR.

Impact:
TMM and other daemons, such as the Enforcer, crash. Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
Resolved an issue leading to tmm core when multiple modules, including ASM, APM, AFM, ADM and AVR, are provisioned.


476288-1 : Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault

Component: TMOS

Symptoms:
When multiple route domains and multiple routing protocols per route domain are repeatedly created and deleted, the tmrouted crashes and restarts.

Conditions:
Multiple route domains, with multiple routing protocols per route domain, are created and deleted repeatedly within short time intervals.

Impact:
The routing information is lost and the tables need to be built again. This might cause packet loss.

Workaround:
None.

Fix:
Repeated creation and deletion of route domains and routing protocols led to a race condition between the start timer of the routing protocols and inconsistent memory state of the deleted routing protocols. This fix resolves the race condition.


476281 : tmm crash on uninitialized variable

Component: Local Traffic Manager

Symptoms:
tmm occasionally crashes when server_key and client_key variables are not initialized before being used.

Conditions:
This occurs when using an FTP virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
tmm no longer crashes when server_key and client_key variables are uninitialized.


476191-1 : Bypass unicode validation on XML and JSON profiles by internal parameter

Component: Application Security Manager

Symptoms:
Some UTF-8 characters in JSON data can result in the "Malformed JSON data" violation.

Conditions:
JSON and UTF-8 handling: some applications use Unicode characters that are not mapped as allowed by the ASM XML/JSON parser.

Impact:
ASM identifies properly formatted JSON data as malformed.

Workaround:
N/A

Fix:
So that you can bypass unicode validation on XML and JSON profiles, we added two internal parameters:

- relax_unicode_in_xml: The default is 0 which is the current behavior. When the value is changed to 1, a bad unicode character does not produce an XML malformed violation. A bad unicode character might be a legal unicode character that does not appear in the mapping of the system's XML parser.

- relax_unicode_in_json: The default is 0 which is the current behavior. When the value is changed to 1, a bad unicode character does not produce a JSON malformed violation. A bad unicode character might be a legal unicode character that does not appear in the mapping of the system's JSON parser.


476179-1 : Brute Force end attack operation mode reported as blocking while it was actually in transparent mode

Component: Application Security Manager

Symptoms:
When the Brute Force attack_status 'ended' log message appears, the operation mode is reported as Blocking even though it was configured as Alarm.

Conditions:
Brute force is configured to work in Transparent mode.

Impact:
False reporting during Transparent Brute Force attack.

Workaround:
N/A

Fix:
Brute force reporting: The brute force reported operation mode (Transparent or Blocking) is now the same when the attack starts and ends. Previously, sometimes the system would change the operation mode logged when the attack ended.


476157-3 : MIT Kerberos 5 vulnerability CVE-2014-4342

Vulnerability Solution Article: K15547


476144-1 : TMM generates a core file when dynamically loading a shared library.

Component: Performance

Symptoms:
When attempting to dynamically link a shared library, TMM cores.

Conditions:
Dynamically loading more than a certain number of shared libraries will result in a tmm core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
Invalid attempt to free TMM memory is ignored.


476133-1 : In APM OAM authentication, ObSSOCookie _lastUseTime was not updated.

Component: Access Policy Manager

Symptoms:
_lastUseTime in APM OAM ObSSOCookie is not updated after the user is authenticated using ObSSOCookie. This results in ObSSOCookie expiring prematurely.

Conditions:
User is already authenticated and provided with an ObSSOCookie.

Impact:
Because the ObSSOCookie expires prematurely and authentication with it fails, the user is asked to submit credentials for authentication again.

Workaround:
No known workaround

Fix:
Issue fixed. _lastUseTime in the OAM ObSSOCookie is now updated on each successful authentication and authorization.


476126-1 : Adding SR-IOV and VLAN tagging in the F5 VE with Emulex NIC

Component: TMOS

Symptoms:
SR-IOV and VLAN tagging were not supported for Emulex NICs prior to version 11.5.1. The underlying NIC driver from Emulex lacked such support.

Conditions:
This issue occurs when VE is running on a host with Emulex NICs.

Impact:
No SR-IOV or VLAN tagging support.

Workaround:
This issue has no workaround at this time.

Fix:
The latest Emulex NIC driver was included in 11.5.1-HF5. It supports SR-IOV and VLAN tagging when Emulex NICs are used.


476097-1 : TCP Server MSS option is ignored in verified accept mode

Component: Local Traffic Manager

Symptoms:
After enabling 'verified-accept' in the TCP profile, window scaling does not work on the server-side connection. More specifically, the BIG-IP system ignores window scaling from the back-end server.

Conditions:
Enabling 'verified-accept' in TCP profile.

Impact:
The BIG-IP system ignores window scaling from the back-end server.

Workaround:
Disable 'verified-accept' in the TCP profile.

Fix:
Window scaling with back-end server now works when 'verified-accept' is enabled in the TCP profile.


476038-1 : Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac crashes on OS X 10.7 if a user adds a new server using its IP address rather than its DNS name.

Conditions:
Add an APM virtual server by its IP address in the Edge Client for Mac.

Impact:
Edge Client crashes

Workaround:
Use DNS name rather than IP address when adding a new server.

Fix:
On BIG-IP Edge Client for Mac on OS X 10.7, a user can now successfully add a new server using its IP address.


476033-1 : APM does not support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway.

Component: Access Policy Manager

Symptoms:
APM does not support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway.

Conditions:
Using Microsoft Remote Desktop 8.0.8 client.

Impact:
iOS client does not work when using APM as RD Gateway.

Workaround:
priority 1
when HTTP_REQUEST {
    # Reject the iOS RD Gateway client (identified by its rdg-client-generation
    # header) with a 404 and close the connection before it reaches the unsupported path.
    if { [HTTP::header rdg-client-generation] == "iOS=1" } {
        HTTP::respond 404
        TCP::close
        event disable all
    }
}

Fix:
Support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway.


476032-1 : BIG-IP Edge Client may hang for some time when disconnecting from FirePass server

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client hangs in "Disconnecting" state for some time if the backend server is FirePass.

Conditions:
A FirePass server is the backend.

Impact:
The user has to wait for the disconnect to complete.

Fix:
Issue fixed. BIG-IP Edge Client now disconnects from FirePass without delays.


475861-1 : Session Awareness: Requests are reset

Component: Application Security Manager

Symptoms:
Long Requests (greater than 10 MB) are being reset.

Conditions:
1. Long requests (greater than 10 MB) are sent.
2. Session Awareness is enabled, with 'log all requests' enabled for a session.

Impact:
Long Requests (greater than 10 MB) are being reset.

Workaround:
N/A

Fix:
Requests are no longer reset when session awareness is enabled, log all requests is enabled for a session, and a large POST request (greater than 10 MB) is sent when the "buffer exceed max length" violation is disabled.


475856-1 : BD may crash when enabling Base64 Decoding on Wildcard cookie

Component: Application Security Manager

Symptoms:
The BIG-IP system may temporarily fail to process traffic.

Conditions:
Enabling Base64 Decoding on Wildcard cookie.

Impact:
The BIG-IP system may temporarily fail to process traffic.

Workaround:
N/A

Fix:
The Enforcer no longer crashes when Base64 Decoding is enabled on a wildcard cookie.


475829-1 : AWS - VE is locked out after live install on 2nd slot.

Component: TMOS

Symptoms:
SSH access might be blocked on VE (launched in AWS) after live install on 2nd slot is performed and VE is booted to 2nd slot.

Conditions:
VE running in AWS
Live install performed on 2nd slot and VE is booted to it.

Impact:
SSH access to the box might be lost.
It's effectively locked out since there is no console access to this VM.

Fix:
The public key for ssh access is obtained from AWS metadata service on 1st boot.


475819-4 : BD crash when trying to report attack signatures

Component: Application Security Manager

Symptoms:
The Enforcer rarely crashes when logging attack signatures.

Conditions:
A rare issue that happens suddenly when reporting attack signatures to the logs.

Impact:
Traffic resets, failover.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed an issue that rarely caused the Enforcer to crash when logging attack signatures.


475791-4 : HTTP caching configured in a Web Acceleration profile may dispatch internal messages out-of-order, leading to assert

Component: Local Traffic Manager

Symptoms:
HTTP caching configured in a Web Acceleration profile may dispatch internal messages out-of-order, leading to an assert.

Conditions:
Assert may occur when the following conditions are met:
 - Virtual server has HTTP caching configured in a Web Acceleration profile.
 - Virtual server has mirroring enabled.
 - Device is in standby mode.
 - Active unit is unable to fulfill incoming HTTP request (ramcache entry is invalid / no pool members).
 - Standby unit is able to fulfill mirrored request (ramcache entry is valid).

Impact:
Due to this rarely occurring race condition, a tmm_panic occurs ('valid pcb') when a connection is being closed and the ramcache feature is able to fulfill an incoming request. The standby unit becomes temporarily unavailable.

Workaround:
Do not use connection mirroring when HTTP caching is configured in a Web Acceleration profile.

Fix:
HTTP caching configured in a Web Acceleration profile no longer dispatches internal messages out-of-order, so the assert no longer occurs.


475770-1 : Fixed routing table management for cases when 2 or more interfaces are used

Component: Access Policy Manager

Symptoms:
Some routes are not restored correctly if the system has 2 or more network interfaces.

Conditions:
An interface's routes are affected only if the interface is:
1) Not used for the Network Access connection.
2) Physically UP at the start of the test.
3) Physically brought DOWN before connecting to Network Access.
4) Physically brought UP again after Network Access is disconnected.

Impact:
Some routes are not restored correctly.

Workaround:
None.

Fix:
Improved routing table management for two or more network interfaces.


475743-4 : Improve administrative login efficiency

Vulnerability Solution Article: K92140924


475735-4 : Failed to load config after removing peer from sync-only group

Component: Access Policy Manager

Symptoms:
Load sys config fails.

Conditions:
Loading config after removing peer from sync-only device group.

Impact:
Failed to load config.

Workaround:
Remove the peer device from the sync-only device group on which policy sync was previously performed.

Fix:
A user can now load sys config even after removing the peer from the sync-only group.


475701-2 : FastL4 with FIX late-bind enabled may not honor client-timeout

Component: Local Traffic Manager

Symptoms:
When insufficient initial data is received, the FastL4 fix late-bind timeout recovery action is not taken (no RST sent with disconnection and no default pool use with fallback).

Conditions:
FastL4 profile with FIX late-bind enabled and insufficient data is received.

Impact:
The client-timeout feature does not work. Client connections seem to hang, and RST is not sent (when timeout-recovery disconnect) or the connection does not continue with standard FastL4 behavior (when timeout-recovery fallback) if enough initial data does not arrive within the client-timeout.

Workaround:
Setting tcp-handshake-timeout to a value that is greater than client-timeout might allow this to work.

Fix:
FastL4 with FIX late-bind enabled now honors client-timeout.


475682-6 : APM OAM should be sending a single Cookie header with the cookies delimited by semi-colon.

Component: Access Policy Manager

Symptoms:
Authentication with the OAM ObSSOCookie failed because the multiple cookies added by the APM EAM module were sent with a comma delimiter separating them. EAM should send a single Cookie header with the cookies delimited by semicolons.

Conditions:
Multiple cookies added by the APM EAM module are sent with a comma delimiter separating them.

Impact:
Authentication with OAM ObSSOCookie fails and user is required to authenticate again with credentials.

Workaround:
No workaround.

Fix:
EAM used to send multiple Cookie headers in the HTTP message. Some receivers fold repeated headers of the same name into one comma-separated value, which corrupts cookie values. EAM now adds a single Cookie header with the cookies delimited by semicolons.
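As an added illustration (not F5 or APM code) of why folding repeated Cookie headers breaks ObSSOCookie validation, the following Python models a receiver that joins repeated headers with ', ' beside the single semicolon-delimited header the fix produces; the cookie names other than ObSSOCookie and all values are constructed.

```python
"""Added example for 475682-6: repeated Cookie headers vs. one semicolon-delimited
Cookie header. Not APM/EAM code; the folding receiver is a constructed model."""
from typing import Dict, List, Tuple

# Constructed sample cookies; values are placeholders, not real OAM tokens.
SAMPLE_COOKIES: List[Tuple[str, str]] = [
    ("ObSSOCookie", "abc123"),
    ("OtherCookie", "xyz789"),
]


def build_single_cookie_header(cookies: List[Tuple[str, str]]) -> str:
    """Client form from RFC 6265: one Cookie header, pairs joined by '; '.
    This is the form the fixed EAM sends."""
    return "; ".join(f"{name}={value}" for name, value in cookies)


def fold_repeated_headers(values: List[str]) -> str:
    """Model of a receiver applying the generic repeated-field rule (join with
    ', ') to Cookie, which RFC 6265 does not allow. This is the failure mode."""
    return ", ".join(values)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split one Cookie header into name/value pairs on ';' only."""
    jar: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue  # skip empty or malformed pairs
        name, value = pair.split("=", 1)
        jar[name.strip()] = value.strip()
    return jar


def old_behaviour(cookies: List[Tuple[str, str]] = SAMPLE_COOKIES) -> Dict[str, str]:
    """Each cookie sent as its own Cookie header, then folded by the receiver."""
    folded = fold_repeated_headers([f"{n}={v}" for n, v in cookies])
    return parse_cookie_header(folded)


def fixed_behaviour(cookies: List[Tuple[str, str]] = SAMPLE_COOKIES) -> Dict[str, str]:
    """Single semicolon-delimited Cookie header, parsed by the same receiver."""
    return parse_cookie_header(build_single_cookie_header(cookies))


def obssocookie_is_intact(jar: Dict[str, str], expected: str) -> bool:
    """True when the ObSSOCookie value survived transport unmodified."""
    return jar.get("ObSSOCookie") == expected


if __name__ == "__main__":
    # With folding, the ObSSOCookie value swallows the next cookie, so OAM
    # validation of the token fails; the single header parses cleanly.
    print("old  :", old_behaviour())
    print("fixed:", fixed_behaviour())
```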


475677-3 : Connections may hang until timeout if a LTM policy action failed

Component: Local Traffic Manager

Symptoms:
When an LTM policy action that takes place during an HTTP request or response fails (which is very rare), the affected connection hangs until a timeout occurs.

Conditions:
This issue occurs when you attach an LTM policy to a virtual server with a rule whose action fails, and then send a request that matches that rule. The command 'tmsh show ltm policy' shows that the action failed, but the connection hangs until timeout.

Impact:
When an LTM policy action fails, affected connections hang until they time out.

Workaround:
This issue has no workaround at this time.

Fix:
When an LTM policy action fails, the affected connection no longer hangs until timeout, but rather gets reset immediately.


475650-5 : The TMM may restart when processing single logout (SLO) messages.

Component: Access Policy Manager

Symptoms:
The BIG-IP system is configured as an IdP and is processing an SLO message from an SP. Due to an internal error, SAML metadata can become corrupted, causing TMM to restart.

Conditions:
Internal processing error.

Impact:
The TMM restarts.

Workaround:
To work around this issue, disable SLO on the BIG-IP system.

Fix:
The issue that caused TMM to occasionally restart when processing SLO messages is fixed.


475647-2 : VIPRION Host PIC firmware version 7.02 update

Component: TMOS

Symptoms:
Part numbers of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00) are not correctly reported.

Conditions:
Affects VIPRION B4300 series blades.

Impact:
Features of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00) may not be properly supported by the BIG-IP software.

Workaround:
None.

Fix:
VIPRION Host PIC firmware version 7.02 update now supports all expected BIG-IP software features on VIPRION B4300 blades.


475592-2 : Per-core and system CPU usage graphs do not match

Component: TMOS

Symptoms:
There are discrepancies between the per-core CPU usage graphs and the system CPU usage graph.

Conditions:
Normal running conditions.

Impact:
The system does not report the actual CPU usage. In some places the per-core usage is high while the system usage does not reflect that, and in other places the system usage is high, while the per-core usage is flat.

Fix:
System now reports matching CPU usage in the per-core CPU usage graphs and the system CPU usage graph.


475551-1 : Flaw in CSRF protection mechanism

Component: Application Security Manager

Symptoms:
Flaw in Cross-site request forgery (CSRF) protection mechanism.

Conditions:
CSRF protection is configured.

Impact:
Flaw in Cross-site request forgery (CSRF) protection mechanism.

Workaround:
None.

Fix:
Internal testing found and resolved a flaw in the CSRF protection mechanism.


475549-3 : Input handling error in GTM GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Certain input sequences are not processed correctly in the GTM WebUI.

Conditions:
GTM provisioned

Impact:
Incorrect output from GTM UI web pages.

Fix:
Input is now correctly processed in the GTM WebUI.


475505-6 : Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.

Component: Access Policy Manager

Symptoms:
Windows Phone 8.1 built-in browser is not properly detected by the BIG-IP system.

Conditions:
Windows Phone 8.1 built-in browser.

Impact:
Built-in browser is not properly detected.

Fix:
Microsoft Windows Phone 8.1 built-in browser is now properly detected by the BIG-IP system.


475439-1 : Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash

Component: Application Visibility and Reporting

Symptoms:
There is a synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash.

Conditions:
AVR is provisioned, or statistics are being reported.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
We fixed a synchronization problem in AVR lookups that sometimes caused TMM and other daemons, such as the Enforcer, to crash.


475408-1 : SSL persistence profile does not find the server certificate.

Component: Local Traffic Manager

Symptoms:
When an SSL record is constructed in a certain way, the SSL persistence code might not detect the server certificate.

Conditions:
SSL persistence profile is configured.

Impact:
Loss of SSL persistence functionality.

Workaround:
None.

Fix:
SSL now correctly parses the handshake records.


475403-2 : Tunnel reconnect with v2.02 does not occur

Component: Access Policy Manager

Symptoms:
Tunnel reconnect does not happen when DTLS is enabled.

Conditions:
Configure an SSL profile.
Enable DTLS in the Network Access (NA) resource.
Establish an NA connection from the device.

Impact:
Reconnect does not happen.

Workaround:
N/A

Fix:
A HelloRequest is now retransmitted if it is not answered by a ClientHello.


475363-6 : NTLM handling might not work as expected with an empty or invalid configuration, or during an exception.

Component: Access Policy Manager

Symptoms:
When the system encounters an empty or invalid NTLM configuration, or an exception occurs during NTLM processing, handling might not work as expected.

Conditions:
Empty DC list configured in the NTLM configuration.

Impact:
NTLM authentication won't work correctly.

Workaround:
Fix the configuration: make sure that the DC list is not empty.

Fix:
The ECA data plane has been updated with additional hardening against an empty configuration.


475360-6 : Edge client remembers specific virtual server URI after it is redirected

Component: Access Policy Manager

Symptoms:
When the client is redirected with an HTTP 302, either from an access policy or from an iRule, it remembers the URL of the server it was redirected to, even after a hard disconnect.

Impact:
Certain configurations in which the APM server is selected based on the location (or other attributes) of the client will not work as intended, and the user will continue to use the same APM server that was used the first time.

Workaround:
Restart edge client and connect again.

Fix:
Resolved issue when BIG-IP Edge Client remembers a specific virtual server URI after it is redirected.


475322-2 : cur_conns number different in tmstat and snmp output.

Component: Local Traffic Manager

Symptoms:
The current connections (cur_conns) number differs between tmstat and SNMP output.

Conditions:
This problem occurs when MPTCP is used.

Impact:
Incorrect cur_conns counting when using MPTCP.

Workaround:
None.

Fix:
The discrepancies in current connections (cur_conns) between tmstat and SNMP have been corrected.


475262-1 : In some cases Edge Client for Windows does not re-resolve server hostname while reconnecting

Component: Access Policy Manager

Symptoms:
If BIG-IP Edge Client for Windows connects to APM server using FQDN, it does not re-resolve the server hostname while reconnecting.

In failover scenarios where one APM server goes down, Edge Client will continually try to connect to the non-existent IP of the APM server that went down and will not switch over to the next APM server.

Conditions:
The problem occurs under these conditions:
1. Edge Client is connected to the APM server using an FQDN, and
2. More than one APM server is configured, and a GTM or another DNS server is used for failing over.

Impact:
The client does not re-resolve the server hostname while reconnecting and needs to be restarted to successfully connect again.

Workaround:
To work around the problem, restart Edge Client and connect again.

Fix:
Resolved the issue in which, when the APM server is configured with a URL (https://....), BIG-IP Edge Client for Windows did not re-resolve the APM hostname while reconnecting.


475231-5 : TCP::close in CLIENTSSL_CLIENTCERT iRule event may result in tmm crash

Component: Local Traffic Manager

Symptoms:
TCP::close in CLIENTSSL_CLIENTCERT iRule event may cause tmm to crash.

Conditions:
This occurs when TCP::close is called within a CLIENTSSL_CLIENTCERT iRule event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Fix:
Connection remains open after dispatching CLIENTSSL_CLIENTCERT iRule event, which prevents accessing invalid memory.


475163-5 : Submitting an HTML form that does not have an action attribute results in a 404 error and 'null' in the request URL.

Component: Access Policy Manager

Symptoms:
The result of submitting an HTML form that does not have an action attribute is a 404 error and 'null' in the request URL.

Conditions:
The form tag does not have an action attribute.

Impact:
Form cannot be submitted.

Workaround:
Add attribute "action=''" into the HTML form tag, either by modifying the source or by using an iRule.

Fix:
Now HTML forms without action attribute are handled correctly.


475148-1 : Microsoft RDP Client for Mac OS X ver. 8.0.9 does not work correctly with BIG-IP APM.

Component: Access Policy Manager

Symptoms:
Microsoft RDP Client for Mac OS X ver. 8.0.9 does not work correctly with BIG-IP APM.

Conditions:
Using Microsoft RDP Client for Mac OS X ver. 8.0.9.

Impact:
The client does not work correctly with BIG-IP APM.

Workaround:
None.

Fix:
Microsoft RDP Client for Mac OS X ver. 8.0.9 now correctly works with BIG-IP APM.


475143 : CATEGORY::filetype command may cause tmm to crash and restart

Component: Access Policy Manager

Symptoms:
If an iRule uses the CATEGORY::filetype command, tmm may eventually fail and restart.

Conditions:
A bug in the implementation of CATEGORY::filetype iRule command triggers undefined behavior, leading to tmm crash and restart.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The errant code was corrected to remove the undefined behavior.


475135-1 : BIG-IP goes offline after time change

Component: Application Security Manager

Symptoms:
BIG-IP goes offline after the time changes backward.

Conditions:
Time changed.
ASM or FPS was just provisioned.

Impact:
Box is offline.

Workaround:
Restart the datasyncd daemon.

Fix:
We fixed a problem where the system would become OFFLINE when moving the system time backwards soon after provisioning ASM or FPS.


475092 : Viewing DNS::Zones:Zones:Zones List:Statistics in the GUI generates error.

Component: Global Traffic Manager (DNS)

Symptoms:
DNS::Zones:Zones:Zones List:Statistics shows the error 'An error has occurred while trying to process your request'.

Conditions:
Viewing DNSX zone status through the GUI.

Impact:
Cannot view statistics for DNSX Zones.

Workaround:
Use tmsh instead.

Fix:
No error occurs while navigating to DNS::Zones:Zones:Zones List:Statistics.


475055-3 : Core caused by incorrect accounting of I/O flows

Component: Local Traffic Manager

Symptoms:
I/O flows for the Cavium Nitrox are not always added to the count, but are always subtracted, causing an imbalance.

Conditions:
This occurs only on platforms using the Cavium Nitrox chip.

Impact:
Incorrect accounting allowed the number of flows to drop below zero, triggering an assert and a core.

Fix:
Resolved the core caused by the accounting miscalculation of Nitrox I/O flows.


475049-1 : Missing validation of disallowing empty DC configuration list

Component: Access Policy Manager

Symptoms:
The NTLM authentication feature requires at least one Domain Controller to be specified in the NTLM Auth Configuration Domain Controller FQDN list. This is by design, to prevent unwanted load on the server, because NTLM authentication is performed on a per-connection basis. There is no DC autodiscovery mechanism implemented for NTLM authentication, by design. To enable the feature, the administrator must specify particular servers. Leaving this list empty caused unexpected behavior, in which authentication is not performed and yet is considered a success.

The configuration of the Domain Controller for an NTLM authentication configuration is different from the configuration of the Domain Controller for an NTLM machine account. For the NTLM machine account, the BIG-IP system can automatically discover one of the available DCs using DNS method or the administrator can specify a DC.

We are asking administrators to specify at least one Domain Controller for NTLM Auth configurations in the Domain Controller FQDN list.

Conditions:
The Domain Controller configuration is allowed to be empty, which is both incorrect and unsupported.

Impact:
The system misbehaves with this incorrect and unsupported configuration, and no authentication is performed.

Fix:
In this release, the Domain Controller (DC) fully qualified domain name (FQDN) list for an NTLM Auth Configuration is mandatory.
Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh.
In tmsh, you can add the following line (dc-fqdn-list { <fqdn> }) to each NTLM auth configuration, as shown in this example:
apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { dc01.example.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}
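An added pre-upgrade check (not F5 code) that parses the 'apm ntlm ntlm-auth <name> { ... }' text form tmsh prints, as shown above, and reports every NTLM Auth Configuration whose dc-fqdn-list is empty or absent. The three objects in the sample output are constructed, and the suggested remediation command assumes the generic tmsh 'replace-all-with' list syntax applies to this property.

```python
"""Added pre-upgrade check for 475049-1 (not F5 code): flag NTLM Auth
Configurations whose Domain Controller FQDN list is empty, which this release
now rejects. Parses the 'apm ntlm ntlm-auth <name> { ... }' text that tmsh
prints; the sample below is constructed."""
import re
import sys
from typing import Dict, List

# Constructed sample of tmsh output: one valid object, one with an empty list,
# and one with the property absent (treated the same as empty).
SAMPLE_TMSH_OUTPUT = """\
apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { dc01.example.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}
apm ntlm ntlm-auth ntlm_empty {
    app-service none
    dc-fqdn-list { }
    machine-account-name mdc1
    partition Common
    service-id 3
}
apm ntlm ntlm-auth ntlm_missing {
    app-service none
    machine-account-name mdc2
    partition Common
    service-id 4
}
"""

# One object: header line, then body up to a '}' at the start of a line.
OBJECT_RE = re.compile(r"^apm ntlm ntlm-auth (\S+) \{\n(.*?)^\}", re.M | re.S)
# The dc-fqdn-list property; its braces may span several lines.
DC_LIST_RE = re.compile(r"^\s*dc-fqdn-list \{(.*?)\}", re.M | re.S)


def parse_ntlm_auth_objects(text: str) -> Dict[str, List[str]]:
    """Map each ntlm-auth object name to its DC FQDNs ([] if empty or absent)."""
    objects: Dict[str, List[str]] = {}
    for match in OBJECT_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        dc = DC_LIST_RE.search(body)
        objects[name] = dc.group(1).split() if dc else []
    return objects


def find_invalid_ntlm_auth(text: str) -> List[str]:
    """Names of objects that would fail the new mandatory-DC validation."""
    return sorted(name for name, dcs in parse_ntlm_auth_objects(text).items()
                  if not dcs)


def suggest_fix(name: str, fqdn: str) -> str:
    """Remediation command. Assumption: the generic tmsh list syntax
    'replace-all-with { ... }' applies to dc-fqdn-list."""
    return (f"tmsh modify apm ntlm ntlm-auth {name} "
            f"dc-fqdn-list replace-all-with {{ {fqdn} }}")


if __name__ == "__main__":
    # Pipe real output in ('tmsh list apm ntlm ntlm-auth | python3 check.py'),
    # or run with no piped input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TMSH_OUTPUT
    bad = find_invalid_ntlm_auth(text)
    for name in bad:
        print(f"{name}: dc-fqdn-list is empty; e.g. "
              f"{suggest_fix(name, 'dc01.example.com')}")
    sys.exit(1 if bad else 0)
```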


474974-3 : Fix ssl_profile nref counter problem.

Component: Local Traffic Manager

Symptoms:
ssl_profile memory leak.

Conditions:
This occurs after several iterations of the following steps:
(1) Create ssl_profiles
(2) Use ssl_profiles to complete a number of handshake operations.
(3) Delete ssl_profiles.

Impact:
ssl_profile memory leak.

Workaround:
None.

Fix:
ssl_profile no longer leaks memory when creating and deleting a number of profiles that have completed handshake operations.


474896-1 : Remote logs without attack ID and mitigation fields

Component: Advanced Firewall Manager

Symptoms:
Sometimes customers are getting empty values within dos_attack_id and dos_mitigation_action fields in the remote logger.

Conditions:
When proactive mitigation is turned on, attack logs are issued even when no attack is occurring.

Impact:
Sometimes customers are getting empty values within dos_attack_id and dos_mitigation_action fields in the remote logger.

Workaround:
This issue has no workaround at this time.

Fix:
DoS for Application Security now reports suspicious entities only if the application is under attack, or as part of proactive mitigation. DoS for Application Security no longer reports suspicious entities if an attack has not occurred, because this led to logs with empty attack IDs and blank mitigation methods.


474779-1 : EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.

Component: Access Policy Manager

Symptoms:
On EAM process initialization, the plugin is unable to register a thread (MPI channel) with TMM on rare occasions. A subsequent system call to end the process fails.

Conditions:
Unknown.

Impact:
EAM plugin is up but the access gates are not initialized correctly.

Workaround:
Establish a connection to the OAM server.
bigstart stop eam
Clear config.cache from each access gate by deleting /config/aaa/oam/<partition_name>/<aaa_oam_obj_name>/<accessgate_name>/config.cache from the command line.
bigstart restart eam

Fix:
EAM plugin initialization is fixed; plugin registration with the TMM process no longer fails.


474757-15 : OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507, OpenSSL vulnerability CVE-2014-3508, OpenSSL vulnerability CVE-2014-3510, TLS vulnerability CVE-2014-3511.

Vulnerability Solution Article: K15573


474751-1 : IKEv1 daemon crashes when flushing SAs

Component: TMOS

Symptoms:
The IKEv1 daemon (racoon) may occasionally crash because of freeing a null pointer when the IKEv1 negotiation data is flushed.

Conditions:
The IKEv1 security associations are flushed by user-issued commands.

Impact:
IKEv1 daemon (racoon) crashes and restarts, losing unrelated but useful state information. IKEv1 daemon (racoon) can re-establish security associations on demand by user traffic.

Workaround:
None.

Fix:
A safety check in the memory management function prevents the erroneous free. The crash is no longer seen.


474730-5 : Incorrect handling of form if it contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with absolute path in the action is handled incorrectly in Internet Explorer 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions: an HTML form with an absolute action path; a tag with id=action inside this form; IE7-9.

Impact:
The web application cannot work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Now forms with absolute action path and tag with id=action inside are handled correctly.


474698-2 : BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.

Component: Access Policy Manager

Symptoms:
When a client initiates Single Logout (SLO) on the BIG-IP system acting as an IdP that is associated with multiple SP connectors, the IdP sends an SLO request message to each SP to which the user has connected within this session.

If the user has connected to multiple SPs (bound to different IdPs) within the same session, the SLO messages are sent with an 'Issuer' element referencing the name of the last IdP service the user accessed.

Conditions:
This issue occurs when:
1. BIG-IP is configured as an IdP.
2. BIG-IP has more than one IdP configuration object.
3. The IdP objects are assigned as resources to the same access policy.
4. Each IdP configuration is bound to at least one SP connector.
5. The client initiates SLO on the IdP.

Impact:
Impact is based on recipient of the message. Recipient (SP) may reject the SLO request, or process it successfully based on implementation.

Workaround:
Disable SLO on BIG-IP.


474638-1 : PEM: Session policy list may be lost if there is an radius update of custom attributes

Component: Policy Enforcement Manager

Symptoms:
If a RADIUS update is received for a session and an iRule is triggered to create or update custom attributes, the session may lose its provisioned policies.

Conditions:
A PEM iRule on the RADIUS profile updates custom attributes.

Impact:
No proper policing of session.

Fix:
Creating or updating a custom attribute no longer harms the policy list.


474613-1 : Upgrading from previous versions

Component: Application Visibility and Reporting

Symptoms:
Configuration upgrade from versions 11.2, 11.1, or 11.0 fails when two analytics profiles on different partitions are configured with the same remote login server IP address.

Conditions:
Upgrading from versions 11.2, 11.1, or 11.0 when two analytics profiles on different partitions are configured with the same remote login server IP address.

Impact:
Upgrade process fails.

Workaround:
Remove the external logging configuration on the source partition, upgrade, and then restore the configuration as needed.

Fix:
Configuration upgrade from versions 11.2, 11.1, or 11.0 now succeeds and works correctly even when two analytics profiles on different partitions are configured with the same remote login server IP address.


474601-5 : FTP connections are being offloaded to ePVA

Component: Local Traffic Manager

Symptoms:
FTP connections are offloaded to the embedded Packet Velocity Acceleration (ePVA) hardware chip.

Conditions:
A SNAT listener is used.

Impact:
FTP data connections fail due to lack of translation in PORT commands.

Workaround:
Use FTP virtual instead of SNAT listener.

Fix:
FTP connections are no longer offloaded to ePVA hardware when traversing a SNAT listener.


474584-2 : igbvf driver leaks xfrags when partial jumbo frame received

Component: Local Traffic Manager

Symptoms:
On platforms utilizing the igbvf driver, xfrags can be leaked if a partial jumbo frame is received.

Conditions:
On platforms utilizing the igbvf driver, xfrags can be leaked if a partial jumbo frame is received.

Impact:
TMM memory usage increases over time and eventually TMM crashes due to lack of memory.

Workaround:
None.

Fix:
The igbvf driver no longer leaks xfrags when a partial jumbo frame is received.


474582-3 : Add timestamps to logstatd logs for Policy Sync

Component: Access Policy Manager

Symptoms:
Log messages in /var/tmp/logstatd.log used for Policy Sync do not have timestamps, which makes troubleshooting very difficult.

Conditions:
Run Policy Sync.

Impact:
Serviceability: logstatd.log entries used for Policy Sync do not have timestamps.

Workaround:
None.

Fix:
A timestamp is now prepended to each log message line in logstatd.log for Policy Sync.


474532-5 : TMM may restart when SLO response is received on SLO request URL (.../post/sls)

Component: Access Policy Manager

Symptoms:
The BIG-IP system expects to receive SLO responses on a particular URL:
(.../post/slr). TMM may restart when SLO response is received on an SLO request URL (.../post/sls).

Conditions:
The BIG-IP system is configured as SAML SP or IdP.
SLO response is received on SLO request URL.

Impact:
TMM reboots and is temporarily unavailable.

Workaround:
There are two workarounds:

1. Reconfigure another SAML party to send SLO messages to a proper URL.
2. Disable SLO.

Fix:
Validation was added to check that the correct message type is received on each URL. Logging was added for failing cases.


474469 : Identical source integrity alerts are present.

Component: Fraud Protection Services

Symptoms:
Unnecessary alerts are sent when the same protected page is requested by an end user.

Conditions:
This occurs when source integrity URLs are configured and the user refreshes the page.

Impact:
Unnecessary alerts are sent, cluttering the alert dashboard.

Workaround:
None.

Fix:
Repeating identical alerts are now prevented.


474465-3 : Analysis processes appear to use high CPU though not affecting data plane

Component: Application Visibility and Reporting

Symptoms:
The average system CPU usage and the busiest CPU in the dashboard can appear to be exceptionally high when a module with dedicated analysis processes like AVR is being used. These processes have dedicated resources so they do not impact the resources used by the critical data plane, so the high CPU usage is misleading.

Conditions:
A module such as AVR that has dedicated analysis processes must be provisioned.

Impact:
The system CPU usage and busiest CPU appear to be higher than expected.

Workaround:
The workaround is to examine the detailed per-CPU graphs and note that the high CPU usage is limited to the analysis processor, which is the CPU with the highest number on a BIG-IP appliance.

Fix:
Average system CPU and busiest CPU calculation is now based on the critical data plane processing.

Behavior Change:
Average system CPU and busiest CPU calculation is now based on the critical data plane processing.


474445-2 : TMM crash when processing unexpected HTTP response in WAM

Component: WebAccelerator

Symptoms:
TMM crash when processing unexpected HTTP response in WAM

Conditions:
This occurs when all three of the following conditions are met:
-- WAM is enabled on the virtual server.
-- WAM is disabled during the request phase.
-- WAM is enabled during the response phase.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not disable WAM during request processing unless it will also be disabled during response processing. If WAM is disabled, close the connection after the response with HTTP::Close to ensure it cannot be used for future requests.

Fix:
TMM no longer crashes when processing unexpected HTTP response in WAM.


474430-1 : Rare issue: client session might not be restored by fingerprint in the Web Scraping mitigation.

Component: Application Security Manager

Symptoms:
It is possible for a user to restart the ASM session in a rare case.

Conditions:
There are JavaScript obfuscation changes.

Impact:
Clients can bypass web scraping violations.

Workaround:
N/A

Fix:
We fixed a rare problem in the Web Scraping mitigation, where a client session would not be restored by fingerprint.


474392-1 : OS X 10.10 Yosemite support

Component: Access Policy Manager

Symptoms:
OS X 10.10 Yosemite support does not exist. Components are not signed with version 2 signatures.

Conditions:
OS X Yosemite, Mac Edge Client components signed with version 1 signatures.

Impact:
Gatekeeper might throw warnings.

Fix:
Code signing of executables (app, plugin and installer) has been updated to Apple's latest (v2) signature requirement.


474388-3 : TMM restart, SIGSEGV messages, and core

Component: Local Traffic Manager

Symptoms:
Certain conditions might produce error messages similar to the following in the core file/tmm.log:
-- RVAvpBigIP01 notice RIP=0x8cc872
-- RVAvpBigIP01 notice session_process_pending_event_callback ERROR: could not send callback to 192.168.96.27:50441 - 192.168.96.28:443 ERR_NOT_FOUND.

Conditions:
This occurs because of a race condition, for example, one between the HTTP and APM-related profiles during which an APM-profile-related action completes after the HTTP-profile closes the connection.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The race condition that occurred has been fixed, so no APM-profile-related actions complete after the HTTP-profile closes the connection.


474356-1 : Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain

Component: Local Traffic Manager

Symptoms:
Client SSL configurations on a partition other than /Common do not load if there is no key/cert or inherit-certkeychain.

Conditions:
This occurs when the following conditions are met:
1. There is a configuration in a folder/partition other than /Common.
2. crypto-server-default-clientssl, or another clientssl profile, has no key/cert or inherit-certkeychain configured.

Impact:
Cannot load configuration or UCS.

Workaround:
To work around this, complete the following steps:

1. Modify /defaults/profile_base.conf and /config/profile_base.conf:
config # vim /defaults/profile_base.conf
config # vim /config/profile_base.conf

Locate crypto-server-default-clientssl and add the key/cert-related configuration to it. Specifically, change the profile information to match the following:

ltm profile client-ssl crypto-server-default-clientssl {
    defaults-from /Common/clientssl
    cert-key-chain {
        default {
            cert /Common/default.crt
            chain none
            key /Common/default.key
            passphrase none
        }
    }
    cert /Common/default.crt
    chain none
    key /Common/default.key
    passphrase none
    inherit-certkeychain true
    ciphers DHE-RSA-AES256-GCM-SHA384
    renegotiate-period 21600
    cache-size 0
}
2. For clientssl other than crypto-server-default-clientssl, make sure key/cert and/or inherit-certkeychain is set.

3. Load the configuration by running the command: tmsh load sys conf

Fix:
Client SSL configurations on a partition other than /Common now have a default key/cert and inherit-certkeychain, so the configuration loads correctly.


474323 : ePVA IPv6 feature is not available

Component: TMOS

Symptoms:
IPv6 full hardware acceleration with ePVA feature is disabled. An issue was uncovered in the 2.3.x bitstream that results in Flow Status Updates (FSUs) due to a collision eviction being corrupted in certain cases. This occurs when the flow cache entry being evicted and the incoming snoop are different sizes. In the 2.3.x bitstream design, the IPv4 and SYN VIP flow cache entries and snoops are the same size, and the IPv6 flow cache entries and snoops are larger than IPv4/SYN VIP. There are no FSU-related issues when a cache entry is evicted due to a collision by a same size snoop, and there are no issues when an eviction is explicitly requested by software via the evict opcode.

Conditions:
VIPRION B2250 blade with ePVA acceleration, IPv6.

Impact:
Cannot enable full acceleration for an IPv6 VIP.

Workaround:
None.

Fix:
ePVA IPv6 feature is now available in this release.


474252-1 : Applying ASM security policy repeatedly fills disk partition on a chassis

Component: Application Security Manager

Symptoms:
Applying ASM security policy repeatedly on a chassis will cause /var disk partition to fill.

Conditions:
ASM security policy is applied repeatedly on a chassis.

Impact:
/var disk partition is filled.

Workaround:
Delete the contents of /var/ts/var/cluster/send.

Fix:
An ASM security policy can be repeatedly applied on a chassis without filling the disk partition.


474251-1 : IP addresses are not properly cleaned from lookup tables, so there might be no room for new IP addresses to be collected.

Component: Application Visibility and Reporting

Symptoms:
IP addresses are not properly cleaned from lookup tables, so there might be no room for new IP addresses to be collected.

System might post many messages in the avrd log, including ones similar to the following:

-- AVRDATA_QUERY|WARNING|... lib/avrdata/query/http_main_query.c:0547| HTTP Main, got an entity with invalid key: 2, 3, 0
-- AVRDATA_QUERY|WARNING|... lib/avrdata/query/http_main_query.c:0841| Skip the entity with invalid key

Conditions:
This occurs when AVR is in use and the system becomes idle after performing IP lookups on traffic.

Impact:
New IP addresses might not be collected. It is possible that AVR statistics could be incorrect, or could fail to report any statistics.

Workaround:
None.

Fix:
IP addresses are now properly cleaned from lookup tables, making room so new IP addresses can be collected.


474231-5 : RAM cache eviction spikes with change of access policy, which may lead to slow webtop rendering

Component: Access Policy Manager

Symptoms:
When there is a high load on the system and a user changes an access policy, it can lead to slow rendering of the webtop or the access page.

Conditions:
This issue occurs when there is a high load with change of access policy around that time.

Impact:
The impact of this issue is slow webtop/access page rendering.

Workaround:
This issue has no workaround at this time.

Fix:
Access policy changes are handled gracefully.


474226-2 : LB_FAILED may not be triggered if persistence member is down

Component: Local Traffic Manager

Symptoms:
LB_FAILED may not be triggered if persistence member is down.

Conditions:
This occurs when the following conditions exist:
-- The incoming connection has a cookie matching a persistence entry.
-- The persisted pool member has been marked down.
-- No other pool members are available.

Impact:
Cannot utilize LB::reselect command.

Workaround:
None.

Fix:
LB_FAILED event is correctly triggered when persistence pool member is not available or offline.


474172 : BIG-IQ at times cannot discover BIG-IP running TMOS 11.6.0 - 11.6.0 HF3, failure reason: Failed getting time zone.

Component: TMOS

Symptoms:
A BIG-IQ attempt to obtain the BIG-IP provisioning state using the REST API (GET request over HTTP/HTTPS) fails because the forwarder that services the requests is not available.

Conditions:
Any BIG-IQ GET request, e.g., to obtain the provisioning state of the BIG-IP. This occurs with versions 11.6.0 - 11.6.0 HF3 only.

Impact:
Any script using the REST API to manage the BIG-IP, or a BIG-IQ attempting to manage the BIG-IP, fails.

Workaround:
Run the following two commands sequentially:
bigstart restart restjavad
bigstart restart icrd

Fix:
Improved TMOS 11.6.0 - 11.6.0 HF3 handling of GET commands from BIG-IQ to BIG-IP systems.


474166-4 : ConfigSync operation failing with rarely occurring sFlow error

Component: TMOS

Symptoms:
An sFlow error might rarely occur during sync of a device.

Conditions:
This might occur when modifying an iApp (especially when deleting) and then attempting a sync operation.

Impact:
Sync operation might fail. This occurs rarely. When this occurs, the system posts a message similar to the following: 'Can't save/checkpoint DB object, class:sflow_http_virtual_data_source status:13'

Workaround:
Use any method of forcing a sync, such as set-sync-leader, and electing to overwrite files. For more information, see SOL13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation, available here https://support.f5.com/kb/en-us/solutions/public/13000/800/sol13887.html.

Fix:
The ConfigSync operation completes successfully, and the sFlow error no longer occurs.


474058-5 : When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions.

Conditions:
This issue occurs when the BIG-IP system is configured as a SAML Service Provider and BIG-IP receives a signed assertion that contains empty "Reference URI" in Signature element.

Impact:
The impact of this issue is that APD restarts.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed issues that caused APD to restart when the BIG-IP system is configured as a SAML Service Provider and BIG-IP receives a signed assertion that contains an empty Reference URI in the Signature element.


474002-4 : Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys

Component: Local Traffic Manager

Symptoms:
If a BIG-IP virtual server is configured with a Server SSL profile, and a pool member or server selects a DHE-based ciphersuite (e.g. DHE-RSA-AES128-SHA), the BIG-IP system might not successfully complete an SSL handshake with the server.

Conditions:
This occurs when the following conditions exist:
-- HTTPS pool member or server.
-- Virtual server with a Server SSL profile.
-- Server is configured with 2048-bit or larger Diffie-Hellman keys.

Impact:
Traffic to affected pool members fails, although the pool members are marked up by HTTPS monitors.

Workaround:
Either disable the use of ephemeral Diffie-Hellman (DHE) key exchange on the backend servers, select a smaller set of DH parameters on the backend servers, or disable DHE ciphersuites in affected virtual servers' Server SSL profiles.

Fix:
The BIG-IP system now successfully completes an SSL handshake with a server that is using Diffie-Hellman parameters of 2048 bits or larger.


473772 : SNMP reports the incorrect product name for the BIG-IP 10350 NEBS platform.

Component: TMOS

Symptoms:
SNMP reports the incorrect product name for the BIG-IP 10350 NEBS platform.

Conditions:
This occurs when using SNMP to report the BIG-IP 10350 NEBS platform name when running 11.6.0 HF2.

Impact:
SNMP reports the incorrect platform name: BIG-IP 10050N, instead of the correct platform name: BIG-IP 10350N.

Workaround:
Use TMSH to view the correct platform name.

Fix:
SNMP now reports the correct product name for the BIG-IP 10350 NEBS platform.


473771 : No URL path in the Browser Automation alert

Component: Fraud Protection Services

Symptoms:
Vtoken alerts are sent without the protected URL path in alert payload. This impacts alerts analysis, since it is impossible to determine the origin URL of the alert.

Conditions:
1. Automatic transactions enabled on a URL.
2. Automatic transaction alert is generated.

Impact:
No URL path in the Browser Automation alert. This makes vtoken alerts analysis difficult and more time consuming.

Workaround:
None.

Fix:
Fixed the client_request_uri so there is now a URL path in the Browser Automation alert.


473759-1 : Unrecognized DNS records can cause mcpd to core during a DNS cache query

Component: Local Traffic Manager

Symptoms:
mcpd cores during a DNS cache record query if a DNS record with an unknown type is in the cache. mcpd attempts to translate the record's type into a text string, but ends up with a NULL pointer instead.

Conditions:
A DNS record with a type unknown by mcpd must exist in the DNS cache during the query.

Impact:
mcpd cores, causing either a failover (if there is a standby unit) or an outage while mcpd restarts (if there is no standby unit).

Fix:
Unrecognized DNS records no longer cause mcpd to core during a DNS cache query.


473728-3 : Incorrect HTML form handling.

Component: Access Policy Manager

Symptoms:
If one of the HTML forms on a page is added dynamically, it is possible that other forms cannot be submitted via portal access.

Conditions:
- An HTML form is added dynamically.
- Another form on the same page has an absolute action path.

Impact:
Action path may be rewritten incorrectly and the form cannot be submitted.

Workaround:
None.

Fix:
An absolute action path for any form in an HTML page is now rewritten correctly at submit time.


473697-6 : HD Encryption check should provide an option to choose drive

Component: Access Policy Manager

Symptoms:
The HD Encryption check only allows the administrator to check the encryption status of all drives on the system, including temporary drives such as USB. There is no way for the administrator to check the encryption status of only the system drive.

Conditions:
APM, HD encryption check, and Edge client

Impact:
Cannot check encryption status of only the system drive.

Workaround:
None.

Fix:
HD Encryption check now provides a way to check encryption status of all drives or system drive only.


473685-1 : Websso truncates cookie domain value

Component: Access Policy Manager

Symptoms:
Cookies assigned during back-end authentication may not be returned to back-end servers. The failure occurs only when the Set-Cookie header contains a domain attribute whose value begins with a dot.

Conditions:
401 response from a back end has Set-Cookie headers containing domain assignments that begin with a dot.

Impact:
Applications protected by the above authorization may not work.

Workaround:
An iRule can be used to catch the 401 response. If it contains one or more Set-Cookie headers, check each for a domain attribute. Remove the initial dot in the domain value, if present.

Fix:
WebSSO processes domain fields in Set-Cookie headers correctly.


473680-1 : Multiple DHCP solicit packets may not succeed.

Component: Policy Enforcement Manager

Symptoms:
Some DHCP solicit packets might be dropped.

Conditions:
If the same server flow is used for multiple requests, only one of them succeeds; the other requests may never succeed, because they are dropped by the BIG-IP system.

Impact:
The assignment of an address to an end node may be delayed as some DHCP Solicit packets might be discarded.

Workaround:
None.

Fix:
In this release, multiple requests succeed using a single server flow, and the system sends the response back to the client using the original connflow.


473641-1 : Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak

Component: TMOS

Symptoms:
For VXLAN tunnels with flooding type "multipoint" or "none", if a tunnel FDB endpoint is missing from the configuration and that endpoint sends traffic to the BIG-IP, a memory leak can occur when the BIG-IP receives the traffic.

Conditions:
Missing a tunnel FDB endpoint in the configuration.

Impact:
Memory leak could occur.

Workaround:
Ensure that a tunnel FDB endpoint is configured if that endpoint is expected to send traffic to the BIG-IP.

Fix:
No memory leak occurs even if a tunnel FDB endpoint is missing in the configuration and that endpoint sends traffic to the BIG-IP.


473527-2 : IPsec interop problem when using AES-GCM.

Component: TMOS

Symptoms:
BIG-IP AES-GCM negotiation through IKEv2 does not accept the case of no integrity algorithm. This can happen with the tunnel configured to use AES-GCM.

Conditions:
When configuring an IPsec tunnel to use AES-GCM to interoperate between two BIG-IPs running versions 11.6 and 12.0, or configuring an IPsec tunnel on a BIG-IP running 11.6 to interoperate with another vendor using AES-GCM.

Impact:
The IPsec tunnel will not be established.

Workaround:
For BIG-IP only, ensure both sides of the tunnel are the same release level.

Fix:
An integrity algorithm is no longer included in the negotiation for AES-GCM.


473517-2 : 'OID not increasing error' during snmpwalk

Component: TMOS

Symptoms:
The following message appears when querying the SNMP ipCidrRouteTable: 'Error: OID not increasing: IP-FORWARD-MIB::ipCidrRouteDest.172.27.96.0.255.255.255.0.0.0.0.0.0 >= IP-FORWARD-MIB::ipCidrRouteDest.172.27.96.0.255.255.255.0.0.0.0.0.0'. Also, querying specifically for the ipCidrRouteAge OID under ipCidrRouteTable can cause snmpd to core.

Conditions:
This occurs when there are dual management routes in the default routing table, main. For example:

# ip route show table main / ip route show
...
172.27.96.0/24 dev eth0 proto kernel scope link src 172.27.96.18
172.27.96.0/24 dev eth0 scope link src 172.27.96.18 metric 9
...

Impact:
snmpwalk error and/or snmpd core.

Workaround:
Delete the duplicate route with metric 9: ip route del 172.27.96.0/24 dev eth0 scope link src 172.27.96.18 metric 9

Fix:
snmpwalk now finishes successfully without the 'OID not increasing' error, and snmpd no longer cores.


473488-6 : In AD Query agent, resolving of nested groups may cause apd to spin

Component: Access Policy Manager

Symptoms:
The access policy daemon (apd) sometimes consumes approximately 100% CPU and puts a heavy load on the network when resolving nested groups in AD Query. The AD Group Cache updates in a loop.

Conditions:
This issue occurs when the user belongs to a parent domain, and is a member of a group that belongs to a sub-domain.

For example, the user belongs to parent.com, the group belongs to child.parent.com, and the user is a member of the group. The "fetch nested groups" option is enabled for AD Query.

Impact:
The impact of this issue is that the user will be unable to resolve nested groups and unable to finish AD Query.

Workaround:
There is no workaround at this time.


473415-1 : ASM Standalone license has to include URL and HTML Rewrite

Component: TMOS

Symptoms:
After an upgrade to 11.6.0, the system now reports 'URI Translation (Not Licensed)', yet the license package has not changed. There was no issue when running 11.4.1 with an ASM Standalone license and using the URL Rewrite functionality with URI Translation (under Local Traffic :: Profiles :: Services :: Rewrite).

Conditions:
This occurs when the following conditions are met:
-- Running 11.6.0.
-- ASM Standalone license.
-- URL Rewrite functionality with URI Translation.

Impact:
An ASM Standalone license generated for 11.6.0 does not include ltm_rewrite_uri. Therefore, regardless of what is configured in a rewrite profile, the profile is inoperative when assigned to a virtual server.

Workaround:
None available.

Fix:
In this release, ltm_rewrite_html and ltm_rewrite_url are enabled when mod_asm is enabled, so the system functions as expected for URL Rewrite functionality with URI Translation operations.


473410-1 : Policy Diff on merging missing URLs

Component: Application Security Manager

Symptoms:
Policy Merge fails when trying to propagate a missing URL from one Security Policy to another.

Conditions:
Policy Diff is performed on two Security Policies and one has URLs defined that the other does not.

Impact:
Policy Merge fails.

Workaround:
None.

Fix:
Policy Diff no longer fails when trying to merge a missing URL to another security policy.


473409-1 : Route domain stats cannot be reset by using F5-BIGIP-LOCAL-MIB::ltmRouteDomainStatResetStats

Component: TMOS

Symptoms:
The operation does not reset the statistics.

Conditions:
Always.

Impact:
Stats are not reset.

Fix:
Added backend support, so this stat reset now works.


473386-4 : Improved Machine Certificate Checker matching criteria for FQDN case

Component: Access Policy Manager

Symptoms:
Machine cert check agent might fail if the certificate was issued with extended fields or to a domain machine.

Conditions:
This issue occurs when the machine is outside of domain and the certificate is issued to a domain machine.

Impact:
Machine cert check agent might fail on Mac OS X/Windows for machines currently outside of the domain.

Workaround:
This issue has no workaround at this time.

Fix:
Machine cert check agent matching criteria for FQDN has been improved.


473377-5 : BIG-IP as IdP may reject AuthnRequest with specific NameID format

Component: Access Policy Manager

Symptoms:
BIG-IP as IdP rejects the authentication request, stating InvalidNameID Policy, when the received authentication request contains the NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified".

Conditions:
BIG-IP is configured as an IdP.
Received authentication request contains NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" (Note SAML2.0).

Impact:
SAML Authentication request is rejected.

Workaround:
Reconfigure SAML SP to create AuthnRequest with either
1. The following NameID format
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
2. Empty NameID format

Fix:
Fixed to accept NameID format
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified


473348-6 : SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later

Component: TMOS

Symptoms:
The hbInterval determines the amount of time the snmpd daemon can wait for a response. Software versions 11.2.x use an hbInterval of 60 sec. Software versions 11.3.0 and later use an hbInterval of 300 sec.

Conditions:
When upgrading from version 11.2.x to version 11.3.0 or later.

Impact:
After upgrade, the hbInterval is still set to 60 sec and not set to 300 sec. An snmpd core is created.

Workaround:
Edit bigipTrafficMgmt.conf and set hbInterval value to 300 using the following procedure:
1. Run the command: bigstart stop snmpd.
2. Change the value of hbInterval in /config/snmp/bigipTrafficMgmt.conf and save the file.
3. Run the command: bigstart start snmpd.

Fix:
When upgrading from a release that did not have the hbInterval set to 300, the new release now has hbInterval set to 300.


473344-6 : Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Component: Access Policy Manager

Symptoms:
Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Conditions:
APM access policy is configured with Kerberos authentication and the attempted authentication session was initially created on a different VIP.

Impact:
Error occurs with no error message. The system should post an error message similar to the following: (Failure VIP Name): Kerberos Request-Based Auth failed because session was initially created on a different VIP (Original VIP Name). Please either disable RBA on the originating access profile, or remove the domain cookie.

Workaround:
Either disable RBA on the originating access profile, or remove the domain cookie.

Fix:
With the fix, APMD correctly handles the request for Kerberos Request-Based Auth, and posts the proper error message.


473255-3 : JavaScript submit() method could be rewritten incorrectly inside a 'with' statement.

Component: Access Policy Manager

Symptoms:
Portal Access could incorrectly rewrite the JavaScript submit() method if it is called in the scope of a 'with' statement without an explicit object reference.

Impact:
Form cannot be submitted from script on page.

Workaround:
Create an iRule which adds explicit object reference to submit() call.

Fix:
Fixed an issue where Portal Access could incorrectly rewrite a form submit initiated from Javascript.


473210 : Chassis Temperature Status not showing Nitrox3x3 temperatures

Component: TMOS

Symptoms:
On a system with Nitrox3x3 addon cards, the system hardware sensors don't include temperature readings for the Nitrox 3x3 sensors.

Conditions:
This occurs on BIG-IP 12050/12250 platforms.

Impact:
No information about the sensors on the Nitrox3x3 card is reported to the user.

Fix:
F5 support for new hardware platforms.


473200-2 : Renaming a virtual server causes unexpected configuration load failure

Component: TMOS

Symptoms:
Manually renaming a virtual server causes unexpected configuration load failure.

Conditions:
This occurs when all the following conditions are met:

-- The BIG-IP system configuration contains a virtual server that was renamed by editing bigip.conf manually.
-- The virtual server has an empty pool, or has a pool with pool members and a monitor.

Impact:
Cannot reload configuration. The system posts the following error:
01020056:3: Error computing object status for virtual_server broken (old_virtual_server_name). Unexpected Error: Loading configuration process failed.

Workaround:
Note: Traffic may be temporarily disrupted while the updated configuration loads.

Perform any one of the following:
-- Remove the pool assignment from the virtual before renaming.
-- Ensure the pool contains members before renaming. If the pool has a monitor, temporarily remove the monitor and add it back after renaming.

To load the updated configuration, after renaming, issue 'bigstart restart'.

Fix:
Manually editing the system configuration and renaming a virtual server with an empty pool no longer causes an unexpected error when reloading the configuration.


473163-2 : RAID disk failure and alert.conf log message mismatch results in no trap

Component: TMOS

Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.

Conditions:
This happens when there is a RAID disk failure and the definition of the RAID disk failure alert in alert.conf is similar to the following:

alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
   lcdwarn description="RAID disk failure." priority="3"
}

Impact:
The actual log message syntax matches the following: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' Because this does not match the alert.conf pattern, no SNMP trap is issued for the failing disk, and the LCD message is not displayed.

Workaround:
For information about configuring custom traps, see SOL3727: Configuring custom SNMP traps, available here: https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.

Fix:
RAID disk failure and alert.conf log message now match, so appropriate SNMP traps are now issued when a disk is failing.
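The mismatch above can be reproduced offline by running the alert.conf pattern quoted in this issue against the quoted kernel log line. This is an added example, not F5 code: the corrected pattern is an assumption used to show what a matching expression would need to accept, not the pattern shipped in the fix, and the extra log lines are constructed.

```python
import re

# Alert pattern exactly as quoted from alert.conf in this issue.
ALERT_CONF_PATTERN = r"raid[0-9]: Disk failure .*?"

# Assumed corrected pattern (not F5's actual fix): accepts the "md/raidN:mdNN:"
# prefix that the kernel's md driver emits before "Disk failure".
CORRECTED_PATTERN = r"md/raid[0-9]+:md[0-9]+: Disk failure .*"

# Constructed sample log lines. The first is the line quoted in the issue;
# the other two are made-up non-failure messages that must not fire the alert.
SAMPLE_LOG_LINES = [
    "alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.",
    "info kernel: md/raid1:md12: active with 2 out of 2 mirrors",
    "notice kernel: eth0: link up",
]


def matching_lines(pattern, lines):
    """Return the log lines an alert.conf-style regex would match.

    Assumes alertd applies the pattern as an unanchored regex search,
    which is what re.search does here.
    """
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def alert_fires(pattern, lines):
    """True if at least one line would trigger the alert (and thus the trap)."""
    return bool(matching_lines(pattern, lines))


if __name__ == "__main__":
    # The shipped pattern never fires on the real failure line, because
    # "raid1:" is followed by "md12:" rather than " Disk failure".
    print("alert.conf pattern fires:", alert_fires(ALERT_CONF_PATTERN, SAMPLE_LOG_LINES))
    print("corrected pattern fires: ", alert_fires(CORRECTED_PATTERN, SAMPLE_LOG_LINES))
    print("matched:", matching_lines(CORRECTED_PATTERN, SAMPLE_LOG_LINES))
```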


473129-5 : httpd_apm access_log remains empty after log rotation

Component: Access Policy Manager

Symptoms:
The /var/log/httpd/access_log file remains empty after log rotation.

Conditions:
At least one log rotation, which happens at 4:00 AM (system time) every day.

Impact:
access_log entries are missing.

Workaround:
"bigstart restart httpd_apm" must be part of the cronjob every day [around 4:30am] after log rotation.

Fix:
Logging to access_log continues after log rotation.


473105 : FastL4 connections reset with pva-acceleration set to guaranteed

Component: TMOS

Symptoms:
With 'pva-acceleration' set to 'guaranteed', the BIG-IP system can take up to five seconds to detect that one of either the client-side or server-side connections has not been offloaded to the ePVA hardware.

Conditions:
This occurs with 'pva-acceleration' set to 'guaranteed' and only one of client or server connections is offloaded to hardware.

Impact:
This results in the connection that has not been offloaded being reset five seconds after being established.

Workaround:
None.

Fix:
FastL4 connections are now handled correctly with pva-acceleration set to guaranteed, and are no longer reset.


473092-1 : Transparent Proxy + On-Demand Cert Auth will reset

Component: Access Policy Manager

Symptoms:
After evaluating the access policy with an on-demand cert auth agent, there will be a connection reset.

Conditions:
This issue occurs under these conditions: SWG Transparent Proxy with an On-Demand Cert Auth agent.

Impact:
The user is not redirected back to their original landing URI. However, in known reproductions the access policy has already completed, and been set to allow. Future requests from the user will be correctly proxied to the backend.

Workaround:
If on-demand cert auth is needed, there is no workaround.


473088-4 : Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile

Component: TMOS

Symptoms:
The BIG-IP system does not allow you to configure a virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile. If you attach a ClientSSL profile, however, the configuration is allowed, which is incorrect behavior.

Conditions:
Create a virtual server, add tcp, request-adapt, and one-connect profiles along with ClientSSL.

Impact:
This unsupported configuration might have many unknown side effects in TMM.

Workaround:
Do not configure a virtual server with one-connect and requestadapt or responseadapt profiles.

Fix:
Configurations of request-/response-adapt combined with one-connect along with ClientSSL profiles are now handled correctly.


473037-1 : BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP

Component: TMOS

Symptoms:
BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP. If multiple connections are attempted, the same port is computed.

Conditions:
This occurs on BIG-IP 2000/4000 platforms with SCTP configured.

Impact:
This causes 'Inet port collision' log errors, and the connection is terminated.

Workaround:
None.

Fix:
BIG-IP 2000/4000 platforms now support RSS with L4 data on SCTP.


473033-5 : Datastor Now Uses Syslog-ng

Component: TMOS

Symptoms:
Datastor did not use the normal syslog facility, causing some very rare disk full errors in /var/log.

Conditions:
When datastor is heavily overloaded or experiencing a traffic pattern that it was not designed for, it can generate copious notice messages to its log.

Because datastor writes directly to its log, log rotation may seem to work, but inadvertently leave a large, hidden file in /var/log.

Impact:
In very rare cases, this large hidden file may cause out-of-disk errors, preventing logging from occurring.

Workaround:
Log rotate can be configured to restart datastor if this becomes an issue.

Fix:
Datastor now uses syslog-ng.


472969-1 : If you try to create more than 264 AVR profiles, avrd might crash.

Component: Application Visibility and Reporting

Symptoms:
The maximum number of AVR profiles in the system is 264.
If you try to create more than 264 AVR profiles, avrd might crash.

Conditions:
Creating more than 264 AVR profiles

Impact:
avrd crashes.

Fix:
The maximum number of AVR profiles in the system is 264.
If you try to create more than 264 AVR profiles, MCP now generates the following message:
"Can't generate more than 264 AVR profiles", and the system will not create the profiles.


472944-3 : SMTPS race condition after STARTTLS may cause incorrect SMTP responses

Component: Local Traffic Manager

Symptoms:
After STARTTLS handshake, SMTP communication fails due to one of the following reasons:
  - BIG-IP system responses to SMTP client are not synchronized (that is, the responses do not match the requested commands).
  - SMTPS profile activation mode is 'require' and the BIG-IP system responds with '530 Must issue a STARTTLS command first'.

Conditions:
This occurs when the following conditions are met:
-- A virtual server is configured with an SMTPS profile.
-- After the STARTTLS handshake on the client side, and after the BIG-IP system has sent an RSET command to the SMTP server, the BIG-IP system receives a command (such as HELO or EHLO) from the SMTP client before it receives the RSET response from the SMTP server.

Impact:
SMTP communication using the SMTPS profile might not succeed. intermittently or consistently.

Fix:
SMTP commands received after STARTTLS are now correctly buffered by SMTPS profile until the SMTP server is ready to receive them.
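The buffering behavior described in the fix, modelled as an added example (not BIG-IP code): the class, its method names, the 'require'/'allow' mode names and the way replies are matched to commands are assumptions chosen to reproduce the two symptoms listed in this entry, not a description of how TMM implements the profile.

```python
"""Model of the SMTPS-profile race after STARTTLS (added example, not F5 code).

Topology: SMTP client <-> BIG-IP (proxy) <-> SMTP server. After the client-side
TLS handshake the proxy resets the server-side session with RSET. A client
command that arrives before the server has answered that RSET must be held
back; the class below shows the "buffer until ready" behaviour of the fix and,
with buffer_until_ready=False, an assumed pre-fix mechanism that reproduces the
two symptoms listed in this entry.
"""
from collections import deque

STARTTLS_REQUIRED = "530 Must issue a STARTTLS command first"


class SmtpsProxy:
    def __init__(self, activation_mode="require", buffer_until_ready=True):
        self.activation_mode = activation_mode      # 'require' or 'allow' (assumed names)
        self.buffer_until_ready = buffer_until_ready
        self.tls_ready = False            # client leg is TLS and server leg has been reset
        self.awaiting_rset_reply = False
        self.pending = deque()            # client commands held during the reset
        self.inflight = deque()           # client commands the server still owes a reply for
        self.to_server = []               # lines the proxy sent to the server, in order
        self.delivered = []               # (client command, reply) pairs as the client saw them

    def starttls_handshake_done(self):
        """Client-side TLS handshake complete: reset the server-side session."""
        self.awaiting_rset_reply = True
        self.to_server.append("RSET")

    def client_command(self, line):
        if self.awaiting_rset_reply and self.buffer_until_ready:
            self.pending.append(line)     # the fix: hold it until the server is ready
            return
        if not self.tls_ready and self.activation_mode == "require":
            # Symptom 2: the command is judged against the pre-TLS state.
            self.delivered.append((line, STARTTLS_REQUIRED))
            return
        self._forward(line)

    def _forward(self, line):
        self.to_server.append(line)
        self.inflight.append(line)

    def server_reply(self, line):
        if self.awaiting_rset_reply and not self.inflight:
            # The reply to our own RSET: consume it; the server is now ready.
            self.awaiting_rset_reply = False
            self.tls_ready = True
            while self.pending:           # flush what the client sent meanwhile, in order
                self._forward(self.pending.popleft())
            return
        # Symptom 1 (assumed mechanism): with a client command already in flight the
        # RSET reply is attributed to that command, and the server's real answer to
        # the command is later mistaken for the RSET reply.
        cmd = self.inflight.popleft() if self.inflight else None
        self.delivered.append((cmd, line))


# Constructed server behaviour: answer each received line in order.
SERVER_REPLIES = {"RSET": "250 2.0.0 Ok", "EHLO": "250-mail.example.com"}


def run_race(activation_mode="require", buffer_until_ready=True):
    """Replay the race: EHLO arrives after RSET was sent but before it is answered.

    Returns the (command, reply) pairs the client observed.
    """
    proxy = SmtpsProxy(activation_mode, buffer_until_ready)
    proxy.starttls_handshake_done()                 # proxy -> server: RSET
    proxy.client_command("EHLO client.example")     # client is faster than the server
    answered = 0
    while answered < len(proxy.to_server):         # server answers everything it got, FIFO
        verb = proxy.to_server[answered].split()[0]
        answered += 1
        proxy.server_reply(SERVER_REPLIES[verb])
    return proxy.delivered


if __name__ == "__main__":
    for mode in ("require", "allow"):
        print(mode, "fixed:  ", run_race(mode, True))
        print(mode, "pre-fix:", run_race(mode, False))
```

With buffering, the client's EHLO is answered by the server's EHLO reply in both modes; without it, 'require' mode answers the EHLO with the 530 rejection and 'allow' mode hands the client the RSET reply instead, which is the desynchronization the Symptoms describe.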


472942-2 : tmm crash while changing acceleration policy

Component: WebAccelerator

Symptoms:
If the JPEG-XR quality value in the acceleration policy is changed while traffic is running, TMM can crash.

Conditions:
Change the JPEG-XR quality value with request queuing enabled. TMM crashes if a request hits the TMM that owns the cached JPEG.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't use the Optimize to Client setting.

Fix:
TMM no longer crashes when the JPEG-XR quality value in the acceleration policy is changed while traffic is running.


472860-3 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Component: Policy Enforcement Manager

Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Conditions:
Session created via iRule running on the RADIUS virtual server.

Impact:
RADIUS session statistics are not incremented.

Workaround:
None.

Fix:
Session statistics for sessions created by an iRule running on the RADIUS virtual server are now incremented.


472825-2 : The Dashboard charts may dip when a blade is rebooted.

Component: Access Policy Manager

Symptoms:
The dashboard charts for active sessions and established session counts drop suddenly.

Conditions:
This happens when both of the following conditions are met:
1. A blade is coming online to join other already running blades.
2. A session event (a user login or logout) occurs while the blade is coming up.

Impact:
The charts remain inaccurate until the next session event occurs.

Workaround:
The charts are updated to the correct value when a new session is created.

Fix:
The Dashboard no longer displays a dip in the active session count when a primary blade comes back from a reboot.


472767-1 : Adding slots to running guests with host-iso can become stuck

Component: TMOS

Symptoms:
An added guest slot waits indefinitely for a product image.

Conditions:
-- The guest is running a version provided by a block-device-image or block-device-hotfix.
-- The guest is not running the deployed version of software.
-- There are no local copies of the ISO in /shared/images on the guests.

Impact:
Additional guest slots remain down until the installation image source is corrected.

Workaround:
When running 11.6.0, copy the ISO for each guest's running version into /shared/images on each guest cluster, and wait for the ISO to sync to all members before inserting a new blade.

Fix:
Adding slots to running guests with host-iso no longer becomes stuck.


472748-1 : SNAT pool stats are reflected in global SNAT stats

Component: Local Traffic Manager

Symptoms:
A virtual server has a SNAT pool configured, and a global default SNAT is also configured with a similar configuration. Traffic that hits the virtual server uses the virtual server's SNAT pool to translate the source address, but the same traffic is also counted in the default global SNAT statistics even though the default SNAT is not used.

Conditions:
A virtual server has a SNAT pool configured, and a global default SNAT is configured similar to the SNAT pool.

Impact:
SNAT pool stats are reflected in global SNAT stats.

Workaround:
Configure the default SNAT in a different VLAN.

Fix:
The system now releases the default SNAT from the virtual server if there is a SNAT configuration directly associated with the virtual server.


472696-1 : Multiple Mozilla Network Security Services vulnerabilities

Vulnerability Solution Article: K16716


472607 : VCMP: Warning messages in AVR log

Component: Application Visibility and Reporting

Symptoms:
You see the following in the avr log:
"AVRDATA_QUERY|WARNING|Jul 21 17:21:44.775|3101|lib/avrdata/query/http_main_query.c:0488| HTTP Main, got an entity with invalid key: 3, 3, 0"

Conditions:
It is not known what causes this to happen.

Impact:
Beyond the log messages, it is not known if there is any other impact. It is possible that AVR statistics could be incorrect, or could fail to report any statistics.

Fix:
VCMP: We fixed an issue where the system incorrectly displayed the following warning message in the AVR log: "HTTP Main, got an entity with invalid key".


472585-3 : tmrouted crashes after a series of configuration changes

Component: Local Traffic Manager

Symptoms:
When multiple route domains with multiple routing protocols with heartbeat enabled are repeatedly created and deleted, the tmrouted daemon may restart.

Conditions:
This occurs when the following conditions are met:
-- Heartbeat is enabled.
-- Multiple route domains and routing protocols are created and deleted in a short time interval.

Impact:
tmrouted crashes, which might lead to packet loss in forwarding.

Workaround:
None.

Fix:
tmrouted now functions normally when multiple route domains with multiple routing protocols, with heartbeat enabled, are created and deleted repeatedly.


472571-6 : Memory leak with multiple client SSL profiles.

Component: Local Traffic Manager

Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.

Conditions:
Multiple client SSL profiles are attached to a virtual server.

Impact:
A small amount of memory leaks each time a profile is changed.

Workaround:
None.

Fix:
Multiple client SSL profiles attached to a virtual server no longer cause memory to be leaked.


472532-4 : Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list

Component: Local Traffic Manager

Symptoms:
Cipher dhe-rsa-aes256-sha256 is missing from the ssl cipher list.

Conditions:
This issue occurs under all conditions.

Impact:
Clients that offer only this cipher cannot negotiate a connection.

Workaround:
N/A

Fix:
Cipher ID 0x006b (dhe-rsa-aes256-sha256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) has been added.


472446-2 : Customization group template file might cause mcpd to restart

Component: Access Policy Manager

Symptoms:
A config sync or tmsh transaction might fail and make mcpd restart if the config sync or tmsh transaction includes a misconfigured object and simultaneously includes a customization group template file.

If strict updates are enabled on an iApp and Advanced Customization is performed, mcpd could crash.

Conditions:
The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file.

Impact:
The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction, when that transaction might contain an object configured with an invalid value. This results in a configuration error.
Here is one example of the types of messages that may be displayed when this occurs:

-- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete.
-- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file logon.inc customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty.
-- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting...
-- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd.

Workaround:
None.

Fix:
This release corrects the configuration error that occurred in the config sync or tmsh transaction whose configuration included a misconfigured object and a customization group template file.


472376-3 : A SIP virtual server may crash while trying to send a message if the connection is in the process of shutting down

Component: Service Provider

Symptoms:
A SIP virtual server may try to access a freed data structure while sending a message if the connection is in the process of shutting down.

Conditions:
A SIP virtual server is configured, and a connection is shutting down while the virtual server is trying to send a message on it.

Impact:
TMM will crash, which will disrupt traffic and can cause a system to go offline / failover while processes restart.

Workaround:
This issue has no workaround at this time.

Fix:
The crash that can occur if a SIP virtual server is trying to send a message while a connection is shutting down will no longer occur.


472365-4 : The vCMP worker-lite system occasionally stops due to timeouts

Component: TMOS

Symptoms:
The vCMP host side of the worker-lite system has a shorter timeout than the vCMP guest side. This can cause a worker-lite vCMP host to silently stop processing worker-lite requests for a vCMP guest.

Conditions:
This issue affects worker-lite based VCMP hosts running any version of VCMP guests that are processing SSL and compression traffic.

Impact:
SSL and compression traffic does not pass through VCMP guests running on an affected VCMP host. The system posts error messages in /var/log/ltm, similar to the following: Device error: crypto codec 'device-name' queue is stuck.

Workaround:
To resume processing of SSL and compression traffic in a VCMP guest, restart the guest tmm by issuing a 'bigstart restart tmm' from within the guest. Restarting a VCMP guest by setting its state from 'deployed' to 'provisioned' and then back to 'deployed' also resumes processing of SSL and compression traffic.

Fix:
Corrected a vCMP timeout issue that might have prevented vCMP guests from processing SSL and compression traffic.


472256-3 : tmsh and tmctl report unusually high counter values

Component: Access Policy Manager

Symptoms:
When running the command 'tmctl profile_access_stat', the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur might be unusually high.

Conditions:
The issue might appear if the following events happen, in sequence:
1. Some sessions have been established.
2. On a chassis system, a blade restarts. On an appliance system, tmm restarts on the active system, which triggers failover.
3. Some of the existing sessions log out after the chassis or appliance is back online.

Impact:
The profile access stat might report inaccurate readings. The system returns results similar to the following:
-- sessions_active_cur 18446744073709551615
-- sessions_eval_cur 18446744073709551615
(18446744073709551615 is 2^64 - 1, the value an unsigned 64-bit counter shows after being decremented below zero.)

Workaround:
None.

Fix:
tmsh and tmctl now report the expected correct counter values.


472216-2 : Duration counter for customized Edge Client

Component: Access Policy Manager

Symptoms:
The session duration counter does not display properly if the Edge Client customization includes a logo whose size differs from that of the default logo.

Conditions:
This is visible on the Edge Client if you are displaying a custom logo.

Impact:
The impact is cosmetic.

Fix:
Fixed alignment of connection duration counter for customized BIG-IP Edge Client.


472148-7 : Highly fragmented SSL records can result in bad record errors on Nitrox based systems

Component: Local Traffic Manager

Symptoms:
If a highly fragmented SSL record is decrypted by a system with a Cavium Nitrox card, the system will incorrectly respond with a bad SSL record error.

Conditions:
Highly fragmented SSL records and a system with a Cavium Nitrox card.

Impact:
Lost SSL connections.

Workaround:
This issue has no workaround at this time.

Fix:
The Nitrox driver was updated to properly handle highly fragmented SSL records.


472122-4 : DHCPv4: When configured in forwarding mode, BIG-IP will support client messages that use either UDP 67 or 68 as the source port.

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is configured in forwarding mode and is connected to a DHCP relay agent, and the relay agent sends DHCP packets to the DHCP server using UDP 68 as the source port (instead of 67, as RFC 2131 requires), the BIG-IP system drops the DHCP reply packets from the DHCP server.

Conditions:
1) The BIG-IP system is configured in forwarding mode and sits between a DHCP relay agent and the DHCP server.
2) The DHCP relay agent does not comply with RFC 2131 and uses UDP 68 as the source port.

Impact:
The BIG-IP system drops DHCP server reply packets (which use UDP 67 as the destination port) to the DHCP relay agent.

Fix:
The BIG-IP system now properly handles port translation when non-compliant UDP port 68 is used in packets from the DHCP relay agent.


472117-2 : Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive

Component: Application Visibility and Reporting

Symptoms:
Analytics scheduled report: You can create a non-loadable configuration by changing "predefinedReportName" to "multiLeveledReport", or the reverse, for an "analytics application-security scheduled-report".

Conditions:
Trying to modify an existing scheduled-report type from predefined to multi-leveled, or vice versa, caused an error message. This was true for both tmsh and the REST API.

Impact:
The entire system configuration fails to load.

Workaround:
Manually edit /config/bigip.conf so that "predefinedReportName" and "multiLeveledReport" do not appear together in the same Analytics scheduled report.

Fix:
REST API: You can now modify a scheduled-report type, and the system automatically resets the other type's attribute ("predefinedReportName" or "multiLeveledReport").


472093-1 : APM TMUI Vulnerability CVE-2015-8022

Vulnerability Solution Article: K12401251


472092-3 : ICAP loses payload at start of request in response to long execution time of iRule

Component: Service Provider

Symptoms:
A long-running iRule in ICAP_REQUEST can cause the loss of payload while the iRule is running, resulting in the beginning of the payload being omitted in the request to the ICAP server. (Note that headers are unaffected.)

Conditions:
This issue occurs when the following conditions are met:
-- request-adapt or response-adapt is used.
-- An internal virtual server (IVS) is used with ICAP.
-- An iRule on the ICAP_REQUEST event takes a long time to execute.

Impact:
ICAP request to ICAP server can lose the beginning of the payload.

Workaround:
When possible, keep iRule duration short by minimizing processing in ICAP_REQUEST and avoiding unnecessary processing, or move the processing elsewhere.

Fix:
The complete request payload is now sent to the ICAP server, even in the presence of a long-running iRule in ICAP_REQUEST.


472062-3 : Unmangled requests when form.submit with arguments is called in the page

Component: Access Policy Manager

Symptoms:
Expressions like form.submit(something) are not rewritten by Portal Access.
This can leave direct URLs or unmangled paths in the request; such requests fail, and the application can stop working.

Impact:
Web Application could send unmangled requests and stop working.

Workaround:
iRule workaround is possible, but it will be unique for each web application.

Fix:
Calls of form.submit with arguments are now correctly handled by Portal Access.


472051-1 : Manually adding username/password in ZebOS can cause imi to core

Component: Local Traffic Manager

Symptoms:
Manually adding a username and encrypted password into ZebOS, either by using imish command line, or by modifying zebos.conf directly, might cause imi to core.

Conditions:
Manually modifying the zebos.conf configuration file or adding a non-existing user using imish.

Impact:
The user interface to ZebOS, imi, might core. Other functionality should not be affected.

Workaround:
Do not add the configuration manually in ZebOS. Use the BIG-IP system facilities for adding/modifying ZebOS users.

Fix:
imi no longer cores when attempting to add a user via the imish command line.


471926-1 : Static subscriber sessions lost after bigstart restart

Component: Policy Enforcement Manager

Symptoms:
Sessions are not created on the standby device.

Conditions:
Run 'bigstart restart' on the active device. The standby device becomes active, and sessions should be created on the new active device. Before the old active device comes back online, run 'bigstart restart' on the new active device.

Impact:
Sessions are not created on the new active device.

Workaround:
N/A

Fix:
Corrected intermittent HA issues in static subscriber provisioning


471874-1 : VDI plugin crashes when trying to respond to client after client has disconnected

Component: Access Policy Manager

Symptoms:
VDI plugin crashes when trying to respond to client after client has disconnected.

Conditions:
Client has disconnected, VDI plugin tries to send response to the client.

Impact:
VDI plugin crash.

Fix:
The VDI plugin does not crash when trying to respond to a client after the client has disconnected.


471860-3 : Disabling interface keeps DISABLED state even after enabling

Component: TMOS

Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.

Conditions:
This occurs when using both tmsh and the GUI.

Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.

Workaround:
Rebooting corrects the indicator.

Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.


471827-1 : Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist

Component: TMOS

Symptoms:
Early syslog-ng starts up with a config file that references /var/run/httpd.pipe, but the file does not exist and syslog-ng logs the following:

<date> <host> notice syslog-ng: Error opening file for reading; filename='/var/run/httpd.pipe', error='No such file or directory (2)'

Conditions:
The first boot of a newly installed system uses a different syslog-ng.conf file; after the first boot, the real syslog-ng config file is used.

The following log appears in /var/log/boot.log
[only in 11.x releases]:

Sep 4 10:17:35 localhost notice syslog-ng: Error opening file for reading; filename='/var/run/httpd.pipe', error='No such file or directory (2)'

Impact:
There is no actual impact due to this behavior because:

(1) syslog-ng is restarted with the correct syslog-ng configuration later in the boot.
(2) httpd is not started until later which means there is no actual usage of /var/run/httpd.pipe.

Fix:
The early syslog-ng startup script now creates the missing file /var/run/httpd.pipe before starting syslog-ng. The same step runs later when /etc/init.d/syslog-ng is executed, but does nothing because the file already exists.


471825-3 : Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.

Component: Access Policy Manager

Symptoms:
Emails sent by Email agent, when received by certain SMTP servers, contain an empty body. Email needs to comply with RFC 5322 and should include the Date: header.

Conditions:
Certain SMTP servers (the new Microsoft hosted email service) deliver an empty email body when the Date: header is missing from the email message.

Impact:
Empty email body received.

Workaround:
None.

Fix:
Emails sent by the Email agent now include the Date: header in compliance with RFC 5322.


471821-1 : Compression.strategy "SIZE" is not working

Component: Local Traffic Manager

Symptoms:
The Compression strategy Size does not work as expected. Instead of performing compression in software, the system uses the hardware compression provider to compress HTTP server responses.

Conditions:
1. Compression.strategy "SIZE"
2. Create a http vs with http compress profile

Impact:
Compression is performed in hardware rather than software.

Workaround:
Set compression.providerbusy to 0

Fix:
Compression.strategy "SIZE" now causes the compression to be performed in software.


471819-2 : The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.

Component: Global Traffic Manager

Symptoms:
The big3d agent restarts periodically if a v11.4.0 or earlier system with Common Criteria mode enabled is updated with a newer version of the big3d agent.

Conditions:
A v11.4.0 or earlier system is updated to run a newer version of the big3d agent and Common Criteria mode is enabled.

Impact:
The impact of this issue is periodic restarting of the big3d agent.

Workaround:
Disable Common Criteria mode.

Alternatively, restore the prior version of the big3d agent.

Fix:
The big3d agent has been modified to run in a mode that eliminates inconsistencies with version 11.4.0 and earlier.


471772-1 : APM does not support VMware View application remoting.

Component: Access Policy Manager

Symptoms:
VMware View 6 introduced support for application remoting, which is currently not functional in APM.

Conditions:
Deployments where VMware View 6 is used.

Impact:
Unable to use View's application remoting features through APM.

Fix:
APM now supports VMware View application remoting.


471766-2 : Number of decoding passes configuration

Component: Application Security Manager

Symptoms:
The number of decoding passes selected in the "Evasion technique detected" sub-violation setting affects URI and parameter input. However, it does not affect the number of decoding passes that the system performs on headers, which is always two.

Conditions:
Headers may legitimately contain more than two levels of percent encoding.

Impact:
A false positive violation is issued.

Fix:
The number of decoding passes for headers is now taken from the "Evasion technique detected" sub-violation setting.


471714-1 : Certain SMTP servers (Windows) do not receive complete email due to missing CRLF header terminator in Emails generated by APM Email agent.

Component: Access Policy Manager

Symptoms:
Emails sent by the APM Email Agent when received by certain SMTP servers do not contain subject and body. This is caused by an incomplete header terminating character (LF) used in the Email Agent. CRLF needs to be used at the end of header and as a separator between the header and email body as per RFC 5322.

Conditions:
Certain SMTP servers do not accept the LF terminator used in the emails generated by the APM Email agent.

Impact:
Certain SMTP servers receive an email message with an empty body.

Workaround:
None.

Fix:
The APM Email agent now generates emails using CRLF at the end of the header and as a separator between the header and the email body, conforming to RFC 5322.
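The two RFC 5322 requirements in this entry and in 471825-3 above (a Date: header, and CRLF as the header line terminator and header/body separator), as an added example that is not F5 code: build_message() produces a compliant message with the Python standard library, and check_rfc5322() reports both defects on constructed samples that reproduce what the Email agent used to send. The addresses and the fixed timestamp are made up.

```python
"""RFC 5322 checks for notification email (added example, not F5 code).

The APM Email agent's real output is not shown on this page; the two samples
below are constructed to reproduce the symptoms described in 471825-3 and
471714-1 (no Date: header; header lines terminated with bare LF), and
build_message() shows the compliant form using only the standard library.
"""
from datetime import datetime, timezone
from email.message import EmailMessage
from email.policy import SMTP
from email.utils import format_datetime

SAMPLE_WHEN = datetime(2018, 3, 18, 12, 0, tzinfo=timezone.utc)   # fixed for reproducibility

# Constructed samples of the two defects (addresses are made up).
BARE_LF_MESSAGE = (b"From: apm@example.com\nTo: user@example.com\n"
                   b"Subject: Access notice\n\nYour session was created.\n")
NO_DATE_MESSAGE = (b"From: apm@example.com\r\nTo: user@example.com\r\n"
                   b"Subject: Access notice\r\n\r\nYour session was created.\r\n")


def build_message(sender, recipient, subject, body, when=None):
    """Return a wire-ready message: Date: present, every line ends in CRLF."""
    msg = EmailMessage(policy=SMTP)            # the SMTP policy serialises with CRLF
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = format_datetime(when or datetime.now(timezone.utc))
    msg.set_content(body)
    return msg.as_bytes()


def check_rfc5322(raw):
    """Return a list of problems found in a raw message; an empty list means OK."""
    problems = []
    sep = raw.find(b"\r\n\r\n")                # RFC 5322: headers end at an empty CRLF line
    if sep == -1:
        problems.append("no CRLF CRLF header/body separator")
        header_block = raw.split(b"\n\n", 1)[0]
    else:
        header_block = raw[:sep]
    if b"\n" in header_block.replace(b"\r\n", b""):
        problems.append("bare LF inside header block")
    names = set()
    for line in header_block.replace(b"\r\n", b"\n").split(b"\n"):
        if line[:1] in (b" ", b"\t"):          # folded continuation of the previous header
            continue
        names.add(line.partition(b":")[0].strip().lower())
    for required in (b"date", b"from"):        # mandatory per RFC 5322 section 3.6
        if required not in names:
            problems.append("missing %s: header" % required.decode())
    return problems


if __name__ == "__main__":
    print(check_rfc5322(BARE_LF_MESSAGE))
    print(check_rfc5322(NO_DATE_MESSAGE))
    print(check_rfc5322(build_message("apm@example.com", "user@example.com",
                                      "Access notice", "Your session was created.")))
```

The checker is useful as a post-upgrade test of any generated mail: capture the message the Email agent hands to the SMTP server and confirm check_rfc5322() returns an empty list before blaming the receiving server.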


471625-8 : After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM

Component: Local Traffic Manager

Symptoms:
After deleting an external data-group, importing a new or editing an existing external data-group does not propagate to TMM.

Although the import/modify individually seem to work as expected with no errors displayed in the web interface, the ltm log shows 'update queued', but does not show 'update finished' for the imported/modified datagroup.

tmctl ext_class_stat command shows that the deleted data-groups are still in the TMM and existing data-groups stay the same and do not reflect the modification that are made to them via GUI.

Conditions:
The issue occurs when working in an administrative partition other than Common.

Impact:
iRules associated with the data-groups do not behave as expected if data-group is deleted and afterwards when data-group modifications are made.

Workaround:
There are two workarounds:
1. Use short names for the data-group files. It is the long names that are problematic. This is the recommended workaround.
2. Reboot. This causes mcpd to reload the data-groups and corrects the situation.

Fix:
After deleting external data-group, importing a new or editing existing external data-group now works as expected.


471496-2 : Standby node sends a summary LSA for the default route into a stub area with the same metric value as that of Active node.

Component: TMOS

Symptoms:
Active and standby nodes are sending summary LSAs for a default route into a stub area with a metric value of 1.

'sh ip route' displays the default route with both the active and standby nodes as gateways.

Conditions:
HA pair is configured to be in an ospf session for a stub area with DR and BDR ospf routers. Area 0 is configured on the HA pair.

Impact:
The traffic from DR or BDR nodes in the stub area might be sent to the standby node.

Fix:
The standby node now sends the summary LSA for the default route with a metric of 16777215 (0xFFFFFF, LSInfinity). The OSPF routers in the stub area pick the active node as the gateway for the default route.


471467 : gtmparse segfaults when loading wideip.conf because of duplicate virtual server names

Component: Global Traffic Manager

Symptoms:
gtmparse segfaults when loading wideip.conf with duplicate virtual server names, or whose names differ only by spaces.

Conditions:
wideip.conf contains duplicate virtual server name definitions, or the virtual server names are unique only because of leading or trailing spaces.

Impact:
gtmparse segfaults during a wideip.conf load, causing GTM configuration load to fail.

Workaround:
Change virtual server definitions so that there are no duplicate named virtual servers. Note that adding only leading or trailing spaces does not result in a unique virtual server name.

Fix:
gtmparse will now throw descriptive errors when encountering duplicate vs names in wideip.conf, for example:

./gtm/wideip.conf:61: "opt_vs_long_def: vs set name vs_1 on vs 10.221.43.28:1545 failed, duplicate name exists" at character '1545' in line:

      name "vs_1"
      address 10.221.43.28:1545


471452-2 : Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.

Component: Access Policy Manager

Symptoms:
When URLs from multiple browser tabs start an access policy, the session is created with the landing URL from the first tab that started the session, not with the URL of the tab that continued and finished creating the access session.

Conditions:
Accessing the access policy virtual server with different landing URLs before the access policy session is created. This causes the access policy to run from two different landing URLs.

Impact:
This may prevent the BIG-IP system acting as a SAML SP from establishing a session with the IdP. In the case of LTM and APM, the user is always redirected to the URL from the first tab after policy execution finishes.

Workaround:
None.

Fix:
When URLs from multiple browser tabs start an access policy, the landing URL is set to the URL from the browser that finished the access policy execution.


471421-5 : Ram cache evictions spikes with change of access policy leading to slow webtop rendering

Component: Access Policy Manager

Symptoms:
When there is a high load on the system and a user changes an access policy, it can lead to slow rendering of the webtop or the access page.

Conditions:
High load with change of access policy around that time.

Impact:
Slow webtop/access page rendering.

Fix:
Access policy changes are now handled gracefully.


471331-2 : APM::RBA reset due to a leaked HUDEVT_REQUEST_DONE

Component: Access Policy Manager

Symptoms:
Sometimes the APM RBA plugin resets and writes an error to the log that includes this phrase:
[0x19fd874:459] Internal error (APM::RBA requested abort (trans end error)). The problem can happen intermittently and usually occurs when multiple tabs are used.

Conditions:
Most reproductions involve multiple tabs. End user starts access policy in one tab, and is delivered a login page. Then the end user opens a new tab, and attempts to evaluate the access policy in that tab. The reset comes from the RBA plugin, but this can be reproduced without Kerberos being configured.

Impact:
There are intermittent connection resets. Depending on the URL of the second tab, it should have terminated the existing session and started a new one, or it should have rendered a 404 page explaining that the access policy is already running in a different tab.

Workaround:
None.

Fix:
Fixed intermittent resets when access policy execution in progress simultaneously from multiple browser tabs.


471318-1 : AD/LDAP group name matching should be case-insensitive

Component: Access Policy Manager

Symptoms:
AD/LDAP Group Name mapping fails due to the case sensitive matching. It should be case insensitive.

Conditions:
This occurs when using AD/LDAP Group name mapping.

Impact:
Cannot find the intended group.

Workaround:
None.

Fix:
AD/LDAP Group Name mapping now uses a case-insensitive comparison, which is the correct behavior.


471125 : Fixed issue causing EdgeClient to work improperly behind environment with CaptivePortal.

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client may display a window containing the content of the F5 probe file that cannot be closed; however, Network Access (NA) works.

Conditions:
Special environment with captive portal and proxy.

Impact:
User can be confused by window shown.

Fix:
Resolved rare condition that caused BIG-IP Edge Client to work improperly when a client uses proxy to connect to the BIG-IP system.


471117-4 : iframe with JavaScript in 'src' attribute not handled correctly in IE11

Component: Access Policy Manager

Symptoms:
If an HTML page contains an iframe with JavaScript code in the src attribute, some web applications might not work correctly through portal access in Internet Explorer 11.

Conditions:
Conditions leading to this issue include Internet Explorer 11 and iframe with JavaScript in the src attribute: <iframe src="javascript: some code...">

Impact:
Some Web applications may work incorrectly.

Workaround:
This issue has no workaround at this time.

Fix:
If an HTML page contains an iframe with JavaScript code in the src attribute, it is handled correctly in Internet Explorer 11 through Portal Access.


471103-1 : Ignoring null values for parameters with different content types

Component: Application Security Manager

Symptoms:
You cannot configure the system to ignore a null value for parameters defined as file upload regardless of the content-type of the parameter in the request. Following the multipart null flow, the system first looks into the content type defined for the parameter in the request itself. If the parameter is defined as textual, the system does not allow a null to appear there, regardless of the policy configuration for that parameter.

Conditions:
Parameter is defined in the multipart request as textual and has a null in it.

Impact:
A null in request violation occurs.

Workaround:
N/A

Fix:
There is a new internal parameter: 'ignore_null_in_multipart_text'. When the internal parameter is set, the system does not issue a null in request violation when a null appears in the request.

If the parameter is defined as file upload in the security policy, no violation is issued.
If the parameter is defined as something else, the system issues the violation 'null in multipart request'.
If the parameter is not defined in the security policy, the system issues the violation 'null in request'.


471059-4 : Malformed cookies can break persistence

Component: Local Traffic Manager

Symptoms:
Clients sending a malformed cookie (that is, a space character that precedes the persistence cookie) might prevent the parsing of a valid persistence cookie.

Conditions:
The HTTP request contains a malformed cookie value that occurs before the BIG-IP system persistence cookie. For example: Cookie:foo=bar =bar; BIGipServerhttp=60361226.20480.0001

Impact:
Persistence is ignored.

Workaround:
None.

Fix:
Cookie values containing a space character are now parsed properly.

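A cookie-header parser tolerant of the malformed pair shown above, plus a decoder for the persistence cookie value it carries, as an added example (not F5 code). The function names are assumptions; the value encoding (IPv4 address as a little-endian 32-bit decimal, port as a byte-swapped 16-bit decimal, then a reserved four-digit field) is the documented BIGipServer cookie format. The sample header is the one quoted in the Conditions.

```python
"""Tolerant Cookie-header parsing and BIG-IP persistence cookie decoding.

Added example, not F5 code. Function names are assumptions. The value
encoding ('<ip>.<port>.<reserved>', IPv4 address as a little-endian
32-bit decimal, port as a byte-swapped 16-bit decimal) is the documented
BIGipServer cookie format.
"""
import ipaddress
import struct

# The malformed header quoted in this entry's Conditions.
SAMPLE_HEADER = "Cookie:foo=bar =bar; BIGipServerhttp=60361226.20480.0001"


def parse_cookie_header(header):
    """Return (name, value) pairs in order, without giving up on a malformed pair.

    RFC 6265 cookie-pairs are separated by ';'. A chunk with stray whitespace in
    its value ('foo=bar =bar') keeps everything after the first '=' as the
    value, and a chunk without '=' is kept under its own text with an empty value.
    """
    if header.lower().startswith("cookie:"):
        header = header.split(":", 1)[1]
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def find_persistence_cookie(pairs, prefix="BIGipServer"):
    """Return (pool name, encoded value) for the first BIGipServer cookie, else None."""
    for name, value in pairs:
        if name.startswith(prefix):
            return name[len(prefix):], value
    return None


def decode_bigip_cookie(value):
    """Decode '<ip>.<port>.<reserved>' into ('a.b.c.d', port)."""
    ip_dec, port_dec, _reserved = value.split(".")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(ip_dec)))        # little-endian address
    (port,) = struct.unpack("<H", struct.pack(">H", int(port_dec)))  # byte-swapped port
    return str(ip), port


def encode_bigip_cookie(ip, port, reserved=0):
    """Inverse of decode_bigip_cookie(), useful for building test traffic."""
    (ip_dec,) = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)
    (port_dec,) = struct.unpack(">H", struct.pack("<H", port))
    return "%d.%d.%04d" % (ip_dec, port_dec, reserved)


def pool_member_from_header(header):
    """End-to-end: header line -> ('pool', 'a.b.c.d', port), or None if absent."""
    found = find_persistence_cookie(parse_cookie_header(header))
    if found is None:
        return None
    pool, value = found
    ip, port = decode_bigip_cookie(value)
    return pool, ip, port


if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE_HEADER))
    print(pool_member_from_header(SAMPLE_HEADER))
```

The decoding step is the same one an attacker performs on a leaked persistence cookie to learn internal pool-member addresses, which is the reason to enable cookie encryption in the cookie persistence profile when the pool members' addresses should not be visible to clients.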

471014-14 : OpenSSL vulnerability CVE-2014-5139

Vulnerability Solution Article: K15567


470842-1 : Apache Axis vulnerability CVE-2012-5784

Vulnerability Solution Article: K14371


470813-1 : Memory corruption in f5::rest::CRestServer::g_portToServerMap

Component: TMOS

Symptoms:
Abort during guestagentd static deinitialization

Conditions:
Daemon and threads are shut down.

Impact:
Crash in guestagentd and CRestServer

Workaround:
N/A

Fix:
Fix crash on shutdown in guestagentd and CRestServer


470779-1 : The Enforcer should exclude session awareness violations when counting illegal requests.

Component: Application Security Manager

Symptoms:
Requests are blocked as false positives.

Conditions:
Session Awareness is enabled.

Impact:
A session whose blocked/logged status has been released can be returned to that status if illegal traffic occurs at the same time, even when the only violation is 'Disallowed access...'.

Workaround:
N/A

Fix:
The Enforcer now excludes session awareness violations when counting illegal requests for session awareness actions.
Previously, these violations were counted and therefore prematurely caused the session status to be "Blocked".


470756-6 : snmpd cores or crashes with no logging when restarted by sod

Component: TMOS

Symptoms:
Prior to sod restarting snmpd following a heartbeat timeout, there are often no snmpd warning/error logs leading up to the restart condition that might indicate root-cause.

Conditions:
snmpd can be blocked waiting for mcpd responses to its database queries. This is typically experienced when CPU utilization is very high.

Impact:
sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions persist for longer than the configured snmpd heartbeat interval. During this time, external MIB queries might time out or fail.

Workaround:
Address CPU utilization issues.

Fix:
The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions.


470715-5 : Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long

Component: Local Traffic Manager

Symptoms:
When a vlan name is >= 16 characters including the /Common/ folder name prefix, the internal packet size exceeds the configured MTU size of 1582 on the MPI channel. This causes excessive IP fragmentation on the tmm_bp vlan and high CPU usage. In some cases it can also cause packet loss.

Conditions:
Vlan names (16 characters or longer) are being used. This length also counts the name of the partition.

Impact:
This can cause excessive IP fragmentation on the tmm_bp vlan and high CPU usage. In some cases it can also cause packet loss.

Workaround:
Use shorter vlan names.

Fix:
A new db variable, vlan.backplane.mtu, has been added to configure the tmm_bp vlan MTU size, and the new default backplane MTU is set to 1640.

Behavior Change:
A new db variable, vlan.backplane.mtu, has been added to configure the tmm_bp vlan MTU size, and the new default backplane MTU is set to 1640.


470627-2 : Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE

Component: TMOS

Symptoms:
When Virtual Edition (VE) is licensed with limited throughput, tmm checks and enforces rate limits. However, due to the nature of clustering in the data plane, each tmm process performs the check independently (that is, against the licensed rate divided by the number of tmms on the system). Thus, the check result is not accurate from a global rate perspective, and the system logs messages indicating that the data rate exceeds the licensed rate.

Conditions:
Multiple tmms in VE, licensed with a limited data rate, when only some of the tmms are processing traffic.

Impact:
Message indicating data rate exceeds licensed rate.

Workaround:
None.

Fix:
Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in Virtual Edition no longer occurs.


470559 : TMM crash after traffic stress with rapid changes to Traffic capturing profiles

Component: Application Visibility and Reporting

Symptoms:
Rare condition of TMM crash due to traffic stress with rapid changes made to Traffic capturing profiles.

Conditions:
1. Traffic capturing feature is on, under heavy traffic.
2. Modifications are being made to traffic capturing configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off traffic capturing feature, or minimize making changes to the Traffic capturing profile while under heavy load.

Fix:
A rare condition was fixed where TMM crashed due to traffic stress with rapid changes made to Traffic capturing profiles.


470414-4 : Portal Access rewrite daemon may crash while processing some Flash files

Component: Access Policy Manager

Symptoms:
The rewrite process starts consuming 100% of CPU and is then killed.
Symptoms: high load on the box, rewrite core files.

Conditions:
This happens in the very rare situation where Flash files were produced with specification violations. Specifically, the list of objects within a DefineSprite tag is not terminated with an End tag, as the specification requires.

Impact:
Portal Access is temporarily unavailable.
Core file for 'rewrite' process is generated.

Fix:
Portal Access no longer crashes when rewriting some incorrect Adobe Flash files.


470394-2 : Priority groups may result in traffic being load balanced to a single pool member.

Component: Local Traffic Manager

Symptoms:
Priority groups may result in traffic being load balanced to a single pool member.

Conditions:
This occurs when the following conditions are met:
 - Multiple priority groups.
 - Slow ramp feature enabled (TCP profile).
 - Active priority group goes offline.
 - Member in the newly active group goes offline then online (triggering slow ramp feature).

Impact:
Traffic is improperly load balanced.

Workaround:
Disable slow ramp feature in the TCP profile.

Fix:
The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.


470225-4 : Machine Certificate checker now correctly works in Internet Explorer 11

Component: Access Policy Manager

Symptoms:
Machine Certificate checker hangs in Internet Explorer 11.x if you are not using compatibility mode.

Conditions:
Machine certificate used in Internet Explorer version 11.x with compatibility mode turned off.

Impact:
Cannot pass APM policy

Workaround:
Add APM hostname to compatibility view list.

Fix:
Machine Certificate checker now works correctly in Internet Explorer 11.


470205-2 : /config/.../policy_sync_d Directory Is 100% Full

Component: Access Policy Manager

Symptoms:
After a policy sync operation, the Policy Sync history file objects remain within the /config/.../policy_sync_d directory.

Conditions:
This issue is further exacerbated when customization and/or sandbox (hosted content) files are associated with the profiles being synced.

Impact:
Over time the saved number and size of the Policy Sync history files can grow to fill all available space.

Workaround:
The psync-history objects and related data files can be manually deleted by running the following commands from within tmsh context:
`cd /Common/PolicySyncHistory`
`delete apm policy psync-history all`
`save sys config partitions all`

Note that the above steps remove all psync-history and related file objects from your local device, which means you will no longer have entries within the History tab of the Policy Sync page of the Admin GUI.

Fix:
After a policy sync operation, the Policy Sync history file objects are now removed from the /config/.../policy_sync_d directory, as expected.


470191-2 : Virtual with FastL4 with loose initiation and close enabled might result in TMM core

Component: Local Traffic Manager

Symptoms:
Virtual with FastL4, loose initiation and loose close enabled might result in TMM core.

Conditions:
The problem can occur when the following conditions are met:
 - Virtual server with FastL4 profile.
 - FastL4 profile has loose initiation and loose close enabled.
 - TCP FIN is received that is not associated with an existing connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not enable loose initiation and loose close on the FastL4 profile.

Fix:
FastL4 component now validates existence of connection peer upon reception of TCP FIN.


469960-1 : Managing apd connection from tmm

Component: Access Policy Manager

Symptoms:
apd and logd consume a large percentage of CPU.

Conditions:
Under heavy connection request load from tmm for authentication, the APM session receives a TCP RST or no response, which leaves unprocessed requests in the queue.

Impact:
APD (the authentication server) becomes unresponsive, which causes all new user sessions to fail.

Workaround:
None.

Fix:
The system now handles a large number of connection requests for authentication using a throttling mechanism to manage the requests.


469786-1 : Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule

Component: Application Security Manager

Symptoms:
The request status is displayed incorrectly (as a blocked request) for requests that were only alarmed.

Conditions:
Web scraping in alarm mode, ASM iRules in place.

Impact:
The request status is displayed as if the request was blocked when it was only alarmed.

Workaround:
This issue has no workaround at this time.

Fix:
When web scraping mitigation configuration mode is set to Alarm (log) and there is an ASM iRule, the iRule no longer displays requests as being blocked when they are actually logged and not blocked.


469739-4 : ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile

Component: Local Traffic Manager

Symptoms:
MCPD may generate one of the following validation errors as a result of a ConfigSync, or a config load, or attaching an SSL profile to a virtual server, or modifying a virtual server:

0107149e:3: Virtual server /Common/name-of-virtual-server has more than one clientssl/serverssl profile with same server name.
010717e1:3: Client SSL profile cannot contain more than one set of same certificate/key type.

Conditions:
This occurs when HA pairs have dissimilar cert-key-chain names within an SSL profile, and the changes were synchronized to the peer device. Either the ConfigSync will fail (if the SSL profile was attached to a virtual server), or the ConfigSync will succeed, but on the receiving device, the SSL profile will have two cert-key-chain objects.

This happens given the following conditions:
- Systems are performing a full (not incremental) sync
- SSL profile is attached to a virtual server
- cert-key-chain sub-object has differing names on the two devices

Impact:
Depending on the manifestation of this issue one of the following can happen:
- administrator may be prevented from performing further configuration operations
- administrator may be prevented from synchronizing the configuration
- the configuration may not load

Workaround:
Find the client-ssl profile name for the virtual server that fails to load.

List and compare the cert-key-chain names of the client-ssl profile on the devices in the HA configuration.

Choose the correct cert-key-chain name and ensure the cert-key-chain name is the same on all devices.

Synchronize the configuration.

Fix:
The ConfigSync operation completes successfully if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile.


469705-4 : TMM might panic when processing SIP messages due to invalid route domain

Component: Local Traffic Manager

Symptoms:
TMM might panic when processing SIP messages due to invalid route domain.

Conditions:
SIP Requests are being processed with a via header that does not contain an 'rport' attribute. SIP profile attached to the virtual server has 'dialog aware' enabled.

Impact:
TMM panics with following string: 'domain != RT_DOMAIN_NONE'.

Workaround:
Disable the 'dialog aware' option on the SIP profile, or configure SIP OneConnect.

Fix:
TMM sets a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.


469512-2 : TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies.

Component: Advanced Firewall Manager

Symptoms:
TMM gets terminated by SOD daemon due to heartbeat failure.

Conditions:
This might occur intermittently when trying to load huge firewall policies.

Impact:
This might (intermittently) trigger a TMM abort by SOD due to heartbeat failure.

Workaround:
Disable TMM heartbeat.

Fix:
TMM is no longer terminated by SOD due to heartbeat failure (when trying to load huge firewall policies).


469115-3 : Management client-ssl profile does not support multiple key/cert pair.

Component: Local Traffic Manager

Symptoms:
Management SSL client-ssl profile does not support multiple key/cert pair.

Conditions:
Management client-ssl profile.

Impact:
It supports only one key/cert pair, which is stored in the profile's key/cert/chain/passphrase fields. cert-key-chain in the client-ssl profile is not a valid selection; selecting a cert/key pair from cert-key-chain can cause problems.

Fix:
The Management SSL client-ssl profile now ignores cert-key-chain structures and gets the unique cert/key pair from the profile key/cert/chain/passphrase fields.


469100-5 : JavaScript index expressions with a comma are not properly rewritten

Component: Access Policy Manager

Symptoms:
If there are expressions like a[b,c] within JavaScript code, these expressions return a[b] instead of a[c] after rewriting with Portal Access.
This can lead to JavaScript exceptions, or silent flaws in the application's logic.

Impact:
This issue leads to exceptions or broken logic in the customer's back-end application.

Workaround:
This issue has no workaround at this time.

Fix:
JavaScript index expressions with list of values are now correctly rewritten by Portal Access.


469033 : Large big3d memory footprint.

Component: Global Traffic Manager

Symptoms:
The big3d process might take up a large amount of memory.

Conditions:
Using GTM in various configurations.

Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.

Workaround:
None.

Fix:
Reduced big3d memory footprint.


468837-5 : SNAT translation traffic group inheritance does not sync across devices

Component: TMOS

Symptoms:
When a snat-translation object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.

Impact:
The inherited-traffic-group property must be manually maintained on all devices.

Workaround:
Enable the 'full sync' option instead of using incremental sync.

Fix:
SNAT translation traffic group inheritance now syncs across devices using incremental sync.


468790-2 : Inconsistent SafeNet key deletion in BIG-IP and Safenet HSM

Component: Local Traffic Manager

Symptoms:
Under some conditions, when deleting a SafeNet key, the key is deleted from HSM but not from the BIG-IP system.

Conditions:
This issue happens when the BIG-IP system satisfies the following conditions:
1. A SafeNet-generated key is in use by a clientSSL profile.
2. Safenet HSM is installed.

Impact:
If this clientSSL profile is currently used by a virtual server, then SSL connection to this virtual server fails since the key is not in HSM.

Workaround:
1. Remove the key/cert from the clientSSL profile, so that they become 'not in use'.
2. Delete the not-in-use key/cert from the BIG-IP system.
3. Configure another key/cert in the clientSSL profile.

Fix:
In this release, when deleting a SafeNet key, the key is deleted from the HSM as well as from the BIG-IP system.


468519-1 : BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.

Component: Global Traffic Manager

Symptoms:
Config reload fails when renewing the license or performing a new install based on the current config.

This appears to be the result of an invalid bigip_gtm.conf, which is used to load the config rather than mcpdb.bin.

Conditions:
If any virtual servers are configured with a dependency list that includes other virtual servers from the same BIG-IP system, BIG-IP DNS creates an invalid bigip_gtm.conf file.

Impact:
The BIG-IP DNS config fails to load when triggered to load from the config file.

Workaround:
None.

Fix:
The depends-on block is now populated correctly with the virtual server info, and no error is thrown when reloading the BIG-IP DNS config.


468517-5 : Multi-blade systems can experience active/standby flapping after both units rebooted

Component: TMOS

Symptoms:
After rebooting multi-bladed BIG-IP systems configured for failover, one or more of the systems has some of its blades flap from active to standby.

Conditions:
Rebooting systems fairly close in time from one another (about a minute apart). Traffic group must reference an HA group.

Impact:
Invalid redundant status.

Workaround:
Modify the traffic group to no longer reference an HA group:
tmsh modify cm traffic-group traffic-group-1 ha-group none

Fix:
Multi-blade systems no longer experience active/standby flapping after both units are rebooted, so the following MCPD error message no longer occurs on the secondary blades: err mcpd[6528]: 010717b5:3: HA group (HA) cannot be removed. It is used by traffic group (/Common/traffic-group-1 ).


468514-4 : Receiving several ConfigSync requests in a short period of time may cause the mcpd process to restart and produce a core file

Component: TMOS

Symptoms:
Receiving several configuration synchronization (ConfigSync) requests, in a short period of time, may cause the mcpd process to exhaust memory resources, restart, and produce a core file.

Note: The Automatic Sync feature can exacerbate this issue. The Automatic Sync feature is disabled by default.

As a result of this issue, you may encounter one or more of the following symptoms:

Performing a ConfigSync operation causes the BIG-IP system to experience a brief service interruption while the mcpd process restarts.
If configured as part of a high availability (HA) group, the BIG-IP system fails over.
The BIG-IP system generates an mcpd core file.

Conditions:
Receiving several configuration synchronization (ConfigSync) requests with a short interval.

Impact:
The BIG-IP system may experience a brief service interruption while the mcpd process restarts.

Workaround:
None.

Fix:
Sync of a folder delete or create now will send an incremental sync if possible. Sync of a folder modify that changes the device group still will trigger a full load; this is necessary and does not indicate an issue.


468478-5 : APM Portal Access becomes unresponsive.

Component: Access Policy Manager

Symptoms:
APM Portal Access becomes unresponsive.

Conditions:
Using APM Portal Access with application cookies that require more than 32 KB of storage.

Impact:
APM Portal Access becomes unresponsive and rewrite plugins consume 100% of the CPU.

Workaround:
None.

Fix:
Now, when the 32 KB cookie storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.


468473-2 : Monitors with domain username do not save/load correctly

Component: TMOS

Symptoms:
Using the Traffic Management Shell (tmsh) to create or modify an object with a string parameter may fail with an error.

Conditions:
This issue occurs when the following condition is met:
• You use the tmsh utility to create or modify an object with a string that uses a backslash (\) to escape a double quotation mark (") character.

Impact:
Users may not be able to modify strings by using the tmsh utility.

Workaround:
The username field must be adjusted in the /config/bigip.conf file to specify the username field with a domain using a \\ syntax. For example: domain\user would need to be configured as: domain\\user.

Fix:
The tmsh utility now processes backslashes and embedded double quotation marks as expected.


468472-7 : Unexpected ordering of internal events can lead to TMM core.

Component: Local Traffic Manager

Symptoms:
TMM may core and failover with the following tcp4 assert: ../modules/hudfilter/tcp4/tcp4.c:937: %svalid pcb%s.

Conditions:
If the TCP profile receives a spurious event it can cause TMM to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Unexpected ordering of internal events no longer leads to TMM core.


468175-8 : IPsec interop with Cisco systems intermittent outages

Component: TMOS

Symptoms:
Occasionally, traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems stops after a certain period of time and recovers after an hour.

Conditions:
This issue occurs when more than one pair of IPsec SAs is negotiated, which triggers redundant SA removal on the Cisco router.

Impact:
The IPsec tunnel stops passing traffic until the problematic IPsec SA expires and a new set of IPsec SAs is negotiated.

Workaround:
Delete the problematic IPsec SAs.

Fix:
The system now works correctly, without stopping traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems.


468137-6 : Network Access logs missing session ID

Component: Access Policy Manager

Symptoms:
Without a session ID in client logs, it is hard to correlate client-side and server-side logs.

Impact:
Client logs are hard to troubleshoot.

Fix:
Network Access components now print the session ID in four messages:
 - Starting pending session ID: %sessionid
 - Session %sessionid established
 - Session %sessionid closed: Status
 - Failed to open session %sessionid


468021-3 : UCS file from earlier version may not load into 11.5.0 or later image

Component: TMOS

Symptoms:
When attempting to upgrade to 11.5.0 or later, from an earlier release, some .ucs files may cause the system to run out of memory, and the kernel to kill the process.

You may also see an error: "UCS application failed; unknown cause."

Conditions:
The bigip.conf in the .ucs file contains a section like this:

ltm profile client-ssl /Common/my-clientssl {
...
    defaults-from /Common/wom-default-clientssl
...
}

The problem happens because /Common/wom-default-clientssl and /Common/clientssl-insecure-compatible were not defined in a couple of our fixup scripts, resulting in infinite recursion in another fixup script.

Impact:
It can be impossible to upgrade the software image to 11.5.0 or later because the config fixup exits in error.

Workaround:
A workaround is to change instances of "wom-default-clientssl" and "clientssl-insecure-compatible" to "clientssl" in the configuration files in the UCS archive.

Fix:
"wom-default-clientssl" and "clientssl-insecure-compatible" were added to two fixup scripts, and code to prevent infinite recursion was added to another script.


467945-3 : Error messages in AVR monpd log

Component: Application Visibility and Reporting

Symptoms:
Errors similar to the following appear in the monpd log:
 monpd|INFO|Jun 18 13:40:08.947|12463| [stat_bridge_thread::load_file, ] Some rows of load_stat_asm_http_ip_1403124000.1 not loaded (18194 rows affected)

Conditions:
In rare cases involving stress traffic and other uncommon conditions.

Impact:
There can be a very small percentage of lost statistics (approximately 0.002%).

Workaround:
No workaround.

Fix:
We fixed an issue where the system had duplicated data, leading to display of the following warning message in the AVR monpd log:
"Some rows of load_stat_asm_http_ip_xxxxxxxxxx.x not loaded (xxxxx rows affected)".


467930-1 : Searching ASM Request Log for requests with specific violations

Component: Application Security Manager

Symptoms:
Filtering the ASM Request Log for requests that match some violations did not return expected results.

Conditions:
This issue occurs when the Request Log Filter is used for specific violations such as "Web Scraping detected."

Impact:
Request Log search does not return expected matches.

Workaround:
This issue has no workaround at this time.

Fix:
The Request log filter for violations now functions as expected. Previously, filtering the ASM Request Log for requests that match some violations did not return expected results.


467868-3 : Leak due to monitor status reporting

Component: Local Traffic Manager

Symptoms:
The mcpd memory steadily increases until it runs out. Running "strings" on the resulting core file reveals many instances of a monitor error message.

Conditions:
Must have a monitor configured that generates an error message.

Impact:
Slow system performance, unexpected crash and failover.

Workaround:
Disable the monitor.

Fix:
Previously, mcpd might leak memory when returning an error message that contained the reason for a monitor failure. The message now reports the reason without leaking memory.


467849-6 : In some cases user cannot go to external sites through proxy when vpn is connected

Component: Access Policy Manager

Symptoms:
In some cases the user cannot go to external sites through a proxy when the VPN is connected.

Conditions:
- Edge Client from APM is used to establish a VPN to a FirePass server.
- The user's machine cannot resolve the DNS name of the site that the user is attempting to connect to.
- A proxy server is used.

Impact:
User cannot browse external sites.

Workaround:
None

Fix:
Added a new configuration option, "Do not enforce IP scopes in Proxy-Auto-Configuration". Administrators who want to support this scenario can enable this option in their Network Access (NA) configuration.


467776-1 : Fix in the Guardium to ASM protocol

Component: Application Security Manager

Symptoms:
Guardium doesn't find a message from ASM. The username doesn't appear in the Guardium logs.

Conditions:
A large response arrives.

Impact:
The username doesn't appear in the Guardium logs.

Workaround:
N/A

Fix:
We moved the Guardium message notification from the RESPONSE event to the RESPONSE_DONE event. Username now appears in the Guardium logs.


467693-1 : sysObjectID SNMP OID returns 'linux' instead of BIG-IP platform.

Component: TMOS

Symptoms:
sysObjectID SNMP OID returns 'linux' instead of BIG-IP platform.

Conditions:
Poll for sysObjectID OID.

Impact:
sysObjectID OID value does not uniquely identify the BIG-IP product. Polling for sysObjectID OID always returns value 'linux':

snmpget -v2c -c 'community' localhost sysObjectID.0
RFC1213-MIB::sysObjectID.0 = OID: NET-SNMP-TC::linux

Workaround:
None.

Fix:
sysObjectID OID now correctly returns the appropriate BIG-IP platform.


467646 : IDE DMA timeouts can result in stuck processes

Component: TMOS

Symptoms:
If the device experiences an IDE DMA timeout, some processes become unresponsive and the kernel logs messages containing 'DMA timeout error' in kern.log. An unfulfilled request from the kernel of the IDE device might result in uninterruptible, stuck processes.

Conditions:
This occurs on VIPRION B4100/B4100N (A100), B4200/B4200N (A107) blades and on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V).

Impact:
This condition can cause the I/O request to never complete, resulting in unresponsive and uninterruptible processes. Various symptoms result depending on the affected process. Some conditions might require a power cycle to correct.

Fix:
IDE DMA timeouts no longer result in unresponsive processes on VIPRION B4100/B4100N (A100), B4200/B4200N (A107) blades and on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V).


467633-5 : WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)

Component: WebAccelerator

Symptoms:
TMM coring, or exhibiting strange behavior. Checking the WAM stats reveals an underflow for bytes_minified in wam_css_stat, for example:

active  parses  bytes_parsed  bytes_queued  partial_parses  partial_parse_bytes
------  ------  ------------  ------------  --------------  -------------------
     0       4           612             0               4                  586

annotations  resets  parser_errors  bytes_minified        images_inlined
-----------  ------  -------------  --------------------  --------------
          5       0              0  18446744073709551564               0

images_bytes_inlined  images_uninlined  images_uninlined_expiry
--------------------  ----------------  -----------------------
                   0                 0                        0

Conditions:
The CSS data that is being minified must already be minified and contain no extraneous whitespace.

Impact:
TMM may core or behave unexpectedly. The wam_css_stat stat's bytes_minified will be incorrect.

Workaround:
Disable CSS minification.

Fix:
Extra spaces are no longer added to the minified CSS.


467256-2 : Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat

Component: Access Policy Manager

Symptoms:
If multiple EPSEC packages are installed on a BIG-IP system and a UCS backup is taken subsequently, that UCS backup contains all of the package files, causing the UCS to become huge. Installing this UCS may fail due to disk space limitations.

Conditions:
For this issue, multiple EPSEC packages have to be installed in the system and the UCS of this system is created.

Impact:
UCS fails to install due to its large size.

Workaround:
Do the following:
1. Delete the EPSEC package from the GUI.
2. Then go to /config/filestore/files_d/Common_d/epsec_package_d/ and find the extra files for which there is no corresponding entry in /config/bigip.conf.
3. Delete those extraneous files manually using rm.

Fix:
When you delete EPSEC packages using the GUI, APM now correctly deletes the corresponding EPSEC ISO file from the filestore (/config/filestore/files_d/Common_d/epsec_package_d/).

Before creating archives, administrators are now required to delete non-active EPSEC packages using the GUI to make sure that non-active EPSEC ISO files are not included in the archives.

Although this issue has been resolved for newly downloaded EPSEC ISO files, you might still need to perform some cleanup:

1. You must remove previous leftover EPSEC ISO files as follows:
a. Delete the EPSEC package from the GUI: Select System > Software Management > Antivirus Check Updates; select an existing EPSEC package from the list and click Delete.
b. Go to /config/filestore/files_d/Common_d/epsec_package_d/ and find files for which there is no corresponding entry in /config/bigip.conf.
c. Delete those extraneous files manually using the rm command.
2. You cannot import huge previously created UCS archives. Instead, you should delete non-active EPSEC packages prior to creating a UCS.
3. If you want to include only one (active) EPSEC ISO in a UCS archive, you must first delete non-active EPSEC packages using the GUI.


467196-5 : Log files limited to 24 hours

Component: TMOS

Symptoms:
In this release, the max log size setting is 1024. This causes large systems (multiple blades, high-availability) to truncate log files, and often prevents log files from storing messages for more than 24 hours.

Conditions:
Multiple blades in a high-availability configuration.

Impact:
Cannot have log files spanning more than 24 hours. This makes it very difficult to use the log when diagnosing problems, because the system overwrites the files before the customer can report the issue.

Workaround:
Change the max-file-size for logrotate from '1024' (the default) to '0' to prevent logrotate from truncating log files. This workaround is also documented in SOL16015: The BIG-IP system may truncate log files, available here: https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16015.html.

This can be done from tmsh by running a command such as:
    tmsh modify /sys log-rotate max-file-size 0

Fix:
The max log size setting is now greater than 1024, which allows large systems (multiple blades, high-availability) to store messages for more than 24 hours.


467106-1 : Loading a UCS file after installing 11.6.0 on top of 11.5.0 fails when Gx reporting is enabled.

Component: Policy Enforcement Manager

Symptoms:
After installing BIG-IP 11.6.0 on top of BIG-IP 11.5.0, a saved UCS file might need to be loaded. If Gx reporting is enabled, loading the UCS file fails.

Conditions:
1. Upgrade from BIG-IP 11.5.0 to BIG-IP 11.6.0.
2. Load a saved UCS file.

Impact:
The old UCS file cannot be used after upgrading from BIG-IP 11.5.0 to BIG-IP 11.6.0.

Workaround:
Disable Gx reporting.

Fix:
After the fix, an upgrade to BIG-IP 11.6.0 from BIG-IP 11.5.0 followed by a UCS load completes successfully.


466877-6 : When BIG-IP is used as SAML SP, signatures created by IBM Tivoli Federated Identity Manager may fail validation

Component: Access Policy Manager

Symptoms:
Signature validation fails when the received signed assertion was generated by IBM Tivoli Federated Identity Manager.

Conditions:
This issue occurs when the BIG-IP system is configured as an SP and the received assertion is signed.

Impact:
This issue impacts SSO; users cannot log in with SAML.

Workaround:
This issue has no workaround at this time.

Fix:
The signature validation issue is fixed.


466797-6 : Added warning message when maximum session timeout is reached

Component: Access Policy Manager

Symptoms:
Previously, when the Edge Client reached the maximum session timeout, it simply disconnected with no indication of the reason.

Conditions:
Session reaches maximum timeout

Impact:
Users may be confused because the disconnect gives no reason.

Fix:
The BIG-IP Edge Client now shows a warning about session expiration when the maximum session timeout is reached.


466761-4 : Heartbeat (a UDP packet containing only a double CRLF) on an existing SIP flow results in connection loss.

Component: Service Provider

Symptoms:
A heartbeat (a UDP packet containing only a double CRLF) on an existing SIP flow might result in connection loss.

Conditions:
A SIP heartbeat message (a UDP packet containing only a double CRLF) is sent by the client to the server.

Impact:
Connection might be terminated.

Workaround:
None.

Fix:
The SIP heartbeat message, a UDP packet containing only a double CRLF, is now ignored and the connection is maintained.
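The behaviour the fix describes, as an added example that is not BIG-IP code: RFC 5626 keep-alives (a CRLF CRLF ping from the client, a single CRLF pong from the server) carry no SIP message, so a flow handler should recognise them before the SIP parser runs and neither parse them nor treat them as a reason to tear the flow down. The `SipFlow` class and its counters are constructed for this example.

```python
"""Keep-alive-aware demultiplexing of UDP datagrams on a SIP flow (constructed example)."""
import re

# RFC 5626 keep-alives: client sends CRLF CRLF, server answers with a single CRLF.
PING = b"\r\n\r\n"
PONG = b"\r\n"
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ SIP/2\.0\r\n")
STATUS_LINE = re.compile(rb"^SIP/2\.0 \d{3} [^\r\n]*\r\n")


def classify_sip_datagram(payload: bytes) -> str:
    """Return one of: keepalive-ping, keepalive-pong, request, response, invalid."""
    if payload == PING:
        return "keepalive-ping"
    if payload == PONG:
        return "keepalive-pong"
    if REQUEST_LINE.match(payload):
        return "request"
    if STATUS_LINE.match(payload):
        return "response"
    return "invalid"


class SipFlow:
    """Per-flow bookkeeping (hypothetical): keep-alives refresh the flow, malformed
    datagrams are dropped without terminating it, and only real SIP messages are
    handed to the message parser."""

    def __init__(self) -> None:
        self.alive = True
        self.messages = 0
        self.keepalives = 0
        self.malformed = 0

    def feed(self, payload: bytes) -> str:
        kind = classify_sip_datagram(payload)
        if kind.startswith("keepalive"):
            self.keepalives += 1   # refresh the idle timer; there is nothing to parse
        elif kind == "invalid":
            self.malformed += 1    # drop this datagram only; the flow stays up
        else:
            self.messages += 1     # hand off to the SIP message parser
        return kind
```

The point of the ordering is that the keep-alive check happens on the raw bytes before any SIP parsing: a parser that sees an empty header block where a start line should be is what turns a heartbeat into a flow-ending error.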


466745-3 : Cannot set the value of a session variable with a leading hyphen.

Component: Access Policy Manager

Symptoms:
Cannot set the value of an ACCESS::session variable with a leading hyphen.

Conditions:
Using a leading hyphen for the value of the session variable, for example: ACCESS::session set data var_name -value.

Impact:
Cannot use a hyphen at the start of a session variable value. The system posts an error message similar to the following: err tmm3[12741]: 01220001:3: TCL error: /Common/pass <ACCESS_POLICY_AGENT_EVENT> - bad option name (line 1)setting variable var_name for sid (null) failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data set var_name "-foo""

Workaround:
This issue has no workaround at this time.

Fix:
In this release, an extra parameter, made up of two dashes (--), was added. When -- is inserted before a value, the value can start with a hyphen; for example, "ACCESS::session set data var_name -- -value".


466612-1 : Missing sys DeviceModel OID for VIPRION C2200 chassis

Component: TMOS

Symptoms:
The SNMP sysObjectID OID returns a value of Unknown for VIPRION C2200 chassis.

Conditions:
Affected versions of BIG-IP running on VIPRION B2xxx-series blades in a VIPRION C2200 chassis.

Impact:
The VIPRION C2200 chassis is not identified as such by the SNMP sysObjectID OID.

Workaround:
None.

Fix:
The sys DeviceModel OID for VIPRION C2200 (Viprion2200) chassis is now present in the F5-BIGIP-SYSTEM-MIB.


466325-6 : Continuous policy checks on windows might fail incorrectly in some cases

Component: Access Policy Manager

Symptoms:
If a continuous software check (for antivirus, firewall, and so on) is configured to ignore certain properties (state, last scan time, and so on) and any of these properties changes on the client system, the continuous check kills the session.

For example, if a continuous antivirus software check on the server is configured to ignore the last scan time, and the antivirus last scan time changes in the middle of the policy (for instance, because a scan completes while the session is connected), the continuous software check kills the session.

This happens because the recurrent software check compares the entire result string of the antivirus check with the result string returned by the first check.

Conditions:
This occurs when all of the following are true:
1. Software checks (Antivirus, Firewall, and so on), Windows File, or Windows Process are included in the access policy.
2. Continuous software check is enabled.
3. The client is a Windows-based system.

Impact:
The impact of this issue is that continuous checks could kill the session.

Workaround:
This issue has no workaround at this time.

Fix:
Continuous policy checks now do not kill the session if a property that was configured to be ignored changes on the client side.


466266-1 : In rare cases, an upgrade (or a restart) can result in an Active/Active state

Component: TMOS

Symptoms:
After upgrading or restarting, the system starts up in an active state even if the peer system is already active.

Conditions:
An upgrade or system restart for an active/standby pair. The issue occurs intermittently and is timing-dependent. There is code executed during sod's initialization that attempts to detect when communication between mcpd and sod has gone bad; this code does this by checking for "end transaction" messages. If 30 or more messages from mcpd are received without an "end transaction" message, sod will reset its connection with mcpd. While the connection is being reset, it is possible for sod to miss messages from mcpd. Depending on which messages it misses, sod may end up in a bad state and exhibit the symptoms of this bug. If this occurs after an upgrade, it does not matter which version one is upgrading from.

Impact:
The impact of this issue is that both systems take traffic.

Workaround:
Restarting the 'sod' daemon on the system after an upgrade or reboot clears the condition. This causes the system to go offline and will disrupt traffic.

Standard BIG-IP appliance:
bigstart restart sod

VIPRION system:
clsh bigstart restart sod

Fix:
In this release, the system ensures that an upgrade or a restart can never result in an Active/Active state.


466116-3 : Intermittent 'AgentX' warning messages in syslog/ZebOS log files

Component: TMOS

Symptoms:
When routing protocols ospfv2, ospfv3, bgp, rip, ripng are configured to exchange routing information, the system posts agentx-related warning messages in the syslog/zebos log files similar to the following:

<date+time> warnings: <protocol> : AgentX: process_packet (<state name> state), ...
<date+time> warnings: <protocol> : AgentX: requested pdu : 1

Conditions:
This occurs when a BIG-IP system is configured for SNMP traps on the ZebOS routing protocols.

Impact:
These warning messages are cosmetic and may be logged intermittently, possibly resulting in a large number of messages.

Fix:
Benign agentx warning messages are no longer logged for the routing protocols ospfv2, ospfv3, bgp, rip, ripng.


466007-2 : DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var

Component: Local Traffic Manager

Symptoms:
The DNS Express daemon, zxfrd, cannot start if its binary cache has filled the /var directory.

Conditions:
Using DNS Express and the /var directory is filled.

Impact:
zxfrd restarts continually.

Workaround:
No workaround. If zxfrd is in a restart loop because of this issue, mitigate by deleting /var/db/tmmdns.bin and then running bigstart restart zxfrd.

Fix:
DNS Express daemon, zxfrd, will now check to see if /var is full or if the tmmdns.bin database file is corrupted. If either of these conditions is true, zxfrd will not continually restart.


465951-2 : If net self description size =65K, gtmd restarts continuously

Component: Global Traffic Manager

Symptoms:
The gtmd process restarts continuously.

Conditions:
This issue occurs when either of the following is a string of 65K or more:
- The net self <IP> description.
- The 'Description', 'Location', 'Contact', or 'Comment' field for the device (Device Management > Devices > Properties).

Impact:
When this happens, gtmd is unable to perform its duties.

Workaround:
This issue has no workaround at this time.

Fix:
An issue that caused gtmd to restart because of long descriptions has been fixed.


465675-3 : Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.

Component: TMOS

Symptoms:
Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.

Conditions:
Using deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.

Impact:
Users are unable to compile the MIB (using smidump) if deprecated objects are not ignored.

Workaround:
Modify MAX-ACCESS to read-only.

Fix:
MAX-ACCESS clause is now correct for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.


465607-7 : TMM cores with TMM log error 'Assertion "flow in use" failed.' when using FastHTTP.

Component: Local Traffic Manager

Symptoms:
TMM cores with the TMM log showing the error 'Assertion "flow in use" failed.' This is an infrequent race condition.

Conditions:
This is an infrequent race condition. The actual set of events that leads to this core is unknown. However, this requires FastHTTP to be configured, and it is known that this happens when the FastHTTP connection is closing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use FastHTTP.

Fix:
The system now provides checks to mitigate the race condition on close of FastHTTP to avoid the core.


465590-9 : Mirrored persistence information is not retained while flows are active

Component: Local Traffic Manager

Symptoms:
Mirrored persistence information is not retained. This is most visible on long-running flows, where the mirrored entry is removed while the flow is still active.

Conditions:
Mirrored flows with persistence profiles assigned to the VIP, or when persistence profiles are marked to mirror persistence entries.

Impact:
If a failover occurs, a new load balancing pick is made for new flows.

Fix:
Mirrored persistence records are now correctly retained.


465317-1 : Failure notice from '/usr/bin/set-rsync-mgmt-fw close' seen on each boot.

Component: TMOS

Symptoms:
The ltm log file will have a line per cluster member at boot that contains a message similar to this: Background command '/usr/bin/set-rsync-mgmt-fw close' failed. The command exited with status 1.

Conditions:
Observable in a log file after boot. Only applies to VIPRION chassis.

Impact:
The message is innocuous and can be safely ignored.

Workaround:
None needed.

Fix:
An error like this formerly appeared on chassis boot: Background command '/usr/bin/set-rsync-mgmt-fw close' failed. The command exited with status 1.

This message was always harmless but now no longer appears.


465052-6 : Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing

Component: Local Traffic Manager

Symptoms:
TMM cores when executing an HTTP::cookie command in an iRule. If the command does not have the minimum required number of arguments, the code did not check for this condition; it assumed the arguments were present.

Conditions:
An iRule must execute an HTTP::cookie command (such as "HTTP::cookie sanitize") with missing required arguments.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure all HTTP::cookie commands in iRules have the correct number of arguments.

A workaround is to add a line "log local0. some text" before the line "HTTP::cookie sanitize". Then, there is no tmm crash.

Fix:
The system now checks that all required arguments are present in an HTTP::cookie command before attempting to use them.


465012-4 : Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access

Component: Access Policy Manager

Symptoms:
The Rewrite plugin may crash on large JavaScript files and tags when webtrace or debug logging for Portal Access is enabled.

Conditions:
Portal Access log level is set to "Debug", or
Web Application Trace feature of Portal Access is active.

Impact:
Portal Access is temporarily unavailable.
Core file for 'rewrite' process is generated.

Workaround:
Disable webtrace
Change Portal Access log level to Notice

Fix:
Fixed an issue where Rewrite plugin could crash when collecting webtrace or debug logs for Portal Access.


464992-7 : Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails to recognize DC component in certificate common name field. Edge Client fails to pass machine certificate inspection if domain component is included in search regular expression.

Conditions:
BIG-IP Edge Client for Mac, the machine certificate agent, and a DC component in the common name search regex.

Impact:
BIG-IP Edge Client for Mac might fail to log in.

Fix:
BIG-IP Edge Client for Mac now passes Machine Certificate inspection when domain component is included in search criteria.


464870-7 : Datastor cores and restarts.

Component: TMOS

Symptoms:
Datastor cores and restarts. This occurs potentially because of generational issues, object replacement from archive, and the possibility that an object was deleted in the interim.

Conditions:
Traffic patterns that shift from low to moderate velocity with strong tiling to decoherent, high velocity traffic can cause this to occur when request queuing is turned on.

Impact:
Temporary cache outage. The cache must then be completely reseeded. A datastor core file is written, and datastor is restarted.

Fix:
Fixed potential crash and removed some extraneous time stamps from logged messages.


464801-2 : Intermittent tmm core

Component: Local Traffic Manager

Symptoms:
tmm intermittently cores. The stack trace signature indicates "packet is locked by a driver".

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an intermittent tmm core.


464651-2 : Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.

Component: Local Traffic Manager

Symptoms:
Two or more root certificates with the same 'subject' and 'issuer' but different serial numbers may cause the tmm to core.

The core was due to an assert failure in size caused by a loop in certificate chain construction.

Conditions:
When multiple certificates with the same 'subject' and 'issuer' are in a CA file, and the CA file is configured in SSL profile as trusted CAs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Keep only one certificate for a given 'subject' and 'issuer' in the CA file; do not leave two certificates with the same 'subject' and 'issuer' in a CA file.

Fix:
Resolved a failure when the customer installs another self-signed certificate with same subject/issuer before a self-signed certificate expires.


464547-1 : Show proper error message when VMware View client sends invalid credentials to APM

Component: Access Policy Manager

Symptoms:
The View client shows no information or error page if the user types the wrong password or username.

Conditions:
Bad credentials are supplied to a VMware View client connecting through APM.

Impact:
End user would not know if the failed login was caused by bad credentials or for another reason.

Fix:
VMware View client displays a proper message when a user enters invalid credentials.


464252-2 : Possible tmm crash when modifying html pages with HTML profile.

Component: TMOS

Symptoms:
With certain combinations of append_to_tag/prepend_to_tag rules and input fragments, HTML profile could get stuck in an infinite loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the HTML profile from the virtual server, or modify the profile rules so that they do not cause a loop.

Fix:
Fixed an issue in HTML profile which could cause an infinite loop while processing HTML page with certain rules.


464163-3 : Customized cert-key-chain of a client ssl profile might be reverted to its parent's.

Component: Local Traffic Manager

Symptoms:
In some circumstances, when the configuration is loaded, the custom cert-key-chain of a client SSL profile might be overwritten.

Conditions:
Customized cert-key-chain of a client ssl profile.

Impact:
The cert-key-chain of a profile is not what is expected.

Fix:
Customized cert-key-chain of the child client-ssl profile is reverted to parent's profile cert-key-chain during config load.


464132-2 : Serverside SSL cannot be disabled if Rewrite profile is attached

Component: TMOS

Symptoms:
Cannot disable serverside SSL via iRule command or CPM policy.

Conditions:
This occurs on a virtual server that meets the following conditions:
 - Rewrite profile
 - Serverssl profile
 - iRule using the 'SSL::Disable serverside' command in an HTTP_REQUEST event or a CPM policy with a 'server-ssl disable' action and an http-uri condition.

Impact:
Cannot disable serverside SSL.

Workaround:
Use an iRule with the 'SSL::Disable serverside' command in the SERVER_CONNECTED event.

Fix:
Serverside SSL can now be disabled by an iRule or CPM policy.


464043-3 : Integration of Firmware for the 2000 Series Blades

Component: TMOS

Symptoms:
Integration of Firmware for the 2000 Series Blades.

Conditions:
When firmware has changes that benefit platforms, it is internally released and updated in the latest version of software.

Impact:
This will improve functioning of the hardware.

Workaround:
None. This is an action item.

Fix:
Integration of Firmware for the 2000 Series Blades.


464024-4 : File descriptor leak when running some TMSH commands through scriptd

Component: TMOS

Symptoms:
File descriptors for pipes are leaking when executing some TMSH commands through scriptd.

Conditions:
TMSH commands must execute via scriptd (for example, running tmsh::modify in an iCall, but there may be other conditions that lead to the leak).

Impact:
iCall scripts cease to function, and scriptd must be restarted. Eventually the system logs error messages similar to the following: err scriptd[11946]: 014f0013:3: Script (/Common) generated this Tcl error: script did not successfully complete: the pipe system call failed, Too many open files.

Fix:
All pipes are closed when a TMSH command is completed, so file descriptors no longer leak when running some TMSH commands through scriptd.


463959-1 : stpd attempts to connect to slots in a chassis that are empty

Component: TMOS

Symptoms:
In a chassis environment stpd attempts to connect to slots that are empty. These connection attempts are unsuccessful and will result in repeated stpd errors in the ltm log:

err stpd[7707]: 01290003:3: Attempt to send 15 bytes to inettcp://127.3.0.4:4401 timed out after 8 seconds

Conditions:
This issue exists when there are one or more empty slots in a chassis.

Impact:
Repeated stpd errors in the ltm log. This is a cosmetic error that can be ignored safely.

Workaround:
None.

Fix:
The stpd process now checks to ensure that a slot is populated before attempting to connect to that slot.


463902-3 : Hardware Compression in CaveCreek may cause excessive memory consumption.

Component: Local Traffic Manager

Symptoms:
Closely related to BZ456859. Symptoms appear as slow, but unbounded, growth in xfrag allocation.

Conditions:
Highly-varying compression payload sizes, plus time.

Impact:
TMM may segfault and leave a core that indicates high xfrag memory usage.

Workaround:
Do not use hardware compression.

Fix:
Flat-buffer allocator for hardware compression tuned to be less greedy.


463776-2 : VMware View client freezes when APM PCoIP is used and user authentication fails against VCS 5.3

Component: Access Policy Manager

Symptoms:
The VMware View client freezes.

Conditions:
APM PC-over-IP (PCoIP) is used and user authentication fails against View Connection Server (VCS) 5.3.

Impact:
The VMware View client freezes, and the user is unable to log in.

Workaround:
This issue has no workaround at this time.

Fix:
VMware View client does not freeze when APM PC-over-IP (PCoIP) is used and user authentication fails against View Connection Server 5.3.


463715-3 : syscalld logs erroneous and benign timeout messages

Component: TMOS

Symptoms:
The syscalld timeout mechanism might cause premature logging of OPERATION_TIMEOUT messages.

Conditions:
No specific configuration is required.

Impact:
The system posts the message: syscalld[21190]: 0127000a:3: OPERATION_TIMEOUT 'command' may be hung or taking a long time.

This may cause some operations, such as establishing CMI trust, to fail and need to be launched again.

Fix:
syscalld's timeout mechanism no longer emits an OPERATION_TIMEOUT message, unless the message appropriately reflects the condition of the system.


463696-5 : FIPS keys might not be recoverable from UCS

Component: Local Traffic Manager

Symptoms:
FIPS exported keys are created only on the unit on which the FIPS key is created or imported. The FIPS exported key is not created on the HA peer.

Conditions:
HA setup with multiple FIPS devices.

Impact:
The UCS created on such a HA peer does not contain the FIPS .exp key files. Restoring such a UCS does not recover the FIPS keys. If a FIPS unit is returned to F5 Networks for a replacement unit, the recovery of FIPS keys is not straightforward on the new unit, or might not be possible.

Workaround:
Manually copy the .exp file from the peer, or generate the UCS on the peer and load it manually. You can use the command line to scp copy all FIPS exported keys from /config/ssl/ssl.cavfips/ from one HA peer to the other, and vice versa, so that each of them has all the FIPS exported key files.

Fix:
FIPS exported keys now get created on the HA peer as well as on the unit on which the FIPS key is created or imported.


463230-1 : Aced service does not recover if child process dies.

Component: Access Policy Manager

Symptoms:
If a child process is killed, cored, or dies, the parent process does not restart it and the service stops serving SecurID authentication.

Conditions:
In some exceptional cases, the child process exits.

Impact:
SecurID authentication fails until the service is recovered by runsv.

Fix:
aced can now restart just the child process. There is no need to exit the main process and restart all the children.


463202-7 : BIG-IP system drops non-zero version EDNS requests

Component: Local Traffic Manager

Symptoms:
If a query from a client contains a non-zero EDNS version, the query is dropped instead of sending an appropriate response.

Conditions:
This occurs with DNS profile/processing when a client sends a query with non-zero EDNS version.

Impact:
Dropped queries, retries, and then time-outs occur.

Fix:
If the EDNS version is not zero, the query passes through the filter and is not dropped.
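What "an appropriate response" to an unsupported EDNS version looks like on the wire, as an added example that is not BIG-IP or DNS Express code: RFC 6891 says a responder that does not implement the requested EDNS version answers with the extended RCODE BADVERS (16) and an OPT RR advertising the highest version it does support, rather than dropping the query. The helper names, the sample query builder and the advertised payload sizes are constructed for this example.

```python
"""EDNS(0) version check and BADVERS reply for a DNS query (constructed example)."""
import struct
from typing import Optional

OPT_TYPE = 41   # OPT pseudo-RR type
BADVERS = 16    # RFC 6891 extended RCODE: unsupported EDNS version


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _question_end(msg: bytes) -> int:
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    return off


def _opt_ttl(msg: bytes) -> Optional[int]:
    """TTL field of the OPT RR (ext-RCODE | version | flags), or None if absent."""
    _, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = _question_end(msg)
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return ttl
    return None


def edns_version(msg: bytes) -> Optional[int]:
    ttl = _opt_ttl(msg)
    return None if ttl is None else (ttl >> 16) & 0xFF


def response_rcode(msg: bytes) -> int:
    """Full 12-bit RCODE: upper 8 bits from the OPT TTL, lower 4 from the header."""
    low = struct.unpack("!H", msg[2:4])[0] & 0xF
    ttl = _opt_ttl(msg)
    ext = 0 if ttl is None else ttl >> 24
    return (ext << 4) | low


def build_query(name: str, version: Optional[int] = 0, qid: int = 0x1234) -> bytes:
    """Constructed A/IN query; version=None omits the OPT RR entirely."""
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)
    arcount = 0 if version is None else 1
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    opt = b"" if version is None else b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, version << 16, 0)
    return header + question + opt


def badvers_response(query: bytes) -> Optional[bytes]:
    """BADVERS reply for a non-zero EDNS version; None means process the query normally."""
    version = edns_version(query)
    if not version:                      # no OPT RR, or version 0
        return None
    qid = query[:2]
    qdcount = struct.unpack("!H", query[4:6])[0]
    question = query[12:_question_end(query)]
    flags = 0x8000 | (BADVERS & 0xF)     # QR=1, low nibble of the RCODE
    header = qid + struct.pack("!HHHHH", flags, qdcount, 0, 0, 1)
    # OPT RR: version 0 (the highest supported), ext-RCODE 1 -> combined RCODE 16
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, (BADVERS >> 4) << 24, 0)
    return header + question + opt
```

A resolver that receives BADVERS retries with a lower version immediately; a resolver whose query is dropped instead waits out its timeout and retries blindly, which is the "dropped queries, retries, and then time-outs" impact listed above.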


462727-1 : TMM crash when processing ACCESS::session iRule without an attached Access Policy

Component: Access Policy Manager

Symptoms:
When using the ACCESS::session create iRule without an Access Policy in place, TMM cores.

Conditions:
This occurs when the following conditions are met:
1. No Access Policy is attached to virtual server and
2. The ACCESS::session create iRule is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
This version allows the iRule, ACCESS::session create, to work even when an access policy is not attached to the virtual server.


462714-2 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

Component: Local Traffic Manager

Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that results in this issue is UDP with checksum of 0.

Conditions:
The profile has to be FastL4. Traffic that is UDP with a checksum of 0, SCTP, or ESP is definitely affected.

Impact:
Source address persistence is not usable as the entry ages out when it should not.

Workaround:
None.

Fix:
Source address persistence record no longer times out unexpectedly on FastL4 profile virtual server.


462598-4 : Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.

Component: Access Policy Manager

Symptoms:
When the APM Access renderer or renderer pool (used for serving internal pages) goes down for an unknown reason, tmm enters a retry loop and sod kills tmm.

Conditions:
For the problem to occur, at the very least, APM must be in use. The problem showed up in the past with a mangled iRule in place.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This has only been observed with an incorrectly formed iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this occurs without an associated iRule, there is no workaround.

Fix:
Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client.


462514-1 : Support for XMLHttpRequest is extended

Component: Access Policy Manager

Symptoms:
JavaScript exceptions occur.

Conditions:
The problem occurs with web-application JavaScript code using XMLHttpRequest.

Impact:
Web-application logic and behavior can be broken.

Workaround:
There is no workaround at this time.

Fix:
XMLHttpRequest rewriting is improved, so that patched objects behave the same way (or close enough) as original ones on a given browser.


462258-8 : AD/LDAP server connection failures might cause apd to stop processing requests when service is restored

Component: Access Policy Manager

Symptoms:
AD/LDAP server connection failures might cause APM apd to stop processing requests when service is restored.

These symptoms accompany the problem:
- Too many file descriptors open by apd.
- 'Too many open files' error messages in the log file.
- Running qkview to gather diagnostic data reveals the information similar to the following in 'netstat -pano' from qkview:
tcp 270 0 127.0.0.1:10001 10.10.225.85:53212 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 269 0 127.0.0.1:10001 10.10.225.4:56305 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 272 0 127.0.0.1:10001 10.10.57.10:57508 CLOSE_WAIT 12191/apd off (0.00/0/0)
tcp 0 0 127.1.1.1:56230 127.7.0.1:389 ESTABLISHED 12191/apd keepalive (1909.72/0/0)

The last line with timer 'keepalive (1909.72/0/0)' indicates that apd has been waiting for a response for too long. Other lines with Recv-Q '272' indicate that apd is not reading incoming requests as expected (specifically, that the internal worker queue is overloaded because all threads are waiting for the one hanging thread to be processed).

Conditions:
This occurs between the connect and search phases of the AD/LDAP server connection operation, most likely when an AAA server is configured to use a pool as its backend. In this case, apd can always connect locally to the layered virtual server, but the pool monitor has a server availability check interval, so a lag in the request to an unavailable server might cause apd to hang.

Impact:
Potential connection failures to backend server.

Fix:
Active Directory and LDAP server connection operations time out in 3 minutes, so a thread does not block any other, and service can recover as soon as the connection to the backend is restored.
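The two indicators the Symptoms section reads off 'netstat -pano' (a large Recv-Q on apd's listening side, and a backend LDAP connection sitting in the keepalive timer) are easy to check mechanically. The following is an added example, not an F5 tool: it parses netstat lines of the shape shown above and reports both conditions. The stall threshold, the assumed Linux keepalive time of 7200 seconds used to estimate idle time, the apd listening port taken from the output above, and the health-check names are constructed assumptions for this example.

```python
"""Flag a hung apd from 'netstat -pano' output (constructed example, not F5 code)."""
import re
from typing import Dict, List, Tuple

LINE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<pid>\d+)/(?P<prog>\S+)\s+(?P<timer>\w+)\s+\((?P<secs>[\d.]+)/\d+/\d+\)$"
)
APD_LISTEN_PORT = "10001"        # port apd accepts requests on in the output above
BACKEND_PORTS = {"389", "636"}   # LDAP / LDAPS
KEEPALIVE_TIME = 7200.0          # assumed tcp_keepalive_time; netstat shows the countdown remaining
STALL_SECONDS = 300.0            # assumed: a backend socket idle longer than this is suspect

# Constructed sample: the four lines from the Symptoms above plus a healthy apd
# socket and an unrelated sshd listener.
SAMPLE = """\
tcp 270 0 127.0.0.1:10001 10.10.225.85:53212 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 269 0 127.0.0.1:10001 10.10.225.4:56305 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 272 0 127.0.0.1:10001 10.10.57.10:57508 CLOSE_WAIT 12191/apd off (0.00/0/0)
tcp 0 0 127.1.1.1:56230 127.7.0.1:389 ESTABLISHED 12191/apd keepalive (1909.72/0/0)
tcp 0 0 127.0.0.1:10001 10.10.1.9:40001 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd off (0.00/0/0)
""".splitlines()


def analyze_netstat(lines: List[str], stall_seconds: float = STALL_SECONDS) -> Dict[str, object]:
    """Return unread request bytes, CLOSE_WAIT count and idle backend connections for apd."""
    unread = 0
    close_wait = 0
    stalled: List[Tuple[str, float]] = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["prog"] != "apd":
            continue
        local_port = m["local"].rsplit(":", 1)[1]
        foreign_port = m["foreign"].rsplit(":", 1)[1]
        if local_port == APD_LISTEN_PORT:
            unread += int(m["recvq"])            # bytes apd has not read from its clients
            if m["state"] == "CLOSE_WAIT":
                close_wait += 1                  # peer gave up, apd never closed its side
        elif foreign_port in BACKEND_PORTS and m["timer"] == "keepalive":
            idle = KEEPALIVE_TIME - float(m["secs"])   # countdown remaining -> time idle
            if idle > stall_seconds:
                stalled.append((m["foreign"], round(idle, 2)))
    return {
        "unread_bytes": unread,
        "close_wait": close_wait,
        "stalled_backends": stalled,
        "hung": bool(stalled) and unread > 0,
    }
```

The verdict deliberately requires both signals: an idle backend socket on its own is normal between requests, and a short Recv-Q spike on its own is just load. It is the combination, unread requests queuing up while the only backend connection has gone quiet, that matches the hang described above.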


461949 : Virtual server with Portal Access and DOS profile resets connection

Component: Anomaly Detection Services

Symptoms:
Virtual server resets connection.

Conditions:
Requests are dropped on a virtual server that meets all of the following criteria:
- APM Access Policy.
- DOS Profile with Application enabled.
- SSL profile on the serverside.

Impact:
The system posts an error similar to the following: err apd[4646]: 01490000:3: AccessPolicyD.cpp func: 'process_request()' line: 736 Msg: EXCEPTION AccessPolicyD.cpp line:653 function: process_request - error 4 reading/parsing response from socket.

Workaround:
Either disable the DOS profile on the virtual server, or disable the SSL profile on the serverside.

Fix:
Virtual server with Portal Access, DOS profile, and SSL profile configuration no longer resets connections.


461597-11 : MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not follow HTTP 302 redirect if new site has an untrusted self-signed certificate.

Conditions:
BIG-IP Edge Gateway with the Mac Edge Client, and an HTTP 302 redirect to a new site with an untrusted certificate.

Impact:
User might not be able to log in if HTTP 302 redirect is configured for a site with an untrusted certificate.

Workaround:
Configure APM with a trusted certificate, or configure the client machine to trust APM's certificate.

Fix:
BIG-IP Edge Client for Mac now follows HTTP 302 redirect if the new site has an untrusted self-signed certificate and the user will be able to log in successfully.


461189-5 : Generated assertion contains HEX-encoded attributes

Component: Access Policy Manager

Symptoms:
When a BIG-IP system serving as SAML identity provider (IdP) generates an assertion, the message might contain HEX-encoded values.

Conditions:
This occurs when a user authenticates against LDAP/AD/RADIUS and the attributes retrieved from the AAA server contain non-ASCII values. The BIG-IP system, acting as Identity Provider, then uses these non-ASCII values in the generated assertion.

Impact:
SAML SSO might fail if the Service Provider is not able to process HEX-encoded attributes.

Workaround:
There is no workaround on the Identity Provider side. On the Service Provider side, assertion attribute values that begin with '0x' can be treated as HEX-encoded and decoded after the SP has processed the assertion.

Fix:
BIG-IP as Identity Provider now base64-encodes non-UTF8 attributes, as expected.
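The Service Provider side of the workaround above, as an added example that is not BIG-IP or any SP product's code: values that start with '0x' are hex-decoded, but only when the remainder is well-formed hex of even length and the resulting bytes are valid UTF-8, so a malformed value is passed through unchanged instead of being mangled. The function names and the sample attribute map are constructed for this example.

```python
"""SP-side decoding of HEX-encoded SAML attribute values (constructed example)."""
from typing import Dict, List, Tuple


def decode_hex_attribute(value: str) -> Tuple[str, bool]:
    """Return (decoded_value, was_decoded).

    Decode only when the value starts with '0x', the rest is even-length hex,
    and the bytes decode as UTF-8; otherwise return the value untouched.
    """
    if not value.startswith("0x") or len(value) <= 2 or len(value) % 2:
        return value, False
    try:
        raw = bytes.fromhex(value[2:])
        return raw.decode("utf-8"), True
    except ValueError:   # non-hex characters, or bytes that are not UTF-8
        return value, False


def decode_attributes(attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply decode_hex_attribute to every value of every attribute."""
    return {
        name: [decode_hex_attribute(v)[0] for v in values]
        for name, values in attrs.items()
    }


# Constructed sample assertion attributes: 'Müller' UTF-8 hex-encoded by the IdP,
# a plain ASCII value, and a value that is not valid UTF-8 once decoded.
SAMPLE_ATTRS = {
    "sn": ["0x4dc3bc6c6c6572"],
    "uid": ["mueller"],
    "legacyCode": ["0xe9"],
}
```

The caveat a practitioner should keep in mind: this heuristic cannot distinguish an IdP-encoded value from a genuine attribute value that happens to start with '0x' (an identifier in hex, for instance), so apply it only to the attributes known to carry free-text names, and prefer the fixed release where the IdP base64-encodes such values instead.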


461084-3 : Kerberos Auth might fail if client request contains Authorization header

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header prior to the "HTTP 401" challenge, authentication fails.

Conditions:
An auth request to the BIG-IP system contains an Authorization header, and Kerberos Auth is configured.

Impact:
Authentication can fail and the client might see a login prompt again when the IP address changes.

Workaround:
None

Fix:
The client's Kerberos auth now succeeds.


460946-2 : NetHSM key is displayed as normal in GUI

Component: Local Traffic Manager

Symptoms:
A NetHSM key's type is displayed as 'normal' in the GUI when it should be displayed as 'nethsm'.

Conditions:
When a key is created using NetHSM.

Impact:
The 'Security Type' field of the key's property appears to be 'Normal,' when it should be NetHSM.

Fix:
NetHSM keys are now displayed in the GUI as NetHSM, as expected.


460833-1 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This symptom may occur under the following conditions:

1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.

Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.


460730-7 : On systems with multiple blades, large queries can cause TMM to restart

Component: TMOS

Symptoms:
When executing a chunked query (such as "show sys connection") that returns a lot of data, the primary MCP can get overwhelmed by the amount of data it is receiving from both its blade's TMMs and the secondary MCPs. It gives the data from its own TMMs priority, which eventually causes the secondary MCPs to run out of memory. At this point the MCP memory safeguards kick in and the secondary MCPs stop receiving data from their TMMs. The TMMs wait 20 seconds under these conditions, and if they have been unable to send data to MCP during that time, they exit and restart.

Conditions:
System must have multiple blades and execute a chunked query (for connection data or persistence records, for example) that returns a lot of data.

Impact:
TMM restarts and the system is unusable during that time.

Workaround:
This issue has no workaround at this time.

Fix:
Increased MCP's throughput by limiting the amount of data sent in a given chunk.


460715-5 : Changes in captive portal probe URL

Component: Access Policy Manager

Symptoms:
The system uses a Microsoft-specific captive portal detection URL (http://www.msftncsi.com/ncsi.txt).

Conditions:
Using APM.

Impact:
This change switches the probe to the F5 captive portal detection URL (http://www.f5.com/apps/all/avail.txt) and at the same time gives customers the ability to change the behavior by modifying client settings in the registry.

Workaround:
None.

Fix:
The system now uses an F5 Networks-specific captive portal probe URL in BIG-IP Edge Client for Windows instead of the default Microsoft-specific captive portal detection URL.
An administrator for a Windows-based system can override use of the F5 captive portal URL by changing the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\F5 Networks\RemoteAccess [ActiveWebProbeHost | ActiveWebProbePath | ActiveWebProbeContent].


460627-3 : SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists

Component: Local Traffic Manager

Symptoms:
When the SASP monitor starts up, it can attempt to open a new TCP connection to the GWM server when another connection exists to it.

Conditions:
This happens when a GWM server sends the SendWeight messages to SASP monitor immediately after the registration of the pool member is complete, but the registration of all the pool members is not complete.

Impact:
The SASP monitor sends a FIN on (closes) an existing TCP connection to the GWM server.

Workaround:
This issue has no workaround at this time.

Fix:
The Send Weight messages are processed only after the registration of all the pool members is complete. Monitor logging has been vastly improved. In addition, there was a crashing bug that caused the SASPD_monitor process to be restarted. That bug has been fixed.


460427-2 : Address collision reported when the Primary blade goes down or its TMM crashes in a Chassis IntraCluster environment.

Component: Access Policy Manager

Symptoms:
In a Chassis IntraCluster environment, when the Primary blade or its TMM goes down for any reason (for example, crash, restart, or shutdown), the system posts 'IPv4 Addr collision' messages in the APM logs.

Conditions:
This happens when a Chassis platform is used in IntraCluster mode with APM's Network Access.

Impact:
Address collision is reported in the logs, and affected clients (that have duplicate IP addresses - both the original ones and the new ones) might intermittently lose connectivity.

Workaround:
None.

Fix:
Now the TMM leasepool IP information for the primary blade is mirrored on the oldest secondary blade, so the system no longer posts 'IPv4 Addr collision' messages.


460176-4 : Hardwired failover asserts active even when standalone

Component: TMOS

Symptoms:
In BIG-IP software versions 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, and 12.0.0, the serial failover 'Active' signal is asserted even if the unit is not configured to be in a high availability (HA) pair. A unit can become Standalone if the configuration is reset, or if a return merchandise authorization (RMA) is performed. If the serial cable is still connected to its peer, then the HA peer may defer the Active status to the Standalone system, which does not actually take over and process traffic.

Conditions:
Serial cable failover in-use between two members of an HA pair.

Impact:
Traffic is interrupted when the Active unit transitions to Standby.

Workaround:
During an RMA, the serial cable failover can be temporarily disabled on the Active unit by issuing the following command:

tmsh modify sys db failover.usetty01 value disable

Fix:
A Standalone unit does not spuriously assert that it is Active if the unit is not configured to be in a high availability (HA) pair when the serial cable is connected during failover. (This is the version 10.x behavior.)


459671-2 : iRules source different procs from different partitions and executes the incorrect proc.

Component: Local Traffic Manager

Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.

Conditions:
Multiple iRule procs defined in multiple admin partitions.

Impact:
The wrong proc may be executed: the iRules "proc" lookup is not deterministic across partitions, or virtual servers are improperly caching and sharing the lookup results.

Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.
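The workaround above depends on every proc name being unique across all partitions, which is easy to miss when iRules are maintained in several partitions by different teams. The following script is an added example written for this page (it is not BIG-IP or F5 code): it scans text in the shape of 'tmsh list ltm rule' output, records every Tcl proc definition together with the partition of the iRule that defines it, and reports the names defined in more than one partition. It assumes each iRule starts with a line of the form 'ltm rule <path> {' and ends with a '}' in column 0, that an object printed without a leading path belongs to /Common, and it uses a small constructed configuration as input.

```python
"""Find iRule proc names defined in more than one administrative partition.

Added example for ID 459671-2; not BIG-IP code. Input format assumptions:
each iRule begins with 'ltm rule <path> {' and ends with '}' in column 0.
"""

import re
from collections import defaultdict

RULE_RE = re.compile(r"^ltm rule (\S+) \{")           # start of an iRule object
PROC_RE = re.compile(r"^\s*proc\s+([A-Za-z0-9_:]+)")  # Tcl proc definition inside it

# Constructed sample in the shape of 'tmsh list ltm rule' output: the proc
# 'lookup' is defined in both /Common and /Dev, 'helper' only in /Common.
SAMPLE_TMSH_OUTPUT = """\
ltm rule /Common/normalize_host {
    proc lookup { key } {
        return [string tolower $key]
    }
    proc helper { } {
        return 1
    }
    when HTTP_REQUEST {
        set h [call lookup [HTTP::host]]
    }
}
ltm rule /Dev/normalize_host_dev {
    proc lookup { key } {
        return [string toupper $key]
    }
}
"""


def partition_of(rule_path: str) -> str:
    """Partition component of a full object path such as /Dev/rule_name.

    Assumption for this example: an object printed without a leading path is
    in /Common (tmsh omits the path for objects in the current partition).
    """
    return rule_path.split("/")[1] if rule_path.startswith("/") else "Common"


def find_proc_definitions(tmsh_output: str) -> dict:
    """Return {proc_name: [(partition, rule_path), ...]} for every definition."""
    procs = defaultdict(list)
    current_rule = None
    for line in tmsh_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            current_rule = m.group(1)
            continue
        if line.startswith("}"):        # closing brace of the iRule object
            current_rule = None
            continue
        m = PROC_RE.match(line)
        if m and current_rule is not None:
            procs[m.group(1)].append((partition_of(current_rule), current_rule))
    return dict(procs)


def duplicate_procs(tmsh_output: str) -> dict:
    """Return only the proc names that are defined in two or more partitions."""
    return {
        name: defs
        for name, defs in find_proc_definitions(tmsh_output).items()
        if len({partition for partition, _ in defs}) > 1
    }


if __name__ == "__main__":
    # On a real system feed this the output of: tmsh -q list ltm rule
    for name, defs in duplicate_procs(SAMPLE_TMSH_OUTPUT).items():
        where = ", ".join(f"{rule} (partition {part})" for part, rule in defs)
        print(f"proc '{name}' is defined in more than one partition: {where}")
```

Run it against a saved copy of the tmsh listing before applying the workaround; any name it reports must be renamed so that it is unique across the whole configuration, not just within its partition.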


458928-5 : APMD cores in Kerberos authentication, when the agent tries to dereference a null authparam session variable.

Component: Access Policy Manager

Symptoms:
APMD cores in Kerberos authentication, when the agent tries to dereference a null authparam session variable.

Conditions:
This occurs when using client based Kerberos authentication without an authparam.

Impact:
APMD process cores and restarts.

Workaround:
None.

Fix:
If an authparam is not found in the local cache, an empty string will be returned to the caller. This is correct behavior.


458450-2 : The ECA process may produce a core file when processing HTTP headers

Component: Access Policy Manager

Symptoms:
The ECA process may produce a core file when processing HTTP headers.

As a result of this issue, you may encounter one or more of the following symptoms:

In the /var/log/apm file, you may observe log messages similar to the following example:
notice eca[20847]: 01620010:5: ** SIGSEGV **
notice eca[20847]: 01620010:5: fault time: < date >

The ECA process generates a core file in the /var/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP APM system is configured with the ECA log level of debug.
-- The ECA process receives and attempts to process an HTTP cookie header, where the cookie value is greater than 1023 characters.

Impact:
The ECA process temporarily stops processing traffic and then restarts.

Workaround:
Do not enable the debugging log.

To work around this issue, you can revert the log level setting for the ECA (log.eca.level) process back to the default of Notice. To do so, perform the following procedure:

Impact of workaround: Debug logging is disabled for the ECA process.

Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

Type the following command:
modify /sys db log.eca.level value Notice

Save the configuration change by typing the following command:
save /sys config

To exit the tmsh utility, type the following command:
quit

Fix:
ECA can properly handle HTTP cookie header longer than 1023 characters when log level is set to debug.


458348-2 : RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.

Component: Local Traffic Manager

Symptoms:
Packets originating from the RESOLV:: iRule commands and sFlow are not routed correctly when using non-default CMP hashing on external and internal VLANs.

Conditions:
External and internal VLANs have, respectively, src-ip and dst-ip cmp hashing configured.

Impact:
Packets are dropped.

Fix:
RESOLV:: iRule commands and sFlow now function correctly when using non-default CMP hashing.


458104-3 : LTM UCS load merge trunk config issue

Component: TMOS

Symptoms:
Performing the load sys ucs command does not overwrite the trunk interface configuration; it merges it with the existing setting. When loading a UCS with the RMA flag, you may not get the expected results. The expected outcome is that the trunk is overwritten, not merged.

Conditions:
Current configuration has a trunk with several interface members.

The UCS to be loaded contains the same trunk name but with other interfaces.

Impact:
The trunk incorrectly appears as merged, having both sets of interfaces.
 
The config on disk bigip_base.conf shows the correct config.
Reboot does not resolve the issue.

Workaround:
1. Restore the BIG-IP configuration to factory default settings, then load the UCS, using the following command sequence:
   load sys config default
   load sys ucs example.ucs no-license
   save sys config
2. Force the mcpd process to reload the BIG-IP configuration, then load the UCS, using the following command sequence:
   touch /service/mcpd/forceload
   load sys ucs example.ucs no-license
   save sys config

Fix:
Trunk config member interfaces are no longer merged during load. Only the trunk member interfaces defined in the config are present after a load.


457934-4 : SSL Persistence Profile Causing High CPU Usage

Component: Local Traffic Manager

Symptoms:
Some connections through a virtual server using SSL persistence hang and cause a high CPU condition in tmm.

Conditions:
This occurs only when SSL persistence is configured as the default persistence profile, and there is a fallback profile of either source_addr or dest_addr.

Impact:
Large increase in CPU usage on the box, and a percentage of SSL connections through the virtual server are delayed and eventually reset.

Workaround:
None.

Fix:
SSL Persistence Profile now operates correctly, and does not cause high CPU usage.


457760-5 : EAM not redirecting stdout/stderr from standard libraries to /var/log/apm

Component: Access Policy Manager

Symptoms:
Logs written by standard libraries to stdout/stderr were not redirected to /var/log/apm in the EAM plugin.

Conditions:
Stdout/stderr output from standard libraries is affected.

Impact:
stdout/stderr output from standard libraries was not logged, which hampered troubleshooting.

Workaround:
There is no workaround to log stdout/stderr.

Fix:
[OAM] stdout/stderr from standard libraries is now redirected to /var/log/apm.


457252-1 : tmm crash when using sip_info persistence without a sip profile

Component: TMOS

Symptoms:
Tmm crashes. You see the following in /var/log/ltm:
notice hudfilter_init: filter 'SIPP' init failed.

Conditions:
Configuring a virtual server with sip_info persistence but a sip profile is not assigned.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure you configure a sip profile on any virtual that has sip_info persistence configured.

Fix:
If you try to configure sip_info persistence on a virtual without a sip profile, you will get a validation error: 01070651:3: SIP persistence on virtual server /Common/test requires a TCP/UDP/SCTP profile, SIP profile, and cannot be used with an FTP/HTTP profile.


456911-3 : Add BIG-IP hostname to system's static DNS host entries

Component: Access Policy Manager

Symptoms:
In a GTM deployment, the BIG-IP hostname can resolve to different IP addresses. If, after a network access connection is established, a corporate resource URL resolves to an IP address other than the one used to establish the network access connection, access to that corporate URL is denied.

Conditions:
GTM deployment in which the BIG-IP network access configuration and a corporate resource resolve to a different BIG-IP system than the one to which the network access connection is established.

Impact:
Access to corporate resources might be denied.

Workaround:
Configure BIG-IP system with static host DNS entry.

Fix:
A certain scenario in GTM deployment was fixed where access to certain corporate resource might be denied despite network access connection.


456763-5 : L4 forwarding and TSO can cause rare TMM outages

Component: Local Traffic Manager

Symptoms:
In certain rare circumstances using L4 forwarding and TSO, the MSS sizes on client and server sides in combination with internal processing can cause an internal mismatch resulting in a TMM crash.

Conditions:
This applies only when using L4 forwarding virtuals with TSO; additional exact external conditions are still under investigation.

Impact:
This issue causes a failover or TMM outage.

Workaround:
This issue has no workaround at this time.

Fix:
TMM will properly handle cases when the MSS sizes would have led to underflow.


456413-5 : Persistence record marked expired though related connection is still active

Component: Local Traffic Manager

Symptoms:
A persistence record might be marked expired even though its corresponding connection is still active and passing traffic.

Conditions:
This occurs when using persistence.

Impact:
Persist records disappear in spite of flow activity that is more recent than the persist timeout.

Workaround:
Set the timeout of persist to at least 33 seconds longer than the related flow timeout.

Fix:
Persistence records are maintained when the connection and persistence timeouts are within 33 seconds of each other.


456403-2 : Citrix Storefront native protocol

Component: Access Policy Manager

Symptoms:
APM does not support native Citrix StoreFront protocol when APM is configured in proxy mode with Citrix StoreFront. It does support the legacy protocol, but this means that clients can connect to only one application.

Conditions:
This occurs in deployments using Citrix StoreFront.

Impact:
Clients can only connect to one application.

Fix:
Now APM supports native Citrix StoreFront protocol when APM is configured in proxy mode with Citrix StoreFront. To enable this protocol with existing configurations, please recreate accounts in Citrix Receiver clients.


455840-7 : EM analytic does not build SSL connection with discovered BIG-IP system

Component: Local Traffic Manager

Symptoms:
EM analytic does not build SSL connection with discovered BIG-IP system.

Conditions:
When using management SSL client profile.

Impact:
EM analytic cannot connect to discovered BIG-IP system.

Fix:
Enterprise Manager analytics now works with BIG-IP systems running version 11.5.0 or later.


455762-1 : DNS cache statistics incorrect

Component: Local Traffic Manager

Symptoms:
DNS Cache statistics might skew high due to shared information between TMMs incrementing the same statistic multiple times.

Conditions:
Any DNS Cache might see this issue.

Impact:
DNS Cache Statistics are listed as higher than they should have been.

Workaround:
This issue has no workaround.

Fix:
DNS Cache Statistics are no longer being incremented multiple times for the same action.


455651-5 : Improper regex/glob validation in web-acceleration and http-compression profiles

Component: TMOS

Symptoms:
The use of regex or glob patterns in certain MCP configuration objects leads to inconsistent parsing across MCP and TMM. For glob patterns, for example, the TMM produces an error indicating that the regex is invalid, while entries such as *.js are correctly treated as globs.

Conditions:
MCP configuration objects supporting regex and glob inclusion/exclusion patterns lead to inconsistent parsing across MCP/TMM.

Impact:
Cacheable objects are improperly cached or are not cached, or objects are deflated or are not deflated in opposition to the customer's intent.

Workaround:
None.

Fix:
The parsing of regex and glob patterns has been improved for consistent behavior across MCP and TMM.


455284-4 : Monitor traffic rejected with ICMP message, causing node down

Component: Access Policy Manager

Symptoms:
Firewall rules intended to restrict access to an APM daemon running on the BIG-IP system might incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.

Conditions:
This can occur even if a BIG-IP system is not provisioned for APM or SWG.

Impact:
This may result in monitors incorrectly failing, and pool members incorrectly marked down. A packet capture of the monitor traffic will show the BIG-IP system receive a SYN/ACK from a pool member, and respond with an ICMP port unreachable error.

Workaround:
As a workaround, add these iptables commands to the '/config/startup' script and reboot the BIG-IP system (or run the commands manually once). The first command removes the rule that rejects all TCP traffic to port 54321 with an ICMP port-unreachable error; that rule also matches the SYN/ACK a pool member returns when a monitor connection happens to use 54321 as its source port. The remaining two commands replace it with a rule that rejects only new inbound connection attempts (SYN without ACK) to that port, so the daemon stays unreachable while the monitor's replies pass:

  /sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable
  /sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
  /sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Fix:
Firewall rules no longer incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.


455264-3 : Error messages are not clear when adding member to device trust fails

Component: TMOS

Symptoms:
If you cannot reach the IP address of a device that you are adding to a device trust then the error message does not properly display in the GUI. For some errors the message is empty and for some errors the message contains unformatted xml data.

Conditions:
This problem occurs when adding a peer or subordinate to the device trust where the IP address cannot be reached.

Impact:
User cannot be sure what the problem with adding the device really is.

Workaround:
Verify that the address is correct and that you are able to route to the device you are trying to add to the device trust.

Fix:
During trust initiation, when the peer is unreachable, the system now posts the error message "This device is not found."


455020-1 : RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout

Component: Carrier-Grade NAT

Symptoms:
The smaller of the Real Time Streaming Protocol (RTSP) profile and TCP profile idle timeouts is applied to the RTP and RTCP connflows associated with an RTSP connection.

Conditions:
An RTSP virtual server whose RTSP profile idle timeout is longer than the idle timeout of its TCP profile.

Impact:
The shorter timeout (either RTSP profile or TCP profile) is used as the idle timeout on RTP and RTCP flows associated with an RTSP connection, which can leave the UDP connflows for RTP and RTCP open for a shorter period than desired.

Workaround:
To work around this issue, configure both the TCP and the RTSP profile so that the idle timeout periods are the same.

Fix:
With the fix, the RTP and RTCP timeouts use the value configured in the RTSP profile.


455006-7 : Invalid data is merged with next valid SIP message causing SIP connection failures

Component: Service Provider

Symptoms:
SIP phone connections fail.

Conditions:
SIP over UDP.

Impact:
SIP phone connections fail.

Workaround:
Create a packet filter to discard the invalid UDP datagrams.

Fix:
Invalid UDP datagrams that interfered with SIP processing are now dropped.


454692-4 : Assigning 'after' object to a variable causes memory leaks

Component: Local Traffic Manager

Symptoms:
Assigning 'after' object to a variable prevents the release of the 'after' object and its related connflow object, resulting in a memory leak for 'connflow', 'tcl (variable)', 'tclrule_pcb', and 'filter (variable)'.

Conditions:
This occurs when using the 'after' iRule command and assigning it to a variable.

Impact:
TMM crash or TMM memory usage increases.

Workaround:
Unset the variable containing the 'after' object, for example:

when RULE_INIT {
    # 'after' takes its delay in milliseconds
    set static::one_second 1000
}

when HTTP_REQUEST priority 800 {
    set LOG_MSG "deferred log for [HTTP::host][HTTP::uri]"
    # Keep the handle returned by 'after' so it can be released on close
    set SCRIPT_ID [after $static::one_second {
        log local0. "$LOG_MSG"
    }]
}

when CLIENT_CLOSED {
    # CLIENT_CLOSED fires for every connection, including ones that never
    # reached HTTP_REQUEST, so check the variable exists before unsetting it
    if { [info exists SCRIPT_ID] } {
        unset SCRIPT_ID
    }
}

Fix:
Assigning 'after' object to a variable no longer causes memory leaks.


454493-1 : VMWare View applications are not available on BIG-IP APM webtops

Component: Access Policy Manager

Symptoms:
VMWare View applications are not available on BIG-IP APM webtops.

Conditions:
Beginning in BIG-IP APM 11.6.0 HF4, VMware Horizon 6 View applications can be made available on BIG-IP APM webtops. When you integrate the BIG-IP APM system with VMware View Connection Servers, BIG-IP APM webtops can now present View applications as well as remote desktops.

Impact:
In versions prior to BIG-IP APM 11.6.0 HF4, the BIG-IP APM system can only present VMware Horizon 6 View remote desktops. VMware Horizon 6 View applications are only available from View desktop resources.

Workaround:
None needed. This is expanded functionality.

Fix:
VMware View applications are available on APM webtop now.


454492-1 : Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures

Component: Local Traffic Manager

Symptoms:
BIG-IP uses SHA1 in handshake signature, even though the client indicates support for stronger hash algorithms.

Conditions:
When BIG-IP acts as TLS server (applies to clientssl SSL Profile):

- SSL Profile "SSL Sign Hash" set to ANY. The use of other choices is not recommended.
- Client sends signature_algorithms extension that includes SHA256.
- ECDSA X.509 certificate has additional logic. If the TLS client doesn't send signature_algorithms, BIG-IP will choose SHA256.

Impact:
The updated code respects client signature_algorithms extension. If possible, BIG-IP now prefers SHA256 in the handshake signature based on the content of the signature_algorithms extension.

BIG-IP further upgrades the hash algorithm to SHA384 from SHA256 when P-384 is used, e.g. when P-384 ECDSA X.509 certificate is used in the handshake. This additional enhancement only applies to the code base starting from 12.0; it was not ported to the 11.x code base.

The signature_algorithms extension is defined in TLS 1.2. It is not present in prior versions of the protocol.

This logic attempts to avoid the use of SHA1 in TLS handshake, whenever possible. This change does not affect signatures used in X.509 certificates as these signatures are created by the X.509 CAs and not by BIG-IP.

The only time SHA1 will be used in the handshake signature is when either of the following is true:
- RSA key is used and the signature_algorithms extension is missing or
- signature_algorithms is present and only lists SHA1.
These conditions are expected to not hold for modern TLS clients, resulting in the upgrade to the SHA256 or better.

Behavior Change:
Respect client signature_algorithms extension. If possible, prefer SHA256 in handshake signature.
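The selection rules above (no extension: SHA1 for RSA, SHA256 for ECDSA; extension present: prefer SHA256, fall back to SHA1 only when SHA1 is all the client lists; the 12.0-only P-384 upgrade to SHA384) are small enough to model exactly. The following is an added example written for this page, not BIG-IP code, that parses the body of a TLS 1.2 signature_algorithms extension and applies those rules. It uses the SignatureAndHashAlgorithm code points from RFC 5246 (hash: sha1=2, sha256=4, sha384=5, sha512=6; signature: rsa=1, ecdsa=3); the extension bytes, the 'sign_hash' and 'upgrade_p384' parameters, and the choice of "strongest offered hash" when SHA256 is absent are assumptions made for the example, since the note only specifies the SHA256 and SHA1 cases.

```python
"""Model of the handshake-signature hash selection described for ID 454492-1.

Added example, not BIG-IP code. Code points are the RFC 5246 TLS 1.2
SignatureAndHashAlgorithm values; the sample extension bytes are constructed.
"""

from typing import Optional, Sequence, Tuple

HASH_SHA1, HASH_SHA256, HASH_SHA384, HASH_SHA512 = 2, 4, 5, 6
SIG_RSA, SIG_ECDSA = 1, 3
HASH_NAME = {HASH_SHA1: "sha1", HASH_SHA256: "sha256",
             HASH_SHA384: "sha384", HASH_SHA512: "sha512"}

SigAlgs = Sequence[Tuple[int, int]]

# Constructed ClientHello extension body: sha256/rsa, sha256/ecdsa, sha1/rsa.
MODERN_CLIENT_EXTENSION = b"\x00\x06\x04\x01\x04\x03\x02\x01"


def parse_signature_algorithms(ext_body: bytes) -> list:
    """Parse a TLS 1.2 signature_algorithms extension body (RFC 5246 7.4.1.4.1):
    a 2-byte length followed by (hash, signature) byte pairs."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    n = int.from_bytes(ext_body[:2], "big")
    pairs = ext_body[2:]
    if n != len(pairs) or n % 2:
        raise ValueError("signature_algorithms length does not match body")
    return [(pairs[i], pairs[i + 1]) for i in range(0, n, 2)]


def choose_handshake_hash(key_type: int, sig_algs: Optional[SigAlgs],
                          curve_bits: Optional[int] = None,
                          sign_hash: str = "any",
                          upgrade_p384: bool = False) -> str:
    """Return the hash used to sign the ServerKeyExchange.

    key_type:     SIG_RSA or SIG_ECDSA, the server certificate's key type
    sig_algs:     parsed client signature_algorithms, or None when absent
                  (TLS 1.0/1.1 clients, or a TLS 1.2 client that omits it)
    curve_bits:   EC curve size for ECDSA keys (384 for P-384)
    sign_hash:    the profile's "SSL Sign Hash" option; anything other than
                  "any" pins the hash and bypasses negotiation (assumed name)
    upgrade_p384: the 12.0+ SHA384 upgrade for P-384 ECDSA (not in 11.x)
    """
    if sign_hash != "any":
        return sign_hash
    if sig_algs is None:
        # Without the extension an RSA key falls back to SHA1 (the remaining
        # SHA1 case in the note); an ECDSA key is signed with SHA256.
        return "sha1" if key_type == SIG_RSA else "sha256"
    # Only pairs naming our key type are usable (RFC 5246 semantics).
    offered = {h for h, s in sig_algs if s == key_type}
    if HASH_SHA256 in offered:
        # Assumption: the P-384 upgrade only applies when the client also
        # offered SHA384, so the server never signs with an unoffered hash.
        if (upgrade_p384 and key_type == SIG_ECDSA and curve_bits == 384
                and HASH_SHA384 in offered):
            return "sha384"
        return "sha256"
    # Assumption for this example: SHA256 absent but a stronger hash offered,
    # take the strongest one the server knows.
    stronger = [h for h in offered if h > HASH_SHA1 and h in HASH_NAME]
    if stronger:
        return HASH_NAME[max(stronger)]
    # Client listed only SHA1 (or nothing usable; this model treats that the same).
    return "sha1"


if __name__ == "__main__":
    algs = parse_signature_algorithms(MODERN_CLIENT_EXTENSION)
    print("modern client, RSA key:   ", choose_handshake_hash(SIG_RSA, algs))
    print("no extension,  RSA key:   ", choose_handshake_hash(SIG_RSA, None))
    print("no extension,  ECDSA key: ", choose_handshake_hash(SIG_ECDSA, None))
    print("SHA1-only client, RSA key:", choose_handshake_hash(SIG_RSA, [(HASH_SHA1, SIG_RSA)]))
```

To confirm what a given BIG-IP actually negotiates, capture a handshake and check the SignatureAndHashAlgorithm field of the ServerKeyExchange message against what this model predicts for that client's offer.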


453959-3 : UDP profile improvement for flexible TTL handling

Component: Policy Enforcement Manager

Symptoms:
The UDP virtual used by PEM treats TTL differently than the standard UDP forwarding virtual. The standard UDP forwarding virtual decrements TTL whereas the PEM UDP virtual reinitializes TTL to 255. In the event that there is a routing loop in the network which traverses a BIG-IP running PEM, this behavior would prevent TTL from expiring and thus exacerbate the effects of the loop.

Conditions:
TTL handling differs between a standard LTM UDP virtual server and a PEM UDP virtual server (with PEM enabled).

Impact:
A PEM virtual doesn't have the flexibility to decrement the TTL value on PEM UDP listener because it is always reset to 255.

Workaround:
There is no workaround for this.

Fix:
With this improvement, you can define the TTL handling behavior (decrement by 1 vs. reset to 255). This is done by changing the tmm.udp.ttl.mode db variable on the 11.6.0 hotfix:

tmsh modify sys db tmm.udp.ttl.mode value "decrement"


452482-7 : HTTP virtual servers with cookie persistence might reset incoming connections

Component: Local Traffic Manager

Symptoms:
An incoming TCP connection to an HTTP virtual server receives a RST during the 3-way handshake.

Conditions:
Incoming connection matches existing cookie persistence record and would be persisted to a pool member whose connection limit has been reached.

Impact:
TCP connection fails.

Fix:
Cookie persistence records are ignored when the connection limit of the persisted pool member has been reached. As a result, incoming connections are directed to another pool member (if one is available).


452464-4 : iClient does not handle multiple messages in one payload.

Component: Access Policy Manager

Symptoms:
iClient does not handle multiple messages in one payload leading to possible memory leak symptoms.

Conditions:
If by chance multiple messages arrive as one from the BIG-IP Edge Client.

Impact:
Possible memory leak symptoms.

Workaround:
This issue has no workaround at this time.

Fix:
If multiple messages arrive from BIG-IP Edge Client in one payload, the system processes them correctly.


452443-2 : DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured

Component: Local Traffic Manager

Symptoms:
DNS cache resolver or validating resolver does not function properly and fails to resolve DNS requests.

Conditions:
BIG-IP system is using non-default cmp hashes configured on its egress VLANs.

Impact:
It is difficult to both use non-default cmp hashes on system VLANs and use a DNS cache resolver on the same BIG-IP system.

Workaround:
Configure a separate VLAN for the cache resolver's use that uses the default cmp hash. Set the system's default route to direct resolver traffic to this VLAN. This VLAN can be placed in a new route domain, if other features require route domain zero's default route pointing elsewhere.

Fix:
DNS cache resolver or validating resolver now functions properly, successfully resolving DNS requests when using non-default cmp hashes configured on its egress VLANs.


452439-5 : TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads

Component: Local Traffic Manager

Symptoms:
There is a race condition in the library used by the AFM sweep/flood feature. When sweep/flood is enabled and a single TMM process has multiple threads, one thread may access memory that another thread has already released, and TMM may crash on the invalid memory access.

Conditions:
(1) AFM sweep/flood enabled
(2) A single TMM process has multiple threads.
(3) race condition occurs

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable TMM multi-threading, or disable sweep/flood detection.

Fix:
TMM will not crash when enabling DOS sweep/flood detection feature regardless of threading.


452416-1 : tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values

Component: Access Policy Manager

Symptoms:
On a multi-blade chassis, tmctl leasepool_stat for some slots may not be in sync. In addition, query of snmp apmLeasepoolStatTable returns values that do not match the tmctl leasepool_stat output for the current primary slot.

Conditions:
The issue occurs after a blade or tmm of a blade restarts.

Impact:
Incorrect stats only. No impact to functionality.

Fix:
The system now uses the correct system object to track current primary slot, which ensures that counters in leasepool_stat that have global context (that is, cur_member, cur_assigned, cur_free, max_assigned) are synced to all blades.


452293-4 : Tunneled Health Monitor traffic fails on Standby device

Component: TMOS

Symptoms:
Monitor traffic fails on the Standby devices when using a floating local endpoint address for the tunnels.

Conditions:
Tunnels are configured with a floating local endpoint address.

Impact:
Failover takes longer because the status of the pool server on the Standby device needs to be rediscovered upon failover.

Workaround:
This issue has no workaround at this time.

Fix:
Monitors now work on the Standby devices in an HA configuration.


452010-3 : RADIUS Authentication fails when username or password contain non-ASCII characters

Component: Access Policy Manager

Symptoms:
RADIUS Authentication fails when the logon name contains non-ASCII characters.

The problem is caused due to failure in conversion from UTF-8 to Windows-1252.

Conditions:
RADIUS authentication is configured and username/password contain non-ASCII characters.

Impact:
Users are not able to log in.

Workaround:
There is no workaround for this issue.

Fix:
Now it is possible to configure charset decoding behavior. You can decode usernames and passwords into CP-1252 (original behavior) or use UTF-8 charset (in this case, RADIUS Auth sends the username and password unmodified).


451494-2 : SSL Key/Certificate in different partition with Subject Alternative Name (SAN)

Component: TMOS

Symptoms:
You are unable to create an SSL key/certificate in partition other than Common, with Subject Alternative Name (SAN)

Conditions:
In a partition other than Common, create a new SSL key/certificate with SAN.

Impact:
SSL key/certificate is not created.

Workaround:
Use tmsh to create an SSL key/certificate with SAN in a partition other than Common.

Fix:
You can now create an SSL Key/Certificate in partition other than Common, with Subject Alternative Name (SAN).


451433-7 : HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)

Component: TMOS

Symptoms:
Combining HA group with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe results in traffic going to failed device.

Conditions:
HA-group should not be combined with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe. If these mechanisms are combined, the failsafe causes all traffic groups to go to standby on the failed device.

Impact:
Because the HA Group score might favor the failed device, there could be no active traffic group on any device.

Workaround:
Replace the failover VLAN or Gateway with an HA group. Note: HA group should not be combined with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe. If these mechanisms are combined, the failsafe causes all traffic groups to go to standby on the failed device.

Fix:
If a device goes to standby due to a failsafe operation, the HA Group Scores on that device are forced to zero, so that the traffic groups can become active on an active device. This is the correct behavior.

Behavior Change:
In the previous code, if a user configured both HA Group Score and an HA Failsafe, when the failsafe triggered, all traffic groups on the failed device would transition to Standby. However, the group score for that device would remain at the prior value so that the traffic group would not become active on another device. The result was a traffic group that was not active on any device.

With this change, the traffic group score on the failed device is forced to 0, since the failsafe condition indicates that the device is not acceptable to host any traffic group. The HA Group scoring algorithm then activates the traffic group on the best remaining non-failed device.
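The behavior change is easiest to see as a small election model. The following is an added example written for this page (not BIG-IP code) that models the rule the note describes: a device on which a failsafe has fired cannot host the traffic group, a traffic group activates only on the highest-scoring device, and after the fix the failed device's score is forced to 0. Device names and scores are constructed for the example; 'zero_score_on_failsafe' selects the old (False) or fixed (True) behavior.

```python
"""Model of HA group election before and after ID 451433-7.

Added example, not BIG-IP code. Device names and scores are constructed.
"""

from typing import Dict, Iterable, Optional


def elect_active(scores: Dict[str, int], failed: Iterable[str],
                 zero_score_on_failsafe: bool) -> Optional[str]:
    """Return the device that should host the traffic group, or None when
    no device can become Active.

    scores: HA group score per device
    failed: devices on which VLAN/Gateway Failsafe forced all traffic groups
            to Standby
    zero_score_on_failsafe: False models the old behavior, True the fixed one
    """
    failed = set(failed)
    effective = {
        device: (0 if (device in failed and zero_score_on_failsafe) else score)
        for device, score in scores.items()
    }
    eligible = [device for device in effective if device not in failed]
    if not eligible:
        return None
    # A traffic group only becomes active on the highest-scoring device.
    best = max(eligible, key=lambda device: effective[device])
    # Old behavior: the failed device keeps its score, so it can still
    # out-score every healthy device, and then nobody becomes Active.
    if any(effective[device] > effective[best] for device in failed):
        return None
    return best


def demo():
    """Same failure on the higher-scoring device, old vs. fixed behavior."""
    scores = {"bigip-a": 100, "bigip-b": 80}      # constructed HA group scores
    before = elect_active(scores, {"bigip-a"}, zero_score_on_failsafe=False)
    after = elect_active(scores, {"bigip-a"}, zero_score_on_failsafe=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("old behavior: active on", before)   # None: no Active device anywhere
    print("fixed:        active on", after)    # bigip-b takes over
```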


451301-1 : HTTP iRules break Citrix HTML5 functionality

Component: Access Policy Manager

Symptoms:
HTTP iRules break Citrix HTML5 functionality.

Conditions:
This issue occurs when an HTTP iRule is used on the Citrix HTML5 virtual server.

Impact:
Citrix HTML5 functionality breaks.

Workaround:
Use "priority 1" for HTTP iRules.

Fix:
Now HTTP iRules do not affect Citrix HTML5 functionality.


451224-3 : IP packets that are fragmented by TMM, the fragments will have their DF bit

Component: Local Traffic Manager

Symptoms:
When TMM fragments IP packets, the fragments have their DF bit set if tm.pathmtudiscovery is set to enable (the default setting for this db variable). This is fully compliant with the RFC standards and is the correct behavior.

Conditions:
An IP packet needs to be fragmented by TMM because of an MTU restriction on the egress VLAN/interface, and a non-RFC-compliant downstream switch does not accept the DF bit being set in IP fragments.

Impact:
Non-RFC-compliant switches from other vendors may reject a fragment that has the DF bit set, so the packet is dropped or treated as a bad packet by those switches.

Workaround:
Setting tm.pathmtudiscovery to disable results in the DF bit not being set on the fragments.

Fix:
A new db variable, tm.pathmtudontfragoverride, has been introduced. If its value is changed from 'disable' (the default) to 'enable', the DF bit is not set in IP fragments generated by TMM.


451218-2 : TLS1.x padding vulnerability CVE-2014-8730.

Vulnerability Solution Article: K15882


450814-10 : Early HTTP response might cause rare 'server drained' assertion

Component: Local Traffic Manager

Symptoms:
Early HTTP response from the server might cause 'server drained' assertion and traffic disruption.

Conditions:
This occurs when the server sends an early response, which might occur if the server responded before the system completed processing the entire incoming HTTP request data from the client.

A filter other than HTTP is also required on the chain.

Impact:
The system posts a 'server drained' assertion and traffic is disrupted.

Workaround:
None, however, this issue occurs very rarely.

Fix:
HTTP will not cause a "server drained" assertion if a server ends a connection in an early server response.


450241-3 : iControl error when discover ASM from EM

Component: Application Security Manager

Symptoms:
The iControl request for iControl:ASM/Policy::get_list() fails.

EM connections to ASM devices fail.

Conditions:
The iControl call into the ASM portion of iControl fails and produces an error message similar to the following:

<faultstring
     xsi:type="xsd:string">Exception caught in ASM::urn:iControl:ASM/Policy::get_list()
    Exception: Common::OperationFailed
     primary_error_code : 0 (0x00000000)
     secondary_error_code : 0
     error_string : Unset policy</faultstring>

Impact:
Discovery and refreshing devices fails, and EM cannot manage devices with ASM.

Workaround:
This issue has no workaround.

Fix:
EM can now discover ASM devices.


450033-5 : Sometimes VMware View client 2.3 for Windows can't launch desktops via APM

Component: Access Policy Manager

Symptoms:
Sometimes VMware View client 2.3 for Windows cannot launch desktops using APM.

Conditions:
APM configured as PCoIP Proxy.

Impact:
VMware View client 2.3 for Windows cannot launch desktops.

Workaround:
Apply the following iRule:

when HTTP_REQUEST {
    if { [HTTP::path] == "/broker/xml" && [HTTP::header Expect] == "100-continue" } {
        SSL::respond "HTTP/1.0 100 Continue\r\n\r\n"
    }
}

Fix:
VMware View client 2.3 for Windows can consistently launch desktops using APM.


449891-7 : Fallback source persistence entry is not used when primary SSL persistence fails

Component: Local Traffic Manager

Symptoms:
The existing source persistence record is not used as fallback for a second SSL request from the same source. The second request may be load balanced to a different pool member than the first one. Sometimes multiple source persistence records may be created pointing to different pool members.

Conditions:
SSL persistence is configured as the primary persistence method on an SSL VIP.
Source persistence is configured as the fallback persistence method.
The same client sends a second SSL request, but with a different session ID, so that the SSL persistence lookup fails.

Impact:
Requests are load balanced to different pool members instead of the same one. In other words, source fallback persistence does not work.

Workaround:
There is no workaround for this issue.

Fix:
Fallback source persistence entry is now used when primary SSL persistence fails.


449453-5 : Loading the default configuration may cause the mcpd process to restart and produce a core file.

Component: TMOS

Symptoms:
Loading the default configuration may cause the mcpd process to restart and produce a core file.

Conditions:
This issue occurs when the following condition is met:

After you successfully load a UCS file that was created on a different system, you attempt to restore the system to factory defaults by loading the default configuration.
When you load the default configuration, if the mcpd process is unable to decrypt the master-key, or attributes exist that were encrypted with a key other than the current master-key, the mcpd process restarts and produces a core file. These situations may occur if an RMA has occurred and you install a UCS from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.

Impact:
The BIG-IP system may temporarily fail to process traffic and fail over if configured as part of a high-availability system.

Workaround:
None.

Fix:
Fixed crashes in mcpd and other daemons when the master-key cannot be decrypted, or when attributes exist that were encrypted with a key other than the current master-key. These situations may occur when an RMA occurs, when moving a UCS from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.


448493-10 : SIP response from the server to the client gets dropped

Component: Service Provider

Symptoms:
SIP responses are not forwarded to the client. Instead, the system drops those SIP responses.

Conditions:
This occurs when using SIP OneConnect with an iRule that uses the node/snat command in the SIP_RESPONSE event to direct the SIP response from the server.

Impact:
Some SIP flows do not complete, which affects the SIP clients.

Workaround:
Remove the node/snat command from SIP_RESPONSE event processing in the iRule.

Fix:
The iRules node/snat command in the SIP_RESPONSE event now works correctly.


447874-5 : TCP zero window suspends data transfer

Component: Local Traffic Manager

Symptoms:
An HTTP pipelined request might cause the TCP window to stay at 0 and never recover.

Conditions:
This intermittent issue occurs when HTTP pipeline requests are sent, and those requests use the GET method.

Impact:
When this occurs, the resulting TCP zero window suspends data transfer. It is possible that the TCP window will be reduced to 0 (zero) and never recover.

Workaround:
None.

Fix:
HTTP pipelined requests that use the GET method no longer cause the TCP window to stay at 0.


447302-3 : APM incorrectly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.

Component: Access Policy Manager

Symptoms:
When your access policy uses 'redirect' as the ending (policy result is 'redirect'), Citrix ICA Patcher fails with error:
Jan 29 04:17:15 bigip3 err tmm[29825]: 01490000:3: ICA Patcher: Invalid session a5cced0f8a360d58829a8551b6bed4e8

Conditions:
This can be encountered if your access policy ends with Redirect instead of Allow.

Impact:
Clients will be unable to connect.

Workaround:
Use the 'allow' policy ending and perform the redirect in the ACCESS_POLICY_COMPLETED event.

Fix:
APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.


447272-2 : Chassis with MCPD audit logging enabled will sync updates to device group state

Component: Local Traffic Manager

Symptoms:
If mcpd audit logging is enabled on a chassis, updates to device group state will be recorded on every configuration change, even if CMI is not configured or no synchronizable object was modified.

Conditions:
This only applies on chassis systems with at least one secondary blade, and the log messages only appear if mcpd audit logging is enabled.

Impact:
Updates to device group state will be recorded on every configuration change.

Workaround:
This issue has no workaround at this time.

Fix:
If mcpd audit logging is enabled on a chassis, updates to device group state were in past versions recorded on every configuration change, even if CMI was not configured or no synchronizable object was modified. This no longer happens, and these log messages are now only generated if the state actually changes.


447254-1 : Core in parked transaction due to evicted stand-in document

Component: WebAccelerator

Symptoms:
TMM cores in a previously parked transaction.

Conditions:
* Stand-in is enabled on the policy.
* Request queueing is turned on in the policy.
* The document may have been removed from the entity because it did not match the policy on the node.

Impact:
Loss of service.

Workaround:
* Disable stand-in and/or request queueing.

Fix:
TMM will no longer crash. If the stand-in document is NULL, the transaction will be bypassed and treated as if not found in cache.


447075-1 : CuSFP module plugged in during links-down state will cause remote link-up

Component: TMOS

Symptoms:
If a CuSFP module is plugged into a port that is in a links-down state while connected via a cable to a remote switch or other network connection, the remote switch will report a links-up state.
A port on the BIG-IP or VIPRION device may be in a links-down state while BIG-IP is not in a running state, or if the network interface has been administratively disabled.

Conditions:
Issue has been primarily observed with VIPRION B2100 or B2150 blades.
However, the problem could potentially occur on other VIPRION blades or BIG-IP appliances which employ a Broadcom hardware switch (i.e., most F5 hardware products).
BIG-IP appliances which do NOT employ a Broadcom hardware switch include:
BIG-IP 2000-/4000-series appliances.

Impact:
The remote switch may erroneously attempt to direct traffic to what is seen as an active link, which the BIG-IP or VIPRION device will not be able to process.

Workaround:
You may work around this problem by any of the following methods:
1. Unplug the cable connecting the CuSFP (Copper SFP) module to the remote network connection before plugging the CuSFP into the port on the BIG-IP or VIPRION device.
2. Wait until the port on the BIG-IP or VIPRION device is in an enabled/links-up state before plugging in the CuSFP.
3. Enable the port on the BIG-IP or VIPRION device after plugging in the CuSFP.

Fix:
A remote network connection no longer shows as Up/Link when a CuSFP module is plugged into a port on a BIG-IP or VIPRION device that is in a links-down state, while connected via a cable to the remote switch/other network connection.


447043-3 : Cannot have 2 distinct 'contains' conditions on the same LTM policy operand

Component: Local Traffic Manager

Symptoms:
Cannot express conditions such as "user-agent contains 'Android' AND 'Mobile'". LTM policies have operands that can be matched against a set of values, causing a match when the operand matches any one of these values. There is no way with the current functionality to require a match on all of the values. One specific situation in which this is needed is to combine multiple 'contains' conditions.

Conditions:
Specify an LTM rule with two conditions that have the same operand and match type, for example:

           conditions {
                0 {
                    http-header
                    name User-Agent
                    contains
                    values { Android }
                }
                1 {
                    http-header
                    name User-Agent
                    contains
                    values { Mobile }
                }

Impact:
The policy does not work. The system posts an error message similar to the following: Failed to compile the combined policies.

Fix:
LTM policies now allow rules to have multiple conditions on the same operand with the same match type, so that "user-agent contains 'Android' AND 'Mobile'" can now be expressed by specifying:

           conditions {
                0 {
                    http-header
                    name User-Agent
                    contains
                    values { Android }
                }
                1 {
                    http-header
                    name User-Agent
                    contains
                    values { Mobile }
                }


447013-4 : The Citrix Client Detection process may incorrectly prompt for the installation of client software.

Component: Access Policy Manager

Symptoms:
The Citrix Client Detection process may incorrectly prompt for the installation of client software.

As a result of this issue, you may encounter one or more of the following symptoms:

-- During subsequent access sessions, when accessing the Citrix resource, the webtop session displays the message "Citrix client not detected".
-- Clicking the Skip button of the Citrix client download allows the Citrix session to initiate.
-- Enabling the "Add APM virtual server to the Internet Explorer Compatibility view" setting eliminates the "Citrix client not detected" prompt.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM system is configured for Citrix replacement mode.
-- You are using Internet Explorer 11.
-- Citrix client software is installed on your device.
-- You establish a new access session and attempt to access the Citrix resource.

Impact:
The BIG-IP APM webtop prompts you to install the Citrix client software.

Workaround:
To work around this issue, you can add the BIG-IP APM virtual server to the Internet Explorer Compatibility view setting on the client device.

Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.

Fix:
The Citrix Client Detection process no longer incorrectly prompts for the installation of client software.


446860-4 : APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348

Component: Access Policy Manager

Symptoms:
APM Exchange Proxy does not honor the tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 (ActiveSync client fails to log in to APM with a large POST body).

Conditions:
An ActiveSync client with a large POST body tries to log in to APM.

Impact:
An ActiveSync client with a large POST body cannot log in, even when the tmm.access.maxrequestbodysize DB variable is configured.

Workaround:
This issue has no workaround at this time.

Fix:
APM Exchange Proxy now honors the tmm.access.maxrequestbodysize DB variable.

Set the tmm.access.maxrequestbodysize DB variable to a value larger than the maximum email body size you want to support.
The maximum supported value is 25000000 (25MB).


446830-3 : Current Sessions stat does not increment/decrement correctly.

Component: Local Traffic Manager

Symptoms:
Current Sessions stat does not increment/decrement correctly.

Conditions:
On a virtual server with an HTTP filter, if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response, the pool member's cur_sessions stat is incremented but not decremented.

Impact:
It is difficult to determine an accurate number of current sessions. The Current Sessions stat appears unexpectedly large, for example, "Current Sessions : 18446744073709551615" rather than the expected "Current Sessions : 0".

Workaround:
None.

Fix:
On a virtual server with an HTTP filter, Current Sessions stat now increments/decrements correctly if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response.


446526-7 : TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
When a TCP virtual server, or a UDP virtual server without datagram-LB mode enabled, runs an iRule which suspends itself, and the traffic that virtual server is handling is destined for the DNS cache, subsequent responses attempting to execute an iRule crash TMM because the first response is suspended. Those subsequent responses should be queued before attempting to execute the iRule.

Conditions:
Configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable datagram-LB mode on the UDP profile. There is no workaround in the case of TCP.

Fix:
TMM no longer restarts when configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.


445911-6 : TMM fast forwarded flows are offloaded to ePVA

Component: TMOS

Symptoms:
TMM fast forwarded flows are offloaded to ePVA, which is incorrect behavior.

The symptom varies depending on the FastL4 profile's PVA acceleration setting.

If PVA acceleration is set to full, then the connection is established and handled by software (TMM). It is not offloaded to the ePVA.

If PVA acceleration is set to guaranteed, then the connection will be reset.

Conditions:
This occurs when a virtual server is configured with a FastL4 profile that uses hardware acceleration (ePVA).

Impact:
TMM fast forwarded flows are offloaded to ePVA, which is incorrect behavior.

Workaround:
For versions 11.3.x and 11.4.0, there is no workaround. On version 11.4.1 or later, you can use the following command to turn off tmm fast forward when using the guaranteed hardware acceleration mode: 'tmsh modify sys db tmm.ffwd.enable value false'.

Fix:
TMM fast forwarded flows are no longer offloaded to ePVA, which is correct behavior.


444710-6 : Out-of-order TCP packets may be dropped

Component: Local Traffic Manager

Symptoms:
An out-of-order TCP packet is dropped if it arrives during the 3-way handshake.

Conditions:
A client initiates a TCP connection to the BIG-IP system, and its ACK segment arrives after (i.e., out of order with) a second packet.

Resultant sequence:

1. Client - BIG-IP : SYN
2. BIG-IP - Client : SYN-ACK
3. Client - BIG-IP : PSH, ACK (w/Segment #2) -- out of order; must be retransmitted.
4. Client - BIG-IP : ACK (w/Segment #1)

Impact:
The packet must be retransmitted by the client.

Workaround:
None.

Fix:
Out-of-order segments received before the 3-way handshake (3WHS) is completed are no longer dropped.


443298-2 : FW Release: Incorporate VIPRION 2250 LOP firmware v1.20

Component: TMOS

Symptoms:
This is a standard bug used for tracking the incorporation of Firmware changes.

Conditions:
The purpose of this change is to integrate a firmware package into the BIG-IP build.

Impact:
None expected.

Workaround:
None.

Fix:
FW Release: Incorporated VIPRION 2250 LOP firmware v1.20 into BIG-IP.


443006-1 : In low memory situations initializing the HTTP parser will cause the TMM to crash

Component: Local Traffic Manager

Symptoms:
When the TMM is low in memory and HTTP is configured, the configuration process may initialize a new HTTP parser. If that initialization fails, then the TMM may crash.

Conditions:
A virtual server with an HTTP profile is configured or re-configured while TMM is under extreme memory pressure.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Configuring an HTTP filter during extreme memory pressure no longer causes TMM to crash.


442884-1 : TMM assert "spdy pcb initialized" in spdy_process()

Component: Wan Optimization Manager

Symptoms:
TMM assert "spdy pcb initialized" in spdy_process() caused by a HUDEVT_ABORTED on a zero'd SPDY ctx from iSession.

Conditions:
This may happen when using APM + iSession + the SPDY filter.
The problem happens when the iClient unexpectedly closes the connection (by sending a FIN) before the handshake completes.
The FIN forces a HUDEVT_ABORTED that may reach SPDY before HUDEVT_FLOW_INIT (because the INIT event may be delayed in iSession by the handshake).

We believe the iClient sends the FIN as a result of some misconfiguration.

Impact:
TMM asserts.

Workaround:
1. Fix the iClient configuration.
2. Remove the SPDY profile from the chain.

Fix:
The iSession code now serves the HUDEVT_ABORTED and HUDEVT_FLOW_INIT events properly.
If HUDEVT_ABORTED arrives and the HUDEVT_FLOW_INIT event has not yet been passed up, iSession first sends up HUDEVT_FLOW_INIT and only then forwards HUDEVT_ABORTED.


442871-1 : BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances created using OpenStack interfaces may fail to detect the Kernel-based Virtual Machine (KVM) hypervisor.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are deploying a BIG-IP VE instance on a KVM hypervisor.
-- You are using the OpenStack interface tool set to perform the deployment.

Impact:
As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP VE instance fails to start.
-- When starting the BIG-IP VE instance, diagnostic messages may indicate that the hypervisor is not recognized.

Workaround:
To work around this issue, you can modify your OpenStack compute nodes to run all instances as KVM. To do so, perform the following procedure:

Note: The workaround assumes that your compute nodes use KVM as the default hypervisor.

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to the OpenStack compute node as the root user.
2. Using an editor, create a file in the /etc/nova directory named release.
3. Add the following content to the new file:

[Nova]
vendor = Red Hat
product = Bochs
package = RHEL 6.3.0 PC

4. Restart all services or reboot the compute node.
5. Redeploy a new BIG-IP VE instance using the OpenStack interface tool set.

Fix:
BIG-IP VE instances created using OpenStack interfaces now detect the KVM hypervisor. Important: If you performed the steps to work around this issue (as described in the known issue for this bug), removing the workaround might require a license change.


442698-10 : APD Active Directory module memory leak in exception

Component: Access Policy Manager

Symptoms:
The APD Active Directory module might leak memory if an exception happens.

Conditions:
An exception happens while a request is being processed.

Impact:
The session request fails, and apd leaks memory.

Workaround:
N/A

Fix:
APD is now more robust and handles exceptions in the AD module properly.


442647-5 : IP::stats iRule command reports incorrect information past 2**31 bits

Component: Local Traffic Manager

Symptoms:
Due to a mistaken internal object-size conversion, the statistical data used by the IP::stats iRule command reports a negative number when the data exceeds 2**31.

Conditions:
After more than 2 gigabytes or 2 billion packets have been transferred on a connection, IP::stats commands in an iRule on that connection show a negative number.

Impact:
iRules cannot rely on the validity of the IP::stats counters when more than 2 gigabytes have been transferred.

Workaround:
Upgrade to a fixed version.

Fix:
iRules now use a 64-bit object for these counters.


442539-1 : OneConnect security improvements.

Component: Local Traffic Manager

Symptoms:
OneConnect security improvements.

Conditions:
OneConnect security improvements.

Impact:
OneConnect security improvements.

Workaround:
None.

Fix:
OneConnect security improvements.


442535-5 : Time zone changes do not apply to log timestamps without tmm restart

Component: Advanced Firewall Manager

Symptoms:
When the timezone of the BIG-IP system changes, logging timestamps are not updated to the new timezone.

Conditions:
This occurs when the timezone of the BIG-IP system changes.

Impact:
In /var/log/ltm, messages from other processes carry the correct time, but tmm log messages carry the incorrect time. The time remains incorrect until tmm or the system is restarted. Processes that depend on a correct local time in tmm may also be affected.

Workaround:
Run one (or both) of the following commands: in tmsh, 'restart tmm'; from the command line, 'bigstart restart tmm'.

Fix:
'tmsh modify sys ntp timezone <timezone>' now sends a message to TMM so that it reloads the timezone.


442231-2 : Pendsect log entries have an unexpected severity

Component: TMOS

Symptoms:
Pendsect logs non-errors with a 'warning' severity.

Conditions:
This occurs when pendsect is executed.

Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: "warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected". This is not an error; the message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.

Workaround:
None needed. This is cosmetic.

Fix:
The severity level of various logs generated by the pendsect script has been adjusted, so that informational messages are no longer logged as warnings.


441512-4 : ConfigSync failing with sFlow error

Component: TMOS

Symptoms:
An sFlow error may occur during sync of a device.

Conditions:
Exact conditions are unknown and difficult to reproduce, but some possible conditions include sync operations following delete/create of a virtual server or profiles (either directly or by deleting/creating an iApp), sync following failover,

Impact:
Sync might fail, which can impact connection mirroring and other system operations. The system posts an sflow message similar to the following: 'Can't save/checkpoint DB object, class:sflow_http_virtual_data_source status:13'.

Workaround:
Force the mcpd process to reload the BIG-IP configuration. For more information, see SOL13030, Forcing the mcpd process to reload the BIG-IP configuration, available here: Link: https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html.

Fix:
Sync now completes successfully, without the sflow error.


441355-1 : Enable change password within vmview client when password doesn't meet the AD policy requirements

Component: Access Policy Manager

Symptoms:
Previously, the VMware View client hung or disconnected if an attempt to change an expired password failed because the new password did not meet the AD policy requirements.

Conditions:
The user's password is expired, but the new password provided does not meet the policy requirements.

Impact:
The VMware View client freezes or hangs, leaving the user without an explanation.

Fix:
Improved VMware View native client error reporting and prompting for the new password.


441297-3 : Trunk remains down and interface's status is 'uninit' after mcpd restart

Component: TMOS

Symptoms:
The trunk is down, the interface status is 'uninit', and log files indicate that mcpd restarted.

Conditions:
This occurs upon mcpd restart on 2000/4000 series platforms.

Impact:
Failover occurs as a result of the mcpd restart, and trunks are unable to pass traffic. The interfaces that report the status 'uninit' are able to pass traffic after mcpd and related services restart; that message is cosmetic only.

Workaround:
Run the command 'tmsh restart sys service pfmand'. Restarting pfmand updates the interface status, which in turn updates the trunk status.

Fix:
Trunk now comes up without error messages after mcpd restarts on 2000/4000 series platforms.


441239-1 : Event Correlation is not enabled on vCMP guests if the disk is SSD.

Component: Application Security Manager

Symptoms:
The event correlation page reports "event correlation not supported on this platform".

Conditions:
This can occur when viewing event correlation on vCMP guests.

Impact:
Event correlation does not work on vCMP guests.

Fix:
Event Correlation is now enabled on vCMP guests if the disk is SSD, but only if the host is running BIG-IP version 11.6.0 HF4 or later.


441058 : TMM can crash when a large number of SSL objects are created

Component: Local Traffic Manager

Symptoms:
Administrative operations that trigger a full reload of SSL cert, key, or CRL files can cause TMM to abort: TMM misses its heartbeat, at which point the sod daemon kills it with SIGABRT.

Conditions:
Configuration contains a large number of SSL certs, keys and/or CRLs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove any unused SSL objects from configuration.

Fix:
The system now loads the virtual IP addresses and associated SSL Certs/Keys in batches, so that TMM config load no longer exceeds its allowed CPU time.


440752-1 : qkview might loop writing output file if MCPD fails during execution

Component: TMOS

Symptoms:
If a problem arises with MCPD while qkview is executing, qkview may enter a loop in which it continually writes the line "end_transaction" to the file ./mcp_module.xml.

Conditions:
1. qkview is run while mcpd is executing properly.
2. mcpd enters unstable state while qkview is running.

Impact:
Disk can fill up, causing a system failure.

Workaround:
Do not run qkview if mcpd has been acting unpredictably.

Fix:
Qkview MCP module has been corrected to prevent qkview from looping infinitely when failing to connect to MCPD.


440346-5 : Monitors removed from a pool after sync operation

Component: TMOS

Symptoms:
Monitors might be removed from a pool after sync operation.

Conditions:
This occurs when devices are in a failover device group, the group contains a pool with multiple health monitors enabled, and a sync is performed using the 'Overwrite Configuration' option.

Impact:
Monitors might be removed from a pool on the devices that received a sync.

Fix:
Monitors are no longer removed from a pool on the devices that received a sync.


440154-3 : When IKEv2 is in use, user can only associate one Traffic Selector object with the IKE Peer object

Component: TMOS

Symptoms:
Only one Traffic Selector can be associated with an IKE Peer when IKEv2 is in use.

Conditions:
IKEv2 is selected to negotiate the IPsec tunnel.

Impact:
The user can only associate one Traffic Selector per IKE Peer.

Fix:
The user can now associate multiple Traffic Selector MCP objects with one IKE Peer object.


439880-2 : NTLM authentication does not work due to incorrect NetBIOS name

Component: Access Policy Manager

Symptoms:
Internally, the BIG-IP system assumes that the NetBIOS name always matches the prefix of the DNS name. For example, if the domain name is sales.company.com, then the NetBIOS name must be SALES. If the NetBIOS name does not meet this assumption, NTLM and/or Kerberos front-end authentication never work even when configured correctly.

Under a Disjoint Namespace Scenario deployment, the NetBIOS name and prefix of the DNS name do not match, and the BIG-IP system cannot establish an SCHANNEL with the Active Directory server.

Conditions:
The NetBIOS name does not match the prefix of the DNS name.

Impact:
NTLM front-end authentication does not work, because there is no SCHANNEL to Active Directory that can be used to verify the user's credentials.

Workaround:
Change the Active Directory deployment so that its NetBIOS name matches the prefix of its DNS name.

Fix:
BIG-IP 11.6.0 HF6 introduced the Apm.NetBIOS.DomainName db variable as a global NetBIOS domain name. When the variable is set to a non-default value, that value is used as the NetBIOS domain name during configuration. When the variable has its default value (which is "<null>"), APM reverts to extracting the NetBIOS domain name from the FQDN. This means that when the db variable is set to a non-default value, only one NetBIOS domain is usable. Note: Support for the Apm.NetBIOS.DomainName db variable is discontinued in version 12.0.0 and later.
For BIG-IP 12.0.0, when you create a Machine Account in APM, APM performs a domain join, retrieves the NetBIOS domain name from the Active Directory server, stores it in the configuration, and uses it for NTLM authentication.
To use the new behavior, delete the existing machine account and recreate it. Otherwise, the machine account continues to obtain the NetBIOS name the way it did before version 12.0.0.


439559-2 : APM policy sync resulting in failover device group sync may make the failover sync fail

Component: TMOS

Symptoms:
If an APM policy sync puts the new policy on a member of a sync-failover device group, then the sync of the sync-failover group may fail.

Conditions:
* At least three devices in trust.
* Two devices in a sync-failover device group.
* Two devices in a sync-only device group suitable for APM policy sync.
* The policy is synchronized from a device that is not in the sync-failover device group.

Impact:
Sync will fail, but full load sync will then succeed.

Workaround:
Using a full load sync (the force option on the GUI sync page) will work.

Fix:
An APM policy sync that puts the new policy on a member of a sync-failover device group used to make the sync of the sync-failover group fail. This now succeeds.


439518-3 : Portal access resource item modifications are not synced

Component: Access Policy Manager

Symptoms:
This issue is seen with policies that use Portal Access with any resource item. When the policy is synced for the first time, all the corresponding resources are synced correctly to the target. However, if a resource item is then modified and the policy is synced again, the resource item modifications are not synced over to the target devices.

Conditions:
The following conditions are necessary to trigger this issue:
The policy must contain a Portal Access resource, and the resource item must have been modified before the same policy is synced again.

Impact:
Resource item modifications are not synced over to the target devices.

Fix:
A user can now sync the changes to all location-specific objects, such as an optimized-app in network-access or a pool item in a pool, after setting the Use Source Configuration on Target option to YES in the policy sync dialog box.


439343 : Client certificate SSL authentication unable to bind to LDAP server

Component: TMOS

Symptoms:
When LDAP Client Certificate SSL Authentication is configured to bind to the LDAP server with a password, the bind fails due to an incorrect password.

Conditions:
LDAP client certificate SSL authentication is enabled.
The LDAP server requires a password to bind.

Impact:
Client certificates cannot be authenticated.

Fix:
LDAP client certificate SSL authentication now sends the correct bind password to the LDAP server.


438809-6 : Brute Force Login

Component: Application Security Manager

Symptoms:
In this release, you can configure the Brute Force Login protection with more granular detection rates.

Conditions:
A low-traffic environment that typically sees fewer than one login failure per second but still needs to trigger Brute Force prevention.

Impact:
Unable to appropriately configure Brute Force prevention.

Fix:
To improve brute force mitigation, we made the following changes:

- We added a new internal parameter: bf_num_sec_per_value. This defines how many seconds make up a single measurement unit for failed logins. For example, if you want to configure 7 failed logins per 5 seconds, in the Configuration utility configure "7" as the threshold value (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen), and from the command line configure "5" as the value of this internal parameter.

If this value is configured, the system detects an attack only by the threshold (and not by the increase), and all traffic from suspicious IP addresses is blocked. The default value for the internal parameter is 1 second.

- In the Configuration utility, we removed the validation for all the threshold and minimal values. You can now enter very low values, such as 1 or 2, in the detection and suspicious criteria.
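To make the measurement-unit idea concrete, here is an added example (not F5 code) of the detection logic the fix describes: a per-client sliding window of failed logins in which the window length plays the role of bf_num_sec_per_value and the count plays the role of the threshold. The log format, the IP addresses and the helper names are constructed for the example; they are not the BIG-IP log format.

```python
from collections import defaultdict, deque

# Constructed sample login log (not BIG-IP output): "<epoch_seconds> <client_ip> <result>".
# 203.0.113.5 fails 7 times within 5 seconds; 198.51.100.7 fails slowly (one per 10 s).
SAMPLE_LOG = """\
100 203.0.113.5 FAIL
100 203.0.113.5 FAIL
100 198.51.100.7 FAIL
101 203.0.113.5 FAIL
101 203.0.113.5 FAIL
102 203.0.113.5 FAIL
103 203.0.113.5 FAIL
104 203.0.113.5 FAIL
105 203.0.113.5 OK
110 198.51.100.7 FAIL
120 198.51.100.7 FAIL
"""


class FailedLoginRateDetector:
    """Flags a client when `threshold` failed logins fall inside any `window_seconds` span.

    window_seconds corresponds to bf_num_sec_per_value (default 1 second): with the
    default, 7 failures per 5 seconds never reaches a threshold of 7, which is why a
    low-traffic site needs the larger unit.
    """

    def __init__(self, threshold, window_seconds=1):
        if threshold < 1 or window_seconds < 1:
            raise ValueError("threshold and window_seconds must be >= 1")
        self.threshold = threshold
        self.window = window_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.flagged = {}                    # ip -> timestamp at which it was flagged

    def observe(self, ts, ip, result):
        """Record one login attempt; return True if this attempt crosses the threshold."""
        if ip in self.flagged or result != "FAIL":
            return False                     # successes do not count; already flagged IPs stay flagged
        window = self._failures[ip]
        while window and ts - window[0] >= self.window:
            window.popleft()                 # drop failures older than the measurement unit
        window.append(ts)
        if len(window) >= self.threshold:
            self.flagged[ip] = ts
            return True
        return False


def detect(log_text, threshold, window_seconds=1):
    """Run the detector over log lines; return [(timestamp, ip)] in flagging order."""
    det = FailedLoginRateDetector(threshold, window_seconds)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, result = line.split()
        if det.observe(int(ts), ip, result):
            alerts.append((int(ts), ip))
    return alerts


if __name__ == "__main__":
    print("7 per 5 s:", detect(SAMPLE_LOG, 7, 5))   # flags 203.0.113.5 at t=104
    print("7 per 1 s:", detect(SAMPLE_LOG, 7, 1))   # default unit: nothing is flagged
```

Running the same log with the default one-second unit produces no alert, while a five-second unit flags the fast-failing client; that difference is exactly what the new internal parameter lets a low-traffic deployment tune.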


438792-5 : Node flapping may, in rare cases, lead to inconsistent persistence behavior

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). Further requests in certain circumstances may hang (the client will be left waiting for a response).

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Inconsistent persistence behaviors. If persistence records are examined, you might find multiple, conflicting entries. This is an intermittent issue.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


438730-5 : DNS Filtering driver causes crash/BSOD

Component: Access Policy Manager

Symptoms:
The DNS Relay proxy service causes the Client App tunnel to crash, or a BSOD (DRIVER_FAULT).

Conditions:
Using the DNS relay filtering driver on Windows XP SP3.

Impact:
Client App tunnel crash/BSOD. This is an intermittent issue.

Fix:
Fixed a BSOD caused by the DNS relay filtering driver under a very specific condition on Microsoft Windows XP SP3.


438674-5 : When log filters include tamd, tamd process may leak descriptors

Component: TMOS

Symptoms:
The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations.

Conditions:
A log filter that includes tamd is configured.

Impact:
Client authentication might fail. When a log filter includes tamd, the tamd process might start to leak descriptors.

Workaround:
Do not define log filters that include tamd (tamd is included in 'all').

Fix:
The BIG-IP system no longer sends tamd log messages to the configured remote log destinations.


437744-4 : SAML SP service metadata exported from APM may fail to import.

Component: Access Policy Manager

Symptoms:
SAML SP service metadata exported from APM contains elements in an incorrect order, which can cause other implementations to reject the import.

Conditions:
When SAML metadata is exported from the BIG-IP system acting as a SAML Service Provider, the order of the 'SingleLogoutService' and 'AssertionConsumerService' elements is incorrect.

Impact:
Importing the SP metadata exported from the BIG-IP system into a SAML IdP might fail.

Workaround:
Edit the exported metadata: change the order of elements in the SPSSODescriptor so that the SingleLogoutService element comes first in the sequence.

Fix:
SAML metadata elements are now exported in the correct order.


437743-6 : Import of Access Profile config that contains ssl-cert is failing

Component: Access Policy Manager

Symptoms:
An access profile configuration that uses an SSL Certificate fails to import. This happens because of a change in the method to import SSL certificates.

Conditions:
The Access Profile configuration contains an (SSL) Certificate File object, that is, a configuration that includes an OCSP responder, a Certificate Authority profile, or a ServerSSL profile.

Impact:
Serious. It is not possible to import configurations that contain the above-mentioned objects to another box, which might prevent users from distributing profiles manually or properly importing a backup.

Workaround:
You can either exclude the above-mentioned objects prior to export and then recreate them after the import, or (not recommended) edit the config manually and import the SSL certificate prior to import.

Fix:
You can import an access profile that includes an SSL certificate object in its configuration objects.


437627-5 : TMM may crash if fastl4 vs has fragmented pkt

Component: Local Traffic Manager

Symptoms:
TMM may crash if a virtual server with a FastL4 profile receives a fragmented packet.

Conditions:
A FastL4 profile is configured.
Fragmented packets arrive.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In the FastL4 profile, enable the "Reassemble IP Fragments" option.

Fix:
Improved handling of a fragmented packet that could cause a crash if using a fastL4 profile.


436682-5 : Optical SFP modules shows a higher optical power output for disabled switch ports

Component: TMOS

Symptoms:
Some optical SFP/SFP+ modules may continue to provide optical power output higher than the specified detection threshold when the port has been disabled. As a result, the remote connected device may indicate a false positive link state.

Conditions:
The SFP or SFP+ module switch port has been disabled on the BIG-IP system. The problem occurs due to the optical transmitter in the SFP/SFP+ module not being disabled when the switch port itself is in a disabled state.

The problem may occur with certain optical SFP/SFP+ modules, including all or a subset of individual modules with the following part numbers:
OPT-0010-00 (1G-SR)
OPT-0011-00 (1G-LR)
OPT-0016-00 (10G-SR)
OPT-0017-00 (10G-LR)

For a list of F5 supported Fiber Gigabit Ethernet SFP, XFP, SFP+ and QSFP+ modules, see SOL6097: Specifications of the Fiber Gigabit Ethernet SFP, XFP, SFP+ and QSFP+ module ports on BIG-IP system platforms, available here: https://support.f5.com/kb/en-us/solutions/public/6000/000/sol6097.html.

Impact:
Link status may be incorrectly reported as up on remote connected device.

Workaround:
To work around this issue, when disabling an affected switch port on the BIG-IP system, you can also disable the connected port on the remote device.

Fix:
Optical SFP/SFP+ modules now show the correct optical power output for disabled switch ports, so they no longer contribute to false link states.


436201-6 : JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11

Component: Access Policy Manager

Symptoms:
JavaScript can misbehave when encountering the 'X-UA-Compatible' META tag from clients using Microsoft Internet Explorer 11.

Conditions:
Internet Explorer 11 and meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
Web application malfunction.

Workaround:
Use an iRule.

Fix:
JavaScript now correctly handles the X-UA-Compatible meta tag from clients using Microsoft Internet Explorer 11.


433972-13 : New Event dialog widget is shifted to the left and Description field does not have action widget

Component: Access Policy Manager

Symptoms:
When you access Microsoft SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.

Conditions:
The problem occurs in Internet Explorer 11 with meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
SharePoint 2013 malfunctions.

Workaround:
You could potentially use an iRule to mitigate the problem.

Fix:
Portal Access now correctly displays a New Event window for Microsoft SharePoint 2013 from Internet Explorer 11.


433847-1 : APD crashes with a segmentation fault.

Component: Access Policy Manager

Symptoms:
An uninitialized field in the CRLDP or OCSP module can cause a crash through memory corruption.

Conditions:
This occurs when there is an uninitialized field in the CRLDP or OCSP module.

Impact:
APD crashes with a segmentation fault. The uninitialized field can cause a crash when the client connection is freed.

Fix:
Crashes because of an uninitialized field in the CRLDP or OCSP module no longer occur.


433466-4 : Disabling bundled interfaces affects first member of associated unbundled interfaces

Component: TMOS

Symptoms:
When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1).

Conditions:
Disabling bundled interfaces affects first member of associated unbundled interfaces.

Impact:
Traffic cannot pass because the port's status is 'Down'.

Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when you intend to use the first member of the associated unbundled interfaces (e.g., 1.1). The same applies to the other bundle/unbundle relationships (2.2/1.5, 2.3/1.9, and so on), and vice versa.

Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.


432900-9 : APM configurations can fail to load on newly-installed systems

Component: Access Policy Manager

Symptoms:
APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:

Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso)
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory)
....
01071558:3: EPSEC - File Copy to /shared location failed Unexpected Error: Loading configuration process failed.

Conditions:
If the system is fresh from manufacturing or has had a recent formatting installation, it is vulnerable to this upgrade defect. The failure is only observed if the configuration being applied contains elements of APM.

Impact:
After booting into an upgraded system, the configuration will fail to load. A load failure can also be observed when manually loading a UCS file.

Workaround:
Create the directory /shared/apm and try to load the configuration again.

Fix:
Releases with this fix will load the configuration properly. There is no need for users to first create the /shared/apm directory.


432423-5 : Need proactive alerts for APM license usage

Component: Access Policy Manager

Symptoms:
Customers would like APM to generate proactive alerts when license usage reaches a certain threshold.

Conditions:
N/A

Impact:
Without a proactive alert, the customer does not know that license consumption is near the maximum allowed and is therefore unprepared for the license being exhausted.

Workaround:
N/A

Fix:
Support for generating a license usage alert when a threshold is crossed has been added.


432102-6 : HTML reserved characters not supported as part of SAML RelayState

Component: Access Policy Manager

Symptoms:
If the RelayState parameter includes HTML and XHTML special characters, then the BIG-IP system as IdP or as SP does not process them correctly and does not send the complete RelayState value to the peer.

Conditions:
The RelayState parameter contains HTML reserved characters.

Impact:
SAML integration may not work properly with other products when the configured RelayState parameter includes special characters.

Workaround:
To use reserved characters in HTML (",',&,<,>) as part of the SAML RelayState, convert them to their HTML entities (&#34;, &#39;, &#38;, &#60;, &#62;).

Fix:
When the BIG-IP system is configured as a SAML Identity Provider (IdP) or Service Provider (SP), it now URL encodes (or decodes, as applicable) the RelayState parameter.


431980-1 : SWG Reports: Overview and Reports do not show correct data.

Component: Access Policy Manager

Symptoms:
When traffic is very sparse, the report may be incorrect and omit information because the aggregation of collected data is skipped.
The original fix caused heavy CPU spikes every 5 minutes.

Conditions:
Very sparse traffic with significant gaps.

Impact:
AVR reports may be incorrect.

Workaround:
This issue has no workaround at this time.

Fix:
Aggregation of data when traffic is very sparse with significant gaps is now done correctly. It also occurs when data is queried, instead of every 5 minutes, which avoids the 5-minute CPU spiking issue.


431810-5 : APMD process core due to missing exception handling in execute agents

Component: Access Policy Manager

Symptoms:
APMD cores because exception handling is missing while it executes an access policy agent.

Conditions:
This occurs when using APM.

Impact:
APMD might core because exception handling is missing while it executes an access policy agent.

Fix:
Processing is now provided for exceptions that could occur when using a Kerberos Auth agent in a multi-domain SSO configuration.


431634-6 : tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails

Component: TMOS

Symptoms:
If you have a gtm server object for which you wish to modify its virtual servers, the following tmsh command fails:

modify gtm server <gtm-server-name> virtual-servers replace-all-with <vs-name>

with this error:

"The requested Virtual Server (/Common/<gtm-server-name> ) was not found."

Conditions:
You have a gtm server object whose virtual servers you are attempting to modify via the replace-all-with method.

Impact:
You cannot set the virtual server(s) on a gtm server object via the replace-all-with method in tmsh.

Workaround:
You can still add and delete virtual servers on the gtm server object via tmsh; you just cannot use the replace-all-with method to do so.

Fix:
Fixed replace-all-with command in relation to GTM Virtual Servers.


431467-1 : Mac OS X support for nslookup and dig utilities to use VPN DNS

Component: Access Policy Manager

Symptoms:
Network access from browser or Edge Client on Mac does not change system DNS configuration the way that the nslookup and dig utilities expect. Once network access is established, the nslookup and dig utilities do not utilize DNS servers and DNS search suffixes set by SSL VPN.

Conditions:
Network Access with DNS servers and DNS search suffixes configured, established from the browser or the Edge Client on Mac OS X.

Impact:
The system behaves as expected except for the nslookup, dig, and host utilities.

Fix:
The nslookup, host and dig utilities are now able to use DNS server and DNS search suffixes set by SSL-VPN.


431283-7 : iRule binary scan may core TMM when the offset is large

Component: Local Traffic Manager

Symptoms:
The binary command does not check whether the offset argument is beyond the internal buffer boundary, which can core TMM. Here is an example:

binary scan [TCP::payload] @${offset_num}c var1

If "offset_num" is larger than the payload buffer length, TMM may core.

Conditions:
The "offset_num" value passed to binary scan (as in the example above) is larger than the payload buffer length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Check the payload length and compare it with the offset argument before using the command.

Fix:
The offset value is now checked before the cursor is moved.
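The workaround above is a bounds check done in the iRule before binary scan runs. The added example below (Python, not F5 code and not the iRule language) shows the general form of that check: validate both the offset and the size of the field the format string will read against the buffer length before touching the buffer, and reject out-of-range reads instead of reading past the end. The payload bytes and the function names are constructed for the example.

```python
import struct

# Constructed sample payload (not captured traffic): four bytes.
SAMPLE_PAYLOAD = bytes([0x01, 0x02, 0x03, 0x04])


def scan_at(payload, offset, fmt):
    """Bounds-checked equivalent of `binary scan $payload @${offset}<fmt>`.

    fmt is a struct format string ("b" = signed 8-bit, ">H" = big-endian 16-bit, ...).
    Raises ValueError instead of reading outside `payload`; returns the unpacked tuple.
    """
    if offset < 0:
        raise ValueError("offset must not be negative: %d" % offset)
    needed = struct.calcsize(fmt)            # bytes the format will consume
    # The check is on offset + needed, not on offset alone: an offset that is
    # inside the buffer can still leave too few bytes for a multi-byte field.
    if offset + needed > len(payload):
        raise ValueError(
            "read of %d byte(s) at offset %d exceeds payload length %d"
            % (needed, offset, len(payload))
        )
    return struct.unpack_from(fmt, payload, offset)


def try_scan(payload, offset, fmt):
    """Convenience wrapper: return the unpacked tuple, or None when out of range."""
    try:
        return scan_at(payload, offset, fmt)
    except ValueError:
        return None


if __name__ == "__main__":
    print(try_scan(SAMPLE_PAYLOAD, 2, "b"))    # (3,)
    print(try_scan(SAMPLE_PAYLOAD, 4, "b"))    # None: offset == length
    print(try_scan(SAMPLE_PAYLOAD, 3, ">H"))   # None: needs 2 bytes, only 1 left
```

The same shape applies in the iRule: compare [TCP::payload length] against the offset plus the width of the field you are about to read, and skip the scan (or collect more payload) when the check fails.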


431149-6 : APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"

Component: Access Policy Manager

Symptoms:
In scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode), the error "Access Policy configuration has changed on gateway" might be displayed when a user connects to a virtual server.

Conditions:
It can occur:
 - right after the whole chassis is rebooted
 - when the secondary/slave slot's tmm cores
 - when a slot on the chassis is disabled

Impact:
Customers see the following message when they connect to the virtual server: "Access Policy configuration has changed on gateway".

Workaround:
To work around the problem, type the command "bigstart restart apd" on the primary slot.

Fix:
The issue is fixed: the primary blade of the chassis/vCMP now recreates config snapshots when a secondary blade transitions from online to offline or vice versa.


430799-3 : CVE-2010-5107 openssh vulnerability

Vulnerability Solution Article: K14741


430323-4 : VXLAN daemon may restart when 8000 VXLAN tunnels are configured

Component: TMOS

Symptoms:
VXLAN daemon may restart when 8000 VXLAN tunnels are configured.

Conditions:
8000 VXLAN tunnels are configured.

Impact:
VXLAN daemon restart.

Fix:
VXLAN daemon does not restart when 8000 VXLAN tunnels are configured.


429885-6 : Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics)

Component: Advanced Firewall Manager

Symptoms:
When AFM is operating in Default Deny mode, traffic that does not match a Virtual or Self IP is dropped/rejected silently without any counter increment or logging (if global default drop logging is enabled).

Conditions:
VIP/SelfIP Default Action is set to Drop/Reject.
Global Default Action is set to Drop and global rule logging is enabled.

Traffic does not match any virtual or selfip.

Impact:
While there is no impact on the traffic that does not match a virtual or Self IP (it is correctly dropped), the issue is that no counters are updated and nothing is logged (if logging is enabled).

Workaround:
This issue has no workaround at this time.

Fix:
When operating in firewall (AFM) mode i.e. default deny, the BIG-IP system will now count and log (if enabled) any traffic that does not match a Virtual or Self IP and is being dropped/rejected.


429018-2 : tmipsecd cores when deleting a non-existing traffic selector

Component: TMOS

Symptoms:
tmipsecd cores when a to-be-removed traffic selector is not found in the internal database on tmipsecd.

Conditions:
This is a rare race condition.

Impact:
IPsec tunnel flapping and core dump.

Fix:
TMIPSECD now logs a critical message instead of coring, so IPsec tunnel flapping and core dumps no longer occur when deleting a non-existing traffic selector.


428387-2 : SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')

Component: Access Policy Manager

Symptoms:
SAML AuthRequest and Assertion generation could fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contains special XML characters, such as [&,<,>,",'].

Conditions:
- Assertion signing is enabled on BIG-IP as IdP.
- SAML Configuration (IdpEntityID, ACS, not-encrypted SAML Attributes, ACS URL, SP Entity ID, SLO URL) contains special characters, e.g. [&,<,>,",']

Impact:
SAML AuthRequest and Assertion generation could fail.

Workaround:
You can replace special XML characters with XML escape codes in the configuration:
" becomes &quot;
' becomes &apos;
< becomes &lt;
> becomes &gt;
& becomes &amp;

For example, replace "http://f5.com/acs_url?user=5&password=pass"

with "http://f5.com/acs_url?user=5&amp;password=pass"

Fix:
The BIG-IP system, when configured as an Identity Provider (IdP), can now successfully create SAML assertions even when the BIG-IP configuration contains special XML characters.
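This entry and 432102-6 (HTML reserved characters in the SAML RelayState) describe the same underlying problem: a configured value that contains markup-reserved characters is inserted into XML or HTML without escaping, so the document is no longer well-formed or the value is truncated. The added example below (Python, not F5 code) applies the two workarounds the entries give, named XML entities for configuration values and numeric HTML entities for the RelayState, and checks the result by parsing it. The ACS URL is the one from the workaround above; the element layout and function names are constructed for the example.

```python
import html
import xml.etree.ElementTree as ET

# Named entities from the 428387-2 workaround (XML configuration values).
XML_ENTITIES = {'"': "&quot;", "'": "&apos;", "<": "&lt;", ">": "&gt;", "&": "&amp;"}
# Numeric entities from the 432102-6 workaround (RelayState).
HTML_NUMERIC_ENTITIES = {'"': "&#34;", "'": "&#39;", "&": "&#38;", "<": "&#60;", ">": "&#62;"}

# Value taken from the workaround text of 428387-2.
ACS_URL = "http://f5.com/acs_url?user=5&password=pass"


def escape_xml(value):
    """Replace the five XML special characters with named entities.

    Mapping character by character (rather than chained str.replace calls) means
    '&' is never escaped twice, whatever order the table is in.
    """
    return "".join(XML_ENTITIES.get(ch, ch) for ch in value)


def escape_relay_state(value):
    """Replace HTML reserved characters with the numeric entities the workaround lists."""
    return "".join(HTML_NUMERIC_ENTITIES.get(ch, ch) for ch in value)


def acs_element(acs_url, index=0):
    """Constructed AssertionConsumerService element carrying an already-escaped URL."""
    return '<AssertionConsumerService Location="%s" index="%d"/>' % (escape_xml(acs_url), index)


def parse_location(xml_text):
    """Parse the element and return its Location attribute (entities decoded by the parser)."""
    return ET.fromstring(xml_text).get("Location")


def is_well_formed(xml_text):
    """True if the text parses as XML; the unescaped URL fails on '&password'."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    raw = '<AssertionConsumerService Location="%s" index="0"/>' % ACS_URL
    print("unescaped well-formed:", is_well_formed(raw))          # False
    print("escaped element:      ", acs_element(ACS_URL))
    print("round trip:           ", parse_location(acs_element(ACS_URL)) == ACS_URL)  # True
    print("relay state:          ", escape_relay_state('<a href="x">&</a>'))
```

The round trip is the check worth keeping: after escaping, a conforming XML parser returns exactly the configured value, and html.unescape does the same for the numeric RelayState entities, so nothing is lost on the way to the peer.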


428163-3 : Removing a DNS cache from configuration can cause TMM crash

Component: Local Traffic Manager

Symptoms:
Removing a DNS cache from the configuration while packets are outstanding on the server side can cause a TMM crash if those responses time out after the resolver is removed.

Conditions:
This occurs with DNS traffic in progress when removing a configured DNS cache from the configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This occurs with DNS traffic in progress. Disabling the listener using that cache and waiting 60 seconds before removing the cache prevents this from occurring.

Fix:
Deleting a cache resolver no longer results in outstanding packet issues.


428068-3 : Insufficiently detailed causes for session deletion.

Component: Access Policy Manager

Symptoms:
When a session is deleted for a reason unrelated to explicit admin action, a generic log message appears: 'Session deleted due to user inactivity or errors.' The message does not distinguish user inactivity from 'error', so the log message indicates a possible error when perhaps none had occurred.

Conditions:
Normal user inactivity is indistinguishable from numerous other causes related to policy actions.

Impact:
You cannot troubleshoot the cause of a session termination because it is impossible to determine whether the session was deleted because of normal user inactivity or for some other reason.

Workaround:
None.

Fix:
The session deletion cause has been added as an enhancement to the session deletion log functionality.


427174-7 : SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620

Vulnerability Solution Article: K15630


426939-5 : APM policies do not work in a VIPRION 4800 chassis if there is no slot1

Component: Performance

Symptoms:
Access policies are not executed according to the configuration in a VIPRION 4800 chassis. Users cannot use those policies.

Conditions:
This issue happens only on the VIPRION 4800, and only if there is no active slot1 as primary or standby.

Impact:
Users cannot use the access policies that are configured on the BIG-IP system.

Workaround:
Always use slot1 in the VIPRION 4800.

Fix:
Access policies now work properly in a VIPRION 4800 with no slot1.


426328-8 : Updating iRule procs while in use can cause a core

Component: Local Traffic Manager

Symptoms:
When updating an iRule that is in process or parked and has existing connections and uses a proc, a core can occur due to incorrect internal reference counting.

Conditions:
High traffic iRule that both parks and uses a proc.

Impact:
The BIG-IP system might temporarily fail to process traffic, and fail over if configured as part of a high availability (HA) pair.

Workaround:
Disable listener before updating iRule. For more information, see SOL14654: Updating an iRule that uses sideband connections may cause TMM to core, available here: http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14654.

Fix:
Updating an iRule that uses sideband connections no longer causes TMM to core.


426209-2 : exporting to a CSV file may fail and the Admin UI is inaccessible

Component: Access Policy Manager

Symptoms:
If there are a large number of APM report records, exporting them to a CSV file might fail and the Admin GUI can then become inaccessible.

Conditions:
When the amount of report data is large.

Impact:
The Admin UI is inaccessible.

Workaround:
Avoid exporting large amounts of report data.


425980-3 : Blade number not displayed in CPU status alerts

Component: TMOS

Symptoms:
Messages displayed on the VIPRION chassis LCD display always reference the blade number of the Primary blade in the chassis at the time the message was issued.
The slot number of the blade that experienced the blade-specific condition is not included in the message on the LCD display.
In the case of CPU status alerts, where the CPU temperature is too high or the CPU fan speed is too low, the identification of the blade is not included in the console output or log messages produced by the system_check utility.

Conditions:
Affects:
VIPRION B4100 (PB100), B4200 (PB200) and B4300-series blades in VIPRION C4400, C4480 and C4800 chassis.
VIPRION B2100, B2150 and B2250 blades in VIPRION C2400 and C2200 chassis with external LCD displays attached.

Impact:
It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display.

Workaround:
Use one of the following commands to examine the CPU measurements to determine which CPU on which blade is experiencing excessive temperature and/or slow fan speed:
1. tmsh show sys hardware
2. tmctl cpu_status_stat

Fix:
The system_check utility now logs the blade number as part of CPU status alerts to the system console and log messages.
Such detail is not made available on the LCD display.


424831-6 : State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover

Component: Local Traffic Manager

Symptoms:
Failovers between devices in a HA pair might result in an unexpected disruption of traffic (for instance, if virtual servers are configured for mirroring).

Persistence / session table information would similarly be missing on the newly-active system.

Conditions:
Platform that supports hardwired failover, configured for hardwired failover. (Note: this excludes chassis-based platforms, as well as VCMP guests and VEs)

Network failover disabled.

Impact:
- Failovers may result in unexpected disruption of traffic that failed to be mirrored.

- The session database (SessionDB entries, iRule session table, persistence table, etc.) is not mirrored as expected, which may result in unexpected traffic failures.

Workaround:
Enable network failover, then restart all TMMs.

Note: workaround will temporarily disrupt traffic.

Fix:
State Mirroring now works for HA configurations that use only hardwired (serial) failover, without network failover.


423282-8 : BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence

Component: Access Policy Manager

Symptoms:
JavaScript does not work if a page contains conditional comments inside its head tag.

Conditions:
A conditional comment contains the very first script tag.

Example:
<html>
<!--[if lt IE 9]>
  <script src="foo.js"></script>
<![endif]-->
<script>
document.write("foo");
</script>
</html>

Impact:
JavaScript does not work.

Workaround:
To work around the problem, use an iRule. The exact commands to use depend on the situation.

Fix:
The issue has been fixed by adding the necessary JavaScript includes into every conditional branch.


422460-8 : TMM may restart on startup/config-load if it has too many objects to publish back during config load

Component: TMOS

Symptoms:
TMM restarts without any core file on startup or when mcpd is loading the configuration if the size of configuration is considered large (e.g., more than 1000 passive monitors).

TMM restarts without any core file while running "tmsh show sys connection" or "tmsh show sys connection all-properties" with a large connection table (e.g., 500 KB and 600 KB, respectively).

Conditions:
This issue occurs when all of the following conditions are met:

-- The mcpd process loads a large configuration with thousands of objects.
-- The platform is running 12 or more TMM instances (BIG-IP 11000/11050 platforms, or VIPRION B4300 blades).

Or:

-- You run "tmsh show sys connection" or "tmsh show sys connection all-properties".
-- The platform is running 12 or more TMM instances (BIG-IP 11000/11050 platforms, or VIPRION B4300/B4450 blades).

Impact:
Traffic processed by the affected TMM instance is interrupted while TMM restarts. TMM might enter a restart loop and restart multiple times, without producing a core file. You might see errors similar to the following in log/tmm or log/daemon:
-- LTM01 crit tmm11[28599]: 01010020:2: MCP Connection aborted, exiting.
-- LTM01 emerg logger: Re-starting tmm.
This might cause serious traffic disruption.

Workaround:
This workaround is a mitigation and may not work in all cases; the zero-window timeout may need to be adjusted to a higher value for some configurations.

To work around this issue, increase the timeout used for the MCP connection.

1. Open the tmm_base.tcl file for modification.
2. Locate the tcp _mcptcp stanza.
3. Add the following line:
   zero_window_timeout 300000

This lengthens the timeout, which avoids the restart. For more information, see K14498: The mcpd connection to TMM may time out on either startup or configuration load and cause TMM to restart, available here: https://support.f5.com/csp/article/K14498.

Fix:
For most configurations, TMM no longer restarts on startup/config-load if it has too many objects to publish back during config load. The mitigation fix increases an internal buffer. This provides sufficient time for most configurations. Some configurations might require still more time. If the issue still occurs, you can increase the zero-window timeout until the configuration loads without problems. To completely address the issue,


422107-8 : Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set

Component: Local Traffic Manager

Symptoms:
Responses from the DNS transparent cache may contain RRSIG records for queries that do not have the DO bit set.

Conditions:
DNS transparent cache receives a DNS query without DO bit set.
If the query is answered from a DNSSEC-signed zone of a pool member, the response returned to the client contains RRSIG records.

Impact:
Responses contain unnecessary RRsets, which is not RFC compliant.

Workaround:
None.

Fix:
Queries answered by the DNS transparent cache no longer have RRSIG records added to the response if the DO bit is not set in the query.


422087-5 : Low memory condition caused by Ram Cache may result in TMM core

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter the following symptoms:
- The TMM process crashes with a SIGABRT

- The BIG-IP system fails over to the peer system in a high-availability configuration.

- The BIG-IP system generates a TMM core file in the /var/core directory.

Conditions:
- Associating a Web Acceleration profile with a virtual server

- TMM is running low on memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround for this issue.

Fix:
Tmm no longer crashes in certain low memory conditions with Ram Cache enabled.


421971-9 : Renewing certificates with SAN input in the GUI leads to error.

Component: TMOS

Symptoms:
Renewing an existing certificate fails using the GUI if a user provides Subject Alternative Name (SAN) as input.

Conditions:
Using the GUI, provide SAN while renewing certificate.

Impact:
Cannot renew certificate using the GUI.

Workaround:
Do not provide SAN information while renewing certificates. As an alternative, you can create a new certificate with a SAN.
Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.

Fix:
Renewing an existing certificate now succeeds if a user provides Subject Alternative Name (SAN) as input in the GUI.


421901-2 : The 'Restore down' button can be hidden for full-screen RDP resources.

Component: Access Policy Manager

Symptoms:
The issue occurs when a user clicks the 'Restore down' button. After that, the RDP session is inside a window, but the maximize button is grayed out, so the user is not able to restore the window to full screen.

Conditions:
This occurs for VPN users using RDP resources.

Impact:
End users report that they are unable to restore the window to full screen.

Fix:
You can specify showrestorebutton:i:0 in Custom Parameters for a remote desktop of the RDP type. The Restore down button will no longer display.


421012-3 : scriptd incorrectly reports that it is running on a secondary blade

Component: TMOS

Symptoms:
scriptd might indicate that it is running on a secondary blade, even when the process is running on a primary blade or an appliance. The error condition generates this log message: 014f000f:7: Becoming secondary cluster member

Conditions:
The conditions under which this occurs are not well understood, but it is a rare occurrence.

Impact:
Perpetual iCall handlers do not run, so scripts running under the control of a daemon do not run.

Workaround:
Issue the command 'bigstart restart scriptd' on an affected blade or device.

Fix:
scriptd no longer incorrectly reports that it is running on a secondary blade when it is not.


420438-3 : Default routes from standby system when HA is configured in NSSA

Component: TMOS

Symptoms:
In an NSSA configuration with a DR, BDR, and HA-configured BIG-IP systems, there are three default routes, one each from DR, BDR, and the standby BIG-IP system. The standby BIG-IP system should not send out any default routes.

Conditions:
This occurs when using OSPF in an NSSA configuration with a DR, a BDR, and an HA pair of BIG-IP systems.

Impact:
Traffic is incorrectly directed to the standby and dropped.

Workaround:
None.

Fix:
There are now no default routes from the standby BIG-IP system in an HA pair. This is correct behavior.


420341-6 : Connection Rate Limit Mode when limit is exceeded by one client also throttles others

Component: Local Traffic Manager

Symptoms:
When Connection Rate Limit Mode is set to Per Virtual Server and Source Address, you might encounter unexpected results. Once a particular client is above the limit, other clients (other source IP addresses) are also throttled by the system.

Conditions:
This occurs in the following manner: There is a configured connection rate limit per virtual server per client; one client exceeds the configured rate limit; and the virtual server also throttles other, unrelated clients.

Impact:
The virtual server throttles clients that are not exceeding the connection rate limit.

Workaround:
None.

Fix:
Connection Rate Limit Mode when limit is exceeded by one client no longer throttles others.


420204-3 : FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long

Component: TMOS

Symptoms:
Starting in 11.4.0, the 'tmsh delete sys crypto fips by-handle handle#' command is expected to throw an error if the key object corresponding to this FIPS key handle exists in the BIG-IP configuration. However, this does not work if the key name is longer than 32 characters, because the operation relies on the key name being the same as the FIPS key label, which is not the case for key names longer than 32 characters.

Conditions:
BIG-IP contains a FIPS key object with a name that is longer than 32 characters. User attempts 'tmsh delete sys crypto fips by-handle handle#' for this FIPS key handle. The expected error does not occur, and the operation deletes the FIPS key from the FIPS card, which makes the BIG-IP key object invalid.

Impact:
The corresponding BIG-IP key object is now invalid with no corresponding FIPS key in FIPS card. Traffic using this key object will fail.

Workaround:
Use keynames shorter than 32 characters for FIPS keys.

Fix:
The BIG-IP system now posts an error if the user tries to manually delete a particular FIPS key by-handle while its corresponding key object exists in BIG-IP configuration, regardless of the length of the key name. IMPORTANT: FIPS key deletion by-handle should still be executed with caution because the FIPS handle might belong to keys in different boot locations of the BIG-IP configuration. Deleting those FIPS keys does not throw an error, but will make FIPS keys in the other boot locations invalid and unusable.


420107-2 : TMM could crash when modifying HTML profile configuration

Component: TMOS

Symptoms:
Modification of configuration for a virtual with HTML profile attached may cause a tmm crash if there are open connections with html content.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable virtual server (or make sure that it does not have open connections in any other way) before modifying configuration.

Fix:
Fixed an issue in HTML profile which could cause a tmm crash during configuration change on a virtual with open connections.


418890-2 : OpenSSL bug can prevent RSA keys from rolling forward

Component: Local Traffic Manager

Symptoms:
When trying to upgrade from version 10.x to version 11.x, SSL keys can fail to roll forward. The roll-forward process does not handle what appears to be an OpenSSL bug (tested through OpenSSL 1.0.1c).

Conditions:
This occurs when rolling forward RSA keys from version 10.x to 11.x.

Impact:
Rather than returning the expected decrypt failure ('unable to load Private Key' with 'bad decrypt'), approximately 0.3% of keys respond differently: the return code is non-zero but the output does not contain 'bad decrypt'. In this case, the system considers the key bad even though it is fine.

Workaround:
None.

Fix:
All SSL keys from version 10.x can be loaded correctly using the UCS file.


418850-1 : Do not restrict AD to be the last auth agent for View Client

Component: Access Policy Manager

Symptoms:
Previously, the AD Auth agent was required to be the last authentication agent in the policy for it to work correctly with the native VMware View client.

Conditions:
The user's password has expired and the user is asked to change it.

Impact:
The user receives an error message even though the password change succeeded.

Fix:
If used, the AD Auth agent no longer needs to be the last authentication agent in an access policy for VMware View. Now username, password, and domain from AD Auth are preserved and passed to the backend.


418664-4 : Configuration utility CSRF vulnerability

Component: TMOS

Symptoms:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342

Conditions:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342

Impact:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342

Fix:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342


417068-6 : Key install or deletion failure on FIPS key names longer than 32 chars on some platforms

Component: Local Traffic Manager

Symptoms:
Key operations might not succeed as expected when the key names are longer than 32 characters.

Conditions:
This occurs with keynames longer than 32 characters on the 6900 (D104), 8900 (D106), 8950 (D107), 11999 (E101), 11050 (E102), 10000/10050/10200/10250 (D113) platforms.

Impact:
FIPS key install and key deletion might fail. Deletion of the FIPS key with a keyname longer than 32 characters deletes the key from the BIG-IP configuration but does not delete the key from the FIPS card. Similarly, importing a key with keyname longer than 32 characters into the FIPS card fails.

Workaround:
Use key names of at most 32 characters for FIPS keys.

Fix:
FIPS key labels longer than 32 characters are now truncated to 32 characters. For keys whose names share the same first 32 characters, the system truncates the label and appends an underscore and a number, keeping the total length at 32 characters; for example fipssamplekeylabelof32characte_1, fipssamplekeylabelof32characte_2, and so on. BIG-IP uses the FIPS handles when querying the FIPS cards for keys, so the fact that the FIPS key labels differ from the BIG-IP key names does not matter and does not affect traffic.
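
The label scheme described in this fix, as an added illustration (not F5's own code): names are truncated to 32 characters, and names that collide on their first 32 characters receive an "_N" suffix carved out of the prefix so the total stays at 32. The exact numbering rule and the handling of a suffixed label colliding with another key's plain label are assumptions; the fix text only shows the _1, _2 pattern.

```python
from collections import Counter

# Maximum FIPS card label length stated in the fix text.
FIPS_LABEL_MAX = 32


def fips_labels(key_names):
    """Map each BIG-IP key name to a unique FIPS card label of at most 32 chars.

    Names that fit in 32 characters and do not collide keep their label
    unchanged. Names whose first 32 characters collide are truncated and
    suffixed with _1, _2, ... (assumed numbering), with the suffix taking
    space from the prefix so that the label is still exactly 32 characters.
    """
    unique_names = list(dict.fromkeys(key_names))  # drop exact duplicates, keep order
    prefix_count = Counter(name[:FIPS_LABEL_MAX] for name in unique_names)
    labels = {}
    used = set()
    next_index = {}  # next suffix number per 32-char prefix
    for name in unique_names:
        prefix = name[:FIPS_LABEL_MAX]
        if prefix_count[prefix] == 1 and prefix not in used:
            # No other key shares this 32-char prefix: plain truncation.
            label = prefix
        else:
            # Colliding prefix: append _N, skipping any label already taken
            # (for example by a key literally named "<prefix>_1").
            n = next_index.get(prefix, 1)
            while True:
                suffix = f"_{n}"
                label = prefix[:FIPS_LABEL_MAX - len(suffix)] + suffix
                n += 1
                if label not in used:
                    break
            next_index[prefix] = n
        used.add(label)
        labels[name] = label
    return labels


if __name__ == "__main__":
    # Constructed sample key names; the two "site" keys share their first 32 chars.
    sample = [
        "short-key",
        "fipssamplekeylabelof32characters-site-a",
        "fipssamplekeylabelof32characters-site-b",
        "another-very-long-key-name-that-exceeds-thirty-two",
    ]
    for name, label in fips_labels(sample).items():
        print(f"{name:55} -> {label}")
```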


416734-1 : Multiple Perl Vulnerabilities

Vulnerability Solution Article: K15867


416388-1 : vCMPD will not reattach to guest

Component: TMOS

Symptoms:
If a vCMP guest is deleted while vcmpd is not running (that is, vcmpd has crashed and is coming back up), vcmpd will not reattach to that guest, because mcpd never reported that it exists, and as a result vcmpd will never shut it down.

Conditions:
A vCMP guest is deleted while vcmpd is not running.

Impact:
Vcmpd should be changed to scan that directory at startup to check for any "lost" guests and kill them if necessary.

Workaround:
N/A

Fix:
On vcmpd startup, any guest deletions that happened while vcmpd was not running are now handled.


416372-4 : Boost memory allocator vulnerability CVE-2012-2677

Vulnerability Solution Article: K16946


416292-1 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Fix:
Ensured that the active device sync connection is destroyed when mcpd is shutting down.


416115-14 : Edge client continues to use old IP address even when server IP address changed

Component: Access Policy Manager

Symptoms:
The Edge Client enters a reconnect loop if the server it connected to goes down and DNS resolves the server host name to a new IP address.

Conditions:
1) Edge clients connected successfully to a server.
2) Server goes down and DNS resolves the server host name to a different IP address

Impact:
- Client goes in a reconnect loop and needs to be restarted to successfully connect to new IP address.

Workaround:
Restart Edge Client

Fix:
Now BIG-IP Edge Client resolves the host name during reconnection and initiates full reconnection after an IP address change is detected.


413708-5 : BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.

Component: TMOS

Symptoms:
When SNMP IPv6 UDP queries are directed from a client to a self IP, the response from the BIG-IP system does not preserve the source port. An ephemeral source port is used instead of source port 161.

Conditions:
SNMP IPv6 UDP query only.

Impact:
SNMP query fails.

Fix:
A problem of SNMP IPv6 UDP response from the BIG-IP system with an ephemeral source port has been solved.


410398-3 : sys db tmrouted.rhifailoverdelay does not seem to work

Component: TMOS

Symptoms:
Setting sys db tmrouted.rhifailoverdelay to a value does not seem to take effect: the route is withdrawn, sometimes before the newly active device is able to advertise the virtual address, leaving a blackhole route.

Conditions:
This occurs during a failover.

Impact:
Temporary black hole for a route.

Fix:
Fixed tmrouted to not bypass rhifailoverdelay during op-state change.


410101-3 : HSBe2 falls off the PCI bus

Component: TMOS

Symptoms:
While restarting the host tmm on a VCMP capable platform, an HSB on one of the blades stops responding and cannot be found, causing all tmms on the blade to fail to pass traffic. A large packet burst may be observed when this happens. Restarting the blade will clear the condition.

Conditions:
It is not known what triggers this condition. It was observed on BIG-IP 10000 and 12000 platforms, as well as B4300 blades. This is an intermittent issue that was seen rarely; restarting the host tmm seemed to trigger it more frequently.

Impact:
Traffic is interrupted; TMMs are unresponsive on the blade or vCMP instance with the affected HSBe2.

Fix:
Fixed a lockup issue with HSBe2.


410089-2 : Linux client hangs after receiving the application data

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Linux hangs when connecting to APM configured as Citrix WI replacement.

Conditions:
APM is configured for Citrix WI replacement mode and Citrix Receiver for Linux is used.

Impact:
Unable to use Citrix Receiver for Linux.

Fix:
Now APM correctly handles connections from Citrix Receiver for Linux.


409323-3 : OnDemand cert auth redirect omits port information

Component: Access Policy Manager

Symptoms:
On-Demand Cert Auth redirect does not honor a port other than 443 in virtual server.

Conditions:
On-Demand Cert Auth is used in an access policy that's assigned to a virtual server with non-standard port.

Impact:
The redirect URL is missing the port information, hence subsequent client connections aren't successful.

Workaround:
N/A

Fix:
On-Demand Cert Auth now supports non-standard ports: the redirect URL includes the port of the virtual server.


408851-7 : Some Java applications do not work through BIG-IP server

Component: Access Policy Manager

Symptoms:
Some Java applications do not work through the BIG-IP server.

Impact:
Users are unable to use some web applications that use Java applets.

Fix:
Fixed bug that resulted in incorrect loading of Java applets (Java applications).


407350-4 : Client side checks on Windows Phone 8

Component: Access Policy Manager

Symptoms:
Client side checks, such as antivirus, firewall, file, process, and so on, should be skipped for Microsoft Windows Phone 8, but are not skipped.

Conditions:
An access profile is configured to use client side checks, and Windows Phone 8 clients attempt to establish a connection.

Impact:
Windows Phone 8 users are prompted to install client components, but they cannot.

Fix:
Client side checks, such as antivirus, firewall, file, process, and so on, will be skipped for Microsoft Windows Phone 8.


406001-3 : Host-originated traffic cannot use a nexthop in a different route domain

Component: Local Traffic Manager

Symptoms:
If a route uses a nexthop in a different route domain, traffic originating from the host will not be forwarded to that nexthop.

Conditions:
Multiple route domains, gateway route that matches traffic using a nexthop in a different route domain.

Impact:
Nodes reached by the route cannot be monitored.

Workaround:
None.

Fix:
Host-originated traffic can now use a nexthop in a different route domain.


405769-3 : APM Logout page is not protected against CSRF attack.

Component: Access Policy Manager

Symptoms:
A user with an active APM session could be tricked into logging out of the BIG-IP system by visiting an attacker's website and clicking a link that performs CSRF against the APM logout page.

Conditions:
An attacker can place a link to the BIG-IP logout page on an external malicious website. Alternatively, such a link could be sent to the user by email. If the user is tricked into clicking the link, the user's BIG-IP APM session is terminated.

Impact:
APM session could be terminated by an attacker.

Fix:
A new configuration db variable, Tmm.Access.LogoutUrlRefererHeaderCheck was added to perform a Referer header check on all requests to APM logout page.
 
The new db variable is disabled by default. Enabling this variable will cause a Referer header check to be performed for all requests that attempt to terminate an APM session.

Use caution when enabling this db variable because it may affect logout functionality in some cases. Specifically, any custom iRules used to redirect users to logout URLs may not function properly. In addition, SAML single logout (although terminating a user's session) may reset the browser connection under certain conditions when the db variable is enabled.


405752-1 : TCP Half Open monitors sourced from specific source ports can fail

Component: TMOS

Symptoms:
TCP Half Open monitors fail when sourced from ports 1097 (except on some platforms), 1098, 1099, or 3306. Upon receipt of the SYN-ACK from the monitored device, TMOS filters the packet and responds with ICMP port unreachable.

Conditions:
Use one or more TCP Half Open monitors. Port 1097 will not be affected on the BIG-IP 800, 1600, 3600, 3900, 6900, 8900 (and derivative), 11000, or 11050 platforms.

Impact:
May result in false monitor failures.

Workaround:
1. Use a monitor type other than TCP Half Open.
2. Modify iptables by removing the relevant iptable rules.

For all platforms:
    
-- /sbin/iptables -D INPUT -p tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Then, for platforms where port 1097 is affected:

-- /sbin/iptables -D INPUT -p tcp --dport 1097:1099 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 1097:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 1097:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Or for platforms where port 1097 is not affected:

-- /sbin/iptables -D INPUT -p tcp --dport 1098:1099 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 1098:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 1098:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Fix:
TCP Half Open monitors sourced from certain ports now handle traffic as expected.


405635-2 : Using the restart cm trust-domain command to recreate certificates required by device trust.

Component: TMOS

Symptoms:
The device trust manages the certificates and keys SSL connections require between devices used for configuration synchronization. You should always have the necessary certificates and keys. If they are not present, device trust fails.

Conditions:
This might occur after manually removing the 'cm' stanzas from the config file, and reloading the configuration.

Impact:
No certificates and keys exist. If there are no certificates and keys, device trust cannot be set up, and the system cannot complete the SSL connections necessary for config synchronization.

Workaround:
To recreate the certs and keys, run the command: restart cm trust-domain.

Fix:
This release contains a new tmsh command, 'restart cm trust-domain', to restart device trust in these circumstances.


405611-3 : Configuration utility CSRF vulnerability

Component: TMOS

Symptoms:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143

Conditions:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143

Impact:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143

Workaround:
None.

Fix:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143


403991-8 : Proxy.pac file larger than 32 KB is not supported

Component: Access Policy Manager

Symptoms:
Proxy.pac file larger than 32 KB is not downloaded and edge client may fail to provide network access.

Conditions:
BIG-IP APM, MAC Edge Client, network access, proxy.pac URL pointing to the file greater than 32 KB.

Impact:
User might not be able to access internal resources and Edge Client might go into connect/disconnect loop.

Fix:
BIG-IP Edge Client for Mac now supports a Proxy.pac file size of up to 1 MB; previously, the limit was 32 KB.


402793-12 : APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients

Component: Access Policy Manager

Symptoms:
VPN connections on Linux and Mac clients can slow down and may lose some packets while performing secure renegotiation on a TLS or DTLS Network Access tunnel.

Conditions:
Secure re-negotiation configured on APM virtual server.

Impact:
Users can experience disconnects or traffic loss on APM Network Access connection.

Workaround:
n/a

Fix:
APM clients for Linux and Mac were modified to perform better during secure renegotiation.


402412-8 : FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.

Component: Local Traffic Manager

Symptoms:
When FastL4 performs hardware acceleration at TCP handshake, FastL4 handshake timeout is not honored.

Conditions:
When FastL4 performs hardware acceleration at SYN time, once a flow is offloaded to hardware, the flow switches to using idle timeout instead of standard established timeout.

Impact:
FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.

Workaround:
None.

Fix:
FastL4 no longer switches to idle timeout before data is received, so the 5-second TCP handshake timeout holds until the first data arrives, at which time it switches to idle timeout.


401893-3 : Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies

Component: TMOS

Symptoms:
You will be unable to use the tilde (~) character in the fields Response Headers Allowed and Encrypt Cookies when using the GUI.

Conditions:
Attempting to use the tilde character in HTTP Profile fields Response Headers Allowed and Encrypt Cookies in HTTP Profiles.

Impact:
The GUI returns the error: "Bad Characters. Only the following special characters are allowed: period, dash and underscore (.-_). Multiple arguments should be separated by spaces."

Workaround:
Use tmsh to create/update HTTP Profile fields Response Headers Allowed and Encrypt Cookies that need a tilde character.

Fix:
The tilde character can now be used in HTTP Profile fields Response Headers Allowed and Encrypt Cookies.


400726-4 : No support for multi-valued attributes inside SAML assertion.

Component: Access Policy Manager

Symptoms:
When the BIG-IP system acts as a SAML IdP, you cannot create the assertion with multi-valued attributes. When the BIG-IP system acts as a SAML SP and there is a multi-valued attribute inside the assertion, then the BIG-IP system processes only the first value of that multi-valued attribute.

Conditions:
Administrator attempts to configure SAML multi-valued attribute.

Impact:
The end user might not be able to access the SP service, or might get only partial service, depending on how the SP is configured.

Workaround:
None

Fix:
APM now supports multi-valued SAML attributes inside a SAML assertion.


400456-3 : HTTP monitors with long send or receive strings may not save or update

Component: TMOS

Symptoms:
HTTP monitors with long send or receive strings may not save or update. When you attempt to save or update an affected monitor configuration, a warning message similar to the following example appears on the Configuration utility screen:
Some Fields below contain errors. Correct them before continuing.

Value may not contain literal newline characters.

Conditions:
You use a Google Chrome or Safari web browser.
You attempt to configure a long send or receive string that contains word wraps within the text box of the Configuration utility.

Impact:
You are unable to create or update affected HTTP monitors using the Configuration utility.

Workaround:
To work around this issue, you can use the Internet Explorer or Firefox browser. Alternatively, you may use the Traffic Management Shell (tmsh) to create the HTTP monitor.


398657-8 : Active Session Count graph underflow

Component: Access Policy Manager

Symptoms:
On all platforms, the active session count might be significantly large at times likely due to a counter underflow.

Conditions:
N/A

Impact:
Wrong active session graphs are presented at certain times.

Workaround:
N/A

Fix:
The active session count graphs no longer become significantly large at times due to a counter underflow.


394236-3 : MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -

Component: TMOS

Symptoms:
MCP exits unexpectedly and you see a trace in the ltm log file similar to:

Feb 9 12:54:41 localhost err mcpd[9995]: 01070596:3: An unexpected failure has occurred, There is no active database transaction, status: 0 - EdbDbConnection.cpp, line 133, exiting...

Conditions:
Unexpected MCP exit.

Impact:
MCP is already exiting, so there is no impact.

Fix:
Changed ordering of shutdown operations to avoid MCP error message for benign condition.


392121-1 : TMSH Command to retrieve the memory consumption of the bd process

Component: Application Security Manager

Symptoms:
There is no tmsh command to retrieve the memory consumption of the bd process.

Conditions:
tmsh commands don't show bd process memory usage.

Impact:
Difficult to diagnose memory consumption issues.

Workaround:
Review messages individually in /var/log/ts/bd.log.

### For ASM bd current memory consumption use the following grep command

grep "UMU: total" /var/log/ts/bd.log
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0

### For XML memory consumption in bd process do the following on a big-ip.

*WARNING*: The following steps enable debug prints in bd.log, which may cause excessive I/O; handle with care on production systems.

1. Add the following 3 lines to /etc/ts/bd/logger.cfg:

MODULE=BD_XML;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;

2. Run the CLI tool:
/usr/share/ts/bin/set_active.pl --update_logger_cfg

To stop the debug prints, remove the 3 mentioned lines from the logger.cfg file and run the CLI tool again.
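
A parser for the "UMU: total" lines shown in the workaround above, as an added example that is not part of the original release note or of the bd tool: it extracts the VM, RSS and SWAP figures from each line and summarises RSS growth across the samples, which is the trend a memory-consumption investigation actually needs. The field layout is taken from the three lines quoted above; the extra sample lines and the growth threshold are constructed for illustration.

```python
import re

# One "UMU: total" line as bd writes it to bd.log (layout taken from the page).
UMU_RE = re.compile(
    r"UMU: total\s+(?P<total>\d+)\s+\(\s*(?P<total_mb>\d+)M\)"
    r"\s+VM\s+\(\s*(?P<vm_mb>\d+)M\)"
    r"\s+RSS\s+\(\s*(?P<rss_mb>\d+)M\)"
    r"\s+SWAP\s+\(\s*(?P<swap_mb>\d+)M\)"
    r"\s+trans\s+(?P<trans>\d+)"
)

# Constructed sample: the three lines from the workaround plus a noise line and a later sample.
SAMPLE_BD_LOG = """\
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0
bd: unrelated log line (constructed)
UMU: total 212 ( 1M) VM (1702M) RSS (240M) SWAP ( 0M) trans 3
"""


def parse_umu_lines(lines):
    """Return a list of dicts (all values in integers, sizes in MB) for each UMU line.

    Lines that do not match the UMU layout are ignored, so the function can be
    fed the whole bd.log rather than only grep output. search() is used so a
    timestamp prefix in front of "UMU:" does not matter.
    """
    samples = []
    for line in lines:
        match = UMU_RE.search(line)
        if match:
            samples.append({key: int(value) for key, value in match.groupdict().items()})
    return samples


def memory_summary(samples, growth_threshold_mb=50):
    """Summarise RSS across the samples and flag growth above the threshold.

    Returns None when there is nothing to summarise. The threshold is an
    arbitrary constructed value; tune it to the box being investigated.
    """
    if not samples:
        return None
    rss = [sample["rss_mb"] for sample in samples]
    growth = rss[-1] - rss[0]
    return {
        "samples": len(samples),
        "rss_min_mb": min(rss),
        "rss_max_mb": max(rss),
        "rss_last_mb": rss[-1],
        "rss_growth_mb": growth,
        "swap_used": any(sample["swap_mb"] > 0 for sample in samples),
        "growth_alert": growth >= growth_threshold_mb,
    }


if __name__ == "__main__":
    parsed = parse_umu_lines(SAMPLE_BD_LOG.splitlines())
    print(memory_summary(parsed))
```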

Fix:
The following command now reports memory consumption of the bd process:
tmctl asm_memory_util_stats

For specific fields -s option can be used, for example:
tmctl asm_memory_util_stats -s total_xml_mem_used,total_xml_max_mem


389484-4 : OAM reporting Access Server down with JDK version 1.6.0_27 or later

Component: Access Policy Manager

Symptoms:
Cannot connect to Access Server.

When running the eamtest tool to check that OAM and the Access Server are working together correctly, the following error appears:

Preparing to connect to Access Server. Please wait.

Access Server you specified is currently down. Please check your Access Server.
oamconfig[2368]: Could not configure OAM

Conditions:
The problem occurs only when OAM server is installed with JDK version 1.6.0_27 or later.

Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.

Workaround:
Install a JDK version older than 1.6.0_27.

Fix:
Applied OAM ASDK patch given by Oracle, so OAM no longer reports Access Server down with JDK version 1.6.0_27 or later.


389328-7 : RSA SecurID node secret is not synced to the standby node

Component: Access Policy Manager

Symptoms:
When RSA SecurID node secret files are created on the active node, the files are not synced to the standby node. As a result, users are not able to log on after a switchover.

Conditions:
RSA node secret files are created on the active node after the first successful authentication.

Impact:
Service will be inaccessible after switchover.

Workaround:
1. Copy node secret files /config/aaa/ace/Common/<rsa_securid_aaa_server>/sdstatus.12 and /config/aaa/ace/Common/<rsa_securid_aaa_server>/securid from the active node to the same directory on the standby node.

2. Wait for at least 30 seconds.

3. Execute the command "tmsh save sys config" to commit the changes to disk.

Fix:
The SecurID node secret file monitoring algorithm was updated so that a new node secret file can be detected. Also, aced now authenticates with mcpd so that any node secret file object changes will be accepted by the mcpd.


388274-3 : LTM pool member link in a route domain is wrong in Network Map.

Component: TMOS

Symptoms:
Pool member link in a route domain in Network Map is broken.

Conditions:
This occurs for pool members that exist in a route domain.

Impact:
The system cannot correctly interpret the % route domain notation used in the link.

Workaround:
None.

Fix:
The LTM pool member link in a route domain is now correct in the Network Map.


384451-6 : Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions

Component: Local Traffic Manager

Symptoms:
SSL per-virtual stats might cause SSL profile cert/keys/chain to be instantiated per-virtual server.

Conditions:
This occurs when using cert/keys/chain in SSL profiles attached to virtual servers.

Impact:
In this case, cert/keys/chain are duplicated and those duplicates might cause excessive memory use and disk activity which might lead to SIGABRTs and low-memory conditions.

Workaround:
None.

Fix:
Improved memory management when there are duplicated keys or certs.


383784-5 : Remote Auth user names containing blank space cannot login through TMSH.

Component: TMOS

Symptoms:
Remote Auth user names containing blank space cannot login through TMSH.

Conditions:
Remote authentication configuration needs to be set up, and the BIG-IP system should be configured to use remote authentication rather than local auth.

Impact:
Users cannot log into the box using TMSH.

Fix:
Remote user authentication now allows blank space in user names.


382157-3 : Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats

Component: TMOS

Symptoms:
Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats.

Conditions:
Running the following command returns data inconsistent with sflow statistics: snmpwalk -v2c -c public localhost F5-BIG-IP-SYSTEM-MIB::sysVlanStatTable.

Impact:
Incorrect interpretation of VLAN stats. As a result of fixing this issue, F5-BIG-IP-SYSTEM-MIB::sysVlanStatTable is obsoleted; IF-MIB::ifXTable should be used instead.

Workaround:
None.

Fix:
The IF-MIB::ifXTable was implemented to use the same stats as sflow. The F5-BIG-IP-SYSTEM-MIB::sysVlanStatTable is obsolete.

Behavior Change:
F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsoleted, IF-MIB::ifXTable should be used instead.


376120-4 : tmrouted restart after reconfiguration of previously deleted route domain

Component: TMOS

Symptoms:
When a non-default route domain is configured for dynamic routing, then subsequently deleted and re-added, tmrouted might restart.

Conditions:
Non-default route domains in use.

Impact:
Dynamic routing for all route domains is interrupted.

Fix:
tmrouted no longer restarts when reconfiguring a previously deleted route domain.


375887-4 : Cluster member disable or reboot can leak a few cross blade trunk packets

Component: Local Traffic Manager

Symptoms:
Using the cluster member 'disable' command with a trunk that spans blades might cause a brief period where received broadcast and multicast packets egress out the enabled trunk members of the cluster.

Conditions:
This occurs on a trunk that spans blades.

Impact:
To an external device running spanning tree protocol or variant, this can look like a loop.

Workaround:
None.

Fix:
Cluster member disable or reboot no longer leaks a few cross-blade trunk packets.


375246-1 : Clarification of pool member session enabling versus pool member monitor enabling

Component: TMOS

Symptoms:
Previous documentation of LocalLB::Pool::set_member_monitor_state and set_member_session_enabled_state led to some confusion for those using the API.

Conditions:
Reading the documentation.

Impact:
Confusion in the expected behavior for both functions.

Workaround:
Experimentation with the SOAP API and observation of BIG-IP behavior.

Fix:
When set_member_session_enabled_state sets a pool member to disabled, current connections are maintained, but no new connections are allowed.

When set_member_monitor_state sets a pool member to disabled, all connections are killed immediately and no new connections are allowed.


374339-4 : HTTP::respond/redirect might crash TMM under low-memory conditions

Component: Local Traffic Manager

Symptoms:
HTTP::respond/redirect might crash TMM under low-memory conditions.

Conditions:
Under low-memory conditions, if a new HTTP connection triggers an HTTP::respond/redirect event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce memory usage

Fix:
HTTP::respond/redirect no longer crashes TMM under low-memory conditions.


372473-2 : mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes

Component: Local Traffic Manager

Symptoms:
A message beginning with 'mcp error: 0x1020003' may be logged to /var/log/tmm when TMM crashes.

Conditions:
TMM crashes.

Impact:
This is an MCP error that is logged erroneously upon TMM shutdown, and does not indicate an issue with MCP.

Workaround:
None.

Fix:
The message is no longer logged when TMM crashes.


372118-3 : import_all_from_archive_file and import_all_from_archive_stream do not create file objects.

Component: TMOS

Symptoms:
An attempt to transition certs/keys/etc. from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream results in the files being copied to the directories under /config/ssl/, but no file-objects are created on the target system.

Conditions:
This occurs when you attempt to transition certs/keys/etc. from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream.

Impact:
Files being copied to the directories under /config/ssl/, but no file-objects are created on the target system.

Workaround:
None.

Fix:
Attempting to transition certs/keys/etc from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream now creates the file-objects on the target system in addition to the files being copied to the directories under /config/ssl/.


366149-1 : ACL support for VPN tunnels

Component: Access Policy Manager

Symptoms:
ACL is not supported for connections between VPN tunnel clients.

Conditions:
Using APM network access.

Impact:
Cannot use ACL for connections between VPN tunnel clients.

Workaround:
None.

Fix:
ACLs are now supported for connections between VPN tunnel clients. The following steps describe how to run ACLs for VPN/APM Network access tunnel clients:


1. Create an iRule:

root@(bigip3923mgmt)(cfg-sync Standalone)(Eval:Active)(/Common)(tmos)# list ltm rule na_acl_leasepool
ltm rule na_acl_leasepool {
    when CLIENT_ACCEPTED {
        if { [ACL::eval -l7] == 0 } {
            log local0. "no l7 acl"
        }
    }
}


2. Attach it as a related rule (not as an iRule for the virtual server) to the network access virtual server. To do so, use the following tmsh command (there is no GUI option to attach an iRule as a related rule for a virtual server):
    modify ltm virtual vs_https related-rules { na_acl_leasepool }


365219-2 : Trust upgrade fails when upgrading from version 10.x to version 11.x.

Component: TMOS

Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but one of the two following error messages appears in /var/log/ltm:

-- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}.

-- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.

Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.

Impact:
Trust upgrade for version 10.x high availability configuration fails.

Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.

Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.


364994-7 : TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.

Component: Local Traffic Manager

Symptoms:
In version 11.3.0 and earlier, TMM may restart.
In version 11.4.0 and later, disabled connections may be reused.

Conditions:
A virtual server with an associated OneConnect profile.
A server side connection is disabled on the client side by the iRule ONECONNECT::reuse disable command.

Impact:
In version 11.3.0 and earlier, tmm can crash.
In version 11.4.0 and later, disabled connections may be reused.

Workaround:
Version 11.3.0 and earlier:

If HTTP::disable is called in a client-side event, OneConnect reuse must also be disabled in a server-side event. To do so, include 'ONECONNECT::reuse disable' in the client-side event (so that a new connection is created), set a variable, and then invoke ONECONNECT::reuse disable in SERVER_CONNECTED.

Example (client-side event):

  set oc_reuse_ss_disable 1
  ONECONNECT::reuse disable
  CACHE::disable
  COMPRESS::disable
  HTTP::disable

Add this (or merge with an existing SERVER_CONNECTED event in the iRule):

when SERVER_CONNECTED {
  if { [info exists oc_reuse_ss_disable] } {
    ONECONNECT::reuse disable
    ONECONNECT::detach disable
  }
}

11.4.0 and later:

Replace "ONECONNECT::reuse disable" with "set oc_reuse_ss_disable 1" in the iRule client-side event.

Add this (or merge with an existing SERVER_CONNECTED event in the iRule):

when SERVER_CONNECTED {
  if { [info exists oc_reuse_ss_disable] } {
    ONECONNECT::reuse disable
  }
}

Fix:
TMM no longer restarts when a OneConnect profile is applied to a virtual server and OneConnect reuse is disabled on the server side by an iRule.


364978-1 : Active/standby system configured with unit 2 failover objects

Component: TMOS

Symptoms:
If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2.

Conditions:
This occurs when an active/standby system is misconfigured with unit 2 failover objects.

Impact:
For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair.

Workaround:
To work around this, modify the default device to point to unit 1 using a command similar to the following: tmsh modify /cm traffic-group traffic-group-2 default-device unit_1_device_name.

Fix:
An active/standby system configured with unit 2 failover objects now creates one traffic group, which is the correct behavior.


362267-3 : Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors

Component: TMOS

Symptoms:
If a user configures network failover on a VIPRION that uses a blade's management address as the unicast address, the other blades cannot use this address and issue an error message. This is correct operation.

Conditions:
System is configured with per-blade management addresses as unicast network failover addresses.

Impact:
The system posts error messages that appear severe. However, there is no impact to system functionality.

Workaround:
No workaround is needed (under these conditions, message is cosmetic), but the use of multicast failover avoids the messages.

Fix:
The system now tracks the set of active self IPs and management addresses, and only issues errors when the unicast source IP is invalid or does not behave as expected.


361367-3 : Create 8 MB-aligned partitions/volumes for VE images to improve disk I/O.

Component: TMOS

Symptoms:
On certain configurations/hypervisors, the local disk subsystem might be on a network share or SSD drives. In such cases, I/O operations degrade significantly if they are NOT aligned on a 4 KB/8 KB/64 KB/1 MB boundary (depending on the actual disk subsystem).

Conditions:
Disk subsystem used by the hypervisor is on network share, SAN or SSD disks.

Impact:
Low I/O performance on certain configurations where disk subsystem is on network share, SAN or SSD disks.

Workaround:
None.

Fix:
Partition alignment changes from cylinder to 8 MB boundary.

Behavior Change:
Partition alignment changes from cylinder to 8 MB boundary.
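Because the degradation described above depends on whether each partition's start offset falls on the boundary the underlying storage expects, the check a practitioner wants is one that reads a partition table and reports alignment per boundary. The following is an added example written for this note, not F5's own tooling: it parses partition entries in the `start=` form printed by `sfdisk -d` and tests each start offset against the boundaries the note lists plus the 8 MB boundary the fix adopts. SAMPLE_DUMP is constructed data, not captured BIG-IP VE output, and the 8 MB boundary is taken as 8 * 1024 * 1024 bytes (an assumption).

```python
"""Check whether partition start offsets honour common I/O alignment boundaries.

Added example, not F5's own tooling. SAMPLE_DUMP is constructed; the 8 MB
boundary is assumed to mean 8 * 1024 * 1024 bytes.
"""
from typing import Dict, List, NamedTuple

KIB = 1024
MIB = 1024 * KIB

# Boundaries the release note names for the various disk subsystems, plus the
# 8 MB boundary the fix moved partitions to.
BOUNDARIES = {
    "4 KB": 4 * KIB,
    "8 KB": 8 * KIB,
    "64 KB": 64 * KIB,
    "1 MB": MIB,
    "8 MB": 8 * MIB,
}


class Partition(NamedTuple):
    device: str
    start_sector: int
    sector_size: int = 512

    @property
    def start_bytes(self) -> int:
        return self.start_sector * self.sector_size


def parse_sfdisk_dump(text: str, sector_size: int = 512) -> List[Partition]:
    """Extract partitions from `sfdisk -d` style output.

    Header lines (label:, unit:, ...) are skipped; each partition line looks
    like '/dev/sda1 : start= 63, size= 409752, type=83'.
    """
    parts: List[Partition] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("/dev/") or "start=" not in line:
            continue
        device, _, fields = line.partition(":")
        kv: Dict[str, str] = {}
        for field in fields.split(","):
            key, sep, value = field.partition("=")
            if sep:
                kv[key.strip()] = value.strip()
        parts.append(Partition(device.strip(), int(kv["start"]), sector_size))
    return parts


def alignment_report(part: Partition) -> Dict[str, bool]:
    """True for each boundary that the partition's byte offset is a multiple of."""
    return {label: part.start_bytes % size == 0 for label, size in BOUNDARIES.items()}


def misaligned(parts: List[Partition], boundary: str = "8 MB") -> List[str]:
    """Devices whose start offset is not on the requested boundary."""
    return [p.device for p in parts if not alignment_report(p)[boundary]]


# Constructed sample: sda1 is the legacy cylinder-aligned layout (sector 63);
# sda2 starts at sector 16384, which is exactly 8 MiB with 512-byte sectors.
SAMPLE_DUMP = """\
label: dos
unit: sectors

/dev/sda1 : start=          63, size=      409752, type=83
/dev/sda2 : start=       16384, size=     2097152, type=83
"""

if __name__ == "__main__":
    for p in parse_sfdisk_dump(SAMPLE_DUMP):
        flags = ", ".join(f"{k}={'ok' if v else 'MISALIGNED'}" for k, v in alignment_report(p).items())
        print(f"{p.device} @ {p.start_bytes} bytes: {flags}")
```

On a live system, feed the script the output of `sfdisk -d /dev/sda` (or the equivalent for the hypervisor's disk) and pass the real sector size if the disk uses 4 KiB sectors; a partition that passes the 8 MB check also passes every smaller boundary listed, since they all divide 8 MiB.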


359774-6 : Pools in HA groups other than Common

Component: TMOS

Symptoms:
In v11.x, pools used in an HA group must be in Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.x fails.

Conditions:
HA group pools in administrative partitions other than Common.

Impact:
Upgrade fails.

Workaround:
None, except ensuring that all pools used in HA groups exist in the Common administrative partition.

Fix:
Upgrade script has been updated to append the full partition path names to pools in ha-groups when upgrading from 10.x to 11.x and ha-groups are defined. If the same pool name is used in multiple partitions, the pool in /Common will be used first. If the name exists in multiple partitions other than /Common, the first match is used, and a warning will be logged by the upgrade script.
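The resolution rule in the fix note (prefer /Common, otherwise take the first match in another partition and log a warning) is easy to get subtly wrong, so the following added example, written for this note and not F5's upgrade script, models it over a constructed pool inventory and ha-group. Dropping a reference that matches no pool at all is an assumption made here; SAMPLE_POOLS and SAMPLE_HA_GROUP are constructed data.

```python
"""Resolve bare HA-group pool references to full partition paths.

Added example, not F5's upgrade script. Models the rule the fix note
describes; dropping unmatched references is this example's assumption.
"""
import logging
from typing import Dict, Iterable, List, Optional, Tuple

log = logging.getLogger("ha_group_upgrade")


def resolve_pool(name: str, known_pools: Iterable[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (full_path_or_None, warning_or_None) for one pool reference."""
    pools = list(known_pools)
    if name.startswith("/"):
        # Already a full path: accept only if such a pool exists.
        return (name, None) if name in pools else (None, f"pool {name} not found")
    common = f"/Common/{name}"
    if common in pools:
        return common, None  # /Common wins whenever it has the pool
    matches = [p for p in pools if p.rsplit("/", 1)[-1] == name]
    if not matches:
        return None, f"pool {name} not found in any partition"
    chosen = matches[0]  # first match outside /Common
    warning = None
    if len(matches) > 1:
        warning = f"pool {name} exists in {len(matches)} partitions outside /Common; using {chosen}"
    return chosen, warning


def upgrade_ha_group(ha_group: Dict, known_pools: Iterable[str]) -> Dict:
    """Rewrite an ha-group's pool list with full paths, collecting warnings."""
    resolved: List[str] = []
    warnings: List[str] = []
    for ref in ha_group["pools"]:
        path, warning = resolve_pool(ref, known_pools)
        if warning:
            warnings.append(warning)
            log.warning("%s: %s", ha_group["name"], warning)
        if path:
            resolved.append(path)
    return {"name": ha_group["name"], "pools": resolved, "warnings": warnings}


# Constructed sample inventory: app_pool exists in two non-Common partitions.
SAMPLE_POOLS = [
    "/Common/web_pool",
    "/PartA/app_pool",
    "/PartB/app_pool",
    "/PartA/db_pool",
]
SAMPLE_HA_GROUP = {
    "name": "ha-group-1",
    "pools": ["web_pool", "app_pool", "db_pool", "missing_pool"],
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(upgrade_ha_group(SAMPLE_HA_GROUP, SAMPLE_POOLS))
```

The ambiguity warning is the part worth keeping an eye on after an upgrade: a bare name that exists in several non-Common partitions is resolved by inventory order, so the pool chosen for the HA group may not be the one the v10.x operator intended.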


356658-2 : Message logged when remote authenticated users do not have local account login

Component: TMOS

Symptoms:
A message is logged when remote-authenticated users that do not have a local account log in: alert [20843]: pam_unix(:account): could not identify user (from getpwnam())

Conditions:
Remote authentication is enabled and configured on the BIG-IP system. A remote user without a corresponding local user account logs in to the BIG-IP system.

Impact:
An alert-level log is generated for valid user login.

Fix:
The system no longer logs an alert-level message when remote-authenticated users that do not have a local account log in. The notice-level error is written to /var/log/secure, as expected.


355806-3 : Starting mcpd manually at the command line interferes with running mcpd

Component: TMOS

Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.

Conditions:
Having a running mcpd and executing mcpd at the command line.

Impact:
Various issues on the system, such as some utilities may no longer interact with mcpd, etc.

Workaround:
Don't try to use the mcpd directly.

Fix:
You are now told the PID of the current mcpd and the executed command will exit abnormally.


355661-3 : sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address

Component: TMOS

Symptoms:
During system startup, particularly after an upgrade or 'load sys config', the sod daemon will repeatedly log errors failing to bind() to the appliance management address to listen for network failover packets. This is caused by a race condition between the chassis management daemon programming the management port address and the failover daemon attempting to access that address.

Conditions:
The management address is configured as a device unicast address.

Impact:
Excessive logging traffic at error level for a valid configuration.

Workaround:
None.

Fix:
The sod daemon has been modified to validate the unicast addresses against the configured management addresses and non-floating self-IPs, and retries the bind() without logging an error if a race condition occurs. The daemon now reports when it is successfully listening on each of the configured unicast addresses, and only logs bind() errors if the configured address is invalid, which is correct behavior.
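The fix note describes two separate behaviours: validating each configured unicast address against the management addresses and non-floating self IPs, and retrying a bind() that fails during the startup race instead of logging it. The following is an added example written for this note, not sod's code: it models both pieces with a pluggable bind callable, so the race (bind() failing with EADDRNOTAVAIL, the errno behind 'Cannot assign requested address') can be reproduced deterministically. The self-IP record shape, the address lists and make_flaky_bind are constructed for the demonstration.

```python
"""Validate failover unicast addresses and retry bind() quietly on a startup race.

Added example, not sod's code. Self-IP records are assumed to look like
{"address": "10.0.0.2/24", "floating": False}; addresses are constructed.
"""
import errno
import ipaddress
import logging
import time
from typing import Callable, Dict, Iterable, Tuple

log = logging.getLogger("sod_example")


def validate_unicast(addr: str, mgmt_addrs: Iterable[str], self_ips: Iterable[Dict]) -> bool:
    """True if addr is a configured management address or a non-floating self IP."""
    ip = ipaddress.ip_address(addr)
    for m in mgmt_addrs:
        if ipaddress.ip_address(m) == ip:
            return True
    for s in self_ips:
        if s.get("floating"):
            continue  # floating self IPs move between units, so they are not valid bind targets
        if ipaddress.ip_interface(s["address"]).ip == ip:
            return True
    return False


def bind_with_retry(bind_fn: Callable[[], None], attempts: int = 5, delay: float = 0.0) -> int:
    """Call bind_fn until it succeeds and return the attempt count used.

    EADDRNOTAVAIL means the address is not programmed yet (the race in the note)
    and is retried silently; any other OSError, or exhausting attempts, propagates.
    """
    for n in range(1, attempts + 1):
        try:
            bind_fn()
            return n
        except OSError as exc:
            if exc.errno != errno.EADDRNOTAVAIL or n == attempts:
                raise
            log.debug("bind attempt %d failed with EADDRNOTAVAIL, retrying", n)
            time.sleep(delay)
    raise RuntimeError("unreachable")


def listen_unicast(addr, mgmt_addrs, self_ips, bind_fn, attempts=5, delay=0.0) -> Tuple[str, int]:
    """Return ('invalid', 0), ('listening', attempts_used) or ('error', attempts)."""
    if not validate_unicast(addr, mgmt_addrs, self_ips):
        log.error("unicast address %s is not a management address or non-floating self IP", addr)
        return ("invalid", 0)
    try:
        used = bind_with_retry(bind_fn, attempts, delay)
    except OSError as exc:
        log.error("bind to %s failed after %d attempts: %s", addr, attempts, exc)
        return ("error", attempts)
    log.info("listening for network failover on %s (after %d attempt(s))", addr, used)
    return ("listening", used)


def make_flaky_bind(failures: int) -> Callable[[], None]:
    """Constructed stand-in for socket.bind: fail `failures` times, then succeed."""
    state = {"left": failures}

    def bind() -> None:
        if state["left"] > 0:
            state["left"] -= 1
            raise OSError(errno.EADDRNOTAVAIL, "Cannot assign requested address")

    return bind


# Constructed configuration using documentation-range addresses.
MGMT_ADDRS = ["192.0.2.10"]
SELF_IPS = [
    {"address": "10.0.0.2/24", "floating": False},
    {"address": "10.0.0.100/24", "floating": True},
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(listen_unicast("192.0.2.10", MGMT_ADDRS, SELF_IPS, make_flaky_bind(2)))
    print(listen_unicast("203.0.113.5", MGMT_ADDRS, SELF_IPS, make_flaky_bind(0)))
```

The design point is that only the invalid-address case reaches the error log; a transient EADDRNOTAVAIL on a valid address is absorbed by the retry loop, which is what turns the repeated startup errors the note describes into a single success message.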


353556-4 : big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed

Component: Global Traffic Manager

Symptoms:
big3d keeps an SSL session cache for HTTPS monitors to improve performance. When the web server changes the SSL protocol, big3d fails to connect to the web server because it is still using the cached SSL session.

Conditions:
Modify SSL protocol at the server side and restart the web server.

Impact:
big3d is unable to correctly monitor the HTTPS web server.

Workaround:
Restart big3d.

Fix:
When big3d fails to connect to the HTTPS web server, it now clears the session entry from the session cache and initiates a new SSL negotiation.


352925-2 : Updating a suspended iRule and TMM process restart

Component: Local Traffic Manager

Symptoms:
Updating a suspended iRule assigned via a profile causes the TMM process to restart when trying to return to the suspended iRule.

Conditions:
This occurs when the iRule is suspended and the TMM process is trying to restart.

Impact:
TMM restarts.

Workaround:
Assign the iRule to the virtual server instead of assigning it to the profile.

Fix:
Updating a suspended iRule no longer results in TMM process restart.


348000-1 : HTTP response status 408 request timeout results in error being logged.

Component: Local Traffic Manager

Symptoms:
HTTP response status 408 request timeout results in error being logged.

Conditions:
HTTP profile is attached to a virtual server. 408 response status is received from server and is not preceded by request from the client.

Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.

Workaround:
None.

Fix:
HTTP response status 408 request timeout no longer results in error being logged.


342013-6 : TCP filter doesn't send keepalives in FIN_WAIT_2

Component: Local Traffic Manager

Symptoms:
TCP filter does not send keepalives in FIN_WAIT_2 (half close state). This may result in connections to remain open when they should be closed.

Conditions:
The BIG-IP system stops sending keepalives once the connection enters the half-close state, while the server continues to send keepalives. This keeps connections open indefinitely if the client disappears, a firewall drops its flow entry, and so on. The connection is never swept because the server keepalives reset the idle timeout.

Impact:
Idle connections may remain open indefinitely.

Workaround:
None.

Fix:
This is fixed by sending keepalives even in the half-close state: idle connections intentionally left open are still allowed, and clients that have disappeared are detected.


341928-4 : CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM daemon crashes with accompanying log message: Assertion 'cmp dest set on incorrect listener type' failed.

Conditions:
A CMP-enabled virtual server targets a CMP-disabled virtual server (for example, via the 'virtual' iRule command).

Impact:
Failover or network outage.

Workaround:
Avoid use of CMP disabled virtual servers.

Fix:
A CMP redirected looped virtual (i.e., VIP targeting VIP on different cluster node) no longer crashes TMM.


340406-10 : Localization of BIG-IP Edge Client for Macintosh

Component: Access Policy Manager

Symptoms:
Localization of BIG-IP Edge Client for Mac is complete now.
Some text was presented in English even when the OS ran in non-English locale.

Conditions:
The problem was seen with non-English locale and Edge Client for Mac.

Impact:
Some parts of Edge Client for Mac showed English text for non-English speakers.

Fix:
BIG-IP Edge Client for Mac is now completely localized.


339825-3 : Management.KeyCertificate.install_certificate_from_file failing silently

Component: TMOS

Symptoms:
If the iControl function Management.KeyCertificate.install_certificate_from_file fails, it does not return an error.

Conditions:
Using iControl to install a certificate from a file.

Impact:
The method fails, but appears to succeed.


291469-2 : SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.

Component: TMOS

Symptoms:
The SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.

Conditions:
The following error message is reported in the /var/log/messages file: snmpd[1748]: Error allocating more space for arpcache. Cache will continue to be limited to 2048 entries.

Impact:
The ARP entries up to the boundary are returned. Any ARP entries after the boundary is reached are not returned.

Workaround:
None.

Fix:
Memory validation now allows arpcache to expand, so the SNMP query no longer fails to return ARP entries when the ARP table exceeds 2,048 entries.


238444-2 : An L4 ACL has no effect when a layered virtual server is used.

Component: Access Policy Manager

Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:

Unexpected network traffic may be allowed to pass.
Expected network traffic may be blocked.

Conditions:
This issue occurs when the following conditions are met:

-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
-- When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.

Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.

Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.

Fix:
The ACL::eval iRule command can now be attached to layered virtual servers (APM use case) to evaluate L4 ACLs.


226892-13 : Packet filter enabled, default action discard/reject and IP fragment drop

Component: Local Traffic Manager

Symptoms:
With packet filter enabled with a default action of discard/reject, you might encounter the following symptoms:

-- Packet captures show that the BIG-IP system is receiving return traffic for one or more connections, but failing to forward those packets.
-- Some connections may fail. DNS traffic, or traffic with IP fragments, are more likely to fail due to how TMM handles connections.
-- If logging is enabled for the affected packet filter rule, many entries similar to the following example are logged to the /var/log/pktfilter file: 'local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56687): reject on external, len: 98 [IPv4 84 192.168.1.1 -- 192.168.1.2 ICMP 0:0]'

Conditions:
After configuring packet filters, you may notice that the BIG-IP system is incorrectly dropping the return packets of certain connections.

This issue occurs when all of the following conditions are met:

-- The BIG-IP platform and software version support Clustered Microprocessing (CMP).
-- CMP is enabled globally.
-- CMP is enabled for the specific traffic-handling object.
-- Packet filtering is enabled with the Filter established connections option disabled (this is the default setting).

Impact:
The BIG-IP system incorrectly drops return packets, which may cause your applications to fail or work intermittently.

Workaround:
To work around this issue, you can either define additional packet filter rules that explicitly allow return traffic, or disable CMP for the affected traffic-handling object. If the object does not allow CMP to be disabled (for example, a SNAT), you can first replace it with a virtual server. For more information, see SOL12831: Using packet filters in conjunction with CMP may cause intermittent drops on return traffic, available at http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12831.html.

Fix:
Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.


224903-5 : CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.

Component: TMOS

Symptoms:
CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.

Conditions:
CounterBasedGauge64 MIB values.

Impact:
CounterBasedGauge64 MIB values do not work with Network Management Systems.

Workaround:
None.

Fix:
In this release, the MIB has been changed from CounterBasedGauge64 to Gauge32, which matches the SNMP RFC.

Behavior Change:
In this release, the MIB has been changed from CounterBasedGauge64 to Gauge32, which matches the SNMP RFC.


223884 : Module not licensed message appears when APM is provisioned and APML is licensed.

Component: TMOS

Symptoms:
Module not licensed message appears when APM is provisioned and APML is licensed.

Conditions:
APM is provisioned and APML is licensed.

Impact:
It appears as if APML isn't licensed when it is.

Workaround:
Ignore the message.

Fix:
The Module not licensed message no longer appears when APM is provisioned and APML is licensed.



Known Issues in BIG-IP v11.6.x


TMOS Issues

ID Number Severity Description
641390-4 1-Blocking Backslash removal in LTM monitors after upgrade
653744 2-Critical ZebOS route-map set nexthop not being applied for neighbor outbound route-map
653376-3 2-Critical bgpd may crash on receiving a BGP update with >= 32 extended communities
646388-3 2-Critical TMM crash when moving to standby
638935-2 2-Critical Monitor with send/receive string containing double-quote may cause upgrade to fail.
625824-3 2-Critical iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
625456-2 2-Critical Pending sector utility may write repaired sector incorrectly
613542-4 2-Critical tmm core while running the iRule STATS:: command
613415-4 2-Critical Memory leak in ospfd when distribute-list is used
610354-2 2-Critical TMM crash on invalid memory access to loopback interface stats object
610295-3 2-Critical TMM may crash due to internal backplane inconsistency after reprovisioning
602642-1 2-Critical tmm assert "cipher_init_dual failed"
601445-1 2-Critical Memory leak configuring GTM topology with longest match
600396 2-Critical iControl REST may return 404 for all requests in AWS
593536-2 2-Critical Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations
555464-2 2-Critical HA channel flapping will cause SessionDB memory leak on standby due to unexpired entries
546760-2 2-Critical snmpd will crash when performing snmp query on ifXTable of ifMIB.
542898-3 2-Critical Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
528343-2 2-Critical Loading cli preference that does not contain the user attribute will fail
518197 2-Critical Modifying the default antifraud profile causes device group sync failures
515764-4 2-Critical PVA stats only being reported on virtual-server and system-level basis.
513151-8 2-Critical VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.
512634-1 2-Critical Add logging to indicate the nitrox3 compression engine is stalled.
493950-3 2-Critical Virtual Server with misconfigured profiles may block upgrade
489312-1 2-Critical IPsec IKEv2 tmm crash hud_ike_ingress_pkt()
657834-3 3-Major Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
655649-3 3-Major BGP last update timer incorrectly resets to 0
654011-3 3-Major Pool member's health monitors set to Member Specific does not display the active monitors
653888-3 3-Major BGP advertisement-interval attribute ignored in peer group configuration
652671-3 3-Major Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
651136-3 3-Major ReqLog profile on FTP virtual server with default profile can result in service disruption.
650002-3 3-Major tzdata bug fix and enhancement update
648873-2 3-Major Traffic-group failover-objects cannot be retrieved via iControl REST
648621-2 3-Major SCTP: Multihome connections may not expire
648544-4 3-Major HSB transmitter failure may occur when global COS queues enabled
648316 3-Major Flows using DEFLATE decompression can generate error message during flow tear-down.
647944-3 3-Major MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
647834-3 3-Major Failover DB variables do not correctly implement 'reset-to-default'
646603 3-Major LDAP search-timeout setting is not effective
645179-3 3-Major Traffic group becomes active on more than one BIG-IP after a long uptime
644979-3 3-Major Errors not logged from hourly 1k key generation cron job
644484-1 3-Major Inconsistent behavior between CLI and GUI for remote auth user passwords
644184-1 3-Major ZebOS daemons hang while AgentX SNMP daemon is waiting.
643799-2 3-Major Deleting a partition may cause a sync validation error
643459-2 3-Major Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
642923-3 3-Major MCP misses its heartbeat (and is killed by sod) if there are a large amount of file objects on the system
642422-3 3-Major BFD may not remove dependent static routes when peer sends BFD Admin-Down
641543 3-Major bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.
641450-1 3-Major A transaction that deletes and recreates a virtual may result in an invalid configuration
640416 3-Major tmsh command hangs when trust peer is deleted.
639774-4 3-Major mysqld.err rollover log files are not collected by qkview
639575-4 3-Major Using libtar with files larger than 2 GB will create an unusable tarball
638091-3 3-Major Config sync after changing named pool members can cause mcpd on secondary blades to restart
638089 3-Major LACP and CMP state simultaneous fail on A112 and A113 platform
636031-3 3-Major GUI LTM Monitor Configuration String adding CR for type Oracle
633824-3 3-Major Cannot add pool members containing a colon in the node name
633512-2 3-Major HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633465 3-Major Curl cannot be forced to use TLSv1.0 or TLSv1.1
633110-1 3-Major Literal tab character in monitor send/receive string causes config load failure, unknown property
632825-4 3-Major bcm56xxd crash following 'silent' port-mirror configuration failure
631627-5 3-Major Applying BWC over route domain sometimes results in tmm not becoming ready on system start
631172-3 3-Major GUI user logged off when idle for 30 minutes, even when longer timeout is set
630610-3 3-Major BFD session interface configuration may not be stored on unit state transition
629834-2 3-Major istatsd high CPU utilization with large number of entries
629499-2 3-Major tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
628202-2 3-Major Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-2 3-Major OSPF with multiple processes may incorrectly redistribute routes
627760-2 3-Major gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
626721-3 3-Major "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
626589-4 3-Major iControl-SOAP prints beyond log buffer
624626-1 3-Major Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
623930-2 3-Major vCMP guests with vlangroups may loop packets internally
623488-1 3-Major Custom adaptive reaper settings may be lost at upgrade time
623391-3 3-Major cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size
623371-3 3-Major After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
623367-2 3-Major When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present root's key.
623336-2 3-Major After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS
623265-2 3-Major UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt
623055-3 3-Major Kernel panic during unic initialization
622619-3 3-Major BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622183-3 3-Major The alert daemon should remove old log files but it does not.
622133-4 3-Major VCMP guests may obtain incorrect MAC addresses
621909-5 3-Major Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-4 3-Major DSR tunnels with transparent monitors may cause TMM crash.
621260 3-Major mcpd core on iControl REST reference to non-existing pool
621259-2 3-Major Config save takes long time if there is a large number of data groups
620659-2 3-Major The BIG-IP system may unnecessarily run provisioning on successive reboots
619210-1 3-Major [FIPS] High CPU usage (11.5.4) or memory error messages (11.6.1) during stress test using FIPS keys
618319-3 3-Major HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked
618163 3-Major iControl REST transaction failure when specifying older schema version
617628-2 3-Major SNMP reports incorrect value for sysBladeTempTemperature OID
615107-3 3-Major Cannot SSH from AOM/SCCP to host without password (host-based authentication).
614493-2 3-Major BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
614486-3 3-Major BGP community lower bytes of zero is not allowed to be set in route-map
612721-3 3-Major FIPS: .exp keys cannot be imported when the local source directory contains .key file
610906 3-Major Secondary mcpd restart on validation error, "user role partition already exists"
610417-3 3-Major Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609772 3-Major Tilde character does not work on GET requests via iControl REST
609186-2 3-Major TMM or MCP might core while getting connections via iControl.
607961-4 3-Major Secondary blades restart when modifying a virtual server's route domain in a different partition.
606330-2 3-Major The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
605840-2 3-Major HSB receive failure lockup due to unreceived loopback packets
605800-2 3-Major Web GUI submits changes to multiple pool members as separate transactions
605792-4 3-Major Installing a new version changes the ownership of administrative users' files
604938-2 3-Major Log IPsec tunnel up/down events
604237-2 3-Major Vlan allowed mismatch found error in VCMP guest
604061-1 3-Major Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602566-4 3-Major sod daemon may crash during start-up
602193-2 3-Major iControl REST call to get certificate fails if
601893-3 3-Major TMM crash in bwc_ctb_instance_recharge because pkts_avg_size is zero.
601709 3-Major I2C error recovery for BIG-IP 4340N/4300 blades
601414-4 3-Major Combined use of session and table irule commands can result in intermittent session lookup failures
600944-3 3-Major tmsh does not reset route domain to 0 after cd /Common and loading bash
598650-2 3-Major apache-ssl-cert objects do not support certificate bundles
597564-1 3-Major 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
596826-2 3-Major Don't set the mirroring address to a floating self IP address
596815-3 3-Major System DNS nameserver and search order configuration does not always sync to peers
596067 3-Major GUI on VIPRION hangs on secondary blade reboot
595617-2 3-Major Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.
595317-2 3-Major Forwarding address for Type 7 in ospfv3 is not updated in the database
592194-2 3-Major Rarely, an HSB transmitter failure occurs
590938-2 3-Major The CMI rsync daemon may fail to start
589698 3-Major HSB lockup on B2100 (A109) blade with vCMP running v11.6.0 final
589338 3-Major Linux host may lose ECMP routes on secondary blades
588646-3 3-Major Use of Standard access list remarks in imish may cause later entries to fail on add
587668-3 3-Major LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
584583-1 3-Major Timeout error when attempting to retrieve large dataset.
583754-5 3-Major When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
583475-2 3-Major The BIG-IP may core while recompiling LTM policies
582084-2 3-Major BWC policy in device sync groups.
581851-4 3-Major mcpd, interleaving of messages / folder contexts from primary to secondary blade
580499-1 3-Major Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.
579694-2 3-Major Monitors may create invalid configuration files
579565-1 3-Major FIPS (ngfips) card-sync fails due to its lacking ability to properly handle "\" in the SO (security officer) password.
579035-2 3-Major Config sync error when a key with passphrase is converted into FIPS.
578551-2 3-Major bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot
577831-1 3-Major VE does not boot without a vga console
576807-1 3-Major Firewall policies assigned to route domain may not sync across HA
575368-2 3-Major Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
572246 3-Major When a rewrite profile using the default settings is attached to a virtual server, all layer 3 connectivity will begin to fail.
571333-1 3-Major fastL4 tcp handshake timeout not honored for offloaded flows
570845-2 3-Major Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy
569331-4 3-Major Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP
569280-2 3-Major BIG-IP does not delete the SA on peer box after erase/modify ike-peer
568182-1 3-Major IPsec does not send phase 2 delete.
565137-1 3-Major Pool licensing fails in some KVM/OpenStack environments.
562452 3-Major Perpetual 'Loading...' banner when updating values in GUI System :: Preferences.
561444-3 3-Major LCD might display incorrect output.
559080-3 3-Major High Speed Logging to specific destinations stops from individual TMMs
557155-4 3-Major BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
553776-2 3-Major BGP may advertise default route with bad parameters
553446-3 3-Major Interface bfd session does not appear in configuration file or in show running-config
552176-1 3-Major LTM v11.6.0 iControl REST transactions with multiple commands do not work as expected
548866-1 3-Major Tomcat might become unresponsive when the UI throws an Out of Memory Exception
547479-2 3-Major Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-4 3-Major Creating local user for previously remote user results in incomplete user definition.
546085-2 3-Major On shutdown, SOD and other daemons very infrequently core due to an internal processing error during the shutdown.
545946-2 3-Major Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load
545214-2 3-Major OSPF distance command does not persist across restarts.
545081-1 3-Major "tmsh install sys crypto cert" command fails to overwrite existing certificate
544989-2 3-Major distance cli command without access name in OSPF posts a memory allocation error.
544906-1 3-Major Issues when using remote authentication when users have different partition access on different devices
544463 3-Major The BIG-IP system's management port drops egress Ethernet multicast traffic
542664-1 3-Major No default boot volume is set when installing a vCMP guest from a hotfix iso.
542191-2 3-Major Snmpd V1 and V2c view based access.
540923-1 3-Major TMSH list node filtering no longer filters correctly.
539832-3 3-Major Zebos: extended community attributes are exchanged incorrectly in BGP updates.
539125-2 3-Major SNMP: ifXTable walk should produce the available counter values instead of zero
533174 3-Major Several "Standard MIB" OIDs were not supported correctly
528295-4 3-Major Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
528083-2 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
528052-1 3-Major System remains OFFLINE after running tmsh run cm config-sync recover-sync
527206-3 3-Major Management interface may flap due to LOP sync error
527185 3-Major 'Data publisher not found or not implemented ...' errors in /var/log/ltm
526708-2 3-Major system_check shows fan=good on removed PSU of 4000 platform
524735-5 3-Major Use a DB variable to control whether IPsec interface should enforce policy check
524193-4 3-Major Multiple Source addresses are not allowed on a TMSH SNMP community
524123-3 3-Major iRule ISTATS::remove does not work
523985 3-Major Certificate bundle summary information does not propagate to device group peers
523797-3 3-Major Upgrade: file path failure for process name attribute in snmp.
522304-2 3-Major Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group
516167-3 3-Major TMSH listing with wildcards prevents the child object from being displayed
515649 3-Major config load failed after upgrading from 11.6.1 to 12.0.0
512853-2 3-Major Kerberos SSO fails if KDC is not specified
510425-4 3-Major DNS Express zone RR type-count statistics are missing in some cases
510200-1 3-Major Upon de-provisioning, ASM does not release disk resources.
509611-1 3-Major Asynchronous Tasks for Long-Running command control
508556-1 3-Major CSR missing SAN when renewing cert in GUI
507331-4 3-Major Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.
505123-7 3-Major sysObjectID returns 'unknown' platform on the VIPRION 4400
501949-1 3-Major BWC rate limit instability on large number of live dynamic flows
501947-2 3-Major Cannot delete keys/certificates whose names start with 0 (zero).
501418-2 3-Major OSPF: Multiple ECMP default routes not distributed to TMM
499694 3-Major LTM v10.2.x to v11.x upgrade misses partition name on node specific monitor
493250-2 3-Major BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled
491406-1 3-Major TMM SIGSEGV in sctp_output due to NULL snd_dst
489499-4 3-Major chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
488417-2 3-Major Config load failure with 'Input error: can't create user' after upgrade
488262-2 3-Major moving VLAN from route-domain being deleted in the same transaction can cause errors
488188-1 3-Major When qkview is killed, it might leave temporary files on disk
485164-2 3-Major MCPD cores when the Check Service Date in the license is not current.
483840-2 3-Major Serial number of a blade is not cleared in show command after it is moved
479115-1 3-Major stpd tries to use bcm56xxd before it has started which results in error messages in ltm log
474149-4 3-Major SOD posts error message: Config digest module error: Traffic group device not found
472308-3 3-Major Management IP address change interaction with HA heartbeat / failover traffic
471042-6 3-Major Datastor High Velocity Traffic Pattern Changes
468559-2 3-Major Config fails to load after upgrade to 11.5.1 when iApp requires PSM module.
455066-1 3-Major Read-only account can save system config
454941-2 3-Major IPsec IKEv1 configuration change resets all existing IPsec IKEv1 tunnels.
452660-4 3-Major SNMP trap engineID should not be configsynced between HA-pairs
441482-2 3-Major SWG is seen on platforms with less than 8 GB of memory
439399-3 3-Major Discrepancy between Throughput and Detailed Throughput data
433055-6 3-Major BFD GTSM IMI shell commands don't work
425331-2 3-Major On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID
424542-3 3-Major tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
423928-2 3-Major syslog messages over 8 KB in length cause logstatd to exit
418349-1 3-Major Update/overwrite of FIPS keys error
393270-2 3-Major Configuration utility may become non-responsive or fail to load.
384995-4 3-Major Management IP changes are not synced to the device group.
382363 3-Major min-up-members and using gateway-failsafe-device on the same pool.
378967-1 3-Major Users are not synchronized if created in a partition
375434-4 3-Major HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
373949-4 3-Major Network failover without a management address causes active-active after unit1 reboot
369352-10 3-Major No verification prompt when executing 'load sys config default' for resource administrator role
368824-3 3-Major There is no indication that a failed standby cannot go active.
337934-1 3-Major remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly
660239-2 4-Minor When accessing the dashboard, invalid HTTP headers may be present
650019-3 4-Minor The commented-out sample functions in audit_forwarder.tcl are incorrect
648271-1 4-Minor vCMP guest is unable to install a hotfix for block-device-images
647812-2 4-Minor /tmp/wccp.log file grows unbounded
645589-1 4-Minor Password-less ssh access lost for non-admin users after tmsh load sys ucs
636823-2 4-Minor Node name and node address
634371-3 4-Minor Cisco ethernet NIC driver
634014-2 4-Minor Absolute timers may fire one second early during the leap second event
632668-3 4-Minor When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
631334-3 4-Minor TMSH does not preserve \? for config save/load operations
624909-3 4-Minor Static route create validation is less stringent than static route delete validation
624484-1 4-Minor Timestamps not available in bash history on non-login interactive shells
623536-4 4-Minor SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
616021-3 4-Minor Name Validation missing for some GTM objects
611054-3 4-Minor Network failover "enable" setting is sometimes ignored on chassis systems
609107-2 4-Minor mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
608348-2 4-Minor Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system
606799-3 4-Minor GUI total number of records not correctly initialized with search string on several pages.
603014 4-Minor Running "show node detail recursive" from root folder may result in error
602508-1 4-Minor Capture historical changes of config files
599033-2 4-Minor Traffic directed to incorrect instance after network partition is resolved
598289-2 4-Minor TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
595712-4 4-Minor Not able to add remote user locally
589862-4 4-Minor HA Group percent-up display value is truncated, not rounded
586348-2 4-Minor Network Map Pool Member Parent Node Name display and Pool Member hyperlink
584788-2 4-Minor Directed failover of HA pair using only hardwire failover will fail
583777-2 4-Minor [TMSH] sys crypto cert missing tab completion function
583084-2 4-Minor iControl produces 404 error while creating records successfully
582595-3 4-Minor default-node-monitor is reset to none for HA configuration.
581865-1 4-Minor 6900, 8900, 8950, or 11050 platforms missing swap storage
578843-2 4-Minor GUI strips out 0.0.0.0 masks from the SNMP Client Allow Lists.
577511 4-Minor The merged.state debugging file in qkview reports wrong method when input files are too volatile
575848-2 4-Minor Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.
575176-2 4-Minor Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
573031-3 4-Minor qkview may not collect certain configuration files in their entirety
571560 4-Minor icrd may crash on shutdown
563560-3 4-Minor Intermittent iStats reset
562510-2 4-Minor BIG-IQ unable to license BIG-IP Virtual Edition (VE) instances in UDF/KVM Environments.
560584-1 4-Minor Disabling an IKE Peer sets all Common Settings values to default
559837-6 4-Minor Misleading error message in catalina.out when listing certificates.
557452-2 4-Minor Messages logged when the CAN daemon (cand) receives unsolicited data
551349-4 4-Minor Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade
550253-2 4-Minor SNMP query response for sysPacketFilterStatHits is incorrect
548268-2 4-Minor Disabling an interface on a blade does not change media to NONE
545799-2 4-Minor Dashboard fails to export derived throughput history
542292-2 4-Minor GUI might cause MIB files to be uncompressed when downloading from GUI with Chrome.
541693-2 4-Minor Monitor inheriting time-until-up and up-interval from parent incorrectly via GUI
541550-1 4-Minor Defining more than 10 remote-role groups can result in authentication failure
540777-2 4-Minor SNMP requests fail and subsnmpd reports that it has been terminated.
539648 4-Minor Disabled db var Watchdog.State prevents vCMP guest activation.
530927-2 4-Minor Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-2 4-Minor [mcpd] TMSH "range" filter for 'show sys log' fails to work as expected
528894-2 4-Minor Config sync after sub-partition config changes results in extra lines in the partition's conf file
527720-2 4-Minor Rare 'No LopCmd reply match found' error in getLopReg
526642-2 4-Minor iRule with HTML commands inside can be attached to Virtual server without HTML profile
525847-2 4-Minor SNMP manager doesn't accept community name in double quotes in packet capture.
523992-8 4-Minor tmsh error map not included in /etc/alertd
516841-2 4-Minor Unable to log out of the GUI in IE8
516808-1 4-Minor tmsh listing of a nonexistent ltm monitor returns incorrect results.
507206-3 4-Minor Multicast Out stats always zero for management interface.
505992 4-Minor Erroneous MCPd Errors using tmsh reboot
503960-4 4-Minor The requested unknown (1936) was not found.
499348-1 4-Minor System statistics may fail to update, or report negative deltas due to delayed stats merging
495227-1 4-Minor tmsh displays wrong cert expiration date on 'show gtm iquery' (later than Jan 18 2038).
488560-1 4-Minor Duplicate 'Source Address Translation' field on Virtual Server properties page
483242-1 4-Minor GUI LTM Profile ClientSSL unable to recognize certificates/key with short names.
479262-5 4-Minor 'readPowerSupplyRegister error' in LTM log
476544-3 4-Minor mcpd core during sync
473213-4 4-Minor Emergency alert treated as critical on the 10000s, 10200v, 10250v, and 10350vN platforms.
473212 4-Minor Systems which do not use RAID show confusing RAID status on the LCD
466017-4 4-Minor Tab-completion does not work for TCP/HTTP profiles with ltm virtual profiles
465115-1 4-Minor Message about missing database variable found in ltm log.
464650-3 4-Minor Failure of mcpd with invalid authentication context.
439860-3 4-Minor Missing SNMP alerts for Virtual Server enabled/disabled.
417720-1 4-Minor BIG-IP LTM Log Indicates Chassis Power Turned Off During Fan Speed Failures
603092-3 5-Cosmetic "displayservicenames" does not apply to show ltm pool members
572655-2 5-Cosmetic Request Logging profile Template textarea wrapping set to soft wrap
522632 5-Cosmetic Qkview generates error-level message
504244 5-Cosmetic Secondary blade shows "unknown" sync status while primary show "in sync"
479888-2 5-Cosmetic BCM debug logging cannot be turned off once enabled
402414-1 5-Cosmetic Configured flow control not applied to Copper SFPs
396273-3 5-Cosmetic Error message in dmesg and kern.log: vpd r/w failed


Local Traffic Manager Issues

ID Number Severity Description
621452-3 1-Blocking Connections can stall with TCP::collect iRule
618905-3 1-Blocking tmm core while installing Safenet 6.2 client
657713-3 2-Critical TMM cored with SIGFPE panic string "Valid node"
655211-2 2-Critical bigd crash (SIGSEGV) when running FQDN node monitors
648320-1 2-Critical Downloading via APM tunnels could experience performance downgrade.
648037-3 2-Critical LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
647868 2-Critical bigd monitor stuck in fqdn-checking when DNS server unreliable
647757-1 2-Critical RATE-SHAPER:Fred not properly initialized may halt traffic
646643-3 2-Critical HA Standby Virtual Server with a lasthop pool may crash.
646604-3 2-Critical Client connection may hang when NTLM and OneConnect profiles used together
643631-1 2-Critical Server side connections on virtuals using VDI may become zombies.
643210-1 2-Critical Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
642400-1 2-Critical Path MTU discovery occasionally fails
639744-2 2-Critical Memory leak in STREAM::expression iRule
639039-3 2-Critical Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
637181-3 2-Critical VIP-on-VIP traffic may stall after routing updates
634259 2-Critical IP tuple nexthop object can be freed while still referenced by another structure
632400 2-Critical tmm may get stuck in a core loop during a failover event
625198-3 2-Critical TMM might crash when TCP DSACK is enabled
619071-2 2-Critical OneConnect with verified accept issues
618463-3 2-Critical artificial low route mtu can cause SIGSEGV core from monitor traffic
609609 2-Critical TMM crash, Invalid action
609199-4 2-Critical Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
604926-1 2-Critical The TMM may become unresponsive when using SessionDB data larger than ~400K
603690-1 2-Critical CPU Saver option not working while the "latency" compression provider selection algorithm is in use.
603667-3 2-Critical TMM may leak or corrupt memory when configuration changes occur with plugins in use
600982-1 2-Critical TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
597978-4 2-Critical GARPs may be transmitted by active going offline
583700-2 2-Critical tmm core on out of memory
581746-3 2-Critical MPTCP traffic handling may cause a BIG-IP outage
566071-1 2-Critical network-HSM may not be operational on secondary slots of a standby chassis.
555156-3 2-Critical Changing monitoring configuration stops health checks for FQDN nodes.
527080 2-Critical Upgrade of invalid IP address or FQDN configuration.
515915-1 2-Critical Server side timewait close state cause long establishment under port reuse
511782-3 2-Critical The HTTP_DISABLED event does not trigger in some cases
503125-5 2-Critical Excessive MPI net traffic can cause tmm panics on chassis systems
477195-2 2-Critical OSPFv3 session gets stuck in loading state
477178-1 2-Critical Occasional crash when SSL session mirroring is enabled
476136 2-Critical notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE/TRUE)
474797 2-Critical Malformed SSL packets can cause errors in /var/log/ltm
464437-3 2-Critical Quickly repeated external datagroup loads might cause TMM crash.
423629-4 2-Critical bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
372332 2-Critical Unnecessary buffering of client-side egress in some circumstances.
663326 3-Major Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-3 3-Major L7 mirrored packets from standby to active might cause tmm core when it goes active.
661881-3 3-Major Memory and performance issues when using certain ASN.1 decoding formats in iRules
660807-1 3-Major Clientside command with parking command crashes TMM
659919-3 3-Major Verified Accept prevents persist cookie from being inserted into responses
659596 3-Major bigd not rotating DNS servers when ICMP packet is not received
659519-3 3-Major Non-default header-table-size setting on HTTP2 profiles may cause issues
658214-3 3-Major TCP connections fail intermittently for mirrored fastl4 virtual server
657883-3 3-Major tmm cache resolver should not cache response with TTL=0
655767-2 3-Major MCPD does not prevent deleting an iRule that contains in-use procedures
655724-2 3-Major MSRDP persistence does not work across route domains.
655432-4 3-Major SSL renegotiation failed intermittently with AES-GCM cipher
653137-4 3-Major Virtual flaps when FQDN node and pool configured with autopopulate
651772-1 3-Major IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
651541-3 3-Major Changes to the HTTP profile do not trigger validation for virtual servers using that profile
650292-3 3-Major DNS transparent cache can return non-recursive results for recursive queries
648954-3 3-Major Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647165 3-Major A monitor may unexpectedly transition from up to down and back to up.
647071-3 3-Major Stats for SNATs do not work when configured in a non-zero route domain
645635-3 3-Major Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
645197-2 3-Major Monitors receiving unique HTTP "success" response codes may stop monitoring after status change
645058-1 3-Major Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-2 3-Major Removing pool from virtual server does not update its status
644873-1 3-Major ssldump can fail to decrypt captures with certain TCP segmenting
643860-3 3-Major Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
643777-3 3-Major LTM policies with more than one IP address in TCP address match may fail
643582-1 3-Major Config load with large ssl profile configuration may cause tmm restart
643041-2 3-Major Less than optimal interaction between OneConnect and proxy MSS
641512-3 3-Major DNSSEC key generations fail with lots of invalid SSL traffic
640565-3 3-Major Incorrect packet size sent to clone pool member
640376-1 3-Major STPD leaks memory on 2000/4000/i2000/i4000 series
640369-3 3-Major TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
638696 3-Major DORA process fails when using "table" iRule command on DHCP virtual server in Relay Mode
637613-2 3-Major Cluster blade being disabled immediately returns to enabled/green
632968-1 3-Major supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
627246-2 3-Major TMM memory leak when ASM policy configured on virtual
626798 3-Major Use of SPDY profile may crash tmm in rare conditions
626434-4 3-Major tmm may be killed by sod when a hardware accelerator does not work
623084-1 3-Major mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp
622017-5 3-Major Performance graph data may become permanently lost after corruption.
621736-3 3-Major statsd does not handle SIGCHLD properly in all cases
620896 3-Major mcpd fails to load configuration on upgrade if the transparent monitors are configured for FQDN nodes
619849-2 3-Major In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618546 3-Major ClientSSL profile could incorrectly inherit cert-key-chain objects from parent profile
618254 3-Major Non-zero Route domain is not always used in HTTP explicit proxy
618161-3 3-Major SSL handshake fails when clientssl uses softcard-protected key-certs.
618131-2 3-Major Latency for Thales key population to the secondary slot after reboot
618104-3 3-Major Connection Using TCP::collect iRule May Not Close
615553-1 3-Major Reverse/transparent setting reverting to disabled on child monitor
615143-4 3-Major VDI plugin-initiated connections may select inappropriate SNAT address
613079-2 3-Major Diameter monitor watchdog timeout fires after only 3 seconds
612694-3 3-Major TCP::close with no pool member results in zombie flows
612086-2 3-Major Virtual server CPU stats can be above 100%
611691-3 3-Major Packet payload ignored when DSS option contains DATA_FIN
611482-1 3-Major Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
610302-2 3-Major Link throughput graphs might be incorrect.
609244-1 3-Major tmsh show ltm persistence persist-records leaks memory
608870 3-Major Fastl4 drops ICMP fragmentation needed messages (no PVA).
608753 3-Major [GTM] [monitor] upgrade issue for monitor backslash '\'
608551-4 3-Major Half-closed congested SSL connections with unclean shutdown might stall.
607803-2 3-Major DTLS client (serverssl profile) fails to complete resumed handshake.
607246-2 3-Major Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
607166-3 3-Major Hidden directories and files are not synchronized to secondary blades
604880-2 3-Major tmm assert "valid pcb" in tcp.c
604811 3-Major tmm core
604496-2 3-Major SQL (Oracle) monitor daemon might hang.
603550-3 3-Major Virtual servers that use both FastL4 and HTTP profiles at the same time will have incorrect syn cache stats.
602329 3-Major syncookie header of HA channel mirror packets is not cleared
602136-3 3-Major iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
600614-2 3-Major External crypto offload fails when SSL connection is renegotiated
599821 3-Major Connections fail when using an iRule with 'persist add uie' in combination with the 'node' command.
598707 3-Major Path MTU does not work in self-IP flows
598204-1 3-Major In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
597879-3 3-Major CDG Congestion Control can lead to instability
597532-5 3-Major iRule: RADIUS avp command returns a signed integer
595921-2 3-Major VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
593390-2 3-Major Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
591666-2 3-Major TMM crash in DNS processing on TCP virtual with no available pool members
589400-3 3-Major With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
589006-3 3-Major SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-7 3-Major Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
586621-3 3-Major SQL monitors 'count' config value does not work as expected.
584948-3 3-Major Safenet HSM integration failing after it completes.
584471-2 3-Major Priority order of clientssl profile selection of virtual server.
584310-2 3-Major TCP::collect ignores the 'skip' parameter when used in serverside events
582234-2 3-Major When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
582207-4 3-Major MSS may exceed MTU when using HW syncookies
579252-2 3-Major Traffic can be directed to a less specific virtual during virtual modification
574262-1 3-Major Rarely encountered lockup for N3FIPS module when processing key management requests.
573366-1 3-Major parking command used in the nesting script of clientside and serverside command can cause tmm core
572895 3-Major TCP forwarded flows are reset when time wait recycle of port happens
572234-3 3-Major When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
572180-1 3-Major httpclass containing escaped backslashes are stripped on migration to LTM policy
571482-2 3-Major Unbalanced double-quotes may merge lines upon config save-then-load
570570-3 3-Major Default crypto failure action is now "go-offline-downlinks".
568229-2 3-Major [LTM][DNS] save-on-auto-sync with partitions fails for LTM DNS partition objects
563933-2 3-Major [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
562885 3-Major TMM segfault in flow_find_opaque_ctx() caused by corrupt opaque ctx.
560405-6 3-Major Optional target IP address and port in the 'virtual' iRule API is not supported.
560231-3 3-Major Pipelined requests may result in a RST if the server disconnects
559554-2 3-Major CHD congestion control can have erroneous very large cwnd.
558602-3 3-Major Active mode FTP data channel issue when using lasthop pool
557864 3-Major bigd restart when DNS server returns 0 address
555343-3 3-Major tmm may crash in fastl4 tcp virtual server
553830-2 3-Major Use of OneConnect may result in stalled flows
553521-1 3-Major TMM crash when executing route lookup in tmsh for multicast destination
550739-2 3-Major TMSH mv virtual command will cause iRules on the virtual to be dis-associated
550161-2 3-Major Networking devices might block a packet that has a TTL value higher than 230.
548611-1 3-Major Memory protection strategies can conflict
545796-3 3-Major [iRule] [Stats] iRule is not generating any stats for executed iRules.
545263-4 3-Major Add SSL maximum aggregate active handshakes per profile and per global
542009-2 3-Major tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.
539439-1 3-Major Using the pool command in HTTP_PROXY_REQUEST event occasionally fails
538705-1 3-Major tmm assert 'valid private'
537209-2 3-Major Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
536563-2 3-Major Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
536505-3 3-Major DHCPv6 - pool member not selected if it returns from DOWN state
532904-2 3-Major Some HTTP commands fail validation when it is in a proc and the proc is called from another proc
532828 3-Major Changing from a standard virtual server to a FastHTTP server may stop processing traffic
529627-1 3-Major LDAP StartTLS may fail on serverside when persistence is configured
529395 3-Major Local-only network IP forwarding virtual server not forwarding traffic on standby system
528401-1 3-Major Using an iRule to enable/disable a profile does not enable/disable the profile
528198-2 3-Major reject in iRule event FLOW_INIT may not respond with a RST
523973-1 3-Major Deletion of key/cert/csr fails to update bigip.conf.
522620-1 3-Major BIG-IP continues to monitor APM AAA pool with old monitor after monitor changed
520604-8 3-Major Route domain creation may fail if simultaneously creating and modifying a route domain
518258-1 3-Major The CLIENTSSL_CLIENTCERT iRule event may not be triggered.
517456 3-Major Resetting virtual server stat increments cur_conns stat in clientssl profile
516432-5 3-Major DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.
516280-2 3-Major bigd process uses a large percentage of CPU
515139-5 3-Major Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
514496-1 3-Major Modifying an in-use rate-shaping profile may prevent traffic from being rate shaped
514419-5 3-Major TMM core when viewing connection table
513202-2 3-Major RPZ may not work as expected
511324-5 3-Major HTTP::disable does not work after the first request/response.
508486-2 3-Major TCP connections might stall if initialization fails
507554-1 3-Major Uneven egress traffic distribution on trunk with odd number of members
502129-3 3-Major Hash Cookie Persistence interacts poorly with persistence iRules
499615-3 3-Major RAM cache serves zero length documents.
499404-3 3-Major FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
494333-2 3-Major In specific cases, persist cookie insert fails to insert a session cookie when using an iRule
494084-2 3-Major Certain rapidly-terminating UDP virtuals may core on standby
490449-1 3-Major LSN translation may occur after an iRule error.
486735-4 3-Major Maximum connections is not accurate when TMM load is uneven
484542-2 3-Major QinQ tag-mode can be set on unsupported platforms
483653-2 3-Major In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window
483257-1 3-Major Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP
480982-5 3-Major pkcs11d with a high thread count can result in high CPU utilization
477950-3 3-Major Displayed SSL profile statistics might be incorrect
477897-2 3-Major After modifying the protocol profile on an SCTP virtual, the logs may contain error messages
475681-1 3-Major Changing virtual server type from Standard to Performance (HTTP) can make it impossible to connect to VIP
471288-5 3-Major TMM might crash with session-related commands in iRules.
471001-5 3-Major Standby responds to traceroute on mirror enabled forwarding virtual server
469566-1 3-Major HTTP OneConnect on wildcard non-translating virtual server does not reuse connections
468083-2 3-Major An LB_FAILED iRule that references an undefined value can cause Traffic Management Microkernel (TMM) failover.
462881-1 3-Major Configuration utility allows for mismatch in IP protocol and transport profile
456378-2 3-Major On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core
454209-3 3-Major TMM crash on UDP DNS virtual without datagram-load-balancing enabled
441079-5 3-Major BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
440431-3 3-Major Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
435055-1 3-Major ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert)
434517-10 3-Major HTTP::retry doesn't work in an early server response
433572-3 3-Major DTLS does not work with rfcdtls cipher on the B2250 blade
433323-2 3-Major Ramcache handling of Cache-Control: no-cache directive in Response
431480-2 3-Major Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
428864-7 3-Major Lowering virtual server connection limit does not work when traffic is being processed
424228-3 3-Major Parking iRules in CLIENT_DATA on virtual without assigned pool may not return
423392-5 3-Major tcl_platform is no longer in the static:: namespace
374067-4 3-Major Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
367226-1 3-Major Outgoing RIP advertisements may have incorrect source port
352957-1 3-Major Route lookup after change in route table on established flow ignores pool members
345358-2 3-Major OneConnect Transforms do not recognize Connection header if it contains extra Header tokens.
333340 3-Major The bigd process is not compatible with IPv6 link-local unicast addresses
246726-4 3-Major System continues to process virtual server traffic after disabling virtual address
225634-5 3-Major The rate class feature does not honor the Burst Size setting.
222690 3-Major The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.
653746-3 4-Minor Unable to display detailed CPU graphs if the number of CPU is too large
652577-3 4-Minor Changes to MAC Masquerading may cause the Standby unit to not reach the floating Self-IP address
651005-2 4-Minor FTP data connection may use incorrect auto-lasthop settings.
636348-1 4-Minor BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.
635971-1 4-Minor Cookie persistence to an offline pool member results in a connection failure.
631862-3 4-Minor Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
629033 4-Minor BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello).
625892-3 4-Minor Nagle Algorithm Not Fully Enforced with TSO
622876-2 4-Minor Certificate serial number is not displayed properly in OCSP Stapling logs.
622148-4 4-Minor Flow-generated ICMP error messages need to consider which side of the proxy they are on
621843-3 4-Minor The ipother proxy is sending ICMP error messages to the wrong side
618024-3 4-Minor Software-switched platforms accept traffic on LACP trunks even when the trunk is down
611161-5 4-Minor VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
604272-2 4-Minor SMTPS profile connections_current stat does not reflect actual connection count.
603380-4 4-Minor Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
599048-4 4-Minor BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
598860-2 4-Minor IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
593396-3 4-Minor Stateless virtual servers may not work correctly with route pools or ECMP routes
592620-3 4-Minor iRule validation does not catch incorrect 'after' syntax
589039-2 4-Minor Clearing masquerade MAC results in unexpected link-local self IPs.
586138-3 4-Minor Inconsistent display of route-domain information in administrative partitions.
578097-1 4-Minor Enabling DNS resolver and proxy server pool at the same time by tmsh in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might cause OCSP responder not reached
564634-3 4-Minor Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool
558893-2 4-Minor TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT
554444-3 4-Minor LTM Policy resets connection when removing non-existent HTTP header
549569-2 4-Minor tmm may crash when a memory allocation fails.
544033-2 4-Minor Fragmented ICMP Echo to Virtual Address may not receive response
539026-1 4-Minor Stats refinements for reporting Unhandled Query Actions :: Drops
535122-1 4-Minor tmsh create sys ssl-cert command does not add .crt extension.
530877-4 4-Minor TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.
528228 4-Minor Monitor with alias port fails for FQDN nodes
527907-4 4-Minor TCP reject Virtual Servers may not respond with TCP reset
519064 4-Minor Maximum connections statistic on node incorrect, shows higher than connection limit
517202-1 4-Minor Microsoft Internet Explorer may fail SSL handshake
511985-4 4-Minor Large numbers of ERR_UNKNOWN appearing in the logs
503795-4 4-Minor [LTM] [DNS] [LOG] debug log information is logged even when "dnscacheresolver.loglevel" set to higher than debug
500402-2 4-Minor 'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh.
497104-1 4-Minor Log filled with 'hash grow: malloc failed' log messages.
490139-2 4-Minor Loading iRules from file deletes last few comment lines
487795 4-Minor Front panel Ethernet TX pause flow-control non-functional
477992-2 4-Minor Instance-specific monitor logging fails for pool members created in iApps
475896-2 4-Minor 'tmsh load /sys config from-terminal' (or from file) with a reference to an external file fails
462043-1 4-Minor DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms
418509 4-Minor Stream filter cannot match literal (
385243-1 4-Minor HSL::open irule causes Virtual Server to go green
222409-1 4-Minor The HTTP::path iRule command may return more information than expected
222034-7 4-Minor HTTP::respond in LB_FAILED with large header/body might result in truncated response
590966 5-Cosmetic When DNS server node is flapping, FQDN Template Pool Member state might not update properly.
524277 5-Cosmetic Missing power supplies issue warning message that should be just a notice message.
435044-3 5-Cosmetic Erroneous 'FIPS open failed' error on platforms without FIPS hardware


Performance Issues

ID Number Severity Description
454949-3 2-Critical AFM Optimizations to improve run-time and memory usage.
612115 3-Major Potential performance impact in APM-REWRITE configuration with large HTML content.
467018-1 3-Major On HSB platforms which don't have HW DoS, bad cksum pkts could cause perf drop


Global Traffic Manager Issues

ID Number Severity Description
663310-4 3-Major named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files
629530-3 3-Major Under certain conditions, monitors do not time out.
626141-1 3-Major DNSX Performance Graphs are not displaying Requests/sec
607316 3-Major Devices in sync group end up with differing configs after ucs restore.
602300-2 3-Major Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
595293-3 3-Major Deleting GTM links could cause gtm_add to fail on new devices.
527387-1 3-Major Timeout config settings can result in incorrect monitoring
511865-1 3-Major [GTM] GTM external monitor is not correctly synced in GTM sync group without device group
500639-2 3-Major Setting log level for ZoneRunner has no effect.
468503-1 3-Major The Update Check operation reports a different version of IP geolocation database than what is installed.
370131-2 3-Major Loading UCS with low GTM Autoconf Delay drops pool Members from config
591705 4-Minor Domain-name-strict has been deprecated, but is still present in GUI, GUI OLH, and TMSH CLI help.
514431-1 4-Minor [TMSH][GTM] Add validation for special characters like Ctrl+k for gtm object names
506423-2 4-Minor [GTM] [ZoneRunner] Silent failure when adding a resource record is not successful


Application Security Manager Issues

ID Number Severity Description
618771-2 2-Critical Some Social Security Numbers are not being masked
577668-1 2-Critical ASM Remote logger doesn't log 64 KB request.
569583-1 2-Critical Secondary Blade Rejects All Traffic after being added to the chassis
568347-2 2-Critical BD Memory corruption
526829-2 2-Critical Enable client side encoding by default in DoS Layer 7
476616-3 2-Critical Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1
657531-3 3-Major High memory usage when using the ICAP server
625832-2 3-Major A false positive modified domain cookie violation
616169-2 3-Major ASM Policy Export returns HTML error file
614441-5 3-Major False Positive for illegal method (GET)
604923-3 3-Major REST id for Signatures change after update
590851-2 3-Major "never log" IPs are still reported to AVR
579531 3-Major bd_agent and bd are suddenly restarted, while there is no traffic nor configuration being processed
576705 3-Major ASM does not start up after TMM crash on a 3600 platform
572885-2 3-Major Policy automatic learning mode changes to manual after failover
567400-2 3-Major Policy Diff/Merge Does Not Work Correctly For Session Awareness Login Pages
561595-2 3-Major Guest user cannot see Event Correlation details
540928-3 3-Major Memory leak due to unnecessary logging profile configuration updates.
535904-2 3-Major BD crashes when attempting to access a closed connection
530102-2 3-Major Illegal meta characters on XML tags -
523522-1 3-Major In a device group, installing a UCS (on any one of the peers in group) does not propagate the ASU file (that is bundled with UCS) to other peers
513787-3 3-Major CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10
510281-1 3-Major learning_manager crash
507640-1 3-Major Importing Security Policy in Binary Format Fails
506597-1 3-Major False positive cookie hijacking violation after uploading big requests
504917-1 3-Major In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed
494493-1 3-Major iControl REST for ASM Character Sets returns invalid characters (greater than 127 (0x7f) ) for Multi-Byte Encodings
456976 3-Major Web scraping/brute force may break application on IE6/IE7
427644-3 3-Major asm_config_server_rpc might crash during ASM policy sync
366605-1 3-Major response_log_size_limit does not limit the log size.
618693-2 4-Minor Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
585095 4-Minor "Auto Apply New Signatures" is unchecked when there are no policies in current partition
557508-2 4-Minor "Expect 100-continue" support
557098-1 4-Minor correlation is continuously restarted with "An instance with pid xxxx is already running" error in the ltm log
519011-2 4-Minor Auditor role: Exporting the Request Log
513887-7 4-Minor The audit logs report that there is an unsuccessful attempt to install a mysql user on the system
512836-1 4-Minor ASM REST Error When Trying To Create a Custom Manual Signature Set
512687-4 4-Minor Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal through GUI
481572-1 4-Minor Navigation parameter from POST data is not reported
567126 5-Cosmetic Inaccurate message on missing request log record in Manual Traffic Learning


Application Visibility and Reporting Issues

ID Number Severity Description
602654-3 2-Critical TMM crash when using AVR lookups
636104-4 3-Major If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
635561-3 3-Major Heavy URLs statistics are not shown after upgrade.
601536-3 3-Major Analytics load error stops load of configuration
574160-4 3-Major Publishing DNS statistics if only Global Traffic and AVR are provisioned
573764-3 3-Major In some cases, only the primary blade retains its statistics after upgrade on a multi-bladed system
565412-1 3-Major AVR reports device-level mitigation as "Device Level" and not as "Aggregated"
560114-7 3-Major Monpd is being affected by an I/O issue which makes some of its threads freeze
528406 3-Major Errors in monpd log after upgrade from version 11.5.x regarding deprecated widgets
512303-1 3-Major Install does not complete (stays at 0%) because the UCS save operation hangs while backing up the AVR database.
508341-4 3-Major Scheduled-reports are not syncing the 'first-time' value on a sync group
639395-1 4-Minor AVR does not display 'Max read latency' units.


Access Policy Manager Issues

ID Number Severity Description
637308-5 2-Critical apmd may crash when HTTP Auth agent is used in an Access Policy
632798-1 2-Critical Double-free may occur if Access initialization fails
580225-3 2-Critical WEBSSO::select may crash tmm.
571556-2 2-Critical RBA may generate a core file when shutting down
559138-2 2-Critical Linux CLI VPN client fails to establish VPN connection on Ubuntu
556774-2 2-Critical EdgeClient cannot connect through captive portal
552342-2 2-Critical APMD logging at debug level may log passwords in clear text
537227-2 2-Critical EdgeClient may crash if special Network Access configuration is used
499800-1 2-Critical Customized logout page is not displayed after logon failure
481481-1 2-Critical APM on a multi-blade chassis: on an idle machine, 'rewrite' processes can take up to half of the CPU cycles.
467059-1 2-Critical Customization GUI does not show a proper error message when modifying a customization group file created from iApps
450136-5 2-Critical Occasionally customers see chunk boundaries as part of HTTP response
446187-7 2-Critical Manual start of a BIG-IP APM service may trigger 100 percent CPU utilization.
658852-1 3-Major Empty User-Agent in iSessions requests from APM client on Windows
654513-5 3-Major APM daemon crashes when the LDAP query agent returns empty in its search results.
649613-1 3-Major Multiple UDP/TCP packets packed into one DTLS Record
645684-1 3-Major Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
638780-1 3-Major Handle 302 redirects for VMware Horizon View HTML5 client
629921-2 3-Major [SWG] NTLM 407-based front end auth and passthrough 401-based NTLM backend auth does not work.
620829-4 3-Major Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
619811-4 3-Major Machine Cert OCSP check fails with multiple Issuer CA
619486-1 3-Major Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-1 3-Major Browser may hang at APM session logout
618170-1 3-Major Some URL unwrapping functions can behave badly
615970-2 3-Major SSO logging level may cause failover
611485-4 3-Major APM AAA RADIUS server address cannot be a multicast IPv6 address.
609674-2 3-Major Machine certificate check creates issuer string with DC components in reverse order
605018-1 3-Major Citrix StoreFront integration mode with pass through authentication fails for browser access
601420-1 3-Major Possible SAML authentication loop with IE and multi-domain SSO.
597214-2 3-Major Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
583272-1 3-Major "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
574860-1 3-Major HTTP request dropped when using ACCESS::disable from iRule and a Per-Request Policy
572893-3 3-Major error "The modem (or other connecting device) is already in use or is not configured properly"
571718-2 3-Major LocalDB auth logs new password in debug log on password change
568445-3 3-Major User cannot perform endpoint check or launch VPN from Firefox on Windows 10
563503-1 3-Major Static RDP App Tunnel Resource connects to wrong backend server in some cases
563443-2 3-Major WebSSO plugin core dumps under very rare conditions.
561798-1 3-Major Windows edge client may show scripting error on certain 3rd party authentication sites
559402-1 3-Major Client initiated form based SSO fails when username and password not replaced correctly while posting the form
559159-1 3-Major [PORTAL] JavaScript errors when Application runs through Portal
557399-2 3-Major Browser could become unresponsive when page with specific script constructions is accessed through Portal Access
556088-3 3-Major In a chassis system with APM provisioned, the mcpd daemon on the secondary blade will restart.
554074-1 3-Major If the user cancels a connection attempt, there may be a delay in establishing the next connection.
553925-2 3-Major Manual upgrade of Edge Client fails in some cases on Windows
553268-2 3-Major Edge client shows "Invalid Cookies" message on third party IdP sites
552444-2 3-Major Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
547692-2 3-Major Firewall-blocked KPASSWD service does not cause domain join operation to fail
543344-1 3-Major ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
541261-2 3-Major Clientless NA fails when iRule agent is present in access policy
539018-3 3-Major TMM stack trace, when TMM is killed by the monitoring process while stuck in a loop, is always logged in the parent TMM thread log file.
531966 3-Major APM ACLs can block ICA file generation on APM Webtop
530092-1 3-Major AD/LDAP groupmapping is overencoding group names with backslashes
528424-3 3-Major IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state
528139-3 3-Major Windows 8 client may not be able to renew DHCP lease
527668-1 3-Major "Minimize to tray" option doesn't work in IE with latest updates if APM is not in Trusted Sites list
527119-3 3-Major Iframe document body could be null after iframe creation in rewritten document.
522124-3 3-Major Secondary MCPD restarts when SAML IdP or SP Connector is created
519090-1 3-Major Assigning a value to window.onerror in an empty window leads to an exception.
510802 3-Major Using ECA:metadata iRule command might cause MCPD failure.
508699-1 3-Major Import with reuse is failing if profile and resource are sharing the same name
495128-2 3-Major Safari 8 continues using proxy for network access resource in some cases when it shouldn't
489562 3-Major HTTP with NTLMSSP_NEGOTIATE message and a payload of more than 4KB causes the NTLM front end authentication to stall
477547-1 3-Major Resource Assign Agent shows javascript error
474606-1 3-Major [Flash AS3] ApplicationDomain matching fails for relative URLs
447565-3 3-Major Renewing machine-account password does not update the serviceId for associated ntlm-auth.
442532-4 3-Major Log shows "socket error: resource temporarily unavailable"
441913-6 3-Major Empty Webtop when large number of resources assigned to access policy.
440505-7 3-Major Default port should be removed from Location header value in http redirect
439330-8 3-Major Javascript: getAttribute() returns mangled event handlers
435419-5 3-Major Install of partial epsec file causes mcpd to crash, followed by multiple cores.
399732-1 3-Major SAML Error: Invalid request received from remote client is too big
369407-1 3-Major Access policy objects are created inconsistently depending on whether created using wizard or manually.
611968-1 4-Minor JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611958-1 4-Minor Sometimes wrong logon page is displayed
611327 4-Minor Using an established app tunnel may display a Java exception error message.
563651-3 4-Minor Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.
533956-1 4-Minor Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
528064-1 4-Minor GUI does not reflect connection type of "No Server" for AAA CRLDP server
516200-6 4-Minor HTML5 Receivers for Storefront 2.5 and 2.1 are not working on Google Chrome 40+
510034 4-Minor Access Policy memory is not cleared between access policy executions
469974-3 4-Minor APM New Session performance graph displays incorrect timed out/error value
439680-3 5-Cosmetic BIG-IP as SP fails to report unsupported key transport algorithms when processing encrypted assertions


WebAccelerator Issues

ID Number Severity Description
598908-3 2-Critical Passing an empty URI to AAM might cause tmm to core.
465234-3 2-Critical wamd process keeps restarting during provisioning on the BIG-IP 4000 series platforms.
621284-3 3-Major Incorrect TMSH help text for the 'max-response' RAMCACHE attribute
476460-6 4-Minor WAM Range HTTP header limited to 8 ranges
467589-2 4-Minor Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.


Wan Optimization Manager Issues

ID Number Severity Description
568795-1 3-Major Dedup Cache Refresh may fail to re-initialize WOM endpoint
499124-1 4-Minor wom_verify_config produces unnecessarily elevated messages in ltm log


Service Provider Issues

ID Number Severity Description
640407-4 2-Critical Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
639236-3 2-Critical Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
613297-1 2-Critical Default generic message routing profile settings may core
612135-1 2-Critical Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
359071-10 2-Critical The empty origin-realm in the Diameter request won't be accepted by LTM.
656811-3 3-Major Memory usage with MBLB SIP ingress buffer on standby
649933-3 3-Major Fragmented RADIUS messages may be dropped
629663-2 3-Major CGNAT SIP ALG will drop SIP INVITE
625542-4 3-Major SIP ALG with Translation fails for REGISTER refresh.
625098-1 3-Major SCTP::local_port iRule not supported in MRF events
624023-1 3-Major TMM cores in iRule when accessing a SIP header that has no value
620759-5 3-Major Persist timeout value gets truncated when added to the branch parameter.
609575-2 3-Major BIG-IP drops ACKs containing no max-forwards header
609328-1 3-Major SIP Parser incorrectly parses empty header
603019-5 3-Major Inserted SIP VIA branch parameter not unique between INVITE and ACK
598700-8 3-Major MRF SIP Bidirectional Persistence does not work with multiple virtual servers
590091-1 3-Major Single-line Via headers separated by a single comma result in the first character of the second header being stripped.
583101-1 3-Major ADAPT::result bypass after continue causes bad state transition
482082-1 3-Major Possible response truncation when using an asynchronous iRule command in ICAP_RESPONSE event
632658-2 4-Minor Enable SIP::persist command to operate during SIP_RESPONSE event
617690-2 4-Minor Enable SIP::respond iRule command to operate during MR_FAILED event
600431-2 4-Minor DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP
592780-1 4-Minor Radius AVP parsing might get out of sync on Vendor-Specific AVP iRules.
532294 5-Cosmetic Use of GTP Profile Requires Extended Protocols License


Advanced Firewall Manager Issues

ID Number Severity Description
580235 2-Critical PCCD cored when running 'bigstart restart pccd' command in v11.6.1
558088 2-Critical Expanding large objects in Security - Network Firewall - Address Lists does not work for IE
551635-2 2-Critical pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule
550926-3 2-Critical AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule
547550-3 2-Critical avrd reports incorrect stat values
631131-1 3-Major Some tmstat-adapters based reports stats are incorrect
610129-2 3-Major Config load failure when cluster management IP is not defined, but instead uses address-list.
608566-2 3-Major The reference count of NW dos log profile in tmm log is incorrect
594869-2 3-Major AFM can log DoS attack against the internal mpi interface and not the actual interface
591505-2 3-Major Policy may become unsyncable after changing contexts
590805-3 3-Major Active Rules page displays a different time zone.
564956-4 3-Major PCCD core and slow running SQL
558763 3-Major "Show All" option for large no. of security objects can cause poor performance in some browsers
556694-2 3-Major DoS Whitelist IPv6 addresses may "overmatch"
554826-2 3-Major TMM may crash with a SIGFPE panic if an AFM DOS profile is configured with Behavioral Analysis enabled
551849-3 3-Major If 1 tmm gets more than 1 Mpps then the 1m stats in dos_stats can be wrong
540054-3 3-Major tmm crash when DoS protection and behavior analysis enabled on virtual server
539687-1 3-Major No logs for Proactive Bot Defense drops.
534472 3-Major Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name.
524009-1 3-Major Incorrect parsing of abnormal request headers during DOS attacks
511819 3-Major Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name
510728-7 3-Major Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.
506452-2 3-Major Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1
497154-2 3-Major Clear schedule name when setting firewall rule state from Scheduled to Enabled/Disabled.
481725 3-Major Source Address Add field is not shown if some Source FQDN is set
478462-1 3-Major Whitelist count could increment incorrectly
426274-2 3-Major Firewall ACL Schedules may not work when configured with a daily schedule that starts before the specified start date and time
550204-3 4-Minor Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables'
504384-1 4-Minor ICMP attack thresholds
498150 4-Minor "General database error retrieving information" appears on Self Ip Security page after removing a rule and refreshing the page
496179 4-Minor Creating new Active Rule to assign policy to a VIP forces user to create rule
483093 5-Cosmetic Create button is not disabled for non-Common partition


Policy Enforcement Manager Issues

ID Number Severity Description
624744-4 2-Critical Potential crash in a multi-blade chassis during CMP state changes.
623922-1 2-Critical TMM failure in PEM while processing Service-Provider Disaggregation
622220-3 2-Critical Disruption during manipulation of PEM data with suspected flow irregularity
608009-4 2-Critical Crash: Tmm crashing when active system connections are deleted from cli
596134-5 2-Critical TMM core with PEM virtual server
542781-1 2-Critical Tmm crash observed during load testing
636633-1 3-Major DHCP: DHCP PEM sessions are not cleared (until idle timeout) after ip release from client in some cases
632721 3-Major Non-default hold time restricts multiple IP case
623037-1 3-Major Delete of PEM session attribute does not work after an update
588456-1 3-Major PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
548114-1 3-Major RAR for already deleted session returns RAA with 5012 error code
546516-1 3-Major PEM: TMM core when deleting sessions not known to the PCRF
461531-2 3-Major Content of 'Tower' column in 'Policy Enforcement/Subscribers/Active Sessions' table is displayed incorrectly.
403781 3-Major Web UI: Error when accessing PEM->Policy page by a non-admin(operator/firewall manager) user.
628869-1 4-Minor Unconditional logs seen due to the presence of a PEM iRule.
564431-1 4-Minor Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail
563262-1 4-Minor "pem classify" policy action parameters
412036 5-Cosmetic DHCP broadcast traffic will create a session if it was processed on a PEM-enabled UDP virtual


Carrier-Grade NAT Issues

ID Number Severity Description
609788-1 2-Critical PCP may pick an endpoint outside the deterministic mapping
608865-2 2-Critical CGNAT: LSN retries ignored in deterministic mode.
471835-1 2-Critical Invalid port blocks are incorrectly counted as active zombie blocks.
652400-1 3-Major During blade changes, PBA may cause a TMM restart
629871-3 3-Major FTP ALG deployment should not rewrite PASV response 464 XLAT cases
545986-1 3-Major dnatutil aborts when encountering parse errors
520682-2 3-Major In PBA mode subscribers cannot initiate more than 512 connections to the same server IP:port
510409-1 3-Major NAT64 ICMP may fail with SP DAG and a small number of IPv4 addresses.
487660-6 3-Major LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range
479260-1 3-Major FTP active mode does not work with LSN pool modes PBA and Deterministic when FTP profile port=any
457288-1 3-Major FTP active mode does not work with NAT64 and inherit enabled


Fraud Protection Services Issues

ID Number Severity Description
565616 2-Critical Keylogger Protection weakness in Internet Explorer
586457-1 3-Major Malicious words alerts are sent with missing HTML.
585094 3-Major tmm crash in FPS plugin
577697-2 3-Major WebSafe features do not support Non-UTF8 encodings.
529912 4-Minor Input Names that are configured as "Parameters" in BIG-IP and are getting encoded in special characters via the EncodedURI JavaScript function are ignored after the submission.


Global Traffic Manager (DNS) Issues

ID Number Severity Description
645615-3 2-Critical zxfrd may fail and restart after multiple failovers between blades in a chassis.
584374-1 2-Critical iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
655807-3 3-Major With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
654599-2 3-Major The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
653775-2 3-Major Ampersand (&) in GTM synchronization group name causes synchronization failure.
637227-3 3-Major DNS Validating Resolver produces inconsistent results with DNS64 configurations.
636853-1 3-Major Under some conditions, a change in the order of GTM topology records does not take effect.
636149 3-Major Multiple monitor response codes to single monitor probe failure
632423-2 3-Major DNS::query can cause tmm crash if AXFR/IXFR types specified.
628180-2 3-Major DNS Express may fail after upgrade
625671-2 3-Major The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-3 3-Major Response Policy Zones can trigger even after entry removed from zone
624193-1 3-Major Topology load balancing not working as expected
619158-4 3-Major iRule DNS request with trailing dot times out with empty response
609527-1 3-Major DNS cache local zone not properly copying recursion desired (RD) flag in response
605260-3 3-Major [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
517609-2 3-Major GTM Monitor Needs Special Escape Character Treatment
366695-7 3-Major Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed
659969-2 4-Minor tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
657961-1 4-Minor The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown
644220-2 4-Minor Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
620346 4-Minor When auto-refresh is enabled on the statistics screen for wideip / pools, it refreshes to the wrong screen.


Traffic Classification Engine Issues

ID Number Severity Description
565790 3-Major Qosmos classification result is not propagated for response-based classification.


Device Management Issues

ID Number Severity Description
582996-1 3-Major iControl REST unavailable after first boot
563144 3-Major Changing the system's admin user causes many errors in the REST framework.


iApp Technology Issues

ID Number Severity Description
569270 3-Major BIG-IQ CM 4.6 incompatible with BIG-IP 11.6.1.
508074-1 3-Major Non-admin deployment causes iApp failure

 

Known Issue details for BIG-IP v11.6.x

663326 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Component: Local Traffic Manager

Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.

Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.

Impact:
Even though the key has been stored in the HSM, the BIG-IP system cannot use it, because the stub key that must be configured on the BIG-IP system is missing.

Workaround:
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
  [default sha1] >


663310-4 : named reports "file format mismatch" after upgrading to a version with BIND 9.9.x when slave zone files are in text format

Component: Global Traffic Manager

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.

Conditions:
-- Upgrade from a BIG-IP version whose BIND is earlier than 9.9.x to a BIG-IP version with BIND 9.9.x or later.
-- Slave zone files are in text format.
-- named.conf does not set 'masterfile-format text;' in its options.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;


662881-3 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


661881-3 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. These calls do not free the memory they allocate, so each call leaks.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.


660807-1 : Clientside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
iRule parking command 'table lookup' inside clientside crashes TMM.

Conditions:
iRule parking command 'table lookup' inside clientside.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If possible, move the parking command outside clientside/serverside.


660239-2 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

Workaround:
None.


659969-2 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.


659919-3 : Verified Accept prevents persist cookie from being inserted into responses

Component: Local Traffic Manager

Symptoms:
A virtual server that has the 'Verified Accept' TCP option enabled will fail to include persistence cookies in the first response on an HTTP connection.

Conditions:
Using cookie persistence when 'Verified Accept' is enabled in the TCP profile.

Impact:
BIG-IP behavior is inconsistent in its use of persistence cookies, and it may incorrectly load-balance subsequent requests from a client when those requests are expected to carry a persist cookie that the BIG-IP system never sent.

Workaround:
Apply an iRule such as this to a virtual server with Verified Accept configured:
    when HTTP_REQUEST {
        # Bypass verified-accept handling on first request and force a LB decision / persist lookup
        if { [HTTP::request_num] == 1 } { LB::detach }
    }


659596 : bigd not rotating DNS servers when ICMP packet is not received

Component: Local Traffic Manager

Symptoms:
When the first DNS server becomes unavailable for FQDN node resolution, but no ICMP message is received, bigd does not rotate to the next DNS server. In the common case where a DNS server becomes unavailable, an ICMP message will notify bigd of server unavailability, and bigd will rotate to the next available DNS server. However, if network configuration fails to route this ICMP message back to bigd, the DNS server is assumed to remain available (and all subsequent DNS resolve operations will fail, as the DNS server is unavailable).

Conditions:
-- Multiple DNS servers are configured for FQDN resolution for 'bigd' monitors.
-- The first DNS server becomes unavailable.
-- ICMP messages are not received by 'bigd'.

Impact:
bigd continues to send FQDN node resolutions to the (now-unavailable) DNS server, which will fail to resolve (bigd will not rotate to the next configured DNS server). Existing resolved FQDN nodes and all associated monitors will continue to function normally.

Workaround:
Ensure network routes ICMP messages to bigd when the DNS server becomes unavailable.


659519-3 : Non-default header-table-size setting on HTTP2 profiles may cause issues

Component: Local Traffic Manager

Symptoms:
The HTTP/2 connection sends RST_STREAM with a PROTOCOL_ERROR in response to a HEADERS frame.

Conditions:
HTTP/2 profile configured with a header-table-size greater than 4096 (the initial SETTINGS_HEADER_TABLE_SIZE value defined in RFC 7540).

Impact:
Periodic HTTP2 connection failure to the virtual.

Workaround:
Restore the default header-table-size setting for the HTTP2 profile.


658852-1 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from the APM client on Microsoft Windows. An empty User-Agent header is not RFC compliant and causes some firewalls to block the connection, which can prevent the VPN tunnel from being established.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.


658214-3 : TCP connection fail intermittently for mirrored fastl4 virtual server

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Disable the tm.fastl4_ack_mirror db variable: tmsh modify sys db tm.fastl4_ack_mirror value disable.


657961-1 : The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown

Component: Global Traffic Manager (DNS)

Symptoms:
The edit button in the Pools section of a Wide IP create page does not place the pool name entry back into the select dropdown.

Conditions:
There must be a pool in the selected list, that pool must be highlighted when the edit button is clicked.

Impact:
The edit button does not work as intended.

Workaround:
Use the delete button and find the pool in the select dropdown to edit its ratio.


657883-3 : tmm cache resolver should not cache response with TTL=0

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.

Impact:
Answers with TTL=0 are served from the cache instead of being resolved again.

Workaround:
None.


657834-3 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Component: TMOS

Symptoms:
When OSPF is under high load and recalculating the network, a race condition can cause additional OSPF retransmissions to be sent. If SNMP traps are configured on the system, these retransmissions also generate ospfTxRetransmit traps.

Conditions:
- OSPF routing protocol configured.
- System configured to send SNMP traps.
- OSPF instability/network flaps.
- The more routes that flap, the more likely the condition is to occur.

Impact:
There is no impact on the OSPF processing itself. The additional traffic will not cause failing adjacencies or loss of routing information.
However, this may cause many additional OSPF related traps to be sent; which may cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.


657713-3 : TMM cored with SIGPFE panic string "Valid node"

Component: Local Traffic Manager

Symptoms:
With a gateway pool whose service-down action is set to reject or drop, the sweeper expires and closes all connflows when the service goes down. When the UB proxy's own timer then also triggers a close, tmm cores.

Conditions:
In a gateway pool, when action is set to reject or drop when service is down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set service-down-action to none or reselect.


657531-3 : High memory usage when using the ICAP server

Component: Application Security Manager

Symptoms:
High UMU memory when using the ICAP server.

Conditions:
-- ICAP is in use.
-- There are long requests (longer than 128 KB) that must be sent to the ICAP server.

Impact:
UMU memory goes up.

Workaround:
-- Decrease the max concurrent long requests.
-- Decrease the size for the long requests buffer size.
-- Make sure the ICAP server is up and running and responding quickly (the issue will be more visible when the ICAP server is lagging).


656811-3 : Memory usage with MBLB SIP ingress buffer on standby

Component: Service Provider

Symptoms:
Memory usage increases to high levels when the ingress-max profile setting is set to a large value.

Conditions:
Incoming SIP messages are mirrored to standby, then the flow is aborted on active.

Impact:
Degraded performance. With the built-in MBLB profile, allocations go up to 50 and stay there until the client's 'while' loop is killed and the flow is allowed to expire. With a non-default MBLB profile, allocations go as high as the ingress-max setting.

Workaround:
- Make sure there is at least one available pool member.
- Use default MBLB profile, or at least ingress-max set close to the default (50).


655807-3 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.


655767-2 : MCPD does not prevent deleting an iRule that contains in-use procedures

Component: Local Traffic Manager

Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.

MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:

    01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).

This validation does not cover procedure calls: an iRule whose procedures are called by an attached iRule can be deleted with no error. The resulting configuration subsequently fails to load (MCPD validation catches the missing iRule during a config load), and a full configuration sync fails.

Conditions:
Must be using iRules that call into other iRules.

Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.

Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.
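
Neither this entry nor 648954-3 (the load-time failure that follows such a deletion) offers a way to find procedure dependencies before an iRule is deleted. The following Python script is an added example, not part of this release note and not F5 tooling: given iRule bodies and virtual-server rule attachments (a constructed sample here; on a real system you would export them with 'tmsh list ltm rule' and 'tmsh list ltm virtual' and parse that output yourself), it builds the call graph from 'call rule::proc' references, refuses deletion of any iRule that is attached to a virtual server or whose procs are called from an in-use iRule, and reports dangling calls, which is what MCPD reports as 01020036 at load time. It assumes that procedures are referenced only through the 'call [rule::]proc' syntax; unqualified rule names are resolved in the caller's partition.

```python
import re

# Constructed sample configuration (not from the release note): three iRules, one virtual server.
IRULES = {
    "/Common/lib_auth": """
        proc check_token { tok } { return [expr {[string length $tok] > 8}] }
    """,
    "/Common/rule_uses_procs": """
        when HTTP_REQUEST {
            if { ![call lib_auth::check_token [HTTP::header X-Token]] } { reject }
        }
    """,
    "/Common/standalone": "when HTTP_REQUEST { HTTP::header insert X-Seen 1 }",
}
VIRTUALS = {"/Common/vs_http": ["/Common/rule_uses_procs"]}

# 'call rule::proc' (cross-iRule) or 'call proc' (same iRule); the rule part is optional.
CALL_RE = re.compile(r"\bcall\s+(?:(?P<rule>[^\s:\[\]]+)::)?(?P<proc>[^\s\[\]]+)")
PROC_RE = re.compile(r"^\s*proc\s+(?P<proc>\S+)", re.M)


def qualify(name, partition):
    """Unqualified iRule names resolve in the caller's partition (assumption of this script)."""
    return name if name.startswith("/") else f"{partition}/{name}"


def external_calls(rule_name, body):
    """(target_rule, proc) pairs for calls that reach into a different iRule."""
    partition = rule_name.rsplit("/", 1)[0]
    refs = set()
    for m in CALL_RE.finditer(body):
        if m.group("rule"):
            refs.add((qualify(m.group("rule"), partition), m.group("proc")))
    return refs


def callers(irules):
    """target rule -> set of rules that call one of its procs."""
    graph = {}
    for name, body in irules.items():
        for target, _ in external_calls(name, body):
            graph.setdefault(target, set()).add(name)
    return graph


def reachable_from_virtuals(irules, virtuals):
    """Rules the traffic plane depends on: attached directly or reached through calls."""
    seen, stack = set(), [r for rules in virtuals.values() for r in rules]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        for target, _ in external_calls(r, irules.get(r, "")):
            stack.append(target)
    return seen


def dangling_calls(irules):
    """Calls whose target rule or proc no longer exists (MCPD: 01020036 at load time)."""
    bad = []
    for name, body in irules.items():
        for target, proc in external_calls(name, body):
            defined = set(PROC_RE.findall(irules.get(target, "")))
            if target not in irules or proc not in defined:
                bad.append((name, target, proc))
    return sorted(bad)


def deletion_check(rule, irules, virtuals):
    """(safe, reasons). MCPD itself only enforces the direct-attachment reason."""
    reasons = []
    for vs, rules in virtuals.items():
        if rule in rules:
            reasons.append(f"attached to virtual server {vs}")
    live = reachable_from_virtuals(irules, virtuals)
    for caller in sorted(callers(irules).get(rule, ())):
        tag = "in use" if caller in live else "not attached"
        reasons.append(f"procs called from {caller} ({tag})")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name in IRULES:
        safe, why = deletion_check(name, IRULES, VIRTUALS)
        print(name, "safe to delete" if safe else "; ".join(why))
```

Run deletion_check before every 'tmsh delete ltm rule', and run dangling_calls over the full rule set after any deletion (or before a config sync) so the missing-rule error surfaces on your terminal rather than during the next load.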


655724-2 : MSRDP persistence does not work across route domains.

Component: Local Traffic Manager

Symptoms:
MSRDP persistence doesn't work with non-default route domains.

Conditions:
Configure a virtual server with a MSRDP persistence profile and a pool using a non-default route domain.

Impact:
MSRDP persistence does not work.

Workaround:
Implement MSRDP persistence using iRules.


655649-3 : BGP last update timer incorrectly resets to 0

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
                    [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
                    [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
                    [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer, the route appears under 'sh ip route' and its BGP last update timer incorrectly resets whenever the scan timer resets.

Impact:
None. This is cosmetic.

Workaround:
None.


655432-4 : SSL renegotiation failed intermittently with AES-GCM cipher

Component: Local Traffic Manager

Symptoms:
SSL renegotiation fails intermittently with an AES-GCM cipher because the IV is not updated correctly when a ChangeCipherSpec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate the client by means of renegotiation. This issue prevents their clients from connecting to those servers.

Workaround:
Disable the AES-GCM ciphers.


655211-2 : bigd crash (SIGSEGV) when running FQDN node monitors

Component: Local Traffic Manager

Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.

Conditions:
bigd is configured for FQDN node monitors.

Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.

Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.


654599-2 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The configuration contains a large number (in the thousands) of GSLB virtual servers or wide IPs, so the action does not complete.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.


654513-5 : APM daemon crashes when the LDAP query agent returns no search results.

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
APM provisioned with AD authentication setup.

Impact:
The APM daemon crashes, and RBA and WebSSO must be restarted. This issue is encountered very rarely.

Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.

Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.


654011-3 : Pool member's health monitors set to Member Specific does not display the active monitors

Component: TMOS

Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.

Conditions:
Have a pool member with Health Monitors set to Member Specific.

Impact:
The specified active monitors will be saved but won't be displayed as active.

Workaround:
Use tmsh to view a pool member's active monitors.


653888-3 : BGP advertisement-interval attribute ignored in peer group configuration

Component: TMOS

Symptoms:
BGP peer-group advertisement-interval attribute may be ignored with default settings set on individual peers belonging to the peer-group.

Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value

Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.

Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.


653775-2 : Ampersand (&) in GTM synchronization group name causes synchronization failure.

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.

Conditions:
A GTM synchronization group name with an ampersand (&) in the name.

Impact:
GTM sync groups do not synchronize.

Workaround:
Remove ampersand from sync group name.


653746-3 : Unable to display detailed CPU graphs if the number of CPU is too large

Component: Local Traffic Manager

Symptoms:
The detailed CPU graph cannot be displayed. Go to Statistics :: Performance and click 'View Detail Graph' under System CPU Usage; the graph does not display, and the system posts the message: Error trying to access the database.

Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.

Impact:
Administrator is unable to view the detail CPU graphs.

Workaround:
None.


653744 : ZebOS route-map set nexthop not being applied for neighbor outbound route-map

Component: TMOS

Symptoms:
The nexthop set by a BGP neighbor's outbound route-map is not applied.

Conditions:
Advanced routing is configured with an outbound route-map for a BGP neighbor, and the route-map has a set nexthop entry.

Impact:
An incorrect nexthop is advertised to peers when a set nexthop entry is used in a BGP neighbor outbound route-map.

Workaround:
Use global redistribute route-map instead of neighbor specific outbound route-map.


653376-3 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including an attribute that contains 32 or more extended communities.

Impact:
bgpd may crash, causing the BGP peering to reset.

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.


653137-4 : Virtual flaps when FQDN node and pool configured with autopopulate

Component: Local Traffic Manager

Symptoms:
Virtual address status flaps (RED :: BLUE :: DOWN :: UNCHECKED) when the FQDN node and pool are configured with autopopulate enabled, and the FQDN DNS response returns the same addresses.

Conditions:
-- FQDN node and pool are configured with autopopulate enabled.
-- FQDN DNS response returns the same addresses.

Impact:
The virtual server becomes unavailable, and later switches to unchecked.

Workaround:
None.


652671-3 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

Component: TMOS

Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.

Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.

Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.

Workaround:
None.


652577-3 : Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.

Conditions:
- HA pair.
- Traffic-group with a MAC set in the MAC Masquerading setting.
- Floating Self-IP using the above traffic-group.
- Make a change to the MAC Masquerading MAC address on the Active unit.
- Run a config-sync from Active to Standby.

Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.

Workaround:
Reboot or restart TMM.


652400-1 : During blade changes, PBA may cause a TMM restart

Component: Carrier-Grade NAT

Symptoms:
TMM will restart, and an ASSERT will appear in the logs that there have been too many retries.

Conditions:
-- A port block allocation configuration with very high CPU utilization.
-- The addition of a new blade.
-- Running a version earlier than 12.0.0.

Impact:
TMM will restart, so existing blocks and connections will be lost. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.


651772-1 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, whether by a host daemon, by monitors, or from the command line, may use a MAC and IPv6 source address belonging to a different VLAN.

Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that cause traffic to the destination to shift from one VLAN and gateway to another. This is typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.


651541-3 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile

Component: Local Traffic Manager

Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.

Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.

Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.

Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.


651136-3 : ReqLog profile on FTP virtual server with default profile can result in service disruption.

Component: TMOS

Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.

Conditions:
An FTP virtual server using an inheriting (default) FTP profile together with a ReqLog profile.

Impact:
Service disruption, fail-over event.

Workaround:
Create a non-inheriting FTP profile for the FTP virtual server that uses the ReqLog profile.


651005-2 : FTP data connection may use incorrect auto-lasthop settings.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, the FTP data connection may fail to use the auto-lasthop setting configured on the virtual server and instead use the value configured at the VLAN level.

Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'

(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'

With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'

(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'

Impact:
FTP data connection may fail to be established.

Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.


650292-3 : DNS transparent cache can return non-recursive results for recursive queries

Component: Local Traffic Manager

Symptoms:
If a non-recursive query is cached by the DNS transparent cache, subsequent recursive queries for the same name receive the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non-recursive responses are returned for recursive requests.

Workaround:
An iRule can be attached to the listener to disable the cache when the RD (recursion desired) bit is not set in the DNS request.
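
This entry and 657883-3 above (TTL=0 answers must not be cached) both concern what a DNS cache may legitimately key on and store. The following Python model is an added example, not F5 code and not a description of how tmm implements its cache: it builds and parses DNS messages over constructed sample data (the name www.example.com and addresses from the 192.0.2.0/24 documentation range) and implements a transparent cache that keys on (qname, qtype, qclass, RD) and refuses TTL=0, so a non-recursive answer is never replayed to a recursive client and a TTL=0 answer is always re-resolved. Answers with no RRs are treated as uncacheable, which is a simplification of this model (negative caching per RFC 2308 is out of scope).

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000   # response
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(pkt, off):
    """Decode a name at pkt[off], following compression pointers. Returns (name, end_offset)."""
    labels, jumped, end = [], False, off
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                        # pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if n == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower() + ".", end


def build_query(qname, qtype=1, rd=True, txid=0x1234):
    """Constructed client query; qtype 1 = A, class 1 = IN."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, answers, ra=True):
    """Constructed server answer: echoes the question, one A record per (ttl, ipv4) pair."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= QR | (RA if ra else 0)
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    rrs = b""
    for ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + question + rrs


def parse(pkt):
    """Header flags, the question, and answer RRs as (type, ttl, rdata)."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = read_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        _, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((rtype, ttl, pkt[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rd": bool(flags & RD), "ra": bool(flags & RA),
            "qname": qname, "qtype": qtype, "qclass": qclass, "answers": answers}


class TransparentCache:
    """Cache keyed on (qname, qtype, qclass, RD); TTL=0 answers are never stored."""

    def __init__(self):
        self._store = {}                      # key -> (expires_at, response bytes)
        self.stats = {"hit": 0, "miss": 0, "uncacheable": 0}

    @staticmethod
    def key(q):
        return (q["qname"], q["qtype"], q["qclass"], q["rd"])

    def lookup(self, query, now):
        entry = self._store.get(self.key(parse(query)))
        if entry and entry[0] > now:
            self.stats["hit"] += 1
            return query[:2] + entry[1][2:]   # replay under the new client's transaction ID
        self.stats["miss"] += 1
        return None

    def store(self, query, response, now):
        ttl = min((ttl for _, ttl, _ in parse(response)["answers"]), default=0)
        if ttl == 0:                           # RFC 1035: a zero TTL means do not cache
            self.stats["uncacheable"] += 1
            return False
        self._store[self.key(parse(query))] = (now + ttl, response)
        return True
```

The RD bit lives in the key rather than being checked at lookup time so that a recursive client can never be served an answer that was produced without recursion; the minimum TTL across the answer section is what bounds the entry's lifetime, which is also the value the cache must refuse when it is zero.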


650019-3 : The commented-out sample functions in audit_forwarder.tcl are incorrect

Component: TMOS

Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.

Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.

Impact:
The Transform function may not work if the examples are followed.

Workaround:
Use the default Transform function as a starting point instead of one of the examples.


650002-3 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.


649933-3 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.


649613-1 : Multiple UDP/TCP packets packed into one DTLS Record

Component: Access Policy Manager

Symptoms:
The system converts the packets provided by the server into PPP buffers, and these PPP packets are packed into DTLS records. Currently the DTLS record limit is about 14 KB, so the system can pack multiple PPP packets into one DTLS record.

However, creating a bigger DTLS record can cause IP fragmentation on the server side. In a lossy environment, losing a single IP fragment causes the complete DTLS record to be lost, resulting in poor performance.

Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.

Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.

Workaround:
None.


648954-3 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:

    01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

The error references an iRule that previously existed but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).


648873-2 : Traffic-group failover-objects cannot be retrieved via iControl REST

Component: TMOS

Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].

(The ... represents the data that was presented as a list property.)

Conditions:
Trying to use iControl REST to get the failover-objects associated with floating traffic-groups.

Impact:
No access to the list of failover-objects associated with a specific floating traffic-group via the iControl REST interface.

Workaround:
Use a different user interface (tmsh or GUI).


648621-2 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
The multi-homing connections have been forcibly deleted using a tmsh command.

Impact:
The multi-homing connections will not expire.

Workaround:
Do not manually delete the multi-homing connections.


648544-4 : HSB transmitter failure may occur when global COS queues enabled

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues are enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs, the BIG-IP system reboots.

Workaround:
Do not use global COS queues.


648320-1 : Downloading via APM tunnels could experience performance downgrade.

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When the packet size is too large, fragmentation is possible at the IP layer. This causes a high number of packet drops and therefore degraded performance.

Conditions:
When downloading using APM tunnels.

Impact:
A high number of packet drops and inferior performance.

Workaround:
None.


648316 : Flows using DEFLATE decompression can generate an error message during flow tear-down.

Component: TMOS

Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:

  Zip engine ctx eviction (comp_code=4): ctx dropped.

Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.

Impact:
False errors can appear:
  o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
  o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.

Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.

Workaround:
Disable hardware acceleration.


648271-1 : vCMP guest is unable to install a hotfix for block-device-images

Component: TMOS

Symptoms:
If a partial Hotfix image file is on the BIG-IP, a vCMP guest may attempt to install that improper image file, since the guest does not have access to an MD5 checksum verification.

Conditions:
vCMP guest trying to install a hotfix image.

block-device-image installation started in the vCMP guest.

Installing a hotfix when both a "good" hotfix image file and "bad" hotfix image file exist on the system.

Impact:
Software installations might fail on vCMP guests with a confusing error.

Workaround:
Remove the corrupt image files from the BIG-IP.


648037-3 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.


647944-3 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.


647868 : bigd monitor stuck in fqdn-checking when DNS server unreliable

Component: Local Traffic Manager

Symptoms:
FQDN monitors may be stuck in the status 'fqdn-checking' in environments with an unreliable DNS server, such as when DNS queries frequently time out.

Conditions:
FQDN monitors are configured; and the DNS server used to resolve FQDN nodes is intermittently available, leading to occasional timeouts to bigd from DNS queries.

Impact:
FQDN monitor status remains in 'fqdn-checking', even after the DNS server again becomes available. Monitors may eventually become "un-stuck", and monitors will (correctly) reset upon system restart.

Workaround:
Although there is no workaround, FQDN monitors are not recommended for use in environments where DNS servers are unreliable.


647834-3 : Failover DB variables do not correctly implement 'reset-to-default'

Component: TMOS

Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.

Conditions:
This is known to affect at least the following failover-related DB variables:

log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary

Impact:
The configuration change does not take effect.

Workaround:
Explicitly set the DB variable to the desired value.


647812-2 : /tmp/wccp.log file grows unbounded

Component: TMOS

Symptoms:
WCCP uses /tmp/wccp.log as output for diagnostic information, independent of log level or db key. This file can grow unbounded if no WCCP packets are ever sent. If packets are sent, the file is cleaned up automatically.

Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.

Impact:
/tmp/wccp.log grows unbounded, filling up the disk.


647757-1 : RATE-SHAPER:Fred not properly initialized may halt traffic

Component: Local Traffic Manager

Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.

Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.

Impact:
Traffic is halted.

Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value 9999 instead of the default 0.
-- Use RED as the drop policy instead of fred.


647165 : A monitor may unexpectedly transition from up to down and back to up.

Component: Local Traffic Manager

Symptoms:
A pool member or node monitor may unexpectedly transition from up to down and back to up even though the pool member or node has not failed.

Conditions:
One or more of FTP, IMAP, POP3 or SMTP monitors are in use. This might also occur with monitor types other than those listed.

Impact:
Unexpected monitor flapping even though the monitored object has not failed.

Workaround:
None.


647071-3 : Stats for SNATs do not work when configured in a non-zero route domain

Component: Local Traffic Manager

Symptoms:
When a SNAT is created in a route domain other than 0, the command 'tmsh show ltm snat' does not report any statistics.

Conditions:
This occurs on all SNATs in a route domain other than 0.

Impact:
No statistics for the SNATs.

Workaround:
None.


646643-3 : HA Standby Virtual Server with a lasthop pool may crash.

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with a lasthop pool may crash.

Conditions:
HA Standby Virtual Server is configured with a lasthop pool.
It receives more than 2 billion connections (the maximum value of a 32-bit integer).

Impact:
tmm on the next-active device crashes. The Active device isn't affected.

Workaround:
None.


646604-3 : Client connection may hang when NTLM and OneConnect profiles used together

Component: Local Traffic Manager

Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.

Impact:
A client connection will not be serviced and TMM memory will leak. Over a long period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller will not be pooled, but all other features are retained.


646603 : LDAP search-timeout setting is not effective

Component: TMOS

Symptoms:
With LDAP remote auth, the LDAP search does not time out when search-timeout is set.

Conditions:
-- Remote authentication configured with LDAP or Active Directory.
-- Search-timeout is set to some finite value.

Impact:
Login may be slow to fail when there is a problem with the LDAP server.

Workaround:
None.


646388-3 : TMM crash when moving to standby

Component: TMOS

Symptoms:
During the active-to-standby transition while passing traffic, tmm crashes.

Conditions:
This can occur intermittently on the transition from active to standby. It is not known exactly what configuration causes this to occur.

Impact:
tmm crashes on the standby, then restarts.


645684-1 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript 3 application components are loaded into an incorrect ApplicationDomain, and in some rare cases this may cause errors in the application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None.


645635-3 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, units configured with sFlow may incorrectly use 0.0.0.0 as the Agent Address.

Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sFlow configured.

Impact:
sFlow may incorrectly use 0.0.0.0 as the Agent Address.

Workaround:
Possible workarounds (either):
 - Use larger guests (more than 2 cores).
 - Configure cluster blade IP addresses.


645615-3 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.


645589-1 : Password-less ssh access lost for non-admin users after tmsh load sys ucs

Component: TMOS

Symptoms:
During the UCS load, the $HOME/.ssh/authorized_keys file is moved to /etc/ssh/<user> and a symbolic link pointing to that file is placed in $HOME/.ssh, so that the ownership changes made by the UCS load do not break password-less SSH access to the BIG-IP. The problem is that the /etc/ssh/<user> directory has no group or other read permissions, so non-admin users cannot read the file; password-less access is therefore denied and a password is requested.

Conditions:
Always happens, as the permissions for /etc/ssh/<user> are 0700 (user read-write-execute only) and it is owned by root.

Impact:
Non-admin users lose password-less access to their BIG-IP after tmsh load sys ucs.

Workaround:
An admin user needs to manually change the permissions on /etc/ssh and /etc/ssh/<user> to 0755.

A non-admin user has no such capability and thus has no workaround.


645197-2 : Monitors receiving unique HTTP "success" response codes may stop monitoring after status change

Component: Local Traffic Manager

Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) will accumulate in the monitor history; upon monitor status change (such as to "fail"), this history is sent (from 'bigd' to 'mcpd') to indicate that monitor's new-status, plus historical context. This history may grow too large if no monitor status is detected for an extended time (such as days or weeks) when unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from "success" to "fail"), notification from 'bigd' to 'mcpd' will fail due to this too-large history, resulting in the monitor remaining in its previous state (i.e., "success"). 'bigd' properly records the monitor status and continues to monitor; but 'mcpd' was not notified of that status change (due to message-send failure from the history being too large).

This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating "success"), as 'bigd' will elide/merge the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (for example, by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history will continue to grow for that monitor until a status-change is detected.

Conditions:
Web server returns unique HTTP/1.1 200 (success) codes; and success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from "success" to "fail").

Impact:
The monitor will remain in the "success" state, as the status-change will be "lost" ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.

Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes; thus, receiving the same return-code will elide/merge with previously accumulated values in the monitor history.


645179-3 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30s after an uptime of 331.40 days.

The amount of time that is required to trigger this issue is dependent on the number of traffic groups. The more traffic groups, the shorter amount of uptime required to encounter this issue.

For example:

For 7 traffic groups it would take ~710 days.
For 15 traffic groups it would take ~331 days.

Conditions:
Two or more BIG-IPs defined in a device group for sync/failover.
There are multiple traffic groups configured.
The BIG-IPs have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

You would have to reboot all the BIG-IPs in the device group periodically; the required interval depends on the number of traffic groups.


645058-1 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.


645036-2 : Removing pool from virtual server does not update its status

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.


644979-3 : Errors not logged from hourly 1k key generation cron job

Component: TMOS

Symptoms:
Errors from the hourly 1024-bit (1k) ephemeral key generation cron job are not logged as intended.

Conditions:
This occurs during hourly generation of ephemeral keys.

Impact:
Errors from the hourly 1k key generation cron job are not logged, and hourly generation of ephemeral keys fails.

Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.


644873-1 : ssldump can fail to decrypt captures with certain TCP segmenting

Component: Local Traffic Manager

Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.

The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data

Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.

Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.

Workaround:
None.


644484-1 : Inconsistent behavior between CLI and GUI for remote auth user passwords

Component: TMOS

Symptoms:
If you have remote authentication configured you cannot set a password when creating a user, which is expected, as you are only setting privilege levels for remote users. In TMSH however you can set a password, though it is ignored.

Conditions:
This is seen when remote auth is enabled, and you try to create a user via tmsh.

Impact:
The password can be specified, but it is ignored, and there is no warning that it is ignored.


644220-2 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configurations of Self IPs, GTM Servers, GTM Links and LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.


644184-1 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Component: TMOS

Symptoms:
ZebOS daemons hang while the AgentX SNMP daemon is waiting for an external script to return.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP calls an external script that takes several moments to return.

Impact:
Dynamic routing may be halted for as long as the AgentX daemon is waiting for the external script to return.

Workaround:
Do not configure AgentX to call external scripts that take several moments to return.


643860-3 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly

Component: Local Traffic Manager

Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:

-- In /var/log/tmm:
  notice MCP connection expired early in startup; retrying.

-- In /var/log/ltm:
  mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.

Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.

Impact:
The TMM processes will restart and fail to come up properly.

Workaround:
To recover, reboot the system.

Note: Do not perform file open operations on /dev/vnic. There is no need to.


643799-2 : Deleting a partition may cause a sync validation error

Component: TMOS

Symptoms:
Deleting a partition may cause the sync to peers to fail.

For example, on BIG-IP1:

tmsh delete auth partition P1
tmsh show cm sync-status
     Sync Summary
     Status Sync Failed
     Summary A validation error occurred while syncing to a remote device
     Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)

Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.

Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.

Impact:
The sync of this change may fail on peers.

Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.


643777-3 : LTM policies with more than one IP address in TCP address match may fail

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match. Note: the datagroup option is available only in 13.0.0 and later.


643631-1 : Server side connections on virtuals using VDI may become zombies.

Component: Local Traffic Manager

Symptoms:
Listing connections with "tmsh show sys connections all" will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.

Conditions:
VDI is configured on the affected virtual.

Impact:
Zombie connections consume memory which cannot be reclaimed.


643582-1 : Config load with large ssl profile configuration may cause tmm restart

Component: Local Traffic Manager

Symptoms:
When doing a config load with a large number of SSL profiles, tmm may become busy enough that its TCP connection to mcpd goes down, which causes tmm to restart.

Conditions:
Doing a full config load with a large number of SSL profiles.

Impact:
Possible tmm restart.

Workaround:
Performing an incremental sync of changes can avoid this issue.


643459-2 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a reverse proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, because the reverse proxy's IP address or hostname is in the Referer header instead of that of the BIG-IP.

Conditions:
You are accessing the BIG-IP Configuration Utility through a reverse proxy.

Impact:
You are unable to log in to the Configuration Utility.

Workaround:
Configure the reverse proxy to place the IP address of the BIG-IP in the Referer header.


643210-1 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the deletion of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.


643041-2 : Less than optimal interaction between OneConnect and proxy MSS

Component: Local Traffic Manager

Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.

Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.

Impact:
Decreased throughput, possible congestion due to small segments.

Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.


642923-3 : MCP misses its heartbeat (and is killed by sod) if there are a large amount of file objects on the system

Component: TMOS

Symptoms:
MCP may time out and be killed by sod, causing mcpd to restart.

Conditions:
There are a large number (tens of thousands) of file objects configured, such as SSL keys and certificates, and the configuration is loaded.

Impact:
The system will restart.

Workaround:
Reduce the number of file objects configured.


642422-3 : BFD may not remove dependent static routes when peer sends BFD Admin-Down

Component: TMOS

Symptoms:
As a result of a known issue, the BFD feature used in a dynamic routing configuration may not remove static routes that are configured to depend on the liveness of the BFD peer.

Conditions:
- BFD configured and up.
- Static route configured and dependent on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.

Impact:
The static route may not be removed when the peer sets the BFD session to admin-down, and traffic may still be routed over it.


642400-1 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS on the path. Alternatively, disable Path MTU discovery with the tm.pathmtudiscovery database key.


641543 : bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.

Component: TMOS

Symptoms:
If you have a custom bind-timeout value set for ldap system-auth, the custom value is honored for anonymous users but is ignored for explicit users.

Conditions:
ldap auth configured for remote authentication, and a custom bind timeout value is specified.

Impact:
The default timeout value of 10 seconds will be enforced for ldap auth.

Workaround:
None.


641512-3 : DNSSEC key generations fail with lots of invalid SSL traffic

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can be rolled over periodically. When the BIG-IP is handling a lot of SSL traffic with invalid certificates, this rollover fails, leaving no keys to sign DNSSEC responses (no RRSIG records).

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover, and the certificate path queues an error (situations include, but are not limited to, large amounts of SSL traffic with invalid certificates).

Impact:
New DNSSEC key generations fail to be accepted by TMM, so that when the prior generation expires there is no valid key to sign DNSSEC responses.

Workaround:
Restart the TMM after the new key generation is created.


641450-1 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Subsequent configuration loads fail.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use profiles replace-all-with to set the new profile list instead of deleting and re-adding profiles.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.
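
The three-call workaround above, expressed as iControl REST requests, as an added example that is not part of these release notes or F5's code. Endpoint paths and the ~Partition~name URL encoding are standard iControl REST; the virtual server name, destination, profile names and the send transport are placeholders to replace for your device.

```python
# Added example (not F5 code): the three separate iControl REST calls the
# notes give as the workaround, built as data and sent one at a time with
# no transaction header. Endpoint paths follow iControl REST conventions;
# partition, virtual name, destination and profile names are placeholders,
# and 'send' is whatever HTTP transport you bind in.
import json
from typing import Callable, Dict, List, NamedTuple, Optional


class RestCall(NamedTuple):
    method: str
    path: str
    body: Optional[Dict]


def virtual_path(partition: str, name: str) -> str:
    # iControl REST writes the full path /Partition/name as ~Partition~name.
    return f"/mgmt/tm/ltm/virtual/~{partition}~{name}"


def plan_recreate_virtual(partition: str, name: str, destination: str,
                          profiles: List[str],
                          extra: Optional[Dict] = None) -> List[RestCall]:
    """DELETE the virtual, POST it back with an empty profile list, then PATCH
    the wanted profiles on. Folding these into one transaction is what the
    notes say leaves TMM with an incomplete hud chain."""
    create: Dict = {"name": name, "partition": partition,
                    "destination": destination, "profiles": []}
    create.update(extra or {})
    return [
        RestCall("DELETE", virtual_path(partition, name), None),
        RestCall("POST", "/mgmt/tm/ltm/virtual", create),
        RestCall("PATCH", virtual_path(partition, name),
                 {"profiles": [{"name": p} for p in profiles]}),
    ]


def apply_plan(plan: List[RestCall],
               send: Callable[[str, str, Optional[str]], int]) -> List[int]:
    """Issue the calls in order through send(method, path, json_body) -> HTTP
    status. Each call must succeed before the next is sent; a 404 on the
    initial DELETE just means the virtual was already gone."""
    statuses = []
    for call in plan:
        body = None if call.body is None else json.dumps(call.body)
        status = send(call.method, call.path, body)
        ok = status in (200, 201, 204) or (call.method == "DELETE" and status == 404)
        if not ok:
            raise RuntimeError(f"{call.method} {call.path} returned HTTP {status}")
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    # Dry run: print the calls instead of sending them.
    def show(method: str, path: str, body: Optional[str]) -> int:
        print(method, path, body or "")
        return 200
    apply_plan(plan_recreate_virtual("Common", "vs_icr_test",
                                     "/Common/10.1.1.10:80", ["tcp", "http"]), show)
```

To run it against a device, bind send to a requests.Session carrying the admin credentials and the https://<management-address> prefix, and keep each call as its own request: adding the X-F5-REST-Coordination-Id header would put the calls back into one transaction, which is the condition that triggers this issue.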


641390-4 : Backslash removal in LTM monitors after upgrade

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
This can occur on upgrade when an LTM monitor (and only an LTM monitor) contains specific backslash escaping. Example:

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor will fail to load.

Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.


640565-3 : Incorrect packet size sent to clone pool member

Component: Local Traffic Manager

Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.

Conditions:
Clone pool is configured on a virtual server.

Impact:
Clone pool members may get traffic exceeding the link MTU.

Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable


640416 : tmsh command hangs when trust peer is deleted.

Component: TMOS

Symptoms:
When using tmsh to delete a peer, the command hangs, requiring you to press Ctrl-C to exit the command.

Conditions:
Using tmsh to remove a peer device from the trust group with incorrect arguments. For example:

modify cm trust-domain Root ca-devices delete { 10.1.1.100 } name bigip.example.com

Impact:
The tmsh command will hang.

Workaround:
Use the correct syntax and arguments for the command:

modify cm trust-domain Root ca-devices delete { device-name }

Or you can use the GUI to remove devices from a trust group.


640407-4 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule command to get or set state during CLIENT_CLOSED iRule event.


640376-1 : STPD leaks memory on 2000/4000/i2000/i4000 series

Component: Local Traffic Manager

Symptoms:
The STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs grows in physical memory usage indefinitely as long as its role in the spanning tree results in sending BPDU packets. Memory growth is faster the more interfaces are sending BPDUs.

Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. Memory can be seen to increase when tracking with Linux top commands.

ex. top -b -n 1 | grep stpd

The 5th and 6th columns 'VIRT' and 'RES' slowly increase over time, indicating the memory leak.

Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.

Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured so that the affected platforms do not generate BPDUs. This can be done by choosing a root such that the affected platforms' interfaces are in blocking mode or, if possible, in pass-through mode.
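
A way to turn the top-based check above into a detection: an added example, not part of the release notes, that parses successive 'top -b -n 1 | grep stpd' rows and reports whether RES only ever grows for the same stpd PID. The sample rows, the PID and the sizes are constructed; the 1 MiB growth threshold is an arbitrary default.

```python
# Added example (not F5 code): parse successive 'top -b -n 1 | grep stpd'
# samples and flag the steadily growing RES column the notes describe.
# The sample rows below are constructed; the PID and sizes are made up.
import re
from typing import List, NamedTuple


class ProcSample(NamedTuple):
    pid: int
    virt_kib: int
    res_kib: int
    command: str


# top prints VIRT/RES in KiB and switches to m/g/t suffixes for large values.
_UNITS = {"": 1, "k": 1, "m": 1024, "g": 1024 ** 2, "t": 1024 ** 3}


def size_to_kib(field: str) -> int:
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmgt]?)", field.lower())
    if not m:
        raise ValueError(f"bad top size field: {field!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_top_line(line: str) -> ProcSample:
    """One process row: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND."""
    f = line.split()
    if len(f) < 12:
        raise ValueError(f"not a top process row: {line!r}")
    return ProcSample(int(f[0]), size_to_kib(f[4]), size_to_kib(f[5]), f[11])


def res_growth_kib(samples: List[ProcSample]) -> int:
    return samples[-1].res_kib - samples[0].res_kib


def looks_like_leak(samples: List[ProcSample], min_growth_kib: int = 1024) -> bool:
    """True when the same PID's RES never shrinks between samples and grows by
    more than min_growth_kib overall. Fewer than three samples, or a PID change
    (stpd restarted), is treated as inconclusive."""
    if len(samples) < 3 or len({s.pid for s in samples}) != 1:
        return False
    never_shrinks = all(b.res_kib >= a.res_kib for a, b in zip(samples, samples[1:]))
    return never_shrinks and res_growth_kib(samples) > min_growth_kib


# Constructed output of four hourly runs of: top -b -n 1 | grep stpd
STPD_SAMPLES = [
    "4821 root      20   0  184m  41m 8120 S  0.0  0.5   2:01.33 stpd",
    "4821 root      20   0  196m  53m 8120 S  0.0  0.7   2:48.10 stpd",
    "4821 root      20   0  208m  65m 8120 S  0.0  0.8   3:35.92 stpd",
    "4821 root      20   0  221m  78m 8120 S  0.0  1.0   4:22.07 stpd",
]


def check_stpd(lines: List[str] = STPD_SAMPLES) -> bool:
    return looks_like_leak([parse_top_line(l) for l in lines])


if __name__ == "__main__":
    print("stpd RES growth looks like a leak:", check_stpd())
```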


640369-3 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.

Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan

TMM may respond directly using the auto-lasthop feature and not via the route lookup.

Impact:
Traffic may not follow the expected path.


639774-4 : mysqld.err rollover log files are not collected by qkview

Component: TMOS

Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview, and without the truncation rules normally applied to log files. The rotated files (mysqld.err.1, mysqld.err.2.gz, etc.) are not collected at all.

Conditions:
This occurs when generating a qkview.

Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.

Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.


639744-2 : Memory leak in STREAM::expression iRule

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.


639575-4 : Using libtar with files larger than 2 GB will create an unusable tarball

Component: TMOS

Symptoms:
Programs such as qkview will create a .tar file (tarball) using libtar and if any of the files collected is greater than 2 GB, the output tar file cannot be read by /bin/tar.

Conditions:
The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.

Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be a zero-length file. Alternatively, the offending file that is greater than 2 GB must be removed from the system prior to running qkview or other program that uses libtar.


639395-1 : AVR does not display 'Max read latency' units.

Component: Application Visibility and Reporting

Symptoms:
AVR does not display 'Max read latency' units.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.


639236-3 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain a Contact header with an expires value of 0 that is not the last attribute.

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
REGISTER is rejected with a '400 Bad request' error message.

Workaround:
None.
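
A Contact header parser that accepts expires=0 in any position, added here as an example of the behaviour the parser should have; it is not F5's code. The first header is the one quoted above, the other inputs are constructed.

```python
# Added example (not F5 code): a Contact header parser that treats
# 'expires=0' as a de-registration wherever it appears among the header
# parameters. The first header in the demo is the one from the notes; the
# rest of the inputs are constructed.
from typing import Dict, List, NamedTuple, Optional


class Contact(NamedTuple):
    uri: str
    params: Dict[str, Optional[str]]   # lower-cased name -> value, None for a bare flag


def _split_params(value: str) -> List[str]:
    """Split on ';' only when outside <...> and outside double quotes, so
    URI parameters and quoted display names are never mistaken for header
    parameters."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            depth += 1
        elif not quoted and ch == ">":
            depth -= 1
        if ch == ";" and depth == 0 and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_contact(header: str) -> Contact:
    value = header.strip()
    if value.lower().startswith("contact:"):
        value = value.split(":", 1)[1].strip()
    parts = _split_params(value)
    addr = parts[0].strip()
    uri = addr[addr.index("<") + 1:addr.rindex(">")] if "<" in addr else addr
    params: Dict[str, Optional[str]] = {}
    for raw in parts[1:]:
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        params[name.strip().lower()] = val.strip() if sep else None
    return Contact(uri, params)


def requested_expires(header: str, default: int = 3600) -> int:
    """Lifetime the REGISTER asks for this binding. RFC 3261 puts no order on
    header parameters, so expires=0 (remove the binding) must be honoured
    whether or not it is the last parameter."""
    value = parse_contact(header).params.get("expires")
    return default if value is None else int(value)


if __name__ == "__main__":
    h = "Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1"
    print(parse_contact(h), requested_expires(h))
```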


639039-3 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons

Component: Local Traffic Manager

Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.

Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.

Impact:
Dynamic routing information is lost and must be relearned.

Workaround:
When using dynamic routing, only change the host name during a maintenance window.


638935-2 : Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: TMOS

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where a monitor string contains \" (backslash double-quote) but does not contain any of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.


638780-1 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting with v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions, and supports a 302 redirect from the old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.

Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}


638696 : DORA process fails when using "table" iRule command on DHCP virtual server in Relay Mode

Component: Local Traffic Manager

Symptoms:
DORA process fails when using "table" iRule command on DHCP virtual server in Relay Mode.

Conditions:
1) Configure the DHCP proxy in Relay mode.
2) Configure an iRule that uses the "table" command and attach it to the DHCP listener.
3) Run the DHCP DORA process through the DHCP proxy.

Impact:
The DORA process fails.

Workaround:
Do not use "table" command in iRule.


638091-3 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

     01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic as they restart

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.


638089 : LACP and CMP state simultaneous fail on A112 and A113 platform

Component: TMOS

Symptoms:
An internal traffic stoppage occurs and causes LACP ACTIVE trunk members to go down, and CMP state changes for the HOST and VCMP guests (if configured) on the impacted blade. The tmctl detailed statistics show sustained TX pause generated by HSB on one or more links and matching RX Pause received in interface_stat (on 4.1, 4.2, 4.3).

Conditions:
This happens when an internal FPGA device enters a bad state under heavy traffic load. The root cause is still under investigation. It happens extremely rarely.

Impact:
Traffic no longer functions on the blade where stoppage occurs.

Workaround:
Reboot blade.


637613-2 : Cluster blade being disabled immediately returns to enabled/green

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.


637308-5 : apmd may crash when HTTP Auth agent is used in an Access Policy

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.


637227-3 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.

A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.

Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.

Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.

Workaround:
None.


637181-3 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.


636853-1 : Under some conditions, a change in the order of GTM topology records does not take effect.

Component: Global Traffic Manager (DNS)

Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.

Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.

Impact:
In certain configurations, the topology load balancing decision may not be made correctly.

Workaround:
Reload the GTM configuration or add/delete a topology record.


636823-2 : Node name and node address

Component: TMOS

Symptoms:
If you create a node with a name that is an IP address but the IP address is different than the name, it can produce an error when adding the node to a pool.

Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1

Impact:
When you attempt to add the node to a pool, an error will occur:

Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1

Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.


636633-1 : DHCP: DHCP PEM sessions are not cleared (until idle timeout) after ip release from client in some cases

Component: Policy Enforcement Manager

Symptoms:
In some scenarios, DHCP IP release messages received by the BIG-IP do not trigger the removal of the corresponding PEM sessions from sessionDB. These sessions are removed only after the idle timeout.

Conditions:
1) Run the DHCP DORA process to create PEM sessions via DHCP (relay or forwarding mode).
2) Wait for some time (1-2 minutes).
3) Send a DHCP renewal message to the BIG-IP.
4) Send a DHCP release message to the BIG-IP.
5) Check sessionDB to see whether the corresponding PEM session is deleted.

The problem only happens if the DHCP renewal/release did arrive at the tmm where sessionDB is located.

Impact:
Session deletion does not happen immediately. Clients do not typically send DHCP release, however, so the chance of this happening in real-world environments is small.

Workaround:
1)Delete PEM session manually or
2)Wait for PEM session to timeout


636348-1 : BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.

Component: Local Traffic Manager

Symptoms:
In the /var/log/ltm file you may observe an error message similar to the following example

01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.

Conditions:
This issue occurs when all the following conditions are met:

-You have multiple BIG-IP systems in a High Availability (HA) configuration.
-You have configured System Gateway Failsafe
-You reset device trust
-You attempt to reload the configuration or reboot the device before recreating the device trust

Impact:
Configuration may fail to load

Workaround:
Remove Gateway Failsafe before resetting device trust


636149 : Multiple monitor response codes to single monitor probe failure

Component: Global Traffic Manager (DNS)

Symptoms:
A monitor probe failure to an external monitor (such as HTTP) is logged by 'bigd' to '/var/log/ltm' when the probed resource is unavailable. In some cases, for a probe resulting in an 'Unable to connect' error, multiple log entries are made, with the *last* entry being the error that triggered the logging. The other entries made during this event are not relevant: they are 'stale' messages from previous probe failures that were already logged.

This is due to an error where the 'Could not connect' event appends a previous error message, rather than overwriting a possibly-present previous error message.

Conditions:
A monitor probe to an external monitor is attempted (such as over HTTP), resulting in an "Unable to connect" failure; and where that specific monitor previously reported an error (which is now appended).

Impact:
No system behavior is affected, but multiple log entries are made. The *final* log entry of "Could not connect" or "Unable to connect" is relevant, while the possible multiple log entries immediately above are "stale" and not relevant (as they are due to a previous issue that was previously successfully logged).

Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last line of the '/var/log/ltm' log entry, and ignore any entries for that monitor that appear immediately above the 'Could not connect' line.


636104-4 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.

Component: Application Visibility and Reporting

Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.

Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.

Impact:
Not seeing the pool member under the HTTP "pool" dimension.

Workaround:
You can define a temporary pool member with the port that is actually being used (e.g., 80) and delete it afterwards. Once defined, the member is stored in the DB and is shown from that point on. This is a partial workaround, since it must be repeated for every port used in traffic.


636031-3 : GUI LTM Monitor Configuration String adding CR for type Oracle

Component: TMOS

Symptoms:
If the value entered in the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.

Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.

Impact:
The /config/bigip.conf file contains CR characters in the file.

Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.


635971-1 : Cookie persistence to an offline pool member results in a connection failure.

Component: Local Traffic Manager

Symptoms:
Cookie persistence to an offline pool member results in a connection failure

Conditions:
Cookie persistence is configured.
The selected pool member is marked offline, either by monitoring or explicitly.

Impact:
No user connectivity.

Workaround:
Delete the persistence record, either manually or from an iRule.


635561-3 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to newer version

Impact:
Missing statistics.

Workaround:
None.


634371-3 : Cisco ethernet NIC driver

Component: TMOS

Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67

Conditions:
N/A

Impact:
Cisco recommends using the updated version 2.3.0.12


634259 : IP tuple nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
IP tuple nexthop object can be freed while still referenced by another structure.

Conditions:
Using LSN.

Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.

Workaround:
None.


634014-2 : Absolute timers may fire one second early during the leap second event

Component: TMOS

Symptoms:
Absolute timers that expire at midnight UTC may fire one second early when the leap second is inserted.

Conditions:
This occurs if an absolute timer is used to trigger a task, and the leap second occurs during the timer window. For example if an absolute timer of 60 seconds is scheduled and the leap second event occurs midway through that interval, the event will appear to fire one second earlier than expected.

Impact:
Impact to applications unknown. The system stays stable, and a timer may be fired off earlier than expected

Workaround:
None.


633824-3 : Cannot add pool members containing a colon in the node name

Component: TMOS

Symptoms:
You are allowed to create nodes whose name contains a colon. If you later try to add such a named node (e.g., 10.1.20.10:80) to a pool, adding it fails with an error similar to the following:

0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).

Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon in it

Impact:
You are unable to add the node to the pool and will get a validation error.

Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.


633512-2 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.


633465 : Curl cannot be forced to use TLSv1.0 or TLSv1.1

Component: TMOS

Symptoms:
Curl fails when connecting to server that does not accept TLSv1.1 or TLSv1.2 handshakes. This occurs even if the "--tlsv1.0" or "--tlsv1.1" options to the curl command are used.

Conditions:
Curl is used to attempt to connect to a server that does not understand TLSv1.1 and/or TLSv1.2 handshakes. This occurs when using software v11.5.4 HF2 or v11.6.1 HF1.

Impact:
Curl will fail.

Workaround:
Use "curl-apd" rather than "curl". curl-apd does not currently implement TLSv1.1 or TLSv1.2.


633110-1 : Literal tab character in monitor send/receive string causes config load failure, unknown property

Component: TMOS

Symptoms:
BIG-IP allows you to paste monitor send or receive strings that contain tabs, but the tabs are not quoted when the string is saved to the configuration. This causes the configuration load to fail with this error signature:

Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property

Conditions:
This can occur if you copy/paste a monitor send or receive string and paste it into the send/recv string field in tmsh or the GUI.

Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.

Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.
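
This entry, 638935 and 641390 above all come down to monitor strings that tmsh saves in a form the next load cannot parse. The following added example (not from the release notes or F5) scans a bigip.conf excerpt for the three conditions before an upgrade. The excerpt is constructed; the conditions for the \" and tab cases are the ones stated in those entries, while the backslash-escaping pattern is an assumption based on the 641390 example.

```python
# Added example (not F5 code): a pre-upgrade scan of bigip.conf for the LTM
# monitor string patterns the notes say fail to load after upgrade
# (641390 backslash escaping, 638935 \" without a quote-forcing character,
# 633110 literal tab). The bigip.conf excerpt is constructed for the test.
import re
from typing import Iterator, List, NamedTuple, Tuple

# Attributes the notes name as carrying free-form strings.
STRING_ATTRS = {"send", "recv", "recv-disable", "username"}

# 638935: a string containing \" keeps its enclosing quotes on save only if it
# also contains one of these characters, a literal newline, or a space.
QUOTE_FORCING_CHARS = set("'|{};# \n")

BLOCK_START = re.compile(r"^ltm monitor (\S+) (\S+) \{\s*$")


class Finding(NamedTuple):
    monitor: str
    attr: str
    issue: str
    raw_value: str


def iter_monitor_attrs(conf: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (monitor, attr, raw value as written) for string attributes in
    every 'ltm monitor' block. bigip.conf keeps one attribute per line, so a
    line-based walk is enough; only spaces are stripped so tabs survive."""
    monitor = None
    for line in conf.split("\n"):
        m = BLOCK_START.match(line)
        if m:
            monitor = m.group(2)
            continue
        if monitor is None:
            continue
        stripped = line.strip(" ")
        if stripped == "}":
            monitor = None
            continue
        parts = stripped.split(" ", 1)
        if len(parts) == 2 and parts[0] in STRING_ATTRS:
            yield monitor, parts[0], parts[1]


def check_value(raw: str) -> List[str]:
    """Issue labels for one raw attribute value (enclosing quotes included
    when the saved config had them)."""
    quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
    inner = raw[1:-1] if quoted else raw
    issues = []
    if "\t" in inner:                                               # 633110
        issues.append("literal-tab")
    if '\\"' in inner and not (set(inner) & QUOTE_FORCING_CHARS):   # 638935
        issues.append("quotes-dropped-on-save")
    if re.search(r'\\{2,}"', inner):   # 641390; pattern assumed from the notes' example
        issues.append("backslash-escaping")
    return issues


def lint_monitors(conf: str) -> List[Finding]:
    return [Finding(mon, attr, issue, raw)
            for mon, attr, raw in iter_monitor_attrs(conf)
            for issue in check_value(raw)]


# Constructed bigip.conf excerpt. The first monitor mirrors the notes' example.
SAMPLE_CONF = (
    "ltm monitor https /Common/my_https {\n"
    "    defaults-from /Common/https\n"
    "    recv \"Test string\"\n"
    "    recv-disable \\\\\\\"Test\\\\\\\"me\\\\\\\"\n"        # \\\"Test\\\"me\\\"
    "    send Test\n"
    "    username test\\\\\\\"me\n"                            # test\\\"me
    "}\n"
    "ltm monitor http /Common/quoted_only {\n"
    "    recv \"\\\"OK\\\"\"\n"                                # "\"OK\"": no quote-forcing char
    "    send \"GET /health HTTP/1.0\\r\\n\\r\\n\"\n"           # contains spaces: safe
    "}\n"
    "ltm monitor http /Common/tabbed {\n"
    "    send \"GET\t/ HTTP/1.0\"\n"                           # literal tab pasted in
    "}\n"
)


if __name__ == "__main__":
    for f in lint_monitors(SAMPLE_CONF):
        print(f"{f.monitor} {f.attr}: {f.issue} -> {f.raw_value}")
```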


632968-1 : supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails

Component: Local Traffic Manager

Symptoms:
Clients are unable to establish an SSL session.

If the backend server sends a Certificate Request with Signature Hash Algorithms set to SHA256, the serverssl profile responds with Certificate + Certificate Verify containing signature signed by SHA1 when ssl-sign-hash in that profile is set to 'ANY'.
Since the backend server does not expect SHA1 the handshake fails.

Conditions:
* BIG-IP is communicating with a TLS server (applies to serverssl profile).
* TLS server is requesting client authentication (this is less common).
* TLS client using the supported_signature_algorithms extension (this is very common)
* TLS 1.2 is needed: the signature_algorithms extension and the supported_signature_algorithms field of CertificateRequest do not exist in TLS 1.0 or 1.1.

Impact:
BIG-IP will sign the TLS handshake with the SHA1 algorithm, which will fail on the server.

Note that this issue is orthogonal to the issue of hash algorithm in X.509 certificates, e.g. "SHA1 in X.509 certificates".

Workaround:
No mitigation is known.
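
To show what a correct client does at this point in the handshake, here is an added example (not F5's code) that parses a TLS 1.2 CertificateRequest and picks the CertificateVerify hash from the server's supported_signature_algorithms list, returning nothing when there is no overlap rather than falling back to SHA1. The message bytes are constructed; SSL_SIGN_HASH_ANY is an assumed model of the profile's ANY setting.

```python
# Added example (not F5 code): parse a TLS 1.2 CertificateRequest and pick
# the CertificateVerify hash from the server's supported_signature_algorithms
# instead of defaulting to SHA1 as the notes describe. The message bytes
# below are constructed; SSL_SIGN_HASH_ANY models the profile's ssl-sign-hash
# setting as "every hash this client can produce".
import struct
from typing import List, Optional, Sequence, Set, Tuple

HANDSHAKE_CERTIFICATE_REQUEST = 13
# RFC 5246 7.4.1.4.1 code points
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
SSL_SIGN_HASH_ANY: Set[str] = {"sha1", "sha224", "sha256", "sha384", "sha512"}

SigAlg = Tuple[str, str]   # (hash, signature)


def parse_certificate_request(msg: bytes) -> Tuple[List[int], List[SigAlg], List[bytes]]:
    """Parse handshake type 13 (RFC 5246 7.4.4):
       certificate_types<1..2^8-1>, supported_signature_algorithms<2..2^16-2>,
       certificate_authorities<0..2^16-1>. Returns the three fields."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated CertificateRequest")

    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n

    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    if n % 2:
        raise ValueError("supported_signature_algorithms length must be even")
    sig_algs = [(HASH_NAMES.get(body[i], f"hash{body[i]}"),
                 SIG_NAMES.get(body[i + 1], f"sig{body[i + 1]}"))
                for i in range(pos, pos + n, 2)]
    pos += n

    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    cas, end = [], pos + n
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos); pos += 2
        cas.append(bytes(body[pos:pos + dn_len])); pos += dn_len
    if pos != len(body):
        raise ValueError("trailing bytes in CertificateRequest")
    return cert_types, sig_algs, cas


def choose_signature_hash(server_algs: Sequence[SigAlg], key_type: str,
                          allowed: Set[str] = SSL_SIGN_HASH_ANY) -> Optional[str]:
    """First server-listed pair (the server's preference order) that matches
    our key type and local policy. None means no overlap: better to abort the
    handshake than to sign with a hash the server did not offer."""
    for h, s in server_algs:
        if s == key_type and h in allowed:
            return h
    return None


# Constructed CertificateRequest: rsa_sign only; sha256/rsa, sha384/rsa,
# sha256/ecdsa; one (empty) DistinguishedName.
SAMPLE_CERTIFICATE_REQUEST = bytes.fromhex(
    "0d000010"             # HandshakeType 13, body length 16
    "0101"                 # certificate_types: [rsa_sign]
    "0006" "040105010403"  # supported_signature_algorithms
    "0004" "0002" "3000"   # certificate_authorities: one DER SEQUENCE of length 0
)


if __name__ == "__main__":
    types, algs, cas = parse_certificate_request(SAMPLE_CERTIFICATE_REQUEST)
    print(types, algs, len(cas), choose_signature_hash(algs, "rsa"))
```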


632825-4 : bcm56xxd crash following 'silent' port-mirror configuration failure

Component: TMOS

Symptoms:
A port-mirror configuration can fail 'silently', that is, no error from MCPD yet the following is logged in /var/log/ltm:

err bcm56xxd: 012c0011:3: Trunk port trouble with bcm_mirror_port_set() Entry exists bs_mirror.c(598).
err bcm56xxd: 012c0010:3: Trouble committing mirror settings to hardware: 0:21 bs_mirror.c(671).
err bcm56xxd: 012c0010:3: Trouble setting port mirror from 2.1 to 2.6 bsx.c(5173).

Once this happens, any subsequent port-mirror configuration will result in a deadlock condition and SOD will restart bcm56xxd.

If the port-mirror interfaces are part of a trunk, any trunk configuration will cause this condition. For example, adding a vCMP guest.

Conditions:
Prior 'silent' port-mirror configuration error followed by a subsequent port-mirror configuration command.

Impact:
bcm56xxd continuously restarts until the bad port-mirror configuration is removed.

Workaround:
None.


632798-1 : Double-free may occur if Access initialization fails

Component: Access Policy Manager

Symptoms:
Double-free may occur if Access initialization fails.

Conditions:
Access initialization failure occurs, possibly due to license issues.

Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.

Workaround:
None.


632721 : Non-default hold time restricts multiple IP case

Component: Policy Enforcement Manager

Symptoms:
When the hold time variable is set to a non-default value, a subscriber cannot have multiple IP addresses.

Conditions:
Hold time set to a non-default value via the sys db variable, and a second IP address is provisioned for the subscriber.

Impact:
Cannot vary hold time for multiple-IP operation.

Workaround:
Use only the default hold time when using multiple IP addresses per subscriber.


632668-3 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.


632658-2 : Enable SIP::persist command to operate during SIP_RESPONSE event

Component: Service Provider

Symptoms:
Without this change, the SIP::persist command cannot be used during the SIP_RESPONSE event, so the timeout of a SIP persistence entry cannot be changed while a SIP response message is being processed.

Conditions:
An iRule calls SIP::persist in the SIP_RESPONSE event.

Impact:
The timeout of a SIP persistence entry cannot be changed during SIP response message processing.

Workaround:
None.


632423-2 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

if { not ([DNS::question type] ends_with "XFR") } {
    # Parentheses make the negation apply to the whole comparison, so AXFR/IXFR are skipped
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}


632400 : tmm may get stuck in a core loop during a failover event

Component: Local Traffic Manager

Symptoms:
During a failover event, tmm on the newly active unit may core, which triggers another failover; tmm on the next active unit then cores as well, and the units cycle in a loop.

Conditions:
May occur during a failover event.

Impact:
Production traffic is no longer serviced or is severely hindered.

Workaround:
Restarting both active and standby units should stop core loop.


631862-3 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.

Conditions:
A virtual server must have an HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero-size chunk (empty body).

Impact:
On a stream carrying such a response, BIG-IP does not generate a frame with the END_STREAM flag. Some browsers may not handle the response properly; for example, a redirect may not be performed when the stream is not finalized, resulting in incorrect page rendering on the client.

Workaround:
Use the following iRule for the affected URLs:

when HTTP_RESPONSE {
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

The condition may be changed to narrow the iRule to specific URLs, and HTTP::respond may be modified to include other important headers and serve the proper status code.


631627-5 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on the vCMP guest. Connection failures occur when Bandwidth Controller (BWC) and Web Accelerator are both enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not come up fully. TMM does not reach a ready state and does not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.


631334-3 : TMSH does not preserve \? for config save/load operations

Component: TMOS

Symptoms:
TMSH strips the escape character from the literal string '\?', saving it as '?' in ltm monitor send/recv strings.

Conditions:
This condition manifests whenever the send/recv string in ltm monitor contains '\?'.

Impact:
This causes the BIG-IP to load incorrect monitor send/recv strings.

Workaround:
None.


631172-3 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
User is logged in to the GUI and idle for 20-30 minutes.

Impact:
User is logged out of the GUI.

Workaround:
None.


631131-1 : Some tmstat-adapters based reports stats are incorrect

Component: Advanced Firewall Manager

Symptoms:
Stats are collected incorrectly for tmstat tables that use a partial key, which leads to wrong values in reports.

Conditions:
A tmstat-adapter uses a partial key from a tmstat table.

Impact:
Wrong stats values for some reports.


630610-3 : BFD session interface configuration may not be stored on unit state transition

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.

Workaround:
Re-add statements manually.


629921-2 : [SWG] NTLM 407-based front-end auth and passthrough 401-based NTLM backend auth does not work.

Component: Access Policy Manager

Symptoms:
With SWG configured for client-side NTLM auth, when the backend server also requires NTLM auth, the ECA plugin traps the Authorization credentials (NTLMSSP_NEGOTIATE) that the client sends for the backend, sinks the request, and generates a 407 to the client to request proxy authentication again.

Conditions:
Set up SWG for authentication with NTLM credentials, then access a proxied resource that also requires NTLM authentication.

Impact:
Backend server access is restricted.

Workaround:
None


629871-3 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Component: Carrier-Grade NAT

Symptoms:
When NAT64 is deployed as part of a 464XLAT solution, the FTP ALG may rewrite the PASV response in 464XLAT cases.

Conditions:
FTP ALG deployment.

Impact:
PASV response rewritten in 464XLAT cases.

Workaround:
None.


629834-2 : istatsd high CPU utilization with large number of entries

Component: TMOS

Symptoms:
With a large number of istats entries, statsd uses a large amount of CPU time to process istats.

Conditions:
This occurs when there is a large number of istats entries in iRules.

Impact:
istats processing is slow. CPU utilization by istatsd is high.

Workaround:
Reduce the number of istats entries. Periodically purge the istats entries if possible.


629663-2 : CGNAT SIP ALG will drop SIP INVITE

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.


629530-3 : Under certain conditions, monitors do not time out.

Component: Global Traffic Manager

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses while either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time and the monitor timeout value is evenly divisible by the monitor interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.


629499-2 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"

Component: TMOS

Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found

This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.

Conditions:
The exact trigger is not known; it is caused by a timing issue that occurs during system initialization of a multi-blade chassis.

Impact:
Certain tmsh sys perf commands fail to work and give an error.

Workaround:
Restart statsd on all blades once the chassis is up.

e.g.

"bigstart restart statsd" on each blade.


629033 : BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello).

Component: Local Traffic Manager

Symptoms:
BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello). Instead, the BIG-IP system is sending SHA1 signature algorithms in the Server Hello first.

Conditions:
clientside / Server Hello.

Impact:
Minimal. SHA1 algorithms are listed first and they should be last.

Workaround:
None.


628869-1 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Conditions:
Execution of an iRule with the following iRule command:

PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.

Impact:
Filling the TMM logs with these messages makes it harder to find and traverse relevant data if the condition is encountered repeatedly.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.


628202-2 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.


628180-2 : DNS Express may fail after upgrade

Component: Global Traffic Manager (DNS)

Symptoms:
After an upgrade, TMM may not answer queries for DNS Express zones until TMM is restarted or the DNS Express zones are refreshed.

Conditions:
Upgrading from previous version.

Impact:
DNS Express may fail after upgrade.

Workaround:
Restart TMM, or force TMM to reload the DNS express database by running "tmsh load ltm dns dns-express-db".


628164-2 : OSPF with multiple processes may incorrectly redistribute routes

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.


627760-2 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.


627246-2 : TMM memory leak when ASM policy configured on virtual

Component: Local Traffic Manager

Symptoms:
TMM memory leak in hud_oob when ASM policy configured on virtual server.

Conditions:
The memory leak can be observed in the output of the following shell command:
tmctl -c memory_usage_stat | grep -P '^name|hud_oob'
when an ASM policy is configured on a virtual server. This condition is not the only trigger, however.

Impact:
TMM might run out of memory and eventually crash.

Workaround:
If possible, remove the ASM policy from the virtual server.
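
The following POSIX shell script is an added example, not part of the F5 release note: it turns the tmctl command above into a repeatable leak check by taking two memory_usage_stat samples some minutes apart and reporting how much the hud_oob allocation grew. The column layout (name, allocated, max_allocated, size) is assumed from typical tmctl output, and the two samples embedded in the script are constructed for offline testing; on a BIG-IP, run it with --live to sample tmctl itself.

```shell
#!/bin/sh
# Added example, not from the F5 release note: quantify growth of the hud_oob
# allocation between two `tmctl -c memory_usage_stat` samples so a leak
# (ID 627246) can be confirmed rather than guessed.
# Assumption: tmctl prints columns "name allocated max_allocated size".
# The two samples below are constructed for the offline test.

SAMPLE_T0='name              allocated   max_allocated   size
hud_oob           1048576     1048576         64
tcp               2097152     2097152         128'

SAMPLE_T1='name              allocated   max_allocated   size
hud_oob           9437184     9437184         64
tcp               2097152     2228224         128'

# Print the "allocated" bytes for one memory_usage_stat entry.
# $1: entry name (e.g. hud_oob), $2: tmctl output text
allocated_bytes() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# Print the byte growth of entry $1 between sample $2 (earlier) and $3 (later).
# Returns 1 if the entry is missing from either sample.
growth_bytes() {
    a=$(allocated_bytes "$1" "$2"); b=$(allocated_bytes "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] || return 1
    echo $((b - a))
}

# Returns 0 when hud_oob grew by more than $3 bytes between the two samples
# (a sign the leak is active), 1 otherwise. Default threshold: 1 MiB.
hud_oob_leaking() {
    g=$(growth_bytes hud_oob "$1" "$2") || return 1
    [ "$g" -gt "${3:-1048576}" ]
}

# Live check: sample tmctl twice, $1 seconds apart (default 300), and report.
live_check() {
    interval=${1:-300}
    t0=$(tmctl -c memory_usage_stat)
    sleep "$interval"
    t1=$(tmctl -c memory_usage_stat)
    if hud_oob_leaking "$t0" "$t1"; then
        echo "hud_oob grew by $(growth_bytes hud_oob "$t0" "$t1") bytes in ${interval}s: leak likely"
    else
        echo "hud_oob stable (growth $(growth_bytes hud_oob "$t0" "$t1") bytes in ${interval}s)"
    fi
}

# Only sample the live system when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--live" ]; then live_check "${2:-300}"; fi
```

Run as sh hud_oob_check.sh --live 600 on the BIG-IP; a steadily positive growth across several runs under constant traffic, not a single spike, is what distinguishes the leak from normal allocation churn.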


626798 : Use of SPDY profile may crash tmm in rare conditions

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the SPDY profile might result in a tmm crash due to incorrect processing of allocated memory.

Conditions:
SPDY profile is configured and applied to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround other than to remove the SPDY filter.


626721-3 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart

Component: TMOS

Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain error messages similar to:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342

Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.

Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).

Workaround:
Run the command "tmsh reset-stats auth login-failures <username>" only with valid usernames.


626589-4 : iControl-SOAP prints beyond log buffer

Component: TMOS

Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.

Conditions:
Logging for iControl SOAP is turned on with trace level.

Impact:
iControl SOAP can write garbage log lines to /var/log/ltm, and reading beyond the buffer can lead to instability.

Workaround:
Do not enable logging with trace level, which is not turned on by default.


626434-4 : tmm may be killed by sod when a hardware accelerator does not work

Component: Local Traffic Manager

Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod), when the Cavium hardware accelerator does not come back after the reset from the driver.

Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Power cycling the system might correct the error.


626141-1 : DNSX Performance Graphs are not displaying Requests/sec

Component: Global Traffic Manager

Symptoms:
The DNSX Performance graphs are labeled Requests/second, but the data plotted is actually the total number of requests.

Conditions:
Always.

Impact:
The data displayed in the graph is not correct.


625892-3 : Nagle Algorithm Not Fully Enforced with TSO

Component: Local Traffic Manager

Symptoms:
Sub-MSS packets are more numerous than Nagle's algorithm would imply.

Conditions:
TCP Segmentation Offload is enabled.

Impact:
Sub-MSS packets increase overhead and client power consumption.

Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable


625832-2 : A false positive modified domain cookie violation

Component: Application Security Manager

Symptoms:
An unexpected modified domain cookie violation on a system that has more than 127 policies configured.

Conditions:
This occurs when more than 127 policies are configured. The violation modified domain cookie is turned on and there are enforced cookies.

Impact:
A false positive violation.

Workaround:
Remove the modified domain cookie violation from blocking.


625824-3 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, causing swap usage to increase continuously and possibly exhausting swap space.

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem

Impact:
iControlPortal.cgi memory increases

Workaround:
Restart httpd to reload the iControl daemon.


625671-2 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provides incomplete diagnostic output, stopping at the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver allows dnsxdump to work again after the next zone transfer.


625542-4 : SIP ALG with Translation fails for REGISTER refresh.

Component: Service Provider

Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.

Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.

Impact:
The egressing SIP REGISTER message will not have translation applied, i.e., the Contact and Via headers will not be translated.

Workaround:
None


625456-2 : Pending sector utility may write repaired sector incorrectly

Component: TMOS

Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.

When a pending sector is repaired, a message similar to the following is logged:
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)

For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements

Conditions:
This may occur on BIG-IP appliances or VIPRION blades that contain hard disks with 4096-byte physical sectors.

Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades

Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.

The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:

# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device

# smartctl -i /dev/sda | grep "Sector Size"

Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical

Not Affected:
Sector Size: 512 bytes logical/physical
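
As an added check (not part of the F5 release note), the following POSIX shell script automates the smartctl test above: it parses the "Sector Size" line from smartctl -i for every device reported by smartctl --scan and flags the disks with 4096-byte physical sectors that this issue affects. The two smartctl excerpts embedded in it are constructed for offline testing, and the vendor/product strings are placeholders.

```shell
#!/bin/sh
# Added example, not from the F5 release note: identify disks with 4096-byte
# physical sectors (the condition for ID 625456) by parsing the "Sector Size"
# line that `smartctl -i` prints, and walk every device from `smartctl --scan`.
# The two smartctl excerpts below are constructed for the offline test.

SMART_4K='Vendor:               EXAMPLE
Product:              DISK-4K
Sector Sizes:         512 bytes logical, 4096 bytes physical
Rotation Rate:        7200 rpm'

SMART_512='Vendor:               EXAMPLE
Product:              DISK-512
Sector Size:          512 bytes logical/physical
Rotation Rate:        7200 rpm'

# Print the physical sector size in bytes found in smartctl -i output ($1),
# handling both the "512 bytes logical, 4096 bytes physical" and the
# "512 bytes logical/physical" forms. Prints nothing if no such line exists.
physical_sector_bytes() {
    printf '%s\n' "$1" | awk '
        /Sector Size/ {
            if (match($0, /[0-9]+ bytes physical/)) {
                s = substr($0, RSTART, RLENGTH); sub(/ bytes physical/, "", s); print s; exit
            }
            if (match($0, /[0-9]+ bytes logical\/physical/)) {
                s = substr($0, RSTART, RLENGTH); sub(/ bytes logical\/physical/, "", s); print s; exit
            }
        }'
}

# Exit 0 if the disk described by smartctl output $1 is affected (4096-byte
# physical sectors), 1 if not affected, 2 if the sector size could not be read.
disk_affected() {
    bytes=$(physical_sector_bytes "$1")
    [ -n "$bytes" ] || return 2
    [ "$bytes" -eq 4096 ]
}

# Live scan: one line per device from `smartctl --scan`, whose output looks
# like "/dev/sda -d scsi # /dev/sda, SCSI device" (first field is the device).
scan_disks() {
    smartctl --scan | while read -r dev rest; do
        case "$dev" in /dev/*) ;; *) continue ;; esac
        info=$(smartctl -i "$dev" 2>/dev/null)
        disk_affected "$info"; rc=$?
        case $rc in
            0) echo "$dev AFFECTED: $(physical_sector_bytes "$info")-byte physical sectors" ;;
            1) echo "$dev not affected: $(physical_sector_bytes "$info")-byte physical sectors" ;;
            *) echo "$dev unknown: no Sector Size line from smartctl -i" ;;
        esac
    done
}

# Run the live scan only when asked, so the functions can be sourced for testing.
if [ "${1:-}" = "--scan" ]; then scan_disks; fi
```

Run it as sh check_sectors.sh --scan on each appliance or blade; because the note warns that RMA replacements may introduce affected disks on otherwise unlisted platforms, the per-device check is more reliable than the platform list alone.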

Impact:
Potential corruption of unknown files on BIG-IP volumes.


625198-3 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the below are required to see this behavior:

DSACK is enabled

MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.

cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.

an iRule exists that changes any of the conditions above besides DSACK.

various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.


625098-1 : SCTP::local_port iRule not supported in MRF events

Component: Service Provider

Symptoms:
SCTP::local_port iRule not supported in MRF events

Conditions:
MRF events such as MR_INGRESS, MR_EGRESS, and MR_FAILED are used.

Impact:
SCTP::local_port does not work in MR events.


624909-3 : Static route create validation is less stringent than static route delete validation

Component: TMOS

Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.

Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.

Impact:
Unable to delete certain self-IPs.

Workaround:
In order to delete the self-IPs you can either:

1) Delete the static route.
or
2) Create a self-IP on the same interface that uses the same IP protocol as the static route.


624876-3 : Response Policy Zones can trigger even after entry removed from zone

Component: Global Traffic Manager (DNS)

Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.

Conditions:
An RPZ zone contains an entry, for example badzone.example.com, that is subsequently removed.

Impact:
Entries that encounter this problem will continue to be blocked by RPZ.

Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin and "bigstart restart zxfrd".

This recreates the databases without the remnants of the deleted entries.


624744-4 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.


624626-1 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility

Component: TMOS

Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:

01020036:3: The requested Certificate File (/Common/example.crt) was not found

Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.

Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example


624484-1 : Timestamps not available in bash history on non-login interactive shells

Component: TMOS

Symptoms:
There are no timestamps in bash history when bash is initiated from tmsh.

Conditions:
This issue arises when an Administrator or Resource Administrator with tmsh as the default shell runs bash from tmsh and then runs the 'history' command.

Impact:
Running 'history' in bash will not include timestamps of commands.

Workaround:
Timestamps can be added to bash history by running the following command in bash: export HISTTIMEFORMAT="%Y-%m-%d %T ".


624193-1 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions that cause the problem.


624023-1 : TMM cores in iRule when accessing a SIP header that has no value

Component: Service Provider

Symptoms:
When an iRule is used to access a SIP header attribute that has no value, TMM cores.

Conditions:
Use iRule to access the value of SIP message header attribute with no value.
Eg:
"Supported: " IEOL
"Session-Expires:" IEOL

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.


623930-2 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.


623922-1 : TMM failure in PEM while processing Service-Provider Disaggregation

Component: Policy Enforcement Manager

Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.

Conditions:
System crashes when traffic flows and rules get executed on the flow.

Impact:
System crashes.

Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.


623536-4 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent

Component: TMOS

Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, the SNMP trap that should notify of RSTs sent because maintenance mode is on is not sent.

Conditions:
Reset cause logging and maintenance mode are enabled
Snmp trap destination is configured and routable

Impact:
snmp traps are not sent

Workaround:
Adding a custom trap to /config/user_alert.conf with escaped characters works around the issue:

alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}


623488-1 : Custom adaptive reaper settings may be lost at upgrade time

Component: TMOS

Symptoms:
Beginning in 11.6.0, the adaptive-reaper was changed to use the default-eviction policy. The configuration migration script does not migrate the adaptive-reaper settings, so after upgrade the reaper settings are reset to their default.

Conditions:
Upgrade from 10.x to 11.6.0 or later.

Impact:
Settings may be unexpectedly changed as part of upgrade.

Workaround:
Inspect the values after upgrade and reconfigure them.


623391-3 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.

Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size.

Workaround:
Run the below to fix /etc/mtab on target (HD1.3 is used in this example; substitute the correct target volume) before cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3


623371-3 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed

Component: TMOS

Symptoms:
When attempting to ssh in as a nonexistent user using SSH keypair, the connection closes.

Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.

Impact:
User does not see expected password prompt.

Because the response differs for existing and nonexistent users, this behavior can be used to determine which usernames are valid on the BIG-IP system, although it requires SSH keys.

Workaround:
None known.


623367-2 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present root's key.

Component: TMOS

Symptoms:
Able to log in to BIG-IP using root's keypair as a user that does not exist on either the BIG-IP or the RADIUS server.

Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.

Impact:
Anyone holding root's SSH keypair can log in as a nonexistent user.

Workaround:
Set the default remote role to something other than admin.


623336-2 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS

Component: TMOS

Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.

This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt


623265-2 : UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt

Component: TMOS

Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt.

Conditions:
A system is upgraded from v10.x to v11.x/v12.x, or a v10.x UCS is restored onto a v11.x/v12.x system.

Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd / non-deterministic behavior between devices, even an HA pair / cluster of devices. Non-determinism increases because ca-bundle.crt does not ConfigSync (and appears not to sync across blades in a chassis).

For example, on one device, the BIG-IP system might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to AskF5 article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030), but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
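The three workaround steps above, for this entry and for the preceding ca-bundle.crt entry, come down to one check: is the live /config/ssl/ssl.crt/ca-bundle.crt byte-identical to the bundle the running software shipped? The following shell script is an added example, not part of this release note or of F5's software. It performs that comparison (with cmp rather than md5sum, which is equivalent for this purpose) and, when the files differ, reports whether the live file still carries the old RCS header described in the preceding entry. It assumes the RCS revision marker is a standard RCS keyword ($Id or $Revision) within the first lines of the file; the default paths are the ones given in the workaround, and the data used in testing is constructed.

```shell
#!/bin/sh
# Added example (not from the release note or F5 software): check whether the
# live ca-bundle.crt was left stale after an upgrade, the way step 3 above does
# with md5sum, but with a byte-for-byte comparison and a diagnosis of why.

# Return 0 if the first 20 lines of $1 carry an RCS keyword.
# Assumption: the "RCS revision number near the top" is a standard RCS keyword
# such as "$Id: ... $" or "$Revision: ... $".
has_rcs_header() {
    head -n 20 "$1" 2>/dev/null | grep -Eq '\$(Id|Revision):'
}

# Return 0 if the shipped bundle ($1) and the live bundle ($2) are identical.
bundles_match() {
    cmp -s "$1" "$2"
}

# Compare the shipped bundle with the live one and print a verdict.
# Exit status: 0 = live bundle is current, 1 = stale, 2 = a file is unreadable.
# Defaults are the paths named in the workaround above.
check_ca_bundle() {
    shipped=${1:-/usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup}
    live=${2:-/config/ssl/ssl.crt/ca-bundle.crt}

    if [ ! -r "$shipped" ] || [ ! -r "$live" ]; then
        echo "error: cannot read $shipped or $live"
        return 2
    fi

    if bundles_match "$shipped" "$live"; then
        echo "ok: $live matches the shipped bundle"
        return 0
    fi

    # The files differ. Distinguish the upgrade bug from a deliberate local edit:
    # the bug leaves the old RCS-tagged bundle in place while the shipped one has no tag.
    if has_rcs_header "$live" && ! has_rcs_header "$shipped"; then
        echo "stale: $live still carries the pre-upgrade RCS header; copy $shipped over it and force an mcpd reload"
    else
        echo "differs: $live does not match $shipped (locally modified?)"
    fi
    return 1
}

# On a BIG-IP, source this file and run: check_ca_bundle
```

Run it on every device (and on every blade of a VIPRION chassis) after the upgrade; a non-zero exit means step 1 and the forced mcpd reload in step 2 are still needed on that unit, because ca-bundle.crt does not ConfigSync.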


623084-1 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp

Component: Local Traffic Manager

Symptoms:
mcpd fails to load the configuration if the pre-11.6.0 configuration had a DHCP virtual server configured with any profile other than /Common/udp.

Conditions:
A pre-11.6.0 configuration contains a DHCP-type virtual server with a profile other than /Common/udp, and the system is upgraded to 11.6.0 or later.

Impact:
mcpd fails to load the configuration. The BIG-IP system is not operational until the configuration is changed and loaded.

Workaround:
Before the upgrade change the profile to /Common/udp.

The same change can be made to bigip.conf after the upgrade, followed by loading the configuration with 'tmsh load /sys config'.


623055-3 : Kernel panic during unic initialization

Component: TMOS

Symptoms:
During system initialization, the kernel panics during unic initialization.

Conditions:
This can occur on BIG-IP Virtual Edition if an error (on memory allocation, io etc.) occurs during unic initialization.

Impact:
The kernel panics, system will not boot.


623037-1 : Delete of PEM session attribute does not work after an update

Component: Policy Enforcement Manager

Symptoms:
It is not possible to delete a session attribute through rules after that attribute has been updated.

Conditions:
Rules that both update and delete a session attribute.

Impact:
Unable to delete the session attribute.


622876-2 : Certificate serial number is not displayed properly in OCSP Stapling logs.

Component: Local Traffic Manager

Symptoms:
The certificate serial number is not displayed properly in OCSP Stapling logs.

Conditions:
These logs are seen when there are any errors when fetching and validating an OCSP response, and/or when SSL debug logs are enabled.

Impact:
Certificate serial number is not displayed properly.

Workaround:
None.


622619-3 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPD CPU utilization is high, rendering it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.


622220-3 : Disruption during manipulation of PEM data with suspected flow irregularity

Component: Policy Enforcement Manager

Symptoms:
tmm crashes.

Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


622183-3 : The alert daemon should remove old log files but it does not.

Component: TMOS

Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.

Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.

Impact:
The log filesystem may become completely full, and new log messages cannot be saved.


622148-4 : Flow-generated ICMP error messages need to consider which side of the proxy they are on

Component: Local Traffic Manager

Symptoms:
When generating an error message from a flow, the ICMPv6 code does not check which side of the proxy the message needs to be crafted for.

Conditions:
ICMP error handling.

Impact:
As a result, the generated ICMP error message might contain the wrong addressing.

Workaround:
None.


622133-4 : vCMP guests may obtain incorrect MAC addresses

Component: TMOS

Symptoms:
vCMP guests may be re-configured to use MAC addresses based off an all zero MAC address (00:00:00:00:00:00).

The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:

-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag

-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag

Conditions:
For this to manifest, the vcmpd process on the vCMP host must have previously crashed or been killed.
In this scenario, vcmpd on restart uses a default zero-based MAC address for the guests.
The guests do not use the new zero-based MAC address until services are restarted on the guest, at which point the new MAC address takes effect.

Impact:
This can cause network issues and conflicts if occurring on multiple guests in the same VLAN as the same MAC addresses will be used.

Workaround:
Restart the guest from the hypervisor.


622017-5 : Performance graph data may become permanently lost after corruption.

Component: Local Traffic Manager

Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to backup the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.

However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.

Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.

Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.

Workaround:
Old performance graph data can be extracted from the /var/rrd directory of a QKView taken before the problem began.


621909-5 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members

Component: TMOS

Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.

Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.

Impact:
Uneven traffic distribution.

Workaround:
None.


621843-3 : The ipother proxy sends ICMP error messages to the wrong side

Component: Local Traffic Manager

Symptoms:
The ipother proxy error handling sends ICMP error messages down the wrong side of the proxy: when a client-side error occurs, the error message is sent to the server side.

Conditions:
Error handling in the ipother proxy.

Impact:
ICMP error messages show up on the wrong side of the proxy.

Workaround:
None.


621736-3 : statsd does not handle SIGCHLD properly in all cases

Component: Local Traffic Manager

Symptoms:
- Performance graphs are not updating or do not exist.
- proc_pid_stat shows statsd CPU time not increasing.
- top also shows that statsd is not taking any processor time.

In fact statsd is stuck on a wait in a signal handler.

Conditions:
If statsd receives a SIGCHLD signal it gets stuck and does not process anything.

The following sequence can trigger the issue:

 - rm -rf /shared/rrd.backup
 - sed -i "s/^#CRC.*$/#CRC $RANDOM/" /var/rrd/throughput.info
 - kill -HUP $(pgrep -f /usr/bin/statsd)

Impact:
No performance graphs are collected / generated

Workaround:
Restart statsd:
 - bigstart restart statsd


621452-3 : Connections can stall with TCP::collect iRule

Component: Local Traffic Manager

Symptoms:
Connection does not complete

Conditions:
A TCP::collect command with two arguments defers collection beyond the first client message, which should be sufficient to produce a response.

The Initial Sequence number in the SYN is < 2^31.

The first received packet after the SYN carries data.

Impact:
Connection fails.


621284-3 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute

Component: WebAccelerator

Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.

Conditions:
Invoking the TMSH man/help page on RAMCACHE.

Impact:
Incorrect TMSH help text

Workaround:
N/A


621273-4 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.


621260 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.


621259-2 : Config save takes long time if there is a large number of data groups

Component: TMOS

Symptoms:
Config save takes a long time to complete

Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration

Impact:
When the save takes longer than 90 seconds, SOAP iControl times out.
This makes it impossible to manage the device via Enterprise Manager (EM).


620896 : mcpd fails to load configuration on upgrade if transparent monitors are configured for FQDN nodes

Component: Local Traffic Manager

Symptoms:
In /var/log/ltm the following errors will be logged

Oct 6 07:01:11 localhost err tmsh[11209]: 01420006:3: Loading configuration process failed.
Oct 6 07:01:12 localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. -- 01070734:3: Configuration error: Transparent monitors are not currently available for FQDN nodes. Unexpected Error: Loading configuration process failed.

Conditions:
Running 11.6.0 or prior with transparent monitors configured for FQDN nodes and then upgrading to 11.6.1 or higher.

Impact:
The BIG-IP will stay INOPERATIVE until the configuration is changed and loaded.

Workaround:
After the upgrade, bigip.conf needs to be changed so that the transparent monitor is no longer configured for the FQDN node. After the edits are made, the config needs to be reloaded.


620829-4 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
None.


620759-5 : Persist timeout value gets truncated when added to the branch parameter.

Component: Service Provider

Symptoms:
The persist timeout value is truncated when added to the branch parameter, because the two values have different storage types.

Conditions:
The persist timeout value is higher than 65535.

Impact:
An incorrect persist timeout takes effect for the call, rather than the value set in the configuration.

Workaround:
None.


620659-2 : The BIG-IP system may unnecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
  info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'

During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
  info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.


620346 : When auto-refresh is enabled on the statistics screen for wideip / pools, it refreshes to the wrong screen.

Component: Global Traffic Manager (DNS)

Symptoms:
When the page refreshes, it loads the wideip statistics screen, rather than the wideip pool statistics screen.

Conditions:
Have wide IP & pools and visit the stats page and click on view detail under the "Pools" column with refresh enabled.

Impact:
It makes it hard for the user to view updated stats for that particular stats page because it cannot be auto-refreshed.

Workaround:
Clicking the << Back button and "view detail" again would update the page stats.


619849-2 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profiles, that must be handling traffic.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified accept in the TCP profile.


619811-4 : Machine Cert OCSP check fails with multiple Issuer CA

Component: Access Policy Manager

Symptoms:
If there are multiple CAs in the CA bundle and the issuing CA is not first in it, the OCSP responder returns an "unauthorized" response.

Conditions:
This can only happen when the issuing CA is not first in the CA file.

Impact:
The OCSP check in Machine Cert fails and the user cannot follow the successful branch in the Access Policy. This might result in an authentication failure even though the machine certificate is valid.

Workaround:
Use an iRule Event agent and a Variable Assign agent between the Machine Cert and OCSP Auth agents.

Follow these steps:

iRule:

1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"

Variable Assign:

3) Read this issuer cert from the session db and assign it back to the same session variable:

session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }


619486-1 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self

Component: Access Policy Manager

Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access can fail if the application modifies the built-in window.self object. As a result, the application stops working and may log an undefined variable/reference exception in the Developer Tools console.

To verify that window.self has been modified, run 'window.self == window' in the Developer Tools console of the page with the error and check whether it returns 'false'.

Conditions:
This can occur if a web application has JavaScript that modifies the value of window.self.

Impact:
Affected web-applications will not work when accessed through Portal Access.

Workaround:
None


619473-1 : Browser may hang at APM session logout

Component: Access Policy Manager

Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.

Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.

Impact:
Logout from the APM session may take a long time (several minutes). In some cases, it may be necessary to restart the browser.


619210-1 : [FIPS] High CPU usage (11.5.4) or memory error messages (11.6.1) during stress test using FIPS keys

Component: TMOS

Symptoms:
When running a stress test (for example, using the Apache Bench tool) that aggressively connects to a virtual server whose clientSSL profile uses a FIPS key:

In 11.5.4, you may observe high CPU usage with the "top" command and "Clock advanced" messages in the ltm logs.

In 11.6.1, the symptoms seen in 11.5.4 do not appear, but the ltm log prints a sequence of ERR_MEMORY_ALLOC_FAILURE messages at the beginning of the stress test.

Conditions:
1. The connection to the virtual server is using a clientSSL profile whose SSL key is a FIPS key.
2. The connection that uses the FIPS key is triggered very frequently (such as in a stress test). For example, from the client side, it runs this Apache Bench command "ab -c 1000 -n 1000000 https://10.10.10.100/" to test the virtual server.

Impact:
When the connections occupy too much of the CPU's resource, it could impact the performance of other tasks of the system.

Workaround:
When this issue occurs, you can mitigate it by any method that restricts use of the FIPS key in SSL connections. For example, do not make the clientSSL profile that uses the FIPS key the default clientSSL profile of the virtual server, and add more non-FIPS clientSSL profiles to the virtual server, so that connections are not always handled by the FIPS key.


619158-4 : iRule DNS request with trailing dot times out with empty response

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.

Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.

Impact:
The request does not properly resolve to an IP address.

Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.


619071-2 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disable verified accept when OneConnect is used on a virtual server.


618905-3 : tmm core while installing SafeNet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm cores while installing the SafeNet 6.2 client.

Conditions:
SafeNet 6.2 client installation.

Impact:
Traffic disrupted while tmm restarts.


618771-2 : Some Social Security Numbers are not being masked

Component: Application Security Manager

Symptoms:
ASM does not block or mask some SSNs.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask, and responses contain social security numbers in specific ranges.

Impact:
The response passes to the end client neither masked nor blocked.

Workaround:
None.


618693-2 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP

Component: Application Security Manager

Symptoms:
When a web scraping attack of the session opening anomaly type is generated, an attack start/end event is shown in /var/log/asm and in the GUI (Security :: Event Logs : Application : Web Scraping Statistics). The event has a "source ip" field which should include the route domain. In the case of "session opening anomaly", the route domain is always zero (for example, 127.0.0.1%0), even when a non-zero route domain is configured.

Conditions:
Route domain is configured and a web scraping attack event triggers.

Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.

Workaround:
None. This is a cosmetic error; the system uses the correct route domain.


618546 : ClientSSL profile could incorrectly inherit cert-key-chain objects from parent profile

Component: Local Traffic Manager

Symptoms:
Child clientSSL profile continues to inherit the cert-key-chain objects from parent clientSSL profile when it shouldn't.

Conditions:
A child clientSSL profile is created with the cert and key fields inherited as defaults from the parent profile but with a different chain field, and no new cert-key-chain objects are added to the child profile.
In this case, because the chain field is changed, the child profile should not inherit any cert-key-chain objects from the parent, but it does.

Impact:
Child clientSSL profile continues to inherit the cert-key-chain objects from parent clientSSL profile when it shouldn't.


618463-3 : Artificially low route MTU can cause SIGSEGV core from monitor traffic

Component: Local Traffic Manager

Symptoms:
When a monitor instance targets an address reachable via a route with an artificially low MTU, tmm can crash repeatedly.

Conditions:
A monitor targets an address reachable via a route with an artificially low MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a correct MTU on the route.


618319-3 : HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked

Component: TMOS

Symptoms:
All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.

Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).

If this port is blocked, the devices cannot exchange failover status information.

Impact:
When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and each device becomes active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.

Workaround:
Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port.

Normally this is done with 'allow-service { default }' if the default service list is in use; otherwise an explicit entry can be added with 'allow-service { udp:1026 }'.


618254 : Non-zero Route domain is not always used in HTTP explicit proxy

Component: Local Traffic Manager

Symptoms:
Customers may experience connectivity failure in situations where sideband communication is required as part of the transaction.

Conditions:
BIG-IP has http-explicit configuration, where a sideband connection is required, say in the case of getting an OCSP response or a DNS resolver response when those services are associated with a different route domain.

Impact:
End-to-end connectivity failure.

Workaround:
Change configuration so that all services required are on the default route domain, 0.


618170-1 : Some URL unwrapping functions can behave incorrectly

Component: Access Policy Manager

Symptoms:
Some URL unwrapping functions can behave incorrectly, resulting in various web application malfunctions.

Conditions:
JavaScript with "location.pathname"-like fields on the right-hand side of an expression.

Impact:
Different web application malfunctions. One example is SharePoint 2010 using IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.


618163 : iControl REST transaction failure when specifying older schema version

Component: TMOS

Symptoms:
While performing iControl REST calls that specify 11.6.0 as the schema version, you get an error:

{"code":400,"message":"Error on connection or connection was closed by peer:1114","errorStack":[]}

Conditions:
Using iControl REST while specifying the 11.6.0 schema, for example:

https://<ip_addr>/mgmt/tm/transaction/$trans_id?ver=11.6.0

Impact:
iControl REST call may fail intermittently.

Workaround:
Specify the current schema version.


618161-3 : SSL handshake fails when clientssl uses softcard-protected key-certs.

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when clientssl uses softcard-protected key-certs.

Conditions:
Softcard-protection is enabled and token protection is disabled.

Impact:
SSL handshake fails

Workaround:
None known.


618131-2 : Latency for Thales key population to the secondary slot after reboot

Component: Local Traffic Manager

Symptoms:
It may take a significant amount of time for the Thales key to populate from the primary slot to the secondary slot after a reboot. The latency can be a few minutes.

Conditions:
This occurs for Thales netHSM installed on Chassis.

Impact:
The key can't be found at secondary slot and the ssl traffic may fail.

Workaround:
If SSL handshakes fail on secondary blades for newly created Thales keys, you may check secondary blades with
 
    nfkminfo -l
 
to see if the file is there. If not, the file can be synchronized with rfs-sync --U.


618104-3 : Connection Using TCP::collect iRule May Not Close

Component: Local Traffic Manager

Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.

Conditions:
A finite TCP::collect iRule is in progress.

This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.

Impact:
The connection does not close until the sweeper causes a RST.

Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.


618024-3 : Software-switched platforms accept traffic on LACP trunks even when the trunk is down

Component: Local Traffic Manager

Symptoms:
On software-switched platforms, tmm-owned LACP trunks still accept traffic even though the trunk is down from the control plane's point of view (LACP status down).

Conditions:
LACP trunk with status down.

Impact:
VLAN failsafe timers are erroneously reset, so VLAN failsafe is broken.

Workaround:
None.


617690-2 : enable SIP::respond iRule command to operate during MR_FAILED event

Component: Service Provider

Symptoms:
When a message fails to route, it is not possible to return an error status to the client.

Conditions:
When a message fails to route, the MR_FAILED event is raised for the message.

Impact:
Without this change, it is not possible for the script author to generate a response message to the client based on the routing failure.

Workaround:
None.


617628-2 : SNMP reports incorrect value for sysBladeTempTemperature OID

Component: TMOS

Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245

# tmsh show sys hardware

Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...

The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.

Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.

Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.

config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
  1 1 0 19 49 Blade air outlet temperature 1
  1 2 0 14 41 Blade air inlet temperature 1
  1 3 0 21 57 Blade air outlet temperature 2
  1 4 0 16 41 Blade air inlet temperature 2
  1 5 0 25 60 Mezzanine air outlet temperatur
  1 6 0 27 72 Mezzanine HSB temperature 1
  1 7 0 17 63 Blade PECI-Bridge local tempera
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
  1 9 0 25 68 Mezzanine BCM56846 proximity te
  1 10 0 22 69 Mezzanine BCM5718 proximity tem
  1 11 0 19 57 Mezzanine Nitrox3 proximity tem
  1 12 0 16 46 Mezzanine SHT21 Temperature
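The Gauge32 value in the snmpwalk output above is a negative reading wrapped into an unsigned 32-bit integer: 4294967245 - 2^32 = -51 (the -48 in the tmsh capture would appear as 4294967248, which is consistent with the two captures having been taken at different times). Until a fix is applied, a monitoring pipeline can undo the wrap itself. The following shell functions are an added example, not part of this release note or of F5's SNMP agent; the snmpwalk lines fed to them are constructed from the format shown above, and the column OID in the usage comment is the page's OID without its .8.1 instance suffix.

```shell
#!/bin/sh
# Added example (not from the release note): undo the unsigned wrap that SNMP
# applies to negative sysBladeTempTemperature readings, so a monitoring script
# sees the same signed Celsius value that "tmsh show sys hardware" reports.

# Reinterpret an unsigned 32-bit value as two's-complement signed.
signed32() {
    v=$1
    if [ "$v" -gt 2147483647 ]; then
        v=$((v - 4294967296))
    fi
    printf '%s\n' "$v"
}

# Decode one snmpwalk line such as (constructed from the format on this page)
#   F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
# and print "<slot.index> <tempC>", here "8.1 -51".
decode_blade_temp_line() {
    line=$1
    idx=${line#*sysBladeTempTemperature.}   # strip up to the OID instance suffix
    idx=${idx%% *}                           # keep "slot.index"
    raw=${line##*Gauge32: }                  # the wrapped value
    printf '%s %s\n' "$idx" "$(signed32 "$raw")"
}

# Decode every sysBladeTempTemperature line on stdin, ignoring anything else
# (other OIDs, non-Gauge32 values).
decode_blade_temps() {
    while IFS= read -r line; do
        case $line in
            *sysBladeTempTemperature.*"Gauge32: "*) decode_blade_temp_line "$line" ;;
        esac
    done
}

# Usage on a BIG-IP (not run here): walk the whole temperature column, i.e. the
# page's OID without its .8.1 instance suffix, and decode each row.
#   snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2 | decode_blade_temps
```

Anything above 2^31-1 is treated as a wrapped negative; genuine readings are small positive numbers, so the decode cannot misfire on a valid temperature.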


616169-2 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
A) Restarting the asm_config_server.pl process, or restarting ASM usually clears up the issue.

B) Run "umask 0022" on the device

C) Download the file from the shell.


616021-3 : Name Validation missing for some GTM objects

Component: TMOS

Symptoms:
BIG-IP fails to load GTM Configurations where names of some objects contain a control character.

Conditions:
User creates a GTM object with a control character in the name.

Impact:
Causes the config to fail to load.

Workaround:
Remove control characters prior to creating gtm objects.


615970-2 : SSO logging level may cause failover

Component: Access Policy Manager

Symptoms:
SSO logging level may cause failover.

Conditions:
SSO logging level set to "Debug".

Impact:
TMM may crash. Core file may be generated.

Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".


615553-1 : Reverse/transparent setting reverting to disabled on child monitor

Component: Local Traffic Manager

Symptoms:
Child monitor failing. Reverse/transparent setting reverting back to disabled.

Conditions:
Parent monitor with reverse/transparent enabled and child monitor with reverse/transparent disabled.

Impact:
The child monitor begins to fail when the configuration is re-loaded.

Workaround:
Make sure child and parent monitors have the same reverse/transparent setting. Or don't use a custom monitor as a parent if you want to modify reverse/transparent settings.


615143-4 : VDI plugin-initiated connections may select inappropriate SNAT address

Component: Local Traffic Manager

Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual before reaching the external network, the selected SNAT address may be inappropriate for the egress vlan.

Conditions:
APM configuration with VDI functionality enabled and additional virtual matching the VDI-initiated connections.

Impact:
Return traffic from the destination may not be able to reach the BIG-IP system, which breaks the VDI functionality.

Workaround:
None, short of removing the additional virtual server that matches the VDI traffic.


615107-3 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).

Component: TMOS

Symptoms:
Commands issued from the AOM/SCCP menu to the host do not function, or a password is required when using SSH from AOM/SCCP to the host.

Conditions:
The /etc/ssh directory is present on the host.

Impact:
AOM/SCCP is unable to connect to the host without a password.

Workaround:
None.


614493-2 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.

Component: TMOS

Symptoms:
A reset sent by the BIG-IP system on ePVA-accelerated active flows might contain stale sequence and ACK numbers that fall outside the receiver's valid RST window.

Conditions:
For example, a server-side pool member going down causes the BIG-IP system to reset all client flows on that pool member. If these flows are actively offloaded to ePVA and carrying heavy traffic at the time the pool member goes down and the reset is sent, the SEQ/ACK numbers known to the BIG-IP software might not be current, so the RST is encoded with the most recent SEQ/ACK values the software is aware of.

Impact:
The receiver might ignore these RSTs if they fall outside its valid window, and must then rely on its TCP idle or keep-alive timeout to clean up the connections. Relying on those timeouts is standard TCP stack behavior.

Workaround:
None.


614486-3 : BGP community lower bytes of zero is not allowed to be set in route-map

Component: TMOS

Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.

Conditions:
The BGP community value is set to a value of the form ASN:0.

Impact:
If you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This can also affect upgrades from older versions to a version that does not accept community values of the form ASN:0.

Workaround:
None.


614441-5 : False Positive for illegal method (GET)

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.


613542-4 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED.


613415-4 : Memory leak in ospfd when distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to the daemon being terminated by the oom-killer.

Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.


613297-1 : Default generic message routing profile settings may core

Component: Service Provider

Symptoms:
If a virtual server is created using the default generic message profile, the first packet received produces an infinite number of messages and overflows the internal buffers.

Conditions:
The default generic message profile has the internal parser enabled but a zero-byte message separator pattern. When traffic is received, this causes the parser to create an infinite number of empty packets and overflow the system.

Impact:
The infinite number of messages causes an internal panic that produces a core. Traffic is disrupted while tmm restarts.

Workaround:
Each use of the generic message profile should either provide a separator pattern or disable the internal parser.


613079-2 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.


612721-3 : FIPS: .exp keys cannot be imported when the local source directory contains .key file

Component: TMOS

Symptoms:
Exported FIPS keys (*.exp) cannot be imported from a local directory when that directory contains a file with the same base name and a .key extension. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, importing xyz.exp as a FIPS key into the system fails.

Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).

Impact:
Unable to import the FIPS key.

Workaround:
Remove the *.key file with the matching name from the local directory before importing the exported FIPS key (*.exp).


612694-3 : TCP::close with no pool member results in zombie flows

Component: Local Traffic Manager

Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.

Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).

Impact:
Connection does not tear itself down.

Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.


612135-1 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic

Component: Service Provider

Symptoms:
A virtual server configured with a generic message profile but without a message routing profile cores when it receives a packet.

Conditions:
A virtual server is configured with a generic message profile but without a message routing profile.

Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.

Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.


612115 : Potential performance impact in APM-REWRITE configuration with large HTML content.

Component: Performance

Symptoms:
Potential performance impact in APM-REWRITE configuration with large HTML content (for example, greater than 1 MB).

Conditions:
APM is provisioned and REWRITE-PORTAL profile is attached to the virtual for APM rewrite.

Impact:
Pages larger than 1 MB take a long time to load, and performance is slow.


612086-2 : Virtual server CPU stats can be above 100%

Component: Local Traffic Manager

Symptoms:
The CPU usage is reported as above 100%.

Conditions:
It is not known exactly what triggers this.

Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.

Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.


611968-1 : JavaScript active content on an HTML page with a significant number of links (>1000) can run very slowly in IE8

Component: Access Policy Manager

Symptoms:
JavaScript active content on an HTML page with a significant number of links (>1000) can run very slowly when the page is browsed with IE8.

Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers are present.

Impact:
Web application performance slowdown.

Workaround:
None.


611958-1 : Sometimes wrong logon page is displayed

Component: Access Policy Manager

Symptoms:
In some rare cases the APM logon page is delivered without the appropriate customization.

Conditions:
It is not known exactly what triggers this.

Impact:
The APM logon page is displayed with no customization, and session variables are left unreplaced.


611691-3 : Packet payload ignored when DSS option contains DATA_FIN

Component: Local Traffic Manager

Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.

Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.

Impact:
The last packet of data is not received.

Workaround:
Disable MPTCP.


611485-4 : APM AAA RADIUS server address cannot be a multicast IPv6 address.

Component: Access Policy Manager

Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation prevents the use of a multicast address as the AAA RADIUS IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.

Conditions:
The validation error occurs if the APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and later.

Impact:
Support for AAA RADIUS direct IPv6 is added in BIG-IP version 13.0.0, and the new validation affects only IPv6 multicast addresses, so any working IPv4 configuration is not affected by this validation.

Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS; ensure you are using unicast addresses.


611482-1 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).

Component: Local Traffic Manager

Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).

Conditions:
Universal persistence is configured. A series of HTTP requests is sent to a tmm that does not own the persistence record. A persistence lookup is performed, but the pool command is ultimately used for the load-balancing pick.

Impact:
Discrepancy between persistence records.

Workaround:
Use the persist command, not the pool command, to bind a persistence record to a flow.


611327 : Using an established app tunnel may display a Java exception error message.

Component: Access Policy Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

When users attempt to use the established access session app tunnel, their Mac OS X device displays a Java exception error message similar to the following example:

An uncaught exception was raised. Choose "Continue" to continue running in an inconsistent state. Choose "Crash" to halt the application and file a bug with Crash Reporter. Choosing "Crash" will result in the loss of all unsaved data.

When the user selects Continue, the exception error message is immediately displayed again (loop).

When the user selects Crash, the established app tunnel is terminated.

Though the Java exception error message is displayed, the app tunnel functions as expected.

Conditions:
This issue occurs when all of the following conditions are met:

-- The local user device is running Mac OS X 10.12 (Sierra).
-- The BIG-IP APM system is configured with an app tunnel that is Java Tunnel-enabled.
-- The user established an access session using the Safari 10 web browser.
-- The user launches an app tunnel session.
-- The user attempts to use the established app tunnel.

Impact:
Cannot use Safari 10 web browser for an app tunnel that is Java Tunnel-enabled.

Workaround:
To work around this issue, you can use an alternate browser, or Apple Safari browser, or ignore the system-generated error message while using the app tunnel.


611161-5 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe is configured on a VLAN with a non-default cmp-hash setting.
When the VLAN failsafe situation occurs and the generated ARP requests are not answered, VLAN failsafe resorts to ICMP.

Impact:
In very rare situations, failsafe triggers when it should not.

Workaround:
None.


611054-3 : Network failover "enable" setting is sometimes ignored on chassis systems

Component: TMOS

Symptoms:
The failover device group network-failover attribute has no effect on chassis systems. The high availability subsystem continues to send network failover packets, and continues to operate normally, even if this attribute is set to "disable".

Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.

Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.

Workaround:
Enable network-failover in the sync-failover device-group.


610906 : Secondary mcpd restart on validation error, "user role partition already exists"

Component: TMOS

Symptoms:
Configuration from primary fails validation on secondary blades.

Conditions:
Local user is configured with the same username as remote user. Subsequent modifications to the local user result in failed validation on the secondary.

Impact:
MCPd restarts.

Workaround:
Make sure no local user has the same username as a remote user.


610417-3 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol instead of negotiating the highest and safest protocol available, which is TLSv1.2.

If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established.

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Workaround:
None.


610354-2 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with a segmentation fault when it drops packets on its internal loopback interface. TMM needs to update the interface stats associated with the loopback interface when dropping packets on that interface, but the stats object for the loopback interface has not yet been allocated, which results in the segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


610302-2 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink".

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.


610295-3 : TMM may crash due to internal backplane inconsistency after reprovisioning

Component: TMOS

Symptoms:
In some scenarios on VE platforms, TMM may crash due to a backplane inconsistency shortly after a provisioning change.

Conditions:
- BIG-IP VE with a performance-limited license.
- Additional licensing/provisioning of modules raises the performance limits, and new TMM processes are started.
- No reboot has occurred after provisioning.

Impact:
TMM may core with panic: "Unexpected backplane address" in /var/log/tmm log files. Traffic disrupted while tmm restarts.

Workaround:
Reboot after provisioning if new license add-on keys raise the performance limits of the BIG-IP VE.


610129-2 : Config load failure when cluster management IP is not defined, but instead uses address-list.

Component: Advanced Firewall Manager

Symptoms:
In a cluster setup with multiple blades, if the configuration does not assign management IP addresses to the individual blades but instead assigns a cluster management IP address list to the cluster of blades, the configuration load fails. The system posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.

Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. A cluster management IP address list is assigned to the cluster of blades.

Impact:
After reboot, configuration load failure on secondary blades.

Workaround:
Define the cluster management IP address directly as the destination in the rule, without using an address list.


609788-1 : PCP may pick an endpoint outside the deterministic mapping

Component: Carrier-Grade NAT

Symptoms:
When PCP picks an endpoint for an LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are made from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.

Conditions:
PCP is configured and enabled with an lsn-pool in deterministic mode.

Impact:
The deterministic mapping restriction may be violated, so that reverse mapping of the public IP address to the private IP address does not identify the correct subscriber.

Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.


609772 : Tilde character does not work on GET requests via iControl REST

Component: TMOS

Symptoms:
When issuing an iControl REST GET request to a URL that contains a tilde (~), for example when specifying a folder, the REST call returns an error.

Conditions:
This occurs when performing an iControl REST GET request to any URL that contains a tilde character in the path name.

Impact:
iControl REST will respond with an error.

Workaround:
None.


609674-2 : machine certificate check creates issuer string with DC with reverse order

Component: Access Policy Manager

Symptoms:
Machine certificate check on Mac creates the issuer string with the domain component (DC) order reversed if the certificate contains any domain components.
For example, if the DC in the certificate is f5net.com, the issuer DC string should read "DC=f5net, DC=com", but instead it is produced in reverse order (DC="com", DC="f5net").

Conditions:
Machine certificate check is configured on the BIG-IP system, and the certificate contains DC components.

Impact:
Machine certificate check might fail.

Workaround:
For access policies with a machine certificate check targeted at Mac, reverse the order of the DC components in the regex configured in the machine certificate check (compared to an access policy with a machine certificate check targeted at Microsoft Windows).


609609 : TMM crash, Invalid action

Component: Local Traffic Manager

Symptoms:
TMM crashes and restarts. Before the crash, you may see this signature in /var/log/ltm: tmm1[21502]: 011f0007:3: http_process_state_prepend - Invalid action:0x109040.

Conditions:
This intermittent issue may be seen if you have an iRule that performs HTTP::disable, and there are network issues between the BIG-IP system and the pool members.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


609575-2 : BIG-IP drops ACKs containing no max-forwards header

Component: Service Provider

Symptoms:
When a SIP profile is in use and receives an acknowledgment packet missing the Max-Forwards header, the BIG-IP system treats the packet as unforwardable and does not forward the ACK. This can be experienced as a specific client being unable to make a call.

Conditions:
This is only seen when the BIG-IP system is connected to specific clients that fail to populate the Max-Forwards header on an ACK.

Impact:
The BIG-IP system treats packets with the missing header as having a Max-Forwards value of 0, which means "Do not forward".


609527-1 : DNS cache local zone not properly copying recursion desired (RD) flag in response

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNS query sets the RD flag, that setting is supposed to be copied to the response. When a DNS query is handled by a cache local zone, the RD flag is not set properly.

Conditions:
A DNS cache local zone must be configured and a DNS query with the RD flag set must be handled by this local zone.

Impact:
The flag is not set properly in the DNS response. This most likely will only be noticed by protocol validation tools as standard DNS clients generally do not check this bit.

Workaround:
Use an equivalent DNS Express configuration instead of the local zone.


609328-1 : SIP parser incorrectly parses an empty header

Component: Service Provider

Symptoms:
If a SIP message contains an empty header, the following header is taken as the value of the empty header.

Conditions:
A SIP header without any value incorrectly causes the next header to be used as its value.

Impact:
If the following header is needed for processing the message, it is not seen, because it is incorrectly treated as the value of the previous header.


609244-1 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small; however, if the command is run constantly, the memory growth can become large.

Workaround:
None.


609199-4 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join

Component: Local Traffic Manager

Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.

Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.


609186-2 : TMM or MCP might core while getting connections via iControl.

Component: TMOS

Symptoms:
When retrieving the connection list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.

Conditions:
iControl is used to view all connections, and the list contains a very large number of connections (1 million or more).

Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.

Workaround:
None.


609107-2 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf

Component: TMOS

Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.

Conditions:
A folder is removed from a previously valid configuration file.

Impact:
The configuration becomes inconsistent between devices in the same device group: the devices show as in sync when they are not, and the configuration fails to load after mcpd has been reset.

Workaround:
Do not remove folders from the configuration file.


608870 : Fastl4 drops ICMP fragmentation needed messages (no PVA).

Component: Local Traffic Manager

Symptoms:
The fastl4 profile drops ICMP fragmentation needed messages.

Conditions:
Use of the fastl4 profile.

Impact:
Path MTU discovery fails, poor performance.


608865-2 : CGNAT: LSN retries ignored in deterministic mode.

Component: Carrier-Grade NAT

Symptoms:
You see CPU spikes on the BIG-IP system when LSN is enabled and set to deterministic mode with the sys db tm.lsn.retries variable configured.

Conditions:
LSN is enabled in deterministic mode.

Impact:
The BIG-IP system tries all endpoints before failing, regardless of the tm.lsn.retries setting.


608753 : [GTM] [monitor] upgrade issue for monitor backslash '\'

Component: Local Traffic Manager

Symptoms:
On upgrading to 11.6.1, extra backslashes are added to GTM monitor strings.

Conditions:
This occurs when upgrading BIG-IP software from 11.6.0-HF5 to 11.6.1 with GTM configured.

Impact:
Extra backslashes in the monitor string will cause the monitor to fail.

Workaround:
Manually edit the monitor to remove the extra backslash(es) after the upgrade.


608566-2 : The reference count of NW dos log profile in tmm log is incorrect

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances, when virtual servers are configured with security log profiles, the log message in the tmm log shows an incorrect reference count for the log profiles.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
This may lead to issues such as a TMM crash if the reference count is not calculated correctly.


608551-4 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client sends a FIN with no Close Notify, the connection might stall because SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use an SSL client that sends a clean shutdown (Close Notify).


608348-2 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system

Component: TMOS

Symptoms:
After deleting an iApp built from the f5.citrix_vdi.v2.3.0 template and then running a config sync, the system that received the sync may be left with a tunnel object that should have been deleted.

Running 'tmsh load sys config verify' after this sync gives the following error:
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.

Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.

Impact:
Config validation fails, and you must delete the tunnel manually.

Workaround:
On the system that received the sync, edit /config/bigip_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect


608009-4 : Crash: Tmm crashing when active system connections are deleted from cli

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode and the relay agent sets the giaddr field in a unicast DHCP renewal packet to the relay agent's own IP address, tmm may crash when active system connections are deleted from the CLI or expire through aging.

Conditions:
1) The BIG-IP system is in DHCP forwarding mode.
2) The giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically, the DHCP client sets it to 0).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None required in typical deployments: this is not a typical network setup, since a DHCP relay agent does not usually modify a DHCP renewal packet to insert its own address as giaddr.


607961-4 : Secondary blades restart when modifying a virtual server's route domain in a different partition.

Component: TMOS

Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).

Conditions:
- Only happens on chassis systems.
- Route domains are created on each device.
- A route domain is assigned to a new partition after it was created.

Impact:
Traffic disrupted while secondary blades restart.

Workaround:
None.


607803-2 : DTLS client (serverssl profile) fails to complete resumed handshake.

Component: Local Traffic Manager

Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.

Conditions:
This occurs when the BIG-IP system acts as a DTLS client.

Impact:
Possible failed resumed handshake.

Workaround:
Disable session reuse.


607316 : Devices in sync group end up with differing configs after ucs restore.

Component: Global Traffic Manager

Symptoms:
After a GTM UCS restore, devices in the sync group end up with differing configurations.

Conditions:
An older UCS file is restored on a GTM system while the interface is marked down rather than physically disconnected.

Impact:
Newer configuration objects will likely be deleted after the older configuration synchronizes to the sync group.

Workaround:
Ensure you disconnect the network interface before restoring an older UCS file, as specified in SOL14083: Preventing synchronization when installing a UCS archive on a BIG-IP GTM system, at https://support.f5.com/kb/en-us/solutions/public/14000/000/sol14083.html


607246-2 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires

Component: Local Traffic Manager

Symptoms:
You notice erratic persistence behavior when you set cookie encryption to "required" in your cookie persistence profile.

Conditions:
Encrypted cookie persistence is configured with fallback persistence, and the fallback persistence timeout is short enough that a request containing a valid cookie is handled after the fallback entry has expired.

Impact:
Persistence fails after the fallback entry has expired.

Workaround:
Change cookie-encryption to "preferred", which allows persistence on either an encrypted or an unencrypted cookie.


607166-3 : Hidden directories and files are not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
Hidden directories and files (those whose names start with '.') that are created on the primary blade are not synced to the secondary blades.

Existing hidden files that are edited on the primary blade are not synced to secondaries.

Conditions:
Multi-bladed system.

Impact:
Hidden files are not replicated across blades; the most common uses of hidden files are per-user shell configuration and history.

Workaround:
Manually copy configuration files onto other blades.


606799-3 : GUI total number of records not correctly initialized with search string on several pages.

Component: TMOS

Symptoms:
The GUI does not correctly initialize the total number of records when a search string is used on several pages.

Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.

Impact:
The GUI shows that there are two pages, but advancing to the second page shows an empty page.

Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.


606330-2 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.

Component: TMOS

Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.

Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.

Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.

Workaround:
Clear the BGP neighbor after changing the configuration.


605840-2 : HSB receive failure lockup due to unreceived loopback packets

Component: TMOS

Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***

Conditions:
Unknown.

Impact:
The unit is rebooted.

Workaround:
None.


605800-2 : Web GUI submits changes to multiple pool members as separate transactions

Component: TMOS

Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.

Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.

Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.

Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.


605792-4 : Installing a new version changes the ownership of administrative users' files

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.


605260-3 : [GUI] Changes cannot be made to GTM listener in partition with default route domain <> 0

Component: Global Traffic Manager (DNS)

Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. It gives 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed when a partition that has a default route domain other than 0 is selected.

Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.

Impact:
You will be unable to make changes to the listener.

Workaround:
Use tmsh, or use the LTM GUI: Local Traffic :: Virtual Servers.


605018-1 : Citrix StoreFront integration mode with pass through authentication fails for browser access

Component: Access Policy Manager

Symptoms:
Citrix StoreFront integration mode with pass through authentication fails for browser access. After you provide the credentials, browser access repeatedly displays 'Can not complete the request' and asks you to press 'OK'.

Conditions:
This occurs when the following conditions are met:
- APM is configured in integration mode with StoreFront.
- External access virtual server IP is used in Citrix gateway configuration 'Subnet IP address' column.
- Request Header Insert is configured on the HTTP profile of the same virtual server as [X-Citrix-Via-Vip:10.10.10.10], where 10.10.10.10 is the virtual server IP address.

Impact:
No browser access to StoreFront.

Workaround:
StoreFront combines multiple headers of the same name and cannot use the resulting value. You can work around this issue by stripping duplicate X-Citrix-Via-Vip headers with an iRule such as the following, replacing 10.10.10.10 with the corresponding External access virtual IP address:

when HTTP_REQUEST {
    # If more than one X-Citrix-Via-Vip header is present, collapse them into a single one
    if { [HTTP::header count "X-Citrix-Via-Vip"] >= 2 } {
        HTTP::header remove "X-Citrix-Via-Vip"
        HTTP::header insert "X-Citrix-Via-Vip" "10.10.10.10"
    }
}


604938-2 : Log IPsec tunnel up/down events

Component: TMOS

Symptoms:
There is no way to detect via logging that the IPsec tunnel state has changed.

Conditions:
When an IPsec tunnel becomes ready (up) or not ready (down).

Impact:
It is difficult to react to changing network conditions without notification.


604926-1 : The TMM may become unresponsive when using SessionDB data larger than ~400K

Component: Local Traffic Manager

Symptoms:
There is a hard limit on message sizes sent on the backplane on chassis platforms. Messages larger than the limit (~400K) are rejected at a lower layer but buffered for resending at a higher layer. The messages are never sent, which causes backplane communication to lock up.

Conditions:
The BIG-IP system must be a chassis with more than one blade, and client traffic must trigger the creation of SessionDB data larger than ~400K.

Impact:
The TMM will become unresponsive to client traffic. If left running under load, the TMM may run out of memory from buffering SessionDB data and crash.

Workaround:
The workaround is to avoid sending large SessionDB data. The TMM may be restarted in the event it does get stuck.


604923-3 : REST id for Signatures change after update

Component: Application Security Manager

Symptoms:
The REST ids of existing signatures are unexpectedly modified after updating a User-Defined Signature, or after downloading an Attack Signature Update that modifies existing signatures.

Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.

Impact:
The REST id of the modified signatures is changed which may confuse REST clients.

Workaround:
Execution of the following script will repair an affected device:

perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'


604880-2 : tmm assert "valid pcb" in tcp.c

Component: Local Traffic Manager

Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


604811 : tmm core

Component: Local Traffic Manager

Symptoms:
A tmm core was experienced during normal operation.

Conditions:
It is not known what exactly triggers this, but it may have occurred while removing the OneConnect profile from a virtual server while passing traffic.

Impact:
Traffic disrupted while tmm restarts.


604496-2 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
The SQL (Oracle) monitor daemon might hang under a high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that a hung connection is being aborted and that the address is in use, unable to connect.

Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce the monitoring frequency by increasing the monitor interval.
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.


604272-2 : SMTPS profile connections_current stat does not reflect actual connection count.

Component: Local Traffic Manager

Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.

Conditions:
This occurs if you have an SMTPS virtual server configured.

Impact:
profile_smtps_stat.connections_current rises over time and doesn't reflect actual number of SMTPS connections active.


604237-2 : Vlan allowed mismatch found error in VCMP guest

Component: TMOS

Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "

Conditions:
When the vlan-allowed list contains a VLAN whose name matches the suffix of another VLAN in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."

Impact:
Unable to use VLAN.

Workaround:
Rename the VLANs such that no VLAN name matches the suffix of any other VLAN name.


604061-1 : Link Aggregation Control Protocol May Lose Synchronization after TMM Crash

Component: TMOS

Symptoms:
Traffic does not pass through a trunk interface and /var/log/ltm contains messages such as:

lacpd[6636]: 01160011:6: Link 2.2 Actor Out of Sync
lacpd[6636]: 01160012:6: Link 2.2 Partner Out of Sync

Conditions:
1) BIG-IP 2000/4000 or similar platform where "qprop tmos.lacpd_depends_on_tmm == true"
2) Passive LACP trunk
3) tmm has crashed after box has come up
4) tmm startup delayed by dumping large core file
5) tmm startup delayed by large config or busy control plane

Impact:
Trunks created by LACP do not pass traffic.

Workaround:
Restart lacpd after tmm has come up again: "bigstart restart lacpd"

Alternatively, modify /etc/bigstart/scripts/tmm.finish to restart lacpd when tmm goes down.

Modify this line:
for d in admd asm avrd dosl7d; do

With these:
for d in lacpd admd asm avrd dosl7d; do
    if [ `$BIGSTART singlestatus $d` = "run" ]; then
        $BIGSTART restart $d &
    fi
done


603690-1 : CPU Saver option not working while the "latency" compression provider selection algorithm is in use.

Component: Local Traffic Manager

Symptoms:
CPU Saver option not working while the "latency" compression provider selection algorithm is in use.

Conditions:
APM Edge Client over a VPN tunnel. The issue tends to occur when CPU Saver is configured on the Edge Client on devices where hardware compression cannot perform the specific type of compression/decompression being requested.

Impact:
Edge Client shows the VPN tunnel as "Connected" but no traffic flows. This is an intermittent issue.

Workaround:
#1 Enable CPU Saver in the secure connectivity profile:

GUI: Access Policy :: Secure Connectivity :: profile_name :: Compression Settings :: Network Access :: CPU Saver [checkbox].

SHELL: tmsh modify apm profile connectivity dummy compress-cpu-saver true


#2 Configure the compression strategy to "SPEED" (from LATENCY):
SHELL: tmsh modify sys db compression.strategy value "speed"


603667-3 : TMM may leak or corrupt memory when configuration changes occur with plugins in use

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.

Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.

Impact:
The memory leakage generally occurs infrequently and at a rate at which TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.

Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).


603550-3 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, has both the FastL4 profile and a layer 7 (HTTP) profile) and a SYN flood is directed at the virtual server.

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.


603380-4 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
ICMP unreachable packets.

Impact:
Very large number of log messages in /var/log/ltm.

Workaround:
None.


603092-3 : "displayservicenames" does not apply to show ltm pool members

Component: TMOS

Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.

Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.

Impact:
The IP address is displayed, but not the service name.


603019-5 : Inserted SIP VIA branch parameter not unique between INVITE and ACK

Component: Service Provider

Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.

Conditions:
If the CSEQ number of a SIP message is the same, the inserted VIA header will contain the same branch parameter.

Impact:
SIP proxy servers which perform strict message validations may reject the call.


603014 : Running "show node detail recursive" from root folder may result in error

Component: TMOS

Symptoms:
When running "show node detail recursive" in tmsh, it may result in an error similar to:

01020036:3: The requested monitor instance (/Common/gateway_icmp 10.1.1.85 6666 ltm-pool-member) was not found.

Conditions:
A node exists in a folder other than /Common and is configured with a monitor or has its monitor explicitly set to "none". The error is produced when you run "show node detail recursive" in tmsh.

Impact:
Unable to view detailed node information of all folders using single command.

Workaround:
Issue the command from each respective folder for which the information is desired. For example, if you wish to view the contents of /Common and /HTTP, you can run the following:

cd /Common
show node detail recursive
cd /HTTP
show node detail recursive


602654-3 : TMM crash when using AVR lookups

Component: Application Visibility and Reporting

Symptoms:
When finding or inserting data in AVR lookups, a TMM/AVR core might occur.

Conditions:
AVR lookups in use.

Impact:
tmm crashes. The crash occurs when two processes simultaneously try to access the same cell in the lookup. Traffic disrupted while tmm restarts.

Workaround:
None.


602642-1 : tmm assert "cipher_init_dual failed"

Component: TMOS

Symptoms:
With the tmm under memory pressure, setup of a new IPsec tunnel resulted in an assert "cipher_init_dual failed" when memory was not available.

Conditions:
The tmm under memory pressure and a new IPsec tunnel being created.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Monitor memory usage.


602566-4 : sod daemon may crash during start-up

Component: TMOS

Symptoms:
The sod daemon produces a core file during start-up.

Conditions:
sod encounters an error during start-up and attempts to recover.

Impact:
sod restarts.


602508-1 : Capture historical changes of config files

Component: TMOS

Symptoms:
Sometimes errors can be traced to config file changes, but what the config file contained at the time of the problem is impossible to infer.

Conditions:
A user changes a config file and the system starts to have issues. The issues get reported, but the config file is changed again and the issues can no longer be reproduced.

Impact:
When investigating problems on BIGIP systems, the configuration files pose the biggest impact on how the system behaves. Having a historical recreation of the configuration files can help immensely in figuring out the problem.

Workaround:
The user can copy their config files into a backup directory every time a change is made and saved.


602329 : syncookie header of HA channel mirror packets is not cleared

Component: Local Traffic Manager

Symptoms:
You notice that L7 connections on the standby unit are increasing and may not be cleared until the tcp timeout.

Conditions:
This can occur when using mirroring when syn cookies are enabled. It is more severe with hardware syn cookies but still occurs with software syn cookies.

Impact:
Connections increase unnecessarily on the standby unit.

Workaround:
Although it does not completely clear the condition, you can disable hardware syncookies to work around this problem.

In tmsh:
modify /ltm profile tcp <profile_name> hardware-syn-cookie disable


602300-2 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address

Component: Global Traffic Manager

Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the following tmsh command with an IPv6 address as the first DNS name server:
tmsh modify sys dns name-servers add { <IPv6> }

This shows up in the /etc/resolv.conf file as, for example:
nameserver 2001::1
nameserver 192.168.100.1

Conditions:
When an IPv6 nameserver is the first server defined.

Impact:
ZoneRunner records cannot be modified.

Workaround:
Do not use a DNS server with an IPv6 address, or add an IPv4 server at the top of the list.


602193-2 : iControl REST call to get certificate fails if

Component: TMOS

Symptoms:
While using the iControl REST API, a call to /mgmt/tm/sys/crypto/cert results in a 400 or 500 error. The call to /mgmt/tm/sys/crypto/key works.

Conditions:
This can occur if any of the certificates contain non-UTF-8 characters.

Impact:
iControl REST API call will fail.

Workaround:
If possible, generate the certificate so that it contains only UTF-8 characters.


602136-3 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that drops a connection.

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server.

Workaround:
None.


601893-3 : TMM crash in bwc_ctb_instance_recharge because pkts_avg_size is zero.

Component: TMOS

Symptoms:
Tmm cores. There might be messages similar to the following notice in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rarely occurring issue.

Conditions:
This extremely rare issue occurs when the following conditions are met:
Dynamic BWC use with dynamic change in rate for each instance.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use dynamic modification of rates for dynamic policies.


601709 : I2C error recovery for BIG-IP 4340N/4300 blades

Component: TMOS

Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.

Conditions:
This rarely happens.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.

Workaround:
bigstart restart bcm56xxd


601536-3 : Analytics load error stops load of configuration

Component: Application Visibility and Reporting

Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.

Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.

Impact:
Configuration fails to load, and the system will not pass traffic.

Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.


601445-1 : Memory leak configuring GTM topology with longest match

Component: TMOS

Symptoms:
You see mcpd memory increasing on the sync peer, or mcpd crashes.

Conditions:
Anytime a GTM topology record is created when longest match is enabled. The more topology records that are configured the larger the leak.

Impact:
Performance will become slow and mcpd can run out of memory and crash.

Workaround:
None


601420-1 : Possible SAML authentication loop with IE and multi-domain SSO.

Component: Access Policy Manager

Symptoms:
When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may encounter authentication loop and never complete the access policy.

Conditions:
APM is configured with SAML authentication and multi-domain SSO.

Impact:
Using Internet Explorer, the client may be unable to connect to its desired destination.

Workaround:
Use Chrome or Firefox, which do not seem to be affected.


601414-4 : Combined use of session and table irule commands can result in intermittent session lookup failures

Component: TMOS

Symptoms:
[session lookup] commands do not return the expected result.

Conditions:
An iRule which combines use of [table] and [session lookup] commands.

Impact:
Intermittent session functionality.

Workaround:
If possible, use table commands in lieu of session commands.


600982-1 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"

Component: Local Traffic Manager

Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.

Conditions:
No specific conditions need to be set; this is very rare and occurs only when the random number generator happens to generate the value zero (0), which triggers the assertion.

Impact:
Traffic disrupted while TMM restarts and failover occurs if a pair exists. Mirroring and LB may be lost with renegotiation for certain types of traffic.

Workaround:
None.


600944-3 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common', then run bash, then run 'ip route', the routing table from the partition is displayed, not that of /Common.

Conditions:
Attempting to see the route table from the /Common partition after leaving another partition.

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.


600614-2 : External crypto offload fails when SSL connection is renegotiated

Component: Local Traffic Manager

Symptoms:
If an external crypto offload client is configured with an SSL profile and renegotiation is enabled for the SSL profile, the crypto client connection will fail when the SSL connection is renegotiated.

Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.

Impact:
Crypto client connection to the crypto server will fail.

Workaround:
Disable renegotiation on the SSL profile.


600431-2 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP

Component: Service Provider

Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'

Conditions:
An iRule that extracts an IP address from a Diameter AVP.

Impact:
The iRule ends with an error.

Workaround:
Instead of

set data [DIAMETER::avp data get 257 ip4]

use an iRule such as the following, which reads the raw AVP, checks the leading 16-bit address family and parses the address accordingly:

if { [DIAMETER::avp count 257] > 0 } {
    set data [DIAMETER::avp data get 257]
    # The first two bytes of an Address AVP hold the address family (big-endian)
    binary scan $data S family
    switch $family {
        1 {
            # IPv4: the address follows the family and should contain 4 bytes
            set ip [IP::addr parse -ipv4 $data 2]
            log local0. "ip = $ip"
        }
        2 {
            # IPv6: the address follows the family and should contain 16 bytes
            set ip [IP::addr parse -ipv6 $data 2]
            log local0. "ip = $ip"
        }
        default {
            log local0.alert "address family $family is not supported"
        }
    }
}


600396 : iControl REST may return 404 for all requests in AWS

Component: TMOS

Symptoms:
iControl REST queries may fail against specific versions of BIG-IP in AWS. When this issue is encountered, all queries fail for the entirety of the BIG-IP uptime. An error message mentioning "RestWorkerUriNotFoundException" will be returned. For instance, this basic query will always return 404:

curl -k -u admin:ADMINPASSWORD -sv -X GET https://1.2.3.4/mgmt/tm/ltm

* Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: localhost.localdomain
* Server auth using Basic with user 'admin'
> GET /mgmt/tm/ltm HTTP/1.1
> Host: 1.2.3.4
> Authorization: Basic ....
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: 20 Jun 2016 17:49:39 UTC
< Server: com.f5.rest.common.RestRequestSender
...
{ [1093 bytes data]
* Connection #0 to host 1.2.3.4 left intact
{
   "errorStack" : [
      "com.f5.rest.common.RestWorkerUriNotFoundException: http://localhost:8100/mgmt/tm/ltm",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.cloneAndForwardRequest(ForwarderPassThroughWorker.java:293)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:211)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
      "at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
      "at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
      "at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:850)",
      "at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
      "at com.f5.rest.common.RestServer$1.run(RestServer.java:147)",
      "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
      "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
      "at java.lang.Thread.run(Thread.java:722)\n"
   ],
   "restOperationId" : 8827,
   "code" : 404,
   "referer" : "4.3.2.1",
   "message" : "http://localhost:8100/mgmt/tm/ltm"
}

Conditions:
It is not known what triggers this; it intermittently affects new BIG-IP instances running in Amazon Web Services (AWS EC2) cloud environments.

Impact:
All iControl REST queries (GETs, PUTs, POSTs, DELETEs) will always fail until the BIG-IP is restarted.

Workaround:
Restart the BIG-IP.


599821 : Connections fail when using an iRule with 'persist add uie' in combination with the 'node' command.

Component: Local Traffic Manager

Symptoms:
Connections are immediately terminated when using the 'node' command in an iRule along with 'persist add uie' in HTTP_RESPONSE. An error similar to the following is logged:

01220001:3: TCL error: /Common/resp_persist <HTTP_RESPONSE> - Prerequisite operation not in progress (line 1) (line 1) invoked from within "persist add uie static"

Conditions:
Using an iRule with the node command, no pool members, and persist add uie.

Impact:
Clients will fail to connect.

Workaround:
Place the destination into a pool, then select the pool using the "pool" command. The rest of the configuration and iRule can remain unchanged.


599048-4 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option

Component: Local Traffic Manager

Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.

Conditions:
Use of the OCSP Stapling feature.

Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.

Workaround:
None


599033-2 : Traffic directed to incorrect instance after network partition is resolved

Component: TMOS

Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the external network.

Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.

Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.

Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.


598908-3 : Passing an empty URI to AAM might cause tmm to core.

Component: WebAccelerator

Symptoms:
Passing an empty URI to AAM might cause tmm to core.

Conditions:
This occurs when the following conditions are met:

-- AAM/WAM is provisioned and a virtual server with web acceleration policy is configured.
-- The virtual server has an iRule that strips the URI in the request.
-- IBR is configured in the acceleration policy.

Impact:
When AAM/WAM processes the request, it does not check whether the string is empty, which results in tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Apply an iRule that inspects the URI in the request and inserts forward slash ( / ) when the URI is missing.


598860-2 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address

Component: Local Traffic Manager

Symptoms:
The IP::addr iRule command can be used to translate an IPv6 address that embeds an IPv4 address, but instead of returning the IPv4 address it converts it into an IPv4-compatible IPv6 address.

Example:
ltm rule test_bug {
    when CLIENT_DATA {
        log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
    }
}

Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1

Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1

Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.

Impact:
Address is converted into an IPv4-compatible IPv6 address.


598707 : Path MTU does not work in self-IP flows

Component: Local Traffic Manager

Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.

Conditions:
Network flows initiated by the Self IP address (in this case, encountered while running Update Check).

Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.


598700-8 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers

Component: Service Provider

Symptoms:
Messages received by different virtual servers (sharing the same router) cannot be routed correctly using call-id persistence.

Conditions:
A router with multiple virtual servers bridging between networks is not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.

Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.


598650-2 : apache-ssl-cert objects do not support certificate bundles

Component: TMOS

Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result in an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.

Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.


598289-2 : TMSH prevents adding pool members that have a name in the format <ipv4>:<number>:<service port>

Component: TMOS

Symptoms:
In TMSH, when trying to add a pool member that has a name in the format <ipv4>:<number>:<service port>, TMSH gives an error. It also corrupts bigip.conf.

Conditions:
-- Use TM Shell to load configuration.
-- ltm pools have members with names in the format <ipv4>:<number>:<service port>.

Impact:
TMSH fails to load the system configuration file.

Workaround:
None.


598204-1 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Component: Local Traffic Manager

Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.

Impact:
A TCP virtual server might use bigger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.

Workaround:
None.


597978-4 : GARPs may be transmitted by the active unit when going offline

Component: Local Traffic Manager

Symptoms:
GARPs may be transmitted by the active unit when it goes offline. Because the standby unit that takes over for the active will also transmit GARPs, this is not expected to cause any impact.

Conditions:
Multiple traffic-groups are configured and the active unit goes offline.

Impact:
It is not expected that this will cause any impact.

Workaround:
Make the unit standby before forcing offline.


597879-3 : CDG Congestion Control can lead to instability

Component: Local Traffic Manager

Symptoms:
The debug TMM crashes when CDG produces an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.

Conditions:
Running the Debug TMM with CDG Congestion Control.

Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.

Workaround:
Use a congestion control algorithm other than CDG.

Switch to the default TMM.


597564-1 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items

Component: TMOS

Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user manually edits the bigip.conf file and removes the 'app-service' statement from a virtual server, 'tmsh load sys config' will load the configuration without error, which is incorrect.

Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.

Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:

May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.

Workaround:
Exercise caution when manually editing BIG-IP configuration files.


597532-5 : iRule: RADIUS avp command returns a signed integer

Component: Local Traffic Manager

Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.

Conditions:
iRules using RADIUS::avp to retrieve data

Impact:
iRules using the RADIUS::avp command will not work as expected.

Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:

ltm rule radius_avp_integer {
    when CLIENT_DATA {
        set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
        set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
    }
}

Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.


597214-2 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
It is possible to use an iRule to rename the field names in the original code.


596826-2 : Don't set the mirroring address to a floating self IP address

Component: TMOS

Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address

It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.

Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.

Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".

Workaround:
Change the mirroring address to a non-floating self IP address. The GUI only presents non-floating self IP addresses.

For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478


596815-3 : System DNS nameserver and search order configuration does not always sync to peers

Component: TMOS

Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync if the change is made in the GUI or with tmsh modify sys db.

Conditions:
The device is in a failover device group with incremental sync turned on.

In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.

In tmsh, run tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search).

Impact:
Modifications will not change the sync status nor sync the change to peers.

Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.

Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.


596134-5 : TMM core with PEM virtual server

Component: Policy Enforcement Manager

Symptoms:
TMM cores; the following signature appears in /var/log/ltm:
err tmm1[7822]: 011f0007:3: http_process_state_prepend - Invalid action:0x109010

Conditions:
A core may occur if a PEM virtual server has a parked flow (through an iRule, persistence profile, or other mechanism) and an internal control event occurs while the flow is parked.

Impact:
Traffic disrupted while tmm restarts.


596067 : GUI on VIPRION hangs on secondary blade reboot

Component: TMOS

Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.

Conditions:
It is not known exactly what triggers this, as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) have not fully started will trigger this condition.

Impact:
GUI becomes unresponsive

Workaround:
Running 'bigstart restart httpd' will clear this condition if it occurs.


595921-2 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Component: Local Traffic Manager

Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.

Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.

Workaround:
Use a Self IP address on the VLAN group.


595712-4 : Not able to add remote user locally

Component: TMOS

Symptoms:
When a user has logged in remotely, using tmsh to add a user with the same name will fail:

01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.

Conditions:
Remote authentication is configured and a remote user has logged in.

Impact:
Changing remote user to local fails.

Workaround:
Use "replace-all-with" for partition access:

create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}


595617-2 : Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.

Component: TMOS

Symptoms:
When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.

Conditions:
- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1.
- A user modifies the ipsec-tunnel-profile, found here:
  -- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'.
  -- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.

Impact:
A traffic outage on a tunnel where the remote IPsec peer generally plays the role of Initiator. The remote system will not attempt to establish a new tunnel because it believes that a valid SA exists.

Workaround:
Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, restarting tmipsecd can be employed; however, this will cause all IPsec tunnels to restart.


595317-2 : Forwarding address for Type 7 in ospfv3 is not updated in the database

Component: TMOS

Symptoms:
The OSPF nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed.

Conditions:
Remove the global address on the forwarding interface.

Impact:
Packets will be sent to an incorrect interface.

Workaround:
Run 'clear ipv6 ospf process'.


595293-3 : Deleting GTM links could cause gtm_add to fail on new devices.

Component: Global Traffic Manager

Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted

Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Workaround:
None


594869-2 : AFM can log DoS attack against the internal mpi interface and not the actual interface

Component: Advanced Firewall Manager

Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.

Conditions:
This can occur in CMP-enabled systems.

Impact:
A valid DoS attack will be misreported.


593536-2 : Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being "In Sync".

Conditions:
Device Service Cluster Device Group with incremental sync enabled. A ConfigSync occurred where a configuration transaction failed validation, and then a subsequent (or the final) configuration transaction was successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in sync when it is not. Various failures, odd behavior, or traffic impact can result from this.

Workaround:
Turn off incremental sync (by enabling "Full Sync" / "full load on sync") for affected device groups.


593396-3 : Stateless virtual servers may not work correctly with route pools or ECMP routes

Component: Local Traffic Manager

Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.

Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.

Impact:
Traffic might be dropped.

Workaround:
Use other virtual server types to process this traffic.


593390-2 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.

Component: Local Traffic Manager

Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.

Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.

Impact:
Higher memory usage than necessary.

Workaround:
Always have iRules select profiles using the complete path.


592780-1 : Radius AVP parsing might get out of sync on Vendor-Specific AVP iRules.

Component: Service Provider

Symptoms:
Radius AVP parsing might get out of sync on Vendor-Specific AVP iRules and produce a Tcl error: Buffer error.

Conditions:
This occurs when there is an iRule looking for a specific Vendor-Specific AVP and the RADIUS packet contains a different Vendor-Specific AVP that comes alphabetically before the one in the iRule.

Impact:
A Tcl error and potentially a dropped request. The error is similar to the following: err tmm3[12353]: 01220001:3: TCL error: /Common <CLIENT_ACCEPTED> - Buffer error (line 1) (line 1) invoked from within "RADIUS::avp 26 string vendor-id 9 vendor-type 1.

Workaround:
None.
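The following is an added example, not code from F5 or from these release notes. It serves both RADIUS entries above (597532-5 and 592780-1): a small, length-checked parser for RADIUS Vendor-Specific attributes (type 26, RFC 2865 section 5.26) that locates a given vendor-id/vendor-type regardless of which other vendors' AVPs precede it, and then shows why a 32-bit integer AVP read as a signed value needs the & 0xFFFFFFFF fix from the workaround. The attribute bytes are constructed inline; vendor-id 9 / vendor-type 1 are the values quoted in the Tcl error above, and vendor-id 3 with the value 7 are constructed filler.

```python
import struct
from typing import Iterator, Optional, Tuple

VENDOR_SPECIFIC = 26  # RADIUS attribute type for Vendor-Specific (RFC 2865 5.26)


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute: Type, Length, Vendor-Id, followed by a
    single vendor sub-attribute (Vendor-type, Vendor-length, value)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def parse_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs from a RADIUS attribute list.

    Every Length field is validated against the remaining buffer before use, so a
    truncated or malformed attribute raises ValueError instead of desynchronizing
    the parse for everything that follows."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def find_vsa(data: bytes, vendor_id: int, vendor_type: int) -> Optional[bytes]:
    """Return the raw value of the first matching vendor sub-attribute, or None.

    Non-matching vendors are skipped whole, so a different vendor's AVP appearing
    earlier in the packet does not disturb the lookup."""
    for atype, value in parse_attributes(data):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vid,) = struct.unpack("!I", value[:4])
        if vid != vendor_id:
            continue
        # Vendor sub-attributes share the Type/Length/Value shape, minus the Vendor-Id.
        for stype, svalue in parse_attributes(value[4:]):
            if stype == vendor_type:
                return svalue
    return None


def avp_as_signed(raw: bytes) -> int:
    """What the affected release returns: the 4 bytes read as a signed 32-bit int."""
    return struct.unpack("!i", raw)[0]


def avp_as_unsigned(raw: bytes) -> int:
    """Correct RADIUS 'integer' decoding: an unsigned 32-bit big-endian value."""
    return struct.unpack("!I", raw)[0]


def fix_signed(value: int) -> int:
    """The iRule workaround, in Python: reinterpret a signed result as unsigned."""
    return value & 0xFFFFFFFF


# Constructed sample attribute list: a User-Name (type 1), an unrelated vendor's
# VSA placed first, then the vendor 9 / type 1 integer 0xFFFFFFFE we want.
SAMPLE_PACKET_ATTRS = (
    struct.pack("!BB", 1, 2 + len(b"alice")) + b"alice"
    + build_vsa(3, 1, struct.pack("!I", 7))
    + build_vsa(9, 1, struct.pack("!I", 0xFFFFFFFE))
)

if __name__ == "__main__":
    raw = find_vsa(SAMPLE_PACKET_ATTRS, 9, 1)
    print("signed  :", avp_as_signed(raw))               # -2
    print("unsigned:", avp_as_unsigned(raw))             # 4294967294
    print("fixed   :", fix_signed(avp_as_signed(raw)))   # 4294967294
```

The masking fix is exact for values that originated as 32-bit unsigned integers: Python's & on a negative int yields the two's-complement bit pattern as a non-negative number, which is the same arithmetic the Tcl expr in the workaround performs.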


592620-3 : iRule validation does not catch incorrect 'after' syntax

Component: Local Traffic Manager

Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.

Conditions:
iRule with incorrect 'after' syntax. For example, "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen).

Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.

Workaround:
Correct the syntax error.


592194-2 : Rarely, an HSB transmitter failure occurs

Component: TMOS

Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.

Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.

Impact:
Reboot of the unit.

Workaround:
None.


591705 : Domain-name-strict has been deprecated, but is still present in GUI, GUI OLH, and TMSH CLI help.

Component: Global Traffic Manager

Symptoms:
Domain-name-strict has been deprecated. The default is now domain-name-check allow-underscore.

Upon loading a pre-existing configuration file, the following warning message will be logged in /var/log/ltm:

-- Warning generated : value strict is deprecated. Forcing to allow-underscore.
-- Configuration warning: value strict is deprecated. Forcing to allow-underscore.

Upon loading a pre-existing configuration file, a warning will also be displayed in the console:

value strict is deprecated. Forcing to allow-underscore.

Conditions:
Loading a pre-existing configuration file containing domain-name-strict.

Impact:
Although warnings are posted, the files are still loaded.

However, the GUI, GUI OLH, and TMSH CLI help still list 'strict' as an option, which is not accurate.

Workaround:
Do not use the 'strict' option, even though it is listed.


591666-2 : TMM crash in DNS processing on TCP virtual with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.


591505-2 : Policy may become unsyncable after changing contexts

Component: Advanced Firewall Manager

Symptoms:
This is a known issue due to an internal framework in MCPD that marks configurable objects as either synced or non-synced. If the user applies the policy to a non-syncing context (a non-floating self-IP), that policy will no longer be synced across HA devices.

Conditions:
A config with standalone firewall policy applied to synced and non synced context.

Impact:
A policy that is assigned to an otherwise non-syncing context (e.g., a non-floating self-IP) will no longer be synced, even if it is attached to a syncing object later.

Workaround:
Create a "local" policy for non-floating self-IP only.


590966 : When DNS server node is flapping, FQDN Template Pool Member state might not update properly.

Component: Local Traffic Manager

Symptoms:
When DNS server node is flapping, FQDN Template Pool Member state might not update properly.
- The corresponding FQDN Template Node updates correctly.
- FQDN Template Pool Members do not impact Pool health.
- Does not impact traffic.

Conditions:
Trigger DNS server UP/DOWN, or change DNS configuration to point to an unreachable/reachable DNS server.

Impact:
Can be confusing for administrators.

Workaround:
tmsh modify ltm pool <name> members modify { <name> { state user-up } }


590938-2 : The CMI rsync daemon may fail to start

Component: TMOS

Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.

Conditions:
The rsync daemon failed unexpectedly.

Impact:
Sync of file objects will fail with an error like this:

01070712:3: Caught configuration exception (0), Failed to sync files...

Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.


590851-2 : "never log" IPs are still reported to AVR

Component: Application Security Manager

Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag.

Conditions:
Always

Impact:
Extra, unwanted logging for IP addresses flagged as "never log".

Workaround:
N/A


590805-3 : Active Rules page displays a different time zone.

Component: Advanced Firewall Manager

Symptoms:
Active Rules page displays a different time zone.

Conditions:
When Active Rules page is loaded after the BIG-IP system timezone has changed.

Impact:
GUI shows incorrect timezone.

Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.


590091-1 : Single-line Via headers separated by a single comma result in the first character of the second header being stripped.

Component: Service Provider

Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').

Conditions:
Multiple Via headers on single-line separated by a single comma (',').

Impact:
Leading character of 2nd Via header will be stripped e.g. 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.

Workaround:
None.
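The following is an added example, not code from F5 or from these release notes. It shows the handling this issue lacks: splitting a comma-separated Via value into entries and dropping the first one without consuming any character of the second, together with a check that flags the symptom described above (an entry that no longer starts with "SIP/"). The Via values are constructed samples using documentation addresses; the example assumes entries are separated by commas and contain no quoted commas, which is the common Via form.

```python
from typing import List

# Constructed sample: two Via entries on one line, separated by ", ".
SAMPLE_VIA = (
    "SIP/2.0/TCP 192.0.2.1:5060;branch=z9hG4bK1, "
    "SIP/2.0/UDP 192.0.2.2;branch=z9hG4bK2"
)


def split_via(header_value: str) -> List[str]:
    """Split a single-line Via value into its entries.

    Only the comma and surrounding whitespace are removed; whether or not a space
    follows the comma, the next entry keeps its full protocol token."""
    return [part.strip() for part in header_value.split(",") if part.strip()]


def remove_first_via(header_value: str) -> str:
    """Return the Via value with its first entry removed, re-joined with ', '."""
    return ", ".join(split_via(header_value)[1:])


def damaged_entries(header_value: str) -> List[str]:
    """Return entries that do not begin with the mandatory 'SIP/' protocol token,
    i.e. ones that look like the stripped 'IP/2.0/TCP' from the issue text."""
    return [entry for entry in split_via(header_value) if not entry.startswith("SIP/")]


if __name__ == "__main__":
    print(remove_first_via(SAMPLE_VIA))             # SIP/2.0/UDP 192.0.2.2;branch=z9hG4bK2
    print(damaged_entries(remove_first_via(SAMPLE_VIA)))  # []
    print(damaged_entries("IP/2.0/TCP 192.0.2.2"))  # ['IP/2.0/TCP 192.0.2.2']
```

The damaged_entries check is the kind of assertion to run in a test harness or a packet capture review when verifying whether a device in the path exhibits this behaviour.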


589862-4 : HA Group percent-up display value is truncated, not rounded

Component: TMOS

Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.

Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.

Impact:
Incorrect display of the percent-up value. The score contribution is correct, and displayed rounded properly.


589698 : HSB lockup on B2100 (A109) blade with vCMP running v11.6.0 final

Component: TMOS

Symptoms:
An HSB lockup occurred on a B2100 (A109) blade running vCMP.

Conditions:
It is not yet known what triggers this.

Impact:
HSB lockup requires unit restart.

Workaround:
None.


589400-3 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.


589338 : Linux host may lose ECMP routes on secondary blades

Component: TMOS

Symptoms:
As a result of a known issue, the Linux host residing on a secondary blade may lose ECMP routes previously learned via a dynamic routing protocol.

Conditions:
- Multibladed chassis or vCMP guest
- ECMP routes learned via dynamic routing
- Restart of services or reboot of secondary blade

Impact:
ECMP Routes on Linux host of secondary blade lost.
This may affect host traffic, such as monitoring, remote logging, etc., due to the lack of routing information.

Workaround:
Restarting routing processes on the primary blade will cause the routes to propagate to the secondary blade.


589039-2 : Clearing masquerade MAC results in unexpected link-local self IPs.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system advertises fe80::200:ff:fe00:0 as a self IP.

Conditions:
The masquerade MAC is changed from non-zero to zero.

Impact:
May cause IP conflicts between HA devices.

Workaround:
Restart tmm after setting the masquerade MAC to none.


589006-3 : SSL does not cancel pending sign request before the handshake times out or is canceled.

Component: Local Traffic Manager

Symptoms:
When TMM is handling many SSL handshakes that use ephemeral keys, SSL must sign the ServerKeyExchange message, so a sign request may be pending on the crypto SSL queue. Even if the handshake times out or is canceled, the sign request remains in the queue. This might cause memory accumulation.

Conditions:
TMM is handling many SSL handshakes that use ephemeral keys, for which SSL must sign the ServerKeyExchange message.

Impact:
Even if the handshake times out or is canceled, the sign request remains in the queue. This might cause memory accumulation.

Note: Although this issue was fixed in 11.5.4 HF3, the fix was reverted in 11.5.4 HF4, meaning that the issue is not fixed in 11.5.4 HF4.

Workaround:
None.


588646-3 : Use of standard access list remarks in imish may cause later entries to fail on add

Component: TMOS

Symptoms:
The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load.

Conditions:
Create a standard access list with a remark.
Add to the same list another entry to permit or deny an IP address/range.

Impact:
The ACL does not load and an error is returned.

Workaround:
Do not use remarks in standard access lists, or use an access list in the extended or named ranges.


588456-1 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to the DHCP relay agent IP address, the DHCP server sends the ACK for the renewal packet to the relay agent IP (giaddr) instead of to ciaddr. The BIG-IP DHCP module does not process the ACK and update the lease time, which causes the PEM subscriber session to be aged out.

Conditions:
1) BIG-IP system in forwarding mode.
2) The giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically, it is set to 0 by the DHCP client).

Impact:
PEM Subscriber Session will age out


587705-7 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.


587668-3 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.

Component: TMOS

Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.

Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.

Impact:
Cannot clear the alert using the LCD.

Workaround:
Press the checkmark button followed by the left or right arrow buttons.


586621-3 : SQL monitors 'count' config value does not work as expected.

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.


586457-1 : Malicious words alerts are sent with missing HTML.

Component: Fraud Protection Services

Symptoms:
Malicious words alerts are sent with missing HTML.

Conditions:
Malicious words alert is sent.

Impact:
Difficult to investigate cause of alerts.

Workaround:
Implement a beforeLoad function that attaches the base64-encoded page HTML to all alert requests.


586348-2 : Network Map Pool Member Parent Node Name display and Pool Member hyperlink

Component: TMOS

Symptoms:
The Network Map was not displaying the correct node name and the link was taking you to an incorrect pool member.

Conditions:
Create a pool and pool member from a FQDN node. Add that pool to a virtual server. From the Network Map page the pool member link does not show the FQDN making it hard to tell what pool member it is. When you click on the pool member hyperlink it takes you to the incorrect pool member.

Impact:
This causes confusion because the pool members are difficult to identify without the FQDN and the link takes you to the incorrect pool member.


586138-3 : Inconsistent display of route-domain information in administrative partitions.

Component: Local Traffic Manager

Symptoms:
When an IP address is displayed in the GUI and TMSH, there are some inconsistencies in how the route-domain of the address is displayed. This occurs for virtual servers and pool members.

Conditions:
IpAddresses configured for virtual servers and pool members outside the default-route-domain of the administrative partition.

Impact:
Although this is only a cosmetic issue, there might be confusion associated with the display inconsistencies.

Workaround:
None.


585095 : "Auto Apply New Signatures" is unchecked when there are no policies in current partition

Component: Application Security Manager

Symptoms:
On Attack Signature Update page, "Auto Apply New Signatures" is unchecked by default when there are no policies in the currently selected partition.

Conditions:
There are no policies in the currently selected partition.

Impact:
On Attack Signature Update page, "Auto Apply New Signatures" is unchecked by default.


585094 : tmm crash in FPS plugin

Component: Fraud Protection Services

Symptoms:
Internal TMM message counter is not decreased correctly.

Conditions:
FPS sources a response (such as injected JavaScript) under specific circumstances inside TMM (the order of traffic events), when there are many requests on a persistent HTTP connection.

Impact:
Possible TMM crash.

Workaround:
Limit the number of requests on a persistent HTTP connection (e.g., max-requests=64). This prevents the counter, which is 7 bits long, from overflowing.


584948-3 : Safenet HSM integration failing after it completes.

Component: Local Traffic Manager

Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:

denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.

Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.

The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions.

Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.

Workaround:
Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly.

For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.


584788-2 : Directed failover of HA pair using only hardwire failover will fail

Component: TMOS

Symptoms:
Units configured in a HA pair using only hardwire failover will not be able to use a targeted failover.

Conditions:
HA pair configured without network failover but with a hardwire failover.
Failover is attempted using one of the following two methods:

Via GUI
Device Management -> Traffic Groups
  check <traffic group>
    click "force to standby"
      again click "force to standby"


via tmsh
tmsh run sys failover standby device <peer device> traffic-group <traffic group name>

Impact:
Failover may fail with the following logs in /var/log/ltm:
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.

Workaround:
Use an alternative failover method:
  - Device Management > Devices > Force to Standby
  - Device Management > Traffic Groups > [traffic Group name] > Force to Standby
  - tmsh run sys failover standby # without device


584583-1 : Timeout error when attempting to retrieve large dataset.

Component: TMOS

Symptoms:
The REST API can time out when attempting to retrieve a large dataset, such as a large GTM pool list. The error signature when using the REST API looks like "errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET "

Conditions:
Configuration containing a large number of GTM pools and pool members (thousands).

Impact:
If using the REST API to retrieve the pool list, you may receive timeout errors.


584471-2 : Priority order of clientssl profile selection of virtual server.

Component: Local Traffic Manager

Symptoms:
When an SSL connection with a specified server name is received on a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.

The issue is, based on RFC6125, common name should be used as a 'last resort'. In other words, the third rule should be the second rule.

Conditions:
The issue occurs when all of the following conditions are met.
(1) The incoming SSL request includes the SNI (server name) extension in the ClientHello, used to specify the desired SSL server.
(2) The given server name from the client side does not match any server name configured in all the clientssl profiles of the virtual server.
(3) The certificates used by the clientssl profile of the virtual server have subject alternative names (note that every certificate has common name but not necessarily subject alternative names).

Impact:
The virtual server might select a clientssl profile that is not preferred by the client side.

Workaround:
None.
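The selection order described above, as an added example that is not F5 code: both the current order (explicit server-name, then CN, then SAN) and the RFC 6125 order (explicit server-name, then SAN, then CN as a last resort) are implemented side by side so the difference is visible on a constructed set of profiles. Profile names, certificate names and the left-most wildcard handling are assumptions for the illustration.

```python
# Added example, not F5 code: SNI-based clientssl profile selection, comparing
# the order described in issue 584471-2 (server-name, then CN, then SAN) with
# the RFC 6125 order (server-name, then SAN, then CN). Names are constructed.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientSSLProfile:
    """Minimal stand-in for a clientssl profile and the certificate it uses."""
    name: str
    server_name: Optional[str] = None                   # explicit 'server-name'
    cert_cn: str = ""                                   # subject Common Name
    cert_sans: List[str] = field(default_factory=list)  # dNSName SAN entries


def dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID comparison with a single left-most wildcard
    label (RFC 6125 section 6.4.3). Partial wildcards like f*.example.com
    are not treated as wildcards (assumption for this example)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        host_labels = host.split(".")
        # The wildcard covers exactly one label and never a bare TLD.
        return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def select_profile(profiles, sni, rfc6125_order=True):
    """Return the first profile matching the SNI value, or None.
    Rule 1 (explicit server-name) is identical in both orders; only the
    relative order of the CN pass and the SAN pass differs."""
    for p in profiles:
        if p.server_name and dns_match(p.server_name, sni):
            return p

    def cn_pass():
        return next((p for p in profiles
                     if p.cert_cn and dns_match(p.cert_cn, sni)), None)

    def san_pass():
        return next((p for p in profiles
                     if any(dns_match(san, sni) for san in p.cert_sans)), None)

    passes = (san_pass, cn_pass) if rfc6125_order else (cn_pass, san_pass)
    for run in passes:
        hit = run()
        if hit is not None:
            return hit
    return None


# Constructed sample: the 'web' certificate lists api.example.com only as a
# SAN, while an older 'legacy' certificate still carries it as the CN.
PROFILES = [
    ClientSSLProfile("default", cert_cn="bigip.example.com"),
    ClientSSLProfile("web", cert_cn="www.example.com",
                     cert_sans=["www.example.com", "api.example.com"]),
    ClientSSLProfile("legacy", cert_cn="api.example.com"),
    ClientSSLProfile("pinned", server_name="admin.example.com",
                     cert_cn="ignored.example.com", cert_sans=["*.example.com"]),
]


def compare(sni):
    """Return (profile chosen by the current order, profile chosen by RFC order)."""
    buggy = select_profile(PROFILES, sni, rfc6125_order=False)
    fixed = select_profile(PROFILES, sni, rfc6125_order=True)
    return (buggy.name if buggy else None, fixed.name if fixed else None)


if __name__ == "__main__":
    for name in ("api.example.com", "admin.example.com",
                 "shop.example.com", "other.test"):
        print(name, "->", compare(name))
```

For api.example.com the current order picks 'legacy' via its CN while the RFC 6125 order picks 'web' via its SAN; explicit server-name matches and wildcard-only matches are unaffected.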


584374-1 : iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.

Component: Global Traffic Manager (DNS)

Symptoms:
iRule command RESOLV::lookup causes tmm crash when resolving an IP address.

Conditions:
Using the RESOLV::lookup iRule command to resolve an IP address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the RESOLV::lookup command to resolve an IP address.


584310-2 : TCP:Collect ignores the 'skip' parameter when used in serverside events

Component: Local Traffic Manager

Symptoms:
When TCP::collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start.

Conditions:
TCP::collect is used in server-side events such as SERVER_CONNECTED with the 'skip' parameter. This is an intermittent issue that has been seen only with IIS servers.

Impact:
TCP::collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.

Workaround:
None.


583777-2 : [TMSH] sys crypto cert missing tab completion function

Component: TMOS

Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the name of the certificate you want to operate on.

Conditions:
This occurs in tmsh:

root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
  all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
  all | <------------ nothing shows up.

Impact:
Not possible to select a certificate using tab complete.

Workaround:
Manually type the certificate name.


583754-5 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to customer confusion.

Workaround:
N/A


583700-2 : tmm core on out of memory

Component: Local Traffic Manager

Symptoms:
tmm memory increases quickly, then tmm crashes on an out-of-memory condition.

Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH ciphers.

Impact:
Traffic disrupted while tmm restarts.


583475-2 : The BIG-IP may core while recompiling LTM policies

Component: TMOS

Symptoms:
In some rare and still unknown situations the BIG-IP mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.

Conditions:
Creating or modifying LTM policies.

Impact:
The BIG-IP control plane services restart, affecting both control plane and data plane functionality.

Workaround:
A possible workaround is to re-create the LTM policy that produces the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.


583272-1 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth

Component: Access Policy Manager

Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.

The root cause, visible in a packet capture, is that APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy

Brackets around IPv6 addresses are for raw IPv6 addresses. They are illegal for DNS names that represent an IPv6 address.

Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.

Impact:
Client is unable to authenticate.

Workaround:
None.


583101-1 : ADAPT::result bypass after continue causes bad state transition

Component: Service Provider

Symptoms:
Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue.

Conditions:
iRules exist on a VS with an adapt profile, containing:

when ADAPT_REQUEST_RESULT {
    ADAPT::result bypass
}

or

when ADAPT_RESPONSE_RESULT {
    ADAPT::result bypass
}

Impact:
ADAPT logs an unexpected state transition and resets the connection, making it impossible for iRules to replace the ICAP response.

Workaround:
Avoid 'ADAPT::result bypass' commands in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).


583084-2 : iControl produces 404 error while creating records successfully

Component: TMOS

Symptoms:
iControl produces 404 error while creating gtm topology record successfully.

Conditions:
Creating gtm topology record without using full path via iControl.

Impact:
Result code/information is not compatible with actual result.

Workaround:
Use full path while creating gtm topology record using iControl.


582996-1 : iControl REST unavailable after first boot

Component: Device Management

Symptoms:
After initial system start, you notice that iControl REST is unavailable.

Conditions:
This occurs on first boot.

Impact:
iControl REST is unavailable.

Workaround:
Rebooting the BIG-IP clears this condition.


582595-3 : default-node-monitor is reset to none for HA configuration.

Component: TMOS

Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.

Conditions:
Scenario #1
Upgrading HA active/standby configuration, and reboot standby.
Where configuration consists of the following:
  * ltm node with a monitor.
  * ltm default-node-monitor with a different monitor.

Scenario #2
Given a HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.

Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.

Workaround:
Reconfigure a default-node-monitor.


582234-2 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it

Impact:
Monitoring does not resume when pool member is re-enabled via config merge.

Workaround:
You can re-enable monitoring by running the following commands:

tmsh save sys config
tmsh load sys config


582207-4 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.


582084-2 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When there is a BWC policy created in global sync group and also a local one, then the configuration displays an error.

Conditions:
If BWC policy is created both in global sync and local.

Impact:
Configuration error, BWC policies will not be synced due to errors.

Workaround:
Ensure that BWC policy is in global sync only.


581865-1 : 6900, 8900, 8950, or 11050 platforms missing swap storage

Component: TMOS

Symptoms:
No swap is available; observable via 'cat /proc/swaps'.

Conditions:
A 6900, 8900, 8950, or 11050 platform with RAID LVM, directly upgraded from a pre-10.2.4 version to version 11.x/12.x.

Impact:
No swap space is created during upgrade. Multiple unexpected issues might occur because there is no swap space available.

Workaround:
Newer systems have the swap storage created during initial format. You might also be able to first upgrade to version 10.2.4. Then, when upgrading to version 11.x/12.x, the process creates the swap during upgrade.


581851-4 : mcpd, interleaving of messages / folder contexts from primary to secondary blade

Component: TMOS

Symptoms:
MCPD on secondary blades restart with Configuration error.

Conditions:
Clustered system (VIPRION or vCMP guest). The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.

Impact:
Secondary blades restart services, resulting in performance degradation or failover.

Workaround:
Issuing commands as part of a transaction will help to reduce the chances of this issue but it may still be hit during the natural course of running commands on a single ssh instance in succession.


581746-3 : MPTCP traffic handling may cause a BIG-IP outage

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP traffic is being handled by a Virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a Virtual Server.

Impact:
A System outage may occur.

Workaround:
Do not enable MPTCP on any TCP profile


580499-1 : Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.

Component: TMOS

Symptoms:
Configuring an alternate admin user fails on a multi-blade VIPRION chassis and prevents newly added blades from being available to process traffic. This occurs when the default admin on the primary is disabled on a chassis with at least two blades. After disabling the default admin on the primary and configuring an alternate, mcpd on secondary blades goes into a restart loop, and posts error messages similar to the following in /var/log/ltm:

warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-primary2.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary1.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary2.
err mcpd[26012]: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.
err mcpd[26012]: 01070734:3: Configuration error: Configuration from primary failed validation: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.... failed validation with error 17242343.

In this example, admin-primary1 is the default admin user set in the GUI under System :: Platform :: Admin Account, admin-primary2, admin-secondary1 and admin-secondary2 are other admin users on the device, but they are not configured as the default admin user.

Conditions:
Chassis with multiple blades; alternate primary admin is set on the primary blade.

Impact:
mcpd in a restart loop on secondaries.

Workaround:
There is no workaround that will allow you to use a different primary admin user on BIG-IP software versions affected by this issue. To stop secondary blades from restarting in a loop, issue the following commands on your primary blade, which should be stable at this time:

# tmsh modify sys db systemauth.primaryadminuser value admin
# tmsh save sys config


580235 : PCCD cored when running 'bigstart restart pccd' command in v11.6.1

Component: Advanced Firewall Manager

Symptoms:
PCCD cores when running the 'bigstart restart pccd' command in v11.6.1. The issue is intermittent.

Conditions:
Issuing the 'bigstart restart pccd' command in v11.6.1.

Impact:
No functional impact. After pccd generates the core file it restarts and compiles the firewall rules successfully.


580225-3 : WEBSSO::select may crash tmm.

Component: Access Policy Manager

Symptoms:
The WEBSSO::select iRule command can cause TMM to crash if no arguments are passed in.

Conditions:
This occurs when the command is used with no arguments.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
See the following DevCentral page related to WEBSSO::select - https://devcentral.f5.com/wiki/irules.websso__select.ashx


579694-2 : Monitors may create invalid configuration files

Component: TMOS

Symptoms:
Under certain conditions monitors created or edited in the GUI may save an invalid configuration to disk, causing errors when the configuration is reloaded.

Conditions:
Using the GUI to create/edit monitors.

Impact:
tmsh load sys config will fail.

Workaround:
Use tmsh to create or edit monitors.
If your configuration file already has an offending backslash, please manually remove the backslash.


579565-1 : FIPS (ngfips) card-sync fails due to its lacking ability to properly handle "\" in the SO (security officer) password.

Component: TMOS

Symptoms:
When setting up the SO (security officer) password using "tmsh run util fips-util -f init", it accepts a password containing "\" without reporting a problem. However, card-sync fails because it cannot log on to the FIPS card with that password.

Conditions:
FIPS card with a security officer password that contains "\".

Impact:
A password containing '\' will fail the card-sync process in FIPS HA setup.

Workaround:
Reset the password using command "tmsh run util fips-util -f init" and avoid the special character '\'.


579531 : bd_agent and bd are suddenly restarted, while there is no traffic nor configuration being processed

Component: Application Security Manager

Symptoms:
bd_agent and bd are suddenly restarted while no traffic or configuration is being processed.

This log line appears in '/var/log/ts/nwd.log'
------------
asm_start|INFO|Feb 26 01:34:35.922|19639|F5::NwdUtils::Nwd::verify,,bd_agent: not enough threads, exceeded TimesThreadsFail (2)!!
------------

Conditions:
The conditions which trigger this are unknown.

Impact:
bd_agent and bd are suddenly restarted while no traffic or configuration is being processed.


579252-2 : Traffic can be directed to a less specific virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to a less specific virtual server during virtual server modification. It could also be dropped if there is no less specific virtual server.

Conditions:
  net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
  }
  net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
  }

  ltm pool redirect-echo {
    members { 10.125.0.17:7 }
  }
  ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
  }
  ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
  }

Impact:
Traffic can be directed to a less specific virtual server.

Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.


579035-2 : Config sync error when a key with passphrase is converted into FIPS.

Component: TMOS

Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.

Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.

Impact:
Config sync will fail.

Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720


578843-2 : GUI strips out 0.0.0.0 masks from the SNMP Client Allow Lists.

Component: TMOS

Symptoms:
The GUI strips out 0.0.0.0 masks from the SNMP Client Allow List.

Conditions:
Using the GUI to specify an SNMP Client Allow List containing 0.0.0.0 masks.

Impact:
The GUI strips the 0.0.0.0 masks.

Workaround:
Use tmsh to modify the SNMP Access if using 0.0.0.0 net masks.


578551-2 : bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot

Component: TMOS

Symptoms:
"network 0.0.0.0/0 route-map Default" is missing in bgp after a restart/reboot.

Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp

Impact:
bgp does not have the same configuration after a restart/reboot. The bgp configuration is not persisted, leading to unexpected bgp behavior.


578097-1 : Enabling DNS resolver and proxy server pool at the same time by tmsh in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might cause OCSP responder not reached

Component: Local Traffic Manager

Symptoms:
OCSP Stapling uses either a DNS resolver OR a proxy server pool to connect to the OCSP responder. In the GUI these two configuration options are mutually exclusive, but tmsh allows configuration of proxy-server-pool when use_proxy_server is set to false, and vice versa.

Conditions:
DNS resolver and use_proxy_server are configured at the same time, but only one of these configurations is set to true.

Impact:
In the following situation:
-use_proxy_server: Enabled but incorrectly configured, or the external proxy server is not working or down.
-DNS resolver: Enabled and correctly configured.

OCSP stapling will not work, since the device will try to connect to the OCSP responder through the proxy regardless of the DNS resolver configuration.
Since this 'double' configuration (DNS+use_proxy_server) can only be done by tmsh, you cannot see in the GUI that you actually have both configurations at the same time.

Workaround:
Disable the use_proxy_server configuration using tmsh; the device will then use the DNS resolver to reach the OCSP responder.


577831-1 : VE does not boot without a vga console

Component: TMOS

Symptoms:
Virtual Edition (VE) does not boot and no boot messages are displayed.

Conditions:
This occurs when there is no video device present. This is an issue because by design VE grub and kernel configurations default to vga (tty0).

Impact:
VE does not boot.

Workaround:
Use a VGA console option when deploying the VE (via virt-admin, or the Xen configuration utility, etc.)


577697-2 : WebSafe features do not support Non-UTF8 encodings.

Component: Fraud Protection Services

Symptoms:
Encrypted ISO-8859-2 data is sent to the application server in UTF8 encoded form instead of ISO-8859-2 encoding.

Conditions:
Webpage using non-UTF8 encoding.

Impact:
Application server receives data in an unexpected encoding.

Workaround:
None


577668-1 : ASM Remote logger doesn't log 64 KB request.

Component: Application Security Manager

Symptoms:
A request longer than 10 KB is truncated to 10 KB in the ASM remote logger although the remote logger is configured to log up to 64 KB requests.

Conditions:
The remote logger is configured with a maximum request size of 64 KB.
A request is longer than 10 KB.

Impact:
Incorrect request size in the log.

Workaround:
N/A


577511 : The merged.state debugging file in qkview reports wrong method when input files are too volatile

Component: TMOS

Symptoms:
The /var/tmp/merged.state file produced by merged when it is sent SIGUSR2 (including when a qkview is taken) can incorrectly report the merge method as slow in limited circumstances.

Conditions:
The input files to merged need to be in a steady state of churn (rows added or removed) so that merged cannot successfully complete a merge.

Impact:
It is harder to debug merged.

Workaround:
Reduce the churn on the input files, for example by not spawning a steady stream of processes recorded in the proc_pid_stat table.


576807-1 : Firewall policies assigned to route domain may not sync across HA

Component: TMOS

Symptoms:
HA devices may report "in sync" even though the firewall policy assigned to the route domain is not being synced. The problem is sporadic.

Conditions:
Route domains are configured across HA peers, and the route domain has a firewall policy attached to it.

Impact:
Firewall policies not syncing correctly within a sync group can cause unexpected or unwanted traffic on the network.

Workaround:
None


576705 : ASM does not start up after TMM crash on a 3600 platform

Component: Application Security Manager

Symptoms:
ASM does not start up after TMM crash on a 3600 platform. In the ASM log there are repeated insufficient thread messages. In the bd log there is a loop of restarts and SIGTERMs happening right after starting up.

Conditions:
tmm crashed or stopped, causing the system to restart asm.

Impact:
ASM is not running. If bypass ASM is not configured, traffic is not getting through.

Workaround:
Run: bigstart restart asm


575848-2 : Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.

Component: TMOS

Symptoms:
Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.

Conditions:
SNAT object on an ePVA-capable platform.

Impact:
Some traffic-related statistics (pkts/bytes in/out) are not updated.

Workaround:
To get these statistics, convert the global SNAT to an appropriate virtual server.


575368-2 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted stating that the FIPS keys in the configuration are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.


575176-2 : Syn Cookie cache statistics on ePVA enabled devices are incremented with UDP traffic

Component: TMOS

Symptoms:
In some scenarios UDP traffic can cause syncookie statistics to be incremented.

Conditions:
Virtual server with fastL4 profile with ePVA offload enabled.
Virtual server to handle UDP traffic.

Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.


574860-1 : HTTP request dropped when using ACCESS::disable from iRule and a Per-Request Policy

Component: Access Policy Manager

Symptoms:
When the ACCESS::disable command is used in an iRule along with a Category Lookup agent in a per-request policy, the HTTP request will be incorrectly dropped and the connection reset. This error condition may also occur with other per-request policy agents.

Conditions:
APM deployed with a Per-Request policy using a Category Lookup agent and an iRule that issues the ACCESS::disable command, both associated with the same virtual server.

Impact:
The HTTP request will be dropped or the HTTP connection will stall and timeout.


574262-1 : Rarely encountered lockup for N3FIPS module when processing key management requests.

Component: Local Traffic Manager

Symptoms:
The N3FIPS module does not respond to key management requests.

Conditions:
No specific condition has been identified for this failure.

Impact:
Existing data continues to forward, but new traffic keys fail. MGMT locks up. This is a rarely encountered issue.

Workaround:
An SNMP trap is generated when N3FIPS is locked up. The trap informs the user that the BIG-IP system must be rebooted. Rebooting clears the condition.


574160-4 : Publishing DNS statistics if only Global Traffic and AVR are provisioned

Component: Application Visibility and Reporting

Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.

Conditions:
LTM is not provisioned.

Impact:
The DNS chart does not show statistics.


573764-3 : In some cases, only the primary blade retains its statistics after upgrade on a multi-bladed system

Component: Application Visibility and Reporting

Symptoms:
Statistics from the primary blade remain after upgrade, but not from the other blades.

Conditions:
Upgrade to a new version on a multi-bladed system.

Impact:
Not all statistics are present after upgrade.

Workaround:
No workaround


573366-1 : parking command used in the nesting script of clientside and serverside command can cause tmm core

Component: Local Traffic Manager

Symptoms:
tmm cores in configurations using certain iRules.

Conditions:
An iRule that parks the interpreter is used in the nesting script of the clientside and serverside commands (e.g., when doing a table lookup).

For more information on iRule commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing, https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside the nesting script.


573031-3 : qkview may not collect certain configuration files in their entirety

Component: TMOS

Symptoms:
If the following files exceed 5M in size, they will be truncated when collected by qkview:

/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf

Conditions:
Any of the listed files exceeds 5 Mbytes.

Impact:
Fault diagnosis may be affected.

Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.


572895 : TCP forwarded flows are reset when time wait recycle of port happens

Component: Local Traffic Manager

Symptoms:
You notice that port-reused connections are getting reset. When a flow is forwarded from one tmm to another, and the destination tmm finds that the client is reusing a port that is in time_wait, and time wait recycle is enabled, the source tmm terminates the connection with a RST sent to the SYN-ACK from the client.

Conditions:
Using time-wait recycle and a client reuses the port that is currently in time-wait, and the flow is forwarded to another tmm.

Impact:
Client flows are reset rather than accepted.


572893-3 : error "The modem (or other connecting device) is already in use or is not configured properly"

Component: Access Policy Manager

Symptoms:
Clients get the error "The modem (or other connecting device) is already in use or is not configured properly".

Conditions:
The exact reproduction steps are not known, but it was seen to occur on certain Windows 10 clients where the access components were removed and login was attempted afterward.

Impact:
Clients will be unable to connect to the VPN

Workaround:
Rebooting might correct the issue on the client machine.


572885-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
ASM provisioned.
Device group with ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.


572655-2 : Request Logging profile Template textarea wrapping set to soft wrap

Component: TMOS

Symptoms:
The Template field in the Request Logging profile adds line break characters to long values.

Conditions:
This occurs when there is a long string of text in the Template field for the Request Logging profile, for example, $DATE_NCSA [REQUEST] - [$HOST:$VIRTUAL_PORT] - $VIRTUAL_POOL_NAME - [SRC_PORT:$CLIENT_PORT] - $NCSA_COMBINED.

Impact:
The data stored has line break characters in it at every location where the text wraps inside the Template text box.

Workaround:
There is a partial workaround, depending on the length of the string and the width of your screen. Adjust the width of the Template field by clicking and dragging the lower-right corner of the field. The line breaks the system adds occur only when the text wraps inside the box when you save the profile (by pressing Finished on a new profile or Update on an existing one).


572246 : When a rewrite profile using the default settings is attached to a virtual server, all layer 3 connectivity will begin to fail.

Component: TMOS

Symptoms:
By default, the 'rewrite' profile is in APM portal mode. When a 'rewrite' profile is enabled on a vCMP guest with ten cores allocated, all layer 3 connectivity to the virtual IP will begin to fail.

Errors similar to the following are seen in the TMM log (/var/log/tmm):

notice share_mem: shmget(0x1304d8, 657664, 0x3b6): Invalid argument

The system posts errors similar to the following in Local Traffic logs (/var/log/ltm):

crit tmm1[17820]: 01000025:2: Device error: mpi failed to allocate shared memory
err tmm1[17820]: 01480043:3: Failed to build plugin profile for /Common/rewriteplugin
err tmm1[17820]: 01480002:3: Can't initialize plugin configuration
crit tmm1[17820]: 01000203:2: Proxy failed to attach plugin rule
err tmm1[17820]: 01000008:3: Proxy initialization failed for /Common/my_virtual

Conditions:
A 'rewrite' profile in portal mode (the default) on a vCMP guest with ten cores allocated. A 'rewrite' profile is required for rewriting content; this is required for APM Portal deployments and VDI deployments.

Impact:
When a 'rewrite' profile using the default settings is attached to a virtual server, all layer 3 connectivity to the virtual IP will fail.

Workaround:
Use another core allocation configuration for the guest (such as two, four or eight). If the APM (portal) function is not required, create a custom 'rewrite' profile with the 'rewrite-mode' option of 'uri-translation'.


572234-3 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.

Component: Local Traffic Manager

Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.

Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.

The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.

The return route is a pool route.

The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.

Impact:
The traffic is sourced from the invalid Ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.

Workaround:
Increase the lasthop module's TCP idle timeout.

echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp


572180-1 : httpclass values containing escaped backslashes are stripped on migration to LTM policy

Component: Local Traffic Manager

Symptoms:
When upgrading, or when installing a UCS file, HTTP class profile values containing escaped backslashes have the escaped backslashes stripped from the value.

Conditions:
An HTTP class profile with values containing escaped backslashes. This occurs on upgrades through 12.0.0.

Impact:
The escaped backslashes will be removed and then the policy will not correctly match.

Workaround:
Edit the policy and add backslashes back in.


571718-2 : LocalDB auth logs new password in debug log on password change

Component: Access Policy Manager

Symptoms:
When a local user changes their password, the LocalDB component logs the new password at the Debug level.
Also, while parsing the HTTP header, the content of the "_F5_challenge" parameter, which contains the local user's password, is logged.

Conditions:
This occurs when local users are changing their passwords and Access logging is set to debug.

Impact:
The password is plainly visible in the log file /var/log/apm.


571560 : icrd may crash on shutdown

Component: TMOS

Symptoms:
In rare cases, icrd may crash and create a core file while shutting down.

Conditions:
icrd exiting, typically due to a system shutdown or reboot.

Impact:
icrd crashes and generates a log file.

Workaround:
The crash of icrd during shutdown/reboot may be ignored; no services were impacted. Related core files can be deleted as desired.


571556-2 : RBA may generate a core file when shutting down

Component: Access Policy Manager

Symptoms:
RBA core file is generated.

Conditions:
When the RBA plugin is shutting down, which may be related to configuration changes, system instability, or admin actions.

Impact:
No service impact, except that a core file is generated.

Workaround:
None.


571482-2 : Unbalanced double-quotes may merge lines upon config save-then-load

Component: Local Traffic Manager

Symptoms:
Unbalanced double-quotes used in the configuration will cause load failure, or will merge subsequent configuration lines until a balancing double-quote character is found. For example, an improper expression may be used to configure a monitor 'recv' value that results in an unbalanced (odd number) of double-quote characters, such as "R\\"eceive" (note three double-quote characters, resulting in an unbalanced string).

The string is considered unbalanced with an odd number of double-quote characters, regardless of escaping (such as double- or triple-backslash escaping).

Conditions:
An odd count of double-quotes is used for a configuration value, resulting in an unbalanced string.

For example, configuring a monitor 'recv' value as "R\\"eceive" results in an unbalanced string (notice three double-quotes, an odd number).

Impact:
The configuration will fail to load, as it is improperly formed. In some cases the configuration may successfully load, but the unbalanced string will cause newline(s) to be implicitly escaped until a balancing double-quote is found; this will merge subsequent lines to the unbalanced line, resulting in the consumed lines to not be considered as configuration values, but as the merged continuation of the unbalanced line.

Workaround:
Modify configuration values that use double-quotes to be balanced (i.e., configuration items should have an even number of double-quote characters, even if they are escaped).
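As an added example (not F5 code), a small Python lint that applies the counting rule described above to a constructed bigip.conf-style snippet: any line with an odd number of double-quote characters, escaping ignored, opens a run that swallows the following lines until another odd-count line balances it. Running it before a config save-then-load points at the exact lines to fix.

```python
"""Lint a bigip.conf-style text for unbalanced double-quote values.

Added example, not F5 code. It models the parser behaviour described for
issue 571482-2: a value with an odd number of double-quote characters
(backslash escaping ignored) merges subsequent lines into itself until a
line with another odd count balances the string.
"""
from dataclasses import dataclass, field


@dataclass
class QuoteReport:
    # 1-based line numbers whose own double-quote count is odd
    odd_lines: list = field(default_factory=list)
    # 1-based line numbers that would be merged into a preceding unbalanced line
    merged_lines: list = field(default_factory=list)
    # True when the text ends while a quoted run is still open (load failure)
    unterminated: bool = False


def check_quote_balance(text: str) -> QuoteReport:
    """Return which lines are unbalanced and which lines they would consume."""
    report = QuoteReport()
    inside = False  # are we currently inside an unbalanced run?
    for lineno, line in enumerate(text.splitlines(), start=1):
        if inside:
            # This line is not parsed as its own config item; it becomes
            # a continuation of the earlier unbalanced line.
            report.merged_lines.append(lineno)
        # Count every '"' regardless of preceding backslashes: the page
        # states escaping does not make a quote count as balanced.
        if line.count('"') % 2 == 1:
            report.odd_lines.append(lineno)
            inside = not inside
    report.unterminated = inside
    return report


# Constructed sample: two monitors carry the page's "R\\"eceive" recv value
# (three double-quotes each); the first opens a run, the second closes it.
SAMPLE_CONFIG = "\n".join([
    r'ltm monitor http /Common/mon_a {',
    r'    recv "R\\"eceive"',
    r'    interval 5',
    r'}',
    r'ltm monitor http /Common/mon_b {',
    r'    recv "R\\"eceive"',
    r'    interval 5',
    r'}',
    r'ltm monitor http /Common/mon_c {',
    r'    recv "Receive"',
    r'}',
]) + "\n"


if __name__ == "__main__":
    rep = check_quote_balance(SAMPLE_CONFIG)
    print("unbalanced lines:", rep.odd_lines)          # [2, 6]
    print("lines merged into them:", rep.merged_lines)  # [3, 4, 5, 6]
    print("unterminated at EOF:", rep.unterminated)     # False
```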


571333-1 : fastL4 tcp handshake timeout not honored for offloaded flows

Component: TMOS

Symptoms:
When a VIP is configured with a fastl4 profile that enables full acceleration and offload state to embryonic, and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastl4 profile, but it should be set to the "tcp handshake timeout" instead.

Conditions:
1. Configure fastl4 profile with ePVA=full, offload state=SYN, apply to network VS
2. Ensure ARP entry exists for server node (static arp, ping, etc.) to satisfy requirements for offloading initial SYN
3. Send over SYN packet from client to server via VS

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the offload state to "established".


570845-2 : Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy

Component: TMOS

Symptoms:
The configuration infrastructure currently allows the invalid 'None' option to be configured on an IPsec IKE peer for phase 1 Perfect Forward Secrecy. Although the ability to configure the 'None' option is incorrect functionality which happens on specific browsers, the configuration infrastructure should have stronger checking and prevent the acceptance of an invalid 'None' option for configured IKE peers.

Conditions:
The ability to configure an IKE peer with an invalid 'None' option for Perfect Forward Secrecy occurs on Internet Explorer and Safari browsers, and the configuration infrastructure does not reject this invalid configuration for these cases.

Impact:
The racoon daemon will fail to start and all IPsec tunnels may fail to work. The racoon.log file may contain messages like:

INFO: Reading configuration from "/etc/racoon/racoon.conf"
ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
ERROR: fatal parse failure (1 errors)
ERROR: failed to parse configuration file.

Workaround:
Don't configure the 'None' option for Perfect Forward Secrecy in the IKE peer configuration section.


570570-3 : Default crypto failure action is now "go-offline-downlinks".

Component: Local Traffic Manager

Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "failover". Now, the default behavior is "go-offline-downlinks".

Conditions:
Failed crypto accelerator.

Impact:
BIG-IP with failing crypto accelerator on a chassis blade may remain in standby as primary blade.


569583-1 : Secondary Blade Rejects All Traffic after being added to the chassis

Component: Application Security Manager

Symptoms:
After an upgrade ends in errors, the device may be left in a state that it erroneously believes to still be in the middle of the upgrade.

Conditions:
A second blade is installed into a chassis and there are errors as it comes up.
System configuration is never successfully loaded. This can occur during upgrades to versions prior to 12.0.0.

Impact:
Secondary blade blocks all ASM traffic.

Workaround:
1) Delete the /var/ts/var/install/ucs_install.pid file on all blades.
2) Push a fresh sync from a good device.


569331-4 : Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP

Component: TMOS

Symptoms:
Traffic will not pass to virtual servers of a traffic group.

Conditions:
BIG-IP AWS
High Availability
AWS network outage

Impact:
Some virtual addresses end up associated with the standby BIG-IP; traffic will not pass to their virtual servers.

Workaround:
If the desired BIG-IP is standby, failover to the BIG-IP.
If the desired BIG-IP is already active, failover from this BIG-IP and then failover back to this BIG-IP.


569280-2 : BIG-IP does not delete the SA on peer box after erase/modify ike-peer

Component: TMOS

Symptoms:
After erase/modify ike-peer command, phase 1-2 SA is deleted on one system, but is not deleted on the peer.

Conditions:
Run an erase/modify ike-peer command on one system in a peer configuration.

Impact:
Possible loss of connectivity (if the initiator has an SA but the receiver does not).

Workaround:
To work around this issue, delete SA manually on the peer system.


569270 : BIG-IQ CM 4.6 incompatible with BIG-IP 11.6.1.

Component: iApp Technology

Symptoms:
The restnoded process on the BIG-IP system continuously cycles after discovery by BIG-IQ CM 4.6.

Conditions:
Using BIG-IQ CM 4.6 to discover BIG-IP systems running 11.6.1.

Impact:
BIG-IQ CM 4.6 cannot manage BIG-IP 11.6.1.

Workaround:
Do not use BIG-IQ CM 4.6 to discover BIG-IP systems running version 11.6.1.


568795-1 : Dedup Cache Refresh may fail to re-initialize WOM endpoint

Component: Wan Optimization Manager

Symptoms:
WOM endpoints are not always re-initialized correctly for dedup cache refresh operations:
    tmsh modify wom remote-endpoint all dedup-action cache-refresh

Conditions:
WOM

Impact:
iSession tunnels do not establish.

Workaround:
bigstart restart


568445-3 : User cannot perform endpoint check or launch VPN from Firefox on Windows 10

Component: Access Policy Manager

Symptoms:
If Firefox is used on Windows 10 to connect to APM, access policy may fail, or system fails to launch VPN.

Conditions:
Firefox is used to connect to APM on Windows 10. The following conditions are exclusive and have different impact:
1) Access policy requires client side inspection.
2) Attempt to launch VPN from WebTop.

Impact:
1) Access policy will fail.
2) VPN cannot be launched from WebTop.

Workaround:
None.


568347-2 : BD Memory corruption

Component: Application Security Manager

Symptoms:
An Enforcer crash occurs and UMU errors may appear in the bd.log file.

Conditions:
N/A

Impact:
Traffic is disrupted while the Enforcer restarts.


568229-2 : [LTM][DNS] save-on-auto-sync with partitions fails for LTM DNS partition objects

Component: Local Traffic Manager

Symptoms:
Even though 'auto-sync enabled' and 'save-on-auto-sync true' are set on a device group which has a partition assigned to it, creating an LTM DNS object in the partition is successfully transmitted to the running configuration of the peer device, but not written to bigip.conf.

Conditions:
1. auto-sync and save-on-auto-sync enabled for device group.
2. The device group has a partition assigned to it.
3. Creating an LTM DNS partition object.

Impact:
Changes are not written to conf files as expected.

Workaround:
Save configuration manually at regular intervals on peer box.


568182-1 : IPsec does not send phase 2 delete.

Component: TMOS

Symptoms:
IPsec does not remove IKE-SA on change traffic selector.
As a result, SA status differs between the IPsec devices, which can cause significant delays in communication.

Conditions:
Change traffic selector on one device, and force delete SA on the same device, but do not propagate to the other one.

Impact:
This might result in significant delays in communication.

Workaround:
Delete SA manually.

Note: This workaround might not be possible.


567400-2 : Policy Diff/Merge Does Not Work Correctly For Session Awareness Login Pages

Component: Application Security Manager

Symptoms:
When comparing Security Policies with Session Awareness enabled for specific Login Pages, false differences are shown in the Diff.
Additionally, attempting to merge policies with these elements does not provide expected enforcement, as the Login Pages will not be enabled correctly in the target policy.

Conditions:
A Security Policy with Session Awareness Login Pages is compared with Policy Diff.

Impact:
False differences may appear, and merging them will not provide expected enforcement.

Workaround:
These elements can be ignored in the Diff Summary before an auto-merge, and handled manually.


567126 : Inaccurate message on missing request log record in Manual Traffic Learning

Component: Application Security Manager

Symptoms:
A misleading message appears in the Manual Traffic Learning screen if request log records have been deleted due to data rotation.

Conditions:
Request log records have been deleted due to data rotation.

Impact:
A misleading message may appear in the Manual Traffic Learning screen.


566071-1 : network-HSM may not be operational on secondary slots of a standby chassis.

Component: Local Traffic Manager

Symptoms:
pkcs11d may not be running on secondary slots of a chassis.

Conditions:
This might occur when the following conditions are true:
1. Network-HSM installed on BIG-IP chassis.
2. Chassis is in standby state OR Secondary slots do not have management IP configured.

Impact:
If SSL profiles are configured with keys of security-type 'nethsm' when the specified conditions are true, traffic for such profiles will fail when the affected slots process traffic.

Workaround:
Manually install netHSM on each secondary slot.


565790 : Qosmos classification result is not propagated for response-based classification.

Component: Traffic Classification Engine

Symptoms:
Qosmos classification result is not propagated for response-based classification.

Conditions:
No HTTP profile attached to the Virtual Server

Impact:
Classification result will not be propagated through the system. In the case of PEM, this issue leads to no enforcement of policy action.

Workaround:
None.


565616 : Keylogger Protection weakness in Internet Explorer

Component: Fraud Protection Services

Symptoms:
Some types of malware can log keys using JavaScript in Internet Explorer.

Conditions:
Endpoint infected with JavaScript keylogger malware. End user uses Internet Explorer.

Impact:
Product does not prevent keystroke logging.

Workaround:
None.


565412-1 : AVR reports device-level mitigation as "Device Level" and not as "Aggregated"

Component: Application Visibility and Reporting

Symptoms:
When AVR gets a report on device-level mitigation, it reports it as "Aggregated" instead of "Device Level".

Conditions:
When AVR gets a report on device-level mitigation.

Impact:
The network reports are not clear or detailed enough.


565137-1 : Pool licensing fails in some KVM/OpenStack environments.

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.

Workaround:
There is no workaround.


564956-4 : PCCD core and slow running SQL

Component: Advanced Firewall Manager

Symptoms:
Search in network firewall log is very slow.

Conditions:
This occurs with large log files.

Impact:
Log searches can become very slow for very large log files.

Workaround:
Use custom search filters to speed up the search times.


564634-3 : Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool

Component: Local Traffic Manager

Symptoms:
Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool.

Conditions:
Remove a monitor from a pool using tmsh edit commands.

Impact:
bigd still monitors the pool.

Workaround:
None.


564431-1 : Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail

Component: Policy Enforcement Manager

Symptoms:
Subscriber lines terminated with an EOL that occur before the line without an EOL are loaded.

Conditions:
At least one line in the static subscriber file is not terminated with an EOL character.

Impact:
Impact to support staff in diagnosing the root cause for failure while importing a subscriber file.

Workaround:
Save the file in Unix format, which appends an EOL character to each line.
While editing the file, make sure every line is terminated with an EOL character.


563933-2 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs

Component: Local Traffic Manager

Symptoms:
A and AAAA RRsets in the additional section are dropped.

Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.

Impact:
Failure to include the additional RRs results in additional lookups by the client; the omitted records could be glue records needed by a resolver.

Workaround:
Set dns64-additional-section-rewrite to 'any'.


563651-3 : Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.

Component: Access Policy Manager

Symptoms:
Web application does not work, or works intermittently, via Portal Access after upgrading BIG-IP to any new software version.

Conditions:
-- Web application via Portal Access.
-- Any modern browser, such as Chrome, Firefox, Safari, or MS Edge.
-- After upgrading BIG-IP.

Impact:
Various unexpected behaviors. For example, a custom intranet application link might experience intermittent failures through rewrite. This occurs because Portal Access does not support Storage areas (localStorage, sessionStorage). This might impact web-applications with content previously populated in Storage areas.

Workaround:
Possible workaround:
-- Clear browser cache manually after upgrading.


563560-3 : Intermittent iStats reset

Component: TMOS

Symptoms:
iStats will intermittently be reset back to zero.

Conditions:
An event that causes iStats to be archived, such as removing an iStat, removing a configuration object that has an iStat, or repeatedly removing a custom-stat, may cause a reset.

Impact:
The iStat values will be reset to zero and then resume incrementing.

Workaround:
Avoid removing iStats or other events that trigger the resets.


563503-1 : Static RDP App Tunnel Resource connects to wrong backend server in some cases

Component: Access Policy Manager

Symptoms:
In some cases, the user is connected to the wrong app tunnel resource.

Conditions:
One app tunnel resource host (or IP) is a substring of another app tunnel resource name or IP.

Impact:
The user is connected to the wrong app tunnel resource when clicking the resource icon on the webtop.

Workaround:
Do not create multiple resources where the host name of one resource is a substring of the host name of another resource.


563443-2 : WebSSO plugin core dumps under very rare conditions.

Component: Access Policy Manager

Symptoms:
WebSSO plugin core dumps under very rare conditions.

Conditions:
This occurs rarely when the WebSSO plugin is enabled.

Impact:
WebSSO plugin core dumps.

Workaround:
None.


563262-1 : "pem classify" policy action parameters

Component: Policy Enforcement Manager

Symptoms:
The "pem classify defer" and "pem classify" policy actions log an error when the application and protocol are not specified.

Conditions:
An LTM policy with classification rules for which the application and protocol have not been specified is attached to a virtual server.

Impact:
The configuration processing returns an error which is logged in /var/log/ltm and the erroneous policy is not used.

Workaround:
Fix the policy by specifying the application/classification and protocol.


563144 : Changing the system's admin user causes many errors in the REST framework.

Component: Device Management

Symptoms:
The iControl REST log at /var/log/icrd will have entries similar to the following:

notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
Follow the steps in the Solution https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15632.html, and change the default admin user.

Impact:
Many REST APIs do not function, and functionality that depends on REST fails.

Workaround:
None.


562885 : TMM segfault in flow_find_opaque_ctx() caused by corrupt opaque ctx.

Component: Local Traffic Manager

Symptoms:
A rare TMM segfault was encountered in flow_find_opaque_ctx() caused by corrupt opaque ctx. Log signature in /var/log/ltm: err tmm1[21114]: 01010276:3: Crypto codec error: sw_crypto Couldn't get ECDH other public value.

Conditions:
It is not known exactly what conditions trigger this.

Impact:
Traffic disrupted while tmm restarts.


562510-2 : BIG-IQ unable to license BIG-IP Virtual Edition (VE) instances in UDF/KVM Environments.

Component: TMOS

Symptoms:
Attempts to license a BIG-IP Virtual Edition (VE) in a UDF/KVM environment will fail; manually licensing the same BIG-IP with the same license regkey will work fine.

Conditions:
This issue affects systems that implement the SMBIOS specification in ambiguous ways. Differing mechanisms for reading the UUID can return different values.

Impact:
The BIG-IQ will incorrectly report that the license cannot be applied to the BIG-IP, and will fail the attempt.

Workaround:
None.


562452 : Perpetual 'Loading...' banner when updating values in GUI System :: Preferences.

Component: TMOS

Symptoms:
The GUI banner 'Loading... Receiving configuration data from your device' does not disappear when updating changes in System :: Preferences page.

Conditions:
Use a BIG-IP system running 11.6.0 HF6. Make changes to System :: Preferences page.

Impact:
The GUI banner 'Loading... Receiving configuration data from your device' stays without showing the modified data. This is cosmetic. The changes are properly sent and stored. Reloading the page shows the new values.

Workaround:
None needed. This is cosmetic.


561798-1 : Windows edge client may show scripting error on certain 3rd party authentication sites

Component: Access Policy Manager

Symptoms:
User sees a JavaScript error on third-party IdP sites.

Conditions:
Windows Edge client is used.
Access policy requires the user to authenticate on a third-party site.

Impact:
Reduced usability of the Edge Client.


561595-2 : Guest user cannot see Event Correlation details

Component: Application Security Manager

Symptoms:
Guest user cannot see Event Correlation details.

Conditions:
Log in as Guest

Impact:
Limited read access for guest users.

Workaround:
For the guest user there is no workaround; if it is possible to log in as another user, everything works.


561444-3 : LCD might display incorrect output.

Component: TMOS

Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.

Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.

Impact:
LCD may display incorrect data.

Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.


560584-1 : Disabling an IKE Peer sets all Common Settings values to default

Component: TMOS

Symptoms:
When an existing "Enabled" IKE Peer has its "State" attribute changed to "Disabled" the value of all of the attributes in the Common Settings table are set to their default values.

Conditions:
This occurs when setting the state of an IKE peer to Disabled.

Impact:
When an existing "Enabled" IKE Peer temporarily has its "State" attribute changed to "Disabled" then later reset to "Enabled", any non-default settings in the Common Settings table are lost.

Workaround:
Re-enter any non-default values in the Common Settings table when re-enabling an IKE Peer.


560405-6 : Optional target IP address and port in the 'virtual' iRule API is not supported.

Component: Local Traffic Manager

Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to another virtual server (or remote endpoint). Such an operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.

Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.

Impact:
Cannot implement HTTP Forward Proxy plus Transparent redirection to Web-Cache Pool.

Workaround:
None.


560231-3 : Pipelined requests may result in a RST if the server disconnects

Component: Local Traffic Manager

Symptoms:
If an HTTP client sends multiple pipelined requests before a full response is received, the HTTP filter will buffer them and send them one at a time to the server.

If the server ends the connection with a "Connection: Close" header, the HTTP filter will ignore this and continue to send the next buffered request.

If the server then sends a FIN packet while that buffered request is in progress, the HTTP filter will send a RST packet to the client.

Conditions:
Multiple concurrent pipelined HTTP requests, and a back-end server that closes a connection while some requests are still buffered.

OneConnect is not used.

Impact:
The client will receive a RST instead of a FIN packet.

Workaround:
There are two workarounds.
1) Enable OneConnect.
2) Via an iRule: if a "Connection: close" header exists in the HTTP_RESPONSE event, HTTP::close may be used to cleanly shut the connection down.


560114-7 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When Monpd is restarted, it starts printing non-stop error messages to the logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature: err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (maybe caused by /var/log being full).

Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd


559837-6 : Misleading error message in catalina.out when listing certificates.

Component: TMOS

Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.

java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].

Conditions:
This occurs when listing certificates, and exceptions are returned.

Impact:
1. Throws table creation exceptions when randomly generated table name contains invalid character ('-').
2. Misleading 'Table not found' message in catalina.out.

Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.


559554-2 : CHD congestion control can have erroneous very large cwnd.

Component: Local Traffic Manager

Symptoms:
At times, CHD congestion control can store a very large congestion window, resulting in release of data well beyond that warranted by network conditions.

Conditions:
The client advertises a receive window less than 1 MSS, and CHD tries to decrease the window.

Impact:
Possible network congestion.

Workaround:
Change the congestion control algorithm from CHD.


559402-1 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form

Component: Access Policy Manager

Symptoms:
Client-initiated form-based SSO fails when the username and password are not replaced correctly in the POST request. The cause is that client-initiated form-based SSO and the browser URL-encode special characters in the username/password differently, so the case-sensitive comparison fails to find a match between the two URL-encoded values. The SSO module therefore adds the username and password to the token again, and the password attribute/value pair appears twice, with both the f5-sso-token and the real password, so SSO fails.

Conditions:
When the password contains special characters like [ or ].

Impact:
SSO fails because the password attribute/value pair appears twice in the token, with both the f5-sso-token and the real password.

Workaround:
No workaround.


559159-1 : [PORTAL] JavaScript errors when Application runs through Portal

Component: Access Policy Manager

Symptoms:
[Portal Access] Wrong rewriting for some nested conditional expressions at client side.

For example, "x?w.location=y?a:b:c;"

Conditions:
An application running through Portal Access has JavaScript errors that cause the page not to load.

Impact:
The page does not load.

Workaround:
An iRule workaround is available upon request. The iRule will be specific to the web application behind BIG-IP.


559138-2 : Linux CLI VPN client fails to establish VPN connection on Ubuntu

Component: Access Policy Manager

Symptoms:
Linux client is unable to establish a VPN connection. An error is displayed which says that server certificate verification has failed.

Conditions:
CLI client used on Ubuntu to establish VPN connection.

Impact:
User cannot connect to the VPN.

Workaround:
Use web client.


559080-3 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.


558893-2 : TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT

Component: Local Traffic Manager

Symptoms:
TMM may fail to forward FTP data connections when PORT/EPRT commands are used in succession referring to the same IP/PORT.

Conditions:
An FTP virtual server is configured with an FTP profile that has inherit-parent-profile disabled.
A client sends an EPRT command and then a PORT command referring to the same IP/PORT.

Impact:
TMM may reset the connection in some cases.

Workaround:
Change the ftp profile to enable the inherit-parent-profile option.


558763 : "Show All" option for large no. of security objects can cause poor performance in some browsers

Component: Advanced Firewall Manager

Symptoms:
Using "Show All" for showing a large number of security objects on GUI can be challenging for some browsers (especially IE)

Conditions:
Large number of security objects on GUI to display, use of particular browsers (especially IE)

Impact:
AFM Address List page and others may not render properly or responsively.

Workaround:
Use Chrome


558602-3 : Active mode FTP data channel issue when using lasthop pool

Component: Local Traffic Manager

Symptoms:
The data channel for active mode FTP may fail.

Conditions:
Active mode FTP through a virtual with ftp profile with port set to zero and configured to use a lasthop pool.

Impact:
Active mode FTP does not work.

Workaround:
Use auto-lasthop instead of lasthop pool.
Use passive mode FTP.


558088 : Expanding large objects in Security - Network Firewall - Address Lists does not work for IE

Component: Advanced Firewall Manager

Symptoms:
Expanding large address lists in Security - Network Firewall - Address Lists does not work on IE

Conditions:
Only happens when address lists are really big

Impact:
The Address List page under Security > Network Firewall does not expand large address lists.


557864 : bigd restart when DNS server returns 0 address

Component: Local Traffic Manager

Symptoms:
bigd might restart if DNS server returns a 0 address on FQDN nodes.

Conditions:
DNS server returns a 0 address on FQDN nodes.

Impact:
bigd continually restarts.

Workaround:
Fix DNS configuration to not return 0 address.


557508-2 : "Expect 100-continue" support

Component: Application Security Manager

Symptoms:
ASM supports "Expect 100-continue" behavior only for the POST method.

Conditions:
For example, a client sends a request with the PUT method, an "Expect: 100-continue" header, and a body.

Impact:
Such a request is not passed to the server; instead, it hangs and expires on a timeout.

Workaround:
N/A


557452-2 : Messages logged when the CAN daemon (cand) receives unsolicited data

Component: TMOS

Symptoms:
When the log filter is configured to filter at the 'Informational' log level, the logs can get filled with 'request for unsolicated data' messages. These messages appear in the log every 20 seconds.

Conditions:
This occurs when using a remote syslog logging filter with the 'Severity' field set to 'Informational'.

Impact:
Logs fill with messages. These messages are related to communication with the CAN daemon (cand), and are completely benign, so you can safely ignore them.

Workaround:
Change the remote syslog logging level to 'Notice'.


557399-2 : Browser could become unresponsive when page with specific script constructions is accessed through Portal Access

Component: Access Policy Manager

Symptoms:
If user application code has an object with a toString() method and property names similar to those of the JavaScript built-in Location interface, Portal Access rewriting may enter an infinite loop while processing that object.

Conditions:
APM with Portal Access configured.

Impact:
Browser hangs or crashes when trying to access page through Portal Access.

Workaround:
None


557155-4 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue was reproduced during a test that overprovisions a 2-vCPU guest and is unlikely to happen in normal operation.

Workaround:
Try one of the following workarounds (the first is the most preferred, and so on):
1. Increase guest memory.
2. Significantly reduce the value of the content in '/sys/module/unic/rx_queue_size'. For example running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
   sysctl vm.panic_on_oom=1


557098-1 : correlation is continuously restarted with "An instance with pid xxxx is already running" error in the ltm log

Component: Application Security Manager

Symptoms:
correlation is continuously restarted with these errors:

/var/log/asm:
----------
ASM subsystem error (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: correlation, Failure: Insufficient number of threads (required: 1, found: 0).
----------

/var/log/ltm:
----------
err correlation[xxxx]: 01560000:3: An instance with pid yyyyy is already running
----------

Conditions:
ASM provisioned

Impact:
correlation is continuously restarted

Workaround:
Here is a workaround.
All commands should be executed as root user, on the CLI of the affected BIGIP:

1) Create a backup of the file '/usr/share/ts/config/asm_processes.yaml' to '/usr/share/ts/config/asm_processes.yaml.orig':
      # cp /usr/share/ts/config/asm_processes.yaml /usr/share/ts/config/asm_processes.yaml.orig

2) Patch the yaml file (the spaces in the command are significant!!!):
      # perl -pi -e 's/correlation:/correlation:\n pid_file: \/shared\/tmp\/correlation.pid/' /usr/share/ts/config/asm_processes.yaml

3) Diff the original file VS the patched file:
      # diff -C 1 /usr/share/ts/config/asm_processes.yaml.orig /usr/share/ts/config/asm_processes.yaml

4) Validate that the diff, that was generated in previous step, is exactly as follows (spaces are significant, time stamps will differ):


*** /usr/share/ts/config/asm_processes.yaml.orig 2015-11-09 10:12:06.000000000 -0500
--- /usr/share/ts/config/asm_processes.yaml 2015-11-09 10:12:14.000000000 -0500
***************
*** 33,34 ****
--- 33,35 ----
    correlation:
+ pid_file: /shared/tmp/correlation.pid
      exec_method: system
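Review bot: the indentation of the added pid_file line should match that of the sibling exec_method key so that YAML parses it as a child of correlation; as rendered here the `+ pid_file:` line sits at a shallower indent than `exec_method: system`, so after running the perl substitution in step 2 check the whitespace of the inserted line against the neighbouring keys before restarting ASM in step 5.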



5) Restart ASM:
      # bigstart restart asm

6) Make sure that the BIGIP is Active and that there are no 'Watchdog detected failure for process' errors in '/var/log/asm'.

7) Monitor logs for these errors, that should not appear:
-----------------------------------------
/var/log/asm:
----------
ASM subsystem error (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: correlation, Failure: Insufficient number of threads (required: 1, found: 0).
----------

/var/log/ltm:
----------
An instance with pid xxxx is already running
----------
-----------------------------------------


Note that step (5) is disruptive and will cause the BIG-IP system to go 'Offline' for a short period of time.

In the case that you need to revert the workaround:
-----------------------------------------
# mv /usr/share/ts/config/asm_processes.yaml.orig /usr/share/ts/config/asm_processes.yaml
# bigstart restart asm
-----------------------------------------


556774-2 : EdgeClient cannot connect through captive portal

Component: Access Policy Manager

Symptoms:
EdgeClient cannot connect through captive portal.

Conditions:
1) Install EdgeClient on a PC that connects to the APM through a captive portal.
2) Launch EdgeClient and try to connect to the APM.
3) System posts certificate warnings. Accept them.
4) Captive portal is not shown to the user.
5) EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.

Impact:
No captive portal is displayed to the user. The EdgeClient UI just toggles between the 'Waiting to connect to server' and 'Downloading server settings' messages.

Workaround:
None.


556694-2 : DoS Whitelist IPv6 addresses may "overmatch"

Component: Advanced Firewall Manager

Symptoms:
When using the 8-entry "rich" DoS whitelist with IPv6 addresses, the HW matches only 32 bits of an incoming IPv6 address against the whitelist entry, meaning that if an incoming IPv6 address matches those 32 bits, the whitelist will result in "match", even if other bits of the IPv6 address do not match.
Note that the configuration can select which set of bits (there are 4 choices -- 127:96, 95:64, 63:32, 31:0) to match against, via the db.tunable dos.wlipv6addrsel.
Also, note that IPv4 matches are always perfect, and are not affected by this issue.

Conditions:
Occurs when the 8-entry AFM DoS Whitelist is used to match against IPv6 addresses.

Impact:
In some cases, the Whitelist may overmatch, meaning some IPv6 addresses will be considered whitelist matches, when they do not match the whitelist.
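As an added illustration (not part of this release note or of F5's code) of the 32-bit comparison described above, the following Python models which bits of an IPv6 address each of the four slices selects and shows how two different addresses collide on the selected slice while differing elsewhere. The numeric values used for the dos.wlipv6addrsel selector are an assumption of this example; the page does not give the tunable's encoding.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Assumed encoding of the dos.wlipv6addrsel db tunable: the four bit ranges are
# the ones named on the page (127:96, 95:64, 63:32, 31:0); the keys 0..3 are a
# constructed assumption, not F5's documented values.
SLICE_BY_SEL: Dict[int, Tuple[int, int]] = {
    0: (127, 96),
    1: (95, 64),
    2: (63, 32),
    3: (31, 0),
}


def ipv6_slice(addr: str, sel: int) -> int:
    """Return the 32-bit slice of `addr` that selector `sel` picks."""
    hi, lo = SLICE_BY_SEL[sel]
    value = int(ipaddress.IPv6Address(addr))
    return (value >> lo) & 0xFFFFFFFF


def hw_whitelist_match(entry: str, incoming: str, sel: int) -> bool:
    """Model of the hardware comparison: only the selected 32 bits are compared."""
    return ipv6_slice(entry, sel) == ipv6_slice(incoming, sel)


def exact_match(entry: str, incoming: str) -> bool:
    """The comparison an operator expects: all 128 bits must match."""
    return ipaddress.IPv6Address(entry) == ipaddress.IPv6Address(incoming)


def overmatches(entry: str, incoming: str, sel: int) -> bool:
    """True when the hardware would whitelist `incoming` although it is not `entry`."""
    return hw_whitelist_match(entry, incoming, sel) and not exact_match(entry, incoming)


def overmatch_count(entries: Iterable[str], sample_addrs: Iterable[str], sel: int) -> int:
    """Count (entry, address) pairs that would be wrongly whitelisted under `sel`."""
    entries = list(entries)
    sample_addrs = list(sample_addrs)
    return sum(1 for e in entries for a in sample_addrs if overmatches(e, a, sel))


def best_selector(entries: Iterable[str], sample_addrs: Iterable[str]) -> int:
    """Selector that yields the fewest overmatches for the given whitelist entries
    against a sample of non-whitelisted source addresses seen on the network."""
    entries = list(entries)
    sample_addrs = list(sample_addrs)
    return min(SLICE_BY_SEL, key=lambda sel: overmatch_count(entries, sample_addrs, sel))


if __name__ == "__main__":
    # Constructed sample: one whitelist entry and two hosts from the same /64
    # that should NOT be whitelisted.
    entry = "2001:db8:1:2::10"
    others = ["2001:db8:1:2::ffff", "2001:db8:1:2::11"]
    for sel, (hi, lo) in SLICE_BY_SEL.items():
        hits = [a for a in others if overmatches(entry, a, sel)]
        print(f"bits {hi}:{lo} -> wrongly whitelisted: {hits}")
    print("selector with fewest overmatches:", best_selector([entry], others))
```

For entries that share a prefix with the rest of the address space they sit in, the low slice (31:0) is usually the most distinguishing one, but the choice depends on the actual addresses; the helper above lets an operator check a candidate selector against real source addresses before relying on the 8-entry whitelist for IPv6.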


556088-3 : In a chassis system with APM provisioned, the mcpd daemon on a secondary blade will restart.

Component: Access Policy Manager

Symptoms:
Uploading and installing an epsec/Opswat package on a chassis system will result in mcpd restart on the secondary blades.

Conditions:
Installing a new epsec package in a chassis system is the only condition under which this can happen.

Impact:
All daemons dependent on mcpd will restart


555464-2 : HA channel flapping will cause SessionDB memory leak on standby due to unexpired entries

Component: TMOS

Symptoms:
SessionDB memory leak on a standby in the HA pair due to HA channel flapping causing failure of expiry messages.

Conditions:
SessionDB in use, HA channel errors

Impact:
Slow memory leakage on the standby

Workaround:
Alleviate the HA flapping and then restart the standby.


555343-3 : tmm may crash in fastl4 tcp virtual server

Component: Local Traffic Manager

Symptoms:
tmm may crash if it receives a fragmented packet on a fastl4 tcp virtual server.

Conditions:
fastl4 tcp virtual server
fragmented packet arrives

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable option "Reassemble IP Fragments" in the fastl4 profile.


555156-3 : Changing monitoring configuration stops health checks for FQDN nodes.

Component: Local Traffic Manager

Symptoms:
When changing the monitoring configuration, the health checks never resume for FQDN node types.

Conditions:
Create a custom monitor, apply it to an FQDN node type. Change the monitor configuration, and health checks never resume.

Impact:
No health checking (member status remains as it was prior to the change). Traffic may be sent to unavailable pool members.

Workaround:
Restart bigd to force the change using the following command:

bigstart restart bigd


554826-2 : TMM may crash with a SIGFPE panic if an AFM DOS profile is configured with Behavioral Analysis enabled

Component: Advanced Firewall Manager

Symptoms:
If an AFM DoS profile with Behavioral Analysis enabled is applied to a virtual server configured for state mirroring, TMM may crash on the secondary device with a SIGFPE panic.

The system may produce a panic message in /var/log/tmm* similar to the following:

    panic: ./local/net/packet.h:505: Assertion "l3hdr set" failed.

Conditions:
AFM is provisioned and an AFM profile with 'Behavioral Analysis' enabled is configured on a virtual server, and that virtual server is configured for mirroring.

Impact:
TMM crash: Degraded HA. Traffic disrupted while tmm restarts.

Workaround:
Enabling the 'Behavioral Analysis' feature in an AFM profile is not completely functional at this time. Please do not enable the feature.


554444-3 : LTM Policy resets connection when removing non-existent HTTP header

Component: Local Traffic Manager

Symptoms:
Customer might notice that certain HTTP requests would be prematurely terminated without seeing a response.

Conditions:
This occurs when an LTM Policy is defined to remove an HTTP header from a request or response, but the request or response does not contain the specified header.

Impact:
The connection gets reset, client does not see response.

Workaround:
As a possible mitigation, if the HTTP header to be removed has narrowly-defined expected value, it may be possible to add a condition that effectively tests for the existence of a header. For example, instead of unconditionally removing the Server: header from a response, a condition could be added to check whether the Server: header contains "Apache", or even if it contains the letter 'a', or even any letter or number.


554074-1 : If the user cancels a connection attempt, there may be a delay in establishing the next connection.

Component: Access Policy Manager

Symptoms:
Clicking on connect button does not trigger start of VPN connection immediately.

Conditions:
User cancelled previous connection attempt

Impact:
User must wait for ten seconds before attempting to reconnect.

Workaround:
None


553925-2 : Manual upgrade of Edge Client fails in some cases on Windows

Component: Access Policy Manager

Symptoms:
Manual upgrade of BIG-IP Edge Client for Windows fails and this message displays "Newer version of this product is already installed."

Conditions:
Edge Client version 11.2.0. Version 12.0 is installed.
User tries to upgrade Edge Client by running a newer installer package of Edge Client.

Impact:
Edge Client cannot be upgraded.

Workaround:
Uninstall and reinstall Edge Client or use the installer service component for automatic update of Edge Client.


553830-2 : Use of OneConnect may result in stalled flows

Component: Local Traffic Manager

Symptoms:
Stuck serverside flows that do not expire

Conditions:
A server-side flow expires while the client side is closing, with OneConnect in use.

Impact:
Excessive memory usage, tmm can crash.

Workaround:
Disable OneConnect. This can also be mitigated by ensuring the server-side idle timeout is not set lower than the client profile's fin-wait timeout while using OneConnect.


553776-2 : BGP may advertise default route with bad parameters

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
Dynamic routing using BGP configured, BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command: clear ip bgp <affected neighbor address>.


553521-1 : TMM crash when executing route lookup in tmsh for multicast destination

Component: Local Traffic Manager

Symptoms:
Running 'tmsh show net route lookup 224.0.0.1' crashes TMM.

Conditions:
Always.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid route lookups of multicast destinations from tmsh. It should be possible to use 'ip route show' instead. tmsh should still work for unicast routes.


553446-3 : Interface bfd session does not appear in configuration file or in show running-config

Component: TMOS

Symptoms:
When a Bi-Directional Forwarding Detection (BFD) session is configured for an interface, the bfd session command does not appear in the show running config or in the configuration file. However, running show bfd session command shows that a session is configured.

Conditions:
Interface bfd session between two nodes.

Impact:
Cannot determine whether a bfd session is configured. Further, because it is not saved in the configuration file, the bfd session configuration is lost when the system restarts the protocol.

Workaround:
None.


553268-2 : Edge client shows "Invalid Cookies" message on third party IdP sites

Component: Access Policy Manager

Symptoms:
While authenticating with a third party IdP site, the site may show a message indicating that the cookie sent from client was invalid.

Conditions:
All of the following conditions should be met.
- User connects using Edge Client, disconnects and then attempts to connect again.
- APM is using SAML authentication with a third party IdP
- IdP uses multiple cookies to identify user session

Impact:
Edge Client is redirected to IdP site and the site displays a message indicating that the cookie was invalid or that there was a problem with the cookie.
User is not prompted for authentication credentials on the IdP.

Workaround:
Restart Edge Client before connecting again.


552444-2 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD

Component: Access Policy Manager

Symptoms:
Dynamic drive mapping in network access may not work if the mapping is configured to use a session variable, and the session variable is received from LDAP/AD.

Conditions:
Drive mapping is received from LDAP/AD and contains double slash in the path, e.g. "\\server\path"

Impact:
Dynamic drive mapping may not function.

Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for the drive mapping, assign a variable and escape the extra backslashes added by APM:

homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]


552342-2 : APMD logging at debug level may log passwords in clear text

Component: Access Policy Manager

Symptoms:
APMD logging at debug level logs all request headers in clear text. Some request types contain passwords in headers resulting in passwords logged in clear text.

Conditions:
APMD logging at debug level.

Impact:
Some passwords may be logged in clear text.

Workaround:
Do not log at debug level unless absolutely necessary.


552176-1 : LTM v11.6.0 iControl REST transaction w/multiple commands don't work as expected

Component: TMOS

Symptoms:
An exception may be thrown during an mcp transaction when processing more than one delete request.

Conditions:
One of the objects being deleted must have a dependency on the other.

Impact:
A valid transaction may fail.


551849-3 : If 1 tmm gets more than 1 Mpps then the 1m stats in dos_stats can be wrong

Component: Advanced Firewall Manager

Symptoms:
If one tmm with AFM DoS receives more than 1 Mpps, the stats_1m value in dos_stats (the average pps over the previous 60 seconds) can be wrong. This can cause a DoS attack to be detected sooner than it should be.

Conditions:
AFM DoS configured and provisioned. Any 1 tmm gets more than 1 Mpps of a certain kind for which we've configured DoS attack detection - and this could cause the 1 minute average stats to be wrong.

Impact:
The stats will be wrong, and AFM could detect a DoS attack before traffic actually reaches the configured threshold.

Workaround:
None.


551635-2 : pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule

Component: Advanced Firewall Manager

Symptoms:
pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule

Conditions:
If firewall config contains rules with mixed IPv4 and IPv6 addresses in the same rule (either as source addresses or destination addresses), pccd may crash

Impact:
pccd crash.

Workaround:
Separate addresses of different address families into separate rules. In other words, each firewall rule should contain only IPv4 or only IPv6 addresses.


551349-4 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade

Component: TMOS

Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.

Conditions:
A monitor exists with a non-explicit address and explicit port on a BIG-IP system running 10.2.4. Then upgrade to 11.5.x (or install 10.2.4 ucs)

Impact:
Monitors appear to function normally, but they have the wrong format in the config file.

Workaround:
None.


550926-3 : AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When an AFM rule is configured to "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule.

Conditions:
Configure an address list of AFM rule with "unknown" source Geo-entity and at least one other entity (geolocation or IP address).

Impact:
Confusing, inconsistent, and apparently broken behavior.

Workaround:
Do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly.


550739-2 : TMSH mv virtual command will cause iRules on the virtual to be dis-associated

Component: Local Traffic Manager

Symptoms:
After renaming a virtual server that has attached iRules, the resulting virtual server configuration in tmm no longer has the iRules attached. The configuration in mcpd does not match the running configuration in tmm.

Conditions:
Must use the 'mv' command on an ltm virtual with iRules.

Impact:
Configuration is not as expected.

Workaround:
After moving the virtual, remove the iRules on it and re-add them.


550253-2 : SNMP query response for sysPacketFilterStatHits is incorrect

Component: TMOS

Symptoms:
The SNMP query response for sysPacketFilterStatHits returns an inaccurate value, typically zero.

Conditions:
This occurs when looking at sysPacketFilterStatHits via snmp.

Impact:
Unable to view packet filter hits.

Workaround:
The tmctl command tmctl packet_filter_rule_stat can be used to show the filter statistics.


550204-3 : Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables'

Component: Advanced Firewall Manager

Symptoms:
Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables'.

Conditions:
-- Issuing the command: bigstart restart iptables.
-- AFM configured.

Impact:
AFM Management Port rules disappear from iptables.

Workaround:
Before issuing the command 'bigstart restart iptables' issue the following command:

 /sbin/iptables-save > /etc/sysconfig/iptables


550161-2 : Networking devices might block a packet that has a TTL value higher than 230.

Component: Local Traffic Manager

Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.

Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).

Impact:
No access to the resources.

Workaround:
None.


549569-2 : tmm may crash if a memory allocation fails.

Component: Local Traffic Manager

Symptoms:
tmm may crash if a memory allocation fails.

Conditions:
A memory allocation failure that occurs with incompletely constructed RX queues.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


548866-1 : Tomcat might become unresponsive when the UI throws an Out of Memory Exception

Component: TMOS

Symptoms:
The UI might run out of memory on a memory-heavy page, such as the Network Map page of a configuration with many Virtual Servers, Pools, iRules, and Pool Members/Address Nodes, and the Tomcat UI server might become unresponsive.

Conditions:
Using the Network Map page to render the map with a large number of components and multiple consecutive users can cause the UI to run out of memory.

Impact:
The UI becomes unresponsive.

Workaround:
Use the search filter to reduce the result set. When the UI becomes unresponsive, restart Tomcat. Also, consider increasing the memory allocation for Tomcat.


548611-1 : Memory protection strategies can conflict

Component: Local Traffic Manager

Symptoms:
The TMM has three mechanisms to protect memory usage when under pressure: the sweeper responds to low memory with a variety of strategies such as killing idle flows; memory reaping is activated to restore memory to the system; and tcp random early drops are activated if configured.

Since these are all targeting the same memory levels by default, it's possible that all three activate and victimize more flows than required.

In addition, a flaw in the random early drop logic could cause unpredictable behavior.

Conditions:
Always.

Impact:
More flows are victimized than necessary when under memory pressure. One symptom is a large number of random early drops, and hovering right near the sweeper's low-water mark causing new flows to encounter the random early drop limits nearly immediately.

Workaround:
The sweeper's low-water mark can be adjusted, along with the tm.tcpmemorypressure.hiwater and tm.tcpmemorypressure.lowater variables so that they are not all at the same location; this can alleviate most symptoms of this issue.


548268-2 : Disabling an interface on a blade does not change media to NONE

Component: TMOS

Symptoms:
When an interface on a blade in a chassis is disabled, its media is not reported as NONE and the link on the other end stays UP.

Conditions:
Disabling an interface on a blade within a chassis.

Impact:
Media on the disabled interface is not reported as NONE and link on partner end is UP.

Workaround:
none


548114-1 : RAR for already deleted session returns RAA with 5012 error code

Component: Policy Enforcement Manager

Symptoms:
A session has already been deleted forcefully by PEM, but when the PCRF sends an RAR with the same session ID, PEM responds with an RAA carrying error code 5012 (unable to comply) instead of 5002 (unknown session ID).

Conditions:
Session Deleted when Gx connection down and tmm.pem.session.endpointDeleteResponse and tmm.pem.session.FinalUsageRecord set to low value to trigger forced delete.

Impact:
The PCRF still thinks the session exists, so it receives a wrong signal.

Workaround:
Make sure tmm.pem.session.endpointDeleteResponse is set to a high value so that the session is not deleted if the Gx connection is down for a short period of time.


547692-2 : Firewall-blocked KPASSWD service does not cause domain join operation to fail

Component: Access Policy Manager

Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, BIG-IP is not able to properly set the machine account password for the created machine account. However, there is also a bug on BIG-IP, which fails to report this failure back to the administrator.

Because the machine account itself was successfully created on the Active Directory side without the correct password, and BIG-IP failed to report the KPASSWD failure, the domain join operation appears to have worked perfectly.

However, since the password is never set on the Active Directory side, the machine account is effectively unusable, because BIG-IP is never able to establish a working SCHANNEL with the Active Directory server due to this password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, because setting the machine account password is not an operation the administrator is allowed to perform, this situation obscures the fact that KPASSWD was failing: the AD server never receives the request and so never logs any failure, while BIG-IP fails to detect the KPASSWD failure, so from the administrator's point of view the domain join appears to have worked perfectly.

Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.

Impact:
The created machine account is effectively unusable due to the password mismatch, and BIG-IP is never able to establish a working SCHANNEL, which renders the NTLM authentication feature non-functional.

Workaround:
Allow KPASSWD to reach ActiveDirectory server
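Because BIG-IP does not report the KPASSWD failure itself, a pre-flight check from the BIG-IP (or any host on the same path) that confirms each required service is reachable before the domain join is attempted is a practical defence. The following Python script is an added example, not F5 code or part of this release note; it checks the four services the issue names over TCP (udp/464 is not probed, so a UDP-only block would still need separate verification), and the port numbers for DNS, Kerberos and LDAP are the well-known ones, assumed here rather than taken from the page. The `probe` parameter exists so the decision logic can be exercised with constructed results.

```python
import socket
from typing import Callable, Dict, List

# Services the issue lists as required for the domain join operation.
# tcp/464 (KPASSWD) is named on the page; the other three ports are the
# well-known ones and are an assumption of this example.
REQUIRED_SERVICES: Dict[str, int] = {
    "DNS": 53,
    "Kerberos": 88,
    "LDAP": 389,
    "KPASSWD": 464,
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout), unreachable or DNS failure all count as blocked.
        return False


def blocked_services(host: str, probe: Callable[[str, int], bool] = tcp_reachable) -> List[str]:
    """Names of required services that could not be reached on `host`."""
    return [name for name, port in REQUIRED_SERVICES.items() if not probe(host, port)]


def preflight_ok(host: str, probe: Callable[[str, int], bool] = tcp_reachable) -> bool:
    """True only when every required service answered; a domain join performed
    while this is False should not be trusted even if BIG-IP reports success."""
    return not blocked_services(host, probe)


def preflight_report(host: str, probe: Callable[[str, int], bool] = tcp_reachable) -> str:
    """Human-readable summary for an operator or a change ticket."""
    blocked = blocked_services(host, probe)
    if not blocked:
        return f"{host}: all required services reachable; domain join can proceed"
    return f"{host}: do NOT trust a domain join result; blocked: " + ", ".join(blocked)


if __name__ == "__main__":
    # Constructed AD controller name; replace with the real domain controller.
    print(preflight_report("dc01.example.test"))
```

Run it from the BIG-IP shell (or a jump host with the same firewall path) before the join; a report that lists KPASSWD as blocked reproduces exactly the silent-failure condition this issue describes.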


547550-3 : avrd reports incorrect stat values

Component: Advanced Firewall Manager

Symptoms:
AVR has some uint32 counters for DoS statistics, both in HW and in SW, and these counters overflow over time.

Conditions:
When the system is running under heavy DoS traffic for a few hours, the DoS counters can overflow.

Impact:
The impact is only seen in some DoS stats; functionally, everything works without issue.

Workaround:
There is no workaround.


547479-2 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


546760-2 : snmpd will crash when performing snmp query on ifXTable of ifMIB.

Component: TMOS

Symptoms:
snmpd will crash when performing snmp query on ifXTable of ifMIB.

Conditions:
Perform snmp query on ifXTable of ifMIB.

Impact:
snmpd crashes.

Workaround:
When problem occurs, snmpd automatically restarts.


546516-1 : PEM: TMM core when deleting sessions unknown to the PCRF

Component: Policy Enforcement Manager

Symptoms:
TMM core.

Conditions:
When PCRF sends a CCA-T for a session with error code 5002 (UNKNOWN_SESSION_ID)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The PCRF should acknowledge the CCA-T with success code 2001 even if it is not aware of the session.


546145-4 : Creating local user for previously remote user results in incomplete user definition.

Component: TMOS

Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.

Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.

Impact:
User cannot authenticate. User name does not appear in User List.

Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.


546085-2 : On shutdown, SOD and other daemons very infrequently core due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Conditions:
System shutdown. The issue cannot be reproduced reliably, so the conditions for the crash are unknown.

Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.

Workaround:
None.


545986-1 : dnatutil aborts when encountering parse errors

Component: Carrier-Grade NAT

Symptoms:
dnatutil aborts further processing of logs when it encounters a recoverable parse error.

Conditions:
Using dnatutil on log entries that resemble parseable logs but fail to be processed by dnatutil.

Impact:
dnatutil stops processing the remaining log entries.

Workaround:
Filter out questionable log entries as reported by dnatutil


545946-2 : Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load

Component: TMOS

Symptoms:
Transparent/translucent Vlangroup may have its MAC address set to 02:00:00:00:00 on either the first configuration load after an upgrade or on a manual mcpd db clear/reload.

Conditions:
Transparent/Translucent vlangroup configured.
Upgrade to later version (11.3.0 through 12.1.0) or manually delete mcpd DB binary.

Impact:
The vlangroup MAC address is incorrect and can adversely affect traffic traversing the vlangroup.

Workaround:
Reload configuration or alter vlangroup configuration: e.g: set back and forth between transparency modes.


545799-2 : Dashboard fails to export derived throughput history

Component: TMOS

Symptoms:
Dashboard fails to export derived throughput history.

Conditions:
Exporting derived throughput history in the Dashboard.

Impact:
The derived stats are not included in the export file.

Workaround:
The derived stats can be calculated from the exported raw stats.


545796-3 : [iRule] [Stats] iRule is not generating any stats for executed iRules.

Component: Local Traffic Manager

Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.

Conditions:
This occurs when the following steps are taken:
1. Remove/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.

Impact:
No iRule usage stats available.

Workaround:
None.


545263-4 : Add SSL maximum aggregate active handshakes per profile and per global

Component: Local Traffic Manager

Symptoms:
The number of active SSL handshakes on one BIG-IP system is unbounded. With many concurrent handshakes, memory can be exhausted and cause system problems.

Conditions:
When the BIG-IP system has too many active SSL handshakes.

Impact:
The memory and/or CPU can be exhausted.


545214-2 : OSPF distance command does not persist across restarts.

Component: TMOS

Symptoms:
When ospfd is restarted, the value configured for the OSPF distance command is lost.

Conditions:
The distance command is configured in OSPF and the ospfd process is restarted.

Impact:
The distance command does not function as configured, which affects OSPF behavior.

Workaround:
None.


545081-1 : "tmsh install sys crypto cert" command fails to overwrite existing certificate

Component: TMOS

Symptoms:
When using the "tmsh install sys crypto cert cert_name from-local-file /cert_path/cert_file.crt" command, if a cert with the same name already exists, the command should still import the cert and overwrite the existing one when "no-overwrite" is not specified. However, it fails to overwrite the cert in this case and still complains: "The requested cert(cert_name.crt) already exists in this scope."

Conditions:
-- Using "tmsh install sys crypto cert" to import a cert.
-- The "no-overwrite" option is not specified in the tmsh command.
-- The specified cert name already exists.

Impact:
Unable to simultaneously update and overwrite a certificate using tmsh.

Workaround:
Although you cannot simultaneously update and overwrite the cert using tmsh, you can achieve the same result with these separate steps:
1. To remove the cert, which avoids the existing cert-overwrite situation, run the following command: tmsh install sys crypto cert cert_name.
2. To update the cert, run the tmsh cert import command.


544989-2 : distance cli command without access name in OSPF posts a memory allocation error.

Component: TMOS

Symptoms:
The OSPF distance command posts an error and is not effective in changing Open Shortest Path First (OSPF) behavior.

Conditions:
The system throws a memory allocation error when the distance command is used without an access list name. The access list name is an optional parameter in the following command (WORD represents the optional access list name):
distance <1-255> A.B.C.D/M (WORD|)

Impact:
The distance command does not function correctly and posts a memory allocation error.

Workaround:
None.


544906-1 : Issues when using remote authentication when users have different partition access on different devices

Component: TMOS

Symptoms:
User validation fails when adding a partition when the [All] partition already exists, or when adding the [All] partition if a specific (non-All) partition is already configured for that user.

For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].

Conditions:
Devices configured for remote authentication.

User A on device 1 with role on all-partitions.

User A on device 2 with role restricted to a single partition.

Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.

Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.

Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.


544463 : The BIG-IP system's management port drops egress Ethernet multicast traffic

Component: TMOS

Symptoms:
The BIG-IP system's management port drops egress Ethernet multicast traffic. You may experience this issue if you employ certain routing techniques in the network segment the management port connects to. For example, you may experience this issue if the BIG-IP system's default gateway on the management network is a pair of Check Point Secure Gateways configured in Load Sharing Multicast Mode. In this case, the IP address of the default gateway resolves to an L2 multicast address and, because of this issue, the BIG-IP system's management port ends up dropping traffic destined for the default gateway.

Conditions:
No special conditions are required to trigger this issue. However, only customers with unusual routing configurations are likely to actually notice this issue.

Impact:
As a result of this issue, certain destinations or certain services will not be reachable via the BIG-IP system's management port.

Workaround:
The Linux host configures a single-interface bridge over the management port to make certain tasks simpler. This issue has been shown to go away when multicast snooping is disabled for said bridge. You can disable multicast snooping for the management bridge by running the following command:

# echo 0 > /sys/class/net/mgmt/bridge/multicast_snooping

On a VIPRION chassis, the aforementioned command would have to be run on each blade.

The command is not permanent and the change is lost after a reboot of the system. To make the change permanent, you can add the command to the /config/startup file.


544033-2 : Fragmented ICMP Echo to Virtual Address may not receive response

Component: Local Traffic Manager

Symptoms:
In a very specific scenario, a response to an IPv4 ICMP Echo to a virtual address may not reach the originator.

Conditions:
- Client network MTU is lower than the BIG-IP system's ingress VLAN's MTU.
- Client ICMP Echo is larger than the client's MTU and is fragmented.

Impact:
Response is not received at client.

Workaround:
In certain version 11.x/12.x environments, it may be acceptable to disable PathMTU discovery.
If it is, this can be worked around by disabling the following DB Key:
tmsh modify sys db tm.pathmtudiscovery value disable

Note: this workaround is not available in BIG-IP software versions 10.x; 10.x has no workaround.


543344-1 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
When a BIG-IP system is configured as an explicit HTTP proxy, ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST. ACCESS iRule commands locate the associated session ID from the connection itself in one of two ways: either the session ID is embedded in the request, or the connection has previously been processed by ACCESS. When neither condition is satisfied, the ACCESS iRule command cannot find the associated session ID.

Conditions:
An ACCESS iRule command such as ACCESS::session data get/set or ACCESS::session exists is called without a session ID, and the caller expects the session ID to be resolved internally.

Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, they are processed as if the caller had provided an empty session ID in its arguments. As a result, ACCESS iRule commands return an empty result.

Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.


542898-3 : Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0

Component: TMOS

Symptoms:
After installing a new Virtual Edition software instance and booting into it, disk partition /var shows 100% used.

Conditions:
Virtual Edition only

Impact:
The system is generally unusable; applications cannot operate without space in /var.

Workaround:
1) reboot into the previous software location

2) delete the new software location that is non-functional

3) remove this file:
/shared/.tmi_config/global_attributes

4) install the new software again.


542781-1 : Tmm crash observed during load testing

Component: Policy Enforcement Manager

Symptoms:
TMM crashes, stack trace in logs.

Conditions:
A virtual server is configured on 0.0.0.0:3868, port 3868 is not disabled, and the VLAN list is not disabled for the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Block port 3868, or disable the virtual server's VLAN list, to prevent creation of the client-side connection.


542664-1 : No default boot volume is set when installing a vCMP guest from a hotfix iso.

Component: TMOS

Symptoms:
When creating a vCMP guest using both an initial-image and initial-hotfix, the default boot volume is not set. This causes any future software installation performed inside that guest to automatically become the default boot volume.

Conditions:
This issue occurs when a vCMP guest is created from a hotfix build of BIG-IP.

Impact:
The default boot location is not set, which causes subsequent software installations inside the guest to be automatically marked default. Upon a reboot of an affected guest, the system boots into a newly installed volume, which might not be the desired behavior.

Workaround:
Once the vCMP guest is running, perform the following steps:

1. Log in to the guest via ssh or the vconsole utility.
2. Run the switchboot utility.
3. Select the appropriate volume to be the default boot location (there might be only one option in this list).
4. Press Enter.

If the selected boot location is the current or only volume, it is marked as the default boot volume and the guest does not reboot.
If the selected boot location is not the currently booted volume, the guest immediately reboots into the selected volume.

Verify the operation was successful by issuing the command: grub_default -l.
The output of the command should resemble this:
-- config # grub_default -l
HD1.1 active yes default yes title BIG-IP 11.6.0 Build 5.0.429
As long as the appropriate volume is marked 'default yes', the operation is complete.


542292-2 : GUI might cause MIB files to be uncompressed when downloading from GUI with Chrome.

Component: TMOS

Symptoms:
In certain circumstances the BIG-IP GUI might cause MIB files to be served uncompressed, but with tar.gz extension.

Conditions:
Use Chrome to download BIG-IP MIB files from the GUI.

Impact:
MIB files are uncompressed.

Workaround:
Do not attempt to uncompress the MIB files further if downloaded with Chrome. Simply untar and use as normal. Renaming the file may help avoid further confusion.


542191-2 : Snmpd V1 and V2c view based access.

Component: TMOS

Symptoms:
SNMP v3 allows for 'views' to be created. These views can be a union of multiple sub-branch OID access config statements. Users/groups can then be assigned to a view.

Conditions:
If more than one snmpd view is specified per community string, the second view is not accessible. Note: a view is a portion of a MIB tree defined by an OID.

Impact:
The BIG-IP system does not support view configuration. If multiple views are created using the lines: rouser USER [noauth|auth|priv [OID]], the system adds only one of them to the snmpd.conf file.

Workaround:
Multiple views with the same community string are not supported.


542009-2 : tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.

Component: Local Traffic Manager

Symptoms:
tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message. You might notice the following in /var/log/ltm prior to the core:
notice MPI stream: connection to node nodedadress expired for reason: Internal error (bad magic) (mpi_proxy.c:664)

Conditions:
This is an internal condition related to TMMs passing messages between each other. The cause of the invalid internal message is unknown.

Impact:
tmm might loop, using 100% of CPU, and eventually get killed by sod.

Workaround:
None.


541693-2 : Monitor inheriting time-until-up and up-interval from parent incorrectly via GUI

Component: TMOS

Symptoms:
Monitors inherit incorrect time-until-up and up-interval from parent.

Conditions:
Create a parent monitor with non-default time-until-up and up-interval values. Using the GUI, create a child monitor.

Impact:
The child monitor's time-until-up interval value is set to default (0). The up-interval value is incorrectly inherited from the parent.

Workaround:
Set the time-until-up value for the child to the desired value.


541550-1 : Defining more than 10 remote-role groups can result in authentication failure

Component: TMOS

Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:

notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false

Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.

Impact:
User cannot authenticate.

Workaround:
None.


541261-2 : Clientless NA fails when iRule agent is present in access policy

Component: Access Policy Manager

Symptoms:
The failure happens when the client is redirected to /vdesk/webtop.eui. This URI is whitelisted as a portal-protected URI, and when the request does not carry a valid session ID (sid), the action is to create a new session. Because this is clientless mode there are no cookies, so the system concludes it needs to create a new session. The old session is then deleted, and the logs report a logout due to user request.

Conditions:
Windows 8.1 + APM 11.5.3.
Logon page -> irule agent -> Advanced resource assign (NA+NA webtop) -> Allow
  (no auth for logon page, everything should lead to allow)

Try to log on with the Windows inbox VPN client.

Impact:
The VPN connection fails with an "invalid credentials" error. Logs show the session deleted due to a user logout request.

Workaround:
None.


540928-3 : Memory leak due to unnecessary logging profile configuration updates.

Component: Application Security Manager

Symptoms:
There is a memory leak in ASM control plane daemons after processing many calls in a long-lived process.

Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)

Impact:
Memory consumption by ASM control plane daemons increases.

Workaround:
Restart ASM, which causes a failover and downtime.

Or just kill asm_config_server:
-----------------------
pkill -f asm_config_server
-----------------------
The ASM process watchdog restarts it in about 15 seconds; this should cause neither failover nor downtime.


540923-1 : TMSH list node filtering no longer filters correctly.

Component: TMOS

Symptoms:
In some circumstances the use of filters in the 'tmsh list ltm node' command no longer works correctly, returning all values instead.

Conditions:
Use of filter in the 'tmsh list ltm node' command.

Impact:
Filter is not applied, so all results are returned.

Workaround:
None.


540777-2 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command: tmsh show sys services. Here is an example of the status when the system is in this state: subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log contains numerous messages similar to the following: Received broken packet. Closing session. The /var/log/sflow_agent.log contains numerous messages similar to the following: AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.


540054-3 : tmm crash when DoS protection and behavior analysis enabled on virtual server

Component: Advanced Firewall Manager

Symptoms:
tmm crash when DoS protection and behavior analysis enabled on virtual server.

Conditions:
This occurs when the following conditions are met:
1) Provision AFM and LTM.
2) Enable DoS protection, Behavior Analysis in DoS profiles.
3) The DoS profile is associated with a virtual server.
4) Bad packets are sent to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
DoS network behavioral analysis should never be configured, since it does not provide any needed functionality.

If any security dos profiles contain 'behavioral-analysis enabled', these should be changed to 'behavioral-analysis disabled'.


539832-3 : Zebos: extended community attributes are exchanged incorrectly in BGP updates.

Component: TMOS

Symptoms:
1. BGP is not sending extended community attributes in BGP Updates to its neighbors in versions prior to 11.6.0.
2. BGP is unable to accept new BGP UPDATE messages that contain extended communities from its neighbors in version 11.6.0 and later.
3. On the sending neighbor, the route-map is reapplied to the prefix every time the connection is torn down by the neighbor, resulting in an ever increasing extended community list.

Conditions:
Configure BGP extended community attribute.

Impact:
Loss of/incorrect info related to extended community attribute.

Workaround:
None.


539687-1 : No logs for Proactive Bot Defense drops.

Component: Advanced Firewall Manager

Symptoms:
A RST is sent in response to a request. There is no logging or other indication of this reset.

Conditions:
The virtual server has an application DoS profile attached with Proactive Bot Defense turned on.

Impact:
A connection terminates. The absence of logging causes confusion.

Workaround:
N/A


539648 : Disabled db var Watchdog.State prevents vCMP guest activation.

Component: TMOS

Symptoms:
If a vCMP guest user disables the watchdog using the db variable Watchdog.State, then the vCMP guest does not reach a running state as reported by the vCMP host.

Conditions:
This occurs when the user sets sys db Watchdog.State value disable.

Impact:
vCMP guest fails to be operational.

Workaround:
Do not change the Watchdog.State db variable. The vCMP host requires the watchdog to monitor the guest health.


539439-1 : Using the pool command in HTTP_PROXY_REQUEST event occasionally fails

Component: Local Traffic Manager

Symptoms:
Use of HTTP::proxy disable with a pool command occasionally fails.

Conditions:
For each session, the very first request with the Proxy-Authorization header will get a RST, although the authentication is successful. That means that the request is not proxied to the backend proxy. Further requests are processed normally.

Impact:
The connection is reset when the pool command is used in an HTTP_PROXY_REQUEST iRule. Subsequent requests go through successfully.

Workaround:
None.


539125-2 : SNMP: ifXTable walk should produce the available counter values instead of zero

Component: TMOS

Symptoms:
The SNMP ifXTable presents zeros for the attributes hc_in_multicast_pkts and hc_out_multicast_pkts. However, this data is available on the BIG-IP system and should be presented.

Conditions:
snmpwalk the ifTable and the ifXTable. The ifTable shows Counter32 values for attributes in_multicast_pkts and out_multicast_pkts, but the ifXTable shows zeros for the Counter64 equivalent attributes hc_in_multicast_pkts and hc_out_multicast_pkts (except for vlans, which are correct).

Impact:
Inability to characterize/view counts for the above-referenced multicast packets via SNMP.


539026-1 : Stats refinements for reporting Unhandled Query Actions :: Drops

Component: Local Traffic Manager

Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error

but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors

Drops refers to the dropped packets for the system, not specifically for Unhandled Query Actions. It would be clearer if there were one dropped-packets stat for the system and another specifically for Unhandled, and if stats for Allow packets were added under Unhandled.

Conditions:
Statistics pages for Unhandled Query Actions :: Drops.

Impact:
May be confusing to determine what the statistics mean.

Workaround:
None.


539018-3 : TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file.

Component: Access Policy Manager

Symptoms:
When TMM is stuck in a loop and killed by the monitoring process, the stack trace is always logged in the parent TMM thread's log file instead of the looping TMM thread's log file.

Conditions:
TMM stuck in a loop and aborted by monitor process.

Impact:
It is unclear which TMM thread was looping and caused the crash and failover.


538705-1 : tmm assert 'valid private'

Component: Local Traffic Manager

Symptoms:
tmm crashes with the following message in /var/log/ltm: Assertion "valid private" failed
This is followed by a SIGFPE message.

Conditions:
This is an internal issue which occurs when processing syn cookies on a non-TCP4 flow.

Impact:
tmm asserts 'valid private', produces a core file, and restarts.

Workaround:
None.


537227-2 : EdgeClient may crash if special Network Access configuration is used

Component: Access Policy Manager

Symptoms:
EdgeClient crashes during the connect or disconnect process. The exact timing varies.

Conditions:
EdgeClient may crash if Network Access contains configuration which includes:
Full-tunnel
Allow DHCP or Allow Local subnets is used
There is a proxy between client and APM

Impact:
EdgeClient crashes prevent Network Access from working.

Workaround:
Remove one of the conditions that cause the crash.


537209-2 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'

Component: Local Traffic Manager

Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.

Conditions:
A virtual is processing traffic that contains a Fastl4 profile with idle timeout set to 'immediate'.

Impact:
Traffic is reset on a virtual server that should handle it normally.

Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.


536563-2 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.

Component: Local Traffic Manager

Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.

Impact:
Unexpected RSTs (Clientside).

Workaround:
None.


536505-3 : DHCPv6 - pool member not selected if it returns from DOWN state

Component: Local Traffic Manager

Symptoms:
A DHCP relay that has more than one pool member configured forwards requests to all of them as expected. However, if there is a constant flow of DHCP traffic from the client and monitors change the state of these pool members, a pool member that was down does not get traffic when it comes up, and a pool member that goes down still receives forwarded DHCP traffic.

Conditions:
Pool member states change after sessions are created.

Impact:
Pool members are not used if they become active after sessions are created, or remain in use when they are inactive.

Workaround:
After pool member states change, delete all the sessions and re-create them.


535904-2 : BD crashes when attempting to access a closed connection

Component: Application Security Manager

Symptoms:
The Enforcer Application system generates a BD core file to the /shared/core directory.

Conditions:
One or more of these features is turned on: session tracking, web scraping, ICAP, ASM iRules. The client side or the server side prematurely closes the connection.
Some load is present on this traffic.

Impact:
The Enforcer Application system may temporarily fail to process traffic.

Workaround:
N/A


535122-1 : tmsh create sys ssl-cert command does not add .crt extension.

Component: Local Traffic Manager

Symptoms:
The "tmsh create sys file" command (and also iControl REST) does not add the appropriate extension when creating a key/cert/csr/crl.

Conditions:
When using the tmsh command:
"tmsh create sys file"

Impact:
The key/cert/csr/crl file extensions are missing, and the created SSL certificate cannot be archived. The GUI displays a "Not found" error when you try to archive it.

Workaround:
Include the .crt extension in the file name when importing the certificate using tmsh.


534472 : Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name.

Component: Advanced Firewall Manager

Symptoms:
Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name.

Conditions:
Using iControl REST to collect DoS stats.

Impact:
Failure to obtain desired stats.


533956-1 : Portal Access: Space-like characters in EUC character sets may be handled incorrectly.

Component: Access Policy Manager

Symptoms:
Extended Unix Code (EUC) character sets include several white space characters which have no ASCII equivalents. These characters are not recognized as white spaces by Portal Access. This may lead to incorrect handling of HTML pages, XML files and/or JavaScript files in these character sets.

Conditions:
- HTML page, XML file or JavaScript file in any EUC encoding scheme (EUC-JP, for example).

Impact:
Page or file in EUC encoding scheme may not be parsed correctly.

Workaround:
Use an iRule to replace the non-ASCII-compatible white space characters with ordinary spaces.


533174 : Several "Standard MIB" OIDs were not supported correctly

Component: TMOS

Symptoms:
Certain OIDs in the IP-MIB, IF-MIB and Etherlike-MIB were either not supported by the BIG-IP system, or the returned MIB query data related to the interface index (IfIndex) was incorrect or inconsistent with the IfIndex returned by the IF-MIB::ifTable.

Conditions:
No special conditions.

Impact:
Customer could not relate interface data from one MIB table to another.

Workaround:
None.


532904-2 : Some HTTP commands fail validation when it is in a proc and the proc is called from another proc

Component: Local Traffic Manager

Symptoms:
The following HTTP commands fail validation:

HTTP::uri
HTTP::version
HTTP::header
HTTP::method

Validation fails with the following error:
HTTP::uri command in a proc in rule (<the rule>) under event at virtual-server (<the virtual>) does not satisfy cmd/event/profile requirement.

Conditions:
Command is in a proc and the proc is called from another proc.

Impact:
Config load fails.

Workaround:
Directly call the proc from an iRule, instead of from the proc.


532828 : Changing from a standard virtual server to a FastHTTP server may stop processing traffic

Component: Local Traffic Manager

Symptoms:
With a pre-existing Virtual Server, modifications that change from an L7 virtual to a FastHTTP virtual may stop processing traffic.

Conditions:
Using a standard virtual, switch to a FastHTTP virtual.

Impact:
The virtual stops processing traffic until a bigstart restart.

Workaround:
Perform a bigstart restart.


532294 : Use of GTP Profile Requires Extended Protocols License

Component: Service Provider

Symptoms:
Until this release, the requirement of acquiring a license for Extended Protocols to use the GTP protocol has not been enforced. After this release, that requirement will be enforced.

Conditions:
Usage of GTP Profile without Extended Protocols license

Impact:
Users will be unable to use GTP Profile without Extended Protocols License.

Workaround:
None.


531966 : APM ACLs can block ICA file generation on APM Webtop

Component: Access Policy Manager

Symptoms:
APM ACLs can block ICA file generation on APM Webtop. As a result, Citrix app on APM Webtop cannot be started.

Conditions:
APM ACLs block the internal ICA file generation request; an example is a deny-all L4 ACL.

Impact:
Citrix app on APM Webtop cannot be started.

Workaround:
Add an allow ACL that permits the ICA file generation request destined for the virtual server servicing the Citrix application.

Use the ACL logging in /var/log/pktfilter to determine the rule needed for such an allow ACL.


530927-2 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed

Component: TMOS

Symptoms:
If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.

Conditions:
Interfaces use a lower speed than their capacity.
Trunk is created where the highest speed of any of the members is this reduced speed.
Interface, also lowered, is added to the trunk.

Impact:
Interface cannot be added to the trunk.

Workaround:
Remove all interfaces, then re-add them all at the same time.


530877-4 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Component: Local Traffic Manager

Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.

If the iRule contains a suspending command, the system may eventually stop accepting connections to any TCP virtual servers that have the Verified Accept option enabled.

Conditions:
This occurs when all of the following conditions are met:
- Standard Virtual Server is configured.
- Virtual Server is configured with a TCP profile in which Verified Accept is enabled.
- The client sends its initial data in the ACK of the three-way handshake.

Impact:
Depending on the scenario, this might:
- Result in the specific connection being reset.
- Eventually result in TMM being unable to process any further connections to virtual servers with Verified Accept enabled.

Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking whether the variable has been set on subsequent runs.


530530-2 : [mcpd] TMSH "range" filter for 'show sys log' fails to work as expected

Component: TMOS

Symptoms:
tmsh 'show sys log' does not work as expected with the 'range' filter.

Conditions:
Use range filter for 'tmsh show sys log'.

Impact:
tmsh cannot filter the log correctly with the 'range' filter.

Workaround:
Specify a range of at least 8 hours around the designated time.


530102-2 : Illegal meta characters on XML tags -

Component: Application Security Manager

Symptoms:
After upgrading from 11.4.1 to 11.6.0, 11.6.1 or 12.0.0, you see many "Illegal meta character in value" false positives on your XML content. The flagged characters are valid within XML (<, >, /, :, etc.), and the affected URLs are associated with legitimate XML profiles via header-based content profiles.
From the security event report, one can see that the invalid characters are for the global UNNAMED wildcard parameter and that the request is a multipart POST.

Conditions:
An XML profile is assigned to the wildcard URL, which has a Header-Based Content profile.

Impact:
False-positive violations can occur in parameter enforcement (since the content is XML, not parameter content).

Workaround:
N/A


530092-1 : AD/LDAP groupmapping is overencoding group names with backslashes

Component: Access Policy Manager

Symptoms:
Adding a group value that contains space(s) manually in AD/LDAP Group Resource Assign actions will result in the space(s) being escaped and thus invalidating match attempts. For example, adding group 'Foo Bar' (without the quotes) will result in an expression found in bigip.conf as follows:

expression "expr { [mcget -decode {session.ldap.last.attr.memberOf}] contains \"CN=Foo\\\\ Bar\" }"

The value '\"CN=Foo\\\\ Bar\"' will not match a memberOf group returned that contains 'CN=Foo Bar,...'.

Conditions:
The group name contains spaces, which are encoded with backslashes.

Impact:
Matching on the memberOf group does not work.

Workaround:
N/A


529912 : Input Names that are configured as "Parameters" in BIG-IP and are getting encoded in special characters via the EncodedURI JavaScript function are ignored after the submission.

Component: Fraud Protection Services

Symptoms:
Input Names that are configured as "Parameters" in BIG-IP and are getting encoded in special characters via the EncodedURI JavaScript function are ignored after the submission.

Conditions:
After configuring the required input on the BIG-IP system, log in to the page and submit it.

Impact:
The input's value is not decrypted. The password/encryption target does not go through the decryption phase, so the login into the account does not succeed.

Workaround:
None.


529627-1 : LDAP StartTLS may fail on serverside when persistence is configured

Component: Local Traffic Manager

Symptoms:
In some circumstances, the server-side StartTLS setup may fail when an LDAP client requests it and the LDAP virtual server is used with a persistence profile.

Conditions:
- LDAP virtual server with client and server profiles.
- LDAP profiles with STARTTLS Activation Mode set to Allow.
- Persistence profile (for example, src addr persistence).

Impact:
The server-side connection does not upgrade to TLS.

Workaround:
Do not use an LDAP virtual server with a persistence profile.


529395 : Local-only network IP forwarding virtual server not forwarding traffic on standby system

Component: Local Traffic Manager

Symptoms:
A local-only network IP forwarding virtual server does not forward traffic on standby systems.

Conditions:
BIG-IP systems in a high-availability (HA) device cluster, with an IP forwarding virtual server in traffic-group-local-only.

Impact:
Traffic is forwarded only on active BIG-IP systems.

Workaround:
None.


528894-2 : Config sync after sub-partition config changes results in extra lines in the partition's conf file

Component: TMOS

Symptoms:
Config sync after sub-partition config changes results in extra lines in the partition's conf file.

Conditions:
Make changes in any partition other than /Common, then config sync without overwrite.

Impact:
/config/partitions/partition_name/bigip_base.conf in the partitions folder has trunk and ha-group configuration. /config/bigip_base.conf no longer has the trunk and ha-group configuration.

Workaround:
'Sync Device to Group' with 'Overwrite Configuration' enabled.


528424-3 : IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state

Component: Access Policy Manager

Symptoms:
Tooltips/toast notifications are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc.). Beginning with Microsoft Windows 8, tooltips are replaced by toast notifications; Windows 10 does not convert tooltips to toast notifications for the F5 WebComponent.

Conditions:
The problem occurs under these conditions:
- Internet Explorer 11.
- Windows 10.
- Network Access changes state.

Impact:
User is not notified about state change.

Workaround:
To enable tooltips, in Group Policy change this setting:
"User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Disable showing balloon notifications as toasts" to Enable.


528406 : Errors in monpd log after upgrade from version 11.5.x regarding deprecated widgets

Component: Application Visibility and Reporting

Symptoms:
Errors appear in monpd log after upgrading from version 11.5.x regarding deprecated widgets. For example, "Failed on primary blade: Undefined entity dosl7_ip was used".

Conditions:
Defining widgets in 11.5.x with entities that are no longer in use in later versions and upgrading to 11.6.x or 12.0.0.

Impact:
Errors in monpd log (no other "serious" impact).

Workaround:
After upgrading to the new version, remove all widgets from the Analytics :: HTTP : Overview page and the Security :: Overview : Summary page, and create new ones.


528401-1 : Using an iRule to enable/disable a profile does not enable/disable the profile

Component: Local Traffic Manager

Symptoms:
When using an iRule to enable/disable a profile, the profile is being enabled/disabled on every other iRule invocation.

Conditions:
Reusing a connection between requests and using an iRule to enable/disable a profile.

Impact:
The profile is not enabled/disabled as expected.

Workaround:
None.


528343-2 : Loading cli preference that does not contain the user attribute will fail

Component: TMOS

Symptoms:
Under certain circumstances, cli preference config objects can be saved without a user attribute. Loading such a cli preference results in the error "Loading a preference requires user name specified".

Impact:
Loading an SCF or UCS configuration fails.

Workaround:
Remove the cli preference that does not contain the user attribute from the configuration (/config/bigip_user.conf or the SCF) and reload.


528295-4 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Component: TMOS

Symptoms:
A 10.x UCS contains LTM virtual servers with ARP disabled. Loading the 10.x UCS on an 11.4.x or later system causes the ARP and ICMP echo setting values to be flipped each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on an 11.4.x or later system.

Impact:
The ARP and ICMP echo setting values are flipped each time the load occurs. Note that the virtual server's ICMP echo field is flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.


528228 : Monitor with alias port fails for FQDN nodes

Component: Local Traffic Manager

Symptoms:
When a node is configured using an FQDN and a port-specific monitor is assigned at the node level, the BIG-IP system sends the probe to the incorrect destination port.

Conditions:
Assign a port-specific monitor at the node level to an FQDN node.

Impact:
You cannot monitor the specified port on an FQDN node.

Workaround:
Apply the monitor at the pool level rather than the node level for correct operation.


528198-2 : reject in iRule event FLOW_INIT may not respond with an RST

Component: Local Traffic Manager

Symptoms:
reject in the iRule event FLOW_INIT currently does not respond with an RST.

Conditions:
An iRule on a TCP virtual server that calls reject in the FLOW_INIT event.

Impact:
No RST is sent.

Workaround:
If licensed/provisioned for AFM, "ACL::action reset" can be an option.


528139-3 : Windows 8 client may not be able to renew DHCP lease

Component: Access Policy Manager

Symptoms:
VPN disconnects after the DHCP lease expires.

Conditions:
BIG-IP Edge Client is running on Windows 8.
"Allow access to local DHCP servers" is checked in Network Access settings.

Impact:
VPN may disconnect and user must connect to VPN again.
ipconfig /renew will not work.

Workaround:
DHCP lease timeout is automatic and works properly. Also, end users can first run ipconfig /release and then ipconfig /renew to manually renew a lease.


528083-2 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Conditions:
System shutdown. The issue cannot be reproduced reliably, so the conditions for the crash are unknown.

Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.

Workaround:
None


528064-1 : GUI does not reflect connection type of "No Server" for AAA CRLDP server

Component: Access Policy Manager

Symptoms:
When you set the "Server Connection" of a new or existing AAA CRLDP server to "No Server" and save it from the GUI, subsequent visits to the CRLDP properties page show Server Connection set to Direct.

Conditions:
This occurs whenever the setting is saved from the GUI.

Impact:
The GUI presents the incorrect state, which is confusing to administrators.

Workaround:
Use tmsh to set "Server Connection" back to "No Server" by setting the address to "::" and saving.


528052-1 : System remains OFFLINE after running tmsh run cm config-sync recover-sync

Component: TMOS

Symptoms:
When ASM is provisioned, running the command "tmsh run cm config-sync recover-sync" causes the device to remain offline. This command resets all of the local device configuration, after which the device is expected to come back online within several minutes.

Conditions:
ASM is provisioned and FPS is not provisioned.

Impact:
The system remains OFFLINE and does not handle incoming traffic.

Workaround:
Two workaround options:
1. Re-provision ASM:
   tmsh modify sys provision asm level nominal
2. Reboot the device.


527907-4 : TCP reject Virtual Servers may not respond with TCP reset

Component: Local Traffic Manager

Symptoms:
Reject virtual servers configured with IP protocol TCP may not respond to TCP SYN packets with a TCP RST, silently dropping them instead.

All-protocols and UDP reject virtual servers are unaffected.

Conditions:
- Virtual Server, type Reject
- Virtual server ip-protocol set to TCP only.

Impact:
TCP SYN packets are silently dropped.

Workaround:
Use all-protocols, or use a standard virtual server and reject via an iRule.


527720-2 : Rare 'No LopCmd reply match found' error in getLopReg

Component: TMOS

Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.

This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.

This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.

Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.

Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.

Workaround:
None.


527668-1 : "Minimize to tray" option doesn't work in IE with latest updates if APM is not in Trusted Sites list

Component: Access Policy Manager

Symptoms:
KB3058515 introduces new security changes in Internet Explorer versions 9, 10, and 11. As a result, a plug-in running on a site that is not in the Trusted Sites list cannot create a tray icon.

Conditions:
The problem occurs under these conditions:
1. KB3058515 is installed.
2. Client machine has Internet Explorer version 9, 10 or 11.
3. APM virtual server is not in Trusted Sites list.

Impact:
Minimize to tray option does not work.

Workaround:
To work around the problem, uninstall KB3058515 or add the APM virtual server to the Trusted Sites list.


527387-1 : Timeout config settings can result in incorrect monitoring

Component: Global Traffic Manager

Symptoms:
Pool members may not be marked correctly. They may be marked UP when they should be DOWN, or vice versa.

Conditions:
If a monitor is configured with a timeout that is less than the interval, such as:
gtm monitor external /Common/sample-timeout {
    defaults-from /Common/external
    destination *:*
    interval 10
    probe-timeout 22
    run /Common/sample_monitor
    timeout 5
}

Impact:
GTM may not notice that the monitored pool member is DOWN and leaves it marked UP. Pool members may be erroneously marked UP and used as answers in DNS responses, directing clients to unreachable nodes.

Workaround:
Configure monitors with a timeout value that is greater than the interval value.
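The rule in this workaround is easy to check mechanically against a saved configuration. The following is an added example, not F5 tooling: it parses tmsh-format gtm monitor stanzas like the one shown above and flags any monitor whose timeout is not greater than its interval. The sample configuration is constructed for the example; a monitor that inherits one of the two values via defaults-from is reported as unresolved rather than guessed at, since this parser does not follow the parent chain.

```python
import re

# Constructed sample in the tmsh format of the stanza shown above.
# sample-timeout is the bad case (timeout 5 < interval 10); sample-ok is fine;
# sample-inherited leaves both values to defaults-from, which this check
# does not resolve.
SAMPLE_CONFIG = """\
gtm monitor external /Common/sample-ok {
    defaults-from /Common/external
    destination *:*
    interval 10
    probe-timeout 22
    run /Common/sample_monitor
    timeout 31
}
gtm monitor external /Common/sample-timeout {
    defaults-from /Common/external
    destination *:*
    interval 10
    probe-timeout 22
    run /Common/sample_monitor
    timeout 5
}
gtm monitor http /Common/sample-inherited {
    defaults-from /Common/http
    destination *:*
}
"""

# One stanza: "gtm monitor <type> <name> {" ... "}" at column 0.
STANZA_RE = re.compile(r"^gtm monitor (\S+) (\S+) \{\n(.*?)^\}", re.M | re.S)
# Only the two attributes the rule depends on; probe-timeout is deliberately
# not matched because "timeout" must start the attribute name.
INT_ATTR_RE = re.compile(r"^\s*(interval|timeout)\s+(\d+)\s*$", re.M)


def parse_monitors(text):
    """Return {name: {"type": str, "interval": int|None, "timeout": int|None}}."""
    monitors = {}
    for mtype, name, body in STANZA_RE.findall(text):
        attrs = {"type": mtype, "interval": None, "timeout": None}
        for key, value in INT_ATTR_RE.findall(body):
            attrs[key] = int(value)
        monitors[name] = attrs
    return monitors


def check_timeouts(monitors):
    """Classify each monitor as 'ok' (timeout > interval), 'bad' (timeout not
    greater than interval, the condition described above) or 'unresolved'
    (a value is inherited and not visible in the stanza)."""
    results = {}
    for name, attrs in monitors.items():
        interval, timeout = attrs["interval"], attrs["timeout"]
        if interval is None or timeout is None:
            results[name] = "unresolved"
        elif timeout <= interval:
            results[name] = "bad"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    for name, verdict in check_timeouts(parse_monitors(SAMPLE_CONFIG)).items():
        print(f"{name}: {verdict}")
```

Run it against the output of 'tmsh list gtm monitor' saved to a file; anything reported as bad is a candidate for the mis-marking described in this entry, and anything unresolved needs the parent monitor checked by hand.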


527206-3 : Management interface may flap due to LOP sync error

Component: TMOS

Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.

Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.

Workaround:
None.


527185 : 'Data publisher not found or not implemented ...' errors in /var/log/ltm

Component: TMOS

Symptoms:
Errors similar to the following appear in the /var/log/ltm log file:

-- err mcpd[7447]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (25538).
-- err mcpd[7447]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (25550).

Conditions:
A BIG-IP system under management by Enterprise Manager.

Impact:
The error is benign and may be ignored.

Workaround:
None.


527119-3 : Iframe document body could be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
End users report being unable to use certain page elements in Chrome (such as the Portal Access menu), and it appears that JavaScript has not properly initialized.

Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code:
    iframe.contentDocument.write(html);
    iframe.contentDocument.close();
    <any operation with iframe.contentDocument.body>

One application known to contain such code and fail after APM rewriting is the TinyMCE editor.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.


527080 : Upgrade of invalid IP address or FQDN configuration.

Component: Local Traffic Manager

Symptoms:
Every node must have a unique IP address or FQDN. If a saved configuration violates that constraint, the upgrade fails when the configuration fails validation.

Conditions:
Configuration contains nodes that do not have unique IP addresses or FQDNs.

Impact:
Configuration fails to load on upgrade. The system posts messages similar to the following in the ltm log:

-- err tmsh[9336]: 01420006:3: Loading configuration process failed.
-- emerg load_config_files: '/usr/bin/tmsh -n -g load sys config partitions all' - failed. -- 01070734:3: Configuration error: Invalid FQDN : the node already exists for (www.siterequest.com) Unexpected Error: Loading configuration process failed.
-- err mcpd[7634]: 01070425:3: Full configuration load failed.

Workaround:
Delete duplicate IP addresses or FQDNs and retry the upgrade/load.


526829-2 : Enable client side encoding by default in DoS Layer 7

Component: Application Security Manager

Symptoms:
The client-side challenge does not encode the parameters of POST requests by default. A system protected by DoS Layer 7 can be broken by the proactive mitigation (not during attacks) or by the client-side challenge mitigation (during attacks).

Conditions:
Client-side DoS mitigation or proactive bot defense is enabled. A POST request is sent whose parameters need to be decoded.

Impact:
The application might break in this scenario by receiving parameters that are not encoded.

Workaround:
Manually set the cs_encode parameter to enabled and, to compensate for the performance penalty, reduce cs_max_request_size from 50k to 10k or lower.


526708-2 : system_check shows fan=good on removed PSU of 4000 platform

Component: TMOS

Symptoms:
Running system_check on a 4000 platform with one PSU removed still shows the status FAN=good; STATUS=good.

Conditions:
This applies only to the BIG-IP 4000 platform.

Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.


526642-2 : iRule with HTML commands inside can be attached to Virtual server without HTML profile

Component: TMOS

Symptoms:
If an iRule containing HTML commands is attached to a virtual server that has no HTML profile, the iRule may fail with an 'Unknown error' message in the log.

Conditions:
- iRule with HTML commands
- Virtual server without HTML profile
- the iRule is attached to this server

Impact:
The iRule does not work as expected.

Workaround:
A virtual server that uses an iRule with HTML commands should also have an HTML profile.


525847-2 : SNMP manager doesn't accept community name in double quotes in packet capture.

Component: TMOS

Symptoms:
When SNMP traps are configured via the tmsh sys snmp v2-traps (trap2sink directive) or v1-traps (trapsink directive) commands, the community name contains double quotes in the packet capture. The SNMP manager therefore rejects the trap because of the community mismatch.

On the other hand, if traps are configured using tmsh sys snmp traps (trapsess directive), the community name does not contain double quotes, which is the expected behavior.

Conditions:
Use tmsh sys snmp v2-traps or tmsh sys snmp v1-traps to configure SNMP traps.

Impact:
The community name contains double quotes in the packet capture, which causes the SNMP manager to reject the trap because of the community mismatch.

Workaround:
Use tmsh sys snmp traps.


524735-5 : Use a DB variable to control whether IPsec interface should enforce policy check

Component: TMOS

Symptoms:
The IPsec tunnel interface enforces the traffic-selector policy on its internal traffic. That is, the source and destination addresses of a packet going through the tunnel must comply with the traffic selector associated with the tunnel; otherwise, the packet is dropped. Sometimes such policy enforcement is not needed.

Conditions:
You want to use the IPsec tunnel interface as a secure transport, and do not want the interface to filter traffic.

Impact:
This limits the use of the IPsec interface feature for traffic protection.

Workaround:
Associate the IPsec tunnel interface with a traffic selector broad enough to accommodate the desired traffic. Note that the selector is what restricts which source and destination addresses the tunnel carries, so widening it also widens the traffic the tunnel accepts.


524277 : Missing power supplies issue warning message that should be just a notice message.

Component: Local Traffic Manager

Symptoms:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.

Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.

Conditions:
Running a chassis with absent power supplies, or with power not applied to them, causes warning messages in /var/log/ltm.

Impact:
Extra logging.

Workaround:
Ignore missing power supply warning messages.


524193-4 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified on a tmsh snmp community command (add, modify, delete, replace-all), only the first address is saved.

Conditions:
Multiple source addresses are specified on a tmsh snmp community command.

Impact:
The command is accepted, but only the first address is allowed SNMP access.

Workaround:
Add an additional source address to another snmp community object that has the same community string.


524123-3 : iRule ISTATS::remove does not work

Component: TMOS

Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.

Conditions:
Invoking the ISTATS::remove command from an iRule.

Impact:
The value of the iStat remains defined.

Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.


524009-1 : Incorrect parsing of abnormal request headers during DOS attacks

Component: Advanced Firewall Manager

Symptoms:
When the DoS profile is in use and a client-side mitigation is active, in some rare cases the request headers are parsed incorrectly, causing valid requests to be reset.

Conditions:
DOS profile is used, DOS attack is active and mitigated using Client-Side Integrity. This is only relevant for the requests which are marked for DOS mitigation.

Impact:
Some valid requests are blocked during the client-side DOS mitigation.

Workaround:
None


523992-8 : tmsh error map not included in /etc/alertd

Component: TMOS

Symptoms:
tmsh error map is not included in /etc/alertd.

Conditions:
The file /etc/alertd/bigip_tmsh_error_maps.h is missing.

Impact:
The tmsh error maps include certificate expiration warnings (i.e., BIGIP_TMSH_TMSH_CERT_EXPIRED, BIGIP_TMSH_TMSH_CERT_WILL_EXPIRE). This information is used to create alerts. Not having the map makes it difficult to create alerts for tmsh related errors (e.g., certificate expiration warnings).

Workaround:
None.


523985 : Certificate bundle summary information does not propagate to device group peers

Component: TMOS

Symptoms:
Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync.

Conditions:
A certificate file is created in a folder synced to a device group.

Impact:
Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available.

Workaround:
None.


523973-1 : Deletion of key/cert/csr fails to update bigip.conf.

Component: Local Traffic Manager

Symptoms:
Deletion of key/cert/csr fails to update bigip.conf.

Conditions:
Use the GUI to delete a key/cert/csr or all of them together, and notice that bigip.conf is not changed.

Impact:
Because of this, any object deleted from the GUI comes back after a 'tmsh load sys config'.

Workaround:
None.


523797-3 : Upgrade: file path failure for process name attribute in snmp.

Component: TMOS

Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.

Conditions:
Upgrade from 10.x to 11.5.1 or later.

Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.

Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.


523522-1 : In a device group, installing a UCS (on any one of the peers in group) does not propagate the ASU file (that is bundled with UCS) to other peers

Component: Application Security Manager

Symptoms:
In a device group, after installing a UCS file on any one of the peers in the group, the Application Security Update (ASU) version becomes inconsistent between peer machines.

Conditions:
ASM is provisioned.
Device group with ASM sync enabled.
Install a UCS file with a bundled ASU version different from the currently installed one.

Impact:
The ASU version is inconsistent between peer machines.

Workaround:
Manually trigger ASU update/install from:
Security > Security Updates > Application Security


522632 : Qkview generates error-level message

Component: TMOS

Symptoms:
In version 11.6.0, if AVR is not provisioned but a module that uses AVR (for example, APM) is provisioned, the Qkview utility generates the following error-level log message:

err tmsh[18617]: 01420006:3: virtual is not a valid entity.

Conditions:
AVR not provisioned, but modules that use AVR (e.g. APM, AFM) are provisioned.

Impact:
This is a cosmetic issue. There is no impact on traffic.

Workaround:
This is a benign error message that can be safely ignored.


522620-1 : BIG-IP continues to monitor APM AAA pool with old monitor after monitor changed

Component: Local Traffic Manager

Symptoms:
BIG-IP APM continues to use old monitor (in addition to new monitor configuration) for APM AAA pool after the monitor type is modified.

Conditions:
APM AAA pool's monitor configuration is modified via the APM GUI.

Impact:
BIG-IP APM continues to use old monitor (in addition to new monitor) to monitor pool members for an AAA pool.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:

Save and re-load the configuration to correct the incorrect information in mcpd:

    tmsh save sys config partitions all && tmsh load sys config partitions all


522304-2 : Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group

Component: TMOS

Symptoms:
Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not.

Conditions:
CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed.

Impact:
Password policy may not be enforced consistently across all devices.

Workaround:
None.


522124-3 : Secondary MCPD restarts when SAML IdP or SP Connector is created

Component: Access Policy Manager

Symptoms:
Secondary MCPD restarts when the admin creates an APM SAML IdP Connector (or SP Connector) from attached metadata on the primary blade.

Conditions:
BIG-IP chassis with multiple blades where the configuration includes APM SAML IdP Connector or SP Connector created from attached metadata file.

Impact:
Secondary slot's MCPD restarts.


520682-2 : In PBA mode subscribers cannot initiate more than 512 connections to the same server IP:port

Component: Carrier-Grade NAT

Symptoms:
In PBA mode, connections fail and new port blocks are not allocated when a subscriber attempts more than 512 connections to the same server IP and port.

Conditions:
PBA mode is configured on the LSN pool, and the inbound connections setting is disabled.

Impact:
Subscribers can initiate only 512 connections to a particular server IP:port.

Workaround:
Set 'Inbound connections' setting in the LSN pool to 'Automatic'.


520604-8 : Route domain creation may fail if simultaneously creating and modifying a route domain

Component: Local Traffic Manager

Symptoms:
Creating and modifying a route domain in a single transaction fails.

Conditions:
Performing create and modify operations in the same transaction, as can be done using tmsh and iControl.

Impact:
Transaction fails. Even though an ID is passed in with the create method, the system posts an error similar to the following: 01070734:3: Configuration error: route-domain Name /Common/test_rd_200 is non-numeric, so an ID must be specified.

Workaround:
Perform create and modify operations in different transactions.


519090-1 : Assigning a value to window.onerror in an empty window leads to an exception.

Component: Access Policy Manager

Symptoms:
Assigning a value to window.onerror in an empty window might cause a page load failure.

Conditions:
Portal Access is configured, and pages contain links that assign a value to an empty window's onerror handler; these links stop working after rewriting.

Impact:
Page does not load.

Workaround:
None.


519064 : Maximum connections statistic on node incorrect, shows higher than connection limit

Component: Local Traffic Manager

Symptoms:
If a node is configured with a connection limit, the display may show a maximum connection count equal to the number of pool members using that node.

Conditions:
This occurs when nodes are configured with connection limits, and more than 1 pool member is using that node.

Impact:
Maximum connections statistic on node shows higher than the specified connection limit. This is a display issue only. The actual connection limit is enforced.

Workaround:
None.


519011-2 : Auditor role: Exporting the Request Log

Component: Application Security Manager

Symptoms:
Users with the Auditor role cannot export from the Request log.

Conditions:
Users with Auditor role trying to export from the Request log.
Using a software version 11.5.x or 11.6.x.

Impact:
Cannot export from the Request log.

Workaround:
None.


518258-1 : The CLIENTSSL_CLIENTCERT iRule event may not be triggered.

Component: Local Traffic Manager

Symptoms:
Using the SSL persistence profile, the CLIENTSSL_CLIENTCERT event might not be triggered during renegotiation.

Conditions:
The SSL persistence profile is in use, and an iRule depends upon the CLIENTSSL_CLIENTCERT event.

Impact:
The CLIENTSSL_CLIENTCERT iRule event may not be triggered. iRule command SSL::cert does not access certs retrieved from on-demand cert auth. This is functioning as designed.

Workaround:
None.


518197 : Modifying the default antifraud profile causes device group sync failures

Component: TMOS

Symptoms:
A device group sync results in the following error:

01070700:3: The attributes of a root profile (/Common/antifraud) cannot be set to 'default'.

Conditions:
The default /Common/antifraud profile is modified from its default values while in a device group.

Impact:
Sync fails and can be difficult to recover from.

Workaround:
Don't modify the base profile; create a new one instead.

Recovery could involve running SOL13887 against a peer with an unmodified base profile, but this deletes any changes made. If that is not acceptable, you can run tmsh save sys config, remove the /Common/antifraud profile from bigip.conf, then run tmsh load sys config.


517609-2 : GTM Monitor Needs Special Escape Character Treatment

Component: Global Traffic Manager (DNS)

Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape them. Such escaped characters result in non-matching behavior in GTM monitors without any warning in the GUI. The GUI also accepts Perl (non-POSIX) character classes such as \d in place of [:digit:], but these Perl extensions do not match properly.

Conditions:
Any running GTM monitor.

Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.

Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
 
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.
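To see what the \x5C substitution buys, here is an added example in Python; it is not part of this document or of F5's monitor code. It models the receive string the way this entry describes it: \xHH escapes are resolved to the byte they name before the pattern is compiled, so HTTP/ 1\x5C.1 becomes the regex HTTP/ 1\.1. Python's re module stands in for the monitor's regex engine; both treat an unescaped period as "any character" and an escaped one as a literal, which is all the matching part relies on. The sample responses are constructed. The lint function flags \d and \s so they can be replaced with the POSIX classes recommended above; Python's re would accept those Perl classes while the monitor's engine does not, so the example deliberately never matches with them.

```python
import re

# Constructed sample responses (not captured from a real server). The second
# one is what an unescaped '.' in "HTTP/ 1.1" happily matches.
GOOD_RESPONSE = "HTTP/ 1.1 200 OK\r\n\r\n"
LOOKALIKE_RESPONSE = "HTTP/ 1x1 200 OK\r\n\r\n"

# Perl-style classes this entry warns about, with the POSIX classes to use instead.
POSIX_REPLACEMENTS = {"d": "[[:digit:]]", "s": "[[:space:]]"}


def resolve_receive_string(receive_string):
    """Turn the text typed into the monitor's receive field into the pattern the
    regex compiler sees. Model assumed for this example: \\xHH escapes are
    replaced by the byte they name, so \\x5C becomes a single backslash and
    'HTTP/ 1\\x5C.1' becomes the regex 'HTTP/ 1\\.1'. Nothing else is rewritten."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)),
                  receive_string)


def receive_matches(receive_string, response):
    """Does the resolved receive string match the response? Python's re stands
    in for the monitor's engine; the two agree on '.' versus '\\.'."""
    return re.search(resolve_receive_string(receive_string), response) is not None


def lint_receive_string(receive_string):
    """Flag Perl extensions (\\d, \\s) that the monitor engine does not honour and
    map each to its POSIX replacement. The \\x5C substitution is resolved first
    so that a backslash entered that way is linted like a literal one."""
    pattern = resolve_receive_string(receive_string)
    found = set(re.findall(r"(?<!\\)\\([ds])", pattern))
    return {"\\" + cls: POSIX_REPLACEMENTS[cls] for cls in sorted(found)}


if __name__ == "__main__":
    for recv in (r"HTTP/ 1.1", r"HTTP/ 1\x5C.1"):
        print(f"{recv!r:20} good={receive_matches(recv, GOOD_RESPONSE)} "
              f"lookalike={receive_matches(recv, LOOKALIKE_RESPONSE)}")
    print(lint_receive_string(r"HTTP/ 1\x5C.1 \d\d\d"))
```

The unescaped receive string matches both responses, so a server answering with the look-alike would be marked UP; the \x5C form matches only the genuine response. Run the lint over every monitor's receive string before trusting a member's status.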


517456 : Resetting virtual server stat increments cur_conns stat in clientssl profile

Component: Local Traffic Manager

Symptoms:
When there are active connections on the virtual server, resetting its statistics with 'tmsh reset-stats ltm virtual virtual_name' doubles the client SSL profile's cur_conns, cur_native_conns, and cur_compat_conns values.

Conditions:
- SSL virtual server.
- Active connections on the virtual server.
- Virtual server stats are reset while active connections exist.

Impact:
Invalid statistics values on the client ssl profile stats.

Workaround:
None.


517202-1 : Microsoft Internet Explorer may fail SSL handshake

Component: Local Traffic Manager

Symptoms:
Clients using Microsoft Internet Explorer get intermittent "page cannot be displayed" errors while accessing LTM virtual servers.

Internet Explorer versions 10 and 11 may fail the SSL handshake when BIG-IP acts as the TLS server with a DHE cipher suite (e.g., DHE-DSS-AES256-SHA). The ServerKeyExchange message sent by BIG-IP includes the field dh_Y (g^x), which for the 1024-bit DH group that BIG-IP uses fits in 128 or fewer bytes. For 1 dh_Y value out of 256, dh_Y fits in 127 bytes, and BIG-IP sends it tightly packed into 127 bytes.

This is an Internet Explorer issue. It probably persists because a DSA certificate is required (which is rare on the public internet) and that certificate must be DSA 1024 with SHA1, which provides substandard security. Note: ECDHE does not exhibit this problem.

Conditions:
-- LTM client-ssl virtual server.
-- Clients using Internet Explorer versions 10 and 11.

Impact:
Some websites fail to load for these clients.

Workaround:
Disable DHE cipher suites in client-ssl profile, as follows:

* 'DEFAULT:!EDH' to permanently remove DH-based ciphersuites.
* 'DEFAULT:-EDH:DEFAULT+EDH' to move them to the end of the preference list.


516841-2 : Unable to log out of the GUI in IE8

Component: TMOS

Symptoms:
"Log out" button doesn't work in Microsoft Internet Explorer version 8 (IE8).

Conditions:
This occurs when clicking the "Log out" button in the GUI while using IE8.

Impact:
You cannot log out with the "Log out" button.

Workaround:
Close and reopen IE8.


516808-1 : tmsh listing of a nonexistent ltm monitor returns incorrect results.

Component: TMOS

Symptoms:
tmsh listing of a nonexistent ltm monitor returns incorrect results:

(tmos)# list ltm monitor gateway-icmp http
ltm monitor gateway-icmp http {
    adaptive disabled
    destination *:*
    interval 5
    time-until-up 0
    timeout 16
    user-defined IP_TOS 0
    user-defined SEND "GET /\r\n"
}

Note there is no gateway-icmp monitor named http present. The output corresponds to the HTTP monitor.

Conditions:
The issue arises only when querying for a nonexistent monitor whose name matches a valid monitor type, for example, http, https, icmp, and so on.

Impact:
tmsh listing of a nonexistent ltm monitor returns incorrect results. For example, the following command returns a gateway-icmp http configuration even though it does not exist: (tmos)# list ltm monitor gateway-icmp http.

Workaround:
Use the following command to return the correct results:
tmsh list ltm monitor gateway-icmp gateway-icmp

Listing a nonexistent monitor whose name is not also a monitor type returns an error, as expected:
(tmos)# list ltm monitor gateway-icmp does_not_exist
01020036:3: The requested monitor (/Common/does_not_exist) was not found.


516432-5 : DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.

Component: Local Traffic Manager

Symptoms:
DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.

Conditions:
When DB variable tmm.ssl.dtlsmaxcrs is not 1.

Impact:
DTLS sends corrupted records.

Workaround:
Set tmm.ssl.dtlsmaxcrs to 1.


516280-2 : bigd process uses a large percentage of CPU

Component: Local Traffic Manager

Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.

Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.

Impact:
bigd process uses a large percentage of CPU.

Workaround:
None.


516200-6 : HTML5 Receivers for Storefront 2.5 and 2.1 are not working on Google Chrome 40+

Component: Access Policy Manager

Symptoms:
Google Chrome version 40+ shows JavaScript errors when using HTML5 Receivers for Storefront 2.5 and 2.1.

Conditions:
APM is configured for Citrix proxy or replacement and HTML5 Receivers for Storefront 2.5 or 2.1 are used.

Impact:
HTML5 Receivers for Storefront 2.5 or 2.1 can't be used.

Workaround:
Edit the HTML5 Receiver files as suggested by Citrix:
http://discussions.citrix.com/topic/361040-storefront-21-html5-broken-on-chrome-v40/
1) Edit SessionWindow.html file at "C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\src\SessionWindow.html"
2) Find <meta http-equiv="content-security-policy" content="default-src 'none';
3) Add child-src directive <meta http-equiv="content-security-policy" content="default-src 'none'; child-src 'self';


516167-3 : TMSH listing with wildcards prevents the child object from being displayed

Component: TMOS

Symptoms:
When the tmsh list command is run with an identifier that uses the wildcard match character (*), the results returned may not include the nested objects contained within the parent object.

For example, the list ltm pool* command prints all pools whose names begin with the word pool, but fails to list the profiles that are within the pool.

Conditions:
tmsh list with a wildcard character specified for the parent object.

Impact:
Missing details of nested objects when tmsh list is invoked with the wildcard character (*) specified in the object identifier.

Workaround:
None.


515915-1 : Server side timewait close state cause long establishment under port reuse

Component: Local Traffic Manager

Symptoms:
When the server-side TCP connection is in the TIME_WAIT closing state and a new client connection is initiated toward the server while BIG-IP is in SYN-Cookie mode, the server responds with an ACK instead of a SYN+ACK to the SYN it received.

BIG-IP drops this ACK and retransmits the SYN until it times out.

Conditions:
FastL4 is in SYN-Cookie mode, the previous server connection is in the TIME_WAIT close state, and a new client connection reuses the port to reach the same server TCP connection.

Impact:
Longer connection establishment time and retries.


515764-4 : PVA stats only being reported on virtual-server and system-level basis.

Component: TMOS

Symptoms:
The VLAN/interfaces stats do not include PVA stats. PVA stats are reported on a per-virtual-server basis, including the virtual server plus its pool and pool members.

Conditions:
Viewing PVA stats.

Impact:
Interfaces stats only count TMM software traffic stats, and do not include PVA traffic stats. Although this is by design, it makes it difficult for administrators to monitor per-VLAN throughput on their devices.

Workaround:
Retrieve pool member PVA stats for server-side PVA stats on the associated VLANs. Also look at PVA stats in the virtual server stats for client-side PVA stats. Note: On the client side, the virtual server might be configured to run on multiple VLANs, so the client-side details are not included in the stats.


515649 : config load failed after upgrading from 11.6.1 to 12.0.0

Component: TMOS

Symptoms:
config load failed after upgrading from 11.6.1 to 12.0.0. Error: fatal: (Can't load component definition 'service_policy_global' for command 'service-policy-global') (framework/SchemaCmd.cpp, line 279), exiting.

Conditions:
This occurs when Acceleration Manager (AM) is provisioned and configured on 11.6.1, and the system is then upgraded to version 12.0.0.

Impact:
Config load fails.

Workaround:
Since 11.6.1 came after 12.0.0 was released, upgrade from 11.6.1 to 12.1.0 instead.


515139-5 : Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics

Component: Local Traffic Manager

Symptoms:
Current connections seen in the pool member statistics via tmsh might show a number that is not decremented over time.

Conditions:
This occurs when the following conditions are met:
- FTP virtual server with address translation disabled.
- FTP profile with inherit parent profile.
- Active FTP session.
- Running the command: tmsh show ltm pool pool_name.

Impact:
The current connections statistics value does not decrement upon data connection closure. While this is primarily cosmetic, it might impact connections when used in combination with limit calculations.

Workaround:
Disable inherit parent profile in the FTP profile.


514496-1 : Modifying an in-use rate-shaping profile may prevent connections from being rate shaped

Component: Local Traffic Manager

Symptoms:
Modifying an in-use rate-shaping profile might prevent existing connections from being rate shaped.

Conditions:
Modify a rate-shaping profile attached to a virtual server with active connflows.

Impact:
Active connflows might no longer be rate shaped.

Workaround:
None.


514431-1 : [TMSH][GTM] Add validation for special characters like Ctrl+k for gtm object names

Component: Global Traffic Manager

Symptoms:
GTM objects display ^K characters and cannot be assigned to other objects.

When editing bigip_gtm.conf using the CLI, it is possible to use control characters in server, virtual server, and pool names. These characters can be saved to the config as a space or as a special character. Such characters include ^K, ^B, ^N, and ^L.

Conditions:
Editing bigip_gtm.conf using CLI.

Impact:
1. Config is not displayed properly.
2. Odd problems occur when objects have such names; for example, adding a virtual server to a server with such a name fails, and in 11.5.1 and 11.4.1 virtual servers cannot be assigned to pools, pools to wide IPs, and so on.

Workaround:
Do not use such control characters (Ctrl+ key combinations) in object names.


514419-5 : TMM core when viewing connection table

Component: Local Traffic Manager

Symptoms:
In very rare conditions tmm may core on viewing the connection table.

Conditions:
This occurs only when a configuration meets all of the following conditions:
- A NAT.
- An AFM reject rule for ICMP.
- The user views the connection table on the system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not view the connection table when this configuration combination exists.


513887-7 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system

Component: Application Security Manager

Symptoms:
There are "/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.

Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'.

No other impact.

Workaround:
None.


513787-3 : CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10

Component: Application Security Manager

Symptoms:
Because the ASM CSRF JavaScript is executed on the client side, JavaScript errors at page render time might break the page.

Conditions:
Using Internet Explorer 8-10 with CSRF ASM enabled.

Impact:
Because the ASM CSRF JavaScript is executed on the client side, JavaScript errors at page render time might break the page.

Workaround:
N/A


513202-2 : RPZ may not work as expected

Component: Local Traffic Manager

Symptoms:
A query may incorrectly not match the RPZ database, getting an answer from the cache instead of triggering the RPZ action.

Conditions:
DNS Cache with a Response Policy Zone.

Impact:
A DNS client may not be filtered by the RPZ database as expected.

Workaround:
None


513151-8 : VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.

Component: TMOS

Symptoms:
VIPRION B2150 blades with SSD show up as unknown when SNMP queries the OID sysObjectID.

Conditions:
SNMP queries the OID sysObjectID.

Impact:
You cannot identify any VIPRION B2150 blades with SSD using SNMP.

Workaround:
None.


512853-2 : Kerberos SSO fails if KDC is not specified

Component: TMOS

Symptoms:
When you configure single sign-on (SSO) using Kerberos, and you do not fill in the KDC field on the configuration page (Access Policy > SSO Configurations > Kerberos) , you may encounter an error. The error may be similar to: <Date> slot2/BIGIP1 err websso.0[29236]: 014d0005:3: Kerberos: can't get TGT for host/svcf5kerberos.corpdev.apdev.local@CORPDEV.APDEV.LOCAL - Cannot contact any KDC for realm 'CORPDEV.APDEV.LOCAL' (-1765328228)

Conditions:
This occurs if you do not specify a value for KDC when configuring SSO with Kerberos.

Impact:
SSO fails

Workaround:
The administrator should edit the /etc/krb5.conf file manually and set the option:
dns_lookup_kdc=true

Note that this workaround is:
- not synced across the cluster
- not backed up
- not audited
- not upgrade safe
- not re-provision safe
- may revert during other maintenance operations


512836-1 : ASM REST Error When Trying To Create a Custom Manual Signature Set

Component: Application Security Manager

Symptoms:
If the user attempts to create a Custom Manual Signature Set with an assigned System via REST, an error is thrown and the transaction fails.

Conditions:
The user attempts to create a Custom Manual Signature Set with an assigned System via REST.

Impact:
An error is thrown and the transaction fails.

Workaround:
No workaround.


512687-4 : Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal through GUI

Component: Application Security Manager

Symptoms:
Create a security policy named "policy1".

Send POST to
--------------------------
https://<BIG-IP>/mgmt/tm/asm/policies/<asm-policy-uuid>/parameters
--------------------------
with body:
--------------------------
{
"name": "decimal",
"dataType": "decimal",
"maximumValue": 20.1
}
--------------------------
you will get an error saying:
--------------------------
"Could not parse/validate the Parameter. Field value for maximumValue must be an integer."
--------------------------

Conditions:
ASM is provisioned.

Impact:
Unable to create a decimal parameter with floating-point "minimumValue" and "maximumValue" properties using the REST API.

Workaround:
None.


512634-1 : Add logging to indicate the nitrox3 compression engine is stalled.

Component: TMOS

Symptoms:
The compression engine stops functioning, and new compression requests may fail. Examining the tmctl compress table shows no change in the accelerated compression counters over time.

Conditions:
Invalid request data passed into the compression engine can stall the accelerated compression engine.

Impact:
No compression; or possibly compression performed only in software (which drives up the CPU).

Workaround:
Disable accelerated compression.


512303-1 : Install does not complete (stays at 0%) because the UCS save operation hangs while backing up the AVR database.

Component: Application Visibility and Reporting

Symptoms:
Install does not complete (stays at 0%) because the UCS save operation hangs while backing up the AVR database.

Conditions:
/var/db/mysqlpw file does not exist (was not created due to lack of space, MySQL never ran, or another reason).

Impact:
Upgrade process does not complete.

Workaround:
None.


511985-4 : Large numbers of ERR_UNKNOWN appearing in the logs

Component: Local Traffic Manager

Symptoms:
There are times when the LTM Policy subsystem attempts to execute particular actions, which fail and result in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.

Conditions:
While not limited only to the ASM module, this has been observed when ASM is active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN, as it should.

Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.

Workaround:
None.


511865-1 : [GTM] GTM external monitor is not correctly synced in GTM sync group without device group

Component: Global Traffic Manager

Symptoms:
GTM external monitor is not correctly synced in GTM sync group without device group.

Conditions:
This occurs when the following conditions are met:
1. GTM systems exist in the same GTM sync group but not in the same device group.
2. The GTM external monitor refers to a non-default system file.

Impact:
The GTM external monitor is not synced correctly and configuration fails on the peer GTM system. The system posts an error similar to the following: err iqsyncer[20361]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237778 result_message '01070712:3: Values (/Common/bad_external_monitor.sh) specified for external monitor parameter (/Common/external_test 2 RUN_I=): foreign key index (to_file) do not point at an item that exists in the database.' }

Workaround:
Configure both GTM systems in the same GTM sync group and the same device group.


511819 : Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name

Component: Advanced Firewall Manager

Symptoms:
Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name. The system attempts to modify the existing rule.

Conditions:
Modifying a rule list with replace-all-with and specifying a rule name that already exists.

Impact:
Difficulty modifying the rule list.

Workaround:
When using replace-all-with, use new rule names.


511782-3 : The HTTP_DISABLED event does not trigger in some cases

Component: Local Traffic Manager

Symptoms:
HTTP_DISABLED is not triggered by the HTTP::disable iRule command, by requests using the CONNECT method, or by WebSocket traffic.

Conditions:
The HTTP filter is switched into pass-through mode by the HTTP::disable command, a CONNECT request, or WebSocket traffic.

Impact:
The HTTP_DISABLED event does not trigger.

Workaround:
This issue has the following workaround:
-- For HTTP::disable, place the logging code that would go in HTTP_DISABLED immediately after that iRule command.
-- For CONNECT, use an iRule to match the method in HTTP_REQUEST, and check that 200 Connected is returned as the status in HTTP_RESPONSE. If so, invoke the logging code that would go in HTTP_DISABLED.
-- For WebSockets, use an iRule to match the 101 Switching Protocols status code in HTTP_RESPONSE. If this happens, invoke the logging code that would go in HTTP_DISABLED.
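An iRule covering the three cases above, added here as an example (it is not from the release note or from F5); the /tunnel/ path prefix that triggers HTTP::disable and the variable name pt_reason are illustrative assumptions:

```tcl
# Added example iRule (not F5's code): logs entry into HTTP pass-through mode
# for the three cases in which HTTP_DISABLED does not fire in this release.
# "/tunnel/" and "pt_reason" are illustrative names chosen for this example.
when HTTP_REQUEST {
    set pt_reason ""

    if { [HTTP::uri] starts_with "/tunnel/" } {
        # Case 1: the iRule disables the HTTP filter itself. HTTP_DISABLED
        # will not fire, so the log line goes right after the command.
        HTTP::disable
        log local0. "HTTP filter disabled by iRule for [IP::client_addr]: [HTTP::uri]"
        return
    }

    if { [HTTP::method] eq "CONNECT" } {
        # Case 2: a CONNECT tunnel switches the filter to pass-through only
        # once the server answers 200, so remember it and decide on the response.
        set pt_reason "CONNECT to [HTTP::uri]"
    } elseif { [string tolower [HTTP::header "Upgrade"]] eq "websocket" } {
        # Case 3: a WebSocket upgrade is confirmed by 101 Switching Protocols.
        set pt_reason "WebSocket upgrade of [HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    if { ![info exists pt_reason] || $pt_reason eq "" } {
        return
    }
    set status [HTTP::status]
    if { ([string match "CONNECT*" $pt_reason] && $status == 200) ||
         ([string match "WebSocket*" $pt_reason] && $status == 101) } {
        # From here on the connection is pass-through; this is the log line
        # that would otherwise live in HTTP_DISABLED.
        log local0. "HTTP filter in pass-through ($pt_reason, status $status) for [IP::client_addr]"
        set pt_reason ""
    }
}
```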


511324-5 : HTTP::disable does not work after the first request/response.

Component: Local Traffic Manager

Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.

Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.

Impact:
The connection is reset.

Workaround:
None.


510802 : Using ECA::metadata iRule command might cause MCPD failure.

Component: Access Policy Manager

Symptoms:
Using the ECA::metadata iRule command in an iRule might cause configuration errors.

Conditions:
Using ECA::metadata command in the iRule.

Impact:
Configuration cannot be loaded or saved.

Workaround:
Use ECA::select command instead of ECA::metadata command.


510728-7 : Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.

Component: Advanced Firewall Manager

Symptoms:
Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.

Conditions:
User with role of Firewall Manager and accessing
Security :: Protocol Security : Security Profiles : DNS

Impact:
Firewall Manager has extra abilities not considered in scope for the role. Therefore a validation error will be thrown similar to the following: "01070822:3: Access Denied: user (username) does not have create access to object (dns_security)"


510425-4 : DNS Express zone RR type-count statistics are missing in some cases

Component: TMOS

Symptoms:
When displaying DNS zone data with multiple instances, if one has no resource record data, the following instance also displays empty resource record data even when there is something to display.

Conditions:
When displaying DNS zone data with multiple instances, and one has no resource record data.

Impact:
Missing Resource Record data when the data is not empty.

Workaround:
Query the specific DNS Zone data instance instead of the 'query all'.


510409-1 : NAT64 ICMP may fail with SP DAG and a small number of IPv4 addresses.

Component: Carrier-Grade NAT

Symptoms:
ICMP requests from IPv6 clients are successfully translated and sent but the replies are dropped.

Conditions:
A NAT64 enabled virtual server and SP DAG (cmp-hash set to src-ip or dst-ip) when there is a small number of IPv4 addresses available.

Impact:
ICMP fails.

Workaround:
Increase the number of IPv4 addresses available for NAT64 translation.


510281-1 : learning_manager crash

Component: Application Security Manager

Symptoms:
learning_manager crashed and restarted.

Conditions:
ASM provisioned, learning_manager running and traffic is flowing through ASM.

Impact:
learning_manager restarted

Workaround:
N/A


510200-1 : Upon de-provisioning, ASM does not release disk resources.

Component: TMOS

Symptoms:
ASM is deprovisioned but asm logical volume remains.

Conditions:
Provision and then de-provision ASM.

Impact:
ASM is deprovisioned but asm logical volume remains.

Workaround:
After ASM is de-provisioned, run the following in the CLI:
 - tmsh delete sys disk application-volume asmdata
 - tmsh save sys config


510034 : Access Policy memory is not cleared between access policy executions

Component: Access Policy Manager

Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.

The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.

Conditions:
The user uses Tcl variables that might not be initialized. For example, a variable assign:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured

Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously.

Impact:
Unexpected results from Access Policy execution.

Workaround:
To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:

if { [regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }

This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.
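The stale-variable behaviour and the guarded form above, reproduced in a stand-alone tclsh script as an added example (not from the release note or from F5). A separate interp stands in for APD's long-lived interpreter, mcget is a stub that returns a constructed logon name, and alice@example.com and bob@other.test are constructed test values:

```tcl
# Added example (not F5's code): one long-lived Tcl interpreter keeps the
# variable "captured" between executions, exactly the situation the release
# note describes; the guarded form never returns a previous user's match.
set apd [interp create]

proc run_policy {interp user body} {
    # Each "execution" sees a different logon name through the mcget stub,
    # but variables set by earlier executions are still present in $interp.
    $interp eval [list proc mcget {name} [list return $user]]
    return [$interp eval $body]
}

# Variable-assign expression as written in the release note: "captured" is
# only written when the regexp matches, but is returned unconditionally.
set unguarded {
    regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured
    return $captured
}

# Guarded form from the workaround: trust "captured" only on a match.
set guarded {
    if { [regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } {
        return $captured
    } else {
        return "nomatch"
    }
}

# Execution 1 matches and leaves "captured" behind; execution 2 does not
# match, so the unguarded form returns the value left by the previous user.
puts "unguarded, first user:  [run_policy $apd alice@example.com $unguarded]"
puts "unguarded, second user: [run_policy $apd bob@other.test $unguarded]"

# Same interpreter, same stale variable, but the guarded form reports nomatch
# for the second user instead of the first user's data.
puts "guarded, first user:    [run_policy $apd alice@example.com $guarded]"
puts "guarded, second user:   [run_policy $apd bob@other.test $guarded]"

interp delete $apd
```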


509611-1 : Asynchronous Tasks for Long-Running command control

Component: TMOS

Symptoms:
Long-running operations via the iControl/REST interface might lead to timeouts and non-responsiveness to new requests while the operation completes, with no way to return the result. While transactions can mitigate this by permitting polling on the status of the transaction, not all operations are permitted in transactions.

Conditions:
Heavily loaded systems might result in some commands, particularly save sys config or save sys ucs, taking so long to complete that they time out. Until the operation completes, further operations cannot be started by the same user.

Impact:
This makes automated control problematic, as it removes control over long-running operations.

Workaround:
Where possible, run long-running iControl/REST commands in transactions.


508699-1 : Import with reuse is failing if profile and resource are sharing the same name

Component: Access Policy Manager

Symptoms:
If a profile and a resource have the same name, and there is an attempt to export and re-import it using the 'Reuse Existing Objects' option, import fails with an error.

Conditions:
Profile and resource share the same name, for example: access-profile /Common/google and resource-assign /Common/google. Export and import using the 'Reuse Existing Objects' option.

Impact:
Import does not work. This represents minimal impact, however, because failure occurs only in the reuse-objects case.

Workaround:
A. Use profile copy instead of import with reuse.
B. Perform the following steps:
1) Unpack .conf.tar.gz.
2) Open .conf.
3) Change name of resource and all links to it from /@partition/@name to a unique name, such as @name-123.
4) Repack .conf.tar.gz.


508556-1 : CSR missing SAN when renewing cert in GUI

Component: TMOS

Symptoms:
When using the GUI to renew a CA certificate that contains a subject alternative name (SAN), the SAN field is missing in the generated CSR.

Conditions:
Using the GUI to renew a CA certificate that contains a SAN.

Impact:
The resulting CSR does not contain a SAN value.

Workaround:
Use tmsh. For example: tmsh create sys crypto csr abc key abc.key subject-alternative-name DNS:ddd.nnn.sss common-name cn


508486-2 : TCP connections might stall if initialization fails

Component: Local Traffic Manager

Symptoms:
TCP connections might stall if initialization fails.

Conditions:
TCP connections fail to initialize if the tmm hud message queue is full. If these connections are flagged to not expire then they will linger forever.

Impact:
TCP connections that never expire. Increased memory usage. tmm logs containing 'hud queue full' errors.


508341-4 : Scheduled-reports are not syncing the 'first-time' value on a sync group

Component: Application Visibility and Reporting

Symptoms:
Creating a scheduled report on a sync or sync-failover group configuration does not sync the 'first-time' value to the other devices in the group.

Conditions:
Having a DSC configuration and trying to create a scheduled report.

Impact:
This issue may cause other devices in the sync group to send reports before the first-time value they were assigned.


508074-1 : Non-admin deployment causes iApp failure

Component: iApp Technology

Symptoms:
Some iApps fail when deployed by a user with role privilege lower than "admin".

Conditions:
This occurs with users other than admin that deploy certain iApps.

Impact:
Affected templates:
f5.dns
f5.ldap
f5.microsoft_sharepoint_2010
f5.http
f5.sap_enterprise_portal
f5.peoplesoft_9
f5.sap_erp
f5.microsoft_iis
f5.bea_weblogic
f5.oracle_ebs


507640-1 : Importing Security Policy in Binary Format Fails

Component: Application Security Manager

Symptoms:
Error appears in the GUI after attempting to import a binary policy:
Unknown error after running import policy script.
Could not import the Security Policy; Error: DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails.

Conditions:
A Security Policy was created using a Custom Policy Template. It is then exported in Binary format and attempted to be imported on a device where that Custom Policy Template does not exist.

Impact:
User will be unable to import the policy.

Workaround:
Use XML Export/Import instead.


507554-1 : Uneven egress traffic distribution on trunk with odd number of members

Component: Local Traffic Manager

Symptoms:
If a trunk on a BIG-IP appliance or VIPRION chassis is populated with a number of members that is not a power of 2, the resulting distribution of egress traffic may be noticeably uneven.

For example, in a VIPRION chassis with 3 blades each having 5 ports assigned to the trunk (total of 15 ports), one of the ports on one of the blades may send noticeably more traffic than the other ports.

Conditions:
This problem occurs on the following F5 hardware platforms:
-- BIG-IP 10000-series and 12000-series appliances.
-- VIPRION B4300 and B2250 blades.

Impact:
Sub-optimal distribution of traffic across available trunk ports.

Workaround:
Configure the members of the trunk to always contain a number of members which is a power of 2 (2, 4, 8, 16).


507331-4 : Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.

Component: TMOS

Symptoms:
If a saved configuration from an earlier version is used when launching an instance of BIG-IP v11.5.2 on AWS, then SSLv3 may be enabled on the management interface.

Conditions:
Using configuration saved with version 11.5.2 (and earlier) on AWS.

Impact:
There are known security issues with SSLv3, and the BIG-IP software disables it by default with v11.5.2 on AWS. SSLv3 enabled on the management interface might leave the instance open to attack, so after upgrading, disable SSLv3 in any configuration in which it is enabled before deploying.

Workaround:
Disable SSLv3 as documented here: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip, and in SOL15702: https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html.


507206-3 : Multicast Out stats always zero for management interface.

Component: TMOS

Symptoms:
Multicast Out stats are always zero for the management interface.

Conditions:
Statistics information on the management interface.

Impact:
The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover.

Workaround:
Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.


506597-1 : False positive cookie hijacking violation after uploading big requests

Component: Application Security Manager

Symptoms:
There is a false cookie hijacking violation, and a TS cookie with _0 at the end of the cookie name is present.

Conditions:
After uploading a big payload, a false cookie is created, which in turn triggers the ASM cookie hijacking violation on the next request.

Impact:
A false violation, alarm or block.

Workaround:
Turn off the ASM cookie hijacking violation (it is off by default).


506452-2 : Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1

Component: Advanced Firewall Manager

Symptoms:
Sometimes the firewall rule matching result is wrong if firewall rules are configured with a source or destination IPv6 address whose most significant bit is 1. Examples of such IPv6 addresses: dfdf::/128, bbbb::/64.

Conditions:
Firewall rules are configured with source or destination IPv6 address whose most significant bit is 1.

Impact:
The firewall rule with those IPv6 addresses may accept or deny packets that do not match the rule.


506423-2 : [GTM] [ZoneRunner] Silent failure when adding a resource record is not successful

Component: Global Traffic Manager

Symptoms:
Silent failure on unsuccessful creation of resource record.

Conditions:
Create a resource record that will not be successful and for which NAMED does not return an error.

For example: adding a DS record via ZoneRunner when subdomain delegation is not configured.

Impact:
The record is not added, and ZoneRunner returns no error.

Workaround:
None.


505992 : Erroneous MCPd Errors using tmsh reboot

Component: TMOS

Symptoms:
When using tmsh reboot, the connection to the mcpd daemon may be closed at the time of the restart, producing errors indicating that the connection to mcpd has been lost. These errors do not indicate an issue.

Conditions:
When issuing a reboot, you might see errors similar to the following:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all base" - failed. -- Error: failed to reset strict operations; disconnecting from mcpd.

Impact:
Erroneous error messages. These messages do not indicate a functional issue with the system, so you can safely ignore them.

Workaround:
No workaround required.


505123-7 : sysObjectID returns 'unknown' platform on the VIPRION 4400

Component: TMOS

Symptoms:
Querying for sysObjectID on VIPRION 4400 returns 'unknown' (.1.3.6.1.4.1.3375.2.1.3.4.1000):
# snmpwalk -v 2c -c community big-ip sysObjectID
SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::unknown
# snmpwalk -v 2c -On -c community big-ip sysObjectID
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.3375.2.1.3.4.1000

Conditions:
This occurs when running 'show sys hardware' on the VIPRION 4400.

Impact:
The snmpd call incorrectly identifies the BIG-IP system as unknown.


504917-1 : In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed

Component: Application Security Manager

Symptoms:
An inactive ASM policy on a sync target is suddenly re-activated.

Conditions:
This occurs when ASM manual sync is configured, and a policy is de-activated or deleted. The time stamp of the policy does not get updated, so the active policy will take precedence and re-activate it.

Impact:
If the user deactivates or deletes a policy on one device and then pushes the ASM config to the other device, the policies will end up being reactivated (or recreated as a default policy) on the other device.

Workaround:
The workaround is to make a change to the policy on one of the machines before deactivating it, so that its timestamp is newer than the one on the other machine.


504384-1 : ICMP attack thresholds

Component: Advanced Firewall Manager

Symptoms:
ICMP flood protection triggers at an earlier-than-expected threshold if all of the ICMP attack traffic contains the same ID. This is because all traffic with the same ID is sent to the same tmm, whereas the threshold takes into account the number of tmms.

Conditions:
When ICMP traffic is sent with the same ICMP id, and the DoS threshold was configured assuming the ICMP traffic would be spread across all tmms.

Impact:
The forwarded ICMP traffic has higher priority than regular traffic, so normal traffic may be dropped sooner than forwarded traffic.

Workaround:
None


504244 : Secondary blade shows "unknown" sync status while primary shows "in sync"

Component: TMOS

Symptoms:
On a VIPRION chassis in a sync/failover device group, the secondary blade may show sync status "unknown" although the primary blade shows "in sync".

Conditions:
VIPRION chassis with multiple blades, in a sync/failover device group with at least one other device.

Impact:
There should be no impact on function; it just fails to display the correct status.

Workaround:
None.


503960-4 : The requested unknown (1936) was not found.

Component: TMOS

Symptoms:
mcpd restarts, leaving the message "The requested unknown (1936) was not found".

Conditions:
The conditions for this bug are somewhat unknown. Older versions of BIG-IP have a simple lookup for display names. This display name table only has a select few configuration items in it; everything else returns "unknown". So any configuration error generated from using a type that is not defined in the table could potentially lead to this error.

Impact:
MCPD restarts, causing system-wide restarting of daemons.


503795-4 : [LTM] [DNS] [LOG] debug log information is logged even when "dnscacheresolver.loglevel" set to higher than debug

Component: Local Traffic Manager

Symptoms:
The BIG-IP system logs debug log information when 'dnscacheresolver.loglevel' is set to higher than debug.
For example, 'dnscacheresolver.loglevel' is set to notice.

Conditions:
'dnscacheresolver.loglevel' log level is set to higher than 'debug'.

Impact:
Although it might be difficult to determine the severity of the logging information, there is no known negative impact on the system.

Workaround:
This issue has no workaround at this time.


503125-5 : Excessive MPI net traffic can cause tmm panics on chassis systems

Component: Local Traffic Manager

Symptoms:
Excessive MPI net traffic can cause tmm panics on chassis systems.

Conditions:
This occurs on chassis systems with excessive internal traffic resulting from abnormal load distribution or excessive session DB usage. The session DB usage can be the result of modules or of custom iRules that store session data.

Impact:
Temporary outage and possible failover when using HA. The source conditions will also continue on the new active device, which can cause repeated failovers. When this occurs, the tmm logs will contain messages similar to: notice MPI stream: connection to node 127.20.3.24 expired for reason: TCP retransmit timeout

Workaround:
If affected by this when using iRules to create custom keys and data, this can be partially mitigated by consolidating multiple keys and using key lengths as small as possible. The amount of data stored also matters, but large keys can exacerbate the issue.


502129-3 : Hash Cookie Persistence interacts poorly with persistence iRules

Component: Local Traffic Manager

Symptoms:
Persistence may fail to work correctly if hash persistence is selected via an iRule persist command. Later requests could then use the hash cookie value as the name of the persistence cookie to inspect.

Conditions:
Cookie persistence is configured, and then overridden by cookie hash persistence by an iRule persist command.

Impact:
Persistence may fail to work correctly when the persist iRule command overrides from cookie to hash-cookie persistence.


501949-1 : BWC rate limit instability on large number of live dynamic flows

Component: TMOS

Symptoms:
The max-user-rate configuration changes constantly on a large number of live dynamic flows.

Conditions:
This issue appears very intermittently.

Impact:
This results in a lower-than-expected total rate.

Workaround:
Avoid rapid constant configuration changes on live traffic. Restart tmm to recover.


501947-2 : Cannot delete keys/certificates whose names start with 0 (zero).

Component: TMOS

Symptoms:
Cannot delete keys/certificates whose names start with 0 (zero).

Conditions:
Trying to delete a key/certificate whose name starts with 0.

Impact:
When you try to delete a key/certificate whose name starts with 0, the GUI shows the confirm delete page, but there is no key or certificate listed; after clicking delete again, the system displays the key/certificate list page with the key/certificate still there.

Workaround:
Use tmsh or iControl to delete keys/certificates whose names start with 0 (zero).


501418-2 : OSPF: Multiple ECMP default routes not distributed to TMM

Component: TMOS

Symptoms:
TMM route table does not use both ECMP routes for the default route.

Conditions:
When using ECMP and OSPF.

Impact:
The system does not use both equal-cost routes to route traffic.

Workaround:
None.


500639-2 : Setting log level for ZoneRunner has no effect.

Component: Global Traffic Manager

Symptoms:
Modifying the log level for ZoneRunner does not change the log level.

This is a bug in the handling of the log level change message within ZoneRunner.

Conditions:
If a GTM config sync is also occurring, the GTM can get into a state where all queries go unanswered until the GTM config loads and/or the BIND zones load.

Impact:
BIND queries go unanswered until the zone is loaded into BIND.

Workaround:
Assuming that the desired log level is "DEBUG", the following steps will force ZoneRunner to log debug messages to /var/tmp/zrd.out.

On the BIG-IP system:
touch /service/zrd/debug
bigstart restart zrd


500402-2 : 'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh.

Component: Local Traffic Manager

Symptoms:
'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh. The system posts the following mcpd error message in ltm log when an iRule is loaded from tmsh: err mcpd[5834]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (6589).

Conditions:
When merging config files, the error message may show up in system log.

Impact:
There is no functional impact observed.

Workaround:
Manually edit and merge config files.


499800-1 : Customized logout page is not displayed after logon failure

Component: Access Policy Manager

Symptoms:
Default logout page is displayed instead of customized logout page after maximum logon attempts allowed is reached.

Conditions:
1. Access profile has customized logout page.
2. The number of failed logon attempts reaches what is allowed by the policy.

Impact:
User will not see the customized logout page.

Workaround:
None.


499694 : LTM v10.2.x to v11.x upgrade misses partition name on node specific monitor

Component: TMOS

Symptoms:
When upgrading from v10.2.x to v11.x, the node monitor name does not acquire full path or partition information. Similarly, when creating a node with a monitor via tmsh, the node monitor name does not show partition information; configuring a node via the GUI, however, does add partition information.

If a node with a specific monitor of "none" is later forced down and then re-enabled, the node will remain in a marked-down-by-monitor state.

Conditions:
Upgrade from v10.2.x to v11.x.

Impact:
For nodes that have a specific monitor of "none", if the node is forced down and then re-enabled via tmsh or the node list in the GUI, the node will be marked down by the monitor. If the node is re-enabled from the node properties page in the GUI, this issue does not occur.

For other monitor types or pool and pool member monitors, the issue is cosmetic.

Workaround:
Run 'load sys config base', then 'load sys config'. Then, in both the GUI and tmsh, add partition info to the node monitor.


499615-3 : RAM cache serves zero length documents.

Component: Local Traffic Manager

Symptoms:
RAM cache serves zero length documents.

Conditions:
Forcing caching in an iRule.

Impact:
RAM Cache will cache a HEAD response if an iRule is configured to force it to do so. This causes RAM Cache to serve zero-length documents.

Workaround:
If the HTTP operation is a HEAD request, do not cache the response.


499404-3 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies

Component: Local Traffic Manager

Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.

Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.

Impact:
The wrong MSS value is advertised during the three-way handshake (3WHS).

Workaround:
None.


499348-1 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps or missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This can occur when the system is spawning/reaping processes on a frequent basis (e.g., a large number of external monitors).

This can also occur if iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server, as this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis.

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures, which depends on what is triggering them. For instance, reduce the frequency of configuration changes, or the use of 'SSL::profile' in iRules (if those are the trigger), or reduce the number/frequency of processes being spawned by the system (if that is the trigger).

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. This can be done by setting the 'merged.method' DB key to 'slow_merge' using the following command:
    tmsh modify sys db merged.method value slow_merge


499124-1 : wom_verify_config produces unnecessarily elevated messages in ltm log

Component: Wan Optimization Manager

Symptoms:
The wom_verify_config utility sometimes produces error-level messages in the ltm log that should be informational or warning level.

Conditions:
When WOM is not fully configured.

Impact:
Error-level messages in the ltm log can result in unexpected action being taken, where an informational or warning-level message might not.


498150 : "General database error retrieving information" appears on Self IP Security page after removing a rule and refreshing the page

Component: Advanced Firewall Manager

Symptoms:
The error "General database error retrieving information" appears on the Self IP Security page after removing a rule and refreshing the page.

Conditions:
The error occurs after deleting a rule from the Self IP Security page.

Impact:
The user must refresh the page to continue configuring that feature.

Workaround:
You can navigate again to Network :: Self IPs : self_ip_name : Security when this issue occurs. The issue does not stop the user from deleting the rule itself.


497154-2 : Clear schedule name when setting firewall rule state from Scheduled to Enabled/Disabled.

Component: Advanced Firewall Manager

Symptoms:
The schedule name was not cleared when the firewall rule state was changed from Scheduled to Enabled/Disabled.

Conditions:
Happens when the firewall rule state is changed from Scheduled to Enabled/Disabled.

Impact:
AFM Policy Editor


497104-1 : Log filled with 'hash grow: malloc failed' log messages.

Component: Local Traffic Manager

Symptoms:
Excessive 'hash grow: malloc failed' messages in the ltm log: err tmm10[31888]: hash grow: malloc failed. The message indicates that the cache has reached a point where it needs to be resized because memory allocation failed.

Conditions:
The messages are visible when viewing the ltm log during low memory conditions, perhaps due to memory leaks or high memory usage.

Impact:
Log filled with 'hash grow: malloc failed' log messages. Although the failure of the allocation can occur during normal operation, the number of messages is excessive, as it does not provide any useful information after the first failure.

Workaround:
To filter out hash grow: malloc failed errors from the log, set dnscacheresolver.loglevel to critical or emerg. For example, to set log level to critical, run the following command: tmsh modify sys db dnscacheresolver.loglevel value critical. This records only critical errors to the log.


496179 : Creating new Active Rule to assign policy to a VIP forces user to create rule

Component: Advanced Firewall Manager

Symptoms:
Creating a new Active Rule to assign a policy to a VIP forces you to create a rule, because the "Type" list does not appear. The Type list would allow you to select a policy instead of creating an unwanted rule to make the rule properties dialogue go away.

Conditions:
Create a new rule on the Active Rules page.

Impact:
User inconvenience.

Workaround:
Assign the Policy to the virtual server on the Virtual server page via the Security tab.


495227-1 : tmsh displays wrong cert expiration date on 'show gtm iquery' (later than Jan 18 2038).

Component: TMOS

Symptoms:
When displaying iQuery stats in tmsh, the expiration date of the certificate appears to be in the past.

Conditions:
Certificate expiration date is beyond Jan 18, 2038 (the maximum epoch time representable by a signed 32-bit integer).

Impact:
The certificate remains valid. This is a cosmetic issue only.

Workaround:
None.


495128-2 : Safari 8 continues using proxy for network access resource in some cases when it shouldn't

Component: Access Policy Manager

Symptoms:
If a client machine uses a proxy and Network Access does not specify any proxy, Safari should not use the proxy for Network Access resources after the Network Access tunnel is created. However, Safari does so for some resources.

This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing.
Apple has been notified: rdar://problem/18651124

Conditions:
The problem occurs when all of these conditions exist:
1. OS = Mac OS X Yosemite.
2. Configuration = Client machine has a local proxy configured and Network Access on the BIG-IP system access policy does not specify any proxy.
3. Action = Accessing a Network Access resource after the tunnel is created.

Impact:
As a result, some Network Access resource might be unavailable.

Workaround:
There is no workaround at this time.


494493-1 : iControl REST for ASM Character Sets returns invalid characters (greater than 127 (0x7f)) for Multi-Byte Encodings

Component: Application Security Manager

Symptoms:
The REST endpoint for Character Sets returns items that are invalid to send back to the endpoint as a PATCH. This can cause an API client to get unexpected errors.

Conditions:
A Security Policy exists with a Single-Byte Encoding configured, and the REST API is being used.

Impact:
Objects returned by the endpoint will fail validation when sent back to the endpoint.
Additionally this will not match output from the same endpoint (if enabled) on 11.5.2-HF1+, and could confuse API clients that attempt to compare Security Policies.


494333-2 : In specific cases, persist cookie insert fails to insert a session cookie when using an iRule

Component: Local Traffic Manager

Symptoms:
The 'persist cookie insert' and 'persist cookie rewrite' iRule commands fail to set session cookies.

Conditions:
A persistence cookie profile with a timeout of zero must be applied. If either command is used without an explicit timeout, LTM will fail to set a session cookie.

Impact:
TMM sets a cookie that expires using timeout of 180 instead of a session cookie.

Workaround:
Explicitly specify a 0 for the cookie timeout in the iRule.


494084-2 : Certain rapidly-terminating UDP virtuals may core on standby

Component: Local Traffic Manager

Symptoms:
Based on an internal race condition, it is possible for certain flows to cause cores on standby BIG-IPs when using connection mirroring on layer 7 VIPs. This does not apply to use of mirroring on Performance or Performance (HTTP) virtuals.

Conditions:
Standard UDP virtual using connection mirroring.

Impact:
Restart of the standby tmm. No connections are affected, though if packets are set to require acknowledgements from the standby there may be a brief delay in processing for some or all connections.


493950-3 : Virtual Server with misconfigured profiles may block upgrade

Component: TMOS

Symptoms:
Virtual Server with unmatched context settings in a profile might block upgrade.

Conditions:
This occurs when there is a virtual server configured with a TCP, UDP, or SCTP profile set with either (context clientside) or (context serverside), but without a corresponding profile with the other proxy side (serverside or clientside, respectively).

Impact:
Cannot upgrade and roll-forward a configuration, and the system might post the following error message: 01070734:3: Configuration error: Less than the required minimum number of profiles found on /Common/test-vip5: At least 1 Of but Not more than 1 Of (UDP Profile, TCP Profile, SCTP Profile)

Workaround:
There are two workarounds:
1. Before upgrade, modify the existing configuration, by either removing the (context) line or by adding the corresponding context, and then save the UCS file.
2. After a failed attempt to load the UCS file, manually modify the UCS file as described in workaround 1, and then load the file again.


493250-2 : BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled

Component: TMOS

Symptoms:
The ZebOS command to 'disable' BGP graceful-restart works temporarily, but is reset to 'enable' after system restart.

Conditions:
Setting BGP graceful-restart to enable and restarting the system.

Impact:
Cannot disable graceful-restart past a restart operation.


491406-1 : TMM SIGSEGV in sctp_output due to NULL snd_dst

Component: TMOS

Symptoms:
Crash in tmm sctp_output routine.

Conditions:
SCTP incorrectly processes a duplicate or unexpected COOKIE_ECHO following association shutdown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


490449-1 : LSN translation may occur after an iRule error.

Component: Local Traffic Manager

Symptoms:
When an iRule throws an error, the default is to abort the connection. When the error occurs in the CLIENT_ACCEPTED event and the Virtual Server is using source-address-translation type LSN, the source address translation may be executed before the connection is aborted. The address translation may succeed even though the connection fails.

Conditions:
A Virtual Server is using source-address-translation type LSN and has an iRule that does not handle errors.

Impact:
There are a number of possible side effects depending on configuration:
- Any LSN commands in the failing iRule may be ignored.
- LSN Pool translation statistics may be incremented.
- A log message indicating a successful translation may be output.
- Multiple RSTs may be sent for the aborted connection.
- PBA port blocks may be allocated.
- Persistence mapping entries may be created.
- Inbound mapping entries may be created.

Workaround:
Use the Tcl catch command to handle Tcl errors. When an error occurs, use the LSN::disable command to prevent the translation.


490139-2 : Loading iRules from file deletes last few comment lines

Component: Local Traffic Manager

Symptoms:
Loading iRules from the iRules file deletes the last few comment lines immediately preceding the closing bracket.

Conditions:
This occurs when loading an iRule file from versions prior to 11.5.1.

Impact:
Although the comments are removed, this does not affect iRule functionality.

Workaround:
Put comments in places other than immediately above the closing bracket.


489562 : HTTP with NTLMSSP_NEGOTIATE message and with payload of more than 4KB causes the NTLM front end authentication to stall

Component: Access Policy Manager

Symptoms:
NTLM authentication cannot be completed in the following circumstances. Some non-Microsoft HTTP clients start NTLM authentication by sending an NTLMSSP_NEGOTIATE message together with a payload. As part of the NTLM protocol, the response to this request should be a 401 status with an NTLMSSP_CHALLENGE message, which renders the payload from the initial request unnecessary.

However, the BIG-IP system currently has a 4KB limit for the initial buffer and does not drop the payload. This causes a deadlock between the BIG-IP system and the HTTP client: the BIG-IP system notifies the client that it cannot receive any more payload by closing the TCP receive window, while the client tries to finish sending the whole request before it can send the final NTLMSSP_AUTHENTICATE message.

Conditions:
The client sends an NTLMSSP_NEGOTIATE message with a payload of more than 4KB, and the BIG-IP system performs NTLM authentication for this request.

Impact:
NTLM authentication cannot be completed.


489499-4 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd

Component: TMOS

Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not be seen or reported by chmand. A message is seen in /var/log/ltm that contains the phrase "failed to register for LOP at <address>".

Conditions:
Occurs when chmand has been restarted after it has already synchronized once with lopd.

Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.

Workaround:
Restart lopd:
# bigstart restart lopd


489312-1 : IPsec IKEv2 tmm crash hud_ike_ingress_pkt()

Component: TMOS

Symptoms:
Using IPsec IKEv2 the tmm may crash in hud_ike_ingress_pkt() because of an uninitialized variable.

Conditions:
Using IPsec IKEv2.

Impact:
Traffic disrupted while tmm restarts.


488560-1 : Duplicate 'Source Address Translation' field on Virtual Server properties page

Component: TMOS

Symptoms:
On the Virtual Server page, with the type equal to 'Performance (HTTP)', the 'Source Address Translation' field will appear twice. The first field is correct. The second field should be ignored.

Conditions:
Virtual Server type equal to 'Performance (HTTP)'.

Impact:
Filling in the second field has no effect, but it is confusing.

Workaround:
Ignore the second field.


488417-2 : Config load failure with 'Input error: can't create user' after upgrade

Component: TMOS

Symptoms:
Unable to load config after upgrade or reboot if the admin account is disabled and replaced with a custom user. The system posts the message:

01070829:5: Input error: can't create user, role partition mapping, user does not exist, username, Unexpected Error: Loading configuration process failed.

On single-NIC virtual deployments, if the admin account is disabled and replaced with a custom user, the system will experience this issue any time the system is rebooted.

Logs similar to the following may appear in /var/log/ltm:

notice sod[6214]: 010c005e:5: Waiting for mcpd to reach phase base, current phase is platform.
notice mcpd[4672]: 01070829:5: Input error: can't create user, role partition mapping, user does not exist, security
err tmsh[7444]: 01420006:3: Loading configuration process failed.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all base" - failed. --
  01070829:5: Input error: can't create user, role partition mapping, user does not exist, security
  Unexpected Error: Loading configuration process failed.
err mcpd[4672]: 01070422:3: Base configuration load failed.

Conditions:
This occurs when upgrading or rebooting a system on which the root admin account is disabled and replaced with a custom admin user account.

This occurs on single-NIC virtual deployments in version 12.0.0, when a system on which the root admin account is disabled and replaced with a custom admin user account is rebooted.

To verify single-NIC is enabled:
tmsh list sys db provision.1nic

To verify a custom administrator has been defined:
tmsh list sys db systemauth.primaryadminuser

Impact:
You cannot upgrade if the root admin account is disabled.

On single-NIC virtual deployment configurations in version 12.0.0, the system fails to load the configuration after a reboot.

Workaround:
There is no workaround for this issue. To resolve this issue, you can reboot the BIG-IP system back to the previous working boot location that has the admin user disabled. For single-NIC virtual deployments, you can re-enable the default admin user account. To do so, perform one of the following procedures:

Impact of workaround: Since the BIG-IP System is already in the inoperative state, performing the following procedure should not have a negative impact on your system.

Rebooting the BIG-IP system back to the previous working boot location:

Log in to the Traffic Management shell (tmsh) by typing the following command:
tmsh

To reboot the BIG-IP system to the desired boot location, type the following command syntax:
reboot volume <boot_location>

Re-enabling the default admin user account on BIG-IP system (for single-NIC virtual deployments):

Azure BIG-IP Virtual Edition (VE):

Log in to tmsh by typing the following command:
tmsh

Re-enable the default admin user account by typing the following command:
modify /sys db systemauth.primaryadminuser value admin

Re-load BIG-IP configuration by typing the following command:
load /sys config

Amazon Web Services BIG-IP VE:

Log in to tmsh by typing the following command:
tmsh

Re-enable the default admin user account by typing the following command:
modify /sys db systemauth.primaryadminuser value admin

Update the password for the default admin user by typing the following command syntax:
modify /auth user admin password <password>

Re-load BIG-IP configuration by typing the following command:
load /sys config


488262-2 : Moving a VLAN from a route domain being deleted in the same transaction can cause errors

Component: TMOS

Symptoms:
Errors can occur when removing VLANs from a route domain and deleting that same route domain in the same transaction.

Conditions:
In a single transaction, removing the VLAN membership from a route domain and deleting the same route domain.

Impact:
Transactional deletion of a route domain together with changes to that route domain's VLAN membership in the same transaction produces errors.

Workaround:
Perform route-domain VLAN changes and route-domain deletion in different transactions.


488188-1 : When qkview is killed, it might leave temporary files on disk

Component: TMOS

Symptoms:
qkview removes its temporary files on exit. However, if qkview is killed externally, for example by CTRL-C, temporary files remain on the disk.

Conditions:
qkview is running, and is killed with a signal, such as CTRL-C.

Impact:
Unneeded files remain in /var/tmp, and possibly in other locations. This might contribute to a disk filling up with garbage data.

Workaround:
Delete files in /var/tmp.


487795 : Front panel Ethernet TX pause flow-control non-functional

Component: Local Traffic Manager

Symptoms:
Front panel port Ethernet TX pause is currently disabled for the following platforms: B4200, B4300, B2100, B2150, B2250, 5000-series, 7000-series, 10000-series, 11000-series, and 12250.

Conditions:
This occurs on the B4200, B4300, B2100, B2150, B2250, 5000-series, 7000-series, 10000-series, 11000-series, and 12250 platforms.

Impact:
Front panel Ethernet TX pause flow-control non-functional.

Workaround:
None.


487660-6 : LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range

Component: Carrier-Grade NAT

Symptoms:
LSN Translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN.

Conditions:
Persistence is enabled on the LSN pool, and cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN, when the lsn-pool port range is relatively small (under 1000), or a blade is added or removed. Translation mode is NAPT or PBA.

Impact:
Translation failures. The system posts an error similar to the following: debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096.

Workaround:
Adequately provision the LSN pool.


486735-4 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of the maximum connections per TMM, not the maximum connections for the virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.


485164-2 : MCPD cores when the Check Service Date in the license is not current.

Component: TMOS

Symptoms:
MCPD cores when the license has not been reactivated, causing the Check Service Date to be before the release date, and there are modified default profiles in the config.

Conditions:
A license with a Check Service Date before the release of the current version, and a config with modified default profiles.

Impact:
The BIG-IP system does not function.

Workaround:
Reactivate the license prior to upgrade.


484542-2 : QinQ tag-mode can be set on unsupported platforms

Component: Local Traffic Manager

Symptoms:
tmsh does not validate QinQ tag-mode and allows invalid values to be set.

Conditions:
This occurs when trying to set QinQ tag-mode to values other than 'none' on unsupported platforms. Only platforms with ePVA support QinQ tagging.

Impact:
Although you can set the QinQ tag-mode on an unsupported platform, the setting has no effect. There is no negative impact on system functionality.

Workaround:
Only configure QinQ tag-mode on the following platforms: BIG-IP 5050s/5250v/7050s/7250v/10050s/10250v and VIPRION B2150 SSD-based models.


483840-2 : Serial number of a blade is not cleared in show command after it is moved

Component: TMOS

Symptoms:
In a partially populated chassis, if a blade is moved from one slot to another, the serial number is still shown in the previous slot from this command:
guishell -c "select slot_id, serial_number from chassis_slot"
The stale serial number is also visible in the user interface.

Conditions:
In a partially populated chassis, a blade is moved from one slot to another.

Impact:
This issue is not harmful, but displays incorrect information.

Workaround:
The brute-force workaround is to reboot the chassis.


483653-2 : In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window

Component: Local Traffic Manager

Symptoms:
In some traffic situations, TMM can excessively buffer client data instead of closing the TCP window. This buffering occurs based on internal race conditions that are not directly controllable. This occurs only when the BIG-IP is providing SSL termination or origination.

In extreme circumstances with a slow connection, this could ultimately lead to out of memory situations.

Conditions:
The virtual must be providing SSL termination and/or origination.

Impact:
Increased memory usage, possibly leading to tmm crashing.


483257-1 : Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP

Component: Local Traffic Manager

Symptoms:
Cannot delete keys without extension .key (and certificates without extension .crt) using iControl SOAP.

Conditions:
You attempt to delete SSL certificates or keys without the .crt or .key extensions. Such objects may have been previously created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without extension .crt) using iControl SOAP.

Workaround:
Delete affected certificates or keys using the tmsh utility, with commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example


483242-1 : GUI LTM Profile ClientSSL unable to recognize certificates/key with short names.

Component: TMOS

Symptoms:
The LTM ClientSSL profile page in the Configuration utility cannot detect certificate/key files with short names.

Conditions:
When a certificate/key file has a short name such as 'app', the ClientSSL profile page cannot find the file.

Impact:
You may be unable to select the desired certificate/key.

Workaround:
Use tmsh to assign certificate/key to ClientSSL profile.


483093 : Create button is not disabled for non-Common partition

Component: Advanced Firewall Manager

Symptoms:
Because the Create button is not disabled, users can fill out the fields for creating a blacklist category; the error is displayed only after they click the 'Finished' button.

Conditions:
This issue is seen only in partitions other than Common, since creation of blacklist categories is not allowed in other partitions.

Impact:
For partitions other than Common, the user must fill out the fields and submit the form before seeing that a blacklist category cannot be created there.


482082-1 : Possible response truncation when using an asynchronous iRule command in ICAP_RESPONSE event

Component: Service Provider

Symptoms:
The HTTP client may receive only a partial response from the ICAP server after a long-running iRule in the ICAP_RESPONSE event on the internal virtual server.

Conditions:
A long-running iRule command executes asynchronously in the ICAP_RESPONSE event.

Impact:
HTTP client receives a partial response but the tail is truncated.


481725 : Source Address Add field is not shown if some Source FQDN is set

Component: Advanced Firewall Manager

Symptoms:
The GUI does not accept FQDNs as input for firewall rules, and when a Source FQDN is present in a rule the Source Address Add field is not shown.

Conditions:
Using a version earlier than 12.0.0.

Impact:
Source Address Add field is not shown.

Workaround:
None. Versions 11.6.1 and earlier do not support FQDNs as input for firewall rules.


481572-1 : Navigation parameter from POST data is not reported

Component: Application Security Manager

Symptoms:
A navigation parameter in the POST data is not reported.

Conditions:
-- Navigation parameter(s) are configured.
-- A navigation parameter appears in the post data.
-- The combined size of the URL and the navigation parameter reaches a specific value.

Impact:
The navigation parameter is not reported.

Workaround:
N/A


481481-1 : APM on a multi-blade chassis: On an idle machine 'rewrite' processes can consume up to half of the CPU cycles.

Component: Access Policy Manager

Symptoms:
On an idle machine, 'rewrite' processes can consume up to half of the CPU cycles.

Conditions:
APM on a multi-blade chassis. This condition is not certain: the two attached service requests are for BIG-IP 5250v appliances, so the issue may not be limited to chassis systems.

Impact:
APM system performance is degraded.

Workaround:
There is no workaround at this time.


480982-5 : pkcs11d with a high thread count can result in high CPU utilization

Component: Local Traffic Manager

Symptoms:
When pkcs11d is set to use a very high thread count, CPU utilization can increase dramatically.

Conditions:
The thread count for pkcs11d is set higher than the default.

Impact:
Less CPU available for other processes.

Workaround:
Do not set the pkcs11d thread-count setting (/sys crypto fips external-hsm num-threads) higher than the default.


479888-2 : BCM debug logging cannot be turned off once enabled

Component: TMOS

Symptoms:
Log messages continue to appear after being disabled.

Conditions:
This occurs when the BCM daemon loglevel is increased to debug and a non-zero mask is set.

Impact:
Unexpected log messages. The volume of bcm56xxd debug logs can be overwhelming, and being unable to stop them risks filling the filesystem they are written to.

Workaround:
Restart bcm56xxd daemon. Note: Restarting this daemon affects traffic.


479262-5 : 'readPowerSupplyRegister error' in LTM log

Component: TMOS

Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.

Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.

Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.

Workaround:
None. You can safely ignore this error message in this case.


479260-1 : FTP active mode does not work with LSN pool modes PBA and Deterministic when FTP profile port=any

Component: Carrier-Grade NAT

Symptoms:
FTP active mode does not work.

Conditions:
PBA or Deterministic mode is configured on the LSN pool and the FTP profile port is set to 'any'.

Impact:
FTP active mode does not work.

Workaround:
Use FTP passive mode.


479115-1 : stpd tries to use bcm56xxd before it has started which results in error messages in ltm log

Component: TMOS

Symptoms:
There is a race condition at daemon startup in which stpd comes up before bcm56xxd and tries to use it before it has started. You see the following in /var/log/ltm: err stpd[8241]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address

Conditions:
Affects switch based platforms that use bcm56xxd.

Impact:
Several error messages appear in the ltm log:

Feb 9 15:06:23 localhost err stpd[9390]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
Feb 9 15:06:23 localhost err stpd[9390]: 01280012:3: HAL packet request sendMessage failed (slot 0)


478462-1 : Whitelist count could increment incorrectly

Component: Advanced Firewall Manager

Symptoms:
The whitelist count for UDP flood may increment incorrectly.

Conditions:
When ICMP traffic arrives, the UDP flood whitelist count increments.

Impact:
The whitelist count is seen incrementing incorrectly.


477992-2 : Instance-specific monitor logging fails for pool members created in iApps

Component: Local Traffic Manager

Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.

Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.

Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.

Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.


477950-3 : Displayed SSL profile statistics might be incorrect

Component: Local Traffic Manager

Symptoms:
When issuing 'tmsh show ltm profile client-ssl', the hardware acceleration statistics might be incorrect in some instances.

Conditions:
Negotiated ciphers are partially accelerated (the handshake is done in software, the encryption in hardware).

Impact:
None. This is a display only issue.

Workaround:
This issue has no workaround at this time.


477897-2 : After modifying the protocol profile on an SCTP virtual, the logs may contain error messages

Component: Local Traffic Manager

Symptoms:
Error messages are logged in the tmm and ltm logs:
/var/log/tmm:
 <13> Sep 4 10:07:29 localhost notice hudfilter_init: 'proxy' is not a bottom-level filter.
/var/log/ltm
Sep 4 10:07:29 localhost err tmm1[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo
Sep 4 10:07:29 localhost err tmm[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo

Conditions:
Modify an SCTP virtual server by changing the protocol profiles so that the client-side and server-side profiles are the same profile.

Impact:
The only impact is that an ominous error message is logged.


477547-1 : Resource Assign Agent shows javascript error

Component: Access Policy Manager

Symptoms:
When opening full resource assign, users encounter the following error while trying to edit the Visual Policy Editor (VPE):
"Error While creating agent class (pCustomRAMapping_class is not defined)"

Conditions:
Attempt to edit resource assign.

Impact:
Unable to edit resource assign.

Workaround:
Edit bigip.conf directly.


477195-2 : OSPFv3 session gets stuck in loading state

Component: Local Traffic Manager

Symptoms:
When running tmsh ipv6 ospf neighbor, you see one or more neighbors stuck at Loading. Other adjacent network equipment might report the neighbor at Full.

Conditions:
This occurs when using OSPFv3

Impact:
Neighbor discovery fails to complete


477178-1 : Occasional crash when SSL session mirroring is enabled

Component: Local Traffic Manager

Symptoms:
Occasionally, when SSL session mirroring is enabled, TMM will crash.

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


476616-3 : Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1

Component: Application Security Manager

Symptoms:
The GUI reports the following error: Could not apply configuration; Set active failed.

Conditions:
-- Policy is configured for an application language like iso-8859-1 or iso-8859-15.
-- Learning suggestions that stem from multi byte UTF-8 parameter values (Illegal Meta Character in Value) are accepted.

Impact:
Set active fails. Policy changes cannot be applied.

Workaround:
Go to the Parameters list and, for each parameter that has an 'Allow' override for the meta character 'ÿ', remove the override completely: select the override, click '>>', and click Update.


476544-3 : mcpd core during sync

Component: TMOS

Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.

Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.

Impact:
mcpd cores and restarts if it runs out of memory. This condition can be detected only by inspecting the core file.

Workaround:
None.


476460-6 : WAM Range HTTP header limited to 8 ranges

Component: WebAccelerator

Symptoms:
When doing a request with multiple ranges, depending on the current state of the document in the cache (due to previous requests), WAM responds with 'HTTP 416 Requested range not satisfiable'.

Conditions:
Client requesting more than 8 ranges in a single HTTP Range request for a document that has an active cache record.

Impact:
The document cannot be retrieved, even with valid range values.

Workaround:
Force the document not to be cached in the policy, so that requests for it are always proxied to the origin web server (OWS).


476136 : notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE/TRUE)

Component: Local Traffic Manager

Symptoms:
On VIPRION B2250 and B4300/B4340N blades, you might encounter log entries of this type: notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE): error 01140012 or notice HA: ha_enabled_put(daemon_heartbeat, tmm, TRUE): error 01140012.

Conditions:
This occurs only on VIPRION B2250, B4300, B4340N blades.

Impact:
The system posts the error messages. These messages are benign and can be safely ignored.

Workaround:
None.


475896-2 : 'tmsh load /sys config from-terminal' (or from file) with a reference to an external file fails

Component: Local Traffic Manager

Symptoms:
'tmsh load /sys config from-terminal' or 'tmsh load /sys config file' for objects that have references to external files (such as external monitors, ifiles, SSL certs, data groups) will fail.

Conditions:
This occurs when running the command 'tmsh load /sys config from-terminal' or 'tmsh load /sys config file' on an object that references a file external to the configuration (using source-path or cache-path).

Impact:
The system posts an error similar to: Failed: name (/Common/external_monitor_name) cache path expected to be non empty. This error prevents using cut and paste to configure certain configuration objects.

Workaround:
To work around this issue, you can add the appropriate stanzas to the bigip.conf file manually and do a full load of the configuration, upload the external files individually through the GUI, or use the 'tmsh create sys file' command.


475681-1 : Changing virtual server type from Standard to Performance (HTTP) can make it impossible to connect to VIP

Component: Local Traffic Manager

Symptoms:
After changing a TCP virtual server's type from Standard to Performance (HTTP), it might no longer be possible to connect to a previously working VIP. Connections to the VIP are silently dropped.

Conditions:
This occurs when changing a Standard TCP virtual server type to Performance (HTTP).

Impact:
Connections to the VIP might fail, with the message: 'Connection timed out.'

Workaround:
Change virtual server type from Standard to Performance (Layer 4), then change type from Performance (Layer 4) to Performance (HTTP).


474797 : Malformed SSL packets can cause errors in /var/log/ltm

Component: Local Traffic Manager

Symptoms:
If malformed SSL packets are sent to the BIG-IP system, the following errors can be logged to /var/log/ltm:

Device error: cn9 core general.
crypto codec cn-crypto-4 queue is stuck.

Conditions:
Malformed SSL packets being sent to the BIG-IP system.

Impact:
Error logs in /var/log/ltm. This is a cosmetic issue only, and the errors can be safely ignored.

Workaround:
None.


474606-1 : [Flash AS3] ApplicationDomain matching fails for relative URLs

Component: Access Policy Manager

Symptoms:
URL matching fails for child SWFs that are loaded from a URL without a hostname. SWFs from the same backend host are loaded into an isolated ApplicationDomain and cannot see objects from the parent SWF. The application does not work or throws exceptions.

Conditions:
Child SWFs are loaded from relative URLs (without a hostname), so they cannot access the parent SWF.

Impact:
The application does not work or throws exceptions.

Workaround:
Disable Flash patching.


474149-4 : SOD posts error message: Config digest module error: Traffic group device not found

Component: TMOS

Symptoms:
SOD posts error message: Config digest module error: Traffic group device not found.

Conditions:
In a failover device group, if a peer device (non self device) has gone through a management IP address change, SOD fails to clean up the old IP address from its internal storage, so the system subsequently and incorrectly behaves as if there is a 'configuration data inconsistent' error.

Impact:
System posts the message: notice sod[8118]: 010c0062:5: Config digest module error: Traffic group device not found.

This causes the HA failover next-active device selection to fall back to the static (IP-based) selection algorithm, which in Device Service Clusters with more than 2 devices, may cause a device other than the intended device to take over services.

Workaround:
Restart sod or reboot the device to restore correct failover functionality. This will cause a failover of any traffic groups currently Active on the device.

To restart sod, at the command line run bigstart restart sod


473213-4 : Emergency alert treated as critical on the 10000s, 10200v, 10250v, and 10350vN platforms.

Component: TMOS

Symptoms:
Failed system fan emergency alert is exhibited as critical alert at LED and LCD screen.

Conditions:
A failure of a system fan on the 10000s, 10200v, 10250v, and 10350vN platforms causes this issue to appear.

Impact:
The mislabeling itself is minor, but note that a failed system fan is an emergency-level event: although the LED and LCD report it as critical, it should be treated at the emergency level.

Workaround:
None.


473212 : Systems which do not use RAID show confusing RAID status on the LCD

Component: TMOS

Symptoms:
The front panel LCD displays confusing RAID information on some systems which do not use RAID. On the front panel LCD, a RAID Status menu indicates that the single drive installed is Undefined. For systems configured in this way, you can safely ignore this display because the system is not using the RAID interface.

Conditions:
This occurs on some early 6900 and 8900 platforms, and 7000, 10000, and 12000 series platforms that shipped with a single SSD.

Impact:
This issue is cosmetic, and does not indicate a functional issue.


472308-3 : Management IP address change interaction with HA heartbeat / failover traffic

Component: TMOS

Symptoms:
When the management IP address changes (either as a result of enabling mgmt-dhcp, or the leased address changing), the system does not synchronize this updated address to other devices in the failover device group / trust domain. (That is, the system does not trigger an update to the device_trust_group.)

Conditions:
This occurs on HA configurations.

Impact:
This can cause disruption in an HA environment. The sod process discards any HA heartbeat traffic it receives (e.g., traffic over the self IP addresses) that does not contain a 'known' cluster_mgmt_ip.

Workaround:
None.


471835-1 : Invalid port blocks are incorrectly counted as active zombie blocks.

Component: Carrier-Grade NAT

Symptoms:
After changing the LSN pool configuration while port blocks are active, the port blocks may become invalid because they are no longer in the pool. An active port block may also become invalid if a translation request occurs during the short period between when a block expires and when the expiration is processed. These invalid blocks are incorrectly counted in the 'Active zombie port block' count. Because the invalid blocks are not zombie blocks, the count is not decremented when the invalid block expiration is processed.

Conditions:
More than one lsn-pool with overlapping address spaces, and virtual servers using these lsn-pools. Zombie timeout must be enabled on the pool and there must be active zombie port blocks.

Impact:
The PBA zombie statistics for the lsn-pool may be invalid.

Workaround:
None.


471288-5 : TMM might crash with session-related commands in iRules.

Component: Local Traffic Manager

Symptoms:
TMM might crash with session-related commands in iRules.

Conditions:
This occurs when the following conditions are met:
1) An iRule on the virtual server uses the session or table command.
2) The same virtual server has iRules for both the CLIENT_CLOSED and SERVER_CLOSED events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using CLIENT_CLOSED and SERVER_CLOSED iRules at the same time on a virtual server whose iRule uses the session or table command.


471042-6 : Datastor High Velocity Traffic Pattern Changes

Component: TMOS

Symptoms:
During periods of high velocity in the traffic pattern, datastor will seem to stop caching new objects.

Conditions:
A traffic pattern that requires that a given percentage of the working set be displaced in order to move the cache content towards the new working set.

Impact:
For web sites that have a fairly static working set, this will reduce the efficacy of their caching by a percentage relative to the write reserve.

Workaround:
None.


471001-5 : Standby responds to traceroute on mirror enabled forwarding virtual server

Component: Local Traffic Manager

Symptoms:
Standby responds with ICMP time exceeded message on mirror enabled forwarding virtual server.

Conditions:
This occurs when the following conditions are met: HA configuration, IP forwarding virtual server, mirroring enabled, non-floating self IP address, simultaneous flood of ICMP packet to both active and standby systems.

Impact:
Standby responds with ICMP time-exceeded message.

Workaround:
Disable mirroring in forwarding virtual server, or remove non-floating self IP address on standby system.


469974-3 : APM New Session performance graph displays incorrect timed out/error value

Component: Access Policy Manager

Symptoms:
The timed out/error value shown in the APM New Session performance graph is supposed to show only the count for sessions that were terminated due to inactivity or error while in the access policy evaluation state. However, it also includes sessions that were timed out after they passed access policy evaluation. As a result, the timed out/error value is larger than the actual value.

Conditions:
If sessions are timed out in established state, the stats will show up in the New Session graph.

Impact:
N/A

Workaround:
None


469566-1 : HTTP OneConnect on wildcard non-translating virtual server does not reuse connections

Component: Local Traffic Manager

Symptoms:
Server-side flows are not reused. In this version of the software, the system disables reuse of server-side flows if the server-side flow is established without use of a pool.

Conditions:
This occurs when using HTTP OneConnect on wildcard non-translating virtual servers.

Impact:
This causes virtual servers that do not use pools to create a new server-side connection for every HTTP request, which results in excessive back-end connection traffic.

Workaround:
For all virtual servers except for APM virtual servers, you can use the following iRule to reuse connections:

when HTTP_REQUEST_RELEASE {
    # Re-enable server-side flow reuse, which this version disables
    # when the server-side flow was established without a pool
    if {[HTTP::request_num] == 0} {
        ONECONNECT::reuse enable
    }
}


468559-2 : Config fails to load after upgrade to 11.5.1 when iApp requires PSM module.

Component: TMOS

Symptoms:
Protocol Security Module (PSM) provisioning was removed in 11.5.0. After upgrading to 11.5.1, the configuration fails to load when an iApp requires the PSM module.

Conditions:
Upgrade to 11.5.1 when an iApp requires PSM module.

Impact:
The upgrade fails as the configuration fails to load.

Workaround:
Remove PSM from the list of enabled modules from affected iApp templates before upgrading.


468503-1 : The Update Check operation reports a different version of IP geolocation database than what is installed.

Component: Global Traffic Manager

Symptoms:
The Update Check operation reports a different version of the IP geolocation database than what is installed.

Conditions:
When Update Check runs, either automatically or manually, by pressing Update Now.

Impact:
Update Check reports the wrong version of the IP geolocation database, which results in the Update Check operation continually reporting IP geolocation database available as an update.

Workaround:
None.


468083-2 : An LB_FAILED iRule that references an undefined value can cause Traffic Management Microkernel (TMM) failover.

Component: Local Traffic Manager

Symptoms:
If an LB_FAILED iRule calls HTTP::respond and references an undefined value, then Traffic Management Microkernel (TMM) can crash or failover.

The following is in the ltm logfile showing the undefined value reference:
Jun 19 11:10:04 bigip1 err tmm[9515]: 01220001:3: TCL error: /Common/rule_lbpickfailed <LB_FAILED> - can't read "value": no such variable while executing "log local0. "$value doesn't exist""

Conditions:
The following have to be configured in order for this to reproduce:

1. An http profile with web acceleration and http compression enabled:
profiles {
    /Common/http { }
    /Common/optimized-acceleration { }
    /Common/tcp { }
    /Common/wan-optimized-compression { }
}

2. An LB_FAILED iRule that calls HTTP::respond and references an undefined value:

when LB_FAILED {
   HTTP::respond 200 content "content"
   log local0. "$value doesn't exist"
}

Impact:
The TMM crashes.

Workaround:
Fix the iRule so that it does not reference an undefined variable within LB_FAILED (for example, initialize the variable before use, or guard the reference with [info exists value]).
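Several entries in this section are identified by a specific /var/log/ltm message, and the entries disagree on what the message means: 479262-5, 479115-1, 477897-2, 476136 and 474797 call theirs benign, while 474149-4, 468083-2 and 487660-6 describe messages that need operator action. The following script is an added example, not part of this release note or of F5's software; it maps those quoted messages to the verdict each entry gives. It assumes the standard ltm log line layout (timestamp, host, level, daemon[pid]: code:severity: text); the sample lines are constructed from the messages quoted in this section, and the daemon name on the constructed PSU line and the constructed pool line are assumptions.

```python
"""Triage /var/log/ltm lines against the known-issue messages quoted in this section.

Added example, not F5 code. The syslog layout below is an assumption about the standard
ltm log format; the match patterns are taken from the messages quoted in the entries.
"""
import re
from collections import Counter

# Assumed ltm log layout: '<Mon DD HH:MM:SS> <host> <level> <daemon>[<pid>]: <code>:<sev>: <text>'.
# Timestamp, host, pid and the code:severity prefix are optional so that the shortened
# forms quoted in this document also parse.
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<level>\w+) (?P<daemon>[\w.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:(?P<code>[0-9A-Fa-f]{8}):(?P<sev>\d): )?(?P<text>.*)$"
)

# (pattern over the message text, verdict, which entry says so). The verdict is what the
# entry's Impact/Workaround states: 'benign' = safe to ignore, 'action' = operator must act.
RULES = [
    (re.compile(r"readPowerSupplyRegister error"), "benign",
     "479262-5: DC PSU lost input power; ignore while the PSU is unpowered"),
    (re.compile(r"Unable to send to any BCM56XXD address|HAL packet request sendMessage failed"),
     "benign", "479115-1: stpd raced ahead of bcm56xxd at startup"),
    (re.compile(r"Proxy initialization failed for \S+"), "benign",
     "477897-2: SCTP virtual with identical client/server profiles"),
    (re.compile(r"ha_enabled_put\(daemon_heartbeat, tmm, (?:TRUE|FALSE)\): error 01140012"),
     "benign", "476136: VIPRION B2250/B4300/B4340N; safe to ignore"),
    (re.compile(r"Device error: cn\d+ core general|crypto codec cn-crypto-\d+ queue is stuck"),
     "benign", "474797: malformed SSL packets; cosmetic"),
    (re.compile(r"Config digest module error: Traffic group device not found"), "action",
     "474149-4: stale peer mgmt IP in sod; restart sod or reboot (this fails over)"),
    (re.compile(r"TCL error: \S+ <LB_FAILED> - can't read \"\w+\": no such variable"), "action",
     "468083-2: LB_FAILED iRule reads an undefined variable; tmm can crash"),
    (re.compile(r"Translation failed client \S+"), "action",
     "487660-6: LSN translation failure; check persistence, cmp-hash and port range"),
]


def parse_line(line):
    """Return the parsed fields of one ltm log line, or None if it is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(text):
    """Match the message text against RULES; unmatched messages are reported as 'unknown'."""
    for pattern, verdict, reference in RULES:
        if pattern.search(text):
            return verdict, reference
    return "unknown", ""


def triage(lines):
    """Classify each line; returns a list of dicts with daemon, verdict, reference and the raw line."""
    results = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            results.append({"daemon": None, "verdict": "unparsed", "reference": "", "line": line})
            continue
        verdict, reference = classify(fields["text"])
        results.append({"daemon": fields["daemon"], "verdict": verdict,
                        "reference": reference, "line": line})
    return results


def summarize(results):
    """Count lines per verdict so an operator sees at a glance what needs action."""
    return dict(Counter(r["verdict"] for r in results))


# Constructed sample built from the messages quoted in this section (not a real log).
# The 'chmand' daemon on the PSU line and the final pool line are assumptions.
SAMPLE_LOG = [
    "Feb 9 15:06:23 localhost err stpd[9390]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address",
    "Feb 9 15:06:23 localhost err stpd[9390]: 01280012:3: HAL packet request sendMessage failed (slot 0)",
    "Sep 4 10:07:29 localhost err tmm1[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo",
    'Jun 19 11:10:04 bigip1 err tmm[9515]: 01220001:3: TCL error: /Common/rule_lbpickfailed <LB_FAILED> - can\'t read "value": no such variable while executing "log local0. "$value doesn\'t exist""',
    "Jun 19 11:12:40 bigip1 notice sod[8118]: 010c0062:5: Config digest module error: Traffic group device not found",
    "Jun 19 11:13:02 bigip1 debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096.",
    "Jun 19 11:14:00 bigip1 notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE): error 01140012",
    "Jun 19 11:15:00 bigip1 err chmand[3031]: readPowerSupplyRegister error",
    "Jun 19 11:16:00 bigip1 info tmm[9515]: 01010028:6: No members available for pool /Common/app_pool",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for r in results:
        print(f"{r['verdict']:<8} {r['daemon'] or '-':<8} {r['reference'] or r['line'][:60]}")
    print(summarize(results))
```

To use it on a real system, replace SAMPLE_LOG with the lines of a copy of /var/log/ltm. Anything reported as 'unknown' still needs a human look, and an 'action' hit on the sod message means next-active device selection may already be wrong on that device.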


467589-2 : Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.

Component: WebAccelerator

Symptoms:
The /usr/share/mysql/purge_mysql_logs.pl script that ships with a new install (and runs hourly via cron) throws an error. The script is meant to exit if AAM, ASM and PSM are not provisioned, but the check is not done correctly, so it continues execution and fails later.

Conditions:
BIG-IP system with no AAM, ASM, and PSM provisioned, when running the script /etc/cron.hourly/purge_mysql_logs.pl (linked to /usr/share/mysql/purge_mysql_logs.pl)

Impact:
The script gives false output and attempts to execute invalid actions. The system posts the following error: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27.

Workaround:
Provision AAM, ASM, or PSM. Or modify the script using the following procedure:

Remount the /usr partition read-write:
# mount -o remount,rw /usr

Edit /usr/share/mysql/purge_mysql_logs.pl and change the original check:

unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) {
    exit 0;
}

to:

unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) {
    exit 0;
}


467059-1 : Customization GUI not showing proper error message when modify customization group file created from iApps

Component: Access Policy Manager

Symptoms:
Objects that are created through iApps cannot be modified unless the user explicitly allows modification. An incorrect error message appears when the user tries to modify the object.

Conditions:
This issue occurs when the user tries to modify a customization group file created through iApps.

Impact:
The impact of this issue is that an incorrect error message appears, which might confuse the administrator.

Workaround:
This issue has no workaround at this time.


467018-1 : On HSB platforms which don't have HW DoS, bad cksum pkts could cause perf drop

Component: Performance

Symptoms:
On an HSB platform that does not have hardware DoS features, packets with bad TCP/UDP/IP checksums can cause a performance drop.

Conditions:
HSB platform that does not have hardware DoS (BIG-IP 2000/4000 appliances). On those platforms, if too many bad-checksum packets are received, performance is not as good as before.

Impact:
Degraded performance.

Workaround:
Create a file named "tmm_init.tcl" in "/config" containing the lines:
HSB::netc_ipcsum_drop yes
HSB::netc_l4csum_drop yes

Then reboot.


466017-4 : Tab-completion does not work for TCP/HTTP profiles with ltm virtual profiles

Component: TMOS

Symptoms:
Tab-completion does not work for TCP/HTTP profiles with the command: ltm virtual profiles.

Conditions:
This occurs with TCP and HTTP profiles when using Tab-completion in tmsh.

Impact:
Cannot use Tab-complete with TCP or HTTP profiles.

Workaround:
Type the profile name out completely, instead of using tab-completion to complete the name of the profile.


465234-3 : wamd process keeps restarting during provisioning on the BIG-IP 4000 series platforms.

Component: WebAccelerator

Symptoms:
wamd process keeps restarting. The /var/log/kern.log contains messages similar to the following:

info kernel: wamd[29081]: segfault at 78 ip 000000005793c3e0 sp 00000000ff887d30 error 4 in libumem_mt.so[57928000+2c000]

Conditions:
This occurs intermittently during provisioning on the BIG-IP 4000 series platforms, and might indicate a race condition in between provisioning and wamd.

Impact:
System cannot provision modules and start up properly.

Workaround:
None.


465115-1 : Message about missing database variable found in ltm log.

Component: TMOS

Symptoms:
You see this message in the install log:

liveinstall.log.0:01020036:3: The requested database variable (config.encryption) was not found.

Conditions:
This occurs after using 'tmsh sys software' commands.

Impact:
None; the message is benign.


464650-3 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
mcpd cores and restarts.

Workaround:
None.


464437-3 : Quickly repeated external datagroup loads might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
TMM crashes while loading an external datagroup that has already been loaded.

Conditions:
External datagroup is already loaded, and is then re-loaded.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To avoid this issue, wait a few seconds between loading and reloading the same external data group.


462881-1 : Configuration utility allows for mismatch in IP protocol and transport profile

Component: Local Traffic Manager

Symptoms:
tmsh allows configuration of a virtual server with mismatched ip-protocol and transport-layer profile. For example, ip-protocol tcp with a UDP profile or ip-protocol udp with a TCP profile, or ip-protocol any with a TCP profile.

Conditions:
Configure a virtual server with mismatched ip-protocol and transport-layer profiles (e.g., ip-protocol udp, profiles { tcp }).

Impact:
Traffic reaching a misconfigured virtual server can crash tmm, resulting in an outage.

Workaround:
Configure virtual server with matching ip-protocol and transport-layer profile.
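Because tmsh does not reject the mismatch, the only way to catch it before traffic reaches the virtual server is to audit the configuration. The following script is an added example, not F5 code: it checks bigip.conf or 'tmsh list ltm virtual' style text for virtual servers whose ip-protocol disagrees with a tcp, udp or sctp transport profile. It goes beyond the three combinations listed above and flags any such disagreement, while treating fastL4 as compatible with every ip-protocol. It assumes the one-setting-per-line brace layout that tmsh emits, a standard set of stock transport profile names, and that a virtual server omitting ip-protocol defaults to tcp; the configuration text is constructed for the example.

```python
"""Audit bigip.conf / 'tmsh list ltm virtual' text for ip-protocol vs transport-profile mismatches.

Added example, not F5 code. Assumes the one-setting-per-line brace layout tmsh emits. Profile
types come from 'ltm profile <type> <name>' stanzas in the same text, seeded with the stock
transport profiles (assumption: a standard install).
"""

TRANSPORT_TYPES = {"tcp", "udp", "sctp", "fastl4"}

# Stock transport profiles, which bigip.conf does not list (assumption: standard names).
DEFAULT_PROFILE_TYPES = {
    "/Common/tcp": "tcp",
    "/Common/tcp-lan-optimized": "tcp",
    "/Common/tcp-wan-optimized": "tcp",
    "/Common/udp": "udp",
    "/Common/udp_gtm_dns": "udp",
    "/Common/sctp": "sctp",
    "/Common/fastL4": "fastl4",
}


def parse_block(lines, i=0):
    """Parse tmsh brace stanzas starting at lines[i] until the matching '}' (or end of input).

    Returns (entries, next_index). Each entry is (tokens, children): children is a list for a
    'key {' block, [] for an empty 'key { }' block, and None for a plain 'key value' line.
    Single-line lists such as 'vlans { /Common/ext }' are kept as plain lines.
    """
    entries = []
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        if line == "}":
            break
        if line.endswith("{ }"):
            entries.append((line[:-3].split(), []))
        elif line.endswith("{"):
            children, i = parse_block(lines, i)
            entries.append((line[:-1].split(), children))
        else:
            entries.append((line.split(), None))
    return entries, i


def parse_config(text):
    """Return the top-level stanzas of a tmsh-style configuration text."""
    entries, _ = parse_block(text.splitlines())
    return entries


def profile_types(entries):
    """Map profile name -> type from 'ltm profile <type> <name>' stanzas plus the stock profiles."""
    types = dict(DEFAULT_PROFILE_TYPES)
    for tokens, _ in entries:
        if len(tokens) == 4 and tokens[:2] == ["ltm", "profile"]:
            types[tokens[3]] = tokens[2].lower()
    return types


def find_mismatches(text):
    """Return (virtual, ip_protocol, profile, profile_type) for every transport-profile mismatch.

    A tcp, udp or sctp profile is only valid when ip-protocol names the same protocol;
    fastL4 is accepted with any ip-protocol, and non-transport profiles are ignored.
    """
    entries = parse_config(text)
    types = profile_types(entries)
    findings = []
    for tokens, children in entries:
        if tokens[:2] != ["ltm", "virtual"] or not children:
            continue
        name = tokens[2]
        ip_protocol = "tcp"  # tmsh default when the setting is omitted (assumption)
        profiles = []
        for ctokens, cchildren in children:
            if ctokens[0] == "ip-protocol" and len(ctokens) > 1:
                ip_protocol = ctokens[1].lower()
            elif ctokens[0] == "profiles" and cchildren is not None:
                profiles = [ptokens[0] for ptokens, _ in cchildren]
        for profile in profiles:
            ptype = types.get(profile)
            if ptype not in TRANSPORT_TYPES or ptype == "fastl4":
                continue
            if ptype != ip_protocol:
                findings.append((name, ip_protocol, profile, ptype))
    return findings


# Constructed sample in the layout tmsh emits (not from a real system).
SAMPLE_CONFIG = """
ltm profile tcp /Common/tcp-custom {
    defaults-from /Common/tcp
    idle-timeout 600
}
ltm profile udp /Common/udp-dns {
    defaults-from /Common/udp
    datagram-load-balancing enabled
}
ltm virtual /Common/vs_http_ok {
    destination /Common/10.0.0.10:80
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/tcp-custom { }
    }
}
ltm virtual /Common/vs_dns_bad {
    destination /Common/10.0.0.53:53
    ip-protocol udp
    profiles {
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_any_bad {
    destination /Common/10.0.0.99:0
    ip-protocol any
    profiles {
        /Common/tcp-custom { }
    }
}
ltm virtual /Common/vs_fastl4_ok {
    destination /Common/10.0.0.20:443
    ip-protocol any
    profiles {
        /Common/fastL4 { }
    }
}
ltm virtual /Common/vs_dns_ok {
    destination /Common/10.0.0.54:53
    ip-protocol udp
    profiles {
        /Common/udp-dns { }
    }
}
"""

if __name__ == "__main__":
    for virtual, ip_protocol, profile, ptype in find_mismatches(SAMPLE_CONFIG):
        print(f"MISMATCH {virtual}: ip-protocol {ip_protocol} with {ptype} profile {profile}")
```

Feed it the output of 'tmsh list ltm virtual' together with 'tmsh list ltm profile tcp', 'udp' and 'sctp' (or /config/bigip.conf) so that custom profile names resolve to a type; a profile the script cannot type is skipped rather than guessed.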


462043-1 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Component: Local Traffic Manager

Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', a packet's inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.

Conditions:
On 5000 and C2400 platforms.

Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.

Workaround:
None.


461531-2 : Content of 'Tower' column in 'Policy Enforcement/Subscribers/Active Sessions' table is displayed incorrectly.

Component: Policy Enforcement Manager

Symptoms:
The tower column in the Active Sessions table (Policy Enforcement : Subscribers) is displayed incorrectly.

Conditions:
Viewing 'Tower' column in 'Policy Enforcement/Subscribers/Active Sessions' table.

Impact:
There is no impact. This is a cosmetic issue only.

Workaround:
None needed.


457288-1 : FTP active mode does not work with NAT64 and inherit enabled

Component: Carrier-Grade NAT

Symptoms:
An FTP connection in active mode does not work when the FTP profile has inherit-parent-profile enabled and the virtual server uses LSN source address translation.

Conditions:
The configuration includes a virtual server with NAT64 enabled and an attached FTP profile with inherit-parent-profile enabled, and uses LSN source-address translation. An FTP connection is initiated and then switched to active mode. This problem is seen only when the 'Inherit Parent Profile' box is checked in the FTP profile.

Impact:
You are unable to use FTP in active mode with this configuration.

Workaround:
None.


456976 : Web scraping/brute force may break application on IE6/IE7

Component: Application Security Manager

Symptoms:
A blank page is shown on IE6/IE7 browsers when Web Scraping is enabled with Bot Detection set to Blocking mode, or Client Side Integrity Defense is enabled in Blocking mode in either Web Scraping or Brute Force.

Conditions:
1. Clients using IE6 or IE7 browser.
2. Web Scraping is enabled with Bot Detection set to blocking mode,
   OR Client Side Integrity Defense is enabled in blocking mode in either Web Scraping or Brute Force.

Impact:
A blank page is shown and the user does not reach the requested page.


456378-2 : On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core

Component: Local Traffic Manager

Symptoms:
When using the ipother profile, if an iRule that fires on CLIENT_ACCEPTED contains a discard or reject action, TMM cores and the system fails over.

Conditions:
Virtual server with ipother profile and an iRule firing on CLIENT_ACCEPTED with discard or reject action.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use CLIENT_DATA as the firing event for the iRule. Discarding the connection from that event has the same expected result.


455066-1 : Read-only account can save system config

Component: TMOS

Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.

Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.

Impact:
Read-only users can persist the running configuration to disk with save sys config, including unsaved changes made by read/write users, which exceeds what the read-only role is meant to allow.


454949-3 : AFM Optimizations to improve run-time and memory usage.

Component: Performance

Symptoms:
AFM Optimizations to improve run-time and memory usage.

Conditions:
Running AFM.

Impact:
Potential run-time and memory-usage issues.

Workaround:
None


454941-2 : IPsec IKEv1 configuration change resets all existing IPsec IKEv1 tunnels.

Component: TMOS

Symptoms:
IPsec IKEv1 configuration change resets all existing IPsec IKEv1 tunnels.

Conditions:
This occurs when the IPsec IKEv1 configuration is modified.

Impact:
All existing IPsec IKEv1 tunnels are reset.

Workaround:
None available.


454209-3 : TMM crash on UDP DNS virtual without datagram-load-balancing enabled

Component: Local Traffic Manager

Symptoms:
TMM crash on UDP DNS virtual without datagram-load-balancing enabled.

Conditions:
DNS virtual server without datagram lb mode.

Impact:
TMM crash with a backtrace including dns_dev_pool coring at line 360. Failover and potential traffic interruption.

Workaround:
Enable datagram-lb-mode in the UDP profile used by the DNS virtual server, or turn off DNS queuing via the db variable dns.queuing.


452660-4 : SNMP trap engineID should not be configsynced between HA-pairs

Component: TMOS

Symptoms:
When configuring an engine_id for a SNMPv3 trap destination, the engine_id was synchronized to all HA peers.

Conditions:
All

Impact:
After failover to a standby BIG-IP system, received SNMPv3 traps appear to originate from the same BIG-IP system as before, because both peers carry the same engine ID.

Workaround:
Disable configsync for engine_id (change 'yes' to 'no') in /defaults/config_base.conf. You must first remount the /usr partition read-write to modify the file, and then run 'tmsh load sys config'. For more information on remounting the /usr partition, see SOL11302: The /usr file system is mounted in read-only mode
at https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11302.html


450136-5 : Occasionally customers see chunk boundaries as part of HTTP response

Component: Access Policy Manager

Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.

Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.

Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.

Workaround:
To work around this problem, use an iRule to always rechunk the HTTP response.


447565-3 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca.


446187-7 : Manual start of a BIG-IP APM service may trigger 100 percent CPU utilization.

Component: Access Policy Manager

Symptoms:
As a result of this issue, you may encounter the following symptoms:

-- BIG-IP iHealth lists Heuristic H465125 on the Diagnostics :: Identified :: High screen.
-- The BIG-IP APM service that you started causes system CPU utilization to increase over time, eventually consuming all available CPU.
-- Users may be unable to access the BIG-IP APM access profiles.
-- When you view the Configuration utility, dashboard CPU consumption continually increases.
-- In the /var/log/ltm log file, you may observe log messages similar to the following examples.
notice chmand[6792]: 012a0005:5: Cpu utilization over 300 seconds is 100%, exceeded log level 80%
notice chmand[6792]: 012a0005:5: Cpu utilization over 300 seconds is 100%, exceeded log level 80%

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP APM daemon is already running.
-- You manually start the daemon again from the command line, either directly or by using bigstart.
-- The daemon is one of the following: aced, acctd, apd, eam, rba, or websso.

Impact:
The user may be unable to access the system, and the BIG-IP APM system may stop responding.

Workaround:
Never start any daemon manually.
The proper way to start, stop, and restart daemons on the BIG-IP system is to use the bigstart utility:
bigstart start daemonname
bigstart stop daemonname
bigstart restart daemonname


442532-4 : Log shows "socket error: resource temporarily unavailable"

Component: Access Policy Manager

Symptoms:
A response could not be sent to the remote client. This happens rarely, with a very large access policy configuration. The issue could not be reproduced.

Conditions:
Conditions leading to this issue are not yet known.

Impact:
The system continues to operate; reconnecting succeeds.

Workaround:
This issue has no workaround at this time.


441913-6 : Empty Webtop when large number of resources assigned to access policy.

Component: Access Policy Manager

Symptoms:
When a large number of resources (more than 25) is assigned to an access policy with a full webtop, the system displays an empty webtop when it is accessed the second time.

Conditions:
Large number of resources assigned to access policy.

Impact:
The webtop fails to display the resources when it is accessed a second time.

Workaround:
To work around the problem, assign fewer resources (25 or fewer) to the access policy.


441482-2 : SWG is seen on platforms with less than 8 GB of memory

Component: TMOS

Symptoms:
Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms.

Conditions:
This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.)

Impact:
Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.'

Workaround:
Do not attempt to provision SWG on platforms with less than 8 GB of memory.


441079-5 : BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved

Component: Local Traffic Manager

Symptoms:
The BIG-IP system is modifying the source port on NAT connections.

Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.

Impact:
This impacts any applications where the source port is expected to be preserved.

Workaround:
None.


440505-7 : Default port should be removed from Location header value in http redirect

Component: Access Policy Manager

Symptoms:
The browser treats a page loaded from a URL without the default port and the same page loaded after a Location header whose rewritten URL includes the default port as two different pages, and therefore loads the page twice.

Conditions:
Resource is loaded through Portal Access; page is loaded after receiving Location header with default port included in rewritten part; navigation occurs to this page without default port in domain part (for example, to anchor in this page).

Impact:
Resource is loaded twice and this can possibly change behavior of backend.

Workaround:
This issue has no workaround at this time.
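The normalization that this entry says Portal Access should apply, as an added example in Python (not F5 code): drop the scheme's default port (80 for http, 443 for https) from a rewritten Location URL so the browser sees one URL whether or not the port was present. The header-map helper and the sample URLs are assumptions for the example.

```python
"""Added example, not F5 code: strip the default port from a Location header value
so that 'https://host:443/path' and 'https://host/path' are recognized as one page."""
from typing import Dict
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def strip_default_port(url: str) -> str:
    """Return `url` without an explicit port when that port is the scheme default."""
    parts = urlsplit(url)
    default = DEFAULT_PORTS.get(parts.scheme.lower())
    userinfo, at, hostport = parts.netloc.rpartition("@")
    host, colon, port = hostport.rpartition(":")
    # For an IPv6 literal without a port, rpartition splits inside the brackets and
    # `port` is not all digits, so the URL is left untouched.
    if colon and port.isdigit() and int(port) == default:
        hostport = host
    return urlunsplit((parts.scheme, userinfo + at + hostport,
                       parts.path, parts.query, parts.fragment))


def same_document(url_a: str, url_b: str) -> bool:
    """True when both URLs denote the same document once default ports are removed.
    Fragments are ignored, as a browser does when deciding whether to reload."""
    a = urlsplit(strip_default_port(url_a))._replace(fragment="")
    b = urlsplit(strip_default_port(url_b))._replace(fragment="")
    return a == b


def normalize_location_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a response header map with every Location value normalized
    (hypothetical helper; header names are matched case-insensitively)."""
    out = dict(headers)
    for name in list(out):
        if name.lower() == "location":
            out[name] = strip_default_port(out[name])
    return out
```

Only the scheme's own default is removed: http on 443 or https on 8443 is a different origin and must stay explicit.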


440431-3 : Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Conditions:
This issue occurs when the following condition is met:

A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command.

The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging.

Impact:
The system logs invalid information: if $HTTP_STATUS is used within the Response Logging template, the output is blank.
As a result of this issue, you may encounter the following symptom:
-- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen.

Workaround:
To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.


439860-3 : Missing SNMP alerts for Virtual Server enabled/disabled.

Component: TMOS

Symptoms:
When a user enables or disables a virtual server, no SNMP trap is sent. However, when the virtual server changes up/down state because of pool member monitoring, the traps are sent.

Conditions:
The BIG-IP system configured for sending SNMP traps.

Impact:
SNMP traps when a user manually enables/disables virtual servers are not sent.

Workaround:
None.


439680-3 : BIG-IP as SP fails to report unsupported key transport algorithms when processing encrypted assertions

Component: Access Policy Manager

Symptoms:
A BIG-IP system configured as a Service Provider (SP) supports only rsa-oaep for key transport (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p).

When the BIG-IP system configured as SP receives a SAML assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails.

The only issue here is the error reported does not directly point to the cause of failure which makes troubleshooting more difficult.

Conditions:
A BIG-IP system configured as an SP receives a SAML assertion that is encrypted or contains encrypted attributes.

Impact:
Troubleshooting could take longer.

Workaround:
There is no workaround.
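The check this entry describes as missing, as an added example in Python (not F5 code): inspect the key-transport and data-encryption algorithm URIs of every EncryptedAssertion and EncryptedAttribute against an explicit allow-list and name the offending algorithm before any decryption is attempted. The key-transport allow-list follows the entry (rsa-oaep-mgf1p only); the data-encryption list, the helper names and the sample response are assumptions for the example.

```python
"""Added example, not F5 code: fail fast, with a message that names the algorithm,
when an encrypted SAML assertion uses a key-transport or data-encryption algorithm
that is not on the allow-list, instead of failing later inside decryption."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Key transport: the entry above states BIG-IP as SP supports only rsa-oaep-mgf1p.
SUPPORTED_KEY_TRANSPORT = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"}
# Legacy PKCS#1 v1.5 key transport: not on the list, and also the classic
# padding-oracle target, so keeping it off is the right default.
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
# Data-encryption allow-list: an assumption for the example, not an F5-documented list.
SUPPORTED_DATA_ENCRYPTION = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}


class UnsupportedAlgorithm(ValueError):
    """Raised with a message that names the unsupported algorithm URI."""


def _algorithm(node: ET.Element) -> Optional[str]:
    method = node.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def check_encryption_algorithms(response_xml: str) -> List[Tuple[str, str]]:
    """Return (key_transport, data_encryption) for every encrypted element in the
    response, raising UnsupportedAlgorithm on the first one that is not allowed.
    For attacker-supplied XML in production, parse with defusedxml rather than
    the stdlib parser used here."""
    root = ET.fromstring(response_xml)
    targets = (root.findall(".//saml:EncryptedAssertion", NS)
               + root.findall(".//saml:EncryptedAttribute", NS))
    seen = []
    for enc in targets:
        data = enc.find("xenc:EncryptedData", NS)
        if data is None:
            raise UnsupportedAlgorithm("EncryptedData element missing")
        # EncryptedKey normally sits inside ds:KeyInfo, but may be a sibling of EncryptedData.
        key = enc.find(".//xenc:EncryptedKey", NS)
        key_alg = _algorithm(key) if key is not None else None
        data_alg = _algorithm(data)
        if key_alg not in SUPPORTED_KEY_TRANSPORT:
            raise UnsupportedAlgorithm(f"unsupported key transport algorithm: {key_alg}")
        if data_alg not in SUPPORTED_DATA_ENCRYPTION:
            raise UnsupportedAlgorithm(f"unsupported data encryption algorithm: {data_alg}")
        seen.append((key_alg, data_alg))
    return seen


def rejection_reason(response_xml: str) -> Optional[str]:
    """The error message an operator would see, or None if all algorithms are allowed."""
    try:
        check_encryption_algorithms(response_xml)
    except UnsupportedAlgorithm as exc:
        return str(exc)
    return None


def sample_response(key_alg: str,
                    data_alg: str = "http://www.w3.org/2001/04/xmlenc#aes256-cbc") -> str:
    """Constructed SAML Response skeleton with one EncryptedAssertion.
    CipherValue contents are placeholders, not real ciphertext."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="{data_alg}"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{key_alg}"/>
          <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
```

The point of checking before decrypting is twofold: the log line then says which algorithm the IdP used, and the SP never hands a rsa-1_5 ciphertext to its private key at all.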


439399-3 : Discrepancy between Throughput and Detailed Throughput data

Component: TMOS

Symptoms:
Discrepancy between Throughput and Detailed Throughput graphs.

Conditions:
Conditions leading to this issue include vCMP guest with ePVA virtual servers in guest.

Impact:
The impact of this issue is a discrepancy between the Throughput and Detailed Throughput graphs.

Workaround:
This issue has no workaround at this time.


439330-8 : Javascript: getAttribute() returns mangled event handlers

Component: Access Policy Manager

Symptoms:
All event handlers in HTML page are rewritten by APM. If some script uses getAttribute() call to obtain event handler code, it gets rewritten code. This may lead to incorrect results.

Conditions:
HTML page with event handlers defined.

Impact:
If a script uses event handler source code, it might work incorrectly.


435419-5 : Install of partial epsec file causes mcpd to crash, followed by multiple cores.

Component: Access Policy Manager

Symptoms:
Install of partial epsec file causes mcpd to crash, followed by multiple cores.

Conditions:
-- Attempt to upload a current epsec file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.

Impact:
mcpd crashes, followed by multiple cores.

Workaround:
Upload the epsec file completely, and try the installation again.


435055-1 : ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert)

Component: Local Traffic Manager

Symptoms:
ECDHE-ECDSA cipher does not work with hybrid certificate (RSA signed EC cert).

Log files may indicate SSL handshake error or a 'no shared ciphers' error.

Conditions:
Using a hybrid certificate (RSA signed EC cert).

Impact:
ECDHE-ECDSA cipher does not work with hybrid certificate (RSA signed EC cert).

Workaround:
None.


435044-3 : Erroneous 'FIPS open failed' error on platforms without FIPS hardware

Component: Local Traffic Manager

Symptoms:
The following error may be logged on BIG-IP platforms which do not contain a FIPS hardware device:

date_and_time hostname err iControlPortal.cgi[30667]: Checking for FIPS card.. FIPS open failed.

Conditions:
This error occurs when the iControl get_certificate_bundle function is invoked on BIG-IP platforms that do not contain a FIPS hardware device.
The F5 Enterprise Manager product makes frequent use of the iControl get_certificate_bundle function.

Impact:
This error message does not indicate a functional problem and should be ignored.

Workaround:
None.


434517-10 : HTTP::retry doesn't work in an early server response

Component: Local Traffic Manager

Symptoms:
If a HTTP_RESPONSE event fires due to the server sending an early response (i.e. a response before the entire request has been sent), then HTTP::retry does not work correctly.

Conditions:
Client begins sending a request. The server responds before that request is completely sent. A HTTP::retry is called in the HTTP_RESPONSE event.

Impact:
HTTP::retry does not retry the request. Typically, early server responses are error conditions.

Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.


433572-3 : DTLS does not work with rfcdtls cipher on the B2250 blade

Component: Local Traffic Manager

Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.

Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using dtls on vCMP.

Impact:
DTLS does not work with rfcdtls cipher on the B2250 blade

Workaround:
None.


433323-2 : Ramcache handling of Cache-Control: no-cache directive in Response

Component: Local Traffic Manager

Symptoms:
Previously, when a Cache-Control header from the origin web server (OWS) contained a no-cache directive, RAM Cache mistakenly treated it the same as a no-store directive. The two differ: no-cache permits storing the response as long as it is revalidated with the origin before reuse, whereas no-store forbids storing it at all.

Conditions:
Configure a virtual server with HTTP caching.

Impact:
Failure to cache a cacheable document.

Workaround:
This issue has no workaround at this time.
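The no-cache versus no-store distinction above, as an added example in Python (not F5 code): a small Cache-Control parser and the store decision a cache should derive from it. The shared-versus-private handling is an added generalization beyond what the entry describes, and the function names are assumptions for the example.

```python
"""Added example, not F5 code: parse Cache-Control and decide whether a response may be
stored, keeping no-cache (store, revalidate before reuse) distinct from no-store."""
from typing import Dict, List, Optional


def _split_directives(value: str) -> List[str]:
    """Split on commas that are not inside a quoted-string argument."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Map each directive (lower-cased; names are case-insensitive per RFC 7234 5.2)
    to its argument, or None when the directive carries no argument."""
    directives: Dict[str, Optional[str]] = {}
    for part in _split_directives(value):
        name, _, arg = part.partition("=")
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]
        directives[name.strip().lower()] = arg or None
    return directives


def store_decision(cache_control: str, shared_cache: bool = True) -> str:
    """Return 'do-not-store', 'store-revalidate' or 'store'.

    no-store        never written to the cache
    no-cache        may be stored, but must be revalidated with the origin before reuse
    no-cache="f"    storable; only the listed header fields need revalidation
    private         not storable by a shared cache (a proxy's RAM cache is shared)
    """
    d = parse_cache_control(cache_control)
    if "no-store" in d:
        return "do-not-store"
    if shared_cache and "private" in d:
        return "do-not-store"
    if "no-cache" in d and d["no-cache"] is None:
        return "store-revalidate"
    return "store"
```

Treating no-cache as no-store is the safe direction (it only costs cache hits), which is why the entry's impact is a caching failure rather than serving stale content.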


433055-6 : BFD GTSM IMI shell commands don't work

Component: TMOS

Symptoms:
The BFD GTSM IMI shell commands 'bfd gtsm enable' and 'bfd gtsm disable' are disabled and have no effect.

Conditions:
This problem shows up when BFD is configured and you attempt to configure the GTSM feature of BFD.

Impact:
GTSM feature is not usable.

Workaround:
None.


431480-2 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


428864-7 : Lowering virtual server connection limit does not work when traffic is being processed

Component: Local Traffic Manager

Symptoms:
Lowering the virtual server connection limit does not work when traffic is already being processed.

Conditions:
This occurs when:
-- The virtual server has a connection limit set.
-- The virtual server is processing traffic.
-- The virtual server connection limit is reset to a lower value.

Impact:
New virtual server configuration does not use the new, lower value to limit the number of connections. It will remain this way until the connection count goes below the new threshold.

Workaround:
Change virtual server connection limit configuration when there is no traffic.


427644-3 : asm_config_server_rpc might crash during ASM policy sync

Component: Application Security Manager

Symptoms:
asm_config_server_rpc might crash during ASM policy sync. asm_config_server restarts after the core, and resumes synchronization. There is no effect on configuration or on traffic.

Conditions:
ASM sync enabled.

Impact:
asm_config_server restarts after the core, and resumes synchronization. There is no effect on configuration or on traffic.

Workaround:
None.


426274-2 : Firewall ACL Schedules may not work when configured with a daily schedule that starts before the specified start date and time

Component: Advanced Firewall Manager

Symptoms:
If the daily window for a rule starts before the start date and time specified in the schedule, the rule is never scheduled. For example, assume the current time is 2013-07-26 16:20:00. If you specify the following schedule and associate it with a rule, the rule will not get scheduled at all:
tmsh modify security firewall schedule sched1 { date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }

Conditions:
The daily-hour-start needs to be configured to occur before the date-valid-start.

Impact:
The scheduled rule will not become active when configured in this manner.

Workaround:
As a workaround, make sure that date-valid-start falls no later than the first daily-hour-start the scheduler will consider (the next occurrence of daily-hour-start from the current time). A working example, assuming the current time is 2013-07-26 16:20:00, configures date-valid-start to be the previous day:
tmsh modify security firewall schedule sched1 { date-valid-start 2013-07-25:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }
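A pre-flight check for this condition, as an added example in Python (not F5 code): given the current time and the schedule values as they appear in the tmsh command, compute the first daily window the scheduler will consider and report whether it starts before date-valid-start. The model of how the first window is chosen is an assumption derived from the two examples above, and the function names are assumptions for the example.

```python
"""Added example, not F5 code: detect a firewall schedule whose first daily window
starts before date-valid-start, which 426274-2 says never activates."""
from datetime import datetime, time, timedelta
from typing import Tuple

TMSH_DATETIME = "%Y-%m-%d:%H:%M:%S"   # format of date-valid-start/-end, e.g. 2013-07-26:16:24:00


def _parse_hhmm(value: str) -> time:
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


def next_daily_window_start(now: datetime, daily_start: time, daily_end: time) -> datetime:
    """Start of the first daily window that is still open at or after `now`.
    Windows that cross midnight are outside the scope of this example."""
    today_start = datetime.combine(now.date(), daily_start)
    today_end = datetime.combine(now.date(), daily_end)
    if now <= today_end:
        return today_start
    return today_start + timedelta(days=1)


def check_schedule(now: datetime, date_valid_start: datetime, date_valid_end: datetime,
                   daily_hour_start: time, daily_hour_end: time) -> Tuple[bool, str]:
    """Return (will_activate, reason)."""
    first = next_daily_window_start(now, daily_hour_start, daily_hour_end)
    if first < date_valid_start:
        return False, (f"first daily window starts at {first}, before date-valid-start "
                       f"{date_valid_start}; move date-valid-start to {first} or earlier")
    if first > date_valid_end:
        return False, f"first daily window starts at {first}, after date-valid-end {date_valid_end}"
    return True, f"rule becomes active at {first}"


def check_tmsh_schedule(now: str, date_valid_start: str, date_valid_end: str,
                        daily_hour_start: str, daily_hour_end: str) -> Tuple[bool, str]:
    """Same check, taking the values exactly as typed in the tmsh command."""
    return check_schedule(
        datetime.strptime(now, TMSH_DATETIME),
        datetime.strptime(date_valid_start, TMSH_DATETIME),
        datetime.strptime(date_valid_end, TMSH_DATETIME),
        _parse_hhmm(daily_hour_start),
        _parse_hhmm(daily_hour_end),
    )
```

Run the check against the failing and the working example from the entry: the first reports the 16:23 window as earlier than the 16:24 start, the second passes because date-valid-start has moved back a day.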


425331-2 : On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID

Component: TMOS

Symptoms:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports the ID of the Chassis.
This differs from the behavior on VIPRION 4xxx-series platforms, where the SNMP sysObjectID OID reports the ID of the Blade.

Conditions:
This occurs on VIPRION 2xxx-series platforms:
- C2xxx-series chassis
- B2xxx-series blades

Impact:
SNMP queries to identify the System ID of VIPRION platforms will identify different classes of hardware component on VIPRION 2xxx-series vs. 4xxx-series platforms.


424542-3 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments

Component: TMOS

Symptoms:
tmsh modify net interface commands with either an invalid interface name or an invalid attribute name appear to create new interfaces.
The invalid interface shows up in 'tmsh show net interface'.

Conditions:
Only happens on clustered or virtual environments, not on appliances.

Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.

Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"


424228-3 : Parking iRules in CLIENT_DATA on virtual without assigned pool may not return

Component: Local Traffic Manager

Symptoms:
If a virtual server is created without an assigned pool (i.e. the pool is assigned in the iRule) and the iRule parks, the iRule may not return from suspension and the packet will be dropped.

Conditions:
A virtual server is created and an iRule is assigned that parks, and the virtual server has no assigned default pool.

Impact:
Packets are dropped.

Workaround:
Either use the CLIENT_ACCEPTED event for UDP data or assign a default pool.


423928-2 : syslog messages over 8 KB in length cause logstatd to exit

Component: TMOS

Symptoms:
Creating a syslog longer than 8 KB in length might cause logstatd to issue an exception and exit.

Conditions:
This occurs when the system processes a syslog message that is longer than 8 KB.

Impact:
logstatd exits and posts a message similar to the following: localhost emerg logger: Re-starting logstatd.

Workaround:
Limit syslog messages to 8 KB (8192 bytes) by adding a syslog-ng include similar to the following to the sys syslog configuration in bigip_base.conf:
sys syslog {
    include "options { ... log_msg_size(8192); };"
}


423629-4 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted

Component: Local Traffic Manager

Symptoms:
bigd restarts once, and afterwards, subsequent pings from the monitor fails.

Conditions:
This can occur when assigning an ICMP monitor to a pool member, specifying a route domain that does not exist.

Impact:
For bigd, a single restart is harmless. The invalid configuration causes monitor failures: because the route domain no longer exists, the pool member is marked down.


423392-5 : tcl_platform is no longer in the static:: namespace

Component: Local Traffic Manager

Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.

Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.

Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.

Workaround:
To map tcl_platform into the static namespace in an iRule, use the following:
when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }
Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.


418509 : Stream filter cannot match literal (

Component: Local Traffic Manager

Symptoms:
It is not possible to match a literal ( (open parenthesis) in the stream filter.

Conditions:
Stream filter enabled.
Stream expression includes a ( not intended as the opening of a regex group.

Impact:
Unable to directly match expression that contains a literal (.

Workaround:
Use octal character encoding to resolve stream filter conflicts, as shown in this example:
   ( = \050
   ) = \051
so instead of the expression:
    function\(param1\),
use the expression:
    function\050param1\051.
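The octal-escape workaround above, as an added example in Python (not F5 code): a helper that rewrites literal parentheses in the search text as \050 and \051 and builds the @-delimited find/replace expression, plus a self-check with Python's re module showing that the unescaped pattern matches text with no parentheses at all (the group interpretation) while the escaped one matches only the literal. The self-check uses Python's regex engine, not the BIG-IP stream filter's; the delimiter form and the function names are assumptions for the example.

```python
"""Added example, not F5 code: octal-escape ( and ) for a stream-filter expression and
show why the unescaped form does not match the literal text."""
import re

_OCTAL_PAREN = {"(": r"\050", ")": r"\051"}


def escape_parens_octal(literal: str) -> str:
    """Replace each ( and ) in `literal` with its three-digit octal escape."""
    return "".join(_OCTAL_PAREN.get(ch, ch) for ch in literal)


def build_stream_expression(find: str, replace: str, delimiter: str = "@") -> str:
    """Return '<delim>find<delim>replace<delim>' with parentheses in `find` octal-escaped.
    Only the search side is a regex; the replacement is literal, so it is left as is.
    The delimiter must not occur on either side."""
    if delimiter in find or delimiter in replace:
        raise ValueError(f"delimiter {delimiter!r} occurs in the expression text")
    return f"{delimiter}{escape_parens_octal(find)}{delimiter}{replace}{delimiter}"


def escaped_pattern_matches(find: str, payload: str) -> bool:
    """Does the octal-escaped pattern match the literal `find` text in `payload`?
    (Other regex metacharacters in `find` are not escaped by this example.)"""
    return re.search(escape_parens_octal(find), payload) is not None


def unescaped_pattern_matches(find: str, payload: str) -> bool:
    """Does `find` used verbatim as a regex match `payload`? With unescaped
    parentheses the regex engine treats them as a group, not as characters."""
    return re.search(find, payload) is not None
```

The unescaped pattern "function(param1)" happily matches "functionparam1", which is exactly the wrong-match behaviour the entry describes; the \050/\051 form requires the actual parentheses.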


418349-1 : Update/overwrite of FIPS keys error

Component: TMOS

Symptoms:
After deleting and re-creating a FIPS key, sync to other devices fails and /var/log/ltm gives the following error:

crit tmm[10817]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 78 status: 0x40000116 : ERR_HSM_ERROR

Note that this error is logged on any FIPS-related error; it might be this issue if you were attempting to replace FIPS keys with an identical name on devices in a device group.

Conditions:
This can occur on FIPS-enabled devices in a device group when a FIPS key is deleted and an identically-named FIPS key is added.

Impact:
Sync of the FIPS key fails.

Workaround:
If you are encountering this, you can do the following workaround.

Impact of workaround: this should have no negative impact to the system since your objective is to replace the FIPS keys.

- Detach all keys/certs from all SSL profiles and delete all keys via script on the standby system.
- Run 'tmsh show sys crypto fips' and verify that all keys have been deleted.
- Run a configsync with override and verify that the sync has been carried out successfully.


417720-1 : BIG-IP LTM Log Indicates Chassis Power Turned Off During Fan Speed Failures

Component: TMOS

Symptoms:
If a power supply fan unit becomes jammed or experiences a failure that prevents the minimum RPM threshold from being met, the LTM log erroneously indicates that the power supply has been turned off. For example:

localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(73-610-125): Bad

localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power supply #2 fan-1: Bad

localhost warning chmand[8482]: 012a0018:4: Chassis power module 2 turned off.

Conditions:
Any kind of power supply fan failure that prevents the unit from achieving the minimum spec. for RPMs.

Impact:
Misleading log message.

Workaround:
None.


412036 : DHCP broadcast traffic will create a session if was processed on a PEM enabled UDP virtual

Component: Policy Enforcement Manager

Symptoms:
If a PEM-enabled UDP virtual server (that is, a virtual server that has an SPM profile) receives DHCP broadcast traffic, SPM creates a subscriber session for address 0.0.0.0.

Conditions:
PEM enabled UDP virtual
DHCP broadcast traffic on the network the virtual is listening on
No virtual servers configured to handle the DHCP traffic

Impact:
Extra subscriber sessions are created that should not be.

Workaround:
Create a DHCP virtual that has subscriber discovery turned on. The subscriber discovery can be turned on via the DHCPv4 profile that is attached to the virtual.

This way any DHCP broadcasting traffic should be handled by this virtual.


403781 : Web UI: Error when accessing PEM->Policy page by a non-admin(operator/firewall manager) user.

Component: Policy Enforcement Manager

Symptoms:
A non-admin user (operator or firewall manager) cannot access PEM GUI pages, and the error that is shown is not meaningful to the user.

Conditions:
A non-admin user (operator or firewall manager) tries to access PEM GUI pages.

Impact:
A non-admin user (operator or firewall manager) cannot access or configure PEM options from the GUI.

Workaround:
None. Operators and firewall managers do not have a meaningful role in PEM.


402414-1 : Configured flow control not applied to Copper SFPs

Component: TMOS

Symptoms:
On affected platforms, flow control configured for an external interface is not applied if the interface is populated with a Copper SFP.

The 'tmsh list net interface' command may show the 'Flow Control' setting for the interface as the configured value (such as 'tx-rx').
However, the 'tmsh show net interface' command may show the 'Flow Control' setting for the interface as 'none', and the remote node connected to the interface in question may show no flow control on the connection.

Conditions:
This may occur with interfaces populated with Copper SFPs on the following BIG-IP and VIPRION platforms:
-- BIG-IP 10000-/12000-series appliances
-- VIPRION B4300-series blades
-- VIPRION B2250 blades

Impact:
No flow control as configured on affected interfaces.

Workaround:
To work around this issue:
1. Set flow control to none for the affected interfaces.
2. Set flow control to the desired value for the affected interfaces.


399732-1 : SAML Error: Invalid request received from remote client is too big

Component: Access Policy Manager

Symptoms:
Some SAML deployments produce SAML Assertions or SAML Authentication Requests in POST data that are larger than 64 KB.

When this occurs, an error message will be produced in the APM log:
"Invalid request received from remote client is too big."

Conditions:
When a BIG-IP system acts as a SAML service provider, it supports only assertions of 64 KB or less. Also, when a BIG-IP system acts as a SAML IdP, it supports only authentication requests of 64 KB or less.

Impact:
SAML cannot be used in BIG-IP as IdP or BIG-IP as SP with deployments that cause large POST data from clients.

Workaround:
No workaround possible.


396273-3 : Error message in dmesg and kern.log: vpd r/w failed

Component: TMOS

Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.

Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.

Impact:
This is a benign firmware message, and you can safely ignore it.

Workaround:
There is no workaround, but this is not a functional issue.


393270-2 : Configuration utility may become non-responsive or fail to load.

Component: TMOS

Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Unable to log into the GUI or GUI shows blank page

Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.


385243-1 : HSL::open irule causes Virtual Server to go green

Component: Local Traffic Manager

Symptoms:
An iRule configured with HSL::open will cause the virtual server to which it's attached to be marked as green (up), even if there are no available pool members.

Conditions:
iRule attached to a virtual server that contains HSL::open as the first command

Impact:
Connections are reset if the pool contains no members.

Workaround:
In your iRule, instead of configuring HSL::open like the following:

when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool My_HSL_Pool]
}

set the pool name in a variable before calling HSL::open:

when CLIENT_ACCEPTED {
    set mypool My_HSL_Pool
    set hsl [HSL::open -proto UDP -pool $mypool]
}

The pool's status will then be properly propagated to the virtual server status.


384995-4 : Management IP changes are not synced to the device group.

Component: TMOS

Symptoms:
A device group shows a device as offline when it was previously working, and the device's management IP address has recently changed.

Conditions:
When the management IP is changed on a device in a trust domain, it is not updated in the device group even though its config sync IP is a SelfIP and config sync continues to work. Other devices show it offline under Device Management :: Devices.

Impact:
Incorrect device status displayed when looking at the device group.

Workaround:
To resolve this, the device that changed must be discovered from a device that is not changed.

Note: If you attempt to discover a device that is not changed from the device that is changed, the operation loses the hostname and other configuration objects.


382363 : min-up-members and using gateway-failsafe-device on the same pool.

Component: TMOS

Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.

Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.

Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.

Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.


378967-1 : Users are not synchronized if created in a partition

Component: TMOS

Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.

Conditions:
There are users whose active partitions are attached to a sync-only device group.

Impact:
This affects sync-only device groups only, not the failover device group.

Workaround:
None.


375434-4 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization. This occurs after the BIG-IP is rebooted, which is automatically triggered when this condition occurs.

Workaround:
None.


374067-4 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

Component: Local Traffic Manager

Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.

Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.

Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.

Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.


373949-4 : Network failover without a management address causes active-active after unit1 reboot

Component: TMOS

Symptoms:
A device in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
If a Device Service Cluster is configured with only self-IPs for unicast network failover communication, or if the management network between the peers is unavailable, the device may not detect that the peer is active when it is starting up. When using only self-IPs, communication with the peers is disrupted while the TMM is starting up.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network, reduces the possibility of this problem.


372332 : Unnecessary buffering of client-side egress in some circumstances.

Component: Local Traffic Manager

Symptoms:
BIG-IP can perform unnecessary buffering of client-side egress in some circumstances. This can cause a tmm crash on out of memory. Analysis of the core by support indicates that the system has run out of memory.

Conditions:
It is not known what triggers this event to occur but it has been observed when modules like APM and ASM are enabled.

Impact:
Traffic disrupted while tmm restarts.


370131-2 : Loading UCS with low GTM Autoconf Delay drops pool Members from config

Component: Global Traffic Manager

Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.

Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.

Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.

Workaround:
Run 'bigstart stop gtmd' during the UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.


369407-1 : Access policy objects are created inconsistently depending on whether created using wizard or manually.

Component: Access Policy Manager

Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.

Conditions:
This is evident when viewing the label following completion of the NA wizard.

Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.

Workaround:
None.


369352-10 : No verification prompt when executing 'load sys config default' for resource administrator role

Component: TMOS

Symptoms:
When logged in as a resource administrator "load sys config default", which restores the configuration to factory defaults, doesn't prompt for verification as it should. If you execute the command from a normal administrator role you do get a prompt.

Conditions:
Log in as a resource administrator.
Run "load sys config default".
The restore begins without a verification prompt.

Impact:
System restore initiated without prompt when run as a resource administrator.

Workaround:
None.


368824-3 : There is no indication that a failed standby cannot go active.

Component: TMOS

Symptoms:
There is no indication that a failed standby cannot go active.

One example is if pool-min-up-members fails. In this case the device will go standby and since this condition may persist, it will not be able to go active.

Conditions:
When a standby fails, there is no indication that it cannot go active.

Impact:
It is not apparent that the standby cannot go active.

Workaround:
None.


367226-1 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of RIP packets sent by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
Multiple TMM instances, RIP routing configured.

Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.


366695-7 : Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Component: Global Traffic Manager (DNS)

Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.

Conditions:
A user with the "Manager" role attempts to create/modify/delete a GTM datacenter, link, server, prober-pool, or topology object.

Impact:
Error message thrown

Workaround:
The error thrown is correct, but users with this role shouldn't be able to get this far in tmsh.


366605-1 : response_log_size_limit does not limit the log size.

Component: Application Security Manager

Symptoms:
The internal parameter response_log_size_limit does not limit the log size.

Conditions:
The internal parameter response_log_size_limit is configured.

Impact:
Response log size limit is not applied.

Workaround:
None.


359071-10 : The empty origin-realm in the Diameter request won't be accepted by LTM.

Component: Service Provider

Symptoms:
The empty origin-realm in the Diameter request will cause our Diameter process to reset the connection and log the error message in the /var/log/ltm.

Conditions:
Send the Diameter request with empty origin-realm. Note that this kind of request is not RFC 6733 compliant.

Impact:
The connection will be reset.


352957-1 : Route lookup after change in route table on established flow ignores pool members

Component: Local Traffic Manager

Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.

Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.

Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.

Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.


345358-2 : OneConnect Transforms do not recognize Connection header if it contains extra Header tokens.

Component: Local Traffic Manager

Symptoms:
OneConnect Transforms do not recognize Connection header if it contains extra Header tokens.

Conditions:
This can occur if the HTTP header contains a Connection header with multiple tokens, for example "Connection: TE, Close", and the http profile and OneConnect profile is in use.

Impact:
The Connection header is changed when it is passed to the server. Instead of passing "Connection: Close", it will pass "X-Cnection: Close".


337934-1 : remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly

Component: TMOS

Symptoms:
The remoterole configurations in which one of the attributes ends in 'role' will have that attribute truncated. Also this could happen with an attribute that ends in 'deny' and has a deny directive.

Conditions:
remoterole attributes ending in 'role'. May also happen with attributes ending in 'deny'.

Impact:
Parsing truncates attributes.

Workaround:
Do not use remoterole configurations in which one of the attributes ends in 'role', or one in which an attribute ends in 'deny' and has a deny directive.


333340 : The bigd process is not compatible with IPv6 link-local unicast addresses

Component: Local Traffic Manager

Symptoms:
Monitors that are monitoring pool members using the IPv6 link local address are marked down.

Conditions:
This occurs when pointing the monitor at the pool member's link local IPv6 address (FE80::/10 prefix).

Impact:
The monitor fails to connect to the pool member, so the pool member will never be marked up.

Workaround:
You can avoid this issue by not configuring nodes or pool members using IPv6 link-local unicast addresses; instead use IPv6 global unicast addresses or IPv6 unique local unicast addresses.


246726-4 : System continues to process virtual server traffic after disabling virtual address

Component: Local Traffic Manager

Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.

Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.

Impact:
Traffic is still processed.

Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940


225634-5 : The rate class feature does not honor the Burst Size setting.

Component: Local Traffic Manager

Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).

The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.

Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.

Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.

Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:

Log in to the Configuration utility.
Click Network.
Click Rate Shaping.
Click the appropriate rate class.
Change the Burst Size to 0.
Click Update.

Impact of workaround: None.


222690 : The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.

Component: Local Traffic Manager

Symptoms:
The persist none iRule command disables persistence for the current connection. If cookie persistence is enabled for a virtual server referencing an iRule, and the LB::reselect command is called after the persist none iRule command, cookie persistence is not disabled for the connection.

Conditions:
For example, the following configuration illustrates the issue:

pool default_pool {
member 10.10.10.4:80 down session disable
}
pool fail_pool {
member 10.10.10.5:80
}
rule fail_rule {
when LB_FAILED {
persist none
LB::reselect pool fail_pool
}
}
virtual vs {
destination 10.10.10.6:80
ip protocol tcp
profile http tcp
persist cookie
pool default_pool
rule fail_rule
}

Impact:
In the example, the initial load balancing attempt to the default_pool pool will fail, since sessions are disabled for the pool member. The LB_FAILED iRule event will execute, which sets the persistence to none. In addition, the LB::reselect command will load balance the connection to the fail_pool pool. The connection to the pool member 10.10.10.5 will succeed, but the BIG-IP LTM will incorrectly place a persistence cookie in the response to the client.

Workaround:
You may be able to work around this issue by using the HTTP::cookie command in the HTTP_RESPONSE event to remove the BIG-IP cookie from the response before it is sent to the client.

For example, the following revised iRule removes the BIG-IP persistence cookie that would be set in the response when the fail_pool was selected:

rule fail_rule_no_cookie_for_you {
when LB_FAILED {
persist none
LB::reselect pool fail_pool
}
when HTTP_RESPONSE {
HTTP::cookie remove BIGipServerfail_pool
}
}

Note: The HTTP_RESPONSE event is triggered after the BIG-IP LTM has added the persistence cookie to the HTTP headers.

Note: The default persistence cookie name is derived from the name of the pool to which the request was sent. For more information about the BIG-IP persistence cookie, refer to SOL6917: Overview of BIG-IP persistence cookie encoding.

The workaround has the added benefit of preserving any persistence information for the original load balancing pool should it again become available. If you want to completely remove the persistence cookie from the client, you can use the HTTP::cookie command in the HTTP_RESPONSE event to set an expired version of the BIG-IP cookie in the response before it is sent to the client.


222409-1 : The HTTP::path iRule command may return more information than expected

Component: Local Traffic Manager

Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.

The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:

GET /dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the resource URI is /dir1/dir2/file.ext, and the protocol version is HTTP/1.1.

Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:

GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the resource URI is http://www.example.org:80/dir1/dir2/file.ext, and the protocol version is HTTP/1.1.

Impact:
The HTTP::path iRule command should return the following path value for both requests:

/dir1/dir2/file.ext

However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:

http://www.example.org:80/dir1/dir2/file.ext

Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.

Note: For more information about the HTTP::path iRule command, refer to HTTP::path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.

Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:

when HTTP_REQUEST {
log local0. "Path: [URI::path [HTTP::path]]"
}
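The distinction between origin-form and absolute-form request-targets described above matters for any policy that compares the path (for example a prefix match on a protected directory): a check applied to the raw request-target, as HTTP::path returns it under this issue, does not see the same value as one applied to the path element that URI::path extracts. The following is an added Python example, not F5 code and not an iRule; the request lines are constructed, and the function names (parse_request_line, path_of, prefix_rule_matches) are assumptions for illustration. It goes slightly beyond the issue text by also handling asterisk-form and authority-form request-targets.

```python
"""Normalise HTTP/1.x request-targets to their path element.

Added example, not F5 code: shows the difference between comparing the
raw request-target (what HTTP::path returns under issue 222409-1) and
comparing the path element only (what URI::path gives back).
"""
from urllib.parse import urlsplit

# Constructed sample request lines (not captured traffic): the two
# forms quoted in the issue above, both requesting the same resource.
SAMPLE_REQUEST_LINES = [
    "GET /dir1/dir2/file.ext HTTP/1.1",
    "GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1",
]


def parse_request_line(line):
    """Split an HTTP/1.x request line into (method, request-target, version)."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1], parts[2]


def path_of(target):
    """Return only the path element of a request-target.

    Handles origin-form ("/dir/file"), absolute-form
    ("http://host:port/dir/file") and asterisk-form ("*"); query strings
    are dropped.  authority-form (CONNECT host:port) carries no path and
    raises ValueError instead of returning something path-like.
    """
    if target == "*":
        return "*"
    if target.startswith("/"):
        return target.split("?", 1)[0]
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # An absolute-form target with an empty path means "/".
        return parts.path or "/"
    raise ValueError("request-target has no path component: %r" % target)


def paths_for(lines):
    """Map each request line to its normalised path."""
    return [path_of(parse_request_line(line)[1]) for line in lines]


def prefix_rule_matches(prefix, target, normalise=True):
    """Emulate a path-prefix rule applied to a request-target.

    normalise=False applies the prefix to the raw request-target, which is
    what an iRule comparing against HTTP::path sees under this issue;
    normalise=True applies it to the path element only, as URI::path does.
    """
    value = path_of(target) if normalise else target
    return value.startswith(prefix)


if __name__ == "__main__":
    for line, path in zip(SAMPLE_REQUEST_LINES, paths_for(SAMPLE_REQUEST_LINES)):
        print("%-60s -> %s" % (line, path))
```

Both sample lines normalise to /dir1/dir2/file.ext; only the absolute-form line fails a raw prefix comparison, which is the mismatch the URI::path workaround removes.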


222034-7 : HTTP::respond in LB_FAILED with large header/body might result in truncated response

Component: Local Traffic Manager

Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.

Conditions:
This issue occurs when all of the following conditions are met: -- HTTP::respond is used in the LB_FAILED event to return a large response. -- No other TCP data has been sent to the client.

Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.

Workaround:
To work around this issue, modify the iRule. For example, instead of directly using HTTP::respond inside an LB_FAILED event, perform a 302 redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Fri May 12 11:55:14 2017 PDT
Copyright F5 Networks (2017) - All Rights Reserved