Applies To:
BIG-IP AAM
- 11.6.1
BIG-IP APM
- 11.6.1
BIG-IP GTM
- 11.6.1
BIG-IP Link Controller
- 11.6.1
BIG-IP Analytics
- 11.6.1
BIG-IP LTM
- 11.6.1
BIG-IP AFM
- 11.6.1
BIG-IP PEM
- 11.6.1
BIG-IP ASM
- 11.6.1
BIG-IP Hotfix Release Information
Version: BIGIP-11.6.1
Build: 338.0
Hotfix Rollup: 2
Cumulative fixes from BIG-IP v11.6.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.6.1 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 8 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.6.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
631582-4 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
624570-3 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
612128 | CVE-2016-6515 | K31510510 | OpenSSH vulnerability CVE-2016-6515 |
611469-2 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
597394-1 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
596340-3 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
591329-2 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K36488941 | CVE-2016-2108 fixed in Oracle Access Manager library used by BIG-IP APM |
588496-3 | CVE-2009-3555 | K10737 | SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541 |
586131-3 | CVE-2014-3566 | K15702 | SSLv3 vulnerability CVE-2014-3566 |
635412-2 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
618261-3 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
604442-1 | CVE-2016-6249 | K12685114 | iControl log |
597023-4 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
594496-3 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
520924-4 | CVE-2016-5020 | K00265182 | Restricted roles for custom monitor creation |
475743-4 | CVE-2017-6128 | K92140924 | Improve administrative login efficiency |
635933-1 | CVE-2004-0790 | K23440942 K13361021 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
600198-4 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
599285-4 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
597010-4 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
596997-4 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
591767-3 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
573343-3 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
Functional Change Fixes
ID Number | Severity | Description |
620712-1 | 3-Major | Added better search capabilities on the Pool Members Manage & Pool Create page. |
599536-2 | 3-Major | IPsec peer with wildcard selector brings up wrong phase2 SAs |
581840 | 3-Major | Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ. |
564876-1 | 3-Major | New DB variable log.lsn.comma changes CGNAT logs to CSV format |
561348-4 | 3-Major | krb5.conf file is not synchronized between blades and not backed up |
541549-4 | 3-Major | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
530109-5 | 3-Major | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
454492-1 | 3-Major | Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures |
451433-7 | 3-Major | HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe) |
609084-1 | 4-Minor | Max number of chunks not configurable above 1000 chunks |
591733-2 | 4-Minor | Save on Auto-Sync is missing from the configuration utility. |
TMOS Fixes
ID Number | Severity | Description |
624457-3 | 1-Blocking | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
624263-3 | 2-Critical | iControl REST API sets a profile's non-default property value to "none"; properties missing from the iControl REST API response |
624245 | 2-Critical | Hung tasks leading to system problems and lack of management access via ssh/GUI |
616864-3 | 2-Critical | BIND vulnerability CVE-2016-2776 |
614865-2 | 2-Critical | Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors. |
613536-2 | 2-Critical | tmm core while running the iRule STATS:: command |
605476-2 | 2-Critical | istatsd can core when reading corrupt stats files. |
601527-3 | 2-Critical | mcpd memory leak and core |
591104-3 | 2-Critical | ospfd cores due to an incorrect debug statement. |
587698-2 | 2-Critical | bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured |
583516-3 | 2-Critical | TMM asserts "valid node" on the Active unit after a timer fires |
574055-3 | 2-Critical | TMM crash after changing raccoon log level |
570881-4 | 2-Critical | IPsec configuration mismatch in IKEv2 causes TMM crash in isakmp_parse_proposal () |
570663-3 | 2-Critical | Using iControl get_certificate_bundle_v2 causes a memory leak |
570419-2 | 2-Critical | Use of session DB on multi-process appliances and blades may core. |
567457-3 | 2-Critical | TMM may crash when changing the IKE peer config. |
460833-1 | 2-Critical | MCPD sync errors and restart after multiple modifications to file object in chassis |
457252-1 | 2-Critical | tmm crash when using sip_info persistence without a sip profile |
440752-1 | 2-Critical | qkview might loop writing output file if MCPD fails during execution |
355806-3 | 2-Critical | Starting mcpd manually at the command line interferes with running mcpd |
623401-4 | 3-Major | Intermittent OCSP request failures due to non-optimal default TCP profile setting |
621417-1 | 3-Major | sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS. |
621242 | 3-Major | Reserve enough space in the image for future upgrades. |
616242-2 | 3-Major | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
615934-2 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. |
609119-5 | 3-Major | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: |
608320-4 | 3-Major | iControl REST API sets a persistence profile's non-default property value to "none"; properties missing from the iControl REST API response |
604931-1 | 3-Major | bgpd might core on restarting process with BGP debug enabled. |
603149-1 | 3-Major | Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy |
601502-1 | 3-Major | Excessive OCSP traffic |
600558-3 | 3-Major | Errors logged after deleting user in GUI |
597729-1 | 3-Major | Errors logged after deleting user in GUI |
597601-4 | 3-Major | Improvement for a previous issue regressed NAT-T |
596814-3 | 3-Major | HA Failover fails in certain valid AWS configurations |
592870-3 | 3-Major | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
591455-2 | 3-Major | NTP vulnerability CVE-2016-2516 |
590904-5 | 3-Major | New HA Pair created using serial cable failover only will remain Active/Active |
586878-2 | 3-Major | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ |
585485-4 | 3-Major | Interoperability of "delete IPSEC-SA" between Azure, ASA and BIG-IP |
583285-7 | 3-Major | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
577440-1 | 3-Major | audit logs may show connection to hagel.mnet |
571344-3 | 3-Major | SSL Certificate with special characters might cause exception when GUI retrieves items list page.★ |
566507-2 | 3-Major | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment |
560510-6 | 3-Major | Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down. |
557059-2 | 3-Major | When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang |
543208 | 3-Major | Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.★ |
534021-5 | 3-Major | HA on AWS uses default AWS endpoint (EC2_URL). |
533813-3 | 3-Major | Internal Virtual Server in partition fails to load from saved config |
528498-5 | 3-Major | Recently-manufactured hardware may not be identified with the correct model name and SNMP OID |
523642-5 | 3-Major | Power Supply status reported incorrectly after LBH reset |
523527-6 | 3-Major | Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.★ |
516540-3 | 3-Major | devmgmtd file object leak |
509400-1 | 3-Major | vCMP VIPRION: internal flooded unicast packets with multi-slot trunks impact performance |
502714-4 | 3-Major | Deleting files and file object references in a single transaction might cause validation errors |
481089-7 | 3-Major | Request group incorrectly deleted prior to being processed |
479660-2 | 3-Major | tmm crash in ipsec when ipsec-policy and ike-peer do not match. |
460176-4 | 3-Major | Hardwired failover asserts active even when standalone |
400456-3 | 3-Major | HTTP monitors with long send or receive strings may not save or update |
339825-3 | 3-Major | Management.KeyCertificate.install_certificate_from_file failing silently |
598498-4 | 4-Minor | Cannot remove Self IP when an unrelated static ARP entry exists. |
591447-3 | 4-Minor | PHP vulnerability CVE-2016-4070 |
585097-3 | 4-Minor | Traffic Group score formula does not result in unique values. |
581835-3 | 4-Minor | Command failing: tmsh show ltm virtual vs_name detail. |
551208-1 | 4-Minor | Nokia alarms are not deleted due to the outdated alert_nokia.conf. |
542347-1 | 4-Minor | Denied message in audit log on first time boot |
541320-6 | 4-Minor | Sync of tunnels might cause restore of deleted tunnels. |
535544-5 | 4-Minor | Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled |
477700-1 | 4-Minor | Detail missing from power supply 'Bad' status log messages |
470627-2 | 5-Cosmetic | Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE |
442231-2 | 5-Cosmetic | Pendsect log entries have an unexpected severity |
Local Traffic Manager Fixes
ID Number | Severity | Description |
622166 | 2-Critical | HTTP GET requests with HTTP::cookie iRule command receive no response |
619528-2 | 2-Critical | TMM may accumulate internal events resulting in TMM restart |
616215-2 | 2-Critical | TMM can core when using LB::detach and TCP::notify commands in an iRule |
613088-1 | 2-Critical | pkcs11d thread has session initialization problem. |
612229-2 | 2-Critical | TMM may crash if an LTM Policy 'disable' action is not the last action in the rule |
607360-2 | 2-Critical | Safenet 6.2 library missing after upgrade★ |
605865-2 | 2-Critical | Debug TMM produces core on certain ICMP PMTUD packets |
603082-2 | 2-Critical | Ephemeral pool members are getting deleted/created over and over again. |
603032-2 | 2-Critical | clientssl profiles with sni-default enabled may leak X509 objects |
597966 | 2-Critical | ARP/neighbor cache nexthop object can be freed while still referenced by another structure |
588351-2 | 2-Critical | IPv6 fragments are dropped when packet filtering is enabled. |
580026-3 | 2-Critical | HSM logging error |
574153-2 | 2-Critical | If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout. |
526367-3 | 2-Critical | tmm crash |
509646-7 | 2-Critical | Occasional connections reset when using persistence |
480009-2 | 2-Critical | OSPFv2 Redistributed routes are deleted after blade failover with Graceful Restart |
624616-3 | 3-Major | Safenet uninstall is unable to remove libgem.so |
618517-2 | 3-Major | bigd may falsely complain of a file descriptor leak when it cannot open its debug log file |
617862-1 | 3-Major | Fastl4 handshake timeout is absolute instead of relative |
617858-1 | 3-Major | bigd core when using Tcl monitors |
617824-2 | 3-Major | "SSL::disable/enable serverside" + oneconnect reuse is broken |
613673-1 | 3-Major | Pool members may not be marked up and/or there might be a slight delay in monitors |
610609-1 | 3-Major | Total connections in bigtop, SNMP are incorrect |
610429-3 | 3-Major | X509::cert_fields iRule command may leak memory with the subpubkey argument |
607304-2 | 3-Major | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. |
606575-3 | 3-Major | Request-oriented OneConnect load balancing ends when the server returns an error status code. |
604977-3 | 3-Major | Wrong alert when DTLS cookie size is 32 |
603606 | 3-Major | tmm core |
603236-2 | 3-Major | 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware |
602366-2 | 3-Major | Safenet 6.2 HA performance |
602358-2 | 3-Major | BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version |
601496-1 | 3-Major | iRules and OCSP Stapling |
601178-3 | 3-Major | HTTP cookie persistence 'preferred' encryption |
600827-5 | 3-Major | Stuck nitrox crypto queue can erroneously be reported |
600593-4 | 3-Major | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests |
598874-3 | 3-Major | GTM Resolver sends FIN after SYN retransmission timeout |
595275-2 | 3-Major | Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN |
594642-1 | 3-Major | Stream filter may require large allocations by Tcl leading TMM to core on allocation failure. |
592871-2 | 3-Major | Cavium Nitrox PX/III stuck queue diagnostics missing. |
592497-2 | 3-Major | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. |
591789-1 | 3-Major | IPv4 fragments are dropped when packet filtering is enabled. |
591659-3 | 3-Major | Server shutdown is propagated to client after X-Cnection: close transformation. |
591476-8 | 3-Major | Stuck crypto queue can erroneously be reported |
591343-2 | 3-Major | SSL::sessionid output is not consistent with the sessionid field of ServerHello message. |
588115-3 | 3-Major | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw |
586738-2 | 3-Major | The tmm might crash with a segfault. |
584029-2 | 3-Major | Fragmented packets may cause tmm to core under heavy load |
578971-1 | 3-Major | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed |
576224-1 | 3-Major | NetHSM does not come back after TCP connection to device is reset |
573402-2 | 3-Major | "C_GetAttributeValue error" with netHSM |
572281-2 | 3-Major | Variable value in the nesting script of foreach command get reset when there is parking command in the script |
571573-2 | 3-Major | Persistence may override node/pool member connection limit |
570057-3 | 3-Major | Cannot install more than 16 SafeNet HSMs in an HA group |
569642-4 | 3-Major | Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core |
569288-2 | 3-Major | Different LACP key may be used in different blades in a chassis system causing trunking failures |
569206-2 | 3-Major | After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades. |
568743-3 | 3-Major | TMM core when dnssec queries to dns-express zone exceed nethsm capacity |
568543-3 | 3-Major | Syncookie mode is activated on wildcard virtuals |
567862-1 | 3-Major | intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance |
565799-2 | 3-Major | CPU Usage increases when using masquerade addresses |
563227-3 | 3-Major | When a pool member goes down, persistence entries may vary among tmms |
557358-1 | 3-Major | TMM SIGSEGV and crash when memory allocation fails. |
556117-2 | 3-Major | client-ssl profile is case-sensitive when checking server_name extension |
555432-1 | 3-Major | Large configuration files may go missing on secondary blades |
550669-1 | 3-Major | Monitors stop working - throttling monitor instance probe because file descriptor limit 65436 reached |
549329-1 | 3-Major | L7 mirrored ACK from standby to active box can cause tmm core on active |
545450-3 | 3-Major | Log activation/deactivation of TM.TCPMemoryPressure |
541126-4 | 3-Major | Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed |
537553-6 | 3-Major | tmm might crash after modifying virtual server SSL profiles in SNI configuration |
528736-1 | 3-Major | When tcp connection is aborting tmm can crash with "hud_oob consumed" message |
525675 | 3-Major | SSL with forward proxy can leak memory |
522310-3 | 3-Major | ICMP errors cause the associated FastL4/TCP connection to be reset |
519746-1 | 3-Major | ICMP errors may reset FastL4 connections unexpectedly |
518086-6 | 3-Major | Safenet HSM Traffic failure after system reboot/switchover |
505705-7 | 3-Major | Expired mirrored persistence entries not always freed using intra-chassis mirroring |
501984-2 | 3-Major | TMM may experience an outage when an iRule fails in LB_SELECTED. |
500003-4 | 3-Major | Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP |
494977-2 | 3-Major | Rare outages possible when using config sync and node-based load balancing |
490740-10 | 3-Major | TMM may assert if HTTP is disabled by another filter while it is parked |
475677-3 | 3-Major | Connections may hang until timeout if a LTM policy action failed |
464801-2 | 3-Major | Intermittent tmm core |
442539-1 | 3-Major | OneConnect security improvements. |
587966-3 | 4-Minor | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
574020-4 | 4-Minor | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') |
538708-3 | 4-Minor | TMM may apply SYN cookie validation to packets before generating any SYN cookies |
513288-5 | 4-Minor | Management traffic from nodes being health monitored might cause health monitors to fail. |
499795-2 | 4-Minor | "persist add" in server-side iRule event can result in "Client Addr" being pool member address |
446830-3 | 4-Minor | Current Sessions stat does not increment/decrement correctly. |
Global Traffic Manager Fixes
ID Number | Severity | Description |
603598-2 | 2-Critical | big3d memory under extreme load conditions |
587656-3 | 2-Critical | GTM auto discovery problem with EHF for ID574052 |
587617-3 | 2-Critical | While adding GTM server, failure to configure new IP on existing server leads to gtmd core |
613576-2 | 3-Major | QOS load balancing links display as gray |
613045 | 3-Major | Interaction between GTM and 10.x LTM results in some virtual servers marked down |
601180-1 | 3-Major | Link Controller base license does not allow DNS namespace iRule commands.★ |
589256-3 | 3-Major | DNSSEC NSEC3 records with different type bitmap for same name. |
588289-4 | 3-Major | GTM is Re-ordering pools when adding pool including order designation |
574052-2 | 3-Major | GTM autoconf can cause high CPU usage for gtmd |
Application Security Manager Fixes
ID Number | Severity | Description |
634001-1 | 2-Critical | ASM restarts after deleting a VS that has an ASM security policy assigned to it |
582003-2 | 2-Critical | BD crash on startup or on XML configuration change |
515728-5 | 2-Critical | Repeated BD cores. |
514571-1 | 2-Critical | Apply policy operation hangs |
511187-1 | 2-Critical | bd crash with large configuration changes while under load |
499347-3 | 2-Critical | JSON UTF16 content could be blocked by ASM as Malformed JSON |
621524-3 | 3-Major | Processing Timeout When Viewing a Request with 300+ Violations |
605921 | 3-Major | scriptd and mcpd cores following multiple failovers due to bd (asm) |
605616-3 | 3-Major | Creating 256 Fundamental Security policies will result in an out of memory error |
603945-1 | 3-Major | BD config update should be considered as config addition in case of update failure |
603479-1 | 3-Major | "ASM starting" while it's already running, causing the restart of all ASM daemons |
602221-3 | 3-Major | Wrong parsing of redirect Domain |
600174-1 | 3-Major | Wildcard "*" redirection domain cannot be deleted if list is scrollable |
582683-5 | 3-Major | xpath parser doesn't reset a namespace hash value between each and every scan |
580168-2 | 3-Major | Information missing from ASM event logs after a switchboot and switchboot back |
576591-4 | 3-Major | Support for some future credit card number ranges |
573406-3 | 3-Major | ASU cannot be completed if license was last activated more than 18 months before |
559541-2 | 3-Major | ICAP antivirus scanning is not initiated on XML content when it should be |
553976-1 | 3-Major | AJAX File uploads don't work in IE (import policy doesn't work) |
528071-1 | 3-Major | ASM periodic updates (cron) write errors to log |
521204-1 | 3-Major | Include default values in XML Policy Export |
508957-1 | 3-Major | ASM REST Slowness Viewing Policy List |
392121-1 | 3-Major | TMSH Command to retrieve the memory consumption of the bd process |
609496-1 | 4-Minor | Improved diagnostics in BD config update (bd_agent) added |
603071-1 | 4-Minor | XHTML validation fails on obfuscated JavaScript |
471766-2 | 4-Minor | Number of decoding passes configuration |
Application Visibility and Reporting Fixes
ID Number | Severity | Description |
565085-2 | 3-Major | Analytics profile allows invalid combination of entities for Alerts setup |
488989-3 | 3-Major | AVRD does not print out an error message when the external logging fails |
474613-1 | 3-Major | Upgrading from previous versions★ |
Access Policy Manager Fixes
ID Number | Severity | Description |
622830 | 2-Critical | LDAP type CRLDP is parsed incorrectly |
622244-1 | 2-Critical | Edge client can fail to upgrade when always connected is selected |
618324-2 | 2-Critical | Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor |
617310-1 | 2-Critical | Edge client can fail to upgrade when Always Connected is selected★ |
608408-4 | 2-Critical | TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library |
582440-2 | 2-Critical | Linux client does not restore route to the default GW on Ubuntu 15.10 |
625376-1 | 3-Major | In some cases, download of PAC file by edge client may fail |
623562-1 | 3-Major | Large POSTs rejected after policy already completed |
621202-1 | 3-Major | Portal Access: document.write() with very long string as argument may be handled incorrectly. |
620614-2 | 3-Major | Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account |
619879-3 | 3-Major | HTTP iRule commands could lead to WEBSSO plugin being invoked |
617316-1 | 3-Major | Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration |
617002-3 | 3-Major | SWG with Response Analytics agent in a Per-Request policy fails with some URLs |
616838 | 3-Major | Citrix Remote desktop resource custom parameter name does not accept hyphen character |
614891-4 | 3-Major | Routing table doesn't get updated when EDGE client roams among wireless networks |
613613-1 | 3-Major | Incorrect handling of form that contains a tag with id=action |
612419-2 | 3-Major | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) |
611669-1 | 3-Major | Mac Edge Client customization is not applied on macOS 10.12 Sierra |
610248 | 3-Major | IE 11 browser does not display VDI profile columns properly |
610243 | 3-Major | HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication |
610224-1 | 3-Major | APM client may fetch expired certificate when a valid and an expired certificate co-exist |
610180-3 | 3-Major | A misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin. |
604767-4 | 3-Major | Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete IdP connector object configuration. |
603293-3 | 3-Major | Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs |
601905-4 | 3-Major | POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server |
600116-1 | 3-Major | DNS resolution request may take a long time in some cases |
598211-2 | 3-Major | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. |
591268-3 | 3-Major | VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions |
583113-3 | 3-Major | NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event |
582752-2 | 3-Major | A macro call might not be topologically connected to the rest of the policy.★ |
569309-1 | 3-Major | Clientside HTML parser does not recognize HTML event attributes without value |
567503-5 | 3-Major | ACCESS::remove can result in confusing ERR_NOT_FOUND logs |
566998-2 | 3-Major | Edge client upgrade fails if client was configured in locked mode★ |
559082-1 | 3-Major | Tunnel details are not shown for MAC Edge client |
554458 | 3-Major | No Session Variables are displayed when clicking the "View Session Variables" link in APM "All Sessions" reports when the Session ID has reduced zeros |
509595-1 | 3-Major | Start URI is blank when going through the portal in IE, but loads fine in Firefox |
451301-1 | 3-Major | HTTP iRules break Citrix HTML5 functionality |
389484-4 | 3-Major | OAM reporting Access Server down with JDK version 1.6.0_27 or later |
366149-1 | 3-Major | ACL support for VPN tunnels |
238444-2 | 3-Major | An L4 ACL has no effect when a layered virtual server is used. |
620922-1 | 4-Minor | Online help for Network Access needs update |
WebAccelerator Fixes
ID Number | Severity | Description |
472942-2 | 2-Critical | tmm crash while changing acceleration policy |
596569-2 | 3-Major | Memory leak on Central device in Symmetric deployment |
506315-5 | 3-Major | WAM/AAM is honoring OWS age header when not honoring OWS maxage. |
474445-2 | 3-Major | TMM crash when processing unexpected HTTP response in WAM |
Wan Optimization Manager Fixes
ID Number | Severity | Description |
619757-3 | 2-Critical | iSession causes routing entry to be prematurely freed |
Service Provider Fixes
ID Number | Severity | Description |
607713-4 | 3-Major | SIP Parser fails header with multiple sequential separators inside quoted string. |
601255-3 | 3-Major | RTSP response to SETUP request has incorrect client_port attribute |
599521-2 | 3-Major | Persistence entries not added if message is routed via an iRule |
598854-1 | 3-Major | sipdb tool incorrectly displays persistence records without a pool name |
597835-1 | 3-Major | Branch parameter in inserted VIA header not consistent as per spec |
583010-9 | 3-Major | Sending a SIP invite with "tel" URI fails with a reset |
Advanced Firewall Manager Fixes
ID Number | Severity | Description |
619710 | 3-Major | GUI gives error when clicking "Update" making changes to VS in Security-Policies |
614563-1 | 3-Major | AVR TPS calculation is inaccurate |
605427-2 | 3-Major | TMM may crash when adding and removing virtual servers with security log profiles |
592113-1 | 3-Major | tmm core on the standby unit with dos vectors configured |
580460-1 | 3-Major | Client-side integrity defense or proactive bot defense may break the application |
495390-4 | 3-Major | An error occurs on Active Rules page after attempting to reorder Rules in a Policy |
Policy Enforcement Manager Fixes
ID Number | Severity | Description |
553735-3 | 2-Critical | TMM core on HTTP response with steering action. |
527992-2 | 2-Critical | tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client. |
624091 | 3-Major | DHCP relay is not forwarding all of the DHCPOFFERS to clients |
611355 | 3-Major | tmm core with PEM |
608742-4 | 3-Major | DHCP: DHCP renew ACK messages from the server are dropped by BIG-IP in Forward mode. |
592070-1 | 3-Major | DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied |
551303-3 | 3-Major | TMM may core during processing of a CCA-T. |
472122-4 | 3-Major | DHCPv4: When configured in forwarding mode, BIG-IP will support client messages that use either UDP 67 or 68 as the source port. |
Carrier-Grade NAT Fixes
ID Number | Severity | Description |
532365-1 | 3-Major | lsndb cores with "Assertion `size < bin_key_size' failed" |
504828-2 | 3-Major | "translate address" and "translate port" are enabled by default when configured from the GUI |
481948-1 | 3-Major | LSN_DELETE messages may not be logged in PBA mode |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Description |
621239-1 | 3-Major | Certain DNS queries bypass DNS Cache RPZ filter. |
620215-3 | 3-Major | TMM out of memory causes core in DNS cache |
619398-4 | 3-Major | TMM out of memory causes core in DNS cache |
491801 | 3-Major | GTM iRule command [LB::status up] gives error |
615187-1 | 4-Minor | Missing hyperlink to GSLB virtual servers and servers on the pool member page. |
Traffic Classification Engine Fixes
ID Number | Severity | Description |
615260 | 2-Critical | out of memory condition when URL categorization is configured to work with large feedlists |
Device Management Fixes
ID Number | Severity | Description |
522268-2 | 2-Critical | hostagentd memory leak on VCMP hosts |
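Several security-relevant rows above are hard to act on from the tables alone: a Vulnerability Fixes row may carry a non-descriptive title (631582-4 "Administrative interface enhancement", 475743-4 "Improve administrative login efficiency") so the K article is the only description of what was fixed, multi-CVE cells are separated by commas in some rows and spaces in others, and several CVE fixes (624457-3 Dirty COW, 591455-2 NTP, 591447-3 PHP) appear only in the module tables rather than in the Vulnerability Fixes table. The following is an added example (not F5 code, and not part of these release notes) that parses rows in the format used above into a CVE index, flags both of those cases, and answers whether a device on the 11.6.1 line at a given hotfix level carries this rollup. The sample input is a constructed subset of the rows above; the `covered_by_rollup` helper is an assumption that hotfixes within a version are cumulative, which is what the "Cumulative fixes" headings on this page state, and it deliberately returns None for any other version line because this page makes no claim about them.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the rows from the tables above,
# in the same "cell | cell | ... |" layout. The parser accepts any such row.
RELEASE_NOTES = """\
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
631582-4 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
591329-2 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K36488941 | CVE-2016-2108 fixed in Oracle Access Manager library used by BIG-IP APM |
475743-4 | CVE-2017-6128 | K92140924 | Improve administrative login efficiency |
635933-1 | CVE-2004-0790 | K23440942 K13361021 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
600198-4 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
TMOS Fixes
ID Number | Severity | Description |
624457-3 | 1-Blocking | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
624245 | 2-Critical | Hung tasks leading to system problems and lack of management access via ssh/GUI |
591455-2 | 3-Major | NTP vulnerability CVE-2016-2516 |
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ARTICLE_RE = re.compile(r"\bK\d+\b")          # F5 solution article IDs, e.g. K55792317
SEVERITY_RE = re.compile(r"^\d-[A-Za-z]+$")   # e.g. 2-Critical, 3-Major

# From the "Hotfix Release Information" block at the top of the page.
ROLLUP_VERSION, ROLLUP_HOTFIX = "11.6.1", 2


def parse_release_notes(text):
    """Return one dict per fix row; section headings are lines without '|'."""
    fixes = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "|" not in line:
            section = line                      # "Vulnerability Fixes", "TMOS Fixes", ...
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "ID Number":
            continue                            # column header row
        fix = {"id": cells[0], "section": section, "cves": [], "articles": [],
               "severity": None, "description": cells[-1]}
        if len(cells) == 4:                     # ID | CVE | Solution Article(s) | Description
            # Only the CVE column is scanned here: the description column may
            # name a CVE too, but it is the CVE column that is authoritative.
            fix["cves"] = CVE_RE.findall(cells[1])      # handles comma- and space-separated lists
            fix["articles"] = ARTICLE_RE.findall(cells[2])
        elif len(cells) == 3 and SEVERITY_RE.match(cells[1]):   # ID | Severity | Description
            fix["severity"] = cells[1]
            fix["cves"] = CVE_RE.findall(cells[2])      # CVEs mentioned only in prose
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        fixes.append(fix)
    return fixes


def index_by_cve(fixes):
    """Map each CVE to the fix IDs that address it (a CVE may appear in several rows)."""
    idx = defaultdict(list)
    for fix in fixes:
        for cve in fix["cves"]:
            idx[cve].append(fix["id"])
    return dict(idx)


def security_fixes_outside_vuln_table(fixes):
    """CVE fixes listed only in a module table, which a scan of the Vulnerability Fixes table would miss."""
    return [f for f in fixes if f["section"] != "Vulnerability Fixes" and f["cves"]]


def opaque_vuln_rows(fixes):
    """Vulnerability rows whose description names no CVE; read the K article to learn what was fixed."""
    return [f for f in fixes
            if f["section"] == "Vulnerability Fixes" and not CVE_RE.search(f["description"])]


def covered_by_rollup(version, hotfix):
    """True if an 11.6.1 device at this hotfix level or later carries every fix in this rollup.

    Assumption (matching the 'Cumulative fixes' headings above): hotfixes within a
    version are cumulative. For other version lines the page makes no claim, so None.
    """
    if version != ROLLUP_VERSION:
        return None
    return hotfix >= ROLLUP_HOTFIX


if __name__ == "__main__":
    fixes = parse_release_notes(RELEASE_NOTES)
    for cve, ids in sorted(index_by_cve(fixes).items()):
        print(cve, "->", ", ".join(ids))
    print("outside vuln table:", [f["id"] for f in security_fixes_outside_vuln_table(fixes)])
    print("opaque titles:", [f["id"] for f in opaque_vuln_rows(fixes)])
    print("11.6.1 HF1 covered:", covered_by_rollup("11.6.1", 1))
```

Feed it the full tables from this page to get the complete CVE-to-fix map; the version and hotfix number are taken from the device itself (for example from `tmsh show sys version`), and anything returned as None means the page does not tell you whether that version line has the fix.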
Cumulative fixes from BIG-IP v11.6.1 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
596488-4 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
591806-3 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
591328-2 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591327-2 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591325-2 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 |
591042-5 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
579955-2 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
577826-4 | CVE-2016-1286 | K62012529 | BIND vulnerability CVE-2016-1286 |
573778-7 | CVE-2016-1714 | K75248350 | QEMU vulnerability CVE-2016-1714 |
573124-2 | CVE-2016-5022 | K06045217 | TMM vulnerability CVE-2016-5022 |
563670-11 | CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | K86772626 | OpenSSL vulnerabilities |
601938-3 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
593447-2 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
591918-4 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
591908-4 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
591894-4 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
591881-4 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
587077-3 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
585424-3 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
582813-1 | CVE-2016-0774 | K08440897 | Linux Kernel CVE-2016-0774 |
579220-3 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
564111-1 | CVE-2015-8395 CVE-2015-8384 CVE-2015-8392 CVE-2015-8394 CVE-2015-8391 CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387 CVE-2015-8386 CVE-2015-8385 CVE-2015-8383 CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-2328 CVE-2015-2327 CVE-2015-8393 | K05428062 | Multiple PCRE vulnerabilities |
541231-2 | CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 | K16704 K16707 | Resolution of multiple curl vulnerabilities |
486791-2 | CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 | K16939 | Resolution of multiple wireshark vulnerabilities |
416734-1 | CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 CVE-2013-1667 | K15867 | Multiple Perl Vulnerabilities |
580340-3 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
580313-3 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
579975-3 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability |
579829-3 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
579237-3 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
579085-4 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
578570-2 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
577828-5 | CVE-2016-2088 | K59692558 | BIND vulnerability CVE-2016-2088 |
577823-4 | CVE-2016-1285 | K46264120 | BIND vulnerability CVE-2016-1285 |
567379-1 | CVE-2013-4397 | K16015326 | libtar vulnerability CVE-2013-4397 |
565895-4 | CVE-2015-3217 | K17235 | Multiple PCRE Vulnerabilities |
553454-2 | CVE-2015-2730 | K15955144 | Mozilla NSS vulnerability CVE-2015-2730 |
551287-4 | CVE-2010-2596 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 | K16715 | Multiple LibTIFF vulnerabilities |
481806-2 | CVE-2013-4002 | K16872 | Java Runtime Environment vulnerability CVE-2013-4002 |
479431-4 | CVE-2014-3596 | K16821 | Apache Axis vulnerability CVE-2014-3596 |
416372-4 | CVE-2012-2677 | K16946 | Boost memory allocator vulnerability CVE-2012-2677 |
570667-16 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
517048-1 | CVE-2015-2305 | K16831 | BSD regex library vulnerability CVE-2015-2305 |
Functional Change Fixes
ID Number | Severity | Description |
532685-6 | 3-Major | PAC file download errors disconnect the tunnel |
544325-3 | 4-Minor | BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable). |
TMOS Fixes
ID Number | Severity | Description |
538761-4 | 1-Blocking | scriptd may core when MCP connection is lost |
583936-3 | 2-Critical | Removing ECMP route from BGP does not clear route from NSM |
574116-2 | 2-Critical | MCP may crash when syncing configuration between device groups |
570973-2 | 2-Critical | L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2 |
569634 | 2-Critical | Aced process is not able to listen to port 6000 |
568889-2 | 2-Critical | Some ZebOS daemons do not start on blade transition secondary to primary. |
563064-1 | 2-Critical | Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory |
561814-1 | 2-Critical | TMM Core on Multi-Blade Chassis |
560683-3 | 2-Critical | HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound() |
559034-1 | 2-Critical | Mcpd core dump in the sync secondary during config sync |
557144-3 | 2-Critical | Dynamic route flapping may lead to tmm crash |
542097-2 | 2-Critical | Update to RHEL6 kernel |
530903-1 | 2-Critical | HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade★ |
529141-5 | 2-Critical | Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error★ |
506274-2 | 2-Critical | TMM crash/core seen when a traffic-selector is created Action discard |
493053-2 | 2-Critical | Route domains' firewall policies may be removed after sync |
481647-5 | 2-Critical | OSPF daemon asserts and generates core |
477611-4 | 2-Critical | ICMP monitor does not work on DAG Round Robin enabled VLANs |
473527-2 | 2-Critical | IPsec interop problem when using AES-GCM. |
420438-3 | 2-Critical | Default routes from standby system when HA is configured in NSSA |
598039-3 | 3-Major | MCP memory may leak when performing a wildcard query |
595773-3 | 3-Major | Cancellation requests for chunked stats queries do not propagate to secondary blades |
579284 | 3-Major | Potential memory corruption in MCPd |
576305-3 | 3-Major | Potential MCPd leak in IPSEC SPD stats query code |
575735-2 | 3-Major | Potential MCPd leak in global CPU info stats code |
575726-2 | 3-Major | MCPd might leak memory in vCMP interface stats. |
575716-2 | 3-Major | MCPd might leak memory in VCMP base stats. |
575708-2 | 3-Major | MCPd might leak memory in CPU info stats. |
575671-2 | 3-Major | MCPd might leak memory in host info stats. |
575660-2 | 3-Major | Potential MCPd leak in TMM rollup stats |
575649-2 | 3-Major | MCPd might leak memory in IPFIX destination stats query |
575619-2 | 3-Major | Potential MCPd leak in pool member stats query code |
575608-2 | 3-Major | MCPd might leak memory in virtual server stats query. |
575595-1 | 3-Major | Potential MCPd leak in eviction policy stats. |
575591-2 | 3-Major | Potential MCPd leak in IKE message stats query code |
575589-1 | 3-Major | Potential MCPd leak in IKE event stats query code |
575587-2 | 3-Major | Potential MCPd leak in BWC policy class stats query code |
575027-2 | 3-Major | Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues. |
574045-2 | 3-Major | BGP may not accept attributes using extended length |
571210-4 | 3-Major | Upgrade, load config, or sync might fail on large configs with large objects. |
571019-3 | 3-Major | Topology records can be ordered incorrectly. |
570818-2 | 3-Major | Address lease-pool in IKEv2 might interfere with IKEv2 negotiations. |
570053-2 | 3-Major | HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync. |
569356-2 | 3-Major | BGP ECMP learned routes may use incorrect vlan for nexthop |
569236-4 | 3-Major | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
565534-2 | 3-Major | Some failover configuration items may fail to take effect |
562044-2 | 3-Major | Statistics slow_merge option does not work |
559939-2 | 3-Major | Changing hostname on host sometimes causes blade to go RED / HA TABLE offline |
558858-4 | 3-Major | Unexpected loss of communication between slots of a vCMP Guest |
558779-6 | 3-Major | SNMP dot3 stats occasionally unavailable |
557281-2 | 3-Major | The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100% |
555039-2 | 3-Major | VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration |
553795-4 | 3-Major | Differing certificate/key after successful config-sync |
549971-5 | 3-Major | Some changes to virtual servers' profile lists may cause secondary blades to restart |
548385-3 | 3-Major | iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results |
546410-2 | 3-Major | Configuration may fail to load when upgrading from version 10.x.★ |
545745-2 | 3-Major | Enabling tmm.verbose mode produces messages that can be mistaken for errors. |
542860-4 | 3-Major | TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event |
542742-2 | 3-Major | SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m). |
542320-1 | 3-Major | No login name may appear when running ssh commands through the management port |
541316-3 | 3-Major | Unexpected transition from Forced Offline to Standby to Active |
539199-3 | 3-Major | HTML filter is truncating the server response when sending it to client |
538133-4 | 3-Major | Only one action per sensor is displayed in sensor_limit_table and system_check |
537326-2 | 3-Major | NAT available in DNS section but config load fails with standalone license |
532559-4 | 3-Major | Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'. |
526974-1 | 3-Major | Data-group member records map empty strings to 'none'. |
521270-2 | 3-Major | Hypervisor might replace vCMP guest SYN-Cookie secrets |
519081-1 | 3-Major | Cannot use tmsh to load valid configuration created using the GUI. |
516995-3 | 3-Major | NAT traffic group inheritance does not sync across devices |
513649-4 | 3-Major | Transaction validation errors on object references |
512954-2 | 3-Major | ospf6d might leak memory when distribute-list is used |
511900-2 | 3-Major | 'sessiondump -allkeys' command hangs |
510580-5 | 3-Major | Interfaces might be re-enabled unexpectedly when loading a partition |
508076-2 | 3-Major | Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name. |
504803-5 | 3-Major | GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'. |
502049-1 | 3-Major | Qkview may store information in the wrong format |
502048-1 | 3-Major | Qkview may store information in the wrong format |
487625-3 | 3-Major | Qkview might hang |
486725-2 | 3-Major | GUI creating key files with .key extensions in the name causing errors |
486712-3 | 3-Major | GUI PVA connection maximum statistic is always zero |
485702-4 | 3-Major | Default SNMP community 'public' is re-added after the upgrade |
484534-4 | 3-Major | Interface STP state stays blocked when the interface is added to STP as disabled |
481696-2 | 3-Major | Failover error message 'sod out of shmem' in /var/log/ltm |
479553-4 | 3-Major | Sync may fail after deleting a persistence profile |
479543-6 | 3-Major | Transaction will fail when deleting pool member and related node |
478215-2 | 3-Major | The command 'show ltm pool detail' returns duplicate members in some cases |
477888-4 | 3-Major | ESP ICSA support is non-functional on versions 11.4.0 and up |
455651-5 | 3-Major | Improper regex/glob validation in web-acceleration and http-compression profiles |
451494-2 | 3-Major | SSL Key/Certificate in different partition with Subject Alternative Name (SAN) |
425980-3 | 3-Major | Blade number not displayed in CPU status alerts |
421971-9 | 3-Major | Renewing certificates with SAN input in the GUI leads to error. |
418664-4 | 3-Major | Configuration utility CSRF vulnerability |
405611-3 | 3-Major | Configuration utility CSRF vulnerability |
375246-1 | 3-Major | Clarification of pool member session enabling versus pool member monitor enabling |
372118-3 | 3-Major | import_all_from_archive_file and import_all_from_archive_stream does not create file objects. |
601927-3 | 4-Minor | Security hardening of control plane |
551481-3 | 4-Minor | 'tmsh show net cmetrics' reports bandwidth = 0 |
536746-3 | 4-Minor | LTM : Virtual Address List page uses LTM : Nodes List search filter. |
533480-5 | 4-Minor | qkview crash |
532086-3 | 4-Minor | Local Traffic Policy Rules Condition List select value to update with existing values. |
478922-3 | 4-Minor | ICSA logging issues on versions 11.4.0 and later |
466612-1 | 4-Minor | Missing sys DeviceModel OID for VIPRION C2200 chassis |
487084-2 | 5-Cosmetic | GUI iFile delete confirmation page lists incorrect items to be deleted |
Local Traffic Manager Fixes
ID Number | Severity | Description |
596619 | 2-Critical | Some 10.2.x client SSL configurations fail to upgrade to 11.6.1.★ |
579919-1 | 2-Critical | TMM may core when LSN translation is enabled |
575011-4 | 2-Critical | Memory leak. Nitrox3 Hang Detected. |
565409-4 | 2-Critical | Invalid MSS with HW syncookies and flow forwarding |
559973-2 | 2-Critical | Nitrox can hang on RSA verification |
558612-4 | 2-Critical | System may fail when syncookie mode is activated |
558534-3 | 2-Critical | The TMM may crash if http url rewrite is used with APM |
549868-4 | 2-Critical | 10G interoperability issues reported following Cisco Nexus switch version upgrade. |
534795-1 | 2-Critical | Swapping VLAN names in config results in switch daemon core and restart. |
521548-6 | 2-Critical | Possible crash in SPDY |
517613-1 | 2-Critical | ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps |
489217-1 | 2-Critical | "cipher" memory can leak |
488686-1 | 2-Critical | Large file transfer hangs when HTTP is in passthrough mode |
483665-2 | 2-Critical | Restrict the permissions for private keys |
466007-2 | 2-Critical | DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var |
459671-2 | 2-Critical | iRules source different procs from different partitions and executes the incorrect proc. |
600535 | 3-Major | TMM may core while exiting if MCPD connection was previously aborted |
597089-5 | 3-Major | Connections are terminated after 5 seconds when using ePVA full acceleration |
593530-1 | 3-Major | In rare cases, connections may fail to expire |
592854-4 | 3-Major | Protocol version set incorrectly on serverssl renegotiation |
592784-4 | 3-Major | Compression stalls, does not recover, and compression facilities cease. |
589223-3 | 3-Major | TMM crash and core dump when processing SSL protocol alert. |
588442-3 | 3-Major | TMM can core in a specific set of conditions. |
587892-1 | 3-Major | Multiple iRule proc names might clash, causing the wrong rule to be executed. |
585412-2 | 3-Major | SMTPS virtual server with activation-mode allow will RST non-TLS connections whose email bodies contain very long lines |
583957-4 | 3-Major | The TMM may hang handling pipelined HTTP requests with certain iRule commands. |
580303-3 | 3-Major | When going from active to offline, tmm might send a GARP for a floating address. |
579843-3 | 3-Major | tmrouted may not re-announce routes after a specific succession of failover states |
579371-2 | 3-Major | BIG-IP may generate ARPs after transition to standby |
576296-2 | 3-Major | MCPd might leak memory in SCTP profile stats query. |
575626 | 3-Major | Minor memory leak in DNS Express stats error conditions |
575612-3 | 3-Major | Potential MCPd leak in policy action stats query code |
575347-2 | 3-Major | Unexpected backslashes remain in monitor 'username' attribute after upgrade |
572025-2 | 3-Major | HTTP Class profile using a path selector upgrade to a policy that does not match the entire path★ |
571183-2 | 3-Major | Bundle-certificates Not Accessible via iControl REST. |
569349-2 | 3-Major | Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled |
566361-8 | 3-Major | RAM Cache Key Collision |
563591-2 | 3-Major | reference to freed loop_nexthop may cause tmm crash. |
563419-5 | 3-Major | IPv6 packets containing extended trailer are dropped |
563232-2 | 3-Major | FQDN pool in resource prevents Access Policy Sync. |
554295-3 | 3-Major | CMP disabled flows are not properly mirrored |
551189 | 3-Major | Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data |
548583-3 | 3-Major | TMM crashes on standby device with re-mirrored SIP monitor flows. |
547657-1 | 3-Major | A TCL error in a DNS_RESPONSE iRule event can cause a tmm crash. |
545704-2 | 3-Major | TMM might core when using HTTP::header in a serverside event |
543993-3 | 3-Major | Serverside connections may fail to detach when using the HTTP and OneConnect profiles |
540893-2 | 3-Major | Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets. |
540213-2 | 3-Major | mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary |
536191-2 | 3-Major | Transparent inherited TCP monitors may fail on loading configuration |
534111-1 | 3-Major | [SSL] Config sync problems when modifying cert in default client-ssl profile |
530812-1 | 3-Major | Legacy DAG algorithm reuses high source port numbers frequently |
530795-3 | 3-Major | In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number. |
528734-2 | 3-Major | TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received. |
527742-4 | 3-Major | The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system |
523513-3 | 3-Major | COMPRESS::enable keeps compression enabled for a subsequent HTTP request. |
521711-4 | 3-Major | HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual |
521036-2 | 3-Major | Dynamic ARP entry may replace a static entry in non-primary TMM instances. |
520405-4 | 3-Major | tmm restart due to oversubscribed DNS resolver |
517510-1 | 3-Major | HTTP monitor might add extra CR/LF pairs to HTTP body when supplied |
513530-4 | 3-Major | Connections might be reset when using SSL::disable and enable command |
513319-4 | 3-Major | Incorrect or failing sideband connections from within an iRule may leak memory |
504396-2 | 3-Major | When a virtual's ARP or ICMP is disabled, the wrong mac address is used |
503257-7 | 3-Major | Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST |
502747-1 | 3-Major | Incoming SYN generates unexpected ACK when connection cannot be recycled |
495588-5 | 3-Major | Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases★ |
490936-2 | 3-Major | SSLv2/TLSv1 based handshake causing handshake failures |
490174-2 | 3-Major | Improved TLS protocol negotiation with clients supporting TLS1.3 |
472748-1 | 3-Major | SNAT pool stats are reflected in global SNAT stats |
472571-6 | 3-Major | Memory leak with multiple client SSL profiles. |
468790-2 | 3-Major | Inconsistent SafeNet key deletion in BIG-IP and Safenet HSM |
463202-7 | 3-Major | BIG-IP system drops non-zero version EDNS requests |
623135 | 4-Minor | BIG-IP virtual server TCP sequence numbers vulnerability (CVE-2002-1463) |
572015-3 | 4-Minor | HTTP Class profile is upgraded to a case-insensitive policy★ |
532799-2 | 4-Minor | Static Link route to /32 pool member can end using dst broadcast MAC |
531979-3 | 4-Minor | SSL version in the record layer of ClientHello is not set to be the lowest supported version. |
472051-1 | 4-Minor | Manually adding username/password in ZebOS can cause imi to core |
Global Traffic Manager Fixes
ID Number | Severity | Description |
569972-2 | 2-Critical | Unable to create gtm topology records using iControl REST |
569521-4 | 2-Critical | Invalid WideIP name without dots crashes gtmd. |
539466-2 | 2-Critical | Cannot use self-link URI in iControl REST calls with gtm topology |
569472-2 | 3-Major | TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled |
561539-2 | 3-Major | [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.★ |
559975-5 | 3-Major | Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth |
517582-3 | 3-Major | [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record. |
510888-1 | 3-Major | [LC] snmp_link monitor is not listed as available when creating link objects |
Application Security Manager Fixes
ID Number | Severity | Description |
578334-3 | 2-Critical | Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy. |
583686-3 | 3-Major | High ASCII meta-characters can be disallowed on UTF-8 policy via XML import |
579524-2 | 3-Major | DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name' |
577664-2 | 3-Major | Policy import, to inactive policies list, results in different policies on the sync-failover peers |
572922-2 | 3-Major | Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.★ |
568670-2 | 3-Major | ASM fails to start with error - Undefined subroutine &F5::CRC::get_crc32 |
559055-1 | 3-Major | Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All" |
554324-1 | 3-Major | Signatures cannot be updated after Signature Systems have become corrupted in database★ |
539704-2 | 3-Major | Large ASM REST response causes all REST to hang |
531566-2 | 3-Major | A partial response arrives to the client when response logging is turned on |
521370-3 | 3-Major | Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8 |
498433-1 | 3-Major | Upgrading with ASM iRule and virtual server with no websecurity profile★ |
521183-1 | 4-Minor | Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5★ |
Application Visibility and Reporting Fixes
ID Number | Severity | Description |
579049-1 | 2-Critical | TMM core due to wrong assert |
578353 | 2-Critical | Statistics data aggregation process is not optimized |
575170-3 | 2-Critical | Analytics reports may not identify virtual servers correctly |
598909-1 | 3-Major | SQL produces errors. AVR does not display any statistics. |
596945-2 | 3-Major | AVR DNS record lost after upgrade. |
582029-1 | 3-Major | AVR might report incorrect statistics when used together with other modules. |
569958-2 | 3-Major | Upgrade for application security anomalies |
567355-1 | 3-Major | Scheduled report lost after loading configuration |
559060-3 | 3-Major | AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration. |
557062-2 | 3-Major | The BIG-IP ASM configuration fails to load after an upgrade.★ |
525448-1 | 3-Major | Max TPS is always 0 |
Access Policy Manager Fixes
ID Number | Severity | Description |
581770-2 | 1-Blocking | Network Access does not pass IPv6 traffic if a Network Access resource contains both IPv4 and IPv6 |
592868-4 | 2-Critical | Rewrite may crash processing HTML tag with HTML entity in attribute value |
591117-1 | 2-Critical | APM ACL construction may cause TMM to core if TMM is out of memory |
580817-3 | 2-Critical | Edge Client may crash after upgrade★ |
579909-2 | 2-Critical | Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error |
578844-2 | 2-Critical | tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client. |
575609-3 | 2-Critical | Zlib accelerated compression can result in a dropped flow. |
571090 | 2-Critical | When BIG-IP is used as SAML IdP, tmm may restart under certain conditions |
562919-2 | 2-Critical | TMM cores in renew lease timer handler |
513083-1 | 2-Critical | d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server. |
511478-2 | 2-Critical | Possible TMM crash when evaluating expression for per-request policy agents. |
428068-3 | 2-Critical | Insufficiently detailed causes for session deletion. |
598981-2 | 3-Major | APM ACL does not get enforced all the time under certain conditions |
597431-4 | 3-Major | VPN establishment may fail when computer wakes up from sleep |
596116-2 | 3-Major | LDAP Query does not resolve group membership, when required attribute(s) specified |
592591-1 | 3-Major | Deleting access profile prompts for apply access policy for other untouched access profiles |
592414-2 | 3-Major | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed |
590820-2 | 3-Major | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. |
589794 | 3-Major | APD might crash if LDAP Query agent failed to retrieve primary group for a user |
589118 | 3-Major | Horizon View client throws an exception when connecting to Horizon 7 VCS through APM. |
588888-2 | 3-Major | Empty URI rewriting is not done as required by browser. |
586718-3 | 3-Major | Session variable substitutions are logged |
586006-3 | 3-Major | Failed to retrieve CRLDP list from client certificate if DirName type is present |
585562-1 | 3-Major | VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari |
582526-2 | 3-Major | Unable to display and edit huge policies (more than 4000 elements) |
581834-4 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc |
580893-1 | 3-Major | Support for Single FQDN usage with Citrix Storefront Integration mode |
580421-3 | 3-Major | Edge Client may not register DLLs correctly |
577939-1 | 3-Major | DNS suffixes on user's machine may not be restored correctly in some cases |
576350-2 | 3-Major | External input from client doesn't pass to policy agent if it is not the first in the chain. |
576069-2 | 3-Major | Rewrite can crash in some rare corner cases |
575499-1 | 3-Major | VPN filter may leave renew_lease timer active after teardown |
575292-4 | 3-Major | DNS Relay proxy service does not respond to SCM commands in timely manner |
574781-2 | 3-Major | APM Network Access IPV4/IPV6 virtual may leak memory |
573643-2 | 3-Major | flash.utils.Proxy functionality is not negotiated |
573581-4 | 3-Major | DNS search suffixes are not restored properly in some cases after VPN establishment |
573429-1 | 3-Major | APM Network Access IPv4/IPv6 virtual may leak memory |
572887-2 | 3-Major | DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client |
570640-2 | 3-Major | APM Cannot create symbolic link to sandbox. Error: No such file or directory |
570064-3 | 3-Major | IE gives a security warning asking: "Do you want to run ... InstallerControll.cab" |
567660-2 | 3-Major | Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature |
566646-4 | 3-Major | Portal Access could respond very slowly for large text files when using IE < 11 |
565231-2 | 3-Major | Importing a previously exported policy which had two object names may fail |
564521-3 | 3-Major | JavaScript passed to ExternalInterface.call() may be erroneously unescaped |
564482-2 | 3-Major | Kerberos SSO does not support AES256 encryption |
563349-4 | 3-Major | On Mac, Network Access proxy settings are not applied to the tun adapter after the VPN is established |
559218-2 | 3-Major | Iframes could be inaccessible to a parent window on a page accessed through Portal Access |
558946-4 | 3-Major | TMM may core when APM is provisioned and access profile is attached to the virtual |
556597-5 | 3-Major | CertHelper may crash when performing Machine Cert Inspection |
551999-2 | 3-Major | Edge client needs to re-authenticate after lost network connectivity is restored |
551454-5 | 3-Major | Edge client sends repeated HTTP probes to the captive portal probe URL for a misconfigured server |
551260-2 | 3-Major | When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated |
549086-8 | 3-Major | Windows 10 is not detected when Firefox is used |
547546-3 | 3-Major | Add support for auto-update of MachineCertService |
541622-6 | 3-Major | APD/APMD Crashes While Verifying CAPTCHA |
536575-1 | 3-Major | Session variable report can be blank in many cases |
534901-1 | 3-Major | VMware View HTML5 client may load/initialize with delays |
534373-5 | 3-Major | Some text in the French-localized Edge Client on Windows has a grammatical error |
533422-2 | 3-Major | sessiondump is not reusing connections |
528701-2 | 3-Major | Sessiondump does not accept single dash options |
528548-2 | 3-Major | @import "url" is not recognized by client-side CSS patcher |
525429-12 | 3-Major | DTLS renegotiation sequence number compatibility |
519059-3 | 3-Major | [PA] - Failing to properly patch webapp link, link not working |
516219-4 | 3-Major | User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled |
508337-4 | 3-Major | In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access |
493106-4 | 3-Major | HTTP Basic authentication module logs clear text password in /var/log/apm at debug level |
479715-3 | 3-Major | Multi-tab protection problems with multi-domain SSO |
409323-3 | 3-Major | OnDemand cert auth redirect omits port information |
584373-3 | 4-Minor | AD/LDAP resource group mapping table controls are not accessible sometimes |
580429-5 | 4-Minor | CTU does not show second Class ID for InstallerControll.dll |
572543-2 | 4-Minor | User is prompted to install components repeatedly after client components are updated. |
554690-3 | 4-Minor | VPN Server Module generates repeated Error Log "iface eth0 "... every 2 secs |
541156-2 | 4-Minor | Network Access clients experience delays when resolving a host |
WebAccelerator Fixes
ID Number | Severity | Description |
575631-3 | 3-Major | Potential MCPd leak in WAM stats query code |
562644-4 | 3-Major | TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection |
506557-3 | 3-Major | IBR tags might occasionally be all zeroes. |
501714-2 | 3-Major | System does not prevent low-quality JPEGs from being optimized to a higher quality (becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS. |
476476-7 | 3-Major | Occasional inability to cache optimized PDFs and images |
Service Provider Fixes
ID Number | Severity | Description |
578564-3 | 3-Major | ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response |
573075-2 | 3-Major | ADAPT recursive loop when handling successive iRule events |
572224-4 | 3-Major | Buffer error due to RADIUS::avp command when vendor IDs do not match |
570363-2 | 3-Major | Potential segfault when MRF messages cross from one TMM to another. |
566576-2 | 3-Major | ICAP/OneConnect reuses connection while previous response is in progress |
550434-5 | 3-Major | Diameter connection may stall if server closes connection before CER/CEA handshake completes |
561500-1 | 4-Minor | ICAP Parsing improvement |
Advanced Firewall Manager Fixes
ID Number | Severity | Description |
484013-4 | 2-Critical | tmm might crash under load when logging profile is used with packet classification |
575571-2 | 3-Major | MCPd might leak memory in FW DOS SIP attack stats query. |
569337-2 | 3-Major | TCP events are logged twice in an HA setup |
Policy Enforcement Manager Fixes
ID Number | Severity | Description |
593070-5 | 2-Critical | TMM may crash with multiple IP addresses per session |
577863-2 | 3-Major | DHCP relay stops forwarding server DHCPOFFER and DHCPACK messages after some time |
577814-4 | 3-Major | MCPd might leak memory in PEM stats queries. |
566061-3 | 3-Major | Subscriber info missing in flow report after subscriber has been deleted |
Carrier-Grade NAT Fixes
ID Number | Severity | Description |
515736-4 | 3-Major | LSN pool with small port range may not use all ports |
Fraud Protection Services Fixes
ID Number | Severity | Description |
561623-3 | 2-Critical | Realtime encryption causes high CPU usage in older browsers |
593667 | 3-Major | Dashboard displays incomplete alert details when Polish characters are included |
583445 | 3-Major | Alert dashboard does not correctly display Hebrew characters in alerts. |
556162-3 | 3-Major | Default obfuscator configuration causes very slow javascript in some browsers |
Traffic Classification Engine Fixes
ID Number | Severity | Description |
595270 | 2-Critical | Memory leaks when session DB tables get updated |
554928-1 | 2-Critical | tmm eventually crashes when classification profile is configured on the virtual |
Device Management Fixes
ID Number | Severity | Description |
580686-1 | 3-Major | Hostagentd might leak memory on vCMP hosts. |
Cumulative fixes from BIG-IP v11.6.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
570716-3 | CVE-2016-5736 | K10133477 | BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736 |
565169 | CVE-2013-5825 CVE-2013-5830 | K48802597 | Multiple Java Vulnerabilities |
542314-5 | CVE-2015-8099 | K35358312 | TCP vulnerability - CVE-2015-8099 |
572495-3 | CVE-2016-5023 | K19784568 | TMM may crash if it receives a malformed packet CVE-2016-5023 |
570535 | CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 | K15685 K15912 K31300371 K16011 K21632201 K31026324 K17239 K17543 K17121 K41739114 K17246 K17458 K17244 K17245 K90230486 K17309 K17307 K31026324 K94105604 | Multiple Kernel Vulnerabilities |
567475-5 | CVE-2015-8704 | K53445000 | BIND vulnerability CVE-2015-8704 |
560925-2 | CVE-2015-3194 | K86772626 | OpenSSL Vulnerability fix |
560910-2 | CVE-2015-3194 | K86772626 | OpenSSL Vulnerability fix |
560180-2 | CVE-2015-8000 | K34250741 | BIND Vulnerability CVE-2015-8000 |
554624-2 | CVE-2015-5300 CVE-2015-7704 | K10600056 K17566 | NTP CVE-2015-5300 CVE-2015-7704 |
553902-2 | CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 | K17516 | Multiple NTP Vulnerabilities |
546080-5 | CVE-2016-5021 | K99998454 | Path sanitization for iControl REST worker |
545786-4 | CVE-2015-7393 | K75136237 | Privilege escalation vulnerability CVE-2015-7393 |
545762 | CVE-2015-7394 | K17407 | CVE-2015-7394 |
540767-2 | CVE-2015-5621 | K17378 | SNMP vulnerability CVE-2015-5621 |
539923-1 | CVE-2016-1497 | K31925518 | BIG-IP APM access logs vulnerability CVE-2016-1497 |
534090-2 | CVE-2015-5380 | K17238 | Node.js vulnerability CVE-2015-5380 |
518275-2 | CVE-2016-4545 | K48042976 | The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file |
508057-1 | CVE-2015-0411 | K44611310 | MySQL Vulnerability CVE-2015-0411 |
497065-1 | CVE-2013-6435 | K16383 | Linux RPM vulnerability CVE-2013-6435 |
488015-1 | CVE-2014-3669 CVE-2014-3670 CVE-2014-3668 | K15866 | Multiple PHP vulnerabilities |
472093-1 | CVE-2015-8022 | K12401251 | APM TMUI Vulnerability CVE-2015-8022 |
556383-1 | CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 | K31372672 | Multiple NSS Vulnerabilities |
550596-3 | CVE-2016-6876 | K52638558 | RESOLV::lookup iRule command vulnerability CVE-2016-6876 |
534633-3 | CVE-2015-5600 | K17113 | OpenSSH vulnerability CVE-2015-5600 |
527762-1 | CVE-2015-4000 | K16674 | TLS vulnerability CVE-2015-4000 |
525232-1 | CVE-2015-4024 CVE-2014-8142 | K16826 | PHP vulnerability CVE-2015-4024 |
500089-1 | CVE-2015-0206 | K16124 | OpenSSL vulnerability CVE-2015-0206 |
472696-1 | CVE-2014-1544 | K16716 | Multiple Mozilla Network Security Services vulnerabilities |
470842-1 | CVE-2012-5784 | K14371 | Apache Axis vulnerability CVE-2012-5784 |
427174-7 | CVE-2013-1620 CVE-2013-0791 | K15630 | SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620 |
560969-2 | CVE-2015-3196 | K55540723 | OpenSSL vulnerability fix |
560962-2 | CVE-2015-3196 | K55540723 | OpenSSL Vulnerability CVE-2015-3196 |
560948-2 | CVE-2015-3195 | K12824341 | OpenSSL vulnerability CVE-2015-3195 |
527639-2 | CVE-2015-1791 | K16914 | OpenSSL vulnerability CVE-2015-1791 |
527638-2 | CVE-2015-1792 | K16915 | OpenSSL vulnerability CVE-2015-1792 |
527637-2 | CVE-2015-1790 | K16898 | PKCS #7 vulnerability CVE-2015-1790 |
527633-2 | CVE-2015-1789 | K16913 | OpenSSL vulnerability CVE-2015-1789 |
500094-1 | CVE-2014-3570 | K16120 | OpenSSL vulnerability CVE-2014-3570 |
500093-1 | CVE-2014-8275 | K16136 | OpenSSL vulnerability CVE-2014-8275 |
500092-1 | CVE-2015-0205 | K16135 | OpenSSL vulnerability CVE-2015-0205 |
500090-1 | CVE-2014-3572 | K16126 | OpenSSL vulnerability CVE-2014-3572 |
494735-1 | CVE-2014-3566 | K15702 | SSLv3 vulnerability CVE-2014-3566 |
479897-1 | CVE-2014-2497 CVE-2014-3538 CVE-2014-3597 CVE-2014-4670 CVE-2014-4698 CVE-2014-5120 CVE-2014-0238 | K15761 | Multiple PHP 5.x vulnerabilities |
567484-5 | CVE-2015-8705 | K86533083 | BIND Vulnerability CVE-2015-8705 |
Functional Change Fixes
ID Number | Severity | Description |
470715-5 | 2-Critical | Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long |
539130-6 | 3-Major | bigd may crash due to a heartbeat timeout |
530133-3 | 3-Major | Support for New Platform: BIG-IP 10350 FIPS |
520277-2 | 3-Major | Components validation alert |
497395-1 | 3-Major | Correctly assign severity to check component alerts |
493507-1 | 3-Major | License checks for fictive URLs and injected tags |
490537-6 | 3-Major | Persistence Records display in GUI might cause system crash with large number of records |
382157-3 | 3-Major | Stats presented by the MIB sysVlanStatTable do not match sFlow VLAN stats |
TMOS Fixes
ID Number | Severity | Description |
492460-3 | 1-Blocking | Virtual deletion failure possible when using sFlow |
572086 | 2-Critical | Unable to boot v11.6.0 on 7250 or 10250 platforms |
564427-3 | 2-Critical | Use of iControl call get_certificate_list_v2() causes a memory leak. |
562959-2 | 2-Critical | In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel. |
562122-5 | 2-Critical | Adding a trunk might disable vCMP guest |
557680-1 | 2-Critical | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
556380-2 | 2-Critical | mcpd can assert on active connection deletion |
555686-5 | 2-Critical | Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers |
554609-4 | 2-Critical | Kernel panics during boot when RAM spans multiple NUMA nodes. |
552481 | 2-Critical | Disk provisioning error after restarting ASM service. |
551661-2 | 2-Critical | Monitor with send/receive string containing double-quote may fail to load. |
544913-6 | 2-Critical | tmm core while logging from TMM during failover |
544481-5 | 2-Critical | IPSEC Tunnel fails for more than one minute randomly. |
543924 | 2-Critical | Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6 |
520380-6 | 2-Critical | save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory |
511527-2 | 2-Critical | snmpd segmentation fault at get_bigip_profile_user_stat() |
510559-6 | 2-Critical | Add logging to indicate that compression engine is stalled. |
505071-5 | 2-Critical | Delete and create of the same object can cause secondary blades' mcpd processes to restart. |
504508-5 | 2-Critical | IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled |
503600-6 | 2-Critical | TMM core logging from TMM while attempting to connect to remote logging server |
502841-2 | 2-Critical | REST API hangs due to icrd startup issues |
490801-2 | 2-Critical | mod_ssl: missing support for TLSv1.1 and TLSv1.2 |
484453-6 | 2-Critical | Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand) |
365219-2 | 2-Critical | Trust upgrade fails when upgrading from version 10.x to version 11.x.★ |
606540-1 | 3-Major | DB variable changed via GUI does not sync across HA group |
567774-1 | 3-Major | ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root |
563475-3 | 3-Major | ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. |
562928 | 3-Major | Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled |
560423-2 | 3-Major | VxLAN tunnel IP address modification is not supported |
560220-1 | 3-Major | Missing partition and subPath fields for some objects in iControl REST |
559584-2 | 3-Major | tmsh list/save configuration takes a long time when config contains nested objects. |
558573-2 | 3-Major | MCPD restart on secondary blade after updating Pool via GUI |
556284-5 | 3-Major | iqsyncer: GTM/LC config sync failure with error from local mcpd: 'Monitor parent not found' |
555905-3 | 3-Major | sod health logging inconsistent when device removed from failover group or device trust |
554563-3 | 3-Major | Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics. |
554340-4 | 3-Major | IPsec tunnels fail when connection.vlankeyed db variable is disabled |
553649-3 | 3-Major | The SNMP daemon might lock up and fail to respond to SNMP requests. |
553576-3 | 3-Major | Intermittent 'zero millivolt' reading from FND-850 PSU |
552585-3 | 3-Major | AAA pool member creation sets the port to 0. |
551927-2 | 3-Major | ePVA snoop header's transform vlan should be set properly under asymmetric routing condition |
551742-2 | 3-Major | Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades |
550694-3 | 3-Major | LCD display stops updating and Status LED turns/blinks Amber |
550536-3 | 3-Major | Incorrect information/text (in French) is displayed when the Edge Client is launched |
549543-3 | 3-Major | DSR rejects return traffic for monitoring the server |
548239-3 | 3-Major | BGP routing using route-maps cannot match route tags |
547532-2 | 3-Major | Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades |
541569-3 | 3-Major | IPsec NAT-T (IKEv1) not working properly |
540996-2 | 3-Major | Monitors with a send attribute set to 'none' are lost on save |
540871-1 | 3-Major | Update/deletion of SNMPv3 user does not work correctly |
539822-4 | 3-Major | tmm may leak connflow and memory on vCMP guest. |
539784-4 | 3-Major | HA daemon_heartbeat mcpd fails on load sys config |
538663-3 | 3-Major | SSO token login does not work due to remote role update failures. |
538024-3 | 3-Major | Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load |
534582-4 | 3-Major | HA configuration may fail over when standby has only base configuration loaded. |
534076-2 | 3-Major | SNMP configured trap-source might not be used in v1 snmp traps. |
533826-5 | 3-Major | SNMP Memory Leak on a VIPRION system. |
531986-3 | 3-Major | Hourly AWS VE license breaks after reboot with default tmm route/gateway. |
531705-2 | 3-Major | List commands on non-existent iRules incorrectly succeed. |
530242-3 | 3-Major | SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs |
529977-1 | 3-Major | OSPF may not process updates to redistributed routes |
529484-4 | 3-Major | Virtual Edition Kernel Panic under load |
528987-3 | 3-Major | Benign warning during formatting installation |
528276-7 | 3-Major | The device management daemon can crash with a malloc error |
526817-4 | 3-Major | snmpd core due to mcpd message timer thread not exiting |
526031-2 | 3-Major | OSPFv3 may not completely recover from "clear ipv6 ospf process" |
524300-2 | 3-Major | The MOS boot process appears to hang. |
523867-3 | 3-Major | 'warning: Failed to find EUDs' message during formatting installation |
522871-1 | 3-Major | [TMSH] nested wildcard deletion will delete all the objects (matched or not matched) |
522837-1 | 3-Major | MCPD can core as a result of another component shutting down prematurely |
522332-1 | 3-Major | Configuration upgrade of an httpclass that has the 'hosts' attribute is done incorrectly★ |
521144-5 | 3-Major | Network failover packets on the management interface sometimes have an incorrect source-IP |
517388-7 | 3-Major | Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs. |
517209-7 | 3-Major | tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable |
517020-5 | 3-Major | SNMP requests fail and subsnmpd reports that it has been terminated. |
516322-7 | 3-Major | The BIG-IP system may erroneously remove an iApp association from the virtual server. |
513974-7 | 3-Major | Transaction validation errors on object references |
513659-3 | 3-Major | AAM Policy: not all regex characters can be used via the GUI |
512130-4 | 3-Major | Remote role group authentication fails with a space in LDAP attribute group name |
510381-3 | 3-Major | bcm56xxd might core when restarting due to bundling config change. |
503246-4 | 3-Major | TMM crashes when unable to allocate large amount of provisioned memory |
496679-5 | 3-Major | Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.★ |
495865-2 | 3-Major | iApps/tmsh cannot reconfigure pools that have monitors associated with them. |
491727-2 | 3-Major | Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).★ |
482373-3 | 3-Major | Cannot delete and re-create a new virtual server that uses the same virtual address in the same transaction |
480246-4 | 3-Major | Message: Data publisher not found or not implemented when processing request |
473415-1 | 3-Major | ASM Standalone license has to include URL and HTML Rewrite★ |
449453-5 | 3-Major | Loading the default configuration may cause the mcpd process to restart and produce a core file. |
439559-2 | 3-Major | APM policy sync resulting in failover device group sync may make the failover sync fail |
433466-4 | 3-Major | Disabling bundled interfaces affects first member of associated unbundled interfaces |
421012-3 | 3-Major | scriptd incorrectly reports that it is running on a secondary blade |
405635-2 | 3-Major | Using the restart cm trust-domain command to recreate certificates required by device trust. |
553174-4 | 4-Minor | Unable to query admin IP via SNMP on vCMP guest |
533790-4 | 4-Minor | Creating multiple address entries in data-group might result in records being incorrectly deleted |
519216-4 | 4-Minor | Abnormally high CPU utilization from external SSL/OpenSSL monitors |
480071-2 | 4-Minor | Backslashes in policy rule added/duplicated when modified in GUI. |
401893-3 | 4-Minor | Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies |
223884 | 4-Minor | Module not licensed message appears when APM is provisioned and APML is licensed. |
572133-2 | 5-Cosmetic | tmsh save /sys ucs command sends status messages to stderr |
413708-5 | 5-Cosmetic | BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response. |
388274-3 | 5-Cosmetic | LTM pool member link in a route domain is wrong in Network Map. |
291469-2 | 5-Cosmetic | SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries. |
Local Traffic Manager Fixes
ID Number | Severity | Description |
536690-4 | 1-Blocking | Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm) |
476386-2 | 1-Blocking | DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for tls1.2 |
576314-2 | 2-Critical | SNMP traps for FIPS device fault inconsistent among versions. |
565810-2 | 2-Critical | OneConnect profile with an idle or strict limit-type might lead to tmm core. |
562566-2 | 2-Critical | High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems |
554967-3 | 2-Critical | Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets |
552151-2 | 2-Critical | Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected |
549782-1 | 2-Critical | XFV driver can leak memory |
545810-1 | 2-Critical | ASSERT in CSP in packet_reuse |
544375-1 | 2-Critical | Unable to load certificate/key pair |
542564-3 | 2-Critical | bigd detection and logging of load and overload |
540568-2 | 2-Critical | TMM core due to SIGSEGV |
540473-6 | 2-Critical | peer/clientside/serverside script with parking command may cause tmm to core. |
537988-5 | 2-Critical | Buffer overflow for large session messages |
534804-2 | 2-Critical | TMM may core with rate limiting enabled and service-down-action reselect on poolmembers |
534052-3 | 2-Critical | VLAN failsafe triggering on standby leaks memory |
530505-4 | 2-Critical | IP fragments can cause TMM to crash when packet filtering is enabled |
529920-7 | 2-Critical | Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit |
528739-1 | 2-Critical | DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses. |
527011-6 | 2-Critical | Intermittent lost connections with no errors on external interfaces |
525882-2 | 2-Critical | SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate. |
524605-2 | 2-Critical | Requests/responses may not be fully delivered to plugin in some circumstances |
523995-2 | 2-Critical | IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes |
521336-6 | 2-Critical | pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core |
520105-3 | 2-Critical | Possible segfault during hardware accelerated compression. |
517465-4 | 2-Critical | tmm crash with ssl |
509284-2 | 2-Critical | Improved reliability of a module interfacing with HSM |
507611-4 | 2-Critical | On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors. |
489451-3 | 2-Critical | TMM might panic due to OpenSSL failure during handshake generation |
489329-6 | 2-Critical | Memory corruption can occur with SPDY/HTTP2 profile(s) |
484214-2 | 2-Critical | Nitrox gets stuck when processing certain SSL records |
483719-2 | 2-Critical | vlan-groups configured with a single member VLAN result in memory leak |
341928-4 | 2-Critical | CMP-enabled virtual servers that target CMP-disabled virtual servers can crash TMM. |
570617-4 | 3-Major | HTTP parses fragmented response versions incorrectly |
564371-2 | 3-Major | FQDN node availability not reset after removing monitoring |
562308-2 | 3-Major | FQDN pool members do not support manual-resume |
562292-1 | 3-Major | Nesting periodic after with parking command could crash tmm |
560685 | 3-Major | TMM may crash with 'tmsh show sys conn'. |
559933-2 | 3-Major | tmm might leak memory on vCMP guest in SSL forward proxy |
558517-3 | 3-Major | Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.★ |
557783-2 | 3-Major | TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr |
556568-2 | 3-Major | TMM can crash with ssl persistence and fragmented ssl records |
556560-2 | 3-Major | DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records. |
556103-3 | 3-Major | Abnormally high CPU utilization for external monitors |
554769-4 | 3-Major | CPM might crash when TCLRULE_HTTP_RESPONSE is triggered. |
554761-5 | 3-Major | Unexpected handling of TCP timestamps under syncookie protection. |
553688-4 | 3-Major | TMM can core due to memory corruption when using SPDY profile. |
553613-3 | 3-Major | FQDN nodes do not support session user-disable |
552931-4 | 3-Major | Configuration fails to load if DNS Express Zone name contains an underscore |
552865-4 | 3-Major | SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. |
550782-4 | 3-Major | Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit |
550689-2 | 3-Major | Resolver H.ROOT-SERVERS.NET Address Change |
549800-2 | 3-Major | Renaming a virtual server with an attached plugin can cause buffer overflow |
549406-5 | 3-Major | Destination route-domain specified in the SOCKS profile |
548680-2 | 3-Major | TMM may core when reconfiguring iApps that make use of iRules with procedures. |
548678-2 | 3-Major | ASM blocking page does not display when using SPDY profile |
548563-2 | 3-Major | Transparent Cache Messages Only Updated with DO-bit True |
547732-1 | 3-Major | TMM may core on using SSL::disable on an already established serverside connection |
544028-5 | 3-Major | Verified Accept counter 'verified_accept_connections' might underflow. |
543220-1 | 3-Major | Global traffic statistics do not include PVA statistics |
542724-1 | 3-Major | If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash |
542640-2 | 3-Major | bigd intentionally cores when it should shutdown cleanly |
541571-3 | 3-Major | FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses |
538639-3 | 3-Major | P-256 ECDH performance improvements |
538603-2 | 3-Major | TMM core file on pool member down with rate limit configured |
537964-4 | 3-Major | Monitor instances may not get deleted during configuration merge load |
535759-3 | 3-Major | SMTP monitor might mark the server down even if the server answers the HELO message. |
534457-2 | 3-Major | Dynamically discovered routes might fail to remirror connections. |
533820-5 | 3-Major | DNS Cache response missing additional section |
532911-2 | 3-Major | Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates. |
532107-2 | 3-Major | [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted |
530761-1 | 3-Major | TMM crash in DNS processing on a TCP virtual |
529899-1 | 3-Major | Installation may fail with the error "(Storage modification process conflict.)".★ |
528407-4 | 3-Major | TMM may core with invalid lasthop pool configuration |
528007-6 | 3-Major | Memory leak in ssl |
527149-3 | 3-Major | FQDN template node transitions to 'unknown' after configuration reload |
527027-4 | 3-Major | DNSSEC Unsigned Delegations Respond with Parent Zone Information |
527024-3 | 3-Major | DNSSEC Unsigned Delegations Respond with Parent Zone Information |
525989-2 | 3-Major | A disabled blade is spontaneously re-enabled |
525958-11 | 3-Major | TMM may crash if load balancing to a node's IP in an iRule is routed towards an unreachable nexthop. |
525672-2 | 3-Major | tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup. |
525322-7 | 3-Major | Executing tmsh clientssl-proxy cached-certs crashes tmm |
524960-2 | 3-Major | 'forward' command does not work if the virtual server has an attached pool |
524641-1 | 3-Major | Wildcard NAPTR record after deleting the NAPTR records |
523471-2 | 3-Major | pkcs11d core when connecting to SafeNet HSM |
519217-4 | 3-Major | tmm crash: valid proxy |
517282-7 | 3-Major | The DNS monitor may delay marking an object down or never mark it down |
517053-2 | 3-Major | bigd detection and logging of load and overload |
516816-4 | 3-Major | RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake. |
515759-3 | 3-Major | Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time |
513213-5 | 3-Major | FastL4 connection may get RSTs in case of hardware syncookie enabled. |
513142-3 | 3-Major | FQDN nodes with a default monitor may cause configuration load failure |
512119-2 | 3-Major | Improved UDP DNS packet truncation |
511057-5 | 3-Major | Config sync fails after changing monitor in iApp |
510264-1 | 3-Major | TMM core associated with smtps profile. |
509641-3 | 3-Major | Ephemeral pool members may not inherit attributes from FQDN parent |
507410-2 | 3-Major | Possible TMM crash when handling certain types of traffic with SSL persistence enabled |
507109-4 | 3-Major | inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade★ |
505089-4 | 3-Major | Spurious ACKs result in SYN cookie rejected stat increment. |
504545-2 | 3-Major | FQDN: node without service checking reported as 'service checking enabled, no results yet' |
502480-1 | 3-Major | Mirrored connections on standby device do not get closed when Verified Accept is enabled |
500786-6 | 3-Major | Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile |
499430-2 | 3-Major | Standby unit might bridge network ingress packets when bridge_in_standby is disabled |
488921-2 | 3-Major | BIG-IP system sends unnecessary gratuitous ARPs |
476567-5 | 3-Major | fastL4: acceleration state is incorrectly reported on show sys conn |
476564-5 | 3-Major | ePVA FIX: no RST for an unaccelerated flow targeting a network virtual |
475701-2 | 3-Major | FastL4 with FIX late-bind enabled may not honor client-timeout |
472532-4 | 3-Major | Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list |
460946-2 | 3-Major | NetHSM key is displayed as normal in GUI |
458348-2 | 3-Major | RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing. |
455762-1 | 3-Major | DNS cache statistics incorrect |
452443-2 | 3-Major | DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured |
452439-5 | 3-Major | TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads |
446526-7 | 3-Major | TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash. |
441058 | 3-Major | TMM can crash when a large number of SSL objects are created |
424831-6 | 3-Major | State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover |
418890-2 | 3-Major | OpenSSL bug can prevent RSA keys from rolling forward★ |
406001-3 | 3-Major | Host-originated traffic cannot use a nexthop in a different route domain |
372473-2 | 3-Major | mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes |
554774-2 | 4-Minor | Persist lookup across services might fail to return a matching record when multiple records exist. |
551614-2 | 4-Minor | MTU Updates should erase all congestion metrics entries |
546747-2 | 4-Minor | SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets |
541134-2 | 4-Minor | HTTP/HTTPS monitors transmit unexpected data to monitored node. |
534458-6 | 4-Minor | SIP monitor marks down member if response has different whitespace in header fields. |
452482-7 | 4-Minor | HTTP virtual servers with cookie persistence might reset incoming connections |
558053-2 | 5-Cosmetic | Pool's 'active_member_cnt' attribute may not be updated as expected. |
529897-1 | 5-Cosmetic | Diameter monitor logging displays hex when monitor failing instead of the AVP which the monitor is failing on. |
Performance Fixes
ID Number | Severity | Description |
489816-1 | 1-Blocking | F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero★ |
548796-2 | 2-Critical | avrd CPU usage is at 100% |
Global Traffic Manager Fixes
ID Number | Severity | Description |
533658-5 | 2-Critical | DNS decision logging can trigger TMM crash |
471467 | 2-Critical | gtmparse segfaults when loading wideip.conf because of duplicate virtual server names |
469033 | 2-Critical | Large big3d memory footprint. |
551767-3 | 3-Major | GTM server 'Virtual Server Score' not showing correctly in TMSH stats |
546640 | 3-Major | tmsh show gtm persist <filter option> does not filter correctly |
529460-7 | 3-Major | Short HTTP monitor responses can incorrectly mark virtual servers down. |
526699-6 | 3-Major | TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port. |
481328-2 | 3-Major | Stack memory issue with many 'tmsh save sys config gtm-only partitions all' commands. |
552352-2 | 4-Minor | tmsh list displays default values of gtm listener translate-address/translate-port incorrectly |
494796 | 4-Minor | Unable to create GTM Listener with non-default protocol profile. |
Application Security Manager Fixes
ID Number | Severity | Description |
565463-2 | 1-Blocking | ASM-config consumes 1.3GB RAM after repeated Policy Import via REST |
566758-2 | 2-Critical | Manual changes to policy imported as XML may introduce corruption for Login Pages |
555057-3 | 2-Critical | ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies. |
555006-3 | 2-Critical | ASM REST: lastUpdateMicros is not updated when changing a Custom Signature |
552139-2 | 2-Critical | ASM limitation in the pattern matching matrix build-up |
478351-1 | 2-Critical | Changing management IP can lead to bd crash |
475551-1 | 2-Critical | Flaw in CSRF protection mechanism |
474252-1 | 2-Critical | Applying ASM security policy repeatedly fills disk partition on a chassis |
574451-2 | 3-Major | ASM chassis sync occasionally fails to load on secondary slot |
563237 | 3-Major | ASM REST: name for ipIntelligenceReference is incorrect |
562775-2 | 3-Major | Memory leak in iprepd |
558642-1 | 3-Major | Cannot create the same navigation parameter in two different policies |
554367-1 | 3-Major | BIG-IQ ASM remote logger: Requests are not logged. |
553146-2 | 3-Major | BD memory leak |
547000-4 | 3-Major | Enforcer application might crash on XML traffic when out of memory |
542511-2 | 3-Major | 'Unhandled keyword ()' error message in GUI and/or various ASM logs |
541852-1 | 3-Major | ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails |
541406-1 | 3-Major | ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request |
540390-2 | 3-Major | ASM REST: Attack Signature Update cannot roll back to older attack signatures |
538195-1 | 3-Major | Incremental Manual sync does not allow overwrite of 'newer' ASM config |
535188-3 | 3-Major | Response Pages custom content with \n instead of \r\n on policy import. |
534246-2 | 3-Major | rest_uuid should be calculated from the actual values inserted to the entity |
531809-2 | 3-Major | FTP/SMTP traffic related bd crash |
530598-1 | 3-Major | Some Session Tracking data points are lost on TMM restart |
529610-1 | 3-Major | On HA setups, the ASM session tracking page displays an empty list when in fact there are ASM entries in the session DB |
529535-4 | 3-Major | MCP validation error while deactivating a policy that is assigned to a virtual server |
526162-7 | 3-Major | TMM crashes with SIGABRT |
520732-3 | 3-Major | XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty |
514313-1 | 3-Major | Logging profile configuration is updated unnecessarily |
514061-4 | 3-Major | False positive scenario causes SMTP transactions to hang and eventually reset. |
503696-1 | 3-Major | BD enforcer updates may be stuck after BD restart |
491371-1 | 3-Major | CMI: Manual sync does not allow overwrite of 'newer' ASM config |
491352-3 | 3-Major | Added ASM internal parameter to add more XML memory |
481530-1 | 3-Major | Signature reporting details for sensitive data violation |
538837-1 | 4-Minor | REST: Filtering login pages or parameters by their associated URL does not work |
Application Visibility and Reporting Fixes
ID Number | Severity | Description |
529900-1 | 2-Critical | AVR missing some configuration changes in multiblade system |
519257-2 | 2-Critical | cspm script isn't injected in text/html chunked response |
470559 | 2-Critical | TMM crash after traffic stress with rapid changes to Traffic capturing profiles |
552488-1 | 3-Major | Missing upgrade support for AFM Network DoS reports.★ |
549393-3 | 3-Major | SWG URL categorization may cause the /var/lib/mysql file system to fill. |
535246-6 | 3-Major | Table values are not correctly cleaned and can occupy entire disk space. |
530952-1 | 3-Major | MySql query fails with error number 1615 'Prepared statement needs to be re-prepared' |
529903-1 | 3-Major | Incorrect reports on multi-bladed systems |
528031-3 | 3-Major | AVR not reporting the activity of standby systems. |
491185-1 | 3-Major | URL Latencies page: pagination limited to 180 pages |
490999-2 | 3-Major | Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start |
537435-1 | 4-Minor | Monpd might core if asking for export report by email while monpd is terminating |
495744-1 | 4-Minor | Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards★ |
Access Policy Manager Fixes
ID Number | Severity | Description |
553330-3 | 1-Blocking | Unable to create a new document with SharePoint 2010 |
579559-2 | 2-Critical | DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration |
572563-3 | 2-Critical | PWS session does not launch on Internet Explorer |
569306-3 | 2-Critical | Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected |
565056-3 | 2-Critical | Fail to update VPN correctly for non-admin user. |
555507-2 | 2-Critical | Under certain conditions, SSO plugin can overrun memory not owned by the plugin. |
555272-8 | 2-Critical | Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★ |
551764-3 | 2-Critical | [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform |
530622-1 | 2-Critical | EAM plugin uses high memory when serving very high concurrent user load |
522997-3 | 2-Critical | Websso cores when it tries to shutdown |
491080-5 | 2-Critical | Memory leak in access framework |
571003-1 | 3-Major | TMM Restarts After Failover |
570563-2 | 3-Major | CRL is not being imported/exported properly |
569255-3 | 3-Major | Network Access incorrectly manipulates routing table when a second adapter is being connected if "Allow Local subnet access" is set to ON |
566908-5 | 3-Major | Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file |
565527-3 | 3-Major | Static proxy settings are not applied if NA configuration |
564496-3 | 3-Major | Applying APM Add-on License Does Not Change Effective License Limit |
564493 | 3-Major | Copying an access profile appends an _1 to the name. |
564262-4 | 3-Major | Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code |
564253-5 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc |
563474-2 | 3-Major | SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile |
561976 | 3-Major | Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely. |
558870-3 | 3-Major | Protected workspace does not work correctly with third party products |
558631-2 | 3-Major | APM Network Access VPN feature may leak memory |
555457-5 | 3-Major | Reboot is required, but not prompted after F5 Networks components have been uninstalled |
555435-2 | 3-Major | AD Query fails if cross-domain option is enabled and administrator's credentials are not specified |
554993-2 | 3-Major | Profile Stats Not Updated After Standby Upgrade Followed By Failover |
554899-2 | 3-Major | MCPD core with access policy macro during config sync in HA configuration |
554626-1 | 3-Major | Database logging truncates log values greater than 1024 |
554228-5 | 3-Major | OneConnect does not work when WEBSSO is enabled/configured. |
554041-5 | 3-Major | No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled |
553734-1 | 3-Major | Issue with assignment of non-string value to Form.action in javascript. |
553063-1 | 3-Major | Epsec version rolls back to previous version on a reboot |
552498-1 | 3-Major | APMD basic authentication cookie domains are not processed correctly |
549588-2 | 3-Major | EAM memory leak when cookiemap is destroyed without deleting Cookie object in it |
549108-1 | 3-Major | RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value |
548361 | 3-Major | Performance degradation when adding VDI profile to virtual server |
543222-3 | 3-Major | apd may crash if an un-encoded session variable contains "0x" |
539270-6 | 3-Major | A specific NTLM client fails to authenticate with BIG-IP |
539229-7 | 3-Major | EAM core while using Oracle Access Manager |
531983-5 | 3-Major | [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added |
528808-3 | 3-Major | Source NAT translation doesn't work when APM is disabled using iRule |
526637-4 | 3-Major | tmm crash with APM clientless mode |
522791-2 | 3-Major | HTML rewriting on client might leave 'style' attribute unrewritten. |
520088-2 | 3-Major | Citrix HTML5 Receiver does not properly display initial tour and icons |
518550-3 | 3-Major | Incorrect value of form action attribute inside 'onsubmit' event handler in some cases |
517846-2 | 3-Major | View Client cannot change AD password in Cross Domain mode |
511893-5 | 3-Major | Client connection timeout after clicking Log In to Access Policy Manager on a Chassis |
492122-5 | 3-Major | Now Windows Logon Integration does not recreate temporary user for logon execution each time |
488811-5 | 3-Major | F5-prelogon user profile folders are not fully cleaned up |
482177-4 | 3-Major | Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO |
472446-2 | 3-Major | Customization group template file might cause mcpd to restart |
471318-1 | 3-Major | AD/LDAP group name matching should be case-insensitive |
467256-2 | 3-Major | Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat |
462598-4 | 3-Major | Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members. |
462258-8 | 3-Major | AD/LDAP server connection failures might cause apd to stop processing requests when service is restored |
461084-3 | 3-Major | Kerberos Auth might fail if client request contains Authorization header |
389328-7 | 3-Major | RSA SecurID node secret is not synced to the standby node |
WebAccelerator Fixes
ID Number | Severity | Description |
551010-7 | 3-Major | Crash on unexpected WAM storage queue state |
525478-2 | 3-Major | Requests for deflate encoding of gzip documents may crash TMM |
Wan Optimization Manager Fixes
ID Number | Severity | Description |
552198-5 | 3-Major | APM App Tunnel/AM iSession Connection Memory Leak |
547537-3 | 3-Major | TMM core due to iSession tunnel assertion failure |
Service Provider Fixes
ID Number | Severity | Description |
538784-3 | 3-Major | ICAP implementation incorrect when HTTP request or response is missing a payload |
523854-1 | 3-Major | TCP reset with RTSP Too Big error when streaming interleaved data |
545985-3 | 4-Minor | ICAP 2xx response (except 200, 204) is treated as error |
Advanced Firewall Manager Fixes
ID Number | Severity | Description |
561433-3 | 3-Major | TMM Packets can be dropped indiscriminately while under DOS attack |
489379-1 | 3-Major | Bot signature is not matched |
Policy Enforcement Manager Fixes
ID Number | Severity | Description |
529634-2 | 2-Critical | Crash observed with HSL logging |
512069-2 | 2-Critical | TMM restart while relicensing the BIG-IP using the base license. |
510923-2 | 2-Critical | TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered. |
565765-3 | 3-Major | Flow reporting does not occur for unclassified flows. |
564263-3 | 3-Major | PEM: TMM asserts when Using Debug Image when Gy is being used |
560607-3 | 3-Major | Resource Limitation error when removing predefined policy which has multiple rules |
559382-1 | 3-Major | Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers |
557675-3 | 3-Major | Failover from PEM to PCRF can cause session lookup inconsistency |
549283-3 | 3-Major | Add a log message to indicate transition in the state of Gx and Gy sessions. |
Carrier-Grade NAT Fixes
ID Number | Severity | Description |
555369-3 | 2-Critical | CGNAT memory leak when non-TCP/UDP traffic directed at public addresses |
545783-3 | 2-Critical | TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool |
540571-2 | 2-Critical | TMM cores when multicast address is set as destination IP via iRules and LSN is configured |
540484-2 | 2-Critical | "show sys pptp-call-info" command can cause tmm crash |
535101-1 | 2-Critical | Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile. |
Fraud Protection Services Fixes
ID Number | Severity | Description |
564039-3 | 2-Critical | WebSafe "Missing component" check gets applied on request with different referrer domain. |
563554-3 | 2-Critical | Accept-language in alerts |
559129-3 | 2-Critical | Update Generic Malware Signatures to detect new Dyre variant |
554540 | 2-Critical | RAT detection failure |
554537-2 | 2-Critical | Failed alerts on Internet Explorer |
541670-1 | 2-Critical | Memory leak and potential crash bug in secure channel cookie handling |
537106-3 | 2-Critical | Component checks wait for page load |
564040-4 | 3-Major | Differentiation of missing component alerts |
560069-1 | 3-Major | Default obfuscator configuration causes very slow javascript in some browsers |
558255-2 | 3-Major | Filtering encryption alerts |
555818-3 | 3-Major | Bait failure alerts do not give details of the cause of failure |
554546-2 | 3-Major | Only first entry in 'Mandatory Words' list is effective |
552476-2 | 3-Major | Use of JavaScript's 'eval' function may be prohibited by site's content security policy |
551893-2 | 3-Major | Alerts sent from FPS plugin via HSL are sent in a malformed HTTP format |
542586-3 | 3-Major | Fallback alert mechanism can result in page refresh in Internet Explorer 8 |
542581-3 | 3-Major | Websafe alerts with HTML attached cause the page to run slowly |
542472 | 3-Major | SSL::disable for alerts does not take effect and first alert fails |
503160-3 | 3-Major | FPS malicious words don't trigger an alert when ignore list is defined |
560791 | 4-Minor | FPS doesn't encrypt inputs of type "hidden" |
555827-2 | 4-Minor | No fallback for alerts. |
547038-2 | 4-Minor | In very fast transactions, some detection data is missing |
Device Management Fixes
ID Number | Severity | Description |
538722-3 | 3-Major | Configurable maximum message size limit for restjavad |
iApp Technology Fixes
ID Number | Severity | Description |
546082-5 | 2-Critical | Special characters might change input. |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 8 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
600662-4 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
599168-4 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
598983-4 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
580596-9 | CVE-2013-0169 CVE-2016-6907 | K14190 K39508724 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
569467-11 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
Functional Change Fixes
ID Number | Severity | Description |
557221-7 | 2-Critical | Inbound ISP link load balancing will use pool members for only one ISP link per data center |
TMOS Fixes
ID Number | Severity | Description |
596603-11 | 2-Critical | AWS: BIG-IP VE doesn't work with c4.8xlarge instance type. |
547047 | 2-Critical | Older cli-tools unsupported by AWS |
595874-4 | 3-Major | Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.★ |
556277-6 | 3-Major | Config Sync error after hotfix installation (chroot failed rsync error)★ |
499537-3 | 3-Major | Qkview may store information in the wrong format |
Local Traffic Manager Fixes
ID Number | Severity | Description |
557645-5 | 3-Major | Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms. |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Description |
591857 | 1-Blocking | 10-core vCMP guest with ASM may not pass traffic |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
532522-3 | CVE-2015-1793 | K16937 | CVE-2015-1793 |
536984 | CVE-2015-8240 | K06223540 | Ensure min_path_mtu is functioning as designed. |
536481-9 | CVE-2015-8240 | K06223540 | F5 TCP vulnerability CVE-2015-8240 |
534630-5 | CVE-2015-5477 | K16909 | Upgrade BIND to address CVE 2015-5477 |
530829 | CVE-2015-5516 | K00032124 | UDP traffic sent to the host may leak memory under certain conditions. |
529509-5 | CVE-2015-4620 | K16912 | BIND Vulnerability CVE-2015-4620 |
527799-9 | CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 | K16674 K16915 K16914 | OpenSSL library in APM clients updated to resolve multiple vulnerabilities |
527630-1 | CVE-2015-1788 | K16938 | CVE-2015-1788 : OpenSSL Vulnerability |
506034-3 | CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 | K16393 | NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298) |
540849-5 | CVE-2015-5986 | K17227 | BIND vulnerability CVE-2015-5986 |
540846-5 | CVE-2015-5722 | K17181 | BIND vulnerability CVE-2015-5722 |
531576-1 | CVE-2016-7476 | K87416818 | TMM vulnerability CVE-2016-7476 |
520466-2 | CVE-2015-3628 | K16728 | Ability to edit iCall scripts is removed from resource administrator role |
516618-5 | CVE-2013-7424 | K16472 | glibc vulnerability CVE-2013-7424 |
526514-1 | CVE-2016-3687 | K26738102 | Open redirect via SSO_ORIG_URI parameter in multi-domain SSO |
522878-1 | CVE-2016-3686 | K82679059 | Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access. |
515345-1 | CVE-2015-1798 | K16505 | NTP Vulnerability |
Functional Change Fixes
ID Number | Severity | Description |
502443-4 | 2-Critical | After enabling a blade/HA member, pool members are marked down because monitoring starts too soon. |
520705-5 | 3-Major | Edge client contains multiple duplicate entries in server list |
498992-6 | 3-Major | Troubleshooting enhancement: improve logging details for AWS failover failure. |
224903-5 | 3-Major | CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32. |
TMOS Fixes
ID Number | Severity | Description |
544980-3 | 1-Blocking | BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle. |
535806-2 | 1-Blocking | Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE |
507312-1 | 1-Blocking | icrd segmentation fault |
477218-5 | 1-Blocking | Simultaneous stats query and pool configuration change results in process exit on secondary. |
473033-5 | 1-Blocking | Datastor Now Uses Syslog-ng |
529510-2 | 2-Critical | Multiple Session ha state changes may cause TMM to core |
523434 | 2-Critical | mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object |
513454-3 | 2-Critical | An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts |
510979-1 | 2-Critical | Password-less SSH access after tmsh load of UCS may require password after install. |
509503-4 | 2-Critical | tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration |
507602-1 | 2-Critical | Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled |
506199-4 | 2-Critical | VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles |
504496-3 | 2-Critical | AAA Local User Database may sync across failover groups |
497078-1 | 2-Critical | Modifying an existing ipsec policy configuration object might cause tmm to crash |
493791-2 | 2-Critical | iApps do not support FQDN nodes |
479460-5 | 2-Critical | SessionDb may be trapped in wrong HA state during initialization |
473105 | 2-Critical | FastL4 connections reset with pva-acceleration set to guaranteed |
471860-3 | 2-Critical | Disabling interface keeps DISABLED state even after enabling |
470813-1 | 2-Critical | Memory corruption in f5::rest::CRestServer::g_portToServerMap |
468473-2 | 2-Critical | Monitors with domain username do not save/load correctly |
464870-7 | 2-Critical | Datastor cores and restarts. |
438674-5 | 2-Critical | When log filters include tamd, tamd process may leak descriptors |
429018-2 | 2-Critical | tmipsecd cores when deleting a non-existing traffic selector |
420107-2 | 2-Critical | TMM could crash when modifying HTML profile configuration |
364978-1 | 2-Critical | Active/standby system configured with unit 2 failover objects★ |
544888-5 | 3-Major | Idle timeout changes to five seconds when using PVA full or Assisted acceleration. |
534251-1 | 3-Major | Live update with moving config breaks password-less ssh access |
533458-4 | 3-Major | Insufficient data for determining cause of HSB lockup. |
533257-2 | 3-Major | tmsh config file merge may fail when AFM security log profile is present in merged file |
529640 | 3-Major | Improvements in building Cloud images |
528881 | 3-Major | NAT names with spaces in them do not upgrade properly★ |
528310 | 3-Major | Upgrade failure when CertKeyChain exists in non-Common partition |
527537 | 3-Major | CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled |
527145-4 | 3-Major | On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown. |
527094-1 | 3-Major | iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata. |
527021-1 | 3-Major | BIG-IQ iApp statistics corrected for empty pool use cases |
526419-1 | 3-Major | Deleting an iApp service may fail |
524791-3 | 3-Major | non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0 |
524753-1 | 3-Major | IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip |
524490-4 | 3-Major | Excessive output for tmsh show running-config |
524326-4 | 3-Major | Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips |
523922-4 | 3-Major | Session entries may timeout prematurely on some TMMs |
523125 | 3-Major | Disabling/enabling blades in cluster can result in inconsistent failover state |
520640-2 | 3-Major | The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method. |
519510-3 | 3-Major | Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware |
519372 | 3-Major | vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files. |
519068-3 | 3-Major | device trust setup can require restart of devmgmtd |
518283 | 3-Major | Cookie rewrite mangles 'Set-Cookie' headers |
518039-1 | 3-Major | BIG-IQ iApp statistics corrected for partition use cases |
517580-3 | 3-Major | OPT-0015 on 10000-series appliance may cause bcm56xxd restarts |
517178-2 | 3-Major | BIG-IP system as SAML Service Provider cannot process some messages from SimpleSAMLphp under certain conditions |
516669-1 | 3-Major | Rarely occurring SOD core causes failover. |
515667-4 | 3-Major | Unique truncated SNMP OIDs. |
514726-4 | 3-Major | Server-side DSR tunnel flow never expires |
514724-1 | 3-Major | crypto-failsafe fail condition not cleared when crypto device restored |
513916-5 | 3-Major | String iStat rollup not consistent with multiple blades |
513294-8 | 3-Major | LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances |
510159-1 | 3-Major | Outgoing MAP tunnel statistics not updated |
510119-4 | 3-Major | HSB performance can be suboptimal when transmitting TSO packets. |
509782-3 | 3-Major | TSO packets can be dropped with low MTU |
509504-5 | 3-Major | Excessive time to save/list a firewall rule-list configuration |
509037-1 | 3-Major | BIG-IP systems allows creating wild-card IPIP tunnels with the same local-address and tunnel-type |
507853-1 | 3-Major | MCP may crash while performing a very large chunked query and CPU is highly loaded |
507575-1 | 3-Major | An incorrectly formatted NAPTR creation via iControl can cause an error. |
506041-2 | 3-Major | Folders belonging to a device group can show up on devices not in the group |
505045-1 | 3-Major | MAP implementation not working with EA bits length set to 0. |
504494-2 | 3-Major | Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.★ |
502238-3 | 3-Major | Connectivity and traffic interruption issues caused by a stuck HSB transmit ring |
501437-3 | 3-Major | rsync daemon does not stop listening after configsync-ip set to none |
500234-4 | 3-Major | TMM may core during failover due to invalid memory access in IPsec components |
499260-3 | 3-Major | Deleting trust-domain fails when standby IP is in ha-order |
497564-2 | 3-Major | Improve High Speed Bridge diagnostic logging on transmit/receive failures |
497304-1 | 3-Major | Unable to delete reconfigured HTTP iApp when auto-sync is enabled |
495526-1 | 3-Major | IPsec tunnel interface causes TMM core at times |
493246-2 | 3-Major | SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot |
493213-1 | 3-Major | RBA eam and websso daemons segfaulting while provisioning |
491716-2 | 3-Major | SNMP attribute type incorrect for certain OIDs |
491556-7 | 3-Major | tmsh show sys connection output is corrected |
489084-1 | 3-Major | Validation error in MCPD for FQDN nodes |
484706-2 | 3-Major | Incremental sync of iApp changes may fail |
483104-3 | 3-Major | vCMP guests report platform type as 'unknown' |
481648-8 | 3-Major | mib-2 ipAddrTable interface index does not correlate to ifTable |
480679-1 | 3-Major | The big3d daemon does not receive config updates from mcpd |
473348-6 | 3-Major | SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later |
473088-4 | 3-Major | Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile |
470756-6 | 3-Major | snmpd cores or crashes with no logging when restarted by sod |
468837-5 | 3-Major | SNAT translation traffic group inheritance does not sync across devices |
464252-2 | 3-Major | Possible tmm crash when modifying html pages with HTML profile. |
464024-4 | 3-Major | File descriptor leak when running some TMSH commands through scriptd |
458104-3 | 3-Major | LTM UCS load merge trunk config issue |
455264-3 | 3-Major | Error messages are not clear when adding member to device trust fails |
442871-1 | 3-Major | BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor |
441297-3 | 3-Major | Trunk remains down and interface's status is 'uninit' after mcpd restart |
416388-1 | 3-Major | vCMPD will not reattach to guest |
410398-3 | 3-Major | sys db tmrouted.rhifailoverdelay does not seem to work |
405752-1 | 3-Major | TCP Half Open monitors sourced from specific source ports can fail |
383784-5 | 3-Major | Remote Auth user names containing blank space cannot login through TMSH. |
362267-3 | 3-Major | Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors★ |
359774-6 | 3-Major | Pools in HA groups other than Common★ |
355661-3 | 3-Major | sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address |
524606-1 | 4-Minor | SElinux violations prevent cpcfg from touching /service/mcpd/forceload |
524185 | 4-Minor | Unable to run lvreduce |
523863-2 | 4-Minor | istats help not clear for negative increment |
492163-3 | 4-Minor | Applying a monitor to pool and pool member may cause an issue. |
475647-2 | 4-Minor | VIPRION Host PIC firmware version 7.02 update |
473163-2 | 4-Minor | RAID disk failure and alert.conf log message mismatch results in no trap |
471827-1 | 4-Minor | Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist★ |
465675-3 | 4-Minor | Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable. |
465317-1 | 4-Minor | Failure notice from '/usr/bin/set-rsync-mgmt-fw close' seen on each boot. |
464043-3 | 4-Minor | Integration of Firmware for the 2000 Series Blades |
443298-2 | 4-Minor | FW Release: Incorporate VIPRION 2250 LOP firmware v1.20 |
356658-2 | 5-Cosmetic | Message logged when remote authenticated users do not have local account login |
Local Traffic Manager Fixes
ID Number | Severity | Description |
522784-2 | 1-Blocking | After restart, system remains in the INOPERATIVE state |
420341-6 | 1-Blocking | Connection Rate Limit Mode when limit is exceeded by one client also throttles others |
552937-1 | 2-Critical | HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail. |
539344-1 | 2-Critical | SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list |
538255 | 2-Critical | SSL handshakes on 4200/2200 can cause TMM cores. |
533388-1 | 2-Critical | tmm crash with assert "resume on different script" |
530963-4 | 2-Critical | BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms |
528432-2 | 2-Critical | Control plane CPU usage reported too high |
523079-2 | 2-Critical | Merged may crash when file descriptors exhausted |
514108-1 | 2-Critical | TSO packet initialization failure due to out-of-memory condition. |
510837-2 | 2-Critical | Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. BIG-IP sends bad client key exchange. |
509346-2 | 2-Critical | Intermittent or complete SSL handshake failure with netHSM keys |
506304-2 | 2-Critical | UDP connections may stall if initialization fails |
505331-1 | 2-Critical | SASP Monitor may core |
505222-2 | 2-Critical | DTLS drops egress packets when traffic is large |
503343-7 | 2-Critical | TMM crashes when cloned packet incorrectly marked for TSO |
499422-1 | 2-Critical | An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm. |
497299-5 | 2-Critical | Thales install fails if the BIG-IP system is also configured as the RFS |
492352-3 | 2-Critical | Mismatch ckcName between GUI and TMSH can cause upgrade failure |
481677-2 | 2-Critical | A possible TMM crash in some circumstances. |
481162-2 | 2-Critical | vs-index is set differently on each blade in a chassis |
474601-5 | 2-Critical | FTP connections are being offloaded to ePVA |
450814-10 | 2-Critical | Early HTTP response might cause rare 'server drained' assertion |
431283-7 | 2-Critical | iRule binary scan may core TMM when the offset is large |
426328-8 | 2-Critical | Updating iRule procs while in use can cause a core |
402412-8 | 2-Critical | FastL4 tcp handshake timeout is not honored, connection lives for idle timeout. |
551612 | 3-Major | BIG-IP SSL does not support sending multiple certificate verification requests to the hardware accelerator at the same time in 11.6.0. |
530431 | 3-Major | FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts★ |
526810-5 | 3-Major | Crypto accelerator queue timeout is now adjustable |
525557 | 3-Major | FQDN ephemeral nodes not re-populated after deleted and re-created |
524666-3 | 3-Major | DNS licensed rate limits might be unintentionally activated. |
522147-2 | 3-Major | 'tmsh load sys config' fails after key conversion to FIPS using web GUI |
521774-3 | 3-Major | Traceroute and ICMP errors may be blocked by AFM policy |
521538-2 | 3-Major | Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known |
521522-3 | 3-Major | Traceroute through BIG-IP may display destination IP address at BIG-IP hop |
521408-3 | 3-Major | Incorrect configuration in BigTCP Virtual servers can lead to TMM core |
520540-1 | 3-Major | Specific iRule commands may generate a core file |
518020-11 | 3-Major | Improved handling of certain HTTP types. |
517790-1 | 3-Major | When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped |
517556-3 | 3-Major | DNSSEC unsigned referral response is improperly formatted |
516598-1 | 3-Major | Multiple TCP keepalive timers for same Fast L4 flow |
516320-2 | 3-Major | TMM may have a CPU spike if match cross persist is used. |
515817-2 | 3-Major | TMM may not reset connection when receiving an ICMP error |
515322-1 | 3-Major | Intermittent TMM core when using DNS cache with forward zones |
515072-4 | 3-Major | Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased |
514246-3 | 3-Major | connflow_precise_check_begin does not check for NULL |
512383-3 | 3-Major | Hardware flow stats are not consistently cleared during fastl4 flow teardown. |
512148-1 | 3-Major | Self IP address cannot be deleted when its VLAN is associated with static route |
512062-2 | 3-Major | A db variable to disable verification of SCTP checksum when ingress packet checksum is zero |
510921-1 | 3-Major | Database monitors do not support IPv6 nodes |
510720-1 | 3-Major | iRule table command resumption can clear the header buffer before the HTTP command completes |
510638-1 | 3-Major | [DNS] Config change in dns cache resolver does not take effect until tmm restart |
507529-1 | 3-Major | Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow |
506282-1 | 3-Major | GTM DNSSEC keys generation is not synchronized upon key creation |
505059-1 | 3-Major | Some special characters are not properly handled for username and password fields in TCL monitors |
504899-2 | 3-Major | Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one) |
504306-2 | 3-Major | https monitors might fail to re-use SSL sessions. |
504105-4 | 3-Major | RRDAG enabled UDP ports may be used as source ports for locally originated traffic |
503979-1 | 3-Major | High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server. |
503384-1 | 3-Major | SMTP monitor fails on multi line greeting banner in SMTP server |
501516-5 | 3-Major | If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted. |
497742-3 | 3-Major | Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address |
496758-5 | 3-Major | Monitor Parameters saved to config in a certain order may not construct parameters correctly |
495836-2 | 3-Major | SSL verification error occurs when using server side certificate. |
495557-1 | 3-Major | Ephemeral node health status may report as 'unknown' rather than the expected 'offline' |
490713-3 | 3-Major | FTP port might occasionally be reused faster than expected |
490429-2 | 3-Major | The dynamic routes for the default route might be flushed during operations on non-default route domains. |
488600-2 | 3-Major | iRule compilation fails on upgrade★ |
488581 | 3-Major | The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within a HTTP_REQUEST event |
485472-3 | 3-Major | iRule virtual command allows for protocol mismatch, resulting in crash |
479674-1 | 3-Major | bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors. |
478617-6 | 3-Major | Don't include maximum TCP options length in calculating MSS on ICMP PMTU. |
478439-6 | 3-Major | Unnecessary re-transmission of packets on higher ICMP PMTU. |
478257-7 | 3-Major | Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed |
476097-1 | 3-Major | TCP Server MSS option is ignored in verified accept mode |
474356-1 | 3-Major | Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain |
471059-4 | 3-Major | Malformed cookies can break persistence |
465607-7 | 3-Major | TMM cores with TMM log error 'Assertion "flow in use" failed.' when issuing FastHTTP. |
465590-9 | 3-Major | Mirrored persistence information is not retained while flows are active |
465052-6 | 3-Major | Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing |
462714-2 | 3-Major | Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server |
460627-3 | 3-Major | SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists |
447874-5 | 3-Major | TCP zero window suspends data transfer |
447043-3 | 3-Major | Cannot have 2 distinct 'contains' conditions on the same LTM policy operand |
422107-8 | 3-Major | Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set |
422087-5 | 3-Major | Low memory condition caused by Ram Cache may result in TMM core |
375887-4 | 3-Major | Cluster member disable or reboot can leak a few cross blade trunk packets |
374339-4 | 3-Major | HTTP::respond/redirect might crash TMM under low-memory conditions |
364994-7 | 3-Major | TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule. |
352925-2 | 3-Major | Updating a suspended iRule and TMM process restart |
348000-1 | 3-Major | HTTP response status 408 request timeout results in error being logged. |
342013-6 | 3-Major | TCP filter doesn't send keepalives in FIN_WAIT_2 |
226892-13 | 3-Major | Packet filter enabled, default action discard/reject and IP fragment drop |
486485-1 | 4-Minor | TCP MSS is incorrect after ICMP PMTU message. |
454692-4 | 4-Minor | Assigning 'after' object to a variable causes memory leaks |
442647-5 | 5-Cosmetic | IP::stats iRule command reports incorrect information past 2**31 bits |
Global Traffic Manager Fixes
ID Number | Severity | Description |
515797-1 | 2-Critical | Using qos_score command in RULE_INIT event causes TMM crash |
513464-1 | 2-Critical | Some autodiscovered virtuals may be removed from pools. |
471819-2 | 2-Critical | The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled. |
517083-1 | 3-Major | Some autodiscovered virtuals may be removed from pools. |
516685-2 | 3-Major | ZoneRunner might fail to load valid zone files. |
516680-2 | 3-Major | ZoneRunner might fail when loading valid zone files. |
515033 | 3-Major | [ZRD] A memory leak in zrd |
515030-1 | 3-Major | [ZRD] A memory leak in Zrd |
496775-3 | 3-Major | [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor |
479142-1 | 3-Major | Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD) |
465951-2 | 3-Major | If net self description size =65K, gtmd restarts continuously |
479084-1 | 4-Minor | ZoneRunner can fail to respond to commands after a VE resume. |
353556-4 | 4-Minor | big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed |
Application Security Manager Fixes
ID Number | Severity | Description |
524428-1 | 2-Critical | Adding multiple signature sets concurrently via REST |
524004-1 | 2-Critical | Adding multiple signatures concurrently via REST |
520280-1 | 2-Critical | Perl Core After Apply Policy Action |
513822-1 | 2-Critical | ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page |
511196-1 | 2-Critical | UMU memory is not released when remote logger can't reach its destination |
532030-3 | 3-Major | ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI |
531539-1 | 3-Major | The NTLM login is not recognized as failed login. |
527861 | 3-Major | When many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive. |
526856-1 | 3-Major | "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency |
523261-1 | 3-Major | ASM REST: MCP Persistence is not triggered via REST actions |
523260-1 | 3-Major | Apply Policy finishes with coapi_query failure displayed |
523201-2 | 3-Major | Expired files are not cleaned up after receiving an ASM Manual Synchronization |
520585-2 | 3-Major | Changing Security Policy Application Language Is Not Validated or Propagated Properly |
519053-1 | 3-Major | Request is forwarded truncated to the server after answering challenge on a big request |
516522-1 | 3-Major | After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.★ |
486829-1 | 3-Major | HTTP Protocol Compliance options should not be modified during import/upgrade★ |
467930-1 | 3-Major | Searching ASM Request Log for requests with specific violations |
514117-1 | 4-Minor | Store source port higher than 32767 in Request Log record |
Application Visibility and Reporting Fixes
ID Number | Severity | Description |
531526-2 | 3-Major | Missing entry in SQL table leads to misleading ASM reports |
530356-2 | 3-Major | Some AVR tables that hold ASM statistics are not being backed up in upgrade process. |
525708-1 | 3-Major | AVR reports of last year are missing the last month data |
519022-2 | 3-Major | Upgrade process fails to convert ASM predefined scheduled-reports.★ |
518663-1 | 3-Major | Client waits seconds before page finishes load |
499315-1 | 3-Major | Added "Collect full URL" functionality. |
485251-1 | 3-Major | AVR core which includes tmstat backtrace |
479334-5 | 3-Major | monpd/ltm log errors after Hotfix is applied |
472117-2 | 3-Major | Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive |
Access Policy Manager Fixes
ID Number | Severity | Description |
492149-3 | 1-Blocking | Inline JavaScript with HTML entities may be handled incorrectly |
488736-5 | 1-Blocking | Fixed problem with iNotes 9 Instant Messaging |
482266-3 | 1-Blocking | Windows 10 support for Network Access / BIG-IP Edge Client |
482241-1 | 1-Blocking | Windows 10 cannot be properly detected |
439880-2 | 1-Blocking | NTLM authentication does not work due to incorrect NetBIOS name |
405769-3 | 1-Blocking | APM Logout page is not protected against CSRF attack. |
532340-1 | 2-Critical | When FormBased SSO or SAML SSO are configured, tmm may restart at startup |
526754-2 | 2-Critical | F5unistaller.exe crashes during uninstall |
525562-1 | 2-Critical | Debug TMM Crashes During Initialization |
523313-1 | 2-Critical | aced daemon might crash on exit |
520298-2 | 2-Critical | Java applet does not work |
520145-3 | 2-Critical | [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy |
519864-3 | 2-Critical | Memory leak on L7 Dynamic ACL |
518260-1 | 2-Critical | Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message |
517988-2 | 2-Critical | TMM may crash if access profile is updated while connections are active |
514220-1 | 2-Critical | New iOS-based VPN client may fail to create IPv6 VPN tunnels |
509490-2 | 2-Critical | [IE10]: attachEvent does not work |
507681-5 | 2-Critical | Window.postMessage() does not send objects in IE11 |
506223-2 | 2-Critical | A URI in request to cab-archive in iNotes is rewritten incorrectly |
502269-1 | 2-Critical | Large post requests may fail using form based SSO. |
493993-6 | 2-Critical | TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module |
492287-1 | 2-Critical | Support Android RDP client 8.1.3 with APM remote desktop gateway |
480272-6 | 2-Critical | During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID |
540778-3 | 3-Major | Multiple SIGSEGV with core and failover with no logged indicator |
539013-6 | 3-Major | DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases |
537614-1 | 3-Major | Machine certificate checker fails to use Machine cert check service if Windows has certain display languages |
537000-2 | 3-Major | Installation of Edge Client can cause Windows 10 crash in some cases |
534755-1 | 3-Major | Deleting APM virtual server produces ERR_NOT_FOUND error |
533566-1 | 3-Major | Support for View HTML5 client v3.5 shipped with VCS 6.2 |
532761 | 3-Major | APM fails to handle compressed ICA file in integration mode |
532096-2 | 3-Major | Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used |
531910-1 | 3-Major | apmd, apd, localmgr random crash |
531883-2 | 3-Major | Windows 10 App Store VPN Client must be detected by BIG-IP APM |
531541-1 | 3-Major | Support Citrix Receiver 4.3 for Windows in PNAgent mode |
531529-1 | 3-Major | Support for StoreFront proxy |
531483-2 | 3-Major | Copy profile might end up with error |
530800-1 | 3-Major | Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use. |
530773 | 3-Major | per-request policy logs frequently in apm logs |
530697-2 | 3-Major | Windows Phone 10 platform detection |
529392-2 | 3-Major | Win10 and IE11 are not determined in case of DIRECT rule of proxy autoconfig script |
528768-1 | 3-Major | Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication |
528727-1 | 3-Major | In some cases HTML body.onload event handler is not executed via portal access. |
528726-3 | 3-Major | AD/LDAP cache size reduced |
528675-2 | 3-Major | BIG-IP EDGE Client can stay indefinitely in "disconnecting..." state when the captive portal session has expired |
526677-1 | 3-Major | VMware Horizon HTML5 View access client cannot connect when using View Connection Server running version 6.1.1 |
526617-1 | 3-Major | TMM crash when logging a matched ACL entry with IP protocol set to 255 |
526578-1 | 3-Major | Network Access client proxy settings are not applied on German Windows |
526492-2 | 3-Major | DNS resolution fails for Static and Optimized Tunnels on Windows 10 |
526275-1 | 3-Major | VMware View RSA/RADIUS two factor authentication fails |
526084-3 | 3-Major | Windows 10 platform detection for BIG-IP EDGE Client |
525384-2 | 3-Major | Network Access PAC file can now be located on an SMB share |
524909-2 | 3-Major | Windows info agent could not be passed from Windows 10 |
523431-2 | 3-Major | Windows Cache and Session Control cannot support a period in the access profile name |
523390-2 | 3-Major | Minor memory leak on IdP when SLO is configured on bound SP connectors. |
523327-2 | 3-Major | In very rare cases Machine Certificate service may fail to find private key |
523305-1 | 3-Major | Authentication fails with StoreFront protocol |
523222-6 | 3-Major | Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending. |
521835-2 | 3-Major | [Policy Sync] Connectivity profile with a customized logo fails |
521773-2 | 3-Major | Memory leak in Portal Access |
521506-2 | 3-Major | Network Access doesn't restore loopback route on multi-homed machine |
520642-3 | 3-Major | Rewrite plugin should check length of Flash files and tags |
520390-1 | 3-Major | Reuse existing option is ignored for smtp servers |
520205-3 | 3-Major | Rewrite plugin could crash on malformed ActionScript 3 block in Flash file |
520118-2 | 3-Major | Duplicate server entries in Server List. |
519966-2 | 3-Major | APM "Session Variables" report shows user passwords in plain text |
519415-3 | 3-Major | apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual) |
519198-3 | 3-Major | [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user |
518981-2 | 3-Major | RADIUS accounting STOP message may not include long class attributes |
518583-2 | 3-Major | Network Access on disconnect restores redundant default route after looped network roaming for Windows clients |
518573 | 3-Major | The -decode option should be added to expressions in AD and LDAP group mapping. |
518432 | 3-Major | [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation |
517564-1 | 3-Major | APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port |
517441-5 | 3-Major | apd may crash when RADIUS accounting message is greater than 2K |
516839-3 | 3-Major | Add client type detection for Microsoft Edge browser |
516462-2 | 3-Major | Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines |
515943-2 | 3-Major | "Session variables" report may show empty if session variable value contains non-English characters |
514912-3 | 3-Major | Portal Access scripts had not been inserted into HTML page in some cases |
513969-3 | 3-Major | UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running |
513953-1 | 3-Major | RADIUS Auth/Acct might fail if server response size is more than 2K |
513706-2 | 3-Major | Incorrect metric restoration on Network Access on disconnect (Windows) |
513545-1 | 3-Major | '-decode' option produces an incorrect value when it decodes a single value |
513283-1 | 3-Major | Mac Edge Client doesn't send client data if access policy expired |
513098-1 | 3-Major | localdb_mysql_restore.sh failed with exit code |
512345-2 | 3-Major | Dynamic user record removed from memcache but remains in MySQL |
512245-7 | 3-Major | Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname |
511854-4 | 3-Major | Rewriting URLs at client side does not rewrite multi-line URLs |
510709-1 | 3-Major | Websso start URI match fails if there are more than 2 start URI's in SSO configuration. |
509722-1 | 3-Major | BWC traffic blocked |
509677-1 | 3-Major | Edge-client crashes after switching to network with Captive Portal auth |
504031-1 | 3-Major | document.write()/document.writeln() redefinition does not work |
501494-1 | 3-Major | if window.onload is assigned null, then null should be retrieved |
500938-3 | 3-Major | Network Access can be interrupted if second NIC is disconnected |
500450-1 | 3-Major | ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso. |
495336-1 | 3-Major | Logon page is not displayed correctly when 'force password change' is on for local users. |
494637-2 | 3-Major | localdbmgr process in constant restart/core loop |
494565-4 | 3-Major | CSS patcher crashes when a quoted value consists of spaces only |
493023-3 | 3-Major | Export of huge policies might end up with 'too many pipes opened' error |
492701-3 | 3-Major | Resolved LSOs are overwritten by source device in new Policy Sync with new LSO |
492305-1 | 3-Major | Recurring file checker doesn't interrupt session if client machine has missing file |
490830-4 | 3-Major | Protected Workspace is not supported on Windows 10 |
488105-3 | 3-Major | TMM may generate core during certain config change. |
483792-5 | 3-Major | when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources |
483501-1 | 3-Major | Access policy v2 memory leak during object deletion in tmm. |
483286-3 | 3-Major | APM MySQL database full as log_session_details table keeps growing |
483020-1 | 3-Major | [SWG] Policy execution hang when using iRule event in VPE |
482699-4 | 3-Major | VPE displaying "Uncaught TypeError" |
482251-3 | 3-Major | Portal Access. Location.href(url) support. |
481987-6 | 3-Major | Allow NTLM feature to be enabled with APM Limited license |
481663-5 | 3-Major | Disable isession control channel on demand. |
480761-1 | 3-Major | Fixed issue causing TunnelServer to crash during reconnect |
478751-6 | 3-Major | OAM10g form based AuthN is not working for a single/multiple domain. |
478492-7 | 3-Major | Incorrect handling of HTML entities in attribute values |
475735-4 | 3-Major | Failed to load config after removing peer from sync-only group |
475403-2 | 3-Major | Tunnel reconnect with v2.02 does not occur |
474779-1 | 3-Major | EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails. |
473488-6 | 3-Major | In AD Query agent, resolving of nested groups may cause apd to spin |
473255-3 | 3-Major | JavaScript submit() method could be rewritten incorrectly inside of 'with' statement. |
472256-3 | 3-Major | tmsh and tmctl report unusually high counter values |
472062-3 | 3-Major | Unmangled requests when form.submit with arguments is called in the page |
471117-4 | 3-Major | iframe with JavaScript in 'src' attribute not handled correctly in IE11 |
468137-6 | 3-Major | Network Access logs missing session ID |
466745-3 | 3-Major | Cannot set the value of a session variable with a leading hyphen. |
462514-1 | 3-Major | Support for XMLHttpRequest is extended |
461189-5 | 3-Major | Generated assertion contains HEX-encoded attributes |
458450-2 | 3-Major | The ECA process may produce a core file when processing HTTP headers |
457760-5 | 3-Major | EAM not redirecting stdout/stderr from standard libraries to /var/log/apm |
452010-3 | 3-Major | RADIUS Authentication fails when username or password contain non-ASCII characters |
446860-4 | 3-Major | APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 |
442698-10 | 3-Major | APD Active Directory module memory leak in exception |
431467-1 | 3-Major | Mac OS X support for nslookup and dig utilities to use VPN DNS |
426209-2 | 3-Major | exporting to a CSV file may fail and the Admin UI is inaccessible |
423282-8 | 3-Major | BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence |
408851-7 | 3-Major | Some Java applications do not work through BIG-IP server |
402793-12 | 3-Major | APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients |
340406-10 | 3-Major | Localization of BIG-IP Edge Client for Macintosh |
533723-4 | 4-Minor | [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag. |
524756 | 4-Minor | APM Log is filled with errors about failing to add/delete session entry |
523158-2 | 4-Minor | In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails |
517872-1 | 4-Minor | Include proxy hostname in logs in case of name resolution failure |
513201-6 | 4-Minor | Edge client is missing localization of some English text in Japanese locale |
510459-1 | 4-Minor | In some cases Access does not redirect client requests |
507321-3 | 4-Minor | JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields |
497627-3 | 4-Minor | Tmm cores while using APM network access and no leasepool is created on the BIG-IP system. |
486661-3 | 4-Minor | Network Access should provide client IP address on reconnect log records |
482145-3 | 4-Minor | Text in buttons not centered correctly for higher DPI settings |
478658-6 | 4-Minor | Window.postMessage() does not send objects |
478261-2 | 4-Minor | WinInet handle leak in Edge Client on Windows |
473685-1 | 4-Minor | Websso truncates cookie domain value |
WebAccelerator Fixes
ID Number | Severity | Description |
522231-3 | 3-Major | TMM may crash when a client resets a connection |
521455-2 | 3-Major | Images transcoded to WebP format delivered to Edge browser |
WAN Optimization Manager Fixes
ID Number | Severity | Description |
497389-1 | 3-Major | Extraneous dedup_admin core |
485182-2 | 3-Major | wom_verify_config does not recognize iSession profile in /Common sub-partition |
480910 | 3-Major | A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled fails to successfully establish a connection. |
442884-1 | 3-Major | TMM assert "spdy pcb initialized" in spdy_process() |
Service Provider Fixes
ID Number | Severity | Description |
521556-1 | 2-Critical | Assertion "valid pcb" in TCP4 with ICAP adaptation |
516057-3 | 2-Critical | Assertion 'valid proxy' can occur after a configuration change with active IVS flows. |
503652-4 | 2-Critical | Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit. |
480311-1 | 3-Major | ADAPT should be able to work with OneConnect |
489957-5 | 4-Minor | RADIUS::avp command fails when AVP contains multiple attribute (VSA). |
478920 | 4-Minor | SIP::discard is not invoked for all request messages |
Advanced Firewall Manager Fixes
ID Number | Severity | Description |
524748-1 | 2-Critical | PCCD optimization for IP address range |
506286-1 | 2-Critical | TMSH reset of DOS stats |
534886-1 | 3-Major | AFM Security checks were not being done for DNS over TCP |
532022-1 | 3-Major | tmm can crash when the reply pkt to a service flow request is a DoS pkt |
531761-1 | 3-Major | Web navigation flow may be reset when main page responds with non-HTML content |
530865-2 | 3-Major | AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists) |
526774 | 3-Major | Search in FW policy disconnects GUI users |
526277-1 | 3-Major | AFM attack may never end on AVR dos overview page in a chassis based BIGIP |
525522 | 3-Major | Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains |
523465-2 | 3-Major | Log an error message when firewall rule serialization fails due to maximum blob limit being hit. |
521763-1 | 3-Major | Attack stopped and start messages should not have source/dst ip addresses in log messages |
515112-1 | 3-Major | Delayed ehash initialization causes crash when memory is fragmented. |
510224-2 | 3-Major | All descriptions for address-list members are flushed after the address-list was updated |
509934-1 | 3-Major | Blob activation fails due to counter revision |
509919-2 | 3-Major | Incorrect counter for SelfIP traffic on cluster |
509600-1 | 3-Major | Global rule association to policy is lost after loading config. |
481706-2 | 3-Major | AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP |
533808-1 | 4-Minor | Unable to create new rule for virtual server if order is set to "before"/"after" |
533336-2 | 4-Minor | Display 'description' for port list members |
528499 | 4-Minor | AFM address lists are not sorted while trying to create a new rule. |
510226-2 | 4-Minor | All descriptions for ports-list's members are flushed after the port-list was updated |
491165-1 | 4-Minor | Legal IP addresses sometimes logged in Attack Started/Stopped message. |
495432-2 | 5-Cosmetic | Add new log messages for AFM rule blob load/activation in datapath. |
Policy Enforcement Manager Fixes
ID Number | Severity | Description |
545558-1 | 1-Blocking | Send RAA when RAR is sent by PCRF and session is deleted immediately after its created. |
533929 | 1-Blocking | PEM::subscriber info irule command can cause tmm core |
525175-1 | 1-Blocking | Fix a crash issue when querying SSP with multi-ip. |
524780-1 | 1-Blocking | TMM crash when querying the session information |
522933-1 | 1-Blocking | diam_app_process_async_lookup may cause TMM crash |
534490 | 2-Critical | Fixed TMM crash when IRULE configuration is modified. |
534018-1 | 2-Critical | Memory leak while running some of PEM::session and PEM::subscriber commands. |
533734-1 | 2-Critical | DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION |
533203 | 2-Critical | TMM may core on resuming iRule if the underlying flow has been deleted. |
528715-1 | 2-Critical | rare tmm crash when ipother irule parks |
527016-1 | 2-Critical | CLASSIFICATION_DETECTED irule event results in tmm core |
524374-1 | 2-Critical | TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule |
523296-1 | 2-Critical | TMM may core when using iRule custom actions in PEM policies |
519506-1 | 2-Critical | Flows dropped with initiate data from server on virtual servers with HTTP |
491771-2 | 2-Critical | Parking command called from inside catch statement |
541592-1 | 3-Major | PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions |
537034 | 3-Major | PEM: CPU spike seen when iRule tries to update nonexistent sessions. |
534323-1 | 3-Major | Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr. |
533513-1 | 3-Major | Data plane Listener summary does not show LSN translation correctly |
529414-1 | 3-Major | PEM: After Diameter Fatal-Grace time expiry, some subscriber sessions might be deleted very soon |
528787-1 | 3-Major | PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code. |
528247-1 | 3-Major | PEM: New Requested units empty when used units match granted service units |
528238-1 | 3-Major | Quota Policy Added multiple times will lead to reset of Subscriber flows |
527725-1 | 3-Major | BigIP crash caused by PSC::ip_address iRule is fixed |
527292-1 | 3-Major | BigIP crash caused by PSC::user_name iRule is fixed |
527289-1 | 3-Major | TMM crashes with core when PSC::ip_address iRule is used to list IPs |
527076-1 | 3-Major | TMM crashes with core when PSC::policy iRule is used to set more than 32 policies |
526786-1 | 3-Major | Session lookup fails |
526368-1 | 3-Major | The number of IPv4 addresses per Gx session exceeds the limit of 1 |
526295-3 | 3-Major | BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id |
525860-2 | 3-Major | PEM: Duplicate sessions formed with same IP |
525633-1 | 3-Major | Configurable behavior if PCRF returns unknown session ID in middle of session. |
525416-1 | 3-Major | List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed. |
524409-1 | 3-Major | Fix TMSH show and reset-stats commands for multi-ip sessions defect. |
524198-1 | 3-Major | PEM: Invalid HSL log generated when session with static subscriber deleted. |
522934 | 3-Major | Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy |
522579-1 | 3-Major | TMM memory leak when RAR messages received from PCRF to delete non-existing sessions in PEM |
522141-1 | 3-Major | Tmm cores while changing properties of PEM policies and rules. |
522140-1 | 3-Major | Multiple IP is not added through iRule after setting the state of a session to provision by iRule |
521683-1 | 3-Major | PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs |
521655-2 | 3-Major | Session hangs when trying to switch state to provisioned |
504627-1 | 3-Major | Valid RADIUS sessions deleted on no session inactivity if no subscriber traffic exists during session timeout period. |
499778-1 | 3-Major | A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs |
471926-1 | 3-Major | Static subscriber sessions lost after bigstart restart |
539677-1 | 4-Minor | The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file |
Carrier-Grade NAT Fixes
ID Number | Severity | Description |
533562-1 | 2-Critical | Memory leak in CGNAT can result in crash |
515646-1 | 2-Critical | TMM core when multiple PPTP calls from the same client |
509108-1 | 2-Critical | CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber |
494743-1 | 2-Critical | Port exhaustion errors on VIPRION 4800 when using CGNAT |
494122-2 | 2-Critical | Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades |
490893-4 | 2-Critical | Deterministic NAT State information incomplete for HSL log format |
505097-1 | 3-Major | lsn-pool backup-member not propagated to route table after tmrouted restart |
504021-1 | 3-Major | lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled |
500424-2 | 3-Major | dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error |
486762-1 | 3-Major | lsn-pool connection limits may be invalid when mirroring is enabled |
480119-2 | 3-Major | Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message. |
455020-1 | 3-Major | RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout |
Fraud Protection Services Fixes
ID Number | Severity | Description |
526124 | 2-Critical | Parameter matching inconsistency |
520090-1 | 2-Critical | Flows are closed as expired rather than closed gracefully. |
529573 | 3-Major | CSS attribute name |
527075 | 3-Major | Update domain availability default settings |
525283-1 | 3-Major | Add obfuscator tuning tools |
524032-1 | 3-Major | Control sending alerts during the source integrity learning process |
513860-1 | 3-Major | Incomplete support for special characters in input field names |
503461-1 | 3-Major | Intermittent JavaScript failure on Safari on Macintosh computer or device. |
529587 | 4-Minor | Erroneous JS injections |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Description |
514236-1 | 3-Major | [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses |
Device Management Fixes
ID Number | Severity | Description |
525595 | 1-Blocking | Memory leak of inbound sockets in restjavad. |
509273 | 2-Critical | hostagentd consumes memory over time |
533307 | 3-Major | Increasing memory usage due to continual creation of authentication tokens |
521272 | 3-Major | Fixed memory leak in restjavad's Authentication Token worker |
iApp Technology Fixes
ID Number | Severity | Description |
495525-1 | 4-Minor | iApps fail when using FQDN nodes in pools |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
523032-6 | CVE-2015-3456 | K16620 | qemu-kvm VENOM vulnerability CVE-2015-3456 |
513034-1 | CVE-2015-4638 | K17155 | TMM may crash if Fast L4 virtual server has fragmented packets |
511651-3 | CVE-2015-5058 | K17047 | CVE-2015-5058: Performance improvement in packet processing. |
477278-5 | CVE-2014-6032 | K15605 | XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033 |
476157-3 | CVE-2014-4341 CVE-2014-4342 | K15547 | MIT Kerberos 5 vulnerability CVE-2014-4342 |
507842-2 | CVE-2015-1349 | K16356 | Patch for BIND Vulnerability CVE-2015-1349 |
513382-13 | CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 | K16317 | Resolution of multiple OpenSSL vulnerabilities |
485917-3 | CVE-2004-1060 | K15792 | BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060) |
476738-1 | CVE-2007-6199 | K15549 | rsync daemon may be configured to listen on a public port |
430799-3 | CVE-2010-5107 | K14741 | CVE-2010-5107 openssh vulnerability |
Functional Change Fixes
ID Number | Severity | Description |
500303-3 | 2-Critical | Virtual Address status may not be reliably communicated with route daemon |
499947 | 2-Critical | Improved performance loading thousands of Virtual Servers |
497433-2 | 2-Critical | SSL Forward Proxy server side now supports all key exchange methods. |
487552-3 | 2-Critical | triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests are coming from 8G table |
361367-3 | 2-Critical | Create 8 MB-aligned partitions/volumes for VE images to improve disk I/O. |
523803 | 3-Major | Support two-factor authentication for Citrix Receivers in StoreFront proxy mode |
512016-1 | 3-Major | DB variable added to determine DNS UDP truncation behavior. |
504348-1 | 3-Major | iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers |
502770-2 | 3-Major | clientside and serverside command crashes TMM |
495273-1 | 3-Major | LDAP extended error info only available at debug log level which could affect Branch rules |
480811-2 | 3-Major | qkview will not collect lib directories. |
474465-3 | 3-Major | Analysis processes appear to use high CPU though not affecting data plane |
TMOS Fixes
ID Number | Severity | Description |
510393-1 | 1-Blocking | TMM may occasionally restart with a core file when deployed VCMP guests are stopped |
504490-1 | 1-Blocking | The BIG-IP system sometimes takes longer on boot up to become Active. |
468175-8 | 1-Blocking | IPsec interop with Cisco systems intermittent outages |
520349 | 2-Critical | iControl portal restarts |
509475 | 2-Critical | SPDY profile with activation-mode always may not load on upgrade to 11.6.0 or later |
509276-4 | 2-Critical | VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device |
507487-1 | 2-Critical | ZebOS Route not withdrawn when VAddr/VIP down and no default pool |
505323-1 | 2-Critical | NSM hangs in a loop, utilizing 100% CPU |
502675-1 | 2-Critical | Improve reliability of LOP/LBH firmware updates |
501343-3 | 2-Critical | In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle |
495335-1 | 2-Critical | BWC related tmm core |
492458-1 | 2-Critical | BIOS initial release |
487233-1 | 2-Critical | vCMP guests are unable to access NTP or RSYNC via their management network. |
484733-4 | 2-Critical | aws-failover-tgactive.sh doesn't skip network forwarding virtuals |
477281-4 | 2-Critical | Improved XML Parsing |
474751-1 | 2-Critical | IKEv1 daemon crashes when flushing SAs |
474323 | 2-Critical | ePVA IPv6 feature is not available |
467646 | 2-Critical | IDE DMA timeouts can result in stuck processes |
467196-5 | 2-Critical | Log files limited to 24 hours |
466266-1 | 2-Critical | In rare cases, an upgrade (or a restart) can result in an Active/Active state★ |
460730-7 | 2-Critical | On systems with multiple blades, large queries can cause TMM to restart |
452293-4 | 2-Critical | Tunneled Health Monitor traffic fails on Standby device |
445911-6 | 2-Critical | TMM fast forwarded flows are offloaded to ePVA |
430323-4 | 2-Critical | VXLAN daemon may restart when 8000 VXLAN tunnels are configured |
422460-8 | 2-Critical | TMM may restart on startup/config-load if it has too many objects to publish back during config load |
376120-4 | 2-Critical | tmrouted restart after reconfiguration of previously deleted route domain |
519877 | 3-Major | External pluggable module interfaces not disabled correctly. |
516073 | 3-Major | Revised AWS Setup Guide |
514450-4 | 3-Major | VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs. |
512485-3 | 3-Major | Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding |
510597-3 | 3-Major | SNAT Origin Address List is now stored correctly when first created |
507461-6 | 3-Major | Net cos config may not persist on HA unit following staggered restart of both HA pairs. |
507327-1 | 3-Major | Programs that read stats can leak memory on errors reading files |
506281 | 3-Major | F5 Internal tool change to facilitate creating Engineering Hotfixes. |
505878 | 3-Major | Configuration load failure on secondary blades may occur when the chassis is rebooted |
504572-4 | 3-Major | PVA accelerated 3WHS packets are sent in wrong hardware COS queue |
503875-1 | 3-Major | Configure bwc policy category max rate |
503604-3 | 3-Major | Tmm core when switching from interface tunnel to policy based tunnel |
501953-2 | 3-Major | HA failsafe triggering on standby device does not clear next active for that device. |
501371-4 | 3-Major | mcpd sometimes exits while doing a file sync operation |
495862-1 | 3-Major | Virtual status becomes yellow and gets connection limit alert when all pool members forced down |
494978-1 | 3-Major | The hostagentd daemon should not be running in non-vcmp mode. |
494367-2 | 3-Major | HSB lockup after HiGig MAC reset |
491791-3 | 3-Major | GET on non-existent pool members does not show error |
490414-1 | 3-Major | /shared/vmisolinks present on systems running versions where block-devices are not present |
489750-3 | 3-Major | Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config |
488916 | 3-Major | CIDR can now be used for SNAT Origin Address List |
488374-2 | 3-Major | Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation |
486512-7 | 3-Major | audit_forwarder sending invalid NAS IP Address attributes |
485939-1 | 3-Major | OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair. |
485833-7 | 3-Major | The mcpd process may leak memory when using tmsh to modify user attributes |
484861-5 | 3-Major | A standby-standby state can be created when auto failback acts in a CRC disagreement scenario |
483762-3 | 3-Major | Overlapping vCMP guest MAC addresses |
483751-1 | 3-Major | Internal objects can have load failures on restarted blades |
483699-1 | 3-Major | No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list |
483683-3 | 3-Major | MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error |
482434 | 3-Major | Possible performance degradation in AWS cloud |
481082-2 | 3-Major | Software auto update schedule settings can be reset during a full sync |
478761-1 | 3-Major | load sys config default does not work with iCR |
477859-1 | 3-Major | ZebOS config load may fail if password begins with numeric character |
477789-4 | 3-Major | SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN. |
476288-1 | 3-Major | Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault |
473200-2 | 3-Major | Renaming a virtual server causes unexpected configuration load failure |
473037-1 | 3-Major | BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP |
472365-4 | 3-Major | The vCMP worker-lite system occasionally stops due to timeouts |
471496-2 | 3-Major | Standby node sends a summary LSA for the default route into a stub area with the same metric value as that of Active node. |
468517-5 | 3-Major | Multi-blade systems can experience active/standby flapping after both units rebooted |
464132-2 | 3-Major | Serverside SSL cannot be disabled if Rewrite profile is attached |
463715-3 | 3-Major | syscalld logs erroneous and benign timeout messages |
447075-1 | 3-Major | CuSFP module plugged in during links-down state will cause remote link-up |
440346-5 | 3-Major | Monitors removed from a pool after sync operation |
440154-3 | 3-Major | When IKEv2 is in use, user can only associate one Traffic Selector object with the IKE Peer object |
439343 | 3-Major | Client certificate SSL authentication unable to bind to LDAP server |
436682-5 | 3-Major | Optical SFP modules show a higher optical power output for disabled switch ports |
431634-6 | 3-Major | tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails |
420204-3 | 3-Major | FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long |
416292-1 | 3-Major | MCPD can core as a result of another component shutting down prematurely |
394236-3 | 3-Major | MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 - |
510049 | 4-Minor | Revised BIG-IP CGNAT Implementations content |
493223-3 | 4-Minor | syscalld core dumps now keep more debugging information |
490171-1 | 4-Minor | Cannot add FQDN node if management route is not configured |
477111-5 | 4-Minor | Dual management routes in the main routing table |
475592-2 | 4-Minor | Per-core and system CPU usage graphs do not match |
473517-2 | 4-Minor | 'OID not increasing error' during snmpwalk |
463959-1 | 4-Minor | stpd attempts to connect to slots in a chassis that are empty |
492422-4 | 5-Cosmetic | HTTP request logging reports incorrect response code |
466116-3 | 5-Cosmetic | Intermittent 'AgentX' warning messages in syslog/ZebOS log files |
Local Traffic Manager Fixes
ID Number | Severity | Description |
511873 | 1-Blocking | TMM core observed during SSL cert-related tmsh execution. |
507490-1 | 1-Blocking | Invalid HTTP/2 input can cause the TMM to hang |
507139-1 | 1-Blocking | Invalid HTTP/2 input can cause the TMM to hang |
504225-2 | 1-Blocking | Virtual creation with the multicast IPv6 address returns error message |
488931-1 | 1-Blocking | TMM may restart when MPTCP traffic is being handled. |
520413 | 2-Critical | Aberrant behavior with woodside TCP congestion control |
516408-1 | 2-Critical | SSL reports certificate verification OK even when verification returns failure for pcm=request. |
516179-1 | 2-Critical | Woodside falsely detects congestion |
514521 | 2-Critical | Rare TMM Cores with TCP SACK and Early Retransmit |
509310-5 | 2-Critical | Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances |
503620-3 | 2-Critical | ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later |
495875-2 | 2-Critical | Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic |
495030-1 | 2-Critical | Segfault originating from flow_lookup_nexthop. |
494319-1 | 2-Critical | Proxy SSL caused tmm to core by dereferencing a null pointer |
491030-6 | 2-Critical | Nitrox crypto accelerator can sometimes hang when encrypting SSL records |
489796-2 | 2-Critical | TMM cores when Woodside congestion control is used. |
488908-1 | 2-Critical | In a client-ssl profile that serves as the server side, BIG-IP SSL does not initialize in the initialization function. |
486450-2 | 2-Critical | iApp re-deployment causes mcpd on secondaries to restart |
485189-3 | 2-Critical | TMM might crash if unable to find persistence cookie |
480699-2 | 2-Critical | HA mirroring can overflow buffer limits on larger platforms |
480370-6 | 2-Critical | Connections to virtual servers with port-preserve property will cause connections to leak in TMM |
480299-1 | 2-Critical | Delayed update of Virtual Address might not always happen. |
480113-4 | 2-Critical | Install of FIPS exported key files (.exp) causes device-group sync failure |
479171-3 | 2-Critical | TMM might crash when DSACK is enabled |
478983-1 | 2-Critical | TMM core during certificate verification against CRL |
478592-1 | 2-Critical | When using the SSL forward proxy feature, clients might be presented with expired certificates. |
477064-1 | 2-Critical | TMM may crash in SSL |
476683-2 | 2-Critical | Suspended DNS_RESPONSE events are not resumed |
476599-4 | 2-Critical | TMM may panic when resuming DNS_REQUEST iRule event |
475408-1 | 2-Critical | SSL persistence profile does not find the server certificate. |
475231-5 | 2-Critical | TCP::close in CLIENTSSL_CLIENTCERT iRule event may result in tmm crash |
474974-3 | 2-Critical | Fix ssl_profile nref counter problem. |
474388-3 | 2-Critical | TMM restart, SIGSEGV messages, and core |
472585-3 | 2-Critical | tmrouted crashes after a series of configuration changes |
470191-2 | 2-Critical | Virtual with FastL4 with loose initiation and close enabled might result in TMM core |
417068-6 | 2-Critical | Key install or deletion failure on FIPS key names longer than 32 chars on some platforms |
517124 | 3-Major | HTTP::retry incorrectly converts its input |
516292-1 | 3-Major | Incorrect handling of repeated headers |
515482 | 3-Major | Multiple teardown conditions can cause crash |
514604-1 | 3-Major | Nexthop object can be freed while still referenced by another structure |
513243-1 | 3-Major | Improper processing of crypto error condition might cause memory issues. |
512490-3 | 3-Major | Increased latency during connection setup when using FastL4 profile and connection mirroring. |
511517-1 | 3-Major | Request Logging profile cannot be configured with HTTP transparent profile |
511130-3 | 3-Major | TMM core due to invalid memory access while handling CMP acknowledgement |
509416 | 3-Major | Suspended 'after' commands may result in unexpected behaviors |
508716-4 | 3-Major | DNS cache resolver drops chunked TCP responses |
507127-2 | 3-Major | DNS cache resolver is inserted to a wrong list on creation. |
506702-4 | 3-Major | TSO can cause rare TMM crash. |
506290-4 | 3-Major | MPI redirected traffic should be sent to HSB ring1 |
505964 | 3-Major | Invalid http cookie handling can lead to TMM core |
505056-5 | 3-Major | BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow. |
504633-1 | 3-Major | DTLS should not update 'expected next sequence number' when the record is bad. |
503741-2 | 3-Major | DTLS session should not be closed when it receives a bad record. |
503214-3 | 3-Major | Under heavy load, hardware crypto queues may become unavailable. |
503118-2 | 3-Major | clientside and serverside command crashes TMM |
502959-2 | 3-Major | Unable to get response from virtual server after node flapping |
502683-3 | 3-Major | Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on |
502149-3 | 3-Major | Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.' |
501690-3 | 3-Major | TMM crash in RESOLV::lookup for multi-RR TXT record |
499950-5 | 3-Major | In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs |
499946-3 | 3-Major | Nitrox might report bad records on highly fragmented SSL records |
499478-2 | 3-Major | Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate |
499280-1 | 3-Major | Client side or server side SSL handshake may fail if it involves SHA512-signed certificates in TLS1.2 |
499150-3 | 3-Major | OneConnect does not reuse existing connections in VIP targeting VIP configuration |
498334-2 | 3-Major | DNS express doesn't send zone notify response |
498269-1 | 3-Major | 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode |
497584-2 | 3-Major | The RA bit on DNS response may not be set |
496950-1 | 3-Major | Flows may not be mirrored successfully when static routes and gateways are defined. |
496588-1 | 3-Major | HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash |
495574-3 | 3-Major | DB monitor functionality might cause memory issues |
495443-4 | 3-Major | ECDH negotiation failures logged as critical errors. |
495253-1 | 3-Major | TMM may core in low memory situations during SSL egress handling |
494322-6 | 3-Major | The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used |
493673-2 | 3-Major | DNS record data may have domain names compressed when using iRules |
493140-1 | 3-Major | Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters. |
493117-6 | 3-Major | Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted |
491518-2 | 3-Major | SSL persistence can prematurely terminate TCP connection |
491454-6 | 3-Major | SSL negotiation may fail when SPDY profile is enabled |
490817-1 | 3-Major | SSL filter might report codec alerts repeatedly |
490480-3 | 3-Major | UCS load may fail if the UCS contains FIPS keys with names containing dot★ |
490129-1 | 3-Major | SMTP monitor could not create socket on IPv6 node address |
488598-1 | 3-Major | SMTP monitor on non-default route domain fails to create socket |
487757 | 3-Major | Hybrid higig/front panel port packet discard (Ingress back-pressure v.s. Egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms. |
487592 | 3-Major | Change in the caching duration of OCSP response when there is an error |
487587-2 | 3-Major | The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios |
487554-2 | 3-Major | System might reuse TCP source ports too quickly on the server side. |
486724-3 | 3-Major | After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails★ |
484305-2 | 3-Major | Clientside or serverside command with parking command crashes TMM |
483539-1 | 3-Major | With fastL4, incorrect MSS value might be used if SYN has options without MSS specified |
483353-1 | 3-Major | HTTP compression might cause TMM crash in low-memory conditions |
481880-5 | 3-Major | SASPD monitor cores |
481216-1 | 3-Major | Fallback may be attempted incorrectly in an abort after an Early Server Response |
480686-7 | 3-Major | Packet loop in VLAN Group |
480443-1 | 3-Major | Internal misbehavior of the SPDY filter |
479682-4 | 3-Major | TMM generates hundreds of ICMP packets in response to a single packet |
479176-1 | 3-Major | TMM hangs and receives SIGABRT due to race condition during DNS db load |
478840-1 | 3-Major | Cannot delete keys in subfolders using the BIG-IP GUI |
478734-5 | 3-Major | Incorrect 'FIPS import for failed for key' failure when operation actually succeeds |
478195-4 | 3-Major | Installation of FIPS .exp key files sets incorrect public exponent. |
477375-5 | 3-Major | SASP Monitor may core |
475791-4 | 3-Major | HTTP caching configured in a Web Acceleration profile may dispatch internal messages out-of-order, leading to assert |
475322-2 | 3-Major | cur_conns number different in tmstat and snmp output. |
474584-2 | 3-Major | igbvf driver leaks xfrags when partial jumbo frame received |
474226-2 | 3-Major | LB_FAILED may not be triggered if persistence member is down |
474002-4 | 3-Major | Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys |
473759-1 | 3-Major | Unrecognized DNS records can cause mcpd to core during a DNS cache query |
472148-7 | 3-Major | Highly fragmented SSL records can result in bad record errors on Nitrox based systems |
471821-1 | 3-Major | Compression.strategy "SIZE" is not working |
471625-8 | 3-Major | After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM |
470394-2 | 3-Major | Priority groups may result in traffic being load balanced to a single pool member. |
469705-4 | 3-Major | TMM might panic when processing SIP messages due to invalid route domain |
469115-3 | 3-Major | Management client-ssl profile does not support multiple key/cert pair. |
468472-7 | 3-Major | Unexpected ordering of internal events can lead to TMM core. |
467868-3 | 3-Major | Leak due to monitor status reporting |
464651-2 | 3-Major | Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core. |
464163-3 | 3-Major | Customized cert-key-chain of a client ssl profile might be reverted to its parent's. |
457934-4 | 3-Major | SSL Persistence Profile Causing High CPU Usage |
456763-5 | 3-Major | L4 forwarding and TSO can cause rare TMM outages |
456413-5 | 3-Major | Persistence record marked expired though related connection is still active |
455840-7 | 3-Major | EM analytic does not build SSL connection with discovered BIG-IP system |
449891-7 | 3-Major | Fallback source persistence entry is not used when primary SSL persistence fails |
447272-2 | 3-Major | Chassis with MCPD audit logging enabled will sync updates to device group state |
444710-6 | 3-Major | Out-of-order TCP packets may be dropped |
443006-1 | 3-Major | In low memory situations initializing the HTTP parser will cause the TMM to crash |
438792-5 | 3-Major | Node flapping may, in rare cases, lead to inconsistent persistence behavior |
428163-3 | 3-Major | Removing a DNS cache from configuration can cause TMM crash |
384451-6 | 3-Major | Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions |
503560-2 | 4-Minor | Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server. |
498597-5 | 4-Minor | SSL profile fails to initialize and might cause SSL operation issues |
481820-1 | 4-Minor | Internal misbehavior of the SPDY filter |
480888-2 | 4-Minor | Tcl parks during HTTP::collect, and serverssl is present, data can be truncated |
469739-4 | 4-Minor | ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile |
463696-5 | 4-Minor | FIPS keys might not be recoverable from UCS |
451224-3 | 4-Minor | IP packets that are fragmented by TMM, the fragments will have their DF bit |
Performance Fixes
ID Number | Severity | Description |
476144-1 | 1-Blocking | TMM generates a core file when dynamically loading a shared library. |
497619-6 | 3-Major | TMM performance may be impacted when server node is flapping and persist is used |
426939-5 | 3-Major | APM Policies do not work in VIPRION 4800 chassis if there is no slot1 |
Global Traffic Manager Fixes
ID Number | Severity | Description |
477240-2 | 2-Critical | iQuery connection resets every 24 hours |
468519-1 | 3-Major | BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file. |
491554-2 | 4-Minor | [big3d] Possible memory leakage for auto-discovery error events. |
Application Security Manager Fixes
ID Number | Severity | Description |
488306-1 | 1-Blocking | Requests not logged locally on the device |
478674-1 | 1-Blocking | ASM internal parameters for high availability timeout were not handled correctly |
516523-2 | 2-Critical | Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group |
515433-1 | 2-Critical | BD crash on specific signature sets configuration. |
512616-1 | 2-Critical | BD crash during brute force attack in cluster environment |
508908-1 | 2-Critical | Enforcer crash |
507919-1 | 2-Critical | Updating ASM through iControl REST does not affect CMI sync state |
506372 | 2-Critical | XML validation files related errors on upgrade |
504182-1 | 2-Critical | Enforcer cores after upgrade upon the first request★ |
503169-1 | 2-Critical | XML validation files are broken after upgrade★ |
493401-2 | 2-Critical | Concurrent REST calls on a single endpoint may fail |
492978-1 | 2-Critical | All blades in a cluster remain offline after provisioning ASM or FPS |
487420-1 | 2-Critical | BD crash upon stress on session tracking |
486323-1 | 2-Critical | The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation |
481476-5 | 2-Critical | MySQL performance |
517245-2 | 3-Major | A request that should be blocked was forwarded to the server |
515449-1 | 3-Major | bd agent listens on all addresses instead of the localhost only |
515190-2 | 3-Major | Event Logs -> Brute Force Attacks can't show details after navigating to another page |
514093-1 | 3-Major | Allow request logs to be filtered by destination IP |
513763 | 3-Major | Slow response from GUI when listing Event Logs |
512668-1 | 3-Major | ASM REST: Unable to Configure Clickjacking Protection via REST |
512001-1 | 3-Major | Using REST API to Update ASM Attack Signatures Fails |
512000-1 | 3-Major | Event Log Filter using Policy Group isn't accurate |
511947-1 | 3-Major | Policy auto-merge of Policy Diff |
511488-1 | 3-Major | Correlation restarting on a multi-bladed vCMP guest |
511477-2 | 3-Major | Manage ASM security policies from BIG-IQ |
510499-2 | 3-Major | System Crashes after Sync in an ASM-only Device Group. |
509968-3 | 3-Major | BD crash when a specific configuration change happens |
509873-1 | 3-Major | Rare crash and core dump of TMM or bd after rebooting a device or joining a trust domain. |
509495 | 3-Major | A TMM memory leak when HTTP protocol security enabled profile and no AFM license |
508519-4 | 3-Major | Performance of Policy List screen |
508338-1 | 3-Major | Under rare conditions cookies are enforced as base64 instead of clear text |
507905 | 3-Major | Saving Policy History during UCS load causes DB deadlock/timeout★ |
507902-1 | 3-Major | Failure and restart of mcpd in secondary blade when cluster is part of a trust domain. |
507289-3 | 3-Major | User interface performance of Web Application Security Editor users |
506407 | 3-Major | Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages★ |
506386-2 | 3-Major | Automatic ASM sync group remains stuck in init state when configured from tmsh |
506355-1 | 3-Major | Importing an XML file without defined entity sections |
506110-1 | 3-Major | Log flood within datasyncd.log in clustered environment |
504973-1 | 3-Major | Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead |
504718-2 | 3-Major | Policy auto-merge of Policy Diff |
502852-2 | 3-Major | Deleting an in-use custom policy template |
501612-4 | 3-Major | Spurious Configuration Synchronizations |
500544-1 | 3-Major | XML validation files are not correctly imported/upgraded |
498708-1 | 3-Major | Errors logged in bd.log coming from the ACY module |
498189-3 | 3-Major | ASM Request log does not show log messages. |
497769 | 3-Major | Policy Export: BIG-IP does not export redirect URL for "Login Response Page" |
496565-1 | 3-Major | Secondary Blades Request a Sync |
496264-1 | 3-Major | SOAP Methods Were Not Being Validated For WSDL Based XML Profiles |
490284-3 | 3-Major | ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list) |
489648-1 | 3-Major | Empty violation details for attack signatures |
485764-5 | 3-Major | WhiteHat vulnerability assessment tool is configured but integration does not work correctly |
484079-1 | 3-Major | Change to signature list of manual Signature Sets does not take effect. |
482915-1 | 3-Major | Learning suggestion for the maximum headers check violation appears only for blocked requests |
475819-4 | 3-Major | BD crash when trying to report attack signatures |
471103-1 | 3-Major | Ignoring null values for parameters with different content types |
Application Visibility and Reporting Fixes
ID Number | Severity | Description |
508544-1 | 3-Major | AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag |
504414-1 | 3-Major | AVR HTTP External log - missing fields |
503683 | 3-Major | Configuration upgrade failure due to change in an ASM predefined report name★ |
503471-1 | 3-Major | Memory leak can occur when there is a compressed response, and abnormal termination of the connection |
500457-1 | 3-Major | Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash |
500034-1 | 3-Major | [SMTP Configuration] Encrypted password not shown in GUI |
497681-1 | 3-Major | Tuning of Application DoS URL qualification criteria |
497376-1 | 3-Major | Wrong use of custom XFF headers when there are multiple matches |
488713-1 | 3-Major | Corrupt memory |
Access Policy Manager Fixes
ID Number | Severity | Description |
497662-3 | 1-Blocking | BIG-IP DoS via buffer overflow in rrdstats |
517146-1 | 2-Critical | Log ID 01490538 may be truncated |
516075-6 | 2-Critical | Linux command line client fails with on-demand cert |
513795-1 | 2-Critical | HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1 |
507782-1 | 2-Critical | TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data |
506235-2 | 2-Critical | SIGSEGV caused by access_redirect_client_to_original_uri |
497436-4 | 2-Critical | Mac Edge Client behaves erratically while establishing network access connection |
496894-1 | 2-Critical | TMM may restart when accessing SAML resource under certain conditions. |
495901-3 | 2-Critical | Tunnel Server crash if probed on loopback listener. |
493360-1 | 2-Critical | Fixed possible issue causing Edge Client to crash during reconnect |
489328-9 | 2-Critical | Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash. |
473092-1 | 2-Critical | Transparent Proxy + On-Demand Cert Auth will reset |
431980-1 | 2-Critical | SWG Reports: Overview and Reports do not show correct data. |
515387 | 3-Major | Update EPSEC package to latest verified in 11.6.0 branch |
514636-1 | 3-Major | SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN. |
514277-1 | 3-Major | Provide a way to enable connection bar for Citrix desktops only |
513646-1 | 3-Major | APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer |
512999-1 | 3-Major | LDAP Query may fail if user belongs to a group from foreign domain |
512378-1 | 3-Major | Changing per request policy in the middle of data traffic can cause TMM to crash |
511961-1 | 3-Major | BIG-IP Edge Client does not display logon page for FirePass |
511648-2 | 3-Major | On standby TMM can core when active system sends leasepool HA commands to standby device |
511441-3 | 3-Major | Memory leak on request Cookie header longer than 1024 bytes |
509956-4 | 3-Major | Improved handling of cookie values inside SWG blocked page. |
509758-2 | 3-Major | EdgeClient shows incorrect warning message about session expiration |
509010 | 3-Major | Adding/Deleting a local user takes 30 seconds to complete |
508719-1 | 3-Major | APM logon page missing title |
508630-4 | 3-Major | The APM client does not clean up DNS search suffixes correctly in some cases |
507899 | 3-Major | Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value |
507318-3 | 3-Major | JS error when sending message from DWA new message form using Chrome |
507116-1 | 3-Major | Web-application issues and/or unexpected exceptions. |
506349-4 | 3-Major | BIG-IP Edge Client for Mac identified as browser by APM in some cases |
505797-1 | 3-Major | Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway |
505755-3 | 3-Major | Some scripts on a dynamically loaded HTML page might not be executed. |
504880-2 | 3-Major | TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway |
504606-3 | 3-Major | Session check interval now has minimum value |
503319-4 | 3-Major | After network access is established browser sometimes receives truncated proxy.pac file |
502441-5 | 3-Major | Network Access connection might reset for large proxy.pac files. |
502016-4 | 3-Major | MAC client components do not log version numbers in log file. |
501498-1 | 3-Major | APM CTU doesn't pick up logs for Machine Certificate Service |
499620-6 | 3-Major | BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated. |
499427-1 | 3-Major | Windows File Check does not work if the filename starts with an ampersand |
498993-1 | 3-Major | It is possible to get an infinite loop in LDAP Query while resolving nested groups |
498782-2 | 3-Major | Config snapshots are deleted when failover happens |
498469-5 | 3-Major | Mac Edge Client fails intermittently with machine certificate inspection |
497455-1 | 3-Major | Mac Edge Client crashed during routine Network Access. |
497325-1 | 3-Major | New users cannot log in to Windows-based systems after installing the BIG-IP Edge Client in certain deployments |
496817-1 | 3-Major | BIG-IP Edge Client for Windows fails to connect to a FirePass server if the tunnel is established through a proxy |
495702-4 | 3-Major | Mac Edge Client cannot be downloaded sometimes from management UI |
495319-3 | 3-Major | Connecting to FP with the APM Edge Client causes the corporate network to become inaccessible |
495265-1 | 3-Major | SAML IdP and SP configured in same access profile not supported |
494176-5 | 3-Major | Network access to FP does not work on Yosemite using APM Mac Edge Client. |
494088-4 | 3-Major | APD or APMD should log an error message and exit rather than assert |
490844-4 | 3-Major | Some controls on a web page might stop working. |
490681-1 | 3-Major | Memcache entry for dynamic user leaks |
490675-1 | 3-Major | User name with leading or trailing spaces creates problems. |
489382-7 | 3-Major | Machine Cert check allows a mismatch between the Subject CN and the FQDN for browsers when the certificate is otherwise valid |
487170-1 | 3-Major | Enhanced support for proxy servers that resolve to multiple IP addresses |
486597-1 | 3-Major | Fixed Network Access renegotiation procedure |
486268-1 | 3-Major | APM logon page missing title |
485355-3 | 3-Major | Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace) |
484582-2 | 3-Major | APM Portal Access is inaccessible. |
483526-1 | 3-Major | Rarely seen Edge Client for Mac crash on session disconnect |
482269-1 | 3-Major | APM support for Windows 10 out-of-the-box detection |
480817-3 | 3-Major | Added options to troubleshoot client by disabling specific features |
480242-5 | 3-Major | APD, APMD and MCPD communication failures are now reported with an error code |
477898-1 | 3-Major | Some strings in the BIG-IP APM Edge Client user interface were not localized |
477795-1 | 3-Major | SSL profile passphrase may be displayed in clear text on the Dashboard |
476038-1 | 3-Major | Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name |
475505-6 | 3-Major | Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system. |
474698-2 | 3-Major | BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions. |
474582-3 | 3-Major | Add timestamps to logstatd logs for Policy Sync |
473697-6 | 3-Major | HD Encryption check should provide an option to choose drive |
473129-5 | 3-Major | httpd_apm access_log remains empty after log rotation |
471421-5 | 3-Major | RAM cache eviction spikes on access policy change, leading to slow webtop rendering |
471331-2 | 3-Major | APM::RBA reset due to a leaked HUDEVT_REQUEST_DONE |
460715-5 | 3-Major | Changes in captive portal probe URL |
452464-4 | 3-Major | iClient does not handle multiple messages in one payload. |
452416-1 | 3-Major | tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values |
437744-4 | 3-Major | SAML SP service metadata exported from APM may fail to import. |
437743-6 | 3-Major | Import of Access Profile config that contains ssl-cert is failing |
436201-6 | 3-Major | JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11 |
433972-13 | 3-Major | New Event dialog widget is shifted to the left and Description field does not have action widget |
433847-1 | 3-Major | APD crashes with a segmentation fault. |
432900-9 | 3-Major | APM configurations can fail to load on newly-installed systems★ |
431149-6 | 3-Major | APM config snapshot disappears and users see "Access Policy configuration has changed on gateway" |
416115-14 | 3-Major | Edge client continues to use old IP address even when server IP address changed |
410089-2 | 3-Major | Linux client hangs after receiving the application data |
403991-8 | 3-Major | Proxy.pac file larger than 32 KB is not supported |
510596-6 | 4-Minor | Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty |
505662-1 | 4-Minor | Signed SAML IdP/SP exported metadata contains some elements in wrong order |
504461-2 | 4-Minor | Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it. |
485202-1 | 4-Minor | LDAP agent does not escape '=' character in LDAP DN |
482134-1 | 4-Minor | APD and APMD cores during shutdown. |
471452-2 | 4-Minor | Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed. |
465012-4 | 4-Minor | Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access |
464992-7 | 4-Minor | Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria |
461597-11 | 4-Minor | Mac Edge Client doesn't follow an HTTP 302 redirect if the new site has an untrusted self-signed certificate |
460427-2 | 4-Minor | Address collision reported when the primary blade goes down or its TMM crashes in a chassis IntraCluster environment. |
456911-3 | 4-Minor | Add BIG-IP hostname to system's static DNS host entries |
493385-6 | 5-Cosmetic | BIG-IP Edge Client uses generic icon set even if F5 icon set is configured |
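ID 485202-1 above records that the APM LDAP agent did not escape '=' when building an LDAP DN. The following is an added illustration, not F5 code and not how the APM agent is implemented: it escapes attribute values per RFC 4514 section 2.4 (which also permits escaping '=', and Active Directory treats '=' as reserved as well), and shows why the unescaped form is ambiguous by splitting the resulting DN back into RDNs. The RDN values are constructed sample data.

```python
"""Added example (not F5/APM code): escaping attribute values when
assembling an LDAP DN, the bug class behind ID 485202-1."""

# RFC 4514 s2.4: these must be escaped anywhere in a value. '=' is not
# mandatory there, but the grammar permits escaping it and Active
# Directory treats it as reserved, so it is included.
_ALWAYS_ESCAPE = set('"+,;<>\\=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                      # NUL is hex-escaped
        elif ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                       # leading '#' only
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                       # leading/trailing space only
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns, escape=True) -> str:
    """Join (attribute, value) pairs, leaf first, into a DN string.
    escape=False reproduces the unsafe concatenation for comparison."""
    conv = escape_dn_value if escape else (lambda v: v)
    return ",".join(f"{attr}={conv(val)}" for attr, val in rdns)


def split_rdns(dn: str):
    """Split a DN on unescaped commas, honouring backslash escapes.
    (Multi-valued RDNs joined with '+' are not handled here.)"""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])     # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    # Constructed sample: a user whose CN contains ',' and '='.
    rdns = [("CN", "Smith, John (a=b)"), ("OU", "Users"),
            ("DC", "example"), ("DC", "test")]
    safe = build_dn(rdns)
    unsafe = build_dn(rdns, escape=False)
    print(safe)                       # CN=Smith\, John (a\=b),OU=Users,DC=example,DC=test
    print(len(split_rdns(safe)))      # 4
    print(len(split_rdns(unsafe)))    # 5: the comma in the CN became an RDN boundary
```

The unescaped DN has five RDNs where the directory expects four, which is exactly the kind of mismatch that makes a lookup or group resolution silently miss or hit the wrong object.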
WebAccelerator Fixes
ID Number | Severity | Description |
514838-1 | 1-Blocking | TMM Crash on Relative URL |
514785-2 | 1-Blocking | TMM crash when processing AAM-optimized video URLs |
486346-3 | 2-Critical | Prevent wamd shutdown cores |
447254-1 | 2-Critical | Core in parked transaction due to evicted stand-in document |
511534-1 | 3-Major | A large number of regular expressions in match rules on path segments may cause an AAM policy to take too long to load. |
481431-1 | 3-Major | AAM concatenation set memory leak on configuration change |
467633-5 | 3-Major | WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases) |
488917-2 | 4-Minor | Potentially confusing wamd shutdown error messages |
Service Provider Fixes
ID Number | Severity | Description |
486356-1 | 2-Critical | Unable to configure a virtual server with a stats profile and a SIP profile in 11.6.0 |
482436-1 | 2-Critical | BIG-IP processing of invalid SIP request may result in high CPU utilization |
478442-5 | 2-Critical | Core in sip filter due to sending of HUDEVT message while processing of HUDCTL message |
477318-1 | 2-Critical | Fixes possible segfault |
466761-4 | 2-Critical | Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss. |
455006-7 | 2-Critical | Invalid data is merged with next valid SIP message causing SIP connection failures |
512054-1 | 3-Major | CGNAT SIP ALG - RTP connection not created after INVITE |
511326-2 | 3-Major | SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation. |
507143-1 | 3-Major | Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion |
503676-4 | 3-Major | SIP REFER, INFO, and UPDATE requests do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events |
500365-3 | 3-Major | TMM core due to SIP hudnode leaks |
499701-1 | 3-Major | SIP Filter drops UDP flow when ingressq len limit is reached. |
472376-3 | 3-Major | A SIP virtual server may crash while trying to send a message if the connection is in the process of shutting down |
448493-10 | 3-Major | SIP responses from the server to the client get dropped |
Advanced Firewall Manager Fixes
ID Number | Severity | Description |
515562-1 | 2-Critical | Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned. |
513403-1 | 2-Critical | TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules in both the Global and Route Domain contexts with logging enabled for those rules, while log-translations is also enabled in the AFM Logging configuration. |
512609 | 2-Critical | Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses |
503541-2 | 2-Critical | Use 64-bit instead of 10-bit hashing in the Rate Tracker library. |
501480-3 | 2-Critical | AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic. |
500925-3 | 2-Critical | Introduce a new sys db variable to control number of merges per second of Rate Tracker library. |
517019-1 | 3-Major | AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect |
515187-2 | 3-Major | Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules. |
513565-1 | 3-Major | AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept. |
511406-1 | 3-Major | Pagination issue on firewall policy rules page |
505624-1 | 3-Major | Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration |
503085-3 | 3-Major | Make the RateTracker threshold a constant |
502414-2 | 3-Major | Make the RateTracker tier3 initialization number less variable. |
501986-3 | 3-Major | Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process |
496278-2 | 3-Major | Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name |
500449 | 4-Minor | "Any IPv4 or IPv6" choice in sweep attack has atypical definition |
497311 | 4-Minor | Cannot add an ICMPv6 type and code to a firewall rule. |
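ID 512609 above fixes firewall rules with a wildcard IPv6 address matching IPv4 traffic. The following is an added illustration, not AFM code and not how AFM evaluates rules: a minimal first-match evaluator with the faulty shortcut (treating any /0 prefix as "any address") beside the address-family-aware check, run against a constructed rule list so the effect of the bug can be reproduced and the corrected behaviour checked. The rule list, the `drop`/`accept` actions and the rule ordering are constructed for the demonstration, not a recommended policy.

```python
"""Added example (not AFM code): why a wildcard IPv6 rule must not match
IPv4 addresses, the bug class behind ID 512609."""
import ipaddress


def matches_buggy(rule_net, addr) -> bool:
    """Faulty shortcut: any /0 prefix is treated as 'any address'
    regardless of family, so ::/0 also swallows IPv4 addresses."""
    if rule_net.prefixlen == 0:
        return True
    return addr in rule_net


def matches_fixed(rule_net, addr) -> bool:
    """Correct: a rule can only match an address of its own family.
    (ipaddress already returns False on a family mismatch; the explicit
    check documents the intent.)"""
    if addr.version != rule_net.version:
        return False
    return addr in rule_net


def first_match(rules, addr_str, matcher):
    """Return the action of the first rule whose source network matches,
    or None when no rule matches. rules: list of (cidr, action)."""
    addr = ipaddress.ip_address(addr_str)
    for cidr, action in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if matcher(net, addr):
            return action
    return None


# Constructed rule list: drop all IPv6 sources, then permit one IPv4 range.
RULES = [("::/0", "drop"), ("10.0.0.0/8", "accept")]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "2001:db8::1", "192.0.2.1"):
        print(ip, first_match(RULES, ip, matches_buggy),
              first_match(RULES, ip, matches_fixed))
    # 10.1.2.3    drop  accept   <- the bug: an IPv4 host hit the IPv6 wildcard
    # 2001:db8::1 drop  drop
    # 192.0.2.1   drop  None
```

Reversing the rule order (an IPv4 wildcard `0.0.0.0/0 accept` ahead of an IPv6 deny) shows the mirror image: with the faulty shortcut, IPv6 traffic is accepted by a rule that was never meant to see it, which is why a wildcard should always be checked against the address family of the packet.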
Policy Enforcement Manager Fixes
ID Number | Severity | Description |
519407-1 | 2-Critical | PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID |
518967-1 | 2-Critical | Possible error when parsing for certain URL categorization input. |
508051-1 | 2-Critical | DHCP response may return to wrong DHCP client. |
506734 | 2-Critical | Cloud lookup stress condition |
506283 | 2-Critical | 100% TPS drop when webroot cloud lookup is enabled under stress condition |
505529 | 2-Critical | wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled. |
505069 | 2-Critical | Webroot cloud lookup granularity |
503381-2 | 2-Critical | SSL persistence may cause connection resets |
500219-1 | 2-Critical | TMM core if identical RADIUS Start messages are received |
496976-2 | 2-Critical | Crash when receiving RADIUS message to update PEM static subscriber. |
484278-4 | 2-Critical | BIG-IP crash when processing packet and running iRule at the same time |
480544-1 | 2-Critical | Secondary IP flows are not forwarded in multiple IP session |
473680-1 | 2-Critical | Multiple DHCP solicit packets may not succeed. |
515638 | 3-Major | 5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs |
512734 | 3-Major | Socket error when Webroot cloud lookup is enabled under stress condition |
511064-1 | 3-Major | Repeated install/uninstall of policy with usage monitoring stops after second time |
510811-1 | 3-Major | PEM::info irule does not take effect if used right after PEM::session config policy irule |
510721-1 | 3-Major | PEM::enable / PEM::disable iRule errors out with an error message |
509105-1 | 3-Major | TMM cores sometimes if provisioning hold time is set to non-zero. |
507753 | 3-Major | URL categorization missed if HTTP1.0 header does not have HOST |
507549-1 | 3-Major | PEM may ignore a RAR if the target session is in the Provision-Pending state |
506578 | 3-Major | Webroot cloud lookup does not yield a category. |
505986 | 3-Major | Extra Webroot cloud lookup requests when cache is full |
504028-1 | 3-Major | Generate CCR-T first and then CCR-I if session being replaced |
495913-2 | 3-Major | TMM core with CCA-I policy received with uninstall |
488166-1 | 3-Major | Provide an option to delete the session and create a new one instead when the IP address limit is reached while a new IP is being added. |
467106-1 | 3-Major | Loading a UCS file after installing 11.6.0 on top of 11.5.0 fails when Gx reporting is enabled.★ |
512663 | 4-Minor | Added urlcatblindquery iRule command |
489767 | 4-Minor | Webroot cloud lookup support |
478399-2 | 4-Minor | PEM subscriber sessions are created without PEM being licensed if the "radiusLB-subscriber-aware" profile is configured. |
Carrier-Grade NAT Fixes
ID Number | Severity | Description |
519723 | 2-Critical | dnatutil utility needs update because DAG changed. |
494280-3 | 2-Critical | TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel |
493807-5 | 2-Critical | TMM might crash when using PPTP with profile logging enabled |
482202-1 | 3-Major | Very long FTP command may be ignored. |
Fraud Protection Services Fixes
ID Number | Severity | Description |
487553 | 3-Major | FPS alerts |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Description |
499719-1 | 3-Major | Order Zones statistics would cause database error |
475549-3 | 3-Major | Input handling error in GTM GUI |
475092 | 3-Major | Viewing DNS::Zones:Zones:Zones List:Statistics in the GUI generates error. |
494305-3 | 4-Minor | [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list. |
Anomaly Detection Services Fixes
ID Number | Severity | Description |
461949 | 2-Critical | Virtual server with Portal Access and DOS profile resets connection |
Traffic Classification Engine Fixes
ID Number | Severity | Description |
513215 | 2-Critical | Only one of the TMMs loads the classification library after an IM package upgrade |
508660-1 | 2-Critical | Intermittent TMM crash in classification library |
484483-2 | 2-Critical | TCP and UDP were classified as Unknown by the classification library |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
503237-8 | CVE-2015-0235 | K16057 | CVE-2015-0235 : glibc vulnerability known as Ghost |
496849-1 | CVE-2014-9326 | K16090 | F5 website update retrievals vulnerability |
494078-4 | CVE-2014-9326 | K16090 | Update Check feature can be the target of a man-in-the-middle attack |
492368-5 | CVE-2014-8602 | K15931 | Unbound vulnerability CVE-2014-8602 |
492367-4 | CVE-2014-8500 | K15927 | BIND vulnerability CVE-2014-8500 |
489323-1 | CVE-2015-8098 | K43552605 | Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server. |
485812-2 | CVE-2014-3660 | K15872 | libxml2 vulnerability CVE-2014-3660 |
477274-8 | CVE-2014-6031 | K16196 | Buffer Overflow in MCPQ |
500088-1 | CVE-2014-3571 | K16123 | OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update |
497719-1 | CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 | K15934 | NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296 |
496845-1 | CVE-2014-9342 | K15933 | NTP vulnerability CVE-2014-9296 |
474757-15 | CVE-2014-3508 CVE-2014-5139 CVE-2014-3509 CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512 | K15573 | OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507, OpenSSL vulnerability CVE-2014-3508, OpenSSL vulnerability CVE-2014-3510, TLS vulnerability CVE-2014-3511. |
471014-14 | CVE-2014-2970 CVE-2014-5139 | K15567 | OpenSSL vulnerability CVE-2014-5139 |
Functional Change Fixes
ID Number | Severity | Description |
480583-1 | 2-Critical | Support SIP/DNS DoS only for UDP packets; SIP DoS does not drop packets but counts them as drops |
477524 | 3-Major | Enable ssh for admin account and disable ssh for root account for Amazon deployments |
TMOS Fixes
ID Number | Severity | Description |
493275-3 | 1-Blocking | Restoring UCS file breaks auto-sync requiring forced sync. |
483436-1 | 1-Blocking | Update 11.5.0 license files for "hourly billing" with production licenses. |
482943-1 | 1-Blocking | Cannot upgrade because of lack of root/admin access. |
476126-1 | 1-Blocking | Adding SR-IOV and VLAN tagging in the F5 VE with Emulex NIC |
475829-1 | 1-Blocking | AWS - VE is locked out after live install on 2nd slot. |
499880 | 2-Critical | boot menu titles might not contain volume suffix |
487567-4 | 2-Critical | Addition of a DoS Profile Along with a Required Profile May Fail |
486137-3 | 2-Critical | License activation may not proceed if MCPD is not fully operational★ |
484399-2 | 2-Critical | Virtual Edition second installation slot and VMWare |
478896 | 2-Critical | Hourly Billing AMIs for 11.6.0 contain internal instead of production license |
477031-2 | 2-Critical | Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart |
473641-1 | 2-Critical | Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak |
497870-1 | 3-Major | PEM configured with BWC doing pem policy changes could trigger leak |
497062-1 | 3-Major | PEM configured with BWC doing PEM policy changes could trigger leak |
492809-4 | 3-Major | Small but continuous mcpd memory leak associated with statistics. |
485352-1 | 3-Major | TMM dumps core file when loading configuration or starting up |
483228-3 | 3-Major | The icrd_child process generates core when terminating |
479359-1 | 3-Major | Loading a UCS file with no-platform-check stalls at platform check★ |
479302-3 | 3-Major | Error message in ltm log: bcm56xxd: reading L2 entry Operation failed bs_arl.cpp. |
479152-5 | 3-Major | Hardware parity error mitigation on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades |
474172 | 3-Major | BIG-IQ at times cannot discover BIG-IP running TMOS 11.6.0 - 11.6.0 HF3, failure reason: Failed getting time zone. |
474166-4 | 3-Major | ConfigSync operation failing with rarely occurring sFlow error |
473409-1 | 3-Major | Route domain stats cannot be reset by using F5-BIGIP-LOCAL-MIB::ltmRouteDomainStatResetStats |
468514-4 | 3-Major | Receiving several ConfigSync requests in a short period of time may cause the mcpd process to restart and produce a core file |
468021-3 | 3-Major | UCS file from earlier version may not load into 11.5.0 or later image★ |
481135-1 | 4-Minor | The pool members of a wide IP in Link Controller cannot be modified once created |
441512-4 | 4-Minor | ConfigSync failing with sFlow error |
Local Traffic Manager Fixes
ID Number | Severity | Description |
490225-3 | 2-Critical | Duplicate DNSSEC keys can cause failed upgrade.★ |
484948-1 | 2-Critical | UDP connflow may be aborted from a parked iRule in server_closed. |
478812-2 | 2-Critical | DNSX Zone Transfer functionality preserved after power loss |
502174-4 | 3-Major | DTLS fragments do not work for ClientHello message. |
484429-4 | 3-Major | After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages that it could not load a key, certificate, or chain. |
483974-2 | 3-Major | Unrecognized EDNS0 option may be considered malformed. |
483328-4 | 3-Major | Client SSL profiles might fail to complete handshake, system logs critical-level error '01260000:2: Profile name-of-profile: could not load key/certificate' |
477924-1 | 3-Major | System can crash referencing compression provider where selection of provider has been deferred |
477394-1 | 3-Major | LTM might reset and cause out-of-ports |
476281 | 3-Major | tmm crash on uninitialized variable |
475055-3 | 3-Major | Core caused by incorrect accounting of I/O flows |
472944-3 | 3-Major | SMTPS race condition after STARTTLS may cause incorrect SMTP responses |
463902-3 | 3-Major | Hardware Compression in CaveCreek may cause excessive memory consumption. |
437627-5 | 3-Major | TMM may crash if a FastL4 virtual server receives a fragmented packet |
492780-1 | 4-Minor | Elliptic Curves Extension in ServerHello might cause failed SSL connection. |
Application Security Manager Fixes
ID Number | Severity | Description |
504232-1 | 2-Critical | Attack signatures are not blocked after signature/set change |
489705-2 | 2-Critical | Running out of memory while parsing large XML SOAP requests |
478876-2 | 2-Critical | BIG-IP with many active ASM accounts after a restart |
478672-1 | 2-Critical | Enforcer memory leak |
477432-6 | 2-Critical | Roll forward from 11.3.0 with iApp configured fails to load correctly and causes bd to core★ |
475856-1 | 2-Critical | BD may crash when enabling Base64 Decoding on Wildcard cookie |
496011-1 | 3-Major | Resets when session awareness enabled |
492570-1 | 3-Major | JavaScript error during CSRF protection |
481792-1 | 3-Major | BD may crash within HTTP payload parser. |
476191-1 | 3-Major | Bypass unicode validation on XML and JSON profiles by internal parameter |
476179-1 | 3-Major | Brute Force end attack operation mode reported as blocking while it was actually in transparent mode |
475861-1 | 3-Major | Session Awareness: Requests are reset |
475135-1 | 3-Major | BIG-IP goes offline after time change |
474430-1 | 3-Major | Rare issue: client session might not be restored by fingerprint in the Web Scraping mitigation. |
473410-1 | 3-Major | Policy Diff on merging missing URLs |
470779-1 | 3-Major | The Enforcer should exclude session awareness violations when counting illegal requests. |
469786-1 | 3-Major | Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule |
467776-1 | 3-Major | Fix in the Guardium to ASM protocol |
450241-3 | 3-Major | iControl error when discovering ASM from EM |
441239-1 | 3-Major | Event Correlation is not enabled on vCMP guests if the disk is SSD. |
438809-6 | 3-Major | Brute Force Login |
Application Visibility and Reporting Fixes
ID Number | Severity | Description |
499299-1 | 2-Critical | Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash |
480350-1 | 2-Critical | AVR and APM: TMM crashes |
476336 | 2-Critical | TMM and other daemons, such as the Enforcer, crash |
475439-1 | 2-Critical | Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash |
474251-1 | 2-Critical | IP addresses are not properly cleaned from lookup tables, so there might be no room for new IP addresses to be collected. |
472969-1 | 2-Critical | If you try to create more than 264 AVR profiles, avrd might crash. |
499036 | 3-Major | Rare cases of errors when loading data into mysql |
496560-1 | 3-Major | AVR and APM: TMM crashes (additional fixes for ID 480350) |
493825-1 | 3-Major | Upgrade failure from version 11.4.0 due to incorrect configuration being saved★ |
489682-1 | 3-Major | Configuration upgrade failure due to change in an ASM predefined report name★ |
481541-1 | 3-Major | Memory leak in monpd when LTM and AVR or ASM are provisioned |
478346-1 | 3-Major | Some AVR statistics not collected properly |
472607 | 3-Major | VCMP: Warning messages in AVR log |
467945-3 | 3-Major | Error messages in AVR monpd log |
Access Policy Manager Fixes
ID Number | Severity | Description |
488986-2 | 1-Blocking | Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, or on the Edge Client. |
504060 | 2-Critical | iOS and Mac receivers cannot create account on Citrix StoreFront in proxy mode |
494098-6 | 2-Critical | PAC file download mechanism race condition |
485906 | 2-Critical | TMM may core when an APM virtual server has a OneConnect profile attached to the virtual server |
485465-3 | 2-Critical | TMM might restart under certain conditions when executing SLO. |
484454-3 | 2-Critical | Users not able to log on after failover |
482833 | 2-Critical | apd crashes on a missing db variable |
479524-5 | 2-Critical | If a "refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten |
477540-1 | 2-Critical | 'ACCESS::policy evaluate' iRule command causes crash of apmd daemon |
476736-2 | 2-Critical | APM IPv6 Network Access connection may fail in some cases |
475049-1 | 2-Critical | Missing validation to disallow an empty DC configuration list |
474532-5 | 2-Critical | TMM may restart when SLO response is received on SLO request URL (.../post/sls) |
474392-1 | 2-Critical | OS X 10.10 Yosemite support |
474058-5 | 2-Critical | When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions |
471874-1 | 2-Critical | VDI plugin crashes when trying to respond to client after client has disconnected |
469960-1 | 2-Critical | Managing apd connection from tmm |
458928-5 | 2-Critical | APMD cores in Kerberos authentication when the agent tries to dereference a null authparam session variable. |
455284-4 | 2-Critical | Monitor traffic rejected with ICMP message, causing node down |
496449-1 | 3-Major | APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources. |
496447-1 | 3-Major | APM does not apply route domain configured in visual policy editor to Citrix/VMware View connections when their backends are specified as hostname/IP address. |
496441-1 | 3-Major | APM does not apply route domain configured in visual policy editor to Java AppTunnel connections. |
496440-1 | 3-Major | APM does not apply route domain configured in visual policy editor to Java RDP connections. |
494284-3 | 3-Major | Mac Edge Client with a primary language of German shows unneeded text under the disconnected status. |
494189-1 | 3-Major | Poor performance in clipboard channel when copying |
493487-3 | 3-Major | Function::call() and Function::apply() wrapping does not work as expected |
493164-3 | 3-Major | flash.net.NetConnection::connect() has an erroneous security check |
492238-6 | 3-Major | When logging out of Office 365 TMM may restart |
492153-2 | 3-Major | Edge Client shuts down the DTLS channel if the state of the IP address on the adapter used to build the tunnel changes to deprecated. |
491887-1 | 3-Major | Changing the ending of a macro in Access Policy crashes TMM. |
491478-1 | 3-Major | EAM is a CMP plugin and spins up one thread per TMM. |
491233-1 | 3-Major | Rare deadlock in CustomDialer component |
490811-5 | 3-Major | Proxy configuration might not be restored correctly in some rare cases |
490482-1 | 3-Major | Applying Access Policy with an unused macro crashes TMM. |
488892-3 | 3-Major | JavaRDP client disconnects |
487859-1 | 3-Major | Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI. |
485948-5 | 3-Major | Machine Info Agent should have a fallback branch |
485396 | 3-Major | Online help about persistent cookies does not specify supported use |
484847-2 | 3-Major | DTLS cannot be disabled on Edge Client for troubleshooting purposes |
484298-2 | 3-Major | The aced process may restart in a loop |
483601 | 3-Major | APM sends a logout Bookmarked Access whitelist URL when session is expired. |
483379-1 | 3-Major | High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes |
482710-4 | 3-Major | SSLv3 protocol disabled in APM clients |
482260-4 | 3-Major | Location of the captive portal configuration registry entry on 64-bit Windows is incorrect |
482046-1 | 3-Major | Old password is not verified during password change from View client. |
481257-5 | 3-Major | Information on "OPSWAT Integration Libraries V3" is missing from CTU report |
481210-1 | 3-Major | Active Directory Query doesn't populate all values of multi-value attributes |
481203-5 | 3-Major | User name case sensitivity issue |
481046-5 | 3-Major | F5_Inflate_text(o, incr, v) wrapper needs to be fixed for the case when o is a script tag |
481020-1 | 3-Major | Traffic does not flow through the VPN tunnel in environments where the proxy server is load balanced |
480995-1 | 3-Major | APM client components are not using extended logging by default. |
480247-5 | 3-Major | Modifying edge client application folder causes gatekeeper to throw warning |
480047-1 | 3-Major | BIG-IP Edge Client for Windows does not enable you to generate a client troubleshooting report from the user interface. |
479451-1 | 3-Major | Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth |
478491 | 3-Major | Microsoft RDP client for iOS doesn't work against F5 APM for versions >= 8.1.0 |
478333 | 3-Major | Edge Client shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions |
478285-2 | 3-Major | [MAC][NA] Routing table is not restored correctly in multi-homed environment if server settings disallow local subnet access |
478214-1 | 3-Major | APM Native RDP Proxy does not allow users to authenticate without specifying a domain name. |
478115-5 | 3-Major | The action attribute value of a form HTML tag is not properly rewritten in the Minimal Content Rewriting mode when it starts with "/" |
477841-1 | 3-Major | Safari 8 does not use Network Access proxy. |
477642-5 | 3-Major | Portal Access rewriting leads to page reload in Firefox |
477474-3 | 3-Major | Wrong HTML rewriting at client side for very special case |
477445-1 | 3-Major | APM client improved to support two interfaces connected to the same network segment |
476133-1 | 3-Major | In APM OAM authentication, ObSSOCookie _lastUseTime was not updated. |
476033-1 | 3-Major | APM does not support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway. |
476032-1 | 3-Major | BIG-IP Edge Client may hang for some time when disconnecting from a FirePass server |
475770-1 | 3-Major | Fixed routing table management for cases when 2 or more interfaces are used |
475682-6 | 3-Major | APM OAM should be sending a single Cookie header with the cookies delimited by semi-colon. |
475650-5 | 3-Major | The TMM may restart when processing single logout (SLO) messages. |
475363-6 | 3-Major | NTLM handling might not work as expected with an empty or invalid configuration, or during an exception. |
475360-6 | 3-Major | Edge client remembers specific virtual server URI after it is redirected |
475262-1 | 3-Major | In some cases Edge Client for Windows does not re-resolve server hostname while reconnecting |
475163-5 | 3-Major | Submitting an HTML form that does not have an action attribute results in a 404 error and 'null' in the request URL. |
475148-1 | 3-Major | Microsoft RDP Client for Mac OS X ver. 8.0.9 does not work correctly with BIG-IP APM. |
475143 | 3-Major | CATEGORY::filetype command may cause tmm to crash and restart |
474730-5 | 3-Major | Incorrect handling of form if it contains a tag with id=action |
474231-5 | 3-Major | RAM cache evictions spikes with change of access policy which may lead to slow webtop rendering |
473728-3 | 3-Major | Incorrect HTML form handling. |
473386-4 | 3-Major | Improved Machine Certificate Checker matching criteria for FQDN case |
473344-6 | 3-Major | Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP. |
472825-2 | 3-Major | The Dashboard charts may dip when a blade is rebooted. |
471825-3 | 3-Major | Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322. |
471772-1 | 3-Major | APM does not support VMware View application remoting. |
471714-1 | 3-Major | Certain SMTP servers (Windows) do not receive complete email due to missing CRLF header terminator in Emails generated by APM Email agent. |
471125 | 3-Major | Fixed issue causing Edge Client to work improperly behind a captive portal. |
470414-4 | 3-Major | Portal Access rewrite daemon may crash while processing some Flash files |
470225-4 | 3-Major | Machine Certificate checker now correctly works in Internet Explorer 11 |
470205-2 | 3-Major | /config/.../policy_sync_d Directory Is 100% Full |
469100-5 | 3-Major | JavaScript index expressions with a comma are not properly rewritten |
468478-5 | 3-Major | APM Portal Access becomes unresponsive. |
467849-6 | 3-Major | In some cases the user cannot reach external sites through the proxy when the VPN is connected |
466877-6 | 3-Major | When BIG-IP is used as SAML SP, signatures created by IBM Tivoli Federated Identity Manager may fail validation |
466325-6 | 3-Major | Continuous policy checks on Windows might fail incorrectly in some cases |
463776-2 | 3-Major | VMware View client freezes when APM PCoIP is used and user authentication fails against VCS 5.3 |
463230-1 | 3-Major | Aced service does not recover if child process dies. |
462727-1 | 3-Major | TMM crash when processing ACCESS::session iRule without an attached Access Policy |
456403-2 | 3-Major | Citrix Storefront native protocol |
454493-1 | 3-Major | VMWare View applications are not available on BIG-IP APM webtops |
447013-4 | 3-Major | The Citrix Client Detection process may incorrectly prompt for the installation of client software. |
441355-1 | 3-Major | Enable change password within vmview client when password doesn't meet the AD policy requirements |
439518-3 | 3-Major | Portal access resource item modifications are not synced |
438730-5 | 3-Major | DNS Filtering driver causes crash/BSOD |
432102-6 | 3-Major | HTML reserved characters not supported as part of SAML RelayState |
431810-5 | 3-Major | APMD process core due to missing exception handling in execute agents |
428387-2 | 3-Major | SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",') |
418850-1 | 3-Major | Do not restrict AD to be the last auth agent for View Client |
407350-4 | 3-Major | Client side checks on Windows Phone 8 |
400726-4 | 3-Major | No support for multi-valued attributes inside SAML assertion. |
398657-8 | 3-Major | Active Session Count graph underflow |
503924-1 | 4-Minor | Citrix receivers cannot authenticate |
492844-1 | 4-Minor | Office365 generated SAML SLO message causes browser connection to be reset. |
489888-1 | 4-Minor | Configuring VDI profile when APM is not provisioned, but does not. |
489364-1 | 4-Minor | Now web VPN client correctly minimizes IE window to tray |
485760-1 | 4-Minor | Tag <NameIDFormat> in SAML metadata may contain wrong attributes |
480827-1 | 4-Minor | Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND). |
480360-5 | 4-Minor | Edge Client for Mac blocks textexpander application's functionality |
478397-1 | 4-Minor | Memory leak in BIG-IP APM Edge Client Windows API. |
477138-1 | 4-Minor | Only one of several VMware View Desktop/Application pools with the same display name can be launched from APM Webtop |
473377-5 | 4-Minor | BIG-IP as IdP may reject AuthnRequest with specific NameID format |
472216-2 | 4-Minor | Duration counter for customized Edge Client |
466797-6 | 4-Minor | Added warning message when maximum session timeout is reached |
464547-1 | 4-Minor | Show proper error message when VMware View client sends invalid credentials to APM |
450033-5 | 4-Minor | Sometimes VMware View client 2.3 for Windows can't launch desktops via APM |
447302-3 | 4-Minor | APM incorrectly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode. |
432423-5 | 4-Minor | Need proactive alerts for APM license usage |
421901-2 | 4-Minor | The 'Restore down' button can be hidden for full-screen RDP resources. |
503673-1 | 5-Cosmetic | APM sets MRHSession cookie on /cgi/login request from Citrix Receivers |
486344-2 | 5-Cosmetic | French translation does not properly fit buttons in BIG-IP Edge client on Windows |
484856-1 | 5-Cosmetic | Citrix remote desktop visible even if the user cannot access it |
Wan Optimization Manager Fixes
ID Number | Severity | Description |
479889-5 | 1-Blocking | Memory leaks when iSession and iControl are configured |
480305-1 | 4-Minor | tmm log flood: isession_handle_evt: bad transition:7 |
Service Provider Fixes
ID Number | Severity | Description |
476886-3 | 3-Major | When ICAP cuts off request payload, OneConnect does not drop the connection |
472092-3 | 3-Major | ICAP loses payload at start of request in response to long execution time of iRule |
Advanced Firewall Manager Fixes
ID Number | Severity | Description |
496036 | 1-Blocking | GUI throws an error in some situations when an ASM policy is assigned to virtual server |
484245-1 | 1-Blocking | Delete firewall rule in GUI changes port settings in other rules to 'any' |
498227-2 | 2-Critical | Incorrect AFM firewall rule counter update after pktclass-daemon restarts. |
497342 | 2-Critical | TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule. |
480903-1 | 2-Critical | AFM DoS ICMP sweep mitigation performance impact |
478644 | 2-Critical | dwbld race with mcpd causes core. |
477769-1 | 2-Critical | TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules. |
469512-2 | 2-Critical | TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies. |
500640-1 | 3-Major | TMM core could be seen if FLOW_INIT iRule attached to Virtual server |
497732-2 | 3-Major | Enabling specific logging may trigger other unrelated events to be logged. |
497667-2 | 3-Major | Configuring ICMPv4/ICMPv6 ip-protocol in management port ACL rules generates an error |
497263-1 | 3-Major | Global whitelist count exhausted prematurely |
496498-3 | 3-Major | Firewall rule compilation fails when there are multiple scheduled AFM rules and one of the non-scheduled AFM rules is modified. |
495928-5 | 3-Major | APM RDP connection gets dropped on AFM firewall policy change |
495698-3 | 3-Major | iRule can be deleted even though it exists in a rule-list |
493234-1 | 3-Major | Device version in AFM log message could be empty |
485787-1 | 3-Major | Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context |
485771-1 | 3-Major | TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort. |
480826 | 3-Major | IPs can be added for infinite duration |
478816 | 3-Major | FastL4 TCP connection transitions are not logged |
477576-1 | 3-Major | Valid iRule command FLOWTABLE::limit gets rejected when virtual server or route domain name is not specified |
474896-1 | 3-Major | Remote logs without attack ID and mitigation fields |
442535-5 | 3-Major | Time zone changes do not apply to log timestamps without tmm restart |
429885-6 | 3-Major | Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics) |
498785 | 4-Minor | Black List Classes/Black List Categories terminology inconsistency |
481189-2 | 4-Minor | Change the default value of pccd.hash.load.factor to 25 |
480623 | 4-Minor | Category defaulted to whitelist when a valid category was not specified |
480196 | 4-Minor | Packets not counted in tmctl ip_intelligence_stat on accept-decisively ACL match |
478631 | 4-Minor | No validation for Shun TTL lengths |
Policy Enforcement Manager Fixes
ID Number | Severity | Description |
489754-1 | 2-Critical | Flow based reporting attribute mismatch between TMUI and TCL |
483798-1 | 2-Critical | TMM crashes if iRule PSC::ip_address is used after RADIUS Authentication of DHCP discovery. |
481373-1 | 2-Critical | TMM might core when deleting an entry for a user in a Radius AAA cache |
472860-3 | 2-Critical | RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented. |
484095-1 | 3-Major | RADIUS accounting message with multiple IPv6 prefix causes TMM crash |
482137-1 | 3-Major | Adding TCP iRules to PEM space |
479917-1 | 3-Major | TMM crashes if new IP address is added to a session through radius interim update message. |
476705-1 | 3-Major | TMM can crash if receiving radius start or stop messages with multiple IP but no subscriber ID. |
474638-1 | 3-Major | PEM: Session policy list may be lost if there is a RADIUS update of custom attributes |
453959-3 | 3-Major | UDP profile improvement for flexible TTL handling |
481950-1 | 4-Minor | DHCP: Need an upgrade script for DHCPRELAY virtuals for BIG-IP version 11.5 and 11.4★ |
476904-2 | 4-Minor | App type 0 session Update Failed on PEMDB: ERR_INPROGRESS |
Fraud Protection Services Fixes
ID Number | Severity | Description |
484020 | 2-Critical | If Identify as Username is enabled for a parameter, the Encrypt checkbox is not grayed out. |
492549 | 3-Major | FPS injection only into success responses |
489933 | 3-Major | Generic malware false positives |
486001 | 3-Major | Application Layer encryption not working on password field in certain situations |
485253 | 3-Major | Enable directory protection |
482034 | 3-Major | Browser displays error in console in Firefox 3.6.22 |
474469 | 3-Major | Identical source integrity alerts are present. |
473771 | 3-Major | No URL path in the Browser Automation alert |
491168 | 4-Minor | Encrypt checkbox should be greyed out for a new parameter when Application Layer Encryption is disabled under URL Configuration. |
478859 | 4-Minor | Username displayed with trailing "&" sign |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Description |
482442-5 | 4-Minor | [GTM] [GUI] Changes to a single wide IP propagate to all WIPs |
Traffic Classification Engine Fixes
ID Number | Severity | Description |
487512-1 | 2-Critical | Enable Bittorrent classification in Qosmos by default |
479450 | 2-Critical | SSL traffic is not forwarded to destination |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
484635-1 | CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568 | K15722 | OpenSSL DTLS SRTP Memory Leak CVE-2014-3513, OpenSSL vulnerability CVE-2014-3567, and OpenSSL vulnerability CVE-2014-3568. |
451218-2 | CVE-2014-8730 | K15882 | TLS1.x padding vulnerability CVE-2014-8730. |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Description |
478791-1 | 1-Blocking | Hardware compression test fails on 5000 series, 7000 series, 10000 series platforms |
Local Traffic Manager Fixes
ID Number | Severity | Description |
488208-1 | 2-Critical | openssl v1.0.1j. |
485188-1 | 3-Major | Support for TLS_FALLBACK_SCSV |
Global Traffic Manager Fixes
ID Number | Severity | Description |
487808-3 | 3-Major | End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing. |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Description |
476475 | 1-Blocking | SSL accelerator card does not function on the BIG-IP 12250 platform. |
479374-5 | 2-Critical | Setting appropriate TX driver settings for 40 GB interfaces. |
478948 | 2-Critical | DC PSU reported as AC |
477676 | 2-Critical | HSB v2.3.12.1 bitstream integrated to fix HSB firmware issues |
473772 | 3-Major | SNMP reports the incorrect product name for the BIG-IP 10350 NEBS platform. |
473210 | 3-Major | Chassis Temperature Status not showing Nitrox3x3 temperatures |
472767-1 | 3-Major | Adding slots to running guests with host-iso can become stuck |
467693-1 | 3-Major | sysObjectID SNMP OID returns 'linux' instead of BIG-IP platform. |
410101-3 | 3-Major | HSBe2 falls off the PCI bus |
Local Traffic Manager Fixes
ID Number | Severity | Description |
477571-1 | 2-Critical | HTTP/2 support. |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
480931-1 | CVE-2014-6271 CVE-2014-7169 CVE-2014-7187 CVE-2014-7186 CVE-2014-6277 CVE-2014-6278 | K15629 | Multiple BASH vulnerabilities - ShellShock |
Functional Change Fixes
None
Cumulative fix details for BIG-IP v11.6.1 Hotfix 2 that are included in this release
635933-1 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
Vulnerability Solution Article: K23440942 K13361021
635412-2 : Invalid mss with fast flow forwarding and software syn cookies
Vulnerability Solution Article: K82851041
634001-1 : ASM restarts after deleting a VS that has an ASM security policy assigned to it
Component: Application Security Manager
Symptoms:
ASM restarts with the following errors:
'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.
Impact:
ASM restart
Workaround:
None.
Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.
631582-4 : Administrative interface enhancement
Vulnerability Solution Article: K55792317
625376-1 : In some cases, download of PAC file by edge client may fail
Component: Access Policy Manager
Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.
Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.
Impact:
PAC file download will fail and client will use incorrect proxy settings due to unavailability of PAC file.
Workaround:
Use only lowercase characters in PAC file URI.
Fix:
Now Edge client can download PAC files from URIs that have uppercase as well as lowercase characters.
624616-3 : Safenet uninstall is unable to remove libgem.so
Component: Local Traffic Manager
Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:
rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.
Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.
Impact:
Uninstall is unable to complete.
Workaround:
None.
Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.
624570-3 : BIND vulnerability CVE-2016-8864
Vulnerability Solution Article: K35322517
624457-3 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
Component: TMOS
Symptoms:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html
Conditions:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html
Impact:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html
Fix:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html
624263-3 : iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response
Component: TMOS
Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.
624245 : Hung tasks leading to system problems and lack of management access via ssh/GUI
Component: TMOS
Symptoms:
Problems with bigd, snmpd and other daemons. System becomes inaccessible via ssh and GUI.
Hung tasks recorded in kern logs, typically snmpd, bigd, chmand, big3d hung.
Caused by a CentOS kernel bug in the netlink code where a mutex is left locked on an error path.
Conditions:
Seen when a system is handling heavy SNMP traffic and memory is low.
Impact:
SNMP traffic fails with hung tasks. Reboot required.
Workaround:
Apparently reducing SNMP load helps avoid/postpone the problem.
624091 : DHCP relay is not forwarding all of the DHCPOFFERS to clients
Component: Policy Enforcement Manager
Symptoms:
After upgrading from v11.5.3 to v11.6.1, DHCPOFFER packets are silently dropped.
Conditions:
If DHCP clients send broadcast DHCP packets with a non-zero unicast source IP address through BIG-IP, as well as regular DHCP discovery packets (0.0.0.0 source IP address), multiple client connection flows are created. After some of them age out, BIG-IP may stop relaying DHCP server replies back to clients.
Impact:
BIG-IP stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.
Workaround:
Manually delete all system connection flows by doing "delete sys conn" under tmsh.
623562-1 : Large POSTs rejected after policy already completed
Component: Access Policy Manager
Symptoms:
After the access policy has already completed, POSTs larger than 64k are still rejected. The client sees a reset, and these error messages appear on the BIG-IP:
/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big
/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960
Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.
Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.
Workaround:
Move the resource from '/' to another URL.
Fix:
The logic of '/' in this area was changed to be consistent with other URLs.
623401-4 : Intermittent OCSP request failures due to non-optimal default TCP profile setting
Component: TMOS
Symptoms:
The connection between BIG-IP and the OCSP responder is not reliable, because it uses the default internal TCP configuration, which is not well suited to this use.
Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.
Impact:
The BIG-IP as an SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added to the Server Hello message in the TLS handshake with the SSL client.
Workaround:
The fix applies a TCP configuration tuned for the connection between BIG-IP and the OCSP responder, which makes the connection reliable. Therefore the virtual server now always correctly staples the certificate status in the Server Hello message to the SSL client.
623135 : BIG-IP virtual server TCP sequence numbers vulnerability (CVE-2002-1463)
Component: Local Traffic Manager
Symptoms:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html
Conditions:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html
Impact:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html
Fix:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html
622830 : LDAP type CRLDP is parsed incorrectly
Component: Access Policy Manager
Symptoms:
After upgrading to 11.6.1 HF1, CRLDP authentication stopped working.
The following sample log line shows that the URL is not parsed correctly:
warning apd[15314]: 0149015e:4: fc98d22d: CRLDP Auth agent: CRL lookup failed for LDAP url 'ldap::::389//crl.certificate.../..../certificaterevocationlist?certificateRevocationList' reason 'Invalid CRLDP URL.
Conditions:
The problem occurs only when LDAP type CRLDP is available in the client certificate and it is used from the CRL Distribution Points list.
Impact:
Users may fail access policy evaluation when client certificate authentication is used.
Workaround:
Configure non-LDAP distribution points in the certificate, or, if multiple distribution points are present in the client certificate, make sure a non-LDAP scheme succeeds before the LDAP CRLDP is reached.
Fix:
The system now parses LDAP type CRLDP URL correctly, so after upgrading, CRLDP authentication now works as expected.
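The fix above concerns parsing LDAP-type CRL Distribution Point URLs. As an added example (not F5 code), the following parser breaks an RFC 4516 LDAP URL into the host, port, base DN, attributes, scope and filter a CRLDP fetch needs, defaults the port to 389/636 when none is given, and rejects a URL that lacks the ldap://host:port/ shape instead of half-parsing it. All host names and DNs are constructed sample values.

```python
"""LDAP CRL Distribution Point URL parser (RFC 4516 syntax).

Added example, not F5 code. Shows the fields a CRLDP agent has to extract
from an LDAP-type distribution point before it can fetch the CRL. All host
names and DNs used here are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Default ports for the two URL schemes (RFC 4516 / RFC 4513).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]          # None: use a locally configured LDAP server
    port: int
    dn: str                      # base object, percent-decoded
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"


def _split_hostport(hostport: str) -> Tuple[str, str]:
    """Return (host, port_str); bracketed IPv6 literals are supported."""
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal in {hostport!r}")
        host, rest = hostport[1:end], hostport[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError(f"junk after IPv6 literal in {hostport!r}")
        return host, rest[1:]
    host, _, port_str = hostport.partition(":")
    return host, port_str


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse ldap://host[:port]/dn[?attrs[?scope[?filter]]] into its parts."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        # A form like 'ldap::::389//...' (as seen in the bug's log line) has no
        # '://' separator and is rejected here rather than half-parsed.
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, path = rest.partition("/")
    host: Optional[str] = None
    port = DEFAULT_PORTS[scheme]
    if hostport:
        host, port_str = _split_hostport(hostport)
        host = host or None
        if port_str:
            if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
                raise ValueError(f"bad port in {hostport!r}")
            port = int(port_str)
    # After the first '/' comes dn?attributes?scope?filter?extensions,
    # every component optional and percent-encoded.
    parts = path.split("?")
    dn = unquote(parts[0])
    attributes: List[str] = []
    if len(parts) > 1 and parts[1]:
        attributes = [a for a in unquote(parts[1]).split(",") if a]
    scope = "base"
    if len(parts) > 2 and parts[2]:
        scope = unquote(parts[2]).lower()
        if scope not in SCOPES:
            raise ValueError(f"bad scope {scope!r}")
    filt = "(objectClass=*)"
    if len(parts) > 3 and parts[3]:
        filt = unquote(parts[3])
    return LdapUrl(scheme, host, port, dn, attributes, scope, filt)


def requests_crl(u: LdapUrl) -> bool:
    """True if the URL asks for the certificateRevocationList attribute
    (optionally carrying the ';binary' transfer option)."""
    wanted = {a.split(";")[0].lower() for a in u.attributes}
    return "certificaterevocationlist" in wanted


if __name__ == "__main__":
    # Constructed sample CDP, shaped like the ones a Windows CA publishes.
    sample = ("ldap://crl.example.test:389/CN=Example%20CA,CN=CDP,"
              "DC=example,DC=test?certificateRevocationList;binary"
              "?base?objectClass=cRLDistributionPoint")
    u = parse_ldap_url(sample)
    print(u.host, u.port, u.dn, u.attributes, u.scope, u.filter)
    print("CRL requested:", requests_crl(u))
```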
622244-1 : Edge client can fail to upgrade when always connected is selected
Component: Access Policy Manager
Symptoms:
Attempt to upgrade an Edge client may fail if the Always Connected mode is enabled
Conditions:
Always Connected is selected in BIG-IP when upgrading the client
Impact:
Upgrade will fail
Workaround:
Disable the Always Connected mode
Fix:
Upgrade functions as intended regardless of connection mode
622166 : HTTP GET requests with HTTP::cookie iRule command receive no response
Component: Local Traffic Manager
Symptoms:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers do not get a response.
Conditions:
An LTM virtual server with an iRule including the HTTP::cookie command.
Impact:
No response is received by the client.
Workaround:
None.
Fix:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers now get a response as expected.
621524-3 : Processing Timeout When Viewing a Request with 300+ Violations
Component: Application Security Manager
Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.
Conditions:
Attempting to view a request that triggered hundreds or thousands of violations
Impact:
A timeout is encountered.
Workaround:
Increase the "max_execution_time" timeout in /usr/loca/lib/php.ini from 30 to 240 seconds.
Fix:
Processing high violation requests is now more efficient.
621417-1 : sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
Component: TMOS
Symptoms:
On a BIG-IP deployed in the AWS cloud, sys-icheck reports size and md5 errors for the /usr/share/defaults/bigip_base.conf file, as follows:
ERROR: S.5...... c /usr/share/defaults/bigip_base.conf (no backup)
Conditions:
BIG-IP deployed in AWS cloud.
Impact:
sys-icheck reports "rpm --verify" size and md5 errors for /usr/share/defaults/bigip_base.conf. This has no functional impact on the product, but it looks as though the factory configuration file was modified incorrectly by a user or application.
Workaround:
No workaround exists for this issue.
Fix:
sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
621242 : Reserve enough space in the image for future upgrades.
Component: TMOS
Symptoms:
Increased the reserved free space in the VM image from 15% to 30% to accommodate upgrades to future versions. Each new version tends to be bigger and to require more disk space to install. The increased reserved space allows upgrading to at least the next 2 versions.
Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).
Impact:
Extends the disk image to reserve more disk space for upgrades.
Workaround:
N/A
Fix:
Increased the reserved free space on VE images.
621239-1 : Certain DNS queries bypass DNS Cache RPZ filter.
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.
Conditions:
A DNS Cache configured with RPZ.
Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.
Fix:
The DO-bit is now ignored with respect to RPZ filtering.
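The DO bit that bypassed the RPZ filter above is the top bit of the 32-bit TTL field of the EDNS(0) OPT pseudo-RR (RFC 6891). As an added example (not F5 code), the following builds a query with and without that bit set, the way a DNSSEC-aware resolver would, and checks for it on the wire, so a DNS policy layer can be exercised with DO=1 and DO=0 queries and expected to treat both the same. Query names are constructed.

```python
"""EDNS(0) DO-bit check for DNS queries (RFC 6891).

Added example, not F5 code. Builds a query with an OPT pseudo-RR and shows
where the DO (DNSSEC OK) bit lives in the wire format, so DO=1 and DO=0
queries can be generated and recognised. Query names are constructed.
"""
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type
DO_FLAG = 0x8000       # top bit of the OPT record's 32-bit "TTL" field
QTYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_A, edns: bool = True,
                dnssec_ok: bool = False, udp_payload: int = 4096,
                txid: int = 0x1234) -> bytes:
    """Build a recursion-desired query; with edns=True append an OPT RR."""
    arcount = 1 if edns else 0
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if not edns:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH=0.
    ttl = DO_FLAG if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def dnssec_ok_requested(msg: bytes) -> bool:
    """True if the message carries an OPT RR with the DO bit set."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & DO_FLAG:
            return True
    return False


if __name__ == "__main__":
    for edns, do in ((False, False), (True, False), (True, True)):
        q = build_query("blocked.example.test", edns=edns, dnssec_ok=do)
        print(f"edns={edns} do={do} -> DO requested: {dnssec_ok_requested(q)}")
```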
621202-1 : Portal Access: document.write() with very long string as argument may be handled incorrectly.
Component: Access Policy Manager
Symptoms:
JavaScript code may include document.write() calls with very long strings (> 60K). In some cases these strings may be rewritten incorrectly.
Conditions:
- document.write() with very long string as argument.
- argument string contains HTML tags with quoted attribute values which include '>' inside.
Impact:
The rewritten HTML page may not work correctly.
Fix:
Now document.write() calls with long HTML strings are handled correctly by Portal Access.
620922-1 : Online help for Network Access needs update
Component: Access Policy Manager
Symptoms:
Online help for advanced network settings does not tell users that if they fill in the DNS Address Space setting, they also need to install the DNS Relay Proxy service on Windows-based systems to get the desired result.
Conditions:
Split tunneling configured. Windows-based system in use. DNS Address Space setting filled in.
Impact:
Use of DNS Address Space setting does not provide the expected result.
Workaround:
Install the DNS Relay Proxy server on Windows-based systems.
Fix:
Network Access online help now states that for DNS Address Space to work properly on a Windows-based system, the DNS Relay Proxy service must be installed and running on the client.
620712-1 : Added better search capabilities on the Pool Members Manage & Pool Create page.
Component: Global Traffic Manager (DNS)
Symptoms:
Large numbers of virtual servers were hard to manage on the GSLB Pool Member Manage page.
Conditions:
Having a large number of virtual servers/wide IPs.
Impact:
Poor usability.
Workaround:
No workaround.
Fix:
The GSLB Pool Member Manage page now has a new search feature in the form of a combo box, to allow for better management of large numbers of virtual servers.
Behavior Change:
The GSLB Pool Member Manage page now has the new search feature to allow for better management of large numbers of virtual servers.
620614-2 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
Component: Access Policy Manager
Symptoms:
iOS Citrix Receiver fails to add a new store account: tapping Save after providing the credentials displays "Loading" and then returns to the previous Save option.
/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.
Otherwise, the following error appears, and the session ID is deleted abruptly:
Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).
Conditions:
APM is configured with Citrix replacement mode. The user enters a wrong passcode for RSA SecurID authentication three times in a row, which triggers the next-token prompt, and on the fourth attempt enters the right passcode. APM session rotation is enabled.
Impact:
iOS Citrix Receiver cannot add the account after wrong token values were provided for two-factor authentication.
Workaround:
Force-close the iOS Citrix Receiver application and open the Receiver again to add the account.
Fix:
The correct session ID is now used to decrypt the password.
620215-3 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
Memory allocation failures are now handled properly.
619879-3 : HTTP iRule commands could lead to WEBSSO plugin being invoked
Component: Access Policy Manager
Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 bigip3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor
With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 bigip3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))
Conditions:
HTTP::disable followed by HTTP::enable.
when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other stuff
    HTTP::enable
}
Impact:
The client receives an HTTP 503 reset.
Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.
Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.
619757-3 : iSession causes routing entry to be prematurely freed
Component: Wan Optimization Manager
Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.
Conditions:
iSession-enabled virtual.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No reasonable workaround short of not using iSession functionality.
Fix:
iSession no longer causes routing entries to be prematurely freed.
619710 : GUI gives error when clicking "Update" making changes to VS in Security-Policies
Component: Advanced Firewall Manager
Symptoms:
The GUI times out and generates an error when an ASM policy takes a long time to update (on the Virtual Server Security page).
Conditions:
When the same ASM policy is attached to hundreds of virtual servers, it takes longer to update.
Impact:
GUI times out before the changes are saved. Users will be able to see the updated changes only after refreshing the page.
Workaround:
Refresh the page in the browser once the error shows up.
Fix:
GUI doesn't time out when ASM policy is updated.
619528-2 : TMM may accumulate internal events resulting in TMM restart
Component: Local Traffic Manager
Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to accumulate, causing excessive memory usage and potentially resulting in TMM restarting.
Conditions:
HTTP virtual with long-lived connections.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.
Fix:
Internal events are no longer accumulated, thus avoiding low-memory conditions.
619398-4 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The fix was to properly handle the failure allocating memory.
618517-2 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file
Component: Local Traffic Manager
Symptoms:
- On 11.6.1, bigd erroneously marks pool members down, and messages similar to the following are seen in the ltm log file:
Sep 23 10:45:59 bipve1 warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.
- On 12.1.x, this bug has negligible impact.
Conditions:
Monitoring must be in use, bigd debug logging must be enabled, and the bigd debug log file (/var/log/bigdlog) must be full.
Impact:
- On 11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.
- In 12.1.x, some of the underlying logging code changed and there is no real impact.
Workaround:
You can rotate the log file, using the following command:
logrotate -f bigdlog
Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.
618324-2 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
Component: Access Policy Manager
Symptoms:
When upgrading from OPSWAT SDK V3 to V4 and opening an Access Policy in the VPE, if one of the OPSWAT checkers (e.g., the Anti-Virus checker) contains an Undefined ID (i.e., previously defined but no longer supported), it is displayed as "Any." The correct display should be "Unsupported" or "Invalid" product.
Conditions:
Incorrect information displayed.
Impact:
Incorrect information displayed.
Workaround:
N/A
Fix:
Correct information ("*** Invalid ***") is now displayed.
618261-3 : OpenSSL vulnerability CVE-2016-2182
Vulnerability Solution Article: K01276005
617862-1 : Fastl4 handshake timeout is absolute instead of relative
Component: Local Traffic Manager
Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of the handshake timeout. For example, if the handshake timeout is 5 seconds, then the connection is reset 5 seconds after receiving the initial SYN from the client.
Conditions:
A TCP connection in three-way handshake.
Impact:
Connections are expired prematurely if they are still in three-way handshake.
Workaround:
Disable handshake timeout.
Impact of workaround: Your TCP handshake will not prematurely time out, and connections remain open until the Idle Timeout expires.
Fix:
The handshake timeout now expires based on idleness of the connection, taking into consideration any SYN retransmissions, etc., that might occur.
617858-1 : bigd core when using Tcl monitors
Component: Local Traffic Manager
Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.
Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).
Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.
Workaround:
None.
Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.
617824-2 : "SSL::disable/enable serverside" + oneconnect reuse is broken
Component: Local Traffic Manager
Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.
Conditions:
1. "SSL::disable/enable serverside" exists in the iRule.
2. OneConnect is configured in the iRule or in the VS profile.
3. The iRule and OneConnect profile are applied to the VS.
Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.
Workaround:
You can work around the problem by disabling oneConnect.
617316-1 : Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration
Component: Access Policy Manager
Symptoms:
Desktop launched from browser or from native receiver has garbled title.
Conditions:
Citrix Storefront integration mode through APM with no STA configured. A double-byte character set such as Japanese is used in the backend.
Impact:
Desktop title is not shown properly.
Workaround:
None
Fix:
Double-byte character language titles are now shown properly.
617310-1 : Edge client can fail to upgrade when Always Connected is selected★
Component: Access Policy Manager
Symptoms:
Attempting to upgrade from an older Edge client version to the current version fails when Always Connected is enabled.
Conditions:
Always Connected is selected in BIG-IP when upgrading the client.
Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.
Workaround:
Turn off Always Connected before upgrading.
Fix:
Edge client now succeeds during upgrade when Always Connected is selected.
617002-3 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Component: Access Policy Manager
Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.
Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.
Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.
Fix:
Response analytics is now handled correctly for these URLs, and resets are no longer sent to the client.
616864-3 : BIND vulnerability CVE-2016-2776
Component: TMOS
Symptoms:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html
Conditions:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html
Impact:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html
Fix:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html
616838 : Citrix Remote desktop resource custom parameter name does not accept hyphen character
Component: Access Policy Manager
Symptoms:
Adding a custom parameter to a Citrix resource gives a parser error such as the following:
01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"
Conditions:
A Citrix resource with a custom parameter name containing a hyphen character.
Impact:
Custom parameter names cannot contain a hyphen character.
Workaround:
None
Fix:
Custom parameter names containing a hyphen character are now accepted.
616242-2 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
Component: TMOS
Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:
01070711:3: basic_string::compare
If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.
Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.
Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).
Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
616215-2 : TMM can core when using LB::detach and TCP::notify commands in an iRule
Component: Local Traffic Manager
Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.
Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.
Fix:
TMM no longer cores in this instance.
615934-2 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
615260 : out of memory condition when URL categorization is configured to work with large feedlists
Component: Traffic Classification Engine
Symptoms:
out of memory condition when URL categorization is configured to work with large (millions of records) feedlists.
Conditions:
To hit this issue, the user would have to load and unload a large feedlist multiple times.
Impact:
Swap usage increases and eventually leads the system to run out of memory.
Fix:
This problem is fixed in v12.1
615187-1 : Missing hyperlink to GSLB virtual servers and servers on the pool member page.
Component: Global Traffic Manager (DNS)
Symptoms:
Hyperlinks to GSLB virtual servers and servers on the pool member page were removed in 11.x.
Conditions:
Have a GSLB pool with pool members set up.
Impact:
You must manually take note of the member's virtual server or server.
Workaround:
Manually take note of virtual or server and search for it.
Fix:
Added hyperlink to GSLB virtuals and servers on the pool member page.
614891-4 : Routing table doesn't get updated when EDGE client roams among wireless networks
Component: Access Policy Manager
Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.
Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.
Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.
614865-2 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()
Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.
Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.
Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.
- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.
Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly and no longer produces errors.
614563-1 : AVR TPS calculation is inaccurate
Component: Advanced Firewall Manager
Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.
Conditions:
DoS profile attached to the virtual server.
Impact:
An attack can be wrongly detected.
Workaround:
None.
Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.
613673-1 : Pool members may not be marked up and/or there might be a slight delay in monitors
Component: Local Traffic Manager
Symptoms:
A UDP monitor might fail to mark a pool member up even when the pool member is up.
Other monitor types may mark a pool member down.
A slight delay (less than 0.1 seconds) might be noticed in monitor traffic sent by the BIG-IP.
Conditions:
To experience the incorrect pool member status issue, there is generally some other monitor on the system that is legitimately down.
To experience the delay, run an affected version. The issue has been observed with TCP, HTTP, and HTTPS monitors.
Impact:
Incorrect pool member status or pool member flapping.
Connections to monitored pool members might last slightly longer than necessary.
Workaround:
None.
Fix:
In this release, the system now correctly sets pool member status and connections to monitored pool members no longer last longer than necessary.
613613-1 : Incorrect handling of form that contains a tag with id=action
Component: Access Policy Manager
Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.
Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.
Impact:
The impact of this issue is that the web application cannot work as expected.
Workaround:
This issue has no workaround at this time.
Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.
613576-2 : QOS load balancing links display as gray
Component: Global Traffic Manager
Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and the function of load balancing to the first available link in each pool is restored.
Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.
Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.
Workaround:
Remove all links from the configuration, or install this hotfix.
613536-2 : tmm core while running the iRule STATS:: command
Component: TMOS
Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.
Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED.
613088-1 : pkcs11d thread has session initialization problem.
Component: Local Traffic Manager
Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.
Conditions:
This occurs when SafeNet is configured on a VIPRION chassis.
Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.
Workaround:
None.
Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.
613045 : Interaction between GTM and 10.x LTM results in some virtual servers marked down
Component: Global Traffic Manager
Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.
Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.
Impact:
On the GTM side, that LTM virtual server will never get marked up.
Workaround:
None.
Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.
612419-2 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
Component: Access Policy Manager
Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.
Conditions:
Network access; full webtop, multiple Network Access resources.
Impact:
Memory usage increases over time.
Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.
Fix:
Fixed a memory leak related to network access.
612229-2 : TMM may crash if an LTM policy's disable action for 'LTM Policy' is not last
Component: Local Traffic Manager
Symptoms:
TMM may crash while processing an LTM policy.
Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- The "disable - LTM Policy" action is not the last one in the list of actions.
Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.
Workaround:
Ensure any LTM policy disable action is the last in the list of actions.
Fix:
TMM no longer crashes if an LTM policy's disable action for 'LTM Policy' is not last in the list of actions in the rule.
612128 : OpenSSH vulnerability CVE-2016-6515
Vulnerability Solution Article: K31510510
611669-1 : Mac Edge Client customization is not applied on macOS 10.12 Sierra
Component: Access Policy Manager
Symptoms:
The Mac Edge Client's icon, application name, and company name, among other things, can be customized on the BIG-IP system before deployment to end users' machines. On macOS 10.12 Sierra, however, this customization is not applied.
Conditions:
macOS Sierra 10.12, Edge client, customization
Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there is no impact, except that the user sees the default application appearance.
Workaround:
Run the following command in Terminal and re-launch the Edge client:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
Fix:
Edge client honors customization on macOS Sierra 10.12 now.
611469-2 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
Vulnerability Solution Article: K95444512
611355 : tmm core with PEM
Component: Policy Enforcement Manager
Symptoms:
tmm cores intermittently on SIGSEGV.
Conditions:
A background job processing HA session information might rarely trigger this. No external factor is causing this.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes the rarely encountered issue in which a background job processing HA session information might have triggered a tmm core.
610609-1 : Total connections in bigtop, SNMP are incorrect
Component: Local Traffic Manager
Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example, if you send a single connection through the BIG-IP, it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.
Conditions:
This occurs on PVA-enabled hardware platforms.
Impact:
The total connection count statistic is incorrect.
610429-3 : X509::cert_fields iRule command may leak memory with subpubkey argument
Component: Local Traffic Manager
Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.
Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.
Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}
Impact:
Memory will leak, eventually impacting the operation of tmm.
Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields.
610248 : IE 11 browser does not display VDI profile columns properly
Component: Access Policy Manager
Symptoms:
Microsoft Internet Explorer version 11 browsers do not properly display the two columns 'General information' and 'MSRDP settings' in the VDI profile edit window.
Conditions:
Using IE 11 browser, and APM is provisioned to use VDI profile.
Impact:
Makes it difficult to configure VDI profile using the GUI.
Workaround:
Use other browsers to configure VDI profile.
Fix:
Microsoft Internet Explorer version 11 browsers now properly display the two columns 'General information' and 'MSRDP settings' in the VDI profile edit window.
610243 : HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication
Component: Access Policy Manager
Symptoms:
HTML5 client cannot be used to access the published applications or desktops.
HTML5 client access returns a blank/black screen and displays "Can not connect to the server".
Conditions:
APM is configured in Citrix Storefront integration mode, and HTML5 client access is enabled in Storefront.
Impact:
HTML5 client cannot be used to access the published resources.
Workaround:
None
Fix:
HTML5 client can be used to access the published resources.
610224-1 : APM client may fetch expired certificate when a valid and an expired certificate co-exist
Component: Access Policy Manager
Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.
Conditions:
A valid and an expired certificate co-exist in the certificate store.
Impact:
Machine Certificate check fails.
Workaround:
Remove the expired certificate from the store.
Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.
610180-3 : Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as a SAML SP, and SLO is not properly configured on the associated saml-idp-connector objects, IdP-initiated SAML SLO may result in a memory leak in the SSO plugin.
Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO
Impact:
SSO plugin leaks memory.
Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.
Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.
609496-1 : Improved diagnostics in BD config update (bd_agent) added
Component: Application Security Manager
Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.
Conditions:
Further troubleshooting of BD config update transmission is needed.
Impact:
No diagnostics are available.
Workaround:
None.
Fix:
Improved diagnostics in BD config update (bd_agent) were added.
609119-5 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
Component: TMOS
Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:
-- err mcpd[19114]: 01070711:3:
For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.
Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.
Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.
Workaround:
None. The problem corrects automatically when the system rewrites the log.
Fix:
The logging system no longer prints out a blank message in response to failed file object configuration change validations.
609084-1 : Max number of chunks not configurable above 1000 chunks
Component: Application Security Manager
Symptoms:
If a request contains more than 1000 chunks, the request is blocked and the system posts the following message in the ASM event log:
Unparsable request content Chunks number exceeds request chunks limit: 1000.
Conditions:
This occurs when the request exceeds 1000 chunks.
Impact:
Requests that are valid from the server side are being rejected.
Workaround:
None.
Fix:
This release adds an internal parameter, "request_max_chunks_number", to allow configuring a maximum number of chunks greater than 1000. The default value is 1000.
Behavior Change:
This release adds an internal parameter, "request_max_chunks_number", to allow configuring a maximum number of chunks greater than 1000. The default value is 1000.
608742-4 : DHCP: DHCP renew ack messages from server are getting dropped by BIGIP in Forward mode.
Component: Policy Enforcement Manager
Symptoms:
When the BIG-IP is configured in Forwarding mode, the renewal ACK message from the server, sent in response to a unicast renewal message from a DHCP client, is dropped.
Conditions:
BIG-IP in forwarding mode. DHCP clients sending unicast renewal messages to the DHCP server.
Impact:
Unicast DHCP renewal requests are not acknowledged. DHCP clients then send broadcast renewal messages, which are acknowledged by the servers.
Workaround:
When a DHCP client receives no ACK for its unicast renewal message, it sends a broadcast DHCP renewal message; the DHCP server acknowledges that message, and the ACK is forwarded by the BIG-IP and received by the client.
608408-4 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
Component: Access Policy Manager
Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.
Conditions:
All of the following:
- The BIG-IP system is used as a SAML IdP.
- A new SAML SSO configuration is added on the BIG-IP.
- A rarely occurring internal tmconf error happens when processing the newly added configuration.
Impact:
TMM may restart.
Workaround:
None.
Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.
608320-4 : iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response
Component: TMOS
Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API with persistence profiles.
-- A string, enum, or vector of enum/string property is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string properties that are explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with the value "none". The exception to this policy is secured attributes, which are always excluded from the iControl REST API response.
607713-4 : SIP Parser fails header with multiple sequential separators inside quoted string.
Component: Service Provider
Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.
Conditions:
If a SIP header contains multiple attribute separators ',' or ';' in an attribute.
Impact:
The SIP parser flags the message as an error. If the separators occur inside a quoted string within the attribute, the message should be allowed, but it still fails. As a result, valid SIP messages fail to be parsed.
Workaround:
None.
Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.
607360-2 : Safenet 6.2 library missing after upgrade★
Component: Local Traffic Manager
Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.
Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.
Impact:
Safenet 6.2 is not functional.
Workaround:
Reinstall Safenet 6.2, or run this command on all blades of the BIG-IP after the installation:
ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so
Fix:
The symbolic link to libgem is now added when the pkcs11d daemon starts or restarts.
607304-2 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Component: Local Traffic Manager
Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Conditions:
This can occur under normal operation, while running the geo_update command.
Impact:
Traffic disrupted while tmm restarts.
606575-3 : Request-oriented OneConnect load balancing ends when the server returns an error status code.
Component: Local Traffic Manager
Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.
Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.
Impact:
The client remains connected to the server, and no further load-balancing decisions are made.
Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.
To do so, use an iRule similar to the following:
when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }
        unset auth_header
    }
    catch { ONECONNECT::detach enable }
}
Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).
Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.
606540-1 : DB variable changed via GUI does not sync across HA group
Component: TMOS
Symptoms:
If a configuration change is made in the BIG-IP GUI which is backed by a DB variable, the change is not synced to other devices in the same sync-failover device group.
If the same db variable change is made using the Traffic Management Shell (tmsh), the db variable change will be synced to other devices in the same sync-failover device group.
Note that db variable changes are never synced to devices in sync-only device groups.
Conditions:
1. BIG-IP systems in HA group, provisioned with modules (in addition to LTM) which create their own device groups (for example, ASM).
2. Original sync-failover device group replaced by a different sync-failover device group.
3. Using the GUI to change a configuration item which is backed by a DB variable.
Examples include:
failover.standby.linkdowntime (GUI: Device Management :: Device Groups : <fodg_name> : Failover : Link Down Time on Failover )
statemirror.clustermirroring (GUI: Device Management :: Devices : <device_name> : Cluster Options )
Impact:
Configuration of devices within a sync-failover device group may not be synchronized as expected.
Workaround:
To force synchronization of a db variable change made via the GUI, use a tmsh command of the following form:
tmsh modify cm device-group <sync-failover device group name> devices modify { <device name> { set-sync-leader } }
If the sync-failover device group is not automatically synced, manually sync the device group:
tmsh run cm config-sync to-group <sync-failover device group name>
To avoid creating a db variable change that will not be synchronized across sync-failover device group members, change the configuration or db variable using tmsh:
tmsh modify sys db <variable name> value <new value>
If the sync-failover device group is not automatically synced, manually sync the device group:
tmsh run cm config-sync to-group <sync-failover device group name>
Fix:
DB variable changed via GUI now syncs across HA group as expected.
605921 : scriptd and mcpd cores following multiple failovers due to bd (asm)
Component: Application Security Manager
Symptoms:
You encounter multiple failovers due to BD (asm) failure and mcpd coring. The GUI is sluggish, then bd becomes unresponsive or mcpd cores.
Conditions:
Apply policies on a device at the same time that it becomes the Master Blade.
Impact:
A deadlock condition can occur when policies are being applied at the same time as a change arrives in the cluster config.
Workaround:
None.
Fix:
Fixed a deadlock condition when applying policies.
605865-2 : Debug TMM produces core on certain ICMP PMTUD packets
Component: Local Traffic Manager
Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.
Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.
Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.
Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.
Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.
605616-3 : Creating 256 Fundamental Security policies will result in an out of memory error
Component: Application Security Manager
Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.
Conditions:
Create 256 fundamental security policies.
Impact:
Out of memory error.
Workaround:
None.
Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.
605476-2 : istatsd can core when reading corrupt stats files.
Component: TMOS
Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.
Conditions:
This issue occurs when the following condition is met:
The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.
Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.
Impact:
iStatsd process will restart due to resource exhaustion.
Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:
Impact of workaround: This workaround will cause all statistics in the iStats files to reset.
1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged
3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete
4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged
Fix:
Added a fix to protect against continually reading a segment file that is corrupted and has duplicate FIDs.
605427-2 : TMM may crash when adding and removing virtual servers with security log profiles
Component: Advanced Firewall Manager
Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.
Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.
Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.
Traffic disrupted while tmm restarts.
Fix:
TMM no longer crashes with multiple creation, modification and deletion of many virtual servers with security log profiles attached.
604977-3 : Wrong alert when DTLS cookie size is 32
Component: Local Traffic Manager
Symptoms:
When a ServerSSL profile using DTLS receives a cookie 32 bytes long, it sends a fatal alert.
Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.
Impact:
DTLS with cookie size 32 is not supported.
604931-1 : bgpd might core on restarting process with BGP debug enabled.
Component: TMOS
Symptoms:
On a BIG-IP system configured with dynamic routing using the BGP routing protocol, when BGP debugging is enabled, the bgpd daemon may crash.
Conditions:
- BGP configured and peering established.
- BGP debugging enabled.
- BGP process is restarted gracefully.
Impact:
bgpd may crash.
Workaround:
Disable BGP debug.
Fix:
bgpd no longer cores when the process is restarted with BGP debugging enabled.
604767-4 : Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of the IdP connector object.
Component: Access Policy Manager
Symptoms:
When importing a SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.
Conditions:
BIG-IP is used as SAML SP.
Impact:
Described behavior will result in misconfiguration. SAML WebSSO will subsequently fail.
Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.
604442-1 : iControl log
Vulnerability Solution Article: K12685114
603945-1 : BD config update should be considered as config addition in case of update failure
Component: Application Security Manager
Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.
Conditions:
The condition that leads to this scenario is not clear and is still under investigation.
Impact:
The update fails and the entity is not added.
Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.
This fixes the issue in the cases in which it is a single entity.
Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.
603606 : tmm core
Component: Local Traffic Manager
Symptoms:
A tmm core occurs with the following log message: notice panic: ../kern/page_alloc.c:521: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
It is not known exactly what triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
603598-2 : big3d memory under extreme load conditions
Component: Global Traffic Manager
Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.
This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.
Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.
When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.
For this to happen, the Active queue must be full as well as the Pending queue.
One possible condition that might cause this is multiple Monitors timing out. This results in Monitors having long lifetimes, which keeps the Active queue full. Thus the Pending queue might become full and the memory leak can occur.
In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue. Since the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest itself there. In later versions, the leak is still possible, but is less likely to occur.
Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.
Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chance that the Pending queue becomes full.
There is no mechanism to resize the queues.
Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.
603479-1 : "ASM starting" while it's already running, causing the restart of all ASM daemons
Component: Application Security Manager
Symptoms:
ASM daemons suddenly restart, with the message "ASM Starting" in '/var/log/asm', while ASM is already running and without ASM stopping first.
Conditions:
Unknown
Impact:
ASM daemons restart
Workaround:
N/A
Fix:
The ASM start script is now prevented from executing if ASM is already running, which eliminates the possibility of a spurious ASM Start while it is already running.
603293-3 : Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs
Component: Access Policy Manager
Symptoms:
L4 Dynamic ACL is not applied to incoming traffic when assigned in combination with L7 ACL.
Conditions:
APM supports a combination of L7 ACL and L4 ACL to be assigned to one session. When L7 ACLs are assigned with higher priority than L4 ACLs, the processing of L4 ACLs is automatically deferred until L7 information is available. The issue here is that when none of L7 ACLs with higher priority match with the traffic, L4 ACL is incorrectly marked to be applied only to HTTP traffic. Therefore if the incoming traffic is not HTTP, for example, HTTPS, then this particular dynamic L4 ACL is bypassed.
Impact:
L4 Dynamic ACL is not applied correctly.
Workaround:
Reorder L4 ACLs with higher priority than L7 ACLs, if possible, or to prevent the issue from occurring, avoid assigning L7 ACLs if not needed.
Fix:
When L7 ACL is assigned in combination to L4 Dynamic ACL, L4 Dynamic ACL is correctly applied to all kinds of traffic, not only HTTP traffic.
603236-2 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
Component: Local Traffic Manager
Symptoms:
Creating 1024- and 4096-bit keys fails when the SafeNet client version installed on BIG-IP is 6.2 and the SafeNet appliance firmware is 6.10.9.
Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.
Impact:
Cannot create 1024 or 4096 size RSA keys.
Workaround:
None.
Fix:
Removed the config line, RSAKeyGenMechRemap = 1, that was conflicting with 6.10.9 firmware.
603149-1 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
Component: TMOS
Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.
Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.
Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.
Workaround:
Before the fix, decrease lifetime-kilobytes until properly stable.
Fix:
The fix should make every value no more than 4294967295 kilobytes work correctly, without becoming some smaller value. (Note this value is 2^32-1.) If the size of ike-phase2-lifetime-kilobytes becomes 64-bit in the future, this will also work, causing a 64-bit value for kilobytes to occur in isakmp negotiation.
603082-2 : Ephemeral pool members are getting deleted/created over and over again.
Component: Local Traffic Manager
Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.
Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.
Impact:
Traffic disrupted while mcpd restarts.
603071-1 : XHTML validation fails on obfuscated JavaScript
Component: Application Security Manager
Symptoms:
The obfuscated JavaScript injected by ASM for CSRF protection and other features causes web pages to fail w3c validation.
Conditions:
CSRF or Web Scraping enabled in ASM policy.
Impact:
There is no end-user impact, but checking the page with the W3C online validator returns errors.
Workaround:
N/A
Fix:
Wrapped the script in a CDATA section, so the validator no longer reports errors.
603032-2 : clientssl profiles with sni-default enabled may leak X509 objects
Component: Local Traffic Manager
Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.
Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.
Impact:
The amount of leakage depends on the number of virtuals with sni-default-enabled clientssl profiles and the frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.
Workaround:
No workaround short of not using sni-default.
Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.
602366-2 : Safenet 6.2 HA performance
Component: Local Traffic Manager
Symptoms:
With a Safenet 6.2 HA setup, you only see the performance of one HSM.
Conditions:
Safenet 6.2 client is installed and Safenet HA is used.
Impact:
Only one HSM is used for the HA setup.
Workaround:
1. Add the primary HSM to a newly created HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
2. Add the following HSM to the HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>
3. Enable HAOnly:
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable
4. Delete the HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test
Fix:
Installation script is updated for Safenet 6.2 HA.
602358-2 : BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version
Component: Local Traffic Manager
Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.
Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.
The problem occurs if the SSL/TLS server requires the version in the new ClientHello (both in the Record layer and in the Handshake Protocol) to be exactly the same as the SSL/TLS version of the first ClientHello; that is:
- 1st ClientHello record layer version == 2nd ClientHello record layer version;
- 1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.
Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.
Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.
Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.
Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:
1. The default is disable, which means that the 2nd ClientHello SSL/TLS version will be set to the negotiated version in the 1st round ServerHello.
2. If it is set to enable, both ClientHello versions will be exactly the same.
602221-3 : Wrong parsing of redirect Domain
Component: Application Security Manager
Symptoms:
ASM learns wrong domain names.
Conditions:
No '/' after the domain name in the redirect domain.
Impact:
A wrong learning suggestion can lead to a wrong policy.
Workaround:
N/A
Fix:
Fixed an issue with parsing the URL in the Location header.
601938-3 : MCPD stores certain data incorrectly
Vulnerability Solution Article: K52180214
601927-3 : Security hardening of control plane
Component: TMOS
Symptoms:
File permissions changes needed as found by internal testing
Conditions:
N/A
Impact:
N/A
Fix:
Apply latest security practices to control plane files.
601905-4 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
Component: Access Policy Manager
Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.
Conditions:
Most likely, the POST request contains large post data.
Impact:
The POST request will fail.
Workaround:
The following iRule will work around the issue:
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Trigger collection for up to $max_collect of data
        set max_collect 1000000
        if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length $max_collect
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
601527-3 : mcpd memory leak and core
Component: TMOS
Symptoms:
Mcpd can leak memory during config update or config sync.
Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http
Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.
Fix:
Fixed a memory leak in mcpd.
601502-1 : Excessive OCSP traffic
Component: TMOS
Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.
Conditions:
Virtual server configured with an OCSP profile
Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.
Workaround:
None.
Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.
601496-1 : iRules and OCSP Stapling
Component: Local Traffic Manager
Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.
You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.
Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stapling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.
Impact:
TMM memory used increases gradually, eventually the aggressive mode sweeper is activated.
Workaround:
None.
Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.
601255-3 : RTSP response to SETUP request has incorrect client_port attribute
Component: Service Provider
Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)
Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection
Impact:
Unicast media may be forwarded to an incorrect UDP port (0).
Fix:
Initialize 'client_port' attribute to value received from server when re-writing response to client.
601180-1 : Link Controller base license does not allow DNS namespace iRule commands.★
Component: Global Traffic Manager
Symptoms:
The Link Controller base license was improperly preventing DNS namespace iRule commands.
Conditions:
A Link Controller license without an add-on that allowed Layer 7 iRule commands.
Impact:
An administrator would not be able to add DNS namespace commands to an iRule, or to upgrade from a pre-11.5 configuration where the commands were working to 11.5.4 through 12.1.1.
Workaround:
To address the inability to upgrade, removal of DNS namespace commands from the configuration prior to upgrade will allow the upgrade to proceed. The commands will then be able to be re-added after a fixed version is installed.
Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.
601178-3 : HTTP cookie persistence 'preferred' encryption
Component: Local Traffic Manager
Symptoms:
When encryption is 'preferred' in the HTTP cookie persistence profile and the client presents a plain-text, route-domain-formatted cookie, the BIG-IP system ignores the cookie and re-load-balances the connection.
Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.
Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.
600827-5 : Stuck nitrox crypto queue can erroneously be reported
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Hardware Error(Co-Processor): n3-crypto0 request queue stuck" will appear in the ltm log file.
Conditions:
Nitrox based system performing SSL under heavy load.
Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.
Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.
600662-4 : NAT64 vulnerability CVE-2016-5745
Vulnerability Solution Article: K64743453
600593-4 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
Component: Local Traffic Manager
Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.
Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.
Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.
Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:
when HTTP_PROXY_REQUEST {
    if { [HTTP::method] equals "CONNECT" } {
        ONECONNECT::reuse disable
    } else {
        ONECONNECT::reuse enable
    }
}
600558-3 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:
1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
Fix:
Errors are no longer logged after deleting user in GUI.
600535 : TMM may core while exiting if MCPD connection was previously aborted
Component: Local Traffic Manager
Symptoms:
TMM cores while exiting after MCPD has spontaneously restarted.
Conditions:
MCPD aborts connection to TMM, typically due to fatal internal configuration errors causing MCPD to exit. This is generally a rarely occurring issue.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
TMM no longer cores when exiting.
600198-4 : OpenSSL vulnerability CVE-2016-2178
Vulnerability Solution Article: K53084033
600174-1 : Wildcard "*" redirection domain cannot be deleted if list is scrollable
Component: Application Security Manager
Symptoms:
Wildcard "*" redirection domain cannot be deleted if list is scrollable
Conditions:
Add redirection domains until list becomes scrollable (at least 4 or 5)
Impact:
The first redirection domain in the list cannot be deleted.
Workaround:
First delete other redirection domains (not the first one) so that the list is no longer scrollable, then re-add them afterwards.
Fix:
Any redirection domain can be removed from the list
600116-1 : DNS resolution request may take a long time in some cases
Component: Access Policy Manager
Symptoms:
DNS resolution may appear slow in some cases
Conditions:
All of the following conditions must be met:
1) DNS Relay proxy is installed on user's machine
2) User's machine has multiple network adapters and some of them are in disconnected state.
Impact:
DNS resolution will be slow
Workaround:
Disable network adapters that are not connected.
Fix:
The DNS Relay proxy server no longer proxies to DNS servers on non-connected interfaces. This fixes the slow DNS resolution issue.
599536-2 : IPsec peer with wildcard selector brings up wrong phase2 SAs
Component: TMOS
Symptoms:
If a remote IPsec peer sends a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector in phase2, the BIG-IP system will find a match against a non-wildcard selector and use that policy to complete phase2 negotiation.
You may encounter this problem if you have one or more remote peers attempting to negotiate phase2 with wildcard traffic-selectors. An IPsec tunnel may start but fail to pass data and at the same time another IPsec tunnel may stop working.
Conditions:
The remote IPsec peer sends a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector in phase2. Phase1 must be established first.
Impact:
A tunnel will start, but data communication (over ESP or AH) will fail.
Other tunnels may be subject to an accidental DoS when a peer establishes phase1 but uses wildcard traffic-selectors in phase2. A traffic-selector matched by wildcard might be bound to a tunnel already in use, which is then taken offline by the new Security Associations.
Fix:
Ensure that phase2 negotiation using a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector does not establish a Security Association with an ipsec-policy associated with a non-wildcard traffic-selector.
Behavior Change:
Previously, a wildcard selector was able to match a non-wildcard selector, and thus engage the wrong (IPsec) tunnel to attempt negotiation, usually failing.
In effect, a wildcard selector was able to bind to the wrong peer; after this change only the right peer should bind. This cleans up the behavior of the selector as an identity key, and prevents random unrelated peers from being disturbed by this noise.
599521-2 : Persistence entries not added if message is routed via an iRule
Component: Service Provider
Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.
Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.
Impact:
Since MRF SIP persistence may be bidirectional, the missing persistence entry keeps messages flowing in the opposite direction from being automatically routed via persistence.
Workaround:
An iRule could be used to route messages directed towards the original client.
Fix:
MRF SIP now adds a persistence entry for messages routed via an iRule.
599285-4 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
Vulnerability Solution Article: K51390683
599168-4 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Vulnerability Solution Article: K35520031
598983-4 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Vulnerability Solution Article: K35520031
598981-2 : APM ACL does not get enforced all the time under certain conditions
Component: Access Policy Manager
Symptoms:
APM ACL does not get enforced all the time under certain conditions
Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.
Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.
Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.
Fix:
Context switching when applying an ACL is now processed properly, and no longer causes the ACL to go unenforced.
598909-1 : SQL produces errors. AVR does not display any statistics.
Component: Application Visibility and Reporting
Symptoms:
SQL produces errors. AVR does not display any statistics. AFM, APM, ASM, AVR, FPS and SWG might be non-functional.
Conditions:
In version 11.6.0 and 11.6.1, there is an issue that occurs intermittently during software build operations.
Impact:
SQL produces errors. AVR does not display any statistics.
Workaround:
If this occurs:
1. Edit the file /var/avr/avr_srv_code.sql.
2. Make sure that the following text starts on a new line:
'# Old tables (for DB upgrade only)'
3. Run: touch /var/avr/init_avrdb
4. Restart the monpd daemon: bigstart restart monpd
Fix:
SQL no longer produces errors in response to an intermittent issue that occurred during software build operations.
598874-3 : GTM Resolver sends FIN after SYN retransmission timeout
Component: Local Traffic Manager
Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.
Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.
Impact:
Firewalls may log the FIN as a possible attack.
Fix:
Do not send anything in response to a SYN retransmission timeout.
598854-1 : sipdb tool incorrectly displays persistence records without a pool name
Component: Service Provider
Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool) are not displayed properly by sipdb.
Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.
Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.
Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.
598498-4 : Cannot remove Self IP when an unrelated static ARP entry exists.
Component: TMOS
Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.
Conditions:
A static ARP entry exists, and no Self IP address is on the same subnet as that static ARP entry. In this condition, none of the Self IP addresses can be deleted, not even those unrelated to the ARP entry.
Impact:
Must delete static ARP entries in order to delete Self IP addresses.
Workaround:
None.
Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.
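The following is an added illustration, not BIG-IP code, of the reachability check behind mcpd error 01071907 as this entry describes it: the pre-fix logic refuses to delete a Self IP whenever any static neighbor entry would be unreachable afterwards, which includes entries that were already unreachable, so an unrelated entry blocks every deletion; the corrected logic refuses only when the deletion itself is what makes an entry unreachable. Self IPs are modelled as address/prefix strings and static ARP/NDP entries as bare addresses; all values are constructed.

```python
"""Reachability check for static ARP/NDP entries when a self IP is deleted.

Added illustration, not BIG-IP code. Self IPs are "addr/prefix" strings,
static neighbor entries are bare addresses; all data is constructed.
"""
import ipaddress


def _reachable(entry, self_ips):
    """True if some self IP's directly connected subnet contains the entry."""
    ip = ipaddress.ip_address(entry)
    return any(ip in ipaddress.ip_interface(s).network for s in self_ips)


def delete_blocked_old(self_ips, static_arps, target):
    """Pre-fix behaviour as described in the entry: refuse the delete if *any*
    static entry would be unreachable afterwards, even one that was never
    reachable through these self IPs in the first place."""
    remaining = [s for s in self_ips if s != target]
    return any(not _reachable(a, remaining) for a in static_arps)


def delete_blocked_fixed(self_ips, static_arps, target):
    """Corrected behaviour: refuse only if the delete is what strands an entry,
    i.e. it was reachable before the delete and is not afterwards."""
    remaining = [s for s in self_ips if s != target]
    return any(_reachable(a, self_ips) and not _reachable(a, remaining)
               for a in static_arps)


if __name__ == "__main__":
    selfs = ["10.1.1.5/24", "10.2.2.5/24"]
    unrelated = ["192.168.99.7"]          # static entry on a subnet we never had
    print("old :", delete_blocked_old(selfs, unrelated, "10.1.1.5/24"))    # True
    print("fixed:", delete_blocked_fixed(selfs, unrelated, "10.1.1.5/24")) # False
```

A related entry on the subnet being removed (for example 10.1.1.200 when 10.1.1.5/24 is the only self IP on that subnet) is still blocked by both versions, which is the behaviour the error message is meant to protect.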
598211-2 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
Component: Access Policy Manager
Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.
Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.
Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.
Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.
when HTTP_REQUEST {
if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
HTTP::path "/Citrix/$store_name/"
}
}
Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.
598039-3 : MCP memory may leak when performing a wildcard query
Component: TMOS
Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.
Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).
Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).
Workaround:
Do not perform wildcard queries.
Fix:
Stopped MCP leaking when wildcard queries are performed.
597966 : ARP/neighbor cache nexthop object can be freed while still referenced by another structure
Component: Local Traffic Manager
Symptoms:
Use after free or double-free of the nexthop object may cause memory corruption or TMM core.
Conditions:
This can happen if the server-side connection establishment takes some time to complete, creating a large enough time window where the nexthop object might be freed.
Impact:
The BIG-IP dataplane might crash. This is a very timing/memory-usage-dependent issue.
Workaround:
None.
Fix:
Management of nexthop object reference counting is more consistent.
597835-1 : Branch parameter in inserted VIA header not consistent as per spec
Component: Service Provider
Symptoms:
MRF SIP in Load Balancing operation mode inserts a Via header into SIP request messages and removes it again from the returned response. This Via header carries encrypted routing information used to route the response message. The SIP specification (RFC 3261) requires all messages in the same transaction (for example, an INVITE and the CANCEL that cancels it) to carry the same branch parameter, but the code used to encrypt the branch value returned a different value on every call.
Conditions:
Via header insertion is enabled on the BIG-IP SIP MRF profile, and a CANCEL is sent for an outstanding INVITE.
Impact:
Some servers verify that the branch parameter in the Via header does not change within a transaction. These servers reject or complain about the request when the value changes.
Fix:
The branch parameter in the inserted Via header is now stable across all messages of a transaction.
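The transaction rule behind this entry, as an added example that is not F5 code: a proxy that inserts its own Via on each request and derives the branch from routing information. The pre-fix generator returns a fresh value per message, so at the server the CANCEL no longer matches the INVITE transaction (RFC 3261 section 17.2.3 matches on the top Via branch and sent-by); the fixed generator derives the branch from the transaction identity (Call-ID plus CSeq number, which an INVITE and its CANCEL share) and the routing information, so every message in the transaction carries the same value. The real product encrypts the routing data; the keyed HMAC used here is a deterministic stand-in. The messages, key and routing string are constructed.

```python
"""SIP Via branch stability within one transaction (RFC 3261 section 17.2.3).

Added example, not F5 code. The HMAC is a deterministic stand-in for the
product's encrypted routing information; messages and key are constructed.
"""
import hashlib
import hmac
import secrets

MAGIC = "z9hG4bK"  # RFC 3261 branch cookie marking an RFC 3261-compliant element
PROXY_KEY = b"constructed-demo-key"
SENT_BY = "proxy.example.net:5060"

INVITE = (  # constructed request from a UA behind the proxy
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK74bf9\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "\r\n"
)
# A CANCEL reuses the Call-ID and CSeq number of the INVITE it cancels.
CANCEL = INVITE.replace("INVITE sip:", "CANCEL sip:").replace("314159 INVITE", "314159 CANCEL")


def parse(raw):
    """Split a SIP message into its start line and an ordered header list."""
    lines = raw.strip().split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header(headers, name):
    """First header with this name (for Via that is the topmost one)."""
    return next(v for n, v in headers if n == name)


def branch_of(via_value):
    """Extract the branch parameter from a Via header value."""
    for param in via_value.split(";")[1:]:
        k, _, v = param.partition("=")
        if k.strip() == "branch":
            return v.strip()
    return None


def insert_via(raw, branch):
    """Proxy behaviour: push our own Via on top of the request."""
    start, rest = raw.split("\r\n", 1)
    return f"{start}\r\nVia: SIP/2.0/UDP {SENT_BY};branch={branch}\r\n{rest}"


def branch_buggy(raw, routing_info):
    """Pre-fix: a new random value on every call, even within one transaction."""
    return MAGIC + secrets.token_hex(12)


def branch_fixed(raw, routing_info):
    """Fixed: deterministic per (Call-ID, CSeq number, routing info)."""
    _, h = parse(raw)
    cseq_num = header(h, "cseq").split()[0]  # number only; method differs for CANCEL
    material = "|".join([header(h, "call-id"), cseq_num, routing_info])
    return MAGIC + hmac.new(PROXY_KEY, material.encode(), hashlib.sha256).hexdigest()[:24]


def same_transaction(req_a, req_b):
    """Server-side matching (RFC 3261 17.2.3): the top Via's branch and sent-by
    must be identical for two requests to belong to the same transaction."""
    _, ha = parse(req_a)
    _, hb = parse(req_b)
    via_a, via_b = header(ha, "via"), header(hb, "via")
    return (branch_of(via_a), via_a.split(";")[0]) == (branch_of(via_b), via_b.split(";")[0])


def relay(generator, routing_info="pool=sip-servers;member=10.0.0.5:5060"):
    """Proxy the INVITE and its CANCEL with the given branch generator and
    return whether the server would treat them as one transaction."""
    out_invite = insert_via(INVITE, generator(INVITE, routing_info))
    out_cancel = insert_via(CANCEL, generator(CANCEL, routing_info))
    return same_transaction(out_invite, out_cancel)


if __name__ == "__main__":
    print("buggy branch matches:", relay(branch_buggy))  # False
    print("fixed branch matches:", relay(branch_fixed))  # True
```

Because the fixed derivation still includes the routing information, two transactions routed to different pool members get different branch values, which is what the inserted Via is there to distinguish.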
597729-1 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:
1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
597601-4 : Improvement for a previous issue regressed NAT-T
Component: TMOS
Symptoms:
A change made for an earlier improvement request regressed NAT-T, so that IKE phase 2 cannot establish.
Conditions:
Using NAT-T with IKEv1.
Impact:
NAT-T does not work.
Fix:
NAT-T works again; the regression introduced by the earlier change has been fixed.
597431-4 : VPN establishment may fail when computer wakes up from sleep
Component: Access Policy Manager
Symptoms:
Edge Client does not clean up the routing table before Windows hibernates. This can prevent the VPN from establishing when the computer wakes up, and may also cause other network connectivity issues.
Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation
Impact:
Issues with Network connectivity
Workaround:
Renew the DHCP lease by running ipconfig /renew, or reboot the machine.
597394-1 : Improper handling of IP options
Vulnerability Solution Article: K46535047
597089-5 : Connections are terminated after 5 seconds when using ePVA full acceleration
Component: Local Traffic Manager
Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.
Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the Fast L4 profile with pva-acceleration set to full.
Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.
Workaround:
Disabling the PVA resolves the issue.
597023-4 : NTP vulnerability CVE-2016-4954
Vulnerability Solution Article: K82644737
597010-4 : NTP vulnerability CVE-2016-4955
Vulnerability Solution Article: K03331206
596997-4 : NTP vulnerability CVE-2016-4956
Vulnerability Solution Article: K64505405
596945-2 : AVR DNS record lost after upgrade.
Component: Application Visibility and Reporting
Symptoms:
After upgrading to 11.5.1 through 11.6.0, you are unable to view DNS stats in AVR.
Conditions:
AVR enabled, DNS statistics visible in a version prior to 11.5.1, then upgrade to versions 11.5.1 through 11.6.0.
Impact:
You will be unable to view the DNS statistics.
Fix:
Fixed an issue with DNS stats not displaying in AVR after upgrade.
596814-3 : HA Failover fails in certain valid AWS configurations
Component: TMOS
Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Conditions:
AWS deployments in which the BIG-IP floating IP address matches more than one network interface, for example when unrelated instances in other Amazon VPCs in the same Availability Zone use the same private IP address as the BIG-IP floating IP address.
Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Workaround:
Avoid AWS deployments in which another VPC in the same Availability Zone uses the same IP address as the BIG-IP floating IP address.
Fix:
Failover now filters the network-interface lookup by VPC ID in addition to the IP address, so only interfaces in the BIG-IP's own VPC are considered.
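An added example, not F5's failover code, of the lookup this fix changes: querying EC2 network interfaces by private IP alone can return several ENIs when another VPC in the same Availability Zone reuses the address, so the result has to be filtered by the device's own VPC ID before the floating IP is reassigned to the newly active instance. The records follow the shape of EC2 DescribeNetworkInterfaces output but are constructed; no AWS call is made, and the ENI and VPC identifiers are invented.

```python
"""Select the ENI that owns a floating IP before reassigning it on failover.

Added example, not F5 code. INTERFACES mimics DescribeNetworkInterfaces
output; all identifiers and addresses are constructed.
"""

INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa", "VpcId": "vpc-bigip", "AvailabilityZone": "us-east-1a",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True},
                            {"PrivateIpAddress": "10.0.1.100", "Primary": False}]},
    {"NetworkInterfaceId": "eni-0bbb", "VpcId": "vpc-bigip", "AvailabilityZone": "us-east-1a",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.11", "Primary": True}]},
    # Unrelated instance in another VPC, same AZ, same private address as the floating IP.
    {"NetworkInterfaceId": "eni-0ccc", "VpcId": "vpc-other", "AvailabilityZone": "us-east-1a",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.100", "Primary": True}]},
]


def describe_by_ip(interfaces, ip, vpc_id=None):
    """Mimic the addresses.private-ip-address filter, optionally with vpc-id."""
    hits = [i for i in interfaces
            if any(a["PrivateIpAddress"] == ip for a in i["PrivateIpAddresses"])]
    if vpc_id is not None:
        hits = [i for i in hits if i["VpcId"] == vpc_id]
    return hits


def owner_eni_old(interfaces, floating_ip):
    """Pre-fix lookup by IP only: ambiguous when another VPC reuses the address,
    so the floating IP cannot be reattached reliably (returns None)."""
    hits = describe_by_ip(interfaces, floating_ip)
    return hits[0]["NetworkInterfaceId"] if len(hits) == 1 else None


def owner_eni_fixed(interfaces, floating_ip, my_vpc_id):
    """Fixed lookup by IP and the device's own VPC ID; a remaining ambiguity
    (or no owner at all) is a genuine error and is raised rather than guessed."""
    hits = describe_by_ip(interfaces, floating_ip, vpc_id=my_vpc_id)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} interfaces own {floating_ip} in {my_vpc_id}")
    return hits[0]["NetworkInterfaceId"]


def failover_plan(interfaces, floating_ips, my_vpc_id, target_eni):
    """For each floating IP of the traffic group, decide whether it must move to
    target_eni (the interface of the instance becoming active).
    Returns (ip, current_eni, target_eni) tuples for the moves required."""
    moves = []
    for ip in floating_ips:
        current = owner_eni_fixed(interfaces, ip, my_vpc_id)
        if current != target_eni:
            moves.append((ip, current, target_eni))
    return moves


if __name__ == "__main__":
    print("old lookup  :", owner_eni_old(INTERFACES, "10.0.1.100"))               # None
    print("fixed lookup:", owner_eni_fixed(INTERFACES, "10.0.1.100", "vpc-bigip"))  # eni-0aaa
    print("plan        :", failover_plan(INTERFACES, ["10.0.1.100", "10.0.1.11"],
                                         "vpc-bigip", "eni-0bbb"))
```

In a real deployment the VPC ID comes from the instance's own metadata, and each planned move corresponds to one AssignPrivateIpAddresses call with reassignment allowed; the point of the fix is only that the owner lookup feeding that call is unambiguous.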
596619 : Some 10.2.x client SSL configurations fail to upgrade to 11.6.1.★
Component: Local Traffic Manager
Symptoms:
Some 10.2.x client SSL configurations fail to upgrade to 11.6.1. The upgrade fails with an error similar to the following:
emerg load_config_files: "/usr/libexec/bigpipe load" - failed. -- BIGpipe parsing error (/config/bigpipe/BIG-IP.conf Line 67): 012e0020:3: The requested item (myclientssl {) is invalid (<profile arg> ` show ` list ` edit ` delete ` stats reset) for 'profile'.
Conditions:
Running 10.2.x with a Client SSL profile that has a custom Certificate and Key, and attempting to upgrade to version 11.6.1 or higher.
Impact:
The system fails to upgrade and presents a bigpipe parsing error.
Workaround:
If you have already upgraded and are encountering this issue, do the following:
1. Make a backup copy of /config/bigpipe/BIG-IP.conf.
2. Edit /config/bigpipe/BIG-IP.conf and remove any reference to inherit-certificatechain in the affected ssl profiles.
3. Run /usr/libexec/bigpipe daol.
4. Run tmsh save sys config.
5. Run tmsh load sys config.
This should install the configuration after upgrade failure.
Fix:
A 10.2.x configuration containing a Client SSL profile with a custom Certificate and Key now successfully upgrades to 11.6.1.
596603-11 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
Component: TMOS
Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.
Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.
Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.
Workaround:
Choose c4.4xlarge or other instance types in AWS.
Fix:
Issue corrected so that BIG-IP VE now works with the c4.8xlarge instance type in AWS.
596569-2 : Memory leak on Central device in Symmetric deployment
Component: WebAccelerator
Symptoms:
When AAM is provisioned and symmetric configuration is deployed, a central unit will suffer a memory leak.
Conditions:
AAM is provisioned and a symmetric deployment is used.
Impact:
Due to memory leak BIG-IP will run out of memory and won't be able to properly serve new requests.
Fix:
The allocation that previously leaked is now released as soon as it is no longer required.
596488-4 : GraphicsMagick vulnerability CVE-2016-5118.
Vulnerability Solution Article: K82747025
596340-3 : F5 TLS vulnerability CVE-2016-9244
Vulnerability Solution Article: K05121675
596116-2 : LDAP Query does not resolve group membership, when required attribute(s) specified
Component: Access Policy Manager
Symptoms:
The corresponding session variable session.ldap.last.memberOf contains only the groups of which the user is a direct (explicit) member; nested group memberships are missing.
Conditions:
This occurs when the following conditions are met:
-- When APM LDAP Query is configured with option "Fetch groups to which the user or group belong" is set to "All".
-- The Required Attribute includes the "memberOf" LDAP attribute.
Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.
Workaround:
Add the following attribute to the "Required Attributes" list:
"objectClass"
If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:
"primaryGroupID"
Note: Adding the "primaryGroupID" attribute causes APM to fetch all groups from Microsoft Active Directory, including the user's primary group, which Active Directory does not list in memberOf.
Fix:
LDAP Query now retrieves groups from the backend server in accordance with the "Fetch groups to which the user or group belong" option, regardless of whether any Required Attributes are set.
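What the "All" setting has to do that plain memberOf does not, as an added example that is not APM code: memberOf on a user lists direct memberships only, nested groups are found by following memberOf transitively through the group entries, and the primary group is never in memberOf at all; Active Directory stores it as the primaryGroupID RID, which must be joined to the domain SID to find the group object, which is why the workaround adds that attribute. The directory entries, DNs, SIDs and group names below are constructed.

```python
"""Resolve a user's groups as an LDAP Query with "fetch groups ... All" should.

Added example, not APM code. DIRECTORY is a constructed Active Directory-like
dataset keyed by DN; SIDs and names are invented.
"""

DOMAIN_SID = "S-1-5-21-1111-2222-3333"

DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"],
        "primaryGroupID": "513",  # RID of Domain Users; not reflected in memberOf
    },
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "objectSid": DOMAIN_SID + "-1105",
        "memberOf": ["CN=Remote-Access,OU=Groups,DC=example,DC=com"],  # nested
    },
    "CN=Remote-Access,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "objectSid": DOMAIN_SID + "-1106",
        "memberOf": [],
    },
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectClass": ["group"],
        "objectSid": DOMAIN_SID + "-513",
        "memberOf": [],
    },
}


def direct_groups(directory, dn):
    """What session.ldap.last.memberOf held under the bug: memberOf only."""
    return set(directory[dn].get("memberOf", []))


def nested_groups(directory, dn):
    """Transitive closure over memberOf (groups of groups), cycle-safe."""
    seen, todo = set(), list(directory[dn].get("memberOf", []))
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(directory.get(group, {}).get("memberOf", []))
    return seen


def primary_group(directory, dn, domain_sid=DOMAIN_SID):
    """Map primaryGroupID (a RID) to the group whose objectSid is domainSID-RID."""
    rid = directory[dn].get("primaryGroupID")
    if rid is None:
        return None
    want = f"{domain_sid}-{rid}"
    return next((g for g, e in directory.items() if e.get("objectSid") == want), None)


def all_groups(directory, dn, include_primary=True):
    """Equivalent of fetch groups = All, plus the primaryGroupID join described
    in the workaround note; this is the set an ACL or resource assignment should
    be evaluated against."""
    groups = nested_groups(directory, dn)
    if include_primary:
        pg = primary_group(directory, dn)
        if pg:
            groups.add(pg)
    return groups


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    print("direct:", sorted(direct_groups(DIRECTORY, alice)))
    print("all   :", sorted(all_groups(DIRECTORY, alice)))
```

Policies that key on a nested group (here Remote-Access) or on the primary group silently fail to match when only the direct set is populated, which is why the missing memberships matter for access control rather than being a cosmetic gap.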
595874-4 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.★
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.
As a result of this issue, you may encounter the following symptom:
After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.
Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.
Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:
Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.
Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.
Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.
To perform the installation by using the liveinstall method, and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:
tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot
For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:
tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot
Verify the installation progress by typing the following command:
tmsh show sys software
Output appears similar to the following example:
Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct
Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.
595773-3 : Cancellation requests for chunked stats queries do not propagate to secondary blades
Component: TMOS
Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.
Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).
Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.
Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.
595275-2 : Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
Component: Local Traffic Manager
Symptoms:
Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN when pool goes empty.
Conditions:
This occurs when the configuration contains a pool with only one FQDN pool member.
Impact:
VIP can go briefly RED and offline.
Workaround:
Configuring a fallback static IP node or multiple FQDN pool members removes this risk.
595270 : Memory leaks when session DB tables gets updated
Component: Traffic Classification Engine
Symptoms:
Memory usage stats indicate possible memory leaks.
Conditions:
When CEC flow bundling is used.
Impact:
Potential memory leaks.
Workaround:
Disable CEC flow bundling (tmm.gpa.cec.flow_bundling.enable = false).
594642-1 : Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
Component: Local Traffic Manager
Symptoms:
Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
Conditions:
Stream filter is active during low memory situations
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.
594496-3 : PHP Vulnerability CVE-2016-4539
Vulnerability Solution Article: K35240323
593667 : Dashboard displays incomplete alert details when Polish characters are included
Component: Fraud Protection Services
Symptoms:
Alert details that contain Polish characters are not fully displayed in the dashboard.
Conditions:
Alert details contain Polish characters.
Impact:
Causes difficulty assigning alert severity.
Workaround:
None
Fix:
Alerts are now displayed correctly.
593530-1 : In rare cases, connections may fail to expire
Component: Local Traffic Manager
Symptoms:
Connections have an idle timeout of 4294967295 seconds (the maximum unsigned 32-bit value, so they effectively never time out).
Conditions:
Any IP (ipother) profile is assigned to virtual server.
Impact:
Connections may linger.
Workaround:
None.
Fix:
Fixed the idle timeout initialization error that occurred when using the Any IP (ipother) profile.
593447-2 : BIG-IP TMM iRules vulnerability CVE-2016-5024
Vulnerability Solution Article: K92859602
593070-5 : TMM may crash with multiple IP addresses per session
Component: Policy Enforcement Manager
Symptoms:
TMM crash
Conditions:
A session with multiple IP addresses that uses PCRF communication for dynamic policy management may crash TMM due to a race condition.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Check for timer expiration prior to processing the timer.
592871-2 : Cavium Nitrox PX/III stuck queue diagnostics missing.
Component: Local Traffic Manager
Symptoms:
Diagnostics tool to investigate rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.
Conditions:
System with Cavium Nitrox PX/III chip(s), which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.
Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.
Workaround:
None.
Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.
592870-3 : Fast successive MTU changes to IPsec tunnel interface crashes TMM
Component: TMOS
Symptoms:
If the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.
Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.
Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).
592868-4 : Rewrite may crash processing HTML tag with HTML entity in attribute value
Component: Access Policy Manager
Symptoms:
If HTML page contains HTML entities in attribute values, rewrite may crash processing this page.
Conditions:
HTML tag like this:
<script src=" " type="text/javascript"></script>
Impact:
Web application may not work correctly.
Workaround:
In most cases the HTML entities can be replaced with the corresponding characters by an iRule.
Fix:
Now rewrite correctly handles HTML entities in attribute values.
592854-4 : Protocol version set incorrectly on serverssl renegotiation
Component: Local Traffic Manager
Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.
Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.
Impact:
Protocol field is invalid (0), and the server will reset the connection.
Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.
592784-4 : Compression stalls, does not recover, and compression facilities cease.
Component: Local Traffic Manager
Symptoms:
Compression stalls, does not recover, and compression facilities may cease.
Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).
Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.
Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.
Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.
592591-1 : Deleting access profile prompts for apply access policy for other untouched access profiles
Component: Access Policy Manager
Symptoms:
After deleting an access profile, the 'Apply Access Policy' link shows up and the status flags for some other untouched access profiles turn yellow. Also, there are APM log messages indicating that the configurations for those untouched access profile have been changed.
Conditions:
An access profile containing macros is copied in the admin UI and subsequently deleted.
Impact:
The access profiles flagged by the deletion have not actually changed. The administrator can click the "Apply Access Policy" link to clear the flag and make the link disappear.
592497-2 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
Component: Local Traffic Manager
Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.
Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.
Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.
Workaround:
None.
Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.
592414-2 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
Component: Access Policy Manager
Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.
Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.
Impact:
Web application malfunction.
Workaround:
None.
Fix:
Fixed.
592113-1 : tmm core on the standby unit with dos vectors configured
Component: Advanced Firewall Manager
Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause core dump
Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured
Impact:
Traffic disrupted while tmm restarts.
592070-1 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
Component: Policy Enforcement Manager
Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.
Conditions:
DHCP virtual created in a non-local traffic group.
Impact:
Variable sharing in the Tcl context will not work.
Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.
Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.
591918-4 : ImageMagick vulnerability CVE-2016-3718
Vulnerability Solution Article: K61974123
591908-4 : ImageMagick vulnerability CVE-2016-3717
Vulnerability Solution Article: K29154575
591894-4 : ImageMagick vulnerability CVE-2016-3715
Vulnerability Solution Article: K10550253
591881-4 : ImageMagick vulnerability CVE-2016-3716
Vulnerability Solution Article: K25102203
591857 : 10-core vCMP guest with ASM may not pass traffic
Component: TMOS
Symptoms:
The TMM plugin manager does not expect/support an ASM guest configuration of 10 cores, thus its calculations as to the number of devices required and numbering does not match the existing number of threads/devices.
Conditions:
11.6.0 HF6
ASM provisioned on a vCMP guest
10 CPU cores allocated to an ASM guest
Impact:
System may not start or may exhibit intermittent failures.
Workaround:
Change the number of cores on the ASM guest to use either 8 CPU cores or 12 CPU cores.
Fix:
This issue was partially fixed in 11.6.0 HF6, but the tmplugin RPM was incorrect. This fix includes the proper RPM.
591806-3 : ImageMagick vulnerability CVE-2016-3714
Vulnerability Solution Article: K03151140
591789-1 : IPv4 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv4 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled on version 11.5.4, 11.6.0 HF6, or 11.6.1.
Impact:
IPv4 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv4 fragments are no longer incorrectly dropped when packet filtering is enabled.
591767-3 : NTP vulnerability CVE-2016-1547
Vulnerability Solution Article: K11251130
591733-2 : Save on Auto-Sync is missing from the configuration utility.
Component: TMOS
Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.
Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.
Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.
Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.
Fix:
This release adds per-device-group save_on_auto_sync flag to GUI: flag now shows in GUI and correctly saves.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.
Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".
591659-3 : Server shutdown is propagated to client after X-Cnection: close transformation.
Component: Local Traffic Manager
Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.
Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.
Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.
Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.
Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.
591476-8 : Stuck crypto queue can erroneously be reported
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox-based systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck.
Conditions:
-- Running on one of the following platforms:
+ BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 5xxx, 7xxx, 10xxx, 11xxx, and 12xxx
+ VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.
Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.
Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:
tmsh modify sys db crypto.queue.timeout value 0
Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue.
591455-2 : NTP vulnerability CVE-2016-2516
Component: TMOS
Vulnerability Solution Article: K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253
591447-3 : PHP vulnerability CVE-2016-4070
Component: TMOS
Vulnerability Solution Article: SOL42065024: PHP vulnerability CVE-2016-4070, available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html
591343-2 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
Component: Local Traffic Manager
Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.
Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.
Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.
Workaround:
None.
Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.
591329-2 : CVE-2016-2108 fixed in Oracle Access Manager library used by BIG-IP APM
Vulnerability Solution Article: K36488941
591328-2 : OpenSSL vulnerability CVE-2016-2106
Vulnerability Solution Article: K36488941
591327-2 : OpenSSL vulnerability CVE-2016-2106
Vulnerability Solution Article: K36488941
591325-2 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
Vulnerability Solution Article: K75152412
591268-3 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
Component: Access Policy Manager
Symptoms:
The virtual server hostname is not resolvable when the DNS Relay proxy is installed and running under certain conditions; it depends on the client machine configuration. Symptom: a negative record in the Windows DNS cache, which can be verified by running ipconfig /displaydns.
Conditions:
A specific client machine configuration.
Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue
Workaround:
* Clear the Windows DNS cache: ipconfig /flushdns
or
* Disable the DNS Relay proxy service.
Fix:
The DNS Relay proxy service now clears the DNS cache after initialization, mitigating the issue described.
591117-1 : APM ACL construction may cause TMM to core if TMM is out of memory
Component: Access Policy Manager
Symptoms:
During ACL construction, TMM sends queries about the assigned ACL information. If the reply message contains an out-of-memory error, TMM did not handle that error properly, causing TMM to core.
Conditions:
BIG-IP is extremely loaded and out of memory.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.
591104-3 : ospfd cores due to an incorrect debug statement.
Component: TMOS
Symptoms:
ospfd cores due to an incorrect debug statement.
Conditions:
This occurs in NSSA configurations when ASE OSPF debugging is enabled in imish (for example, by running the command: debug ospf route ase). The affected configuration commands are (in imish):
debug ospf all
debug ospf route
debug ospf route ase
Impact:
ospfd might crash, interrupting dynamic routing.
Workaround:
Do not enable debugging in ospf that includes 'route ase'.
Fix:
ospfd no longer crashes when debugging is enabled in imish.
591042-5 : OpenSSL vulnerabilities
Vulnerability Solution Article: K23230229
590904-5 : New HA Pair created using serial cable failover only will remain Active/Active
Component: TMOS
Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.
Conditions:
Create a new sync-failover device-group without enabling network failover.
Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.
Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.
Fix:
After creating the sync-failover group without network failover configured, but with a serial failover cable installed, one of the devices becomes Standby and the other remains Active.
590820-2 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Component: Access Policy Manager
Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Conditions:
Intensive use of JavaScript methods such as appendChild(), insertBefore(), and similar methods in a customer's web application code.
Impact:
Very poor web application performance when using Microsoft Internet Explorer.
Workaround:
None.
Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.
589794 : APD might crash if LDAP Query agent failed to retrieve primary group for a user
Component: Access Policy Manager
Symptoms:
APD will crash and generate a core file.
Conditions:
The problem can happen only when all of the following are true:
1. LDAP Query is used with an AD backend.
2. "Fetch groups to which the user or group belong" is set to a value other than None (direct/all).
3. There were previous logins to the BIG-IP system, so the group cache is built and valid.
4. A new group is created in the domain and assigned as the primary group for the user trying to authenticate.
Impact:
Authentication service will be interrupted.
Workaround:
The administrator should reset the group cache using either the GUI (AAA LDAP Server configuration page) or tmsh (apm aaa ldap object). After the cache is reset, it is rebuilt from scratch on the next request and the new group is added to the cache.
589256-3 : DNSSEC NSEC3 records with different type bitmap for same name.
Component: Global Traffic Manager
Symptoms:
For a delegation from a secure zone to an insecure zone, BIG-IP returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.
Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend (BIND, if selected as the fallback). Without a ZSK/KSK for the insecure child zone, BIND responds with an SOA, which the BIG-IP system dynamically signs.
Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.
Workaround:
None.
Fix:
If the response is NODATA from either the proxy or a transparent cache, and the query is for DS, the type bitmap is set to NS.
589223-3 : TMM crash and core dump when processing SSL protocol alert.
Component: Local Traffic Manager
Symptoms:
TMM crash and core dump when processing SSL protocol alert.
Conditions:
During the SSL handshake, if the server sends a protocol alert to the BIG-IP system, TMM might crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts when processing an SSL protocol alert.
589118 : Horizon View client throws an exception when connecting to Horizon 7 VCS through APM.
Component: Access Policy Manager
Symptoms:
If APM is configured as a PCoIP proxy for a Horizon 7 VCS, the Horizon View client fails to retrieve the list of entitlements and writes an exception to its logs.
Conditions:
APM as PCoIP proxy for Horizon 7 View Connection Server.
Impact:
Horizon View client cannot be used with APM to access Horizon 7.
Workaround:
You can use the following iRule to update the broker protocol version returned by APM to be 11.0 instead of 9.0.
when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
    if { [HTTP::method] == "POST" && [HTTP::uri] == "/broker/xml" } {
        set BROKER_REQUEST 1
        HTTP::collect [HTTP::header Content-Length]
    }
}
when HTTP_REQUEST_DATA {
    if { [info exists BROKER_REQUEST] && [regexp {<have-authentication-types[ \t\r\n]*>[ \t\r\n]*<name[ \t\r\n]*>[ \t\r\n]*saml[ \t\r\n]*</name>[ \t\r\n]*</have-authentication-types>} [HTTP::payload]] } {
        HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8"?><broker version="11.0"><set-locale><result>ok</result></set-locale><configuration><result>ok</result><broker-guid>1</broker-guid><authentication><screen><name>saml</name><params></params></screen></authentication></configuration></broker>} Content-Type text/xml
    }
}
when HTTP_RESPONSE {
    if { ! [IP::addr [IP::remote_addr] equals 127.0.0.0/8] } { return }
    set BROKER_RESPONSE 1
    set content_length 0
    if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
        set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length 1048576
    }
    # Only collect when $content_length is not 0
    if { $content_length > 0 } {
        HTTP::collect $content_length
    }
}
when HTTP_RESPONSE_DATA {
    if { ! [info exists BROKER_REQUEST] || ! [info exists BROKER_RESPONSE] } { return }
    regsub "<broker version=\"9.0\">" [HTTP::payload] "<broker version=\"11.0\">" payload
    HTTP::payload replace 0 [HTTP::payload length] $payload
    HTTP::release
}
Fix:
Horizon View client can now be used with APM to access Horizon 7.
588888-2 : Empty URI rewriting is not done as required by browser.
Component: Access Policy Manager
Symptoms:
An empty URI must be rewritten by the server-side and client-side rewriters in the same way: as an empty URI (all browsers treat this type of URI in a specific way).
Conditions:
A tag with an empty 'src' or 'href' attribute.
Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.
Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.
-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.
Fix:
This release fixes the issue: the empty URI is now rewritten the same way on the server side and the client side, as an empty URI (all browsers treat this type of URI in a specific way).
588496-3 : SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541
Vulnerability Solution Article: K10737
588442-3 : TMM can core in a specific set of conditions.
Component: Local Traffic Manager
Symptoms:
TMM can core and assert: 'ifc not set'.
Conditions:
This occurs under the following conditions:
- A unit with a license that rate-limits throughput to something other than max or 1.
- One or more virtual IP addresses configured with DNS profiles with rapid-response enabled.
- Something causing the listener to be disabled or a listener to not be found.
- A DNS request sent to the disabled listener.
Impact:
TMM might core and assert: 'ifc not set'.
Workaround:
None.
588351-2 : IPv6 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
IPv6 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.
588289-4 : GTM is Re-ordering pools when adding pool including order designation
Component: Global Traffic Manager
Symptoms:
GTM re-orders the pools, including the pool with order "0", when adding a pool with a specific order designation.
Conditions:
This occurs when adding pools with a specified order.
Impact:
This changes the pool order unexpectedly, which affects load balancing using global-availability.
588115-3 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, TMM may crash in some specific scenarios if there is an overlapping, more specific route to the floating self-IP range configured on the unit.
Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.
Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.
587966-3 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
Component: Local Traffic Manager
Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.
Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.
Impact:
Type A DNS queries are dropped intermittently.
Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.
Fix:
Type A requests are no longer dropped when A and AAAA DNS queries are sent at the same time with the same source IP and port.
587892-1 : Multiple iRule proc names might clash, causing the wrong rule to be executed.
Component: Local Traffic Manager
Symptoms:
Multiple iRule proc names might clash, causing the wrong rule to be executed.
Conditions:
This occurs when there is an iRule configured with more than one proc, which might cause the wrong proc to get executed.
Impact:
The call proc might execute the wrong proc.
Workaround:
None.
Fix:
Multiple iRules configured with more than one proc no longer cause the wrong proc to get executed.
587698-2 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
Component: TMOS
Symptoms:
The bgpd daemon crashes.
Conditions:
bgp extended-asm-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.
Impact:
bgpd daemon crashes leading to route loss and traffic loss.
Fix:
bgpd no longer crashes when both bgp extended-asm-cap and ip extcommunity-list standard with rt and soo parameters are configured.
587656-3 : GTM auto discovery problem with EHF for ID574052
Component: Global Traffic Manager
Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.
Conditions:
After applying EHF9-685.88-ENG
Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.
Workaround:
Skip to the next engineering hotfix: v11.4.1-hf10/hotfix/HF10-690.10-ENG
Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.
587617-3 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core
Component: Global Traffic Manager
Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.
Conditions:
No GTM server object is configured with an existing self IP.
Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.
Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671
Fix:
gtmd no longer cores.
587077-3 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
Vulnerability Solution Article: K37603172
586878-2 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
Component: TMOS
Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.
The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.
Conditions:
The issue occurs when all of the following conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).
Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.
Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
For example, it might look similar to the following:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
Note: The profile might have a cert-key-chain name but no cert/key. In other words, it could also appear similar to the following example:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        default { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
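To find such profiles before upgrading rather than by reading bigip.conf by hand, the following added example (not F5 code) scans a bigip.conf text for client-ssl profiles whose cert/key are 'none' and whose cert-key-chain entries are empty. The brace-block parser, the classification labels, the treatment of inheriting profiles and the constructed sample config are assumptions of this example.

```python
# Added example, not F5 code: a minimal brace-block reader for bigip.conf that
# reports client-ssl profiles which the cert/key validation would reject.
# SAMPLE_CONFIG is constructed from the two profile shapes quoted above plus a
# valid profile and an inheriting profile for contrast.
SAMPLE_CONFIG = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_default-empty {
    cert none
    cert-key-chain {
        default { }
    }
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_good {
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    inherit-certkeychain false
}
ltm profile client-ssl /Common/cssl_inherit {
    defaults-from /Common/clientssl
    inherit-certkeychain true
}
"""

def iter_blocks(text):
    """Yield (header, body) for each brace block at this nesting level; header is
    the last line before the opening brace (the block's key or object name)."""
    pos = 0
    while (open_idx := text.find("{", pos)) != -1:
        depth, close_idx = 0, open_idx
        while True:
            depth += {"{": 1, "}": -1}.get(text[close_idx], 0)
            if depth == 0:
                break
            close_idx += 1
            if close_idx == len(text):
                raise ValueError("unbalanced braces in config")
        preceding = text[pos:open_idx].strip().splitlines()
        yield (preceding[-1].strip() if preceding else ""), text[open_idx + 1:close_idx]
        pos = close_idx + 1

def scalar_settings(body):
    """Return the 'key value' lines at this nesting level, skipping nested blocks."""
    settings, depth = {}, 0
    for line in body.splitlines():
        stripped = line.strip()
        if depth == 0 and stripped and "{" not in stripped and "}" not in stripped:
            key, _, value = stripped.partition(" ")
            settings[key] = value.strip()
        depth += stripped.count("{") - stripped.count("}")
    return settings

def chain_has_cert_and_key(profile_body):
    """True if any cert-key-chain entry names both a cert and a key."""
    for header, body in iter_blocks(profile_body):
        if header == "cert-key-chain":
            for _name, entry in iter_blocks(body):
                entry_settings = scalar_settings(entry)
                if entry_settings.get("cert", "none") != "none" and entry_settings.get("key", "none") != "none":
                    return True
    return False

def classify_profile(profile_body):
    """'inherits', 'ok' or 'missing-certkey' for one client-ssl profile body."""
    settings = scalar_settings(profile_body)
    # Assumption: a profile inheriting its cert-key-chain from its parent is
    # validated through the parent, so it is reported separately, not flagged.
    if settings.get("inherit-certkeychain") == "true":
        return "inherits"
    if settings.get("cert", "none") != "none" and settings.get("key", "none") != "none":
        return "ok"
    return "ok" if chain_has_cert_and_key(profile_body) else "missing-certkey"

def classify_clientssl_profiles(config_text):
    """Map each client-ssl profile name in the config to its classification."""
    return {header.split()[-1]: classify_profile(body)
            for header, body in iter_blocks(config_text)
            if header.startswith("ltm profile client-ssl ")}

def find_invalid_clientssl_profiles(config_text):
    """Names of profiles that fail to load after upgrading to a validating version."""
    return [name for name, status in classify_clientssl_profiles(config_text).items()
            if status == "missing-certkey"]

if __name__ == "__main__":
    print("remove or fix before upgrade:", find_invalid_clientssl_profiles(SAMPLE_CONFIG))
```

Run it against a copy of /config/bigip.conf from the pre-upgrade unit; every name it prints is a profile to remove in step 3 and re-create in step 5.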
586738-2 : The tmm might crash with a segfault.
Component: Local Traffic Manager
Symptoms:
The tmm might crash with a segfault.
Conditions:
Using IPsec with hardware encryption.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When IPsec is configured with hardware encryption, an encryption error now returns an error code when appropriate and is handled as expected, so tmm no longer crashes with a segfault.
586718-3 : Session variable substitutions are logged
Component: Access Policy Manager
Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see the following logs: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' with the encrypted password logged
Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.
Impact:
Session variable substitution should not be logged, even if it is secure.
Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.
Fix:
Session variable substitutions are no longer logged.
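As an added example (not F5 code), the following check scans apmd debug output for substitution records that name credential session variables, so an administrator can tell whether a debug-level log captured such material before this fix and needs to be scrubbed. The line layout is assumed from the single log line quoted above; the sample lines and the SENSITIVE_MARKERS list are constructed for this example.

```python
import re

# Assumed apmd debug line layout, modelled on the single line quoted in the
# release note (added example, not F5 code): the substitution record names the
# session variable whose value was expanded.
SUBST_RE = re.compile(
    r"apmd\[(?P<pid>\d+)\]: (?P<code>[0-9a-f]{8}:\d):.*?"
    r'func: "ScanReplaceSessionVar\(\)".*?on \'(?P<var>session\.[\w.]+)\''
)

# Session variable name fragments treated as credential material (constructed list).
SENSITIVE_MARKERS = ("password", "passcode", "secret", "token")

# Constructed sample lines, not real logs.
SAMPLE_LOG = """\
Jan 10 09:15:01 bigip1 debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'
Jan 10 09:15:01 bigip1 debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.username}' start_pos: 0, count: 30 on 'session.logon.last.username'
Jan 10 09:15:02 bigip1 notice apmd[3531]: constructed unrelated line with no substitution
"""


def is_sensitive(var_name):
    """True if the session variable name suggests credential material."""
    return any(marker in var_name.lower() for marker in SENSITIVE_MARKERS)


def find_logged_secret_substitutions(log_text):
    """Return (line_no, pid, variable) for each logged substitution of a sensitive variable."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = SUBST_RE.search(line)
        if match and is_sensitive(match.group("var")):
            findings.append((line_no, int(match.group("pid")), match.group("var")))
    return findings


if __name__ == "__main__":
    for line_no, pid, var in find_logged_secret_substitutions(SAMPLE_LOG):
        print(f"line {line_no}: apmd[{pid}] logged a substitution of {var}; scrub the log before sharing it")
```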
586131-3 : SSLv3 vulnerability CVE-2014-3566
Vulnerability Solution Article: K15702
586006-3 : Failed to retrieve CRLDP list from client certificate if DirName type is present
Component: Access Policy Manager
Symptoms:
Client certificate revocation checking fails.
Conditions:
Two conditions together trigger this problem:
1. A CRLDP agent is configured in the access policy without a server hostname and port, which are needed for DirName type processing, AND
2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list.
Impact:
Users may fail access policy evaluation when client certificates are used.
Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.
585562-1 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
Component: Access Policy Manager
Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.
Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.
Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.
Workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}
Fix:
VMware View HTML5 client shipped with Horizon 7 now works through BIG-IP APM in Chrome/Safari.
585485-4 : Interoperability with "delete IPSEC-SA" between Azure, ASA, and BIG-IP
Component: TMOS
Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.
The BIG-IP system sends and expects messages with two SPIs inside.
Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor may experience this. Azure and Cisco ASA are two such vendors.
Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.
Workaround:
Delete the outbound SA from the BIG-IP system using the tmsh command, specifying the related SA:
(tmos)# delete net ipsec ipsec-sa ?
Properties:
  "{"               Optional delimiter
  dst-addr          Specifies the destination address of the security associations
  spi               Specifies the SPI of the security associations
  src-addr          Specifies the source address of the security associations
  traffic-selector  Specifies the name of the traffic selector
Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.
585424-3 : Mozilla NSS vulnerability CVE-2016-1979
Vulnerability Solution Article: K20145801
585412-2 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
Component: Local Traffic Manager
Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'
Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection that does not use TLS and sends a DATA section containing a text line longer than approximately 8192 characters.
8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.
Impact:
The TCP connection is reset with a reset cause of 'Out of memory' and the email is not delivered.
Workaround:
None.
Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.
585097-3 : Traffic Group score formula does not result in unique values.
Component: TMOS
Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.
Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.
The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.
Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.
Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.
Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.
584373-3 : AD/LDAP resource group mapping table controls are not accessible sometimes
Component: Access Policy Manager
Symptoms:
In the AD/LDAP resource group mapping table, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the dialog bounds.
Conditions:
Very long group names and resource names.
Impact:
It is impossible to delete or move rows in the table; editing is still possible.
Workaround:
Spread one assignment across multiple rows.
Fix:
A scroll bar now appears when needed.
584029-2 : Fragmented packets may cause tmm to core under heavy load
Component: Local Traffic Manager
Symptoms:
tmm cores due to an assertion.
Conditions:
tmm offloads a fragmented packet via an ffwd operation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
583957-4 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.
Component: Local Traffic Manager
Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.
Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.
Impact:
The TMM will be restarted by SOD.
Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.
583936-3 : Removing ECMP route from BGP does not clear route from NSM
Component: TMOS
Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.
Conditions:
ECMP routing must be enabled and in-use.
Impact:
ECMP routes are not properly removed from the main routing table.
Fix:
ECMP routes are now properly removed from the routing table.
583686-3 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
Component: Application Security Manager
Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.
Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.
Impact:
Unable to view or edit the policy, and an 'Illegal meta character in value' violation is triggered.
583516-3 : tmm asserts 'valid node' on Active after a timer fires.
Component: TMOS
Symptoms:
TMM crashes on the assertion 'valid node'.
Conditions:
The cause is unknown, and this happens rarely.
Impact:
tmm crashes.
Workaround:
None.
Fix:
TMM no longer asserts on 'valid node'.
583445 : Alert dashboard does not correctly display Hebrew characters in alerts.
Component: Fraud Protection Services
Symptoms:
Alert server cannot decrypt Hebrew characters in alerts.
Conditions:
Malicious script injection containing wide characters.
Impact:
Incorrectly displayed alerts in dashboard.
Workaround:
None.
Fix:
Alerts are sent encoded and are decoded in the dashboard.
583285-7 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system.
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part two of a two-part fix. Fixes for bug 569236 provide part one of the fix.
583113-3 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
Component: Access Policy Manager
Symptoms:
The following iRule did not work as expected when the access profile had an NTLM auth. The client still received a 407 prompt to enter NTLM credentials.
when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}
Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.
Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.
Workaround:
The following iRule works from HTTP_REQUEST:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}
Fix:
When the ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM is configured, then wake up the ECA plugin".
The fix changed the logic to "if NTLM is configured and the ACCESS filter is not disabled, then wake up the ECA plugin."
583010-9 : Sending a SIP invite with "tel" URI fails with a reset
Component: Service Provider
Symptoms:
Using an "INVITE tel:" URI results in a SIP error (Illegal value).
Conditions:
Sending a SIP "INVITE tel:" to BIG-IP does not work.
Impact:
"INVITE tel:" messages are not accepted by BIG-IP.
Workaround:
None.
Fix:
An EHF will be released to address this issue. It will also be addressed in a future release.
582813-1 : Linux Kernel CVE-2016-0774
Vulnerability Solution Article: K08440897
582752-2 : Macrocall could be topologically not connected with the rest of policy.★
Component: Access Policy Manager
Symptoms:
It is possible to create a macrocall access policy item that:
1. Belongs to the policy items list.
2. Is correctly connected to an ending.
3. Has no incoming rules (that is, no items point at it).
Conditions:
1. Create an access policy with a macrocall item in one of the branches.
2. Remove the item that refers to this macrocall item from the access policy.
As a result, the macrocall item remains.
Impact:
VPE fails to render this access policy.
Workaround:
Delete the macrocall access policy item manually using tmsh commands.
Fix:
Any modification of an access policy is no longer allowed if it would leave any access policy item unreferenced.
At upgrade time, unreferenced access policy items are deleted, along with all subsequent access policy items. The resulting access policies can be rendered correctly by VPE. Note that only the active configuration is corrected; the saved configuration file (/config/bigip.conf) contains the uncorrected version until new configuration changes are made. The active configuration can be saved with an explicit tmsh command ('tmsh save sys config partitions all').
582683-5 : xpath parser doesn't reset a namespace hash value between each and every scan
Component: Application Security Manager
Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.
Conditions:
The customer has a virtual server configured with an XML profile, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.
Impact:
XML content based routing does not work dependably.
Workaround:
N/A
Fix:
The xpath parser now restores the namespace declaration each time it finishes parsing a document.
582526-2 : Unable to display and edit huge policies (more than 4000 elements)
Component: Access Policy Manager
Symptoms:
It takes a very long time, or is not possible, to display huge policies (more than 4000 elements). VPE returns a server timeout error or simply halts.
Conditions:
Huge Access Policy, for example, containing 4000 or more elements.
Impact:
Unable to edit policy because VPE times out.
Workaround:
None.
Fix:
VPE loading times for APM policies are greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.
582440-2 : Linux client does not restore route to the default GW on Ubuntu 15.10
Component: Access Policy Manager
Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.
Conditions:
Ubuntu 15.0: a network access tunnel is connected and then disconnected.
Impact:
User will not be able to reach internet after disconnecting from network access.
Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging and re-plugging the cable should solve the problem.
582029-1 : AVR might report incorrect statistics when used together with other modules.
Component: Application Visibility and Reporting
Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, AVR can get false readings of the activity and, as a result, report unexpectedly large numbers.
Conditions:
The AVR module is used together with other modules, and these modules affect the traffic flow.
Impact:
AVR reports incorrect statistics: unexpectedly large numbers.
Workaround:
None.
Fix:
AVR now identifies the other modules' activity and collects the activity statistics accordingly.
582003-2 : BD crash on startup or on XML configuration change
Component: Application Security Manager
Symptoms:
BD crashes.
An out-of-memory XML message appears in bd.log.
BD does not start up and keeps crashing on startup.
Conditions:
Many XML profiles and relatively large XML configuration.
Impact:
ASM down, machine is offline.
Workaround:
Increase the XML available memory.
Fix:
Fixed an XML memory sanity test that caused a crash when out of XML memory upon reading XML configuration.
581840 : Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
Component: Device Management
Symptoms:
Managing a BIG-IP version 11.6.1 or 11.6.1 HF1 system with an administrator account named something other than “admin” can fail.
Conditions:
This can occur with a BIG-IQ managing a BIG-IP version 11.6.1 or 11.6.1 HF1 system with an account other than “admin”.
Impact:
You cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
Workaround:
Install 11.6.1 HF2 on the BIG-IP system, or use an administrator account named “admin” for managing the device.
Fix:
Can now manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
Behavior Change:
Local requests through the iControl client are now made on port 80 instead of 443.
581835-3 : Command failing: tmsh show ltm virtual vs_name detail.
Component: TMOS
Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:
01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.
Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.
Impact:
No information is displayed by the tmsh show command.
Workaround:
None.
Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.
581834-4 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.
Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin
Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above
Fix:
The Firefox plugin now supports all versions.
581770-2 : Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6
Component: Access Policy Manager
Symptoms:
Network Access clients are unable to pass IPv6 traffic.
Conditions:
A Network Access resource is configured with IPv4&IPv6.
The client attempts to pass IPv6 traffic.
Impact:
IPv6 traffic is dropped.
Fix:
APM will now pass IPv6 traffic through the tunnel if an IPv4&IPv6 resource is configured.
580893-1 : Support for Single FQDN usage with Citrix Storefront Integration mode
Component: Access Policy Manager
Symptoms:
Adding a new login account to Citrix Receiver enumerates the applications and desktops. Logging off and reconnecting with the same account then fails.
Conditions:
-- Citrix Storefront Integration mode with APM.
-- Using the same FQDN to access both Storefront as well as an APM virtual server.
Impact:
Clients are unable to connect.
Workaround:
No workaround other than using different FQDNs.
Fix:
You can now use the same FQDN to successfully access both Storefront as well as an APM virtual server.
580817-3 : Edge Client may crash after upgrade★
Component: Access Policy Manager
Symptoms:
The Edge client may crash after upgrading to 11.4.1 through 12.0.0.
Conditions:
An access policy with a Firewall Checker is used.
BIG-IP is updated to 12.1.0.
Impact:
Users are unable to use the Edge client
Fix:
Fixed a crash in the Edge client
580686-1 : Hostagentd might leak memory on vCMP hosts.
Component: Device Management
Symptoms:
hostagentd resident memory keeps leaking over time. Unexplained system instability. Health monitors might work intermittently.
Conditions:
This occurs when host uptime is two months or longer.
Impact:
hostagentd consumes more than 400 MB of resident memory. In some cases, the process consumes more than 1 GB. This might cause system instability and intensive usage of vCMP host swap memory.
Workaround:
Restart hostagentd on vCMP host.
Fix:
Many stability and other improvements have been made to the hostagentd daemon and associated functionality, so that memory leaks on vCMP hosts no longer occur.
580596-9 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
Vulnerability Solution Article: K14190 K39508724
580460-1 : Client side integrity defense or proactive may break application
Component: Advanced Firewall Manager
Symptoms:
A blank page is shown when client side integrity/proactive is turned on.
Conditions:
1. Client side integrity/proactive is turned on.
2. IE 11 is in compatibility mode (version 8 or lower). IE6 and IE7 work.
Impact:
Application is broken - blank page is shown
Workaround:
N/A
580429-5 : CTU does not show second Class ID for InstallerControll.dll
Component: Access Policy Manager
Symptoms:
The client troubleshooting utility does not display the registered class ID of InstallerControll.dll.
Conditions:
Client troubleshooting utility is used to display all installed edge client components.
Impact:
No impact to end user or administrator. Impacts F5 support.
Workaround:
None.
Fix:
CTU now shows the class ID of InstallerControll.dll.
580421-3 : Edge Client may not register DLLs correctly
Component: Access Policy Manager
Symptoms:
After an end user confirms that they want to install InstallerControll.cab, the browser gets stuck at 'Checking client'.
Conditions:
The client is using Internet Explorer.
Impact:
Clients are unable to install the Edge client components.
Fix:
Edge client components are now registered properly.
580340-3 : OpenSSL vulnerability CVE-2016-2842
Vulnerability Solution Article: K52349521
580313-3 : OpenSSL vulnerability CVE-2016-0799
Vulnerability Solution Article: K22334603
580303-3 : When going from active to offline, tmm might send a GARP for a floating address.
Component: Local Traffic Manager
Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.
Conditions:
Using high availability, and switching a device from active to offline.
Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.
Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.
Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.
580168-2 : Information missing from ASM event logs after a switchboot and switchboot back
Component: Application Security Manager
Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back
Conditions:
ASM is provisioned.
Event logs with violation details are available.
Install or upgrade to another volume and switchboot to it.
Wait for ASM to fully come up.
Switchboot back.
The event logs are still available, but the violation details are gone.
Impact:
Information missing from ASM event logs after a switchboot and switchboot back
Workaround:
N/A
Fix:
N/A
580026-3 : HSM logging error
Component: Local Traffic Manager
Symptoms:
In some cases, HSM logging does not function as designed.
Conditions:
Installing a SafeNet HSM on a BIG-IP chassis.
Impact:
Inaccurate HSM logs.
Fix:
HSM logging has been improved.
579975-3 : OpenSSL vulnerability
Vulnerability Solution Article: K79215841
579955-2 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
Vulnerability Solution Article: K01587042
579919-1 : TMM may core when LSN translation is enabled
Component: Local Traffic Manager
Symptoms:
tmm cores.
Conditions:
A virtual server uses LSN translation with a destination matching a pool-based route.
Impact:
Traffic disrupted while tmm restarts.
Fix:
A virtual server with LSN translation no longer causes tmm to core when the destination matches a pool-based route.
579909-2 : Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
Component: Access Policy Manager
Symptoms:
The secondary blade's MCPD exits if APM Sandbox tries to log a warning message when it fails to remove the corresponding sandbox directory /var/sam/www/webtop/sandbox/files_d/<partition_name>_d while the user is removing the partition.
Several situations can log such a Sandbox warning message and cause an mcpd crash and/or tmm crash. APM can log the warning if it encounters a directory that is not empty, or if the directory does not exist. You will see this error signature in /var/log/ltm:
Mar 11 11:36:49 slot2/viprion-3 warning mcpd[6022]: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: Directory not empty. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/
Conditions:
The sandbox directory corresponding to the partition that you are deleting cannot be removed on the secondary blade for any reason (it does not exist, it is not empty, etc.). This can occur on the secondary blades if you create a partition before provisioning APM, then delete the partition on the primary blade, and auto-sync is enabled in the device group.
Impact:
Secondary MCPD exits and blade restarts. Tmm can core. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Fixed so that the secondary MCP no longer exits but only logs the warning message, as the partition is successfully deleted.
579843-3 : tmrouted may not re-announce routes after a specific succession of failover states
Component: Local Traffic Manager
Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair using dynamic routing.
Conditions:
- Active/Standby HA pair set up
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
- Active unit has the following succession of failover states:
Active->Offline->Online->Standby->Active
Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession of states above.
Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.
Fix:
tmrouted now re-announces RHI routes after a specific transition of failover states within an HA pair using dynamic routing.
579829-3 : OpenSSL vulnerability CVE-2016-0702
Vulnerability Solution Article: K79215841
579559-2 : DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration
Component: Access Policy Manager
Symptoms:
Network Access always falls back to a TLS connection, even if DTLS is configured, when connecting to some hardware platforms.
Conditions:
Network Access is configured to use DTLS.
A hardware BIG-IP with Nitrox DTLS acceleration is used.
Impact:
The Network Access connection always falls back to a TLS connection.
Workaround:
N/A
Fix:
Previously, Network Access always fell back to a TLS connection even if DTLS was configured when connecting to some hardware platforms. Network Access no longer falls back to TLS.
579524-2 : DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'
Component: Application Security Manager
Symptoms:
Policy Import via iControl REST in an HA pair occasionally fails on the Standby device with - DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'
Conditions:
Active/Standby pair configured
ASM provisioned
Import a security policy, via iControl REST
Impact:
Policy import fails
Workaround:
n/a
Fix:
We have fixed policy import via iControl REST so that it no longer generates the database error.
579371-2 : BIG-IP may generate ARPs after transition to standby
Component: Local Traffic Manager
Symptoms:
tmm generates unexpected ARPs after entering standby.
Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.
Impact:
Unexpected ARP requests that might result in packet loops.
Workaround:
None.
Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.
579284 : Potential memory corruption in MCPd
Component: TMOS
Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.
Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").
Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.
Fix:
Identified and fixed areas of potential memory corruption in MCP.
579237-3 : OpenSSL Vulnerability CVE-2016-0705
Vulnerability Solution Article: K93122894
579220-3 : Mozilla NSS vulnerability CVE-2016-1950
Vulnerability Solution Article: K91100352
579085-4 : OpenSSL vulnerability CVE-2016-0797
Vulnerability Solution Article: K40524634
579049-1 : TMM core due to wrong assert
Component: Application Visibility and Reporting
Symptoms:
Under stress traffic tmm can core with the following backtrace:
frame 3:
in *__GI___assert_fail
frame 4 will look like this:
.... avr_alloc_segmempool_with_id .. mempool.c:278
Conditions:
AVR is provisioned and collecting statistics.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an issue that intermittently caused the TMM to core.
578971-1 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
Component: Local Traffic Manager
Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:
"Slot 1 suffered heartbeat timeout ..."
This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.
Conditions:
mcpd is restarted on a blade.
Impact:
Though all blades recover on their own, the cluster members being marked fail may result in a failover.
Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.
Fix:
The clusterd daemon has been fixed to no longer become blocked when mcpd is restarted. This prevents the cluster member heartbeat timeouts from occurring, and thus no cluster members will be marked failed.
578844-2 : tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
Component: Access Policy Manager
Symptoms:
tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
Conditions:
A Network Access resource with IPv4&IPv6 is used (the SNAT pool in the Network Access resource is set to None). The user is connected to an IPv4 virtual server.
While connected, the user clicks 'Change server' and chooses an IPv6 virtual server.
Impact:
Traffic disrupted while tmm restarts.
578570-2 : OpenSSL Vulnerability CVE-2016-0705
Vulnerability Solution Article: K93122894
578564-3 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
Component: Service Provider
Symptoms:
Connection aborted with RST "ADAPT unexpected state transition (old_state 22 event 7)"
Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.
Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.
Fix:
HTTP::respond works as expected even on an HTTP response returned by an ICAP server after request adaptation.
578353 : Statistics data aggregation process is not optimized
Component: Application Visibility and Reporting
Symptoms:
CPU spikes may occur every 5 minutes
Conditions:
Occurs all the time
Impact:
High CPU usage may be observed every 5 minutes
Workaround:
For versions based on 11.5.4 and 11.6.0 take the following steps:
1. Edit the entry 'AggregationMode' under the /etc/avr/monpd/monpd.cfg file and set it to be 'low' instead of 'medium' or 'high'.
2. Restart monpd afterwards.
For 12.0.0 and on:
tmsh modify sys db avr.stats.aggregation value low
Fix:
The statistics aggregation process in the database, which is performed by monpd, has been optimized and now skips redundant table updates.
578334-3 : Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy.
Component: Application Security Manager
Symptoms:
These errors are visible in asm log:
--------------------
Mar 3 20:18:33 Bip_102 crit g_server.pl[29381]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ImportExportPolicy::Base::fatal_error): no such file '/ts/var/sync/admin~t6jsI8OQtyjKrbs2Djpjng'
Mar 3 20:18:33 Bip_102 info perl[29340]: 01310053:6: ASMConfig change: Import Policy Task Import Policy Task (1457029113.860000) [update]: Status was set to FAILURE. End Time was set to 1457029114. Message was set to Exported policy file not found!.. { audit: username = admin, client IP = 172.18.185.226 }
--------------------
The policy created on the peer device is a stub (default) policy.
Conditions:
ASM provisioned
HA pair (CMI)
Policy Import (REST, inline XML import)
Impact:
Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy on the peer device.
Workaround:
n/a
Fix:
We have fixed the import/export mechanism on HA pair (CMI).
577939-1 : DNS suffixes on user's machine may not be restored correctly in some cases
Component: Access Policy Manager
Symptoms:
DNS suffixes on the user's machine may not be restored correctly if the user reboots the machine without disconnecting the VPN.
This may result in incorrect or failed DNS resolution.
Conditions:
1) The DNS relay proxy component is installed on the user's machine.
2) The user reboots the machine without disconnecting the VPN first.
Impact:
DNS suffixes are not restored correctly, which may lead to incorrect or failed DNS resolution
Workaround:
Disconnect VPN before rebooting machine
Fix:
DNS Suffixes are now restored properly.
577863-2 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after sometime
Component: Policy Enforcement Manager
Symptoms:
If the routing table on the DHCP server is misconfigured so that the DHCP server knows how to send packets to the BIG-IP self IP (used by the BIG-IP DHCP relay) but does not know how to send packets to the DHCP clients, the DHCP client will not receive the DHCP reply to its unicast request and will start broadcasting DHCP renewals. After a while, BIG-IP stops relaying DHCPOFFER and DHCPACK messages to DHCP clients altogether.
Conditions:
The DHCP server's unicast reply to the client is not received by the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP as the source IP).
Impact:
BIG-IP stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.
Workaround:
Fix the DHCP server routing table so that the DHCP server can deliver DHCP reply packets back to the client successfully.
577828-5 : BIND vulnerability CVE-2016-2088
Vulnerability Solution Article: K59692558
577826-4 : BIND vulnerability CVE-2016-1286
Vulnerability Solution Article: K62012529
577823-4 : BIND vulnerability CVE-2016-1285
Vulnerability Solution Article: K46264120
577814-4 : MCPd might leak memory in PEM stats queries.
Component: Policy Enforcement Manager
Symptoms:
Memory leak may result in an "Out of Memory" condition causing functional issues in the BIG-IP.
Conditions:
Occurs when a valid PEM stats query is issued by a UI (GUI, TMSH, REST, etc.) and PEM is configured on the BIG-IP.
Impact:
System may be unresponsive or crash due to being out of memory.
Workaround:
None.
Fix:
Fixed the potential MCPd memory leak in PEM stats queries.
577664-2 : Policy import, to inactive policies list, results in different policies on the sync-failover peers
Component: Application Security Manager
Symptoms:
In a standard Active/Standby setup with a single Sync-Failover device group, Auto-Sync, and ASM enabled, importing an ASM policy (named "ddddd") into the inactive policies list results in the following in the GUI at
"Security ›› Application Security : Security Policies : Inactive Policies":
On active device:
Security Policy Name - Version
ddddd - 2016-02-25 10:39:49
ddddd_2 - 2016-03-01 00:11:46
On standby device:
Security Policy Name - Version
ddddd - 2016-03-01 00:11:41
ddddd_2 - 2016-02-25 10:39:49
According to the "Version" field (time stamps), "ddddd" on the active device is actually "ddddd_2" on the standby device, and the other two policies are not the same.
The device group ends up with three different policies across the two devices.
Conditions:
Active/Standby pair
ASM provisioned
Import security policy to the inactive policies list
Impact:
Three different policies are created on the two devices.
Workaround:
n/a
Fix:
We have fixed the import policy process so that it results in consistent state on both devices in a device group.
577440-1 : audit logs may show connection to hagel.mnet
Component: TMOS
Symptoms:
An iControl host header is improperly formatted with the name hagal.mnet.
The request is properly delivered to the correct host but contains a badly addressed host header, which is ignored.
If authorization fails for the iControl query, the audit log contains this destination information, which may be confusing.
Conditions:
Setting up device trust exercises this code path.
Impact:
No impact to functionality but is confusing for log interpretation.
Workaround:
There is no workaround.
Fix:
The host header is now properly formatted with the destination of the iControl request.
576591-4 : Support for some future credit card number ranges
Component: Application Security Manager
Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm, or Mask. The response contains a credit card number in one of the specific ranges.
Impact:
The traffic passes unmasked or unblocked to the end client.
Workaround:
A custom pattern is possible for these cases, but should be adjusted to each customer specifically.
576350-2 : External input from client doesn't pass to policy agent if it is not the first in the chain.
Component: Access Policy Manager
Symptoms:
When client gets authenticated, and then the session is deleted (times out or is manually deleted from memcache), the browser still has its authorization token.
If client refreshes the page, the browser passes the existing 'authorization' token, which gets deleted by the agent processing the existing task (a message box, in this case) for the targeted agent (HTTP_401_Response agent, in this case).
Conditions:
When a logon page is not the first agent in the access policy chain and it gets a pre-authenticated token from browser.
Impact:
Although client (browser) sends the pre-authenticated token, the browser still posts a challenge for credential (pop up window). This is unnecessary and should not occur.
Workaround:
None.
Fix:
An HTTP_401_RESPONSE page can be placed anywhere in the access policy chain. Any pre-authenticated information for the targeted agent will not be consumed by another agent sitting in front.
576314-2 : SNMP traps for FIPS device fault inconsistent among versions.
Component: Local Traffic Manager
Symptoms:
The snmp traps bigipFipsDeviceError and bigipFipsFault are inconsistent among versions.
Conditions:
This trap is raised if the FIPS device firmware has stopped responding to requests and is no longer functional. The trap is different on the BIG-IP 10350 FIPS platform.
Impact:
The meaning of the trap is that the system is not able to perform any FIPS operations and process FIPS related traffic. You will need to be mindful of which version you are on to interpret the OIDs correctly.
Fix:
An SNMP trap is generated when the system has detected a FIPS device fault indicating that the device can no longer service FIPS operations. The OIDs differ across versions and on one specific platform. The OIDs and versions are:
BIGIP-COMMON-MIB::bigipFipsDeviceError .1.3.6.1.4.1.3375.2.4.0.152
This trap means "Encountered error in the FIPS card operation" on all FIPS platforms
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.156 (from v11.5.4-hf1 and 11.6.1, not 12.0.0)
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.166 (from v12.1.0)
These traps mean "The FIPS card is currently in faulty state" for the specific FIPS hardware included on the BIG-IP 10350
576305-3 : Potential MCPd leak in IPSEC SPD stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IPSEC SPD stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.
576296-2 : MCPd might leak memory in SCTP profile stats query.
Component: Local Traffic Manager
Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.
Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.
Impact:
Performance may be degraded.
Workaround:
None.
Fix:
Resolved a memory leak in mcpd resulting from a query of SCTP profile stats.
576224-1 : NetHSM does not come back after TCP connection to device is reset
Component: Local Traffic Manager
Symptoms:
NetHSM does not come back after TCP connection to device is reset.
Conditions:
TCP connection to NetHSM device is reset.
Impact:
NetHSM stops working.
Workaround:
None.
Fix:
NetHSM connectivity is restored after TCP connection to device is reset.
576069-2 : Rewrite can crash in some rare corner cases
Component: Access Policy Manager
Symptoms:
Rewrite can crash in some rare corner cases when specific erroneous elements are present in HTML content.
Conditions:
Any of the strings:
<meta http-equiv="refresh" />
<meta http-equiv="location" />
<param name="general_servername" />
<param name="wmode" />
triggers a guaranteed rewrite crash.
Impact:
Web application malfunction.
Workaround:
Use an iRule, or fix the improper HTML tag directly.
Fix:
Fixed.
575735-2 : Potential MCPd leak in global CPU info stats code
Component: TMOS
Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.
Conditions:
In some cases, querying global CPU information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying global CPU information stats.
575726-2 : MCPd might leak memory in vCMP interface stats.
Component: TMOS
Symptoms:
MCPd might leak memory in vCMP interface stats.
Conditions:
The memory leak occurs when viewing VCMP interface statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying vCMP interface stats.
575716-2 : MCPd might leak memory in VCMP base stats.
Component: TMOS
Symptoms:
MCPd might leak memory in VCMP base stats.
Conditions:
This occurs when looking at VCMP base statistics.
Impact:
Over time this might cause MCPd to run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying VCMP base stats.
575708-2 : MCPd might leak memory in CPU info stats.
Component: TMOS
Symptoms:
MCPd might leak memory in CPU info stats.
Conditions:
In some cases, querying CPU information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying CPU information stats.
575671-2 : MCPd might leak memory in host info stats.
Component: TMOS
Symptoms:
MCPd might leak memory in host info stats.
Conditions:
In some cases, querying host information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying host information stats.
575660-2 : Potential MCPd leak in TMM rollup stats
Component: TMOS
Symptoms:
MCPd leaks memory so the amount of used memory will grow over time.
Conditions:
In rare cases, such as immediately after a reboot before system performance stats are populated, querying system performance stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying system performance stats.
575649-2 : MCPd might leak memory in IPFIX destination stats query
Component: TMOS
Symptoms:
MCPd might leak memory in IPFIX destination stats query.
Conditions:
In some cases, querying IPFIX destination stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.
575631-3 : Potential MCPd leak in WAM stats query code
Component: WebAccelerator
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying WAM stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying WAM stats.
575626 : Minor memory leak in DNS Express stats error conditions
Component: Local Traffic Manager
Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.
Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.
Impact:
Memory leaks might eventually lead to system reboots.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur in certain error conditions relating to DNS Express statistics.
575619-2 : Potential MCPd leak in pool member stats query code
Component: TMOS
Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.
Conditions:
In some cases, querying pool member stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying pool member stats.
575612-3 : Potential MCPd leak in policy action stats query code
Component: Local Traffic Manager
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying policy action stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying policy action stats.
575609-3 : Zlib accelerated compression can result in a dropped flow.
Component: Access Policy Manager
Symptoms:
Some compression requests fail when the estimated compression output block is too small. Such failures log an error similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.
Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.
Impact:
The flow that encounters the error is dropped.
Workaround:
Disable hardware accelerated compression.
Fix:
Difficult to compress requests may be dropped.
575608-2 : MCPd might leak memory in virtual server stats query.
Component: TMOS
Symptoms:
MCPd might leak memory in virtual server stats query.
Conditions:
In some cases, querying virtual server stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying virtual server stats.
575595-1 : Potential MCPd leak in eviction policy stats.
Component: TMOS
Symptoms:
The memory allocation for mcpd grows by a small amount each time eviction policy stats are queried. To begin to impact the performance of the system, the stats would have to be queried many thousands of times.
Conditions:
An eviction policy is configured, and the stats are displayed in TMSH or the GUI.
Impact:
Performance may be degraded.
Fix:
Resolved a memory leak in mcpd resulting from a query of eviction policy stats.
575591-2 : Potential MCPd leak in IKE message stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IKE message stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IKE message stats.
575589-1 : Potential MCPd leak in IKE event stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IKE event stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IKE event stats.
575587-2 : Potential MCPd leak in BWC policy class stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying BWC policy stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.
575571-2 : MCPd might leak memory in FW DOS SIP attack stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.
Conditions:
This occurs when looking at firewall DOS SIP stats.
Impact:
Over time this can cause MCPd to run out of memory and core.
575499-1 : VPN filter may leave renew_lease timer active after teardown
Component: Access Policy Manager
Symptoms:
TMM cores, making the system unavailable for a period of time until it comes back up.
Conditions:
When using both IPv4 and IPv6 network access resources, with a static IP address for IPv4 and dynamic address assignment for IPv6, tmm cores while the Network Access tunnel is running or at the time of the Network Access disconnect.
Impact:
TMM cores and brings down the system.
Workaround:
N/A
Fix:
No more stale renew_lease timer in vpn_ctx to cause TMM core.
575347-2 : Unexpected backslashes remain in monitor 'username' attribute after upgrade
Component: Local Traffic Manager
Symptoms:
The monitor 'username' attribute contains unexpected backslashes.
Conditions:
Upgrading from an earlier version with a configuration that contains a monitor 'username' attribute with at least one escaped backslash ('\\').
Impact:
Monitor probes contain excess backslashes which can lead to monitor failures.
Workaround:
Un-escape backslashes after upgrade by transforming '\\' sequences to '\'.
Fix:
Removed excess backslashes from monitor 'username' attribute during upgrade process.
575292-4 : DNS Relay proxy service does not respond to SCM commands in timely manner
Component: Access Policy Manager
Symptoms:
The DNS relay proxy service may appear unresponsive when stopped or started through the Service Control Manager, and the user may see a system dialog box saying "Service did not respond in a timely manner".
Conditions:
The DNS relay service component of the Edge Client is installed on the user's machine.
Impact:
Usability. The user may think that the service has failed.
Workaround:
Wait for the service to report its proper status.
Fix:
Service now reports correct status to service control manager immediately.
575170-3 : Analytics reports may not identify virtual servers correctly
Component: Application Visibility and Reporting
Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.
Conditions:
This occurs for virtual servers that are configured in one of these ways:
1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.
2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).
Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.
Workaround:
None.
Fix:
Virtual servers are now identified correctly, and the activity reported in the charts is attributed to the right virtual server.
575027-2 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
Component: TMOS
Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.
Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)
Workaround:
Use untagged VLANs and hypervisor side tagging.
Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.
575011-4 : Memory leak. Nitrox3 Hang Detected.
Component: Local Traffic Manager
Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".
Conditions:
Compression device unavailable during creation of a new context.
Impact:
System can run out of memory.
Workaround:
Disable hardware compression using tmsh:
% tmsh modify sys db compression.strategy softwareonly
Fix:
Repaired memory leak.
574781-2 : APM Network Access IPV4/IPV6 virtual may leak memory
Component: Access Policy Manager
Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, xhead and xdata caches grow over time. Additionally, the ppp_npmode_errors in the ppp stat table will increment with each leak.
Conditions:
APM virtual with Network Access configured with IPV4 and IPv6.
Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.
Workaround:
No workaround short of not enabling IPv6.
Fix:
APM Network Access now correctly manages its memory resources.
574451-2 : ASM chassis sync occasionally fails to load on secondary slot
Component: Application Security Manager
Symptoms:
ASM chassis sync occasionally fails to load on secondary slot when a new policy is created after a series of other configuration changes in quick succession.
Conditions:
A new policy is created after a series of other configuration changes in quick succession
Impact:
ASM chassis sync fails to load on secondary slot.
Workaround:
Make another system-wide configuration change, such as creating a user-defined signature, or wait until the hourly sync occurs.
Fix:
ASM chassis blades are now synchronized correctly after every policy creation.
574153-2 : If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.
Component: Local Traffic Manager
Symptoms:
If an SSL connection gracefully begins to disconnect at the same time as data is being encrypted by SSL acceleration hardware, the connection will remain open until the TCP profile timeout occurs instead of being closed immediately. This can cause unwanted higher memory usage, possibly causing crashes elsewhere.
Conditions:
* A virtual server with ClientSSL or ServerSSL profile.
* BIG-IP SSL acceleration hardware.
* While an SSL record is being encrypted by SSL accelerator hardware, the SSL connection begins to close by client TCP FIN or by any iRule command that closes the connection.
Impact:
There is a potential for higher memory usage, which in turn may cause TMM crash due to memory exhaustion resulting in service disruption.
Workaround:
If the affected SSL traffic does not include any long idle periods, memory consumption can be mitigated by reducing the idle timeout of the TCP or SCTP profile.
Fix:
SSL connections now disconnect normally if a disconnect attempt occurs while data is being encrypted by SSL acceleration hardware.
574116-2 : MCP may crash when syncing configuration between device groups
Component: TMOS
Symptoms:
mcpd on the sync target crashes when syncing configuration.
Conditions:
This can occur when a local non-synced object references an object that is synced (such as a local-only virtual server referencing a synced iRule), and a non-synced object on the target machine happens to be referencing the same synced object. In this condition, mcpd could crash if objects in a sync group are deleted and synced.
Impact:
Outage due to mcp crash which causes tmm to restart.
Workaround:
When you have devices with local-only resources that are referencing objects contained in a sync/failover group, avoid deleting any objects (such as iRules) that might be referenced by other local-only resources on other devices. Instead of a "this object is in use error", mcpd on the target machine will crash.
Fix:
Verify existence of rule objects when validating configuration.
574055-3 : TMM crash after changing raccoon log level
Component: TMOS
Symptoms:
TMM crashes after changing the raccoon log level to debug2
Conditions:
Debug level is set to debug2 while tmm is passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
set debug level to INFO
Fix:
A tmm crash related to changing the debug level while passing traffic has been fixed.
574052-2 : GTM autoconf can cause high CPU usage for gtmd
Component: Global Traffic Manager
Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations, specifically in large configurations of LTM virtual servers whose names contain a "." (dot).
Conditions:
In a large configuration of LTM virtual servers whose names contain ".", the names are converted ("." is replaced by "_") and the converted LTM virtual server name is saved to the config.
This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of virtual servers to find a match.
This problem is caused by large numbers of virtual servers on a single GTM Server (10k virtual servers across 10k Servers is less of an issue than 10k virtual servers on 1 GTM Server).
Impact:
CPU usage is high, which may impact monitoring and LB decisions.
Workaround:
There are some mitigations. The preferable ones (for performance and stability) are listed first.
1. Rename the virtual servers on the LTM to remove the ".". This would require deleting the GTM configuration, rediscovering it, and recreating pools.
2. Turn off autoconf. Run autoconf once to populate the config, then turn it off.
3. Reduce the frequency of autoconf. It will still cause a high CPU usage scenario, but it will be less frequent.
Versions 12.0.0 and higher do not convert the "." to "_", so that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains virtual server names that were previously converted, they may still run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue; a reconfiguration would be necessary.
Fix:
Change algorithm used to match LTM VS names to GTM VS to reduce linear walk of all VSes on a server.
574045-2 : BGP may not accept attributes using extended length
Component: TMOS
Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.
Conditions:
Neighbor sends path attributes using extended length.
Impact:
The BGP adjacency will repeatedly bounce and the RIB will never converge.
Fix:
Received BGP attributes using extended length are no longer rejected.
574020-4 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')
Component: Local Traffic Manager
Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').
Conditions:
This issue occurs when the following conditions are met:
-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').
Impact:
Script fails to work properly, and fails to properly install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which some user environments might not have.
Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).
Fix:
Safenet HSM installation script install now completes successfully if partition password contains special metacharacters (!#{}').
Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.
573778-7 : QEMU vulnerability CVE-2016-1714
Vulnerability Solution Article: K75248350
573643-2 : flash.utils.Proxy functionality is not negotiated
Component: Access Policy Manager
Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.
Conditions:
Presence of flash.utils.Proxy descendants.
Impact:
Customer application malfunction.
Workaround:
None.
573581-4 : DNS Search suffix are not restored properly in some cases after VPN establishment
Component: Access Policy Manager
Symptoms:
A modified DNS suffix after VPN establishment and closure may result in failure to resolve some DNS names.
Conditions:
DNS Relay proxy service is stopped in the middle of VPN session.
User's machine is rebooted.
Impact:
DNS suffixes are not restored properly which may lead to incorrect resolution of certain DNS names.
Workaround:
Any of the following workarounds:
1) Do not stop the DNS relay proxy service in the middle of a VPN session.
2) Restore DNS search suffixes manually.
573429-1 : APM Network Access IPv4/IPv6 virtual may leak memory
Component: Access Policy Manager
Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, connflow and tunnel_nexthop caches grow over time.
Conditions:
APM virtual with Network Access configured with no SNAT and both IPV4 and IPV6 enabled.
Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.
Workaround:
No workaround short of not enabling IPv6 support.
Fix:
Network Access now correctly manages its memory resources.
573406-3 : ASU cannot be completed if license was last activated more than 18 months before
Component: Application Security Manager
Symptoms:
Attack Signature Update (ASU) cannot be completed if the license was last activated more than 18 months before.
Conditions:
The license was last activated more than 18 months before.
Impact:
Attack Signature Update (ASU) cannot be performed.
Workaround:
The license must be re-activated.
Fix:
Attack Signature Update (ASU) can now be completed based on a license retrieved from server.
573402-2 : "C_GetAttributeValue error" with netHSM
Component: Local Traffic Manager
Symptoms:
When netHSM is used with BIG-IP, you will sometimes see "C_GetAttributeValue error".
Conditions:
When netHSM is used, this error message may appear.
Impact:
This message is benign and can be ignored.
Workaround:
This error message is not harmful. Users can ignore it in the log.
Fix:
When netHSM is used, the benign 'C_GetAttributeValue error' messages are no longer posted.
573343-3 : NTP vulnerability CVE-2015-8158
Vulnerability Solution Article: K01324833
573124-2 : TMM vulnerability CVE-2016-5022
Vulnerability Solution Article: K06045217
573075-2 : ADAPT recursive loop when handling successive iRule events
Component: Service Provider
Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause "ADAPT unexpected state transition".
The adapt profile statistic "records adapted" reaches a very high number as it counts every attempt.
Conditions:
A requestadapt or responseadapt profile is configured.
An iRule that parks is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event.
The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.
Impact:
The connection is aborted with RST cause "ADAPT unexpected state transition".
The statistic "records adapted" reaches a very high number.
Eventually the TMM crashes and the BIG-IP fails over.
Workaround:
If possible, arrange the iRules to avoid the conditions above.
In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.
Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the "records adapted" statistic reports the correct number.
572922-2 : Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.★
Component: Application Security Manager
Symptoms:
The following error is produced in ASM log during upgrade:
-----------
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
-----------
Conditions:
ASM provisioned
Impact:
Different portions of the security policy may be incorrectly upgraded.
Workaround:
N/A
Fix:
We have fixed the root cause so that the following error does not reproduce upon upgrading:
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
572887-2 : DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client
Component: Access Policy Manager
Symptoms:
DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client. This happens because f5fpc fails to patch /etc/resolv.conf on Ubuntu 15.10 release.
Conditions:
/etc/resolv.conf, Ubuntu 15.10, f5fpc CLI client and network access establishment.
Impact:
DNS doesn't work properly on Ubuntu 15.10.
Fix:
DNS now works on Ubuntu 15.10 because the f5fpc command line client patches /etc/resolv.conf correctly.
572563-3 : PWS session does not launch on Internet Explorer
Component: Access Policy Manager
Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).
Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services that Internet Explorer (IE) consumes. IE loads the DLL during the upgrade of PWS components. For some reason (especially on slow systems), IE does not unload the old DLL promptly after upgrading PWS, so when COM services are invoked to initialize PWS after the upgrade, the old DLL provides the service. Due to the recent renewal of our signing certificate, the old DLL cannot certify the integrity of the new PWS components. We have researched the issue, but we have not found a way to instruct IE to unload the old DLL after upgrade.
Impact:
PWS session does not launch.
Workaround:
After upgrade, if Internet Explorer (IE) does not enter PWS within 60 seconds, close IE and start a new session. This is a one-time event.
Fix:
Internet Explorer can now launch a Protected Workspace session.
572543-2 : User is prompted to install components repeatedly after client components are updated.
Component: Access Policy Manager
Symptoms:
After auto-update of client components from Internet Explorer, the user is prompted to install components again when they return to the VPN site.
Conditions:
Administrator upgrades BIG-IP to 12.1.
User has client components from a release older than 12.1.
Impact:
User is prompted to install components repeatedly.
Workaround:
Restart browser after components are updated the first time.
572495-3 : TMM may crash if it receives a malformed packet CVE-2016-5023
Vulnerability Solution Article: K19784568
572281-2 : Variable value in the nested script of a foreach command gets reset when there is a parking command in the script
Component: Local Traffic Manager
Symptoms:
When there is something like the following script:
foreach a [list 1 2 3 4] {
set a 10
after 100
}
The script contains a parking command, after, that runs after "set a 10". When the after command returns, the value of a goes back to the value assigned by the foreach, and the value of 10 is lost.
Conditions:
There is a parking command in the nested script of a foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962
Impact:
Variable values get reset.
Workaround:
Set (or set again) the variable value after the parking command.
Fix:
Will be fixed in a later release.
572224-4 : Buffer error due to RADIUS::avp command when vendor IDs do not match
Component: Service Provider
Symptoms:
Errors similar to the following in the ltm log:
err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within 'RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6'.
Conditions:
The issue happens when there is a RADIUS::avp command for a vendor specific AVP and there's a RADIUS request that contains a different vendor-id than what was specified in the iRule command.
Impact:
You are unable to use vendor-specific RADIUS AVP commands.
Workaround:
None.
Fix:
Vendor-specific RADIUS AVP commands no longer generate errors.
572133-2 : tmsh save /sys ucs command sends status messages to stderr
Component: TMOS
Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This is visible if you are watching stderr for error messages.
Conditions:
There are no special conditions; every time the command is run, it sends some status messages to stderr.
Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.
Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.
Fix:
The command will send the status messages to stdout.
572086 : Unable to boot v11.6.0 on 7250 or 10250 platforms
Component: TMOS
Symptoms:
Unable to boot or system constantly rebooting.
Conditions:
Booting into v11.6.0 on 7250 or 10250 platform with RAID disk layout.
Impact:
Unable to boot.
Workaround:
None.
Fix:
This version of the software boots correctly on 7250 or 10250 platforms with RAID disk layout.
572025-2 : HTTP Class profile using a path selector upgrade to a policy that does not match the entire path★
Component: Local Traffic Manager
Symptoms:
If you upgrade to version 11.4.0 through 12.0.0, and your configuration contains an HTTP Class profile containing a paths selector, the generated policy does not match.
Conditions:
An HTTP Class profile containing a paths selector.
Impact:
The generated policy does not match the same paths as original HTTP Class profile.
Workaround:
Manually edit resulting policy
Fix:
The path selector specifier is no longer added to the generated policy, allowing the entire http-uri to be matched.
572015-3 : HTTP Class profile is upgraded to a case-insensitive policy★
Component: Local Traffic Manager
Symptoms:
If you upgrade to version 11.4.0 through 12.0.0, and your configuration contains an HTTP Class profile, the generated policy will be case-insensitive.
Conditions:
HTTP Class profile
Impact:
Generated policy does not match on the same conditions as original HTTP Class profile.
Workaround:
Manually edit generated policy
Fix:
The case-sensitive attribute is added to generated policies during upgrade.
571573-2 : Persistence may override node/pmbr connection limit
Component: Local Traffic Manager
Symptoms:
In certain circumstances, the BIG-IP system may load balance connections to a node or pool member over the configured connection limit.
Conditions:
- Node or pool member configured with connection limit.
- L4 or L7 virtual server.
- Persistence configured on the Virtual Server.
- Very high load on unit.
Impact:
BIG-IP system may load balance connections to a node or pool member over the configured connection limit.
Workaround:
Remove persistence or use another method of limiting the connections (rate limiting or connection limit on the Virtual Server).
Fix:
The BIG-IP system now correctly enforces the pool member/node connection limit.
571344-3 : SSL Certificate with special characters might cause exception when GUI retrieves items list page.★
Component: TMOS
Symptoms:
After upgrading, unable to view certain certs from gui. Catalina.out file could contain the signature MalformedByteSequenceException: Invalid byte 2 of 3-byte UTF-8 sequence.
iControl SOAP methods
====================
Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 will return an exception if returning a certificate with special characters.
Conditions:
SSL Certificate with special characters might cause exception when GUI retrieves items list page. This has been observed on upgrades to BIG-IP version 11.5.4 through 12.0.0.
Impact:
The GUI does not display the page containing certificate information. iControl SOAP cannot return a list of certificates if they contain information with special characters.
Workaround:
None.
Fix:
The GUI now correctly displays certificates with special characters, and iControl SOAP methods Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 no longer return exceptions.
571210-4 : Upgrade, load config, or sync might fail on large configs with large objects.
Component: TMOS
Symptoms:
Attempting to load a large config with large objects may result in the following error message:
err mcpd[7366]: 01070710:3: Database error (52), Can't write blob data, attribute:implementation status:52 - EdbBlobData.cpp, line 57
Attempting to synchronize a large change may result in the following error messages and a crash of the MCPD process:
err mcpd[8210]: 01071693:3: Incremental sync: Caught an exception while adding a transaction to the incremental config sync cache: unexpected exception.
err mcpd[8210]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: Can't write blob data, attribute:msgs status:52
err mcpd[8210]: 01070596:3: An unexpected failure has occurred, request_group destroyed while processing, exiting...
Conditions:
The config must be approximately 19.75 MB (slightly less) prior to processing a large object in the config that exceeds 256 KB.
Or, once config exceeds 19.75 MB and 2 MB of additional memory has been allocated, processing config objects that exceed 256 KB (the larger, the more likely to occur) lead to the error.
Impact:
Upgrade, load config, or sync might fail, and a system crash and restart might occur.
Workaround:
Stagger the load, or reduce the size of particularly large objects within a config.
Fix:
Memory handling is improved so that large configs with large objects now successfully complete upon upgrade, load config, or sync.
571183-2 : Bundle-certificates Not Accessible via iControl REST.
Component: Local Traffic Manager
Symptoms:
Bundle-certificates Not Accessible via iControl REST.
Conditions:
This occurs when using iControl REST to look at bundle certificates via /mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt/bundle-certificates
Impact:
Unable to get data from the command.
Workaround:
If you do not need to do it via iControl REST, you can view bundle certificates using the tmsh command tmsh list sys file ssl-cert ca-bundle.crt bundle-certificates
Fix:
The iControl rest command for viewing bundle-certificates now displays all of the certificates.
571090 : When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
Component: Access Policy Manager
Symptoms:
tmm restarts.
Conditions:
It is not known exactly what the conditions are, but this occurs when BIG-IP is configured as SAML IdP.
Impact:
Tmm may restart.
Workaround:
None
571019-3 : Topology records can be ordered incorrectly.
Component: TMOS
Symptoms:
Topology records can contain missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IP systems in a sync group.
Conditions:
When adding or deleting topology records or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues, including differences in the ordering of topology records on BIG-IP systems in a sync group.
Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IP systems in a sync group.
Workaround:
None.
Fix:
Topology records are now ordered consistently.
571003-1 : TMM Restarts After Failover
Component: Access Policy Manager
Symptoms:
TMM generates core file and restarts.
Conditions:
1. In an HA pair running a version earlier than 11.5.3-HF2 or 11.6.0-HF6, the standby is upgraded to 11.6.0-HF6 EHF 186, 241, 243, or 247.
2. Force failover.
3. A new session is established or an existing session terminated.
Impact:
Service is disrupted. All existing sessions are terminated.
Workaround:
None.
Fix:
TMM no longer generates core file and restarts upon upgrade.
570973-2 : L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2
Component: TMOS
Symptoms:
In BIG-IP v12.0.0 hf1 and hf2 hardware syn cookie feature for L7 (e.g. Standard Virtual Server type or FastL4 with http profile) virtual server is broken due to HSB bitstream update with a new hardware syn cookie algorithm. It does not impact 12.0.0 base release.
Conditions:
Hardware syn cookie is enabled (which is the default setting) on L7 virtual server.
Impact:
When syncookie protection is triggered, ingress legitimate traffic may be dropped by BIG-IP.
Workaround:
Disable hardware syn cookie on L7 virtual servers.
Note: After this workaround you may encounter Bug ID 555020 SW syncookies and windowscaling will cause 3WHS to fail on L7 VIP in which case you would need to apply the workaround from that as well.
Fix:
This bug is fixed in 12.0.0-hf3 and 12.1.0.
570881-4 : IPsec configuration mismatch in IKEv2 causes TMM crash in isakmp_parse_proposal ()
Component: TMOS
Symptoms:
TMM crashes (NULL pointer access).
Conditions:
IPsec configuration mismatch in IKEv2 (for initiator and responder)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a correct configuration.
Fix:
Proper reaction (connection reject) was added for improper configuration.
570818-2 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
Component: TMOS
Symptoms:
LTM IPsec IKEv2 does not support dynamic remote-address CONFIG option, but still might potentially process that information sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure in establishing IPsec SA.
Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.
Impact:
Failure in establishing IPsec SA.
Workaround:
None.
Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.
570716-3 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
Vulnerability Solution Article: K10133477
570667-16 : OpenSSL vulnerabilities
Vulnerability Solution Article: K64009378
570663-3 : Using iControl get_certificate_bundle_v2 causes a memory leak
Component: TMOS
Symptoms:
Using iControl call get_certificate_bundle_v2() causes a memory leak. iControlPortal memory use grows unbounded every time the method is called.
Conditions:
This occurs anytime the method is invoked; BIG-IP devices managed by Enterprise Manager can be especially impacted.
Impact:
Eventually iControlPortal will run out of memory and crash.
Fix:
The memory leak issue has been fixed.
570640-2 : APM Cannot create symbolic link to sandbox. Error: No such file or directory
Component: Access Policy Manager
Symptoms:
The user may encounter the following configuration error when adding a new APM sandbox-contained object in a non-default partition (other than /Common) if the user has ever attempted (but failed) to delete this partition (for example, couldn't delete it because it was not empty).
01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Validating configuration process failed.
Conditions:
The user has ever attempted (but failed) to delete the partition.
Impact:
No more APM sandbox object such as Hosted-Content can be added to the partition.
Upgrade may fail to install configuration with the impacted sandbox object.
Workaround:
Manually use the shell command 'mkdir -p' to re-create the missing directory where the symbolic link is supposed to be created, as shown in the error message.
Directories to create with mkdir -p:
/config/filestore/files_d/OUTSIDE_PROD_d/sandbox_file_d
/var/sam/www/webtop/sandbox/files_d/OUTSIDE_PROD_d/sandbox_file_d
After creating the directories, sync to the active unit.
570617-4 : HTTP parses fragmented response versions incorrectly
Component: Local Traffic Manager
Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value. The filters then misparse the HTTP version.
Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.
Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as an HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.
Workaround:
None.
Fix:
HTTP correctly bounds the response version for other filters to parse.
570563-2 : CRL is not being imported/exported properly
Component: Access Policy Manager
Symptoms:
CRL assigned as part of Machine Cert Auth is not being imported/exported properly.
Conditions:
This occurs when importing SSL certificates and keys using the CRL type, or when adding the Machine Cert Check agent to an Access Profile when creating a new Certificate Authority Profile.
Impact:
Prevents CRL from being exported. Might also impact the import/export of Certificate Authority Profiles.
Workaround:
1. Copy and install the CRL to the other BIG-IP system separately.
2. Modify the exported configuration to use the CRL from step 1.
Fix:
Import and export of CRL is fully supported.
570535 : Multiple Kernel Vulnerabilities
Vulnerability Solution Article: K15685 K15912 K31300371 K16011 K21632201 K31026324 K17239 K17543 K17121 K41739114 K17246 K17458 K17244 K17245 K90230486 K17309 K17307 K31026324 K94105604
570419-2 : Use of session DB on multi-process appliances and blades may core.
Component: TMOS
Symptoms:
On selected devices and blades, tmm runs multiple processes. When running multiple processes, the session DB may occasionally attempt an operation that will cause a tmm segfault.
Conditions:
In order to experience this failure, tmm must be running in multiple processes on the appliance or on the blade, and session DB usage is required with mirroring.
Impact:
Outage and restart of tmm. This applies when bringing up blades as well as bringing peers online.
Workaround:
None.
Fix:
Use of session DB on multi-process appliances and blades no longer cores when bringing up blades as well as bringing peers online.
570363-2 : Potential segfault when MRF messages cross from one TMM to another.
Component: Service Provider
Symptoms:
Potential segfault when Message Routing Framework (MRF) messages cross from one TMM to another.
Conditions:
This issue occurs when MRF messages travel from one TMM to another, and an asynchronous operation also occurs (like persistence).
Impact:
It is possible for the message object to be removed before the asynchronous operation completes. If this occurs, a segfault may occur and the system might restart.
Workaround:
None.
Fix:
This release corrects the issue of potential segfault occurring when MRF messages cross from one TMM to another.
570064-3 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
Component: Access Policy Manager
Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"
Conditions:
BIG-IP APM configured and is accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.
Impact:
The prompt should not occur.
Fix:
Internet Explorer will no longer prompt to run InstallerControll.cab
570057-3 : Can't install more than 16 SafeNet HSMs in its HA group
Component: Local Traffic Manager
Symptoms:
With installation script on the BIG-IP, you can't install more than 16 SafeNet HSMs in its high availability group with versions 5.2 and 5.4.
Conditions:
Attempt to install more than 16 SafeNet HSMs.
Impact:
Installer script failure.
Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.
Fix:
Updated the SafeNet installation scripts by replacing "vtl" with "lunacm" for high availability group creation and member-adding operations for version 6.2.
570053-2 : HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
Component: TMOS
Symptoms:
HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
Conditions:
The issue is seen when all of the conditions below are met.
1. More than one certkeychain is configured in the clientSSL profile.
2. The content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }".
3. A config sync is performed in the HA setup.
Impact:
A missing certkeychain in a clientSSL profile can leave it unable to handle some kinds of SSL traffic. For example, if the clientSSL profile originally has an EC key/cert but loses it, it is no longer able to handle SSL connections using EC cipher suites.
Workaround:
Reconfigure the certkeychains, but avoid modifying the content of any existing certkeychain.
1. On any BIG-IP system, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration.
2. Config sync, so that both systems have only the RSA certkeychain.
3. In any BIG-IP system, add certkeychains for other types (EC or DSA) you need. You can "add" or "delete" but do not "modify" any existing certkeychain.
4. Do config sync, so that both systems have the same certkeychains in the clientSSL profile.
569972-2 : Unable to create gtm topology records using iControl REST
Component: Global Traffic Manager
Symptoms:
The user is unable to create gtm topology records using iControl REST.
Conditions:
This occurs when a user issues an iControl REST POST command for a gtm topology record.
Impact:
The iControl REST POST command fails with the following error: 'Topologies must specify both regions: ldns: server:'.
Workaround:
Use TMSH, iControl SOAP, or the GUI to create gtm topology records.
Fix:
You can now create gtm topology records using iControl REST.
Please be sure to format the gtm topology oid string using the following rules:
1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.
For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC".
569958-2 : Upgrade for application security anomalies
Component: Application Visibility and Reporting
Symptoms:
After upgrading to a newer version, old statistics for application security anomalies are not shown.
Conditions:
Upgrade from a BIG-IP version older than 12.1.0 to a newer version.
Impact:
Old statistics for application security anomalies are lost.
Fix:
After an upgrade to a newer version, old statistics for application security anomalies are retained and shown.
569642-4 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
Component: Local Traffic Manager
Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.
Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- default route to pool via an intermediate router.
- The active unit is handling traffic.
- Active unit fails over and loses its mirroring connection.
- Prior active unit comes back and HA connection is reestablished.
- During the loss of HA and its recovery the now active unit loses its only route to the pool member.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not remove all routes to pool members. If this is needed, create other backup routes prior to the deletion.
Fix:
TMM no longer cores on deleting all routes on a unit with a mirroring fastL4 Virtual during HA connection loss and recovery.
569634 : Aced process is not able to listen to port 6000
Component: TMOS
Symptoms:
When the aced process cannot listen on the port, it aborts and produces a core dump.
Conditions:
In certain scenarios, an exiting instance of the aced process does not properly clean up its socket (listening on port 6000) and does not exit completely, so the new instance of aced cannot listen on that port.
Impact:
The aced process keeps crashing repeatedly.
Fix:
The aced process now explicitly closes the socket file descriptor during exit, so the new instance is able to listen on that port.
569521-4 : Invalid WideIP name without dots crashes gtmd.
Component: Global Traffic Manager
Symptoms:
If a user creates a WideIP or WideIP Alias with a name that does not contain a dot, gtmd crashes.
The symptom is a crash and core dump from gtmd.
Conditions:
This occurs when the following conditions are met:
-- FQDN validation is suppressed by the following setting: gtm global-settings general domain-name-check == 'none'.
-- User attempts to create a WideIP with a name that does not contain a dot.
Impact:
gtmd crashes and WideIPs do not function.
Workaround:
When creating a WideIP or WideIP Alias while FQDN validation has been disabled (by setting gtm global-settings general domain-name-check == 'none'), make sure that the WideIP or WideIP Alias name contains at least one dot, and follows these rules:
-- The name must not end with a dot.
-- The name must not begin with a dot, unless '.' is the entire name.
-- The name contains no consecutive dots.
Fix:
FQDN validation now confirms that a WideIP or WideIP Alias name has at least one dot in an appropriate position and no consecutive dots, so gtmd no longer crashes and dumps core. This validation occurs even when other FQDN validation has been suppressed by setting gtm global-settings general domain-name-check == 'none'.
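The naming rules from the workaround above, as a stand-alone validator. This is an added example, not F5 code: it models the input check that gtmd skipped when domain-name-check was 'none', so a name can be tested before it is submitted; the sample names are constructed.

```python
"""Validator for the WideIP / WideIP Alias name rules listed in the
569521 workaround.  Added example, not F5 code."""
from __future__ import annotations


def wideip_name_problems(name: str) -> list[str]:
    """Return the rules a WideIP (or alias) name breaks; an empty list means OK.

    The bare root name '.' is the one name allowed to begin with a dot,
    per the workaround text, so it is accepted outright.
    """
    if name == ".":
        return []
    problems: list[str] = []
    if "." not in name:
        problems.append("contains no dot")
    if name.startswith("."):
        problems.append("begins with a dot")
    if name.endswith("."):
        problems.append("ends with a dot")
    if ".." in name:
        problems.append("contains consecutive dots")
    return problems


def is_valid_wideip_name(name: str) -> bool:
    return not wideip_name_problems(name)


# Constructed sample names, including the dotless case that crashed gtmd.
SAMPLES = {
    "www.example.com": True,
    ".": True,
    "example": False,           # no dot: the crash trigger before the fix
    ".example.com": False,      # leading dot
    "example.com.": False,      # trailing dot
    "www..example.com": False,  # consecutive dots
}


def check_samples() -> dict[str, bool]:
    """Run every sample through the validator; used by __main__ and the tests."""
    return {n: is_valid_wideip_name(n) for n in SAMPLES}


if __name__ == "__main__":
    for n, ok in check_samples().items():
        print(f"{n!r}: {'ok' if ok else wideip_name_problems(n)}")
```

Note that a trailing dot is rejected even though it is the conventional fully-qualified form, because the workaround says the name must not end with a dot.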
569472-2 : TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
Component: Global Traffic Manager
Symptoms:
tmm cores with sigsegv within lb_why_pmbr_str.
Conditions:
1. Disable a GTM/BIG-IP DNS pool or pool member;
2. pool-member-selection is enabled for load-balancing-decision-log-verbosity.
Impact:
tmm cores.
Workaround:
Disable pool-member-selection for load-balancing-decision-log-verbosity.
Fix:
tmm no longer cores when a GTM/BIG-IP DNS pool or pool member is disabled while pool-member-selection is enabled for load-balancing-decision-log-verbosity.
569467-11 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
Vulnerability Solution Article: K11772107
569356-2 : BGP ECMP learned routes may use incorrect vlan for nexthop
Component: TMOS
Symptoms:
BGP with ECMP may result in learned routes using an incorrect next-hop VLAN if more than one VLAN is configured with global IPv6 addresses in the same RD where the routing protocol is running.
Conditions:
BIG-IP configuration with two or more VLANs configured with IPv6 global addresses and BGP with ECMP is peered with an active IPv6 BGP neighbor. The BGP is also configured with max-paths.
Impact:
The traffic randomly gets sent using the incorrect nexthop.
Workaround:
None
Fix:
Routes learned from the peer will have the correct nexthop VLANs.
569349-2 : Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
Component: Local Traffic Manager
Symptoms:
When the net cos (Class of Service) feature is enabled, the VLAN priority of CMP-redirected packets is not preserved from ingress to egress.
Conditions:
1. net cos feature is enabled
2. packet is being cmp redirected from one tmm to another tmm for processing.
Impact:
Egress packets are not processed according to the ingress VLAN priority by BIG-IP and the downstream router. Certain packets are dropped by the downstream router due to the wrong VLAN priority marking.
Workaround:
None.
569337-2 : TCP events are logged twice in a HA setup
Component: Advanced Firewall Manager
Symptoms:
TCP log events are logged twice (if enabled in the security log profile) with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).
Conditions:
When there is an HA setup (Active/Standby), or for both the client-side and server-side connection flow.
Impact:
TCP log events are logged twice (duplicate events from active unit and standby unit or from both client side and server side of the connection flow).
Workaround:
N/A
Fix:
TCP log events are no longer logged twice when enabled in the security log profile with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).
569309-1 : Clientside HTML parser does not recognize HTML event attributes without value
Component: Access Policy Manager
Symptoms:
Assignment of specific HTML content to tag.innerHTML could lead to a JavaScript error. This happens when one or more tags in the HTML text contain HTML event attributes without a value (such as <div onclick />).
The following or a similar error is logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference
Impact:
Web application does not work when accessed through Portal Access.
Workaround:
An iRule could be provided for the specific application.
Fix:
Now empty inline event handler attributes are not rewritten on client side.
569306-3 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
Component: Access Policy Manager
Symptoms:
The user is shown the logon page to connect to the VPN after logging on to Windows. Windows logon credentials are not used for the VPN automatically.
Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected.
Impact:
The user has to retype their credentials to connect to the VPN.
Workaround:
Enter the credentials again to connect to the VPN.
Fix:
Logged-on credentials are now used automatically to connect to the VPN.
569288-2 : Different LACP key may be used in different blades in a chassis system causing trunking failures
Component: Local Traffic Manager
Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to be unable to aggregate successfully with the peer switch.
Conditions:
This only happens in a chassis-based system when a race condition causes the trunk ID to be modified after initial trunk creation.
Impact:
Non-aggregated trunk members cannot pass traffic.
Workaround:
Restart lacpd on all the blades in the chassis by running the command "clsh bigstart restart lacpd".
569255-3 : Network Access incorrectly manipulates routing table when second adapter being connected if 'Allow Local subnet access' is set to ON
Component: Access Policy Manager
Symptoms:
When Network Access is already established and a second network interface is being connected to client system, VPN quickly reconnects, which breaks existing TCP connections. Because reconnect occurs very quickly, it might appear to the user that nothing happened.
Conditions:
-- 'Allow Local subnet access' enabled.
-- A second network interface is being connected to the client system.
Impact:
Long-standing TCP connection may break, for example, VPN over Network Access.
Workaround:
Disable 'Allow Local subnet access'.
Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.
569236-4 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the first part of a fix provided for this issue. See fixes for bug 569236 for the second part.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system.
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part one of a two-part fix. Fixes for bug 583285 provide part two of the fix.
569206-2 : After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.
Component: Local Traffic Manager
Symptoms:
After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.
Conditions:
Connectivity loss and restoration between HSM and pkcs11d.
Impact:
Sometimes, one or more blades have consistent SSL failures. Others work fine after the network is restored.
Workaround:
None. This is an intermittent failure.
Fix:
All blades now return to a working condition after the network is restored.
568889-2 : Some ZebOS daemons do not start on blade transition secondary to primary.
Component: TMOS
Symptoms:
In some specific cases, the standby unit's secondary blade ZebOS daemons might not get started when it becomes active.
Conditions:
The failover occurs as a result of the primary blade's mcpd restarting.
Impact:
The new primary blade does not start some ZebOS daemons, resulting in OSPF not working as expected on the standby unit.
Workaround:
Run the following command on the new active unit: bigstart restart tmrouted.
Fix:
The BIG-IP system now correctly starts ZebOS daemons on the standby unit on a new blade that is starting up as a primary.
568743-3 : TMM core when dnssec queries to dns-express zone exceed nethsm capacity
Component: Local Traffic Manager
Symptoms:
tmm crashes, and in /var/log/ltm you see entries indicating "Signature failed":
err tmm1[16816]: 01010216:3: DNSSEC: Signature failed (signature creation) for RRSET (host0530.f5test.net, 1) with key /Common/myZSK2, generation 1.
Conditions:
This can occur when a dns-express zone generates more responses than the Thales can sign. The excess requests are queued and tmm can core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when DNSSEC queries to a dns-express zone exceed the nethsm capacity.
568670-2 : ASM fails to start with error - Undefined subroutine &F5::CRC::get_crc32
Component: Application Security Manager
Symptoms:
ASM fails to start with the following error in ts_debug.log:
Undefined subroutine &F5::CRC::get_crc32 called at /usr/local/share/perl5/F5/RamCache.pm line 69
Conditions:
ASM is provisioned.
Impact:
ASM fails to start.
Workaround:
N/A
Fix:
A rare condition in which ASM fails to start has been fixed.
568543-3 : Syncookie mode is activated on wildcard virtuals
Component: Local Traffic Manager
Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.
Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.
Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.
Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.
Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (previous max was 4093)
567862-1 : intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance
Component: Local Traffic Manager
Symptoms:
BIG-IP intermittently has SSL traffic failures with the HSM. This symptom happens on both chassis and appliance. The general error message logged is:
"FIPS acceleration device failure: fips_poll_completed_reqs: req: 44 status: 0x1 : Cancel"
Conditions:
When Safenet HSM is used with BIG-IP.
Impact:
SSL traffic is failing.
Workaround:
"bigstart restart pkcs11d" might mitigate this issue.
Fix:
Multiple issues are fixed including better sync-up between tmm and pkcs11d. Fixes are also included to deal with key handle changes at HSM.
567774-1 : ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root
Component: TMOS
Symptoms:
The properties 'ca-devices' and 'non-ca-device' are available in the 'restart' command but are not valid.
Conditions:
None
Impact:
Do not use the restart command with the properties 'ca-devices' and 'non-ca-device'. The restart command must be used in the same way as the delete command.
Workaround:
A new tmsh command to reset a device trust was added:
'restart cm trust-domain Root', which operates exactly like 'delete cm trust-domain Root'. The properties 'ca-devices' and 'non-ca-device' are available in the 'restart' command but are not valid; they are not available in 'delete cm trust-domain'. The workaround is either not to use these two properties when running 'restart cm trust-domain', or to use 'delete cm trust-domain' instead.
Fix:
The 'ca-devices' and 'non-ca-devices' properties were removed from the tmsh command 'restart cm trust-domain' command because they are not valid.
567660-2 : Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature
Component: Access Policy Manager
Symptoms:
An existing TCP connection is sporadically disrupted by the BIG-IP virtual server sending out a SYN-ACK, causing the existing connection to fail.
The client and virtual server set up a good TCP connection, complete the SSL handshake, and start to pass application data.
The APM virtual server then sends a SYN-ACK with sequence and acknowledgment numbers that do not match the existing stream.
APM then tries three SYN-ACKs before giving up and sends out an RST-ACK, which drops the connection attempt; because it shares the same IP:port as the existing connection, it also resets the good connection.
Conditions:
Auto Last Hop setting is disabled.
Impact:
APM RDG feature does not work.
Workaround:
1. Enable Auto Last Hop
OR
2. Set cmp_enabled to 'NO' on the virtual server.
Fix:
APM RDG feature now works as expected when Auto Last Hop is disabled.
567503-5 : ACCESS::remove can result in confusing ERR_NOT_FOUND logs
Component: Access Policy Manager
Symptoms:
When using the iRule command ACCESS::remove, ERR_NOT_FOUND messages may appear in /var/log/apm. These are not real errors. ACCESS is trying to insert a session variable, but it is not able to find the session because the iRule already deleted the session.
The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.
Conditions:
An iRule using the command ACCESS::remove, and the end-user does a POST.
Impact:
No functional impact, the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.
Workaround:
None.
Fix:
ACCESS::remove no longer results in confusing ERR_NOT_FOUND logs.
567484-5 : BIND Vulnerability CVE-2015-8705
Vulnerability Solution Article: K86533083
567475-5 : BIND vulnerability CVE-2015-8704
Vulnerability Solution Article: K53445000
567457-3 : TMM may crash when changing the IKE peer config.
Component: TMOS
Symptoms:
TMM might crash when changing the IKE peer configuration. It can happen with either IKEv1 or IKEv2 (TMM configuration crash).
Conditions:
This occurs when making changes to IPsec tunnels that cause the configuration to become invalid. For example, changing ISAKMP phase1 from SHA-1 to MD5 results in an invalid configuration.
Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use tmsh to make the affected configuration changes; this occurs in the GUI only, and the tmsh 'create' command does not cause this core.
Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.
567379-1 : libtar vulnerability CVE-2013-4397
Vulnerability Solution Article: K16015326
567355-1 : Scheduled report lost after loading configuration
Component: Application Visibility and Reporting
Symptoms:
A saved scheduled report is lost after loading the system configuration.
Conditions:
1. Create a scheduled report.
2. Save the configuration.
3. Load the configuration.
The scheduled report no longer exists.
Impact:
The scheduled report can be lost.
Fix:
A saved scheduled report is no longer lost after loading the system configuration.
566998-2 : Edge client upgrade fails if client was configured in locked mode★
Component: Access Policy Manager
Symptoms:
Edge client cannot be upgraded automatically to a newer version.
Conditions:
Edge client package was downloaded with the "Enable Always Connected mode" option checked.
Server contains a newer version of Edge client.
Impact:
Automatic upgrade of Edge client fails.
Workaround:
Manually uninstall and re-install the client.
566908-5 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
Component: Access Policy Manager
Symptoms:
A web server listening on a local Wi-Fi or Ethernet IP cannot be accessed after the VPN connects if proxy.pac is defined in a way that forwards all web traffic over the VPN.
Conditions:
proxy.pac, Network Access, OS X system.
Impact:
The local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over the VPN to the corporate proxy server.
Workaround:
None.
Fix:
A web server listening on a local Wi-Fi or Ethernet IP can be accessed after the VPN connects, even if proxy.pac is defined in a way that forwards all web traffic over the VPN to the corporate proxy server.
566758-2 : Manual changes to policy imported as XML may introduce corruption for Login Pages
Component: Application Security Manager
Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.
Conditions:
Expiration period is omitted in hand-crafted XML policy file.
Impact:
The Login Page created as a result is inaccessible in GUI and REST.
Workaround:
Ensure that expiration period exists in XML policy file before import.
Fix:
A policy file, with a missing expiration field, imported as XML is now handled correctly.
566646-4 : Portal Access could respond very slowly for large text files when using IE < 11
Component: Access Policy Manager
Symptoms:
When accessing a large 'text/plain' file from server with Internet Explorer versions 7 through 10 client browsers, Portal Access sometimes holds the response until it fetches and processes the entire file contents. This can take several dozen seconds, or even minutes.
Conditions:
Internet Explorer versions 7 through 10 with Portal Access.
Impact:
Large text files can't be accessed or downloaded through Portal Access.
Workaround:
An iRule that does either of the following:
a) Preferred: append F5CH=I to the request URI in HTTP_REQUEST for affected requests.
b) Call REWRITE::disable for affected requests.
Fix:
Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay.
566576-2 : ICAP/OneConnect reuses connection while previous response is in progress
Component: Service Provider
Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.
Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.
Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.
Workaround:
Remove OneConnect.
Fix:
BIG-IP with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.
566507-2 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.
566361-8 : RAM Cache Key Collision
Component: Local Traffic Manager
Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled
Conditions:
This occurs when RAM cache is enabled in certain circumstances.
Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.
Workaround:
None.
Fix:
The system now avoids RAM Cache Key collisions, the correct object and response format are delivered from the cache, and tmm no longer cores.
566061-3 : Subscriber info missing in flow report after subscriber has been deleted
Component: Policy Enforcement Manager
Symptoms:
If a subscriber is deleted while one of its flows is still active, the flow reports for that flow begin to report the subscriber ID as "unknown", which makes it difficult to map the flow to that subscriber.
Conditions:
Flow reporting is enabled for a subscriber. And the subscriber gets deleted in the middle of a flow.
Impact:
Customers who use the subscriber ID to match flows miss the flows that are reported with an unknown subscriber.
Fix:
We now save the subscriber id so that it can be accessed even after the subscriber has been deleted.
565895-4 : Multiple PCRE Vulnerabilities
Vulnerability Solution Article: K17235
565810-2 : OneConnect profile with an idle or strict limit-type might lead to tmm core.
Component: Local Traffic Manager
Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.
Conditions:
OneConnect profile with a limit-type value of idle or strict.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a limit-type of 'none'.
Fix:
A OneConnect profile using an idle or strict limit-type no longer causes the tmm to core when attempting to shutdown idle connections.
565799-2 : CPU Usage increases when using masquerade addresses
Component: Local Traffic Manager
Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.
Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.
Impact:
Possible performance degradation or reduction in capacity
Fix:
Performance of masquerade address checks is restored.
565765-3 : Flow reporting does not occur for unclassified flows.
Component: Policy Enforcement Manager
Symptoms:
Flow reports are missing for some of the flows.
Conditions:
Flow reporting action has been configured with no classification filter. This was observed for flows that remained unclassified until the very end.
Impact:
If you are using flow reports to track the data usage of the subscriber, the usage will not be accurate.
Workaround:
None.
Fix:
For flows that never get classified, the system now sends flow reports at the end of the flow. Only the FLOW_INIT and FLOW_END reports are sent in this case (there are no FLOW_INTERIM reports). This is the correct behavior.
565534-2 : Some failover configuration items may fail to take effect
Component: TMOS
Symptoms:
These symptoms apply to version 12.0.0 and later:
When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.
These symptoms can occur on all versions:
When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.
Conditions:
For version 12.0.0 and later:
Multicast failover is configured and the system loads the configuration from the configuration files. For example during the first boot of a new boot location, or after performing the procedure in K13030: Forcing the mcpd process to reload the BIG-IP configuration https://support.f5.com/csp/article/K13030.
For all versions:
A change is made to the cm device configuration that includes a unicast-address change along with something else.
Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.
Workaround:
Mitigation for v12.0.0 (and later) symptom:
To restore multicast failover, disable and re-enable multicast failover.
To do so, perform the following procedure on the local device.
1. Determine which interface is being used for multicast failover by running the following tmsh command:
list cm device device1 multicast-interface
2. Disable and re-enable multicast failover by running the following tmsh commands (where eth0 is the interface found in step 1):
modify cm device device1 { multicast-interface none }
modify cm device device1 { multicast-interface eth0 }
Mitigation for all versions symptoms:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.
Fix:
With the fix, sod now sends multicast failover heartbeat datagrams under the condition described above (multicast failover configured and the configuration loaded from the configuration files).
565527-3 : Static proxy settings are not applied in Network Access (NA) configuration
Component: Access Policy Manager
Symptoms:
Applications that cannot evaluate PAC file cannot make use of static proxy configuration either.
Conditions:
- Network Access (NA) setting has static proxy configuration.
- Application on user's system does not support proxy auto configuration, but does support static proxy configuration.
Impact:
The application cannot make connections when a proxy is required to reach the destination, resulting in failed connections from that application.
Workaround:
None.
Fix:
Static proxy settings are now applied in Network Access configurations. This allows applications that do not support PAC files to work inside the VPN.
565463-2 : ASM-config consumes 1.3GB RAM after repeated Policy Import via REST
Component: Application Security Manager
Symptoms:
Multiple ASM-config processes are running (more than 10) and consuming more than a GB.
Conditions:
ASM provisioned.
Repeated policy import via REST.
Impact:
The BIG-IP system might run low on memory and post the following message in /var/log/kern.log: Out of memory: Kill process 22699.
Workaround:
Restart asm (disruptive), or
restart asm_config_server.pl (non-disruptive).
Fix:
We modified an operation to limit the number of ASM configuration processes. The operation now reuses processes instead of creating new ones, so the system no longer runs out of memory.
565409-4 : Invalid MSS with HW syncookies and flow forwarding
Component: Local Traffic Manager
Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.
Conditions:
The conditions which cause this are not fully known.
Impact:
TMM core/reboot.
Workaround:
Disable HW syncookies or TSO.
565231-2 : Importing a previously exported policy which had two object names may fail
Component: Access Policy Manager
Symptoms:
If an exported access policy includes two object names of the form profile_name-aaa and aaa, importing that policy may fail or produce an incorrect result.
Conditions:
For example (two access policy items):
access policy name "test"
access policy item name "test-empty"
access policy item name "empty"
For example (an access policy item and a macro):
access policy name "test"
access policy item name "test-empty"
macro name "empty"
Impact:
This is a rare case, but importing such a policy may fail.
Workaround:
One of the objects could be renamed in the bigip.conf file to avoid such a naming pattern.
Fix:
Objects are now exported correctly, and such policies import without error.
565169 : Multiple Java Vulnerabilities
Vulnerability Solution Article: K48802597
565085-2 : Analytics profile allows invalid combination of entities for Alerts setup
Component: Application Visibility and Reporting
Symptoms:
When non-cumulative metrics are selected for an Alert on a dimension other than Virtual Server, errors appear in the log.
Conditions:
Analytics is in use, and non-cumulative metrics such as the following are used on a time dimension:
- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput
Impact:
You are able to configure invalid alerts but no warning is given and the metric does not work and generates errors in the /var/log/monpd.log file.
Workaround:
None needed. This is cosmetic.
Fix:
Invalid combination of entities for Alerts setup is no longer allowed. Validation is present both on UI side and the backend.
565056-3 : Fail to update VPN correctly for non-admin user.
Component: Access Policy Manager
Symptoms:
VPN is not updated correctly for non-admin users.
Conditions:
Steps to Reproduce:
1. In BIG-IP 12.0, create an Access Policy containing Firewall Check, Machine Info, Machine Cert Auth, Cache and Session Control, Protected Workspace, and VPN Resources with Optimized Applications.
2. Log in as a user without admin privileges.
3. Run Firefox.
4. Log in to the virtual server and install the components.
5. Click the Network Access resource on the webtop to start the VPN tunnel. The user is asked for an admin password, and the VPN is installed and established successfully.
6. Close Firefox and exit the Protected Workspace.
Impact:
VPN is not updated. A user is not asked to enter admin credentials and an error is given: "Error downloading required files (-1)"
Workaround:
None.
Fix:
VPN is now updated as expected for non-admin users.
564876-1 : New DB variable log.lsn.comma changes CGNAT logs to CSV format
Component: Carrier-Grade NAT
Symptoms:
New CSV format that does not use quotes as delimiters was not present prior to 12.1.2.
Conditions:
Setting the DB variable log.lsn.comma
Impact:
More control of logging format via the DB variable log.lsn.comma
Workaround:
N/A
Fix:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.
Behavior Change:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.
564521-3 : JavaScript passed to ExternalInterface.call() may be erroneously unescaped
Component: Access Policy Manager
Symptoms:
JavaScript passed to ExternalInterface.call() may be erroneously unescaped.
Conditions:
Adobe ActionScript 3.0 version 24 or less.
Impact:
Adobe Flash application may crash.
Workaround:
None
Fix:
JavaScript passed to ExternalInterface.call() is no longer erroneously unescaped.
564496-3 : Applying APM Add-on License Does Not Change Effective License Limit
Component: Access Policy Manager
Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated, even though telnet output shows that it is.
Conditions:
1. Set up a high availability (HA) configuration with a base APM license.
2. Apply an APM add-on license to increase Access and CCU license limits.
Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.
Workaround:
To make the add-on license effective, run the following command:
bigstart restart tmm
For systems running v11.5.3, v11.5.4, and v11.6.0, use the following workaround:
- Take one unit Offline.
- Remove the HA configuration.
- Reactivate license on the offline unit.
- Take a peer unit Offline.
- Release the first unit from Offline.
- Reactivate license on the peer unit.
- Rebuild HA configuration.
- Release the peer unit from Offline.
Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.
564493 : Copying an access profile appends an _1 to the name.
Component: Access Policy Manager
Symptoms:
Copying an access profile appends an _1 to the name.
Conditions:
This occurs on every copy operation on an access profile.
Impact:
This is a cosmetic issue that does not impact system functionality.
Workaround:
To workaround this:
1. Copy the profile.
2. Edit bigip.conf to remove the _1 from the profile name.
3. Issue the command: tmsh load sys config.
Fix:
Copying an access profile no longer appends an _1 to the name unless it is needed, for example, when copying a profile whose name already exists.
564482-2 : Kerberos SSO does not support AES256 encryption
Component: Access Policy Manager
Symptoms:
If the delegation account is enforced to use AES256 encryption, then APM Kerberos SSO will fail. Example error message: Dec 18 19:22:19 bigip8910mgmt err websso.7[31499]: 014d0005:3: Kerberos: can't decrypt S4U2Self ticket for user 'username' - Decrypt integrity check failed (-1765328353).
Conditions:
Delegation account is enforced to use AES256 encryption.
Impact:
Kerberos SSO fails, and the user is prompted to enter credentials.
Workaround:
Disable the option to enforce AES256 encryption for the delegation account.
Fix:
Delegation account can be enforced to use AES256 encryption, provided the delegation account is configured as SPN format on the Kerberos SSO configuration.
564427-3 : Use of iControl call get_certificate_list_v2() causes a memory leak.
Component: TMOS
Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.
Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.
Impact:
The httpd process leaks memory.
Workaround:
Restarting httpd helps reduce memory, but it must be restarted periodically to clear up the memory issues.
Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.
564371-2 : FQDN node availability not reset after removing monitoring
Component: Local Traffic Manager
Symptoms:
If you are using FQDN nodes that are being monitored, the node status will remain set to whatever it was before the monitor was removed.
Conditions:
This occurs when removing monitoring from FQDN nodes
Impact:
The expected behavior is that the node status becomes 'unknown'. This could make it so FQDN nodes are permanently marked down or up.
Workaround:
None
Fix:
FQDN node status will now change to Unknown if monitoring is removed.
564263-3 : PEM: TMM asserts when Using Debug Image when Gy is being used
Component: Policy Enforcement Manager
Symptoms:
TMM assert leading to restart.
Conditions:
A policy P1 that references rating group R1 is installed over Gx. A later Gx update removes P1 and adds a policy P2 that references the same rating group R1. TMM cores when policy P2 is subsequently removed.
Impact:
TMM restart and disruption of service.
Workaround:
The PCRF should not add and remove policies in a single update.
Fix:
TMM no longer asserts when a Gx update removes one policy and adds another that references the same rating group.
564262-4 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
Component: Access Policy Manager
Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.
Conditions:
-DNS names cannot be resolved on client system.
-PAC file used to determine proxy server uses JavaScript DNS resolution function.
Impact:
Tunnel server crashes and user cannot establish VPN.
Workaround:
Enable DNS resolution on client or do not use DNS resolution JavaScript functions in PAC file.
Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.
564253-5 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Firefox v44.0 and later does not load Netscape Plugin Application Programming Interface (NPAPI) plugins that have not been signed.
Conditions:
Using APM with Firefox v44.0 and later.
Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.
Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.
Fix:
Firefox v44.0 through v46.0 can now install F5 Networks plugins, perform endpoint checking, and establish network access connections.
564111-1 : Multiple PCRE vulnerabilities
Vulnerability Solution Article: K05428062
564040-4 : Differentiation of missing component alerts
Component: Fraud Protection Services
Symptoms:
The alert reads as 'no cookie' while the actual situation is different.
Conditions:
The component check cookie exists, but it fails to be parsed by the plugin.
Impact:
False positive missing component no-cookie alerts.
Workaround:
None.
Fix:
If the Component Check cookie exists and cookie parsing fails for different reasons, the system now sends different alert components (Unseal Failed or Cookie Malformed).
564039-3 : WebSafe "Missing component" check gets applied on request with different referrer domain.
Component: Fraud Protection Services
Symptoms:
The "Missing component" check looks only at the path in the referrer header and not at the domain name. The result is a false-positive alert indicating that the cookie is missing.
Conditions:
The referrer is coming from a different domain and the system is still performing component validation check.
Impact:
False positive missing component alerts when redirecting from other sites to a WebSafe protected site.
Workaround:
Do not configure the same URL as a protected page.
Fix:
The Missing Component check now looks at the referrer header path as well as the domain name. This prevents false-positive Missing Component alerts when redirecting from other sites to a WebSafe protected site.
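To make the referrer test concrete, the following Python is an added model of the two decision rules, not FPS code and not F5's implementation: the pre-fix rule compares only the Referer path, the post-fix rule requires the Referer host to match the protected site as well. The protected host, protected paths and sample Referer values are constructed; treating an absent Referer as "cookie not expected" is an assumption.

```python
from urllib.parse import urlsplit


def _path_is_protected(path, protected_paths):
    """True if `path` is one of the protected pages or lies under a protected prefix."""
    path = path or "/"
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in protected_paths)


def path_only_check(referer, protected_paths):
    """Pre-fix logic modelled: only the Referer path decides whether the
    component-check cookie is expected, so a redirect from another site's
    /login looks like navigation from the protected /login."""
    if not referer:
        return False
    return _path_is_protected(urlsplit(referer).path, protected_paths)


def host_and_path_check(referer, protected_host, protected_paths):
    """Post-fix logic modelled: the Referer must name the protected host
    (case-insensitively, ignoring port) and a protected path before a
    missing component raises an alert."""
    if not referer:
        return False                          # assumption: no referrer, no expectation
    parts = urlsplit(referer)
    if (parts.hostname or "").lower() != protected_host.lower():
        return False
    return _path_is_protected(parts.path, protected_paths)


def alerting_referers(referers, check):
    """Return the referers for which `check` expects the cookie, i.e. the
    requests that would raise a Missing Component alert when it is absent."""
    return [r for r in referers if check(r)]


# Constructed sample: the component cookie is absent on every request and only
# the Referer differs.
PROTECTED_HOST = "bank.example"
PROTECTED_PATHS = ["/login", "/account/"]
SAMPLE_REFERERS = [
    "https://bank.example/login",               # came from the protected page
    "https://BANK.example:443/account/summary", # same host, different case and port
    "https://partner.example/login",            # other site, same path: the false positive
    "https://bank.example/help",                # same host, unprotected path
    "",                                         # direct navigation, no Referer
]

if __name__ == "__main__":
    old = alerting_referers(SAMPLE_REFERERS, lambda r: path_only_check(r, PROTECTED_PATHS))
    new = alerting_referers(SAMPLE_REFERERS,
                            lambda r: host_and_path_check(r, PROTECTED_HOST, PROTECTED_PATHS))
    print("path-only rule alerts on:", old)
    print("host-and-path rule alerts on:", new)
```

Run against the sample list, only the cross-site redirect changes category: the path-only rule flags it, the host-and-path rule does not, which is exactly the false positive the fix removes.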
563670-11 : OpenSSL vulnerabilities
Vulnerability Solution Article: K86772626
563591-2 : reference to freed loop_nexthop may cause tmm crash.
Component: Local Traffic Manager
Symptoms:
tmm may crash intermittently when there are cmp directed VIP (Virtual IP) to VIP traffic.
Conditions:
When CMP directed VIP to VIP traffic exists.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
none.
Fix:
tmm no longer crashes under this condition.
563554-3 : Accept-language in alerts
Component: Fraud Protection Services
Symptoms:
Accept-language header is not sent in alerts generated by FPS plugin.
Conditions:
Alerts generated by FPS plugin.
Impact:
Makes it harder to analyze the cause of plugin-generated alerts.
Workaround:
None.
Fix:
The accept-language header is now sent in alerts generated by the FPS plugin.
563475-3 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
Component: TMOS
Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.
Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.
Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.
Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.
Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.
563474-2 : SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile
Component: Access Policy Manager
Symptoms:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns a zero value for an APM access profile that has been edited but not yet applied, which should instead return a non-zero value.
config # snmpwalk -v2c 127.0.0.1 -c public F5-BIGIP-APM-MIB::apmPmStatConfigSyncState
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState."/Common/my-test-access" = Counter64: 0
Conditions:
The access profile has been edited but not yet applied.
Impact:
SNMP users cannot discriminate the status of an APM access profile: applied or not applied.
Workaround:
None available.
Fix:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState now returns the correct non-zero value.
563419-5 : IPv6 packets containing extended trailer are dropped
Component: Local Traffic Manager
Symptoms:
Some IPv6 packets are dropped
Conditions:
IPv6 packet contains trailing bytes after payload
Impact:
Packet loss
Fix:
IPv6 packets that exceed the size of the 'Payload Length' header will be trimmed and processed instead of being dropped.
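The fix changes how the received length and the header's Payload Length field are reconciled. The following Python is an added example, not BIG-IP code: on a constructed IPv6/UDP packet it models the strict check that drops any packet whose length is not exactly 40 + Payload Length, and the trimming check that keeps the declared bytes, splits off the trailer, and still rejects a packet that is genuinely truncated. Jumbograms (Payload Length 0) are out of scope and rejected, which is an assumption of the example.

```python
import struct
from ipaddress import IPv6Address

IPV6_HEADER_LEN = 40


def ipv6_declared_length(packet):
    """Total length the IPv6 header claims: 40 + Payload Length (bytes 4-5).
    Raises ValueError on anything that is not a plausible IPv6 packet."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("shorter than the 40-byte IPv6 header")
    version = packet[0] >> 4
    if version != 6:
        raise ValueError("not IPv6: version field is %d" % version)
    payload_len = struct.unpack_from("!H", packet, 4)[0]
    if payload_len == 0:
        # RFC 2675 jumbogram (length carried in a hop-by-hop option): not handled here
        raise ValueError("Payload Length 0 (jumbogram or malformed)")
    return IPV6_HEADER_LEN + payload_len


def strict_length_check(packet):
    """Pre-fix behaviour modelled: accept only if the wire length matches exactly."""
    try:
        return len(packet) == ipv6_declared_length(packet)
    except ValueError:
        return False


def trim_ipv6_trailer(packet):
    """Post-fix behaviour modelled: return (packet_without_trailer, trailer).
    A packet shorter than its declared length is truly truncated and is still
    rejected; bytes beyond the declared length are split off, not dropped."""
    declared = ipv6_declared_length(packet)
    if len(packet) < declared:
        raise ValueError("truncated: declared %d bytes, received %d" % (declared, len(packet)))
    return packet[:declared], packet[declared:]


def classify(packet):
    """Label a packet 'ok', 'trailer', 'truncated' or 'invalid'."""
    try:
        declared = ipv6_declared_length(packet)
    except ValueError:
        return "invalid"
    if len(packet) < declared:
        return "truncated"
    return "trailer" if len(packet) > declared else "ok"


def make_ipv6_packet(src, dst, next_header, payload, hop_limit=64):
    """Build a minimal IPv6 packet (no extension headers) around `payload`."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return header + IPv6Address(src).packed + IPv6Address(dst).packed + payload


# Constructed sample: a 12-byte UDP datagram (8-byte header + "ping") between
# documentation-prefix addresses, then the same packet with 6 bytes of padding
# appended, as a sender or switch might do to reach a minimum frame size.
UDP_PAYLOAD = struct.pack("!HHHH", 40000, 53, 8 + 4, 0) + b"ping"
CLEAN_PACKET = make_ipv6_packet("2001:db8::1", "2001:db8::2", 17, UDP_PAYLOAD)
PADDED_PACKET = CLEAN_PACKET + b"\x00" * 6

if __name__ == "__main__":
    print("strict check accepts padded packet:", strict_length_check(PADDED_PACKET))
    body, trailer = trim_ipv6_trailer(PADDED_PACKET)
    print("trimmed to %d bytes, %d-byte trailer removed" % (len(body), len(trailer)))
```

The trailer is discarded after the split rather than fed to the upper-layer parser, so the UDP length and checksum still cover exactly the declared payload.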
563349-4 : On MAC, Network Access proxy settings are not applied to tun adapter after VPN is established
Component: Access Policy Manager
Symptoms:
In some cases, the user may not be able to browse to external or internal web sites, because the proxy settings are not used.
Conditions:
User's machine has local proxy settings configured
NA settings specify a proxy configuration
Impact:
User may not be able to browse some sites, or the connection would not take the proxy settings into account.
Workaround:
None
563237 : ASM REST: name for ipIntelligenceReference is incorrect
Component: Application Security Manager
Symptoms:
The reference name for a Security Policy's ip-intelligence configuration is not consistent with F5 REST standards, which dictate that a reference name starts with a lower-case letter.
In the return for a policy resource the following is seen:
...
'IpIntelligenceReference': {
'link': 'https://localhost/mgmt/tm/asm/policies/<POLICY ID>/ip-intelligence'
...
This should be 'ipIntelligenceReference'
This has already been corrected in versions 12.0.0 and later.
Conditions:
ASM REST is used to access IP Intelligence for Security Policies.
Impact:
Reference names are inconsistent and confusing.
Workaround:
If an API client wishes to $expand the resource wanted in a way that works against all versions, the pre-expanded name can be used.
?$expand=ip-intelligence
Fix:
We corrected an inconsistent reference name.
'IpIntelligenceReference' is now 'ipIntelligenceReference'.
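An API client that must run against both the 11.6.1 and the 12.0.0+ reference names can tolerate the casing difference instead of branching on version. The following Python is an added illustration, not F5 code: it matches the reference key case-insensitively, falls back to deriving the sub-resource path from selfLink, rewrites the https://localhost/ prefix that iControl REST returns in links to the real management host, and builds the ?$expand= form given in the workaround. The policy ID, management host name and the two response dictionaries are constructed samples.

```python
import re


def reference_name(segment):
    """Map a URL segment to the camelCase reference key iControl REST uses:
    'ip-intelligence' -> 'ipIntelligenceReference'."""
    head, *tail = segment.split("-")
    return head + "".join(part.capitalize() for part in tail) + "Reference"


def find_reference_link(resource, segment):
    """Return the sub-resource link for `segment`, accepting the key in any
    case so one client works with 11.6.1 ('IpIntelligenceReference') and
    12.0.0+ ('ipIntelligenceReference'). Returns None if the reference is absent."""
    wanted = reference_name(segment).lower()
    for key, value in resource.items():
        if key.lower() == wanted and isinstance(value, dict) and "link" in value:
            return value["link"]
    return None


def _to_mgmt_host(link, mgmt_host):
    """iControl REST returns links on https://localhost/; point them at the real host."""
    return re.sub(r"^https://localhost/", "https://%s/" % mgmt_host, link)


def subresource_url(resource, segment, mgmt_host):
    """Prefer the reference link the server gave us; otherwise derive the
    sub-resource URL from selfLink (dropping its ?ver= query)."""
    link = find_reference_link(resource, segment)
    if link is None:
        link = resource["selfLink"].split("?", 1)[0] + "/" + segment
    return _to_mgmt_host(link, mgmt_host)


def expanded_policy_url(resource, segment, mgmt_host):
    """The version-independent form from the workaround: ask the policy
    resource itself to $expand the sub-resource by its segment name."""
    base = resource["selfLink"].split("?", 1)[0]
    return _to_mgmt_host(base, mgmt_host) + "?$expand=" + segment


# Constructed samples; the policy ID 'Ab12CdEf' and the host name are made up.
POLICY_11X = {
    "selfLink": "https://localhost/mgmt/tm/asm/policies/Ab12CdEf?ver=11.6.1",
    "IpIntelligenceReference": {
        "link": "https://localhost/mgmt/tm/asm/policies/Ab12CdEf/ip-intelligence",
    },
}
POLICY_12X = {
    "selfLink": "https://localhost/mgmt/tm/asm/policies/Ab12CdEf?ver=12.0.0",
    "ipIntelligenceReference": {
        "link": "https://localhost/mgmt/tm/asm/policies/Ab12CdEf/ip-intelligence",
    },
}
MGMT_HOST = "bigip.example.net"

if __name__ == "__main__":
    for policy in (POLICY_11X, POLICY_12X):
        print(subresource_url(policy, "ip-intelligence", MGMT_HOST))
    print(expanded_policy_url(POLICY_11X, "ip-intelligence", MGMT_HOST))
```

Both sample policies resolve to the same sub-resource URL, so the calling code never needs to know which spelling the server used.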
563232-2 : FQDN pool in resource prevents Access Policy Sync.
Component: Local Traffic Manager
Symptoms:
FQDN pool in resource causes Access Policy Sync to fail. You will see an error such as "PolicySyncMgr: Failed to create the policy /Common/ap_vdi" after making changes with the following error: "01070734:3: Configuration error: Cannot assign (/Common/myfqdnpool.example.com-10.10.10.10) as a pool member."
Conditions:
- Create a pool with FQDN node
- Add the pool to a resource such as remote-desktop
- Add the resource to an access policy
- Start a policy sync with the policy
Impact:
Policy cannot sync to other devices.
Fix:
Users can now sync an access policy that includes a resource with an FQDN pool.
563227-3 : When a pool member goes down, persistence entries may vary among tmms
Component: Local Traffic Manager
Symptoms:
When a pool member goes down, persistence entries may vary among tmms. The result will be that rather than persisting to a single pool member, the new connections may arrive on different pool members based on the number of tmms on the BIG-IP platform in use.
Conditions:
Using persistence with some connections persisted to a pool member that goes down, either administratively or due to a monitor. During this time, the client is issuing several new connections to the BIG-IP system.
Impact:
Inconsistent persistence entries.
Workaround:
None.
Fix:
The race conditions that involved dropping an offline pool member have been resolved.
563064-1 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
Component: TMOS
Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when IPsec tunnel is removed.
Conditions:
Each time an IPsec tunnel is established and then removed, the allocated cipher memory is left in the system.
Impact:
TMM memory leaks slowly.
Fix:
Cipher memory is now freed when an IPsec tunnel is removed.
562959-2 : In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.
Component: TMOS
Symptoms:
In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.
Conditions:
This occurs when there is some issue processing the packet going through IPsec tunnel.
Impact:
Tmm restart without core due to internal connection timeout.
Workaround:
None.
Fix:
IPsec now only sends packets intended for IPsec over the tunnel.
562928 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
Component: TMOS
Symptoms:
Certain curl connections with the '--local-port' option sometimes fail over IPsec tunnels when the connection.vlankeyed db variable is disabled, with the error 'curl: (7) couldn't connect to host'.
Conditions:
Using the curl command with the '--local-port' option causes the connections to fail on the BIG-IP system.
Impact:
TCP connections do not complete the three-way handshake and traffic does not pass.
Workaround:
Disabling the 'cmp' option on the virtual server allows the traffic to pass over IPsec tunnels.
Fix:
Using the curl command with the '--local-port' option no longer causes the connections to fail on the BIG-IP system.
562919-2 : TMM cores in renew lease timer handler
Component: Access Policy Manager
Symptoms:
TMM generates core.
Conditions:
All three of the following conditions must be met to trigger this:
1) Both IPv4 and IPv6 network access connections are enabled for the same network access resource.
2) The IPv4 address is statically assigned.
3) The IPv6 address is dynamically assigned from the lease pool.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Workaround 1) Use IPv4 only network access connection.
Workaround 2) While using both IPv4 and IPv6 network access connection, assign both IPv4 and IPv6 endpoint addresses from IPv4 and IPv6 leasepool respectively.
Workaround 3) While using both IPv4 and IPv6 network access connection, assign both IPv4 and IPv6 endpoint statically.
Fix:
TMM no longer cores in renew lease timer handler
562775-2 : Memory leak in iprepd
Component: Application Security Manager
Symptoms:
The IP reputation daemon (iprepd) leaks roughly 8 to 16 bytes every 5 minutes.
Conditions:
This occurs when the BIG-IP box is licensed with IPI Subscription, and iprepd is running.
Impact:
Memory increases slowly until the kernel out-of-memory kills the iprepd process.
Workaround:
None.
Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).
562644-4 : TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection
Component: WebAccelerator
Symptoms:
In rare conditions, when a client sends pipelined HTTP requests and AAM is configured, AAM may incorrectly process a subsequent request, causing TMM to crash.
Conditions:
AAM and ASM licensed and provisioned
HTTP compression profile configured on a virtual server
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when AAM receives a pipelined HTTP request while shutting down the connection.
562566-2 : High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems
Component: Local Traffic Manager
Symptoms:
Prior to expiration, the age of persistence entries is reset back to 0, thus retaining the persistence entries forever.
Conditions:
Persistence is configured on a multi-blade system, a configured High Availability peer is present, and a flap occurs on the High Availability connection between active and standby systems.
Impact:
Retention of persistence entries leads to eventual low memory conditions, performance degradation, and traffic outage or restarting of some daemons.
Workaround:
Although no reasonable workaround exists, you can clear the persistence table to reclaim leaked memory.
Fix:
Persistence entries are no longer retained beyond their expiration.
562308-2 : FQDN pool members do not support manual-resume
Component: Local Traffic Manager
Symptoms:
FQDN pool members do not support manual-resume, but allow its configuration.
Conditions:
Attempting to use manual-resume for FQDN pool members.
Impact:
FQDN pool members do not honor manual-resume setting.
Workaround:
Do not configure manual-resume on FQDN pool members.
Fix:
FQDN pool members do not support manual-resume, and BIG-IP no longer allows its configuration.
562292-1 : Nesting periodic after with parking command could crash tmm
Component: Local Traffic Manager
Symptoms:
If an iRule contains a periodic after command, and within this there is another periodic after command whose contents park, it can lead to tmm crashes.
Conditions:
A periodic after command is used, and within this there is another periodic after command whose contents park.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not nest periodic after commands whose contents park.
Fix:
TMM no longer crashes with iRules that contain a periodic after command, which itself contains a periodic after command whose contents park. These iRules now complete as expected.
562122-5 : Adding a trunk might disable vCMP guest
Component: TMOS
Symptoms:
If a vCMP guest is running when a trunk is added, the guest might fail until vCMP is restarted.
Conditions:
-- vCMP guest running
-- Trunk added.
Impact:
Guest failure. vCMP restart required.
Workaround:
Restart vCMP.
Fix:
Adding a trunk no longer disables vCMP guests.
562044-2 : Statistics slow_merge option does not work
Component: TMOS
Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge' then the merging of statistics stops working. This causes statistics to no longer appear to be updated.
Conditions:
The DB variable 'merged.method' is set to 'slow_merge'.
Impact:
Statistics no longer appear to be updated.
Workaround:
1) Set "merged.method" to "fast_merge" which is the default.
-or-
2) Create the /var/tmstat/cluster directory using mkdir. Note that the directory must be created on every blade in a chassis. Additionally, this directory must be re-created after each reboot, so a command such as "/bin/mkdir /var/tmstat/cluster" should be added to "/config/startup".
Fix:
Statistics are now updated as expected when the statistics DB variable option 'merged.method' is set to 'slow_merge'.
561976 : Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely.
Component: Access Policy Manager
Symptoms:
Under heavy authentication requests from tmm with a slow or down back-end authentication server, the apd accept connection queue could get full, resulting in apd logs: AD module: authentication with '1439805563539620' failed: Too many open files.
Conditions:
- Incoming authentication request to apd (from tmm) is very high.
- Back-end authentication server is slow or down.
Impact:
Authentication failures; might bring authentication rate down to zero.
Workaround:
Adjust the somaxconn, connlwm, and connhwm values using the following commands:
- To set the listen backlog limit to 1024, use the following command (this is a sysctl setting, not a tmsh command):
sysctl -w net.core.somaxconn=1024
- Change the low-water mark first, using the following tmsh command:
tmsh modify sys db apm.apd.connlwm value 480
- Then change the high-water mark, using the following tmsh command:
tmsh modify sys db apm.apd.connhwm value 512
Fix:
Values of high-water and low-water mark for the 'apd' pending request queue now handle requests as expected.
561814-1 : TMM Core on Multi-Blade Chassis
Component: TMOS
Symptoms:
TMM core.
Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted, and where traffic is being cached by datastor.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The software defect has been found and fixed.
561623-3 : Realtime encryption causes high CPU usage in older browsers
Component: Fraud Protection Services
Symptoms:
When encrypting using realtime encryption, CPU usage on the browser rises very high.
Conditions:
Client: Internet Explorer 8 or below
FPS: Configured to encrypt password using realtime encryption
Impact:
In extreme cases, browser may prompt user to stop the encryption script.
Workaround:
Disable realtime encryption in your anti-fraud policy.
Fix:
Improved performance of realtime encryption.
561539-2 : [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.★
Component: Global Traffic Manager
Symptoms:
When upgrading from 10.x to 11.x, the Wide IP pool member ratio value is changed from 0 to 1.
Conditions:
1. Upgrade from v10.x to v11.x through 12.0.0
2. Have a Wide IP pool member ratio set to 0.
Impact:
Wide IP pool member ratio is changed to 1 (the default) from 0 after upgrading, potentially enabling selection of members that had been "disabled" with a ratio of 0.
Workaround:
Manually change ratio back to 0 after upgrade.
561500-1 : ICAP Parsing improvement
Component: Service Provider
Symptoms:
If a malformed ICAP message is sent to the BIG-IP, the ICAP parser can enter a state where it consumes an increasing amount of CPU and memory.
Conditions:
A request-adapt or response-adapt profile is configured.
An ICAP message is received from an ICAP server lacking "ICAP/1.0" as initial header line.
Impact:
Memory and CPU usage increase.
Eventually the TMM may crash, causing BIG-IP failover.
Fix:
The ICAP parser now checks for a correct initial ICAP/1.0 header line and rejects the message if it is missing.
561433-3 : TMM Packets can be dropped indiscriminately while under DOS attack
Component: Advanced Firewall Manager
Symptoms:
When tmm is so heavily loaded that it cannot consume packets fast enough, packets can be dropped while being DMAed from the hardware.
Conditions:
This can happen for any of a variety of reasons that cause tmm to be heavily loaded.
Impact:
Packets will be dropped indiscriminately.
Workaround:
None.
Fix:
We've now added a sys db tunable (sys db dos.scrubtime) which can be set to drop DoS attack packets in HW more aggressively. This will prevent other non-attack packets from being dropped indiscriminately.
561348-4 : krb5.conf file is not synchronized between blades and not backed up
Component: Access Policy Manager
Symptoms:
The krb5.conf file is not in sync across all blades.
This may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.
Conditions:
When an administrator makes changes to the krb5.conf file manually, the configuration file is not synchronized to all blades or is lost upon upgrade.
Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.
Workaround:
None.
Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the failover device group. Any change made to this file on either the active or the standby device is automatically synced to the other device.
In a chassis, all secondary blades mirror the file on the primary blade. Any manual change made on a secondary blade is lost. The administrator must make changes on the primary blade only; they are then synchronized to all other blades.
Behavior Change:
When an administrator modifies the /etc/krb5.conf file, the changes are automatically updated on the other devices in the same failover device group.
When an administrator modifies the /etc/krb5.conf file on the primary blade of a chassis, the changes are automatically updated on all secondary blades.
560969-2 : OpenSSL vulnerability fix
Vulnerability Solution Article: K55540723
560962-2 : OpenSSL Vulnerability CVE-2015-3196
Vulnerability Solution Article: K55540723
560948-2 : OpenSSL vulnerability CVE-2015-3195
Vulnerability Solution Article: K12824341
560925-2 : OpenSSL Vulnerability fix
Vulnerability Solution Article: K86772626
560910-2 : OpenSSL Vulnerability fix
Vulnerability Solution Article: K86772626
560791 : FPS doesn't encrypt inputs of type "hidden"
Component: Fraud Protection Services
Symptoms:
FPS doesn't encrypt inputs of type "hidden"
Conditions:
HTML input element of type "hidden" needs encrypting.
Impact:
Unable to support some applications.
Workaround:
None.
Fix:
FPS now encrypts all input types, including the 'hidden' type.
560685 : TMM may crash with 'tmsh show sys conn'.
Component: Local Traffic Manager
Symptoms:
Although unlikely, the 'tmsh show sys conn' command may cause the tmm process to crash when displaying connections.
Conditions:
Although the conditions under which this occurs are not well understood, this is a rarely occurring issue.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
The only workaround is to not issue the command: tmsh show sys conn.
Fix:
Running the command 'tmsh show sys conn' no longer causes TMM to crash when displaying connections.
560683-3 : HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound()
Component: TMOS
Symptoms:
tmm crash after a number of failovers (approximately two to four).
Conditions:
This occurs in a high availability (HA) configuration with IPSEC traffic and multiple failovers. This is an intermittent issue.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The intermittent tmm crash no longer occurs in a high availability (HA) configuration with IPSEC traffic and multiple failovers.
560607-3 : Resource Limitation error when removing predefined policy which has multiple rules
Component: Policy Enforcement Manager
Symptoms:
Resource Limitation error when removing a predefined policy which has multiple rules referring to the same rating group.
Conditions:
- Gx and Gy are configured for the session
- All rules refer to the same rating group
Impact:
Unable to remove an existing policy
Workaround:
None.
Fix:
Policies can be removed and updated regardless of rules or rating group limitations.
560510-6 : Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down.
Component: TMOS
Symptoms:
When MCPD is not in the running state, dhclient writes the domain-name-server information directly into /etc/resolv.conf. If the DHCP server supplies multiple domain-name-servers, they are written in an incorrect format: all servers comma-separated on a single line. Each domain-name-server entry should be written on its own line with the "nameserver" prefix.
Conditions:
- MCPD is not in the running state.
- DHCP is enabled.
- DHCP server has provided multiple domain-name-server entries in the lease.
Impact:
Domain name resolution doesn't work.
Workaround:
Bring up MCPD, which writes resolv.conf in the correct format. Alternatively, manually modify /etc/resolv.conf to list multiple nameserver entries, one per line.
Fix:
DHCP will now write a single nameserver per line in /etc/resolv.conf when multiple nameservers are configured in DHCP.
560423-2 : VxLAN tunnel IP address modification is not supported
Component: TMOS
Symptoms:
VxLAN tunnel local and remote tunnel IP address change is not supported.
Conditions:
If a user tries to change the local and/or remote tunnel IP address, the configuration handler will fail the configuration change.
Impact:
The user must delete and recreate the VxLAN tunnel in order to change the tunnel local and/or remote address. Tunnel deletion also requires removing references to the tunnel, for example the tunnel self IP address and routes pointing to the tunnel, before the tunnel can be deleted. Those self IP addresses and routes must be re-added after recreating the tunnel with changed IP address parameters. This can be error-prone, especially if the number of tunnels is extremely large.
Workaround:
Delete existing VxLAN tunnel, and add a new tunnel with the modified tunnel IP address parameters.
Fix:
Modifying VxLAN tunnel IP addresses now works. Only tunnels that have been created with a multicast flooding type and have a multicast remote IP address are supported.
560220-1 : Missing partition and subPath fields for some objects in iControl REST
Component: TMOS
Symptoms:
When using iControl REST, the return output of some objects does not include the partition and subPath properties. Also, the name property contains the full path instead of only the object name.
Conditions:
This occurs when running BIG-IP systems with 11.6.0 HF6 installed.
Impact:
This breaks custom scripts that rely on those properties.
Workaround:
Do not use custom scripts to gather the partition and subPath properties of objects on BIG-IP systems with 11.6.0 HF6 installed.
560180-2 : BIND Vulnerability CVE-2015-8000
Vulnerability Solution Article: K34250741
560069-1 : Default obfuscator configuration causes very slow javascript in some browsers
Component: Fraud Protection Services
Symptoms:
Slow javascript causes page to render with a slight delay.
Conditions:
FPS enabled on highly optimized web page
Impact:
Mainly on older browsers, a slight rendering delay (~1 second) may be noticed.
Workaround:
Run the following commands on the BIG-IP system:
echo "-x" > /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS
chattr +i /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS
Fix:
Improved performance of obfuscated javascript.
559975-5 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
Component: Global Traffic Manager
Symptoms:
HTTP basic authentication uses a base64 encoded string. When an HTTP monitor username or password is changed, the b64 string is regenerated and may become malformed.
Conditions:
When an http monitor username or password is changed, e.g. shortened, then the HTTP basic auth string may be mangled.
Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.
Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.
Fix:
HTTP monitors will now correctly handle a username or password change.
559973-2 : Nitrox can hang on RSA verification
Component: Local Traffic Manager
Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip. Errors in the ltm log show crit tmm[11041]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck
Conditions:
RSA verification with certain signatures.
Impact:
Nitrox crypto accelerator can hang.
Fix:
The Nitrox crypto accelerator will no longer hang when performing RSA verification.
559939-2 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
Component: TMOS
Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.
Conditions:
This affects only multi-blade chassis systems in Standalone mode.
Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.
Workaround:
To change the hostname on the VIPRION, use the tmsh command:
'modify sys global-settings hostname new-host-name'.
Fix:
Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.
559933-2 : tmm might leak memory on vCMP guest in SSL forward proxy
Component: Local Traffic Manager
Symptoms:
In an SSL forward proxy configuration on a vCMP guest, tmm might slowly leak memory when subjected to SSL Hello messages containing a server name indication (SNI) extension that is not configured on the virtual server.
Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configuration.
-- SSL hello with SNI extension.
Impact:
tmm might leak memory.
Workaround:
None.
Fix:
tmm no longer leaks memory on the vCMP guest in SSL forward proxy configurations.
559584-2 : tmsh list/save configuration takes a long time when config contains nested objects.
Component: TMOS
Symptoms:
A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds.
Conditions:
Following is an example of nested objects in a config. If the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either of the following commands:
-- tmsh list ltm virtual
-- tmsh save config
ltm virtual vs {
    destination 10.10.10.10:http
    ip-protocol tcp
    mask 255.255.255.255
    profiles {    # nested object
        http { }
        http_security { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 26
}
Impact:
When commands take longer than 30 seconds to complete, iControlREST times out.
Workaround:
None.
Fix:
A configuration containing a number of nested objects no longer takes a long time to list or save, so iControlREST no longer times out. Note: You might still encounter this issue in configurations that have greater than ~6000 nested objects, which is the largest number tested.
559541-2 : ICAP anti-virus tests are not initiated on XML with sensitive data when they should be
Component: Application Security Manager
Symptoms:
ICAP anti virus tests are not performed on XML with sensitive data.
Conditions:
ICAP and an XML profile are configured on the policy, and ICAP is configured to inspect the XML.
The XML profile has sensitive data configured.
The XML request contains sensitive data.
The expectation is that XML with sensitive data initiates ICAP tests.
Impact:
Virus tests will not be enabled on this request if the only reason for testing the ICAP was the existence of the sensitive XML data.
Fix:
ICAP tests are performed on XML with sensitive data.
559382-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
Component: Policy Enforcement Manager
Symptoms:
CCR-I requests from PEM to PCRF contain a subscriber ID type of 6 (UNKNOWN) for DHCP subscribers instead of NAI.
Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.
Impact:
Might impact the way policies are provided from the PCRF.
Workaround:
None.
Fix:
Subscriber ID type is marked as NAI for DHCP discovered subscribers.
559218-2 : Iframes could be inaccessible to a parent window on a page accessed through Portal Access
Component: Access Policy Manager
Symptoms:
document.write from a window to an iframe could silently fail if the page is accessed by FQDN and Same Origin Policy restrictions were relaxed by assigning document.domain.
The code on the page executes without errors, but no content appears in the iframe.
Conditions:
This can occur with web applications that use heavy javascript including javascript across iFrames.
Impact:
Some content could be not displayed on a page accessed through Portal Access.
Workaround:
An iRule workaround specific to the web application is possible.
Fix:
An iframe with an empty origin now inherits the origin value from the parent window accessed via Portal Access, in the same manner as all browsers do.
559129-3 : Update Generic Malware Signatures to detect new Dyre variant
Component: Fraud Protection Services
Symptoms:
The generic malware signatures aren't detecting a new Dyre variant.
Conditions:
Dyre detection.
Impact:
Systems targeted by the new Dyre variant will not receive alerts from the FPS module when attacked.
Workaround:
None.
Fix:
Detect the new Dyre variant with an updated generic malware signature.
559082-1 : Tunnel details are not shown for Mac Edge client
Component: Access Policy Manager
Symptoms:
Tunnel details are not shown for the Mac Edge client.
Tunnel details are located in Edge client :: View details :: Connection :: Tunnel details.
Conditions:
Mac Edge client and an established network access connection.
Impact:
Minor. Only diagnostic information is missing, otherwise tunnel works fine.
Workaround:
None.
Fix:
Tunnel details are now shown for the Mac Edge client.
559060-3 : AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.
Component: Application Visibility and Reporting
Symptoms:
AVR presents incorrect data in the GUI statistics (for example, unexpected pool members, and so on, with hitcount 0).
Conditions:
Multiple BIG-IP systems are configured, one is acting as server for the other and both have 'collect client latency' enabled.
Impact:
Invalid data is presented in the statistics.
Workaround:
Turn off 'collect client latency' in the AVR profile on the BIG-IP system that is acting as the server.
Fix:
Correct data is now presented in the statistics of a configuration in which one BIG-IP system is acting as the server in a multiple BIG-IP device configuration.
559055-1 : Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
Component: Application Security Manager
Symptoms:
Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".
Conditions:
Learn New Parameters is set to "Add All Entities".
Impact:
Staging on wildcard parameter "*" remains unchanged.
Workaround:
Disable staging on wildcard parameter "*" manually.
Fix:
Staging is now disabled correctly on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".
559034-1 : Mcpd core dump in the sync secondary during config sync
Component: TMOS
Symptoms:
mcpd will crash if certain files are missing from the file store during sync operations.
Conditions:
This can happen when files associated with file objects are removed from the file store. Users are not permitted to directly modify the contents of the file store.
Impact:
mcpd will crash
Workaround:
Users are not permitted to directly modify the contents of the file store. Use tmsh or the Configuration Utility to manage BIG-IP objects such as certificates.
Fix:
Mcpd will no longer crash during a config sync if a file store object is missing.
558946-4 : TMM may core when APM is provisioned and access profile is attached to the virtual
Component: Access Policy Manager
Symptoms:
TMM may core when APM is provisioned and access profile is attached to the virtual.
Conditions:
This crash is most likely to occur when more than one ABORT event is sent to a connection on a virtual server with an attached access profile.
Impact:
Traffic disrupted while tmm restarts.
Fix:
An APM virtual server that can receive multiple ABORT events on a connection no longer causes TMM to crash and restart.
558870-3 : Protected workspace does not work correctly with third party products
Component: Access Policy Manager
Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on user's machines.
2) Microsoft OneDrive does not work correctly inside protected workspace.
Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.
Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.
Workaround:
There is no workaround.
Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.
558858-4 : Unexpected loss of communication between slots of a vCMP Guest
Component: TMOS
Symptoms:
1. Within the vCMP guest, the affected slot shows the other slot(s) to be offline. When logged into any other "offline" slot, the slot shows itself to be online.
2. Within the vCMP guest, on the affected slot, the log files (such as /var/log/ltm) have stopped recording log entries from the other slot(s).
3. Within the vCMP guest, on the affected slot, the eth1 interface shows TX increasing but RX not increasing. The eth1 interface on other slots shows both TX and RX increasing.
Conditions:
Only affects vCMP guests with 2 or more slots on VIPRION C2000-series chassis.
Impact:
The number of working slots in a vCMP guest is reduced to 1 slot. The effect on traffic may range from none to severe.
Workaround:
Within the vCMP guest, log in to the command line (vconsole or SSH) of the affected slot and run the following:
ifconfig eth1 down ; ifconfig eth1 up
Alternatively, from the hypervisor, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
Fix:
This release no longer exhibits loss of communication between slots of a vCMP guest.
558779-6 : SNMP dot3 stats occasionally unavailable
Component: TMOS
Symptoms:
SNMP would not provide values for some dot3 stats.
Conditions:
Always, on affected versions.
Impact:
SNMP does not provide values for some dot3 stats.
This has no impact on actual traffic.
Workaround:
None.
Fix:
The dot3 stats are now available.
558642-1 : Cannot create the same navigation parameter in two different policies
Component: Application Security Manager
Symptoms:
Cannot create the same navigation parameter in two different policies. A validation issue blocks the user from adding a navigation parameter that is already defined in a different security policy.
Conditions:
This occurs after adding navigation parameter X to one policy, and then attempting to add the same parameter to another policy.
Impact:
Cannot add navigation parameter X to another policy after adding it to the first policy.
Workaround:
None.
Fix:
The system now supports adding the same navigation parameter to different security policies.
558631-2 : APM Network Access VPN feature may leak memory
Component: Access Policy Manager
Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.
Conditions:
-- APM Network Access feature is configured.
-- VPN connections are being established.
Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.
Workaround:
No workaround short of not using the APM Network Access feature.
Fix:
The APM Network Access VPN feature no longer leaks memory.
558612-4 : System may fail when syncookie mode is activated
Component: Local Traffic Manager
Symptoms:
TMM may core when syncookie mode has been activated while the system is under extreme memory pressure.
Conditions:
L7 VIP with certain TCP profile attributes enabled.
Syncookies have been activated.
System under memory pressure due to heavy load.
Impact:
tmm may core.
Workaround:
Use the default TCP profile for all L7 VIPs.
Fix:
The BIG-IP will not encounter a system failure when syncookie mode has been activated.
558573-2 : MCPD restart on secondary blade after updating Pool via GUI
Component: TMOS
Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.
When this occurs, errors similar to the following are logged from the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.
Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.
Impact:
Daemon restarts, disruption of traffic passing on secondary blades.
Workaround:
Perform pool updates via the tmsh command-line utility.
Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.
558534-3 : The TMM may crash if http url rewrite is used with APM
Component: Local Traffic Manager
Symptoms:
The HTTP URI rewrite feature depends on having a client-side connection from which to determine the IP address of the client. However, APM may use the HTTP filter without a client-side connection. This can cause a TMM crash when the HTTP URI rewrite feature uses the missing IP address.
Conditions:
APM + HTTP URI rewrite feature. (This is different from the "rewrite" profile.)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the HTTP uri rewrite feature when using APM. An iRule may be used to safely implement its transformations.
Fix:
The TMM no longer crashes when the HTTP uri rewrite feature is used with APM.
558517-3 : Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.★
Component: Local Traffic Manager
Symptoms:
Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.
After upgrading, bigip.conf still has the old #TMSH-VERSION header. This is intended behavior in 12.1.0 and not a bug; the configuration is still loaded into memory properly. The TMSH-VERSION string is updated the next time a save sys config command is issued.
Conditions:
This occurs only when upgrading BIG-IP software in the following situations:
-- From 11.6.0 base version, or from 11.6.0 HF1 through 11.6.0 HF5 (or any engHF built on these versions), to 11.6.0 HF6 through 11.6.0 HF8.
-- From 11.5.3 base version, or from 11.5.3 HF1 or 11.5.3 HF2 (or any engHF built on these versions), to 11.5.3 HF2 engHF2 or 11.5.3 HF2 engHF45.
Impact:
Monitor send/recv strings contain extra escape characters, for example: \\r, \\n, etc. After the upgrade, monitors containing escaped characters fail.
Workaround:
Remove the additional escaping from the send/recv strings, manually or by script.
Fix:
The system no longer appends extra escape characters to monitor send/receive strings after upgrading.
558255-2 : Filtering encryption alerts
Component: Fraud Protection Services
Symptoms:
There was no option in 11.6.0 or earlier to filter out encryption alerts.
Conditions:
Encryption is failing.
Impact:
There is always an alert sent, even if it comes from an unsupported browser.
Workaround:
None.
Fix:
A new DB variable 'AntiFraud.EncryptionAlerts' has been added that controls whether or not the FPS plugin filters encryption alerts.
558053-2 : Pool's 'active_member_cnt' attribute may not be updated as expected.
Component: Local Traffic Manager
Symptoms:
If a pool has no associated monitors, new pool members added to the pool do not increment the active_member_cnt even if traffic will be passed to it. In other cases, for FQDN pool members, the active_member_cnt does not update in user-down scenarios, or other state transitions.
Conditions:
1) Configure a pool without a monitor, and make use of an iRule that attempts to use the 'active_member_cnt' attribute.
2) Configure a pool with FQDN nodes and change the state to user-down, and check the active_member_cnt via an iRule or GUIshell.
Impact:
Although this does not impact load balancing and is not visible in the GUI or tmsh, it is exposed as a consumable attribute in iRules, which can impact your scripts.
Workaround:
Use member_count instead; it returns the total number of members, with no status information.
Fix:
Pool's 'active_member_cnt' attribute is now updated as expected, even for pools that have no assigned monitors.
557783-2 : TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
Component: Local Traffic Manager
Symptoms:
TMM might use a link-local IPv6 address when attempting to reach an external global address for traffic generated from TMM (for example, dns resolver, sideband connections, etc.).
Conditions:
- ECMP IPv6 routes to a remote destination where the next hop is a link local address. Typically this occurs with dynamic routing.
- Have configured a virtual server that generates traffic from TMM (for example, dns resolver, sideband connections, etc.).
Impact:
Traffic might fail as it egresses from a link-local address instead of a global address.
Workaround:
It might be possible to work around the issue if the dynamic routing peer can announce the route from a global address instead of a link-local one.
Use of static routes might also work around the issue.
Fix:
TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.
557680-1 : Fast successive MTU changes to IPsec tunnel interface crashes TMM
Component: TMOS
Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.
Conditions:
The issue occurs when the IPsec tunnel interface's attributes are modified quickly and repeatedly.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change IPsec tunnel interface attributes at a rate that allows each configuration modification to complete.
Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).
557675-3 : Failover from PEM to PCRF can cause session lookup inconsistency
Component: Policy Enforcement Manager
Symptoms:
A small number of PEM sessions can be looked up only by their session-ip, but not by their subscriber-id.
Conditions:
Using PEM, failover to PCRF.
Impact:
Fails to find sessions needed for traffic processing.
Workaround:
None.
Fix:
The code change provides an internal fixup for incorrect sessions.
557645-5 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
Component: Local Traffic Manager
Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.
Multiple devices in an HA configuration.
TMM incorrectly identifies which TMM should handle host connections from an HA peer.
The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.
Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.
Workaround:
None.
Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.
557358-1 : TMM SIGSEGV and crash when memory allocation fails.
Component: Local Traffic Manager
Symptoms:
TMM SIGSEGV and crash when memory allocation fails.
Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.
Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.
Workaround:
None known at this time.
Fix:
TMM SIGSEGV and crash no longer occur when memory allocation fails due to a command attempting to remove the connection from the SSL queue a second time.
557281-2 : The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
Component: TMOS
Symptoms:
audit_forwarder and mcpd consume almost 100% CPU. When syslog-ng restarts it will start another audit_forwarder process, but it is the orphaned audit_forwarder process that will consume almost 100% CPU. When syslog-ng is restarted and audit_forwarder does not exit cleanly, the mcpd process will also begin consuming high CPU.
Conditions:
syslog-ng is stopped manually or, sometimes (rarely), during a normal restart of syslog-ng.
Impact:
The audit_forwarder and mcpd processes consume excessive CPU.
Workaround:
Stop audit_forwarder manually (kill -9). Once the orphaned audit_forwarder process is stopped, mcpd returns to normal CPU consumption.
Fix:
When syslog-ng is stopped manually (or when expected), audit_forwarder also exits, so the audit_forwarder process no longer consumes increasing CPU.
557221-7 : Inbound ISP link load balancing will use pool members for only one ISP link per data center
Component: Global Traffic Manager
Symptoms:
In BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0, the inbound ISP link load balancing functionality uses pool members for more than one ISP link per data center.
Conditions:
Using the inbound ISP link load balancing functionality in BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0.
Impact:
If a pool has multiple members that use different ISP links within a data center, the system uses only pool members associated with the ISP link of the first available pool member. The system marks pool members associated with subsequent ISP links as unavailable (grey).
Fix:
The inbound ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.
Behavior Change:
Beginning in BIG-IP Link Controller and GTM 11.5.4, 11.6.1, and BIG-IP DNS 12.1.0, the ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.
The link that is associated with the first configured and available pool member within each data center will determine the link that will be used for the data center. The system will use only pool members associated with that link.
557144-3 : Dynamic route flapping may lead to tmm crash
Component: TMOS
Symptoms:
When dynamic routing is in use and routes are being actively added and removed, tmm may crash.
Conditions:
Virtual Server configured with Dynamic Routing
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Flapping dynamic routes no longer trigger a tmm crash.
557062-2 : The BIG-IP ASM configuration fails to load after an upgrade.★
Component: Application Visibility and Reporting
Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version (11.3 or 11.4) and upgrading to a version prior to 12.1.0.
Conditions:
Define a scheduled report with predefined-report-name '/Common/Top alerted URLs' on version 11.3 or 11.4, then upgrade the version.
Impact:
Version upgrade fails (the BIG-IP system becomes unusable).
Workaround:
Manually change predefined-report-name '/Common/Top alerted URLs' to predefined-report-name '/Common/Top alarmed URLs'.
Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.
557059-2 : When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang
Component: TMOS
Symptoms:
A POST request to a virtual server times out and does not immediately return a response. After the timeout occurs, an HTTP 400 response status is returned.
Conditions:
This issue is encountered when sending a POST request to a virtual server that is configured with an Anti-Fraud Profile and a Web Acceleration profile.
Impact:
The request times out and 400 HTTP response status is returned. The application will break.
Fix:
POST requests no longer time out when sent to a virtual server that has an Anti-Fraud Profile and a Web Acceleration profile.
556597-5 : CertHelper may crash when performing Machine Cert Inspection
Component: Access Policy Manager
Symptoms:
CertHelper may crash while checking a machine certificate.
Conditions:
APM installed
Impact:
Authentication may fail.
Fix:
Fixed crash cause in CertHelper.
556568-2 : TMM can crash with ssl persistence and fragmented ssl records
Component: Local Traffic Manager
Symptoms:
Unusually fragmented SSL records may be handled incorrectly, resulting in a tmm crash.
Conditions:
SSL persistence and fragmented SSL records.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Possibly switch to different persistence type.
Fix:
The error in parsing fragmented ssl records has been resolved.
556560-2 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
Component: Local Traffic Manager
Symptoms:
DNS messages which contain an OPT record followed by more than one record in the additional section will become malformed when they pass through a virtual with an assigned DNS profile.
Conditions:
A DNS message contains an OPT record in the Additional section, the message is compressed, and more than one record follows the OPT record.
Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message.
The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last.
The RFCs do not restrict a query from containing records in the additional record section of the message.
When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.
Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).
Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted.
The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers.
The subsequent code paths which depend on the OPT record's position now work as expected.
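As an added illustration of the transformation described in this fix (example code written for this page, not F5's implementation), the following Python walks a constructed DNS response whose additional section has an OPT record followed by two A records, the second of which carries a compression pointer into the first, and relocates the OPT record to the end of the section (or just before a TSIG record) while retargeting every pointer into the shifted region. Only owner names and the RDATA names of NS, CNAME, PTR and MX records are scanned for pointers; that limitation is an assumption of the example.

```python
import struct

OPT, TSIG = 41, 250
NAME_RDATA = {2: 0, 5: 0, 12: 0, 15: 2}  # types whose RDATA starts with a name (MX: after 2-byte preference)

def walk_name(msg, off):
    """Step over one wire-format name: return (offset past it, offset of its compression pointer or None)."""
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:
            return off + 2, off
        if l == 0:
            return off + 1, None
        off += 1 + l

def decode_name(msg, off, max_hops=32):
    """Dotted name at off; the hop limit guards against pointer loops in hostile messages."""
    parts = []
    while max_hops:
        l = msg[off]
        if l & 0xC0 == 0xC0:
            off = struct.unpack_from('!H', msg, off)[0] & 0x3FFF
            max_hops -= 1
            continue
        if l == 0:
            return '.'.join(parts)
        parts.append(msg[off + 1:off + 1 + l].decode())
        off += 1 + l
    raise ValueError('compression pointer loop')

def rr_bounds(msg, off):
    """(start, type, rdata offset, end) of the resource record at off."""
    name_end = walk_name(msg, off)[0]
    rtype, _cls, _ttl, rdlen = struct.unpack_from('!HHIH', msg, name_end)
    return off, rtype, name_end + 10, name_end + 10 + rdlen

def additional_bounds(msg):
    """Skip header, question, answer and authority sections; return bounds of every additional RR."""
    qd, an, ns, ar = struct.unpack_from('!HHHH', msg, 4)
    off = 12
    for _ in range(qd):
        off = walk_name(msg, off)[0] + 4      # QTYPE + QCLASS
    for _ in range(an + ns):
        off = rr_bounds(msg, off)[3]
    rrs = []
    for _ in range(ar):
        rrs.append(rr_bounds(msg, off))
        off = rrs[-1][3]
    return rrs

def additional_records(msg):
    """(type, owner name) of each additional RR in wire order."""
    return [(t, decode_name(msg, s)) for s, t, _, _ in additional_bounds(msg)]

def pointer_offsets(msg, start, rtype, rdata):
    """Compression pointers in the RR's owner name and, for NAME_RDATA types, in its RDATA name."""
    starts = [start] + ([rdata + NAME_RDATA[rtype]] if rtype in NAME_RDATA else [])
    return [p for p in (walk_name(msg, s)[1] for s in starts) if p is not None]

def move_opt_last(msg):
    """Move OPT to the end of the additional section (before TSIG, if present), retargeting pointers."""
    rrs = additional_bounds(msg)
    idx = next((i for i, r in enumerate(rrs) if r[1] == OPT), None)
    if idx is None:
        return msg
    opt, tail = rrs[idx], rrs[idx + 1:]
    tsig = tail.pop() if tail and tail[-1][1] == TSIG else None
    if not tail:
        return msg                            # OPT already in its final position
    opt_len = opt[3] - opt[0]
    moved_lo, moved_hi = tail[0][0], tail[-1][3]   # bytes that shift earlier by opt_len
    def shifted(rec):
        chunk = bytearray(msg[rec[0]:rec[3]])
        for p in pointer_offsets(msg, rec[0], rec[1], rec[2]):
            target = struct.unpack_from('!H', msg, p)[0] & 0x3FFF
            if moved_lo <= target < moved_hi:  # pointer into the shifted region: follow the move
                struct.pack_into('!H', chunk, p - rec[0], 0xC000 | (target - opt_len))
        return chunk
    out = bytearray(msg[:opt[0]])
    for rec in tail:
        out += shifted(rec)
    out += msg[opt[0]:opt[3]]                 # OPT owner is the root name, nothing points into it
    if tsig:
        out += shifted(tsig)                  # TSIG keeps its offset but may point into the moved region
    return bytes(out)

def build_rr(name, rtype, rclass, ttl, rdata):
    return name + struct.pack('!HHIH', rtype, rclass, ttl, len(rdata)) + rdata

def ptr(off):
    return struct.pack('!H', 0xC000 | off)

SAMPLE = (struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 1, 0, 3)           # constructed response, not captured
          + b'\x03www\x07example\x03com\x00' + struct.pack('!HH', 1, 1)  # question at offset 12
          + build_rr(ptr(12), 1, 1, 60, bytes([192, 0, 2, 1]))            # answer at 33
          + build_rr(b'\x00', OPT, 4096, 0, b'')                           # OPT at 49
          + build_rr(b'\x03ns1' + ptr(16), 1, 1, 60, bytes([192, 0, 2, 2]))   # ns1.example.com at 60
          + build_rr(b'\x04mail' + ptr(60), 1, 1, 60, bytes([192, 0, 2, 3])))  # mail.ns1.example.com at 80
```

Reordering the sample without retargeting the second A record's pointer would make it land inside the shifted ns1 record's fixed fields, which is the mangling the entry describes.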
556383-1 : Multiple NSS Vulnerabilities
Vulnerability Solution Article: K31372672
556380-2 : mcpd can assert on active connection deletion
Component: TMOS
Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.
Conditions:
Removal of all peers while a connection is handling a transaction.
Impact:
MCPD asserts and restarts.
Workaround:
No workaround is necessary. MCPD restarts.
Fix:
Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.
556284-5 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
Component: TMOS
Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following:
Monitor /Common/my_http_monitor parent not found
Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.
Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.
Workaround:
None.
Fix:
GTM/LC sync now completes successfully even when the configuration being sync'd contains a custom GTM/LC monitor definition.
556277-6 : Config Sync error after hotfix installation (chroot failed rsync error)★
Component: TMOS
Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.
Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.
To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp.
If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.
Impact:
Sync of file objects might fail with an error similar to the following:
01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..
Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.
Fix:
Installing a hotfix over an existing base install now rebuilds the SELinux policy as expected.
556162-3 : Default obfuscator configuration causes very slow javascript in some browsers
Component: Fraud Protection Services
Symptoms:
Slow javascript causes page to render with a slight delay.
Conditions:
Client on Explorer 8 on a slow machine or VM.
Impact:
Mainly on older browsers, a slight rendering delay (~1 second) may be noticed.
Workaround:
Run the following commands on the BIG-IP system:
echo "-x" > /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS
chattr +i /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS
Fix:
Improved performance of obfuscated javascript.
556117-2 : client-ssl profile is case-sensitive when checking server_name extension
Component: Local Traffic Manager
Symptoms:
The client-ssl profile compares the server-name configured in the profile with the server_name extension in the ClientHello message case-sensitively.
Conditions:
When using mixed upper-lower case server-name in the client-ssl profile configuration and ClientHello messages.
Impact:
The system treats mixed upper- and lower-case server-names as different names, which violates RFC 6066, which states: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."
Workaround:
1. Configure only one client-ssl profile with the same server-name.
2. Use only a lower-case server-name when configuring the client-ssl profile.
3. Use a lower-case server-name on the client side.
Fix:
The system now treats mixed upper-lower case server-names as the same name, so server-name is no longer case sensitive.
556103-3 : Abnormally high CPU utilization for external monitors
Component: Local Traffic Manager
Symptoms:
High CPU utilization for external monitors that use SSL.
Conditions:
External monitor using SSL.
Impact:
Abnormally high CPU utilization.
Workaround:
None.
Fix:
This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.
555905-3 : sod health logging inconsistent when device removed from failover group or device trust
Component: TMOS
Symptoms:
When a device is in a failover group, sod logs the state change messages indicating the reachability of other devices in the group. For example:
Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).
Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).
Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).
If a reachable device is removed from the failover group, no "Disconnected" message is issued, so the last reported status will be inaccurate.
When a device is part of a trust, sod logs messages indicating what unicast addresses it is monitoring on remote devices:
Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.
If devices are removed from the trust, sod does not log a message that those unicast addresses are no longer in use.
Conditions:
When a device is removed from a failover device group, or removed from a device trust.
Impact:
Inaccurate state reporting.
Fix:
When a device is removed from a failover device group, it is now reported as "Disconnected".
When a device is removed from the device trust, sod on the other devices correctly reports that the unicast addresses belonging to the other devices have been deleted.
555827-2 : No fallback for alerts.
Component: Fraud Protection Services
Symptoms:
No fallback for alerts.
Conditions:
Alerts blocked by proxy.
Impact:
Alerts do not reach alert server.
Workaround:
When alert sending fails, other methods of contacting the alert server should be tried. In some scenarios, these fallbacks are not attempted.
Fix:
Use fallback methods when primary alert fails.
555818-3 : Bait failure alerts do not give details of the cause of failure
Component: Fraud Protection Services
Symptoms:
Bait fail alert details are always the same.
Conditions:
Honeypot mechanism failed due to http error, clientside error, timeout, etc.
Impact:
Difficult to find the cause of failures because of the poor granularity of the error alert.
Workaround:
None
Fix:
The following details were added to the Bait Failure alert:
bf_malformed : Malformed bait response
bf_jserror : Bait checks errored
bf_timeout : Bait request timed out
bf_<status_code> : Bait response was not 200 OK, e.g., bf_404
bf_unknown : Other failure
555686-5 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
Component: TMOS
Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceivers might cause an internal bus to hang.
Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.
Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.
Workaround:
None.
Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.
555507-2 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
Component: Access Policy Manager
Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.
Conditions:
This occurs when the following conditions are met:
1. The BIG-IP system is configured and used as SAML Identity Provider.
2. Single Logout (SLO) protocol is configured on an attached SP connector.
3. At least one user executed SAML WebSSO profile.
Impact:
Symptoms might differ based on the owner of overrun memory.
Potentially, tmm could restart as a result of this issue.
Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.
Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues:
The BIG-IP system is configured and used as a SAML Identity Provider.
Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector.
At least one user executed SAML webSSO profile.
555457-5 : Reboot is required, but not prompted after F5 Networks components have been uninstalled
Component: Access Policy Manager
Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted.
Typically this issue can be identified by these log records:
<snip>
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
<snip>
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)
Conditions:
Windows desktop.
Existing F5 components uninstalled.
Reboot was not performed after uninstall.
Impact:
End users cannot establish a VPN connection from Windows-based clients.
Workaround:
Reboot the affected Windows desktop.
Fix:
After F5 Networks components have been uninstalled, the system does not require reboot, and uses the latest installed software-device for VPN, as expected.
555435-2 : AD Query fails if cross-domain option is enabled and administrator's credentials are not specified
Component: Access Policy Manager
Symptoms:
AD Query fails in a cross-domain environment when the AAA AD Server has no administrator credentials configured and the user's logon name is different from the pre-win2k name.
Conditions:
- AD Query is configured in an Access Policy.
- The administrator's credentials are not specified at AAA AD Server configuration page (that is in use by AD Query).
- The domain logon name is different from pre-win2k name.
Impact:
AD Query fails
Workaround:
The administrator should provide AD administrator credentials at AAA AD Server configuration page.
Fix:
AD Query now completes as expected if cross-domain option is enabled and administrator's credentials are not specified.
555432-1 : Large configuration files may go missing on secondary blades
Component: Local Traffic Manager
Symptoms:
bigip.conf or other configuration files may go missing on secondary blades once the configuration exceeds a certain size (approximately 8 MB).
Conditions:
This is only relevant on chassis.
Impact:
If the primary changes, then the configuration is at risk of being lost.
Workaround:
Touch the relevant configuration file (usually bigip.conf); the configuration file then reappears.
Fix:
bigip.conf or other configuration files no longer go missing on secondary blades once the configuration exceeds a certain size (approximately 8 MB).
555369-3 : CGNAT memory leak when non-TCP/UDP traffic directed at public addresses
Component: Carrier-Grade NAT
Symptoms:
When rejecting non-TCP/UDP inbound traffic a small amount of memory is leaked with each packet. Depending on the volume of such traffic this may be a slow or fast leak.
Conditions:
CGNAT configured with inbound connections enabled or hairpinning enabled
Non-TCP/UDP traffic with a destination in the LSN Pool address space
Impact:
TMM might eventually run out of available memory. The aggressive mode sweeper might be triggered, causing connections to be killed. Eventually TMM restarts.
Workaround:
None.
Fix:
This release fixes a memory leak that occurred when rejecting non-TCP/UDP inbound traffic.
555272-8 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★
Component: Access Policy Manager
Symptoms:
Previously, F5 client components were signed using a SHA1 certificate. SHA1 is now considered insecure, and Windows will reject components signed using a SHA1 certificate after March 31st 2016.
To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.
The result of this change is that clients utilizing client components built prior to these versions:
Big-IP 12.0.0HF1 or earlier
Big-IP 11.6.0 HF8 or earlier
Big-IP 11.5.4 (base release) or earlier
cannot install Endpoint Security updates build 431 or greater.
If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431 you must upgrade to these versions:
Big-IP 12.1.0 or later
Big-IP 12.0.0HF2 or later
Big-IP 11.6.1 or later
Big-IP 11.5.4 HF1 or later
Conditions:
Running incompatible BIG-IP version with EPSEC build 431 or later.
Impact:
User will see certificate warnings and installation of client component updates may fail. The failure may occur multiple times.
Workaround:
Upgrade BIG-IP to the correct version.
Use the BIG-IP Web GUI's Software Management :: Antivirus Check Check Updates section to install an EPSEC build prior to 431.
Fix:
Updated the signing certificate to a sha256 certificate. Client components and EPSEC binaries are now signed using the new, higher security certificate. Please note that an upgrade to an HF in which the client is signed using the updated certificate is needed to install updated EPSEC releases. Please review the information carefully.
555057-3 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
Component: Application Security Manager
Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.
Conditions:
ASM REST is used to remove a signature set association from a policy.
DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>
Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.
Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets.
Example: DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'
Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.
555039-2 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
Component: TMOS
Symptoms:
There are high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop.
Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.
Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.
Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.
Workaround:
None.
Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.
555006-3 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
Component: Application Security Manager
Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.
Conditions:
A REST client is used to look at or filter the signatures collection (/mgmt/tm/asm/signatures).
Impact:
Checking for updated signatures does not return the expected result.
Workaround:
None.
Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.
554993-2 : Profile Stats Not Updated After Standby Upgrade Followed By Failover
Component: Access Policy Manager
Symptoms:
1. The current active sessions, current pending sessions, and current established sessions counts shown in commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover.
2. The system posts an error message to /var/log/apm:
01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND).
Conditions:
This issue happens when the following conditions are met:
1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
2. A standby unit is upgraded to version 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
3. Failover is triggered.
Impact:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats remain zero after failover.
Workaround:
Upgrade all devices in the HA configuration to the same release and reboot them simultaneously.
Fix:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.
554967-3 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
Component: Local Traffic Manager
Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut/missing leading some resolvers to consider the packet malformed.
Conditions:
Primarily via dynamic settings such as iRules on DNS_RESPONSE events adding new records, or DNSSEC record signing with responses over UDP.
Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.
Workaround:
None.
Fix:
Truncated DNSSEC or iRule DNS packets are RFC-compliant.
554928-1 : tmm eventually crashes when classification profile is configured on the virtual
Component: Traffic Classification Engine
Symptoms:
tmm crashes.
Conditions:
A classification profile is configured on the virtual server, and many SSL/FTP/RTP/SIP flows are processed by the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the classification profile from the virtual server.
Fix:
Fixed after 11.6 HF6
554899-2 : MCPD core with access policy macro during config sync in HA configuration
Component: Access Policy Manager
Symptoms:
In high availability config sync, the destination mcpd might crash if the user does the following steps:
1. Manually edit the bigip.conf file at the source to move an access policy item (my-ap-1_mac_mymac1) that calls a macro from the original access policy (my-ap-1) to another access policy (my-ap-2);
2. Load the modified config into running config;
3. Delete the original access policy (my-ap-1) before manually starting the config sync.
The modified source configuration is sent to the destination during the manual incremental config sync, resulting in destination mcpd logging an error message:
err mcpd[5441]: 01020036:3: The requested access_policy_name (/Common/my-ap-1) was not found.
Immediately following the error message, the destination mcpd will crash and generate a core file.
Conditions:
Config sync is manual incremental, and the user manually edits /config/bigip.conf to modify the source configuration such that an access policy item with a macro call is moved from the original access policy to another access policy, and then the original access policy is deleted, all before the manual config sync is started.
Impact:
During config sync, the destination BIG-IP system's mcpd crashes and restarts.
Workaround:
After moving the access policy item with a macro call from the original access policy to another access policy and loading the change into the running configuration at the source, do not delete the original access policy. Instead, start the config sync right away.
After this first config sync is successful, delete the original access policy at the source, and then start the second config sync to finish the operation.
Fix:
MCPD no longer cores with access policy macro during config sync in high availability configuration.
554774-2 : Persist lookup across services might fail to return a matching record when multiple records exist.
Component: Local Traffic Manager
Symptoms:
Persist lookup across services might fail to return a matching record when multiple records exist.
Conditions:
Persistence profile with 'match-across-services' enabled, and the configuration contains multiple records that correspond to the same pool.
Impact:
Connection routed to unexpected pool member.
Workaround:
None.
Fix:
The operation now continues searching persistence records when 'match-across-services' is enabled until the operation finds a record that corresponds to the same pool.
554769-4 : CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.
Component: Local Traffic Manager
Symptoms:
TMM might crash if CONNFLOW_FLAG_L7_POLICY is not set in the connection flow flags, but the system still tries to call Centralized Policy Matching (CPM).
Conditions:
This occurs when TCLRULE_HTTP_RESPONSE is triggered from the server-side, if the server-side does not process the policy, and the connection flow flags do not have CONNFLOW_FLAG_L7_POLICY set.
Impact:
TMM/(CPM Module) might crash.
Workaround:
None.
Fix:
The system now adds the flag check of CONNFLOW_FLAG_L7_POLICY if it is not already set, so there is no crash in TMM or Centralized Policy Matching (CPM).
554761-5 : Unexpected handling of TCP timestamps under syncookie protection.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system experiences intermittent packet drops.
Despite being negotiated during TCP handshake, the BIG-IP system fails to present timestamp option in subsequent segments.
The BIG-IP system calculates invalid round trip time immediately after handshake, which might result in delayed retransmissions.
Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- The syncookie mode has been activated.
- Clients that support timestamps.
Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.
Workaround:
Choose or create a TCP profile that has timestamps disabled.
Fix:
TCP Timestamps are now maintained on all negotiated flows.
554690-3 : VPN Server Module generates repeated Error Log "iface eth0 "... every 2 secs
Component: Access Policy Manager
Symptoms:
Chatty log messages are seen in the svpn.log file.
Conditions:
Establish a tunnel and check the svpn.log file (VPN server module) to see the verbose logs.
Impact:
Verbose logging has a general CPU and disk-write impact.
Fix:
The VPN Server Module no longer generates the repeated error log message "iface eth0 (4)" every 2 seconds.
554626-1 : Database logging truncates log values greater than 1024
Component: Access Policy Manager
Symptoms:
The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null.
Conditions:
Logging into local database with log values (such as session variables) greater than 1024. If this size is too high (greater than 4060), the field displays as empty or null in reports.
Impact:
The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable.
Workaround:
No workaround.
Fix:
This release handles large single log values.
554624-2 : NTP CVE-2015-5300 CVE-2015-7704
Vulnerability Solution Article: K10600056 K17566
554609-4 : Kernel panics during boot when RAM spans multiple NUMA nodes.
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) crashes in the kernel during early boot.
Conditions:
This occurs when the following conditions are met:
* VE is running on Hyper-V.
* VE RAM is configured in such a way that it spans multiple NUMA nodes.
Impact:
Kernel panic during boot.
Workaround:
No workaround.
Fix:
The kernel now properly aligns memory on multiple NUMA nodes, so there is no kernel panic during boot.
554563-3 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
Component: TMOS
Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.
Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.
Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.
Workaround:
None.
Fix:
The Drops In interface statistics no longer include Class of Service Queues (cosq) egress drop counts, which is correct behavior.
554546-2 : Only first entry in 'Mandatory Words' list is effective
Component: Fraud Protection Services
Symptoms:
Despite adding two or more 'Mandatory Words' items, alerts are only sent on the first item.
Conditions:
Multiple 'Mandatory Words' items are configured. One of the items (not the top item) is injected into the page.
Impact:
No 'Mandatory Words' alert sent (False negative).
Workaround:
None.
Fix:
The entire 'Mandatory Words' list is now checked.
554540 : RAT detection failure
Component: Fraud Protection Services
Symptoms:
When flash cookies are disabled, RAT detection fails.
Conditions:
Flash cookies disabled.
Impact:
RAT attacks are not reported to the alert server.
Workaround:
Enable flash cookies.
Fix:
RAT detection now works with regular cookies.
554537-2 : Failed alerts on Internet Explorer
Component: Fraud Protection Services
Symptoms:
Sending page data in alerts can cause alerts to fail.
Conditions:
This occurs under the following conditions:
-- 'attach HTML to alerts' enabled.
-- Alert is sent from a large HTML page.
Impact:
Missed alerts.
Workaround:
Disable 'attach HTML to alerts'.
Fix:
If page data overwhelms alert sending, only partial page data is sent, so the alert now completes as expected.
554458 : No Session Variables displayed when clicking the "View Session Variables" link in APM "All Sessions" reports with leading zeros stripped from the Session ID
Component: Access Policy Manager
Symptoms:
No Session Variables are displayed when clicking the "View Session Variables" link in APM "All Sessions" reports.
Conditions:
The Session ID has one or more leading zeros.
Impact:
The APM Session Variables report is empty.
Workaround:
Run the "Session Variables" report. When entering the session ID, prepend zeros if it has fewer than 8 characters; the total length of a session ID is 8 characters.
Fix:
Session Variables report shows correctly.
554367-1 : BIG-IQ ASM remote logger: Requests are not logged.
Component: Application Security Manager
Symptoms:
BIG-IQ ASM does not log requests for the first remote logger configured on the system.
Conditions:
No remote logger has been previously configured for ASM.
Impact:
No requests are sent to remote logger that was just configured.
Workaround:
This issue resolves itself after a few seconds when the remote destination is responsive.
Fix:
An issue with requests not being logged after configuring a new remote logger for BIG-IQ ASM has been fixed.
554340-4 : IPsec tunnels fail when connection.vlankeyed db variable is disabled
Component: TMOS
Symptoms:
When the connection.vlankeyed db variable is disabled, data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels is dropped if it lands on a TMM other than tmm0. The system establishes the IKEv2 tunnel, but the data traffic is not secured.
Conditions:
This issue is seen when the interesting data traffic lands on a TMM other than tmm0. It is caused by incorrectly creating a flow on another TMM that is the owner of the outbound SA (IKEv2 tunnel).
Impact:
The system drops the data traffic to be secured using IPsec and connections fail.
Workaround:
Disable CMP in the virtual server configuration.
Fix:
Flow creation at the TMM that owns the outbound SA for the IKEv2 tunnel is properly handled. TMM can handle the inner traffic from IKEv1 tunnel and secure it over another IKEv2 tunnel.
554324-1 : Signatures cannot be updated after Signature Systems have become corrupted in database★
Component: Application Security Manager
Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database.
Conditions:
Signature systems are corrupted in configuration database. This can occur after upgrading to v11.6.0, v11.6.1, or v12.0.0.
Impact:
Signatures cannot be updated.
Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"
Fix:
Signature System data corruption is corrected upon upgrade, and Signatures can be subsequently upgraded.
554295-3 : CMP disabled flows are not properly mirrored
Component: Local Traffic Manager
Symptoms:
A client connection to a virtual server configured for 'cmp-enabled no' and 'mirror enabled' will be dropped if the standby unit is promoted to active.
Conditions:
The virtual server is configured for 'cmp-enabled no' and 'mirror enabled' on multiple BIG-IP appliances peered in a high availability configuration.
Impact:
Mirroring does not work as expected on BIG-IP appliances.
Note: CMP is required on VIPRION chassis, so this expectation applies only to appliances.
Workaround:
Do not disable CMP on virtual servers that are mirrored.
Fix:
The system now supports mirroring connections between BIG-IP appliances in a high availability configuration on CMP-disabled virtual servers.
Note: If CMP is disabled, hardware syn cookie must also be disabled for virtual servers to mirror connections. This is expected behavior.
554228-5 : OneConnect does not work when WEBSSO is enabled/configured.
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.
Conditions:
WEBSSO and OneConnect.
Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to a build-up of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.
554041-5 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.
Conditions:
All of the following conditions must apply.
1) Edge Client is installed in "Always Connected" mode.
2) The Connectivity profile on server has location DNS list entries.
3) One of the DNS locations matches the DNS suffix set on the local network adapter.
Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN.
All traffic to and from the user's machine is blocked.
Workaround:
This issue has no workaround at this time.
Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.
553976-1 : AJAX File uploads don't work in IE (import policy doesn't work)
Component: Application Security Manager
Symptoms:
You cannot import policies, either XML or binary, through the web UI, but tmsh import works. When using the GUI, you select the file and it gets stuck on "verifying".
The issue occurs only when uploading using Internet Explorer.
Conditions:
Attempting to upload a policy using Internet Explorer.
Impact:
You cannot import any policy from the GUI.
Workaround:
Other browsers such as Firefox or Chrome work.
Fix:
You can now import policies (XML and binary) using the Configuration utility in addition to the command line.
553902-2 : Multiple NTP Vulnerabilities
Vulnerability Solution Article: K17516
553795-4 : Differing certificate/key after successful config-sync
Component: TMOS
Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.
2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.
Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.
2) High Availability failover systems configured with Manual Sync.
Impact:
1) An abandoned FIPS key is left behind.
2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.
Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Delete the FIPS key by-handle on the peer system(s).
2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).
Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.
553735-3 : TMM core on HTTP response with steering action.
Component: Policy Enforcement Manager
Symptoms:
TMM process will crash.
Conditions:
No HTTP profile is attached to the PEM virtual server receiving the HTTP response. In this case, on receiving a connection request from the client, the BIG-IP system establishes the server-side connection without waiting for the HTTP request from the client. Meanwhile, a steering policy is installed. The server responds with an HTTP request timeout message, and TMM cores while trying to steer the existing connection.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Attaching an HTTP profile to the PEM virtual in question will avoid this issue.
Fix:
Issue has been fixed.
553734-1 : Issue with assignment of non-string value to Form.action in javascript.
Component: Access Policy Manager
Symptoms:
Exception in javascript code.
Conditions:
Attempt to assign non-string value to a Form.action in javascript code.
Impact:
Web application malfunction.
Workaround:
There is no workaround at this time.
Fix:
The issue is fixed for non-string value types.
553688-4 : TMM can core due to memory corruption when using SPDY profile.
Component: Local Traffic Manager
Symptoms:
TMM corefiles containing memory corruption within 112-byte memory cache.
Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release contains a fix that prevents a double free on error within the SPDY component.
553649-3 : The SNMP daemon might lock up and fail to respond to SNMP requests.
Component: TMOS
Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.
Conditions:
The SNMP configuration on the BIG-IP system changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.
Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.
Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.
Fix:
The SNMP daemon no longer locks up and becomes unresponsive when it is restarted.
553613-3 : FQDN nodes do not support session user-disable
Component: Local Traffic Manager
Symptoms:
FQDN nodes do not support session user-disable.
Conditions:
Configure a monitor with recv-disable string, and set node to session user-disabled. Monitor does not mark the node down for draining persistent connections.
Impact:
Unable to use session drain.
Workaround:
None.
Fix:
FQDN nodes now support session user-disable.
553576-3 : Intermittent 'zero millivolt' reading from FND-850 PSU
Component: TMOS
Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage.
Specific symptoms include:
- SNMP alert 'bigipSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged:
emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low.
[where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
Note that this condition may affect either PSU 1 or PSU 2.
Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.
Impact:
There is no impact; these error messages are benign.
Workaround:
None.
Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.
553454-2 : Mozilla NSS vulnerability CVE-2015-2730
Vulnerability Solution Article: K15955144
553330-3 : Unable to create a new document with SharePoint 2010
Component: Access Policy Manager
Symptoms:
VPN users are unable to create a new document with SharePoint 2010
An error is given: "The Internet address 'https://ip:port/shared documents/forms/template.dotx' is not valid".
Conditions:
Create a new document using the "New Document" button.
Impact:
User cannot create a new document with SharePoint 2010.
Workaround:
None.
Fix:
You can create a new document with Microsoft SharePoint 2010.
553174-4 : Unable to query admin IP via SNMP on VCMP guest
Component: TMOS
Symptoms:
The admin IP address is not returned via ipAdEntAddr.
Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.
Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.
Workaround:
None.
Fix:
ipAdEntAddr will now return the admin IP address on a VCMP guest.
553146-2 : BD memory leak
Component: Application Security Manager
Symptoms:
BD memory increases. May reach a kernel 'OOM killer' scenario.
Conditions:
Usually a policy with missing content profiles (XML, etc.) on a POST request, which causes the POST to be parsed incorrectly and to raise many parameter violations.
Impact:
High memory consumption on the system, swap memory usage, potential crashes.
Workaround:
Apply the correct content profiles.
Note: Valid requests typically do not have that many parameters in them. If you have requests that do, apply the 'apply value signature' on those big POSTs.
Fix:
This release fixes a memory leak in the Enforcer.
553063-1 : Epsec version rolls back to previous version on a reboot
Component: Access Policy Manager
Symptoms:
If administrator has installed multiple EPSEC packages, after a reboot the EPSEC version rolls back to the previously installed version.
Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.
Impact:
OPSWAT version rolls back without prompting or logging. This might open up the end-point security issues that are supposed to be fixed by the latest installed OPSWAT package.
Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.
After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.
Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.
552937-1 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
Component: Local Traffic Manager
Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.
Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.
Impact:
TMM core.
Workaround:
Add the close header to the HTTP::response, and the connection will be automatically closed.
Fix:
The TMM will no longer core due to not being able to handle the next pipelined request after a HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.
552931-4 : Configuration fails to load if DNS Express Zone name contains an underscore
Component: Local Traffic Manager
Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
-- DNS Express Zone exists with an underscore in the name.
Impact:
Cannot load the LTM configuration when restarting the BIG-IP system if DNS Express Zones have an underscore character in the name.
Workaround:
Force the GTM configuration to load by sequentially running the following commands:
tmsh load sys config gtm-only
tmsh load sys config
Fix:
All FQDNs may now contain the underscore character. The BIG-IP system now correctly loads configurations that contain DNS Express Zones with underscores in the name.
552865-4 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
Component: Local Traffic Manager
Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, handshake might fail if the client sends an invalid signed Certificate Verify message.
Conditions:
When SSL client certificate mode is request, and the client sends an invalid signed Certificate Verify message to the BIG-IP system.
Impact:
The handshake does not ignore the invalid signed certificate verify message, and handshake might fail. SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. Regardless of whether the Certificate and Certificate Verify message is valid, the handshake should ignore the Certificate Verify signature error and let the handshake continue.
Workaround:
None.
Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior.
552585-3 : AAA pool member creation sets the port to 0.
Component: TMOS
Symptoms:
When the AAA server pool member is created (for RADIUS mode BOTH and for AD), the port is set to 0 (Any) because there is more than one port for that pool member.
Conditions:
Create AAA pool member while creating an AAA RADIUS server or Active Directory server. The created pool member does not support the ability of having multiple port numbers and for that reason is updated with 0 (Any) as the port number for the pool member. If the user continues to modify using the Admin UI, the port changes made using tmsh will be overwritten again to 0.
Impact:
AAA pool member port is set to 0 (Any) rather than the port specified in the GUI. This is correct because the pool member does not support more than one port number.
552498-1 : APMD basic authentication cookie domains are not processed correctly
Component: Access Policy Manager
Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.
Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.
Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.
Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.
Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.
552488-1 : Missing upgrade support for AFM Network DoS reports.★
Component: Application Visibility and Reporting
Symptoms:
When upgrading, the statistics of AFM Network DoS reports are not migrated correctly to the new version, leading to loss of data about the Client-IP addresses.
Conditions:
Upgrade from versions 11.4.x or 11.5.x to versions 11.6.x or 12.0.0.
Impact:
The IP Addresses information of AFM Network DoS is lost. However, new activity is collected correctly.
Workaround:
There is no workaround for this issue.
Fix:
This release provides upgrade support for AFM Network DoS reports.
552481 : Disk provisioning error after restarting ASM service.
Component: TMOS
Symptoms:
Disk provisioning error after restarting ASM service.
In newer BIG-IP software versions, ASM uses a different application volume name. Older BIG-IP software versions identify the application volume as owned by ASM and allow ASM to be provisioned and started. However, the older version also creates its own application volume, so there are two ASM application volumes. If ASM is restarted with bigstart or tmsh, or if the BIG-IP system is rebooted, provisioning does not allow ASM to start.
Conditions:
ASM provisioned on both pre-v12.0.0 and post-v12.0.0 versions.
Impact:
ASM does not start, and bigstart status asm indicates a disk provisioning error.
Workaround:
Follow these steps:
1. Boot into the affected version of BIG-IP software.
2. If DoS profiles are applied, they need to be removed from the virtual servers before the provisioning can be carried out, for example:
# tmsh modify ltm virtual all profiles delete { DoS-A-profile }
# tmsh modify ltm virtual all profiles delete { DoS-B-profile }
.....
3. Run the command: tmsh modify sys provision asm level none.
4. Wait for unprovision to complete (do so by monitoring /var/log/asm).
5. Run the command: tmsh delete sys disk application-volume asmdata1.
6. Run the command: tmsh modify sys provision asm level nominal
Fix:
ASM starts successfully with no disk provisioning error after restarting ASM service using newer BIG-IP software.
552476-2 : Use of JavaScript's 'eval' function may be prohibited by site's content security policy
Component: Fraud Protection Services
Symptoms:
Websafe JavaScript does not run on sites that prohibit the use of 'eval' by using CSP headers.
Conditions:
CSP headers present that do not allow 'unsafe-eval'.
Impact:
Websafe JavaScript does not run and false positive 'component check' alerts are received in the dashboard.
Workaround:
None.
Fix:
Websafe JavaScript now runs as expected, so no false positive 'component check' alerts are received in the dashboard.
552352-2 : tmsh list displays incorrectly for default values of gtm listener translate-address/translate-port
Component: Global Traffic Manager
Symptoms:
tmsh list displays incorrectly for default values of GTM listener translate-address/translate-port settings.
Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.
Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when used with the TMSH merge command, where the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. This might eventually result in failing traffic.
Workaround:
Use tmsh list with 'all-properties' instead.
Fix:
GTM Listener's translate-address and translate-port fields are now always displayed in TMSH commands, because GTM Listeners have different defaults than LTM virtual servers. When used with the TMSH merge command, the value would otherwise get set to the LTM virtual server default instead of being maintained as the GTM Listener default. By always displaying this attribute, no matter what the value is, the merge is always handled appropriately.
552198-5 : APM App Tunnel/AM iSession Connection Memory Leak
Component: Wan Optimization Manager
Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.
Conditions:
The iSession profile reuse-connection attribute is true.
A large number of iSession connections are aborted while waiting to be reused.
Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.
Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.
Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.
552151-2 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
Component: Local Traffic Manager
Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.
Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.
Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.
Workaround:
Disable compression if CPU usage is too high.
Fix:
Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).
552139-2 : ASM limitation in the pattern matching matrix build-up
Component: Application Security Manager
Symptoms:
The signature configuration does not build up after new signatures are added. This can look like a configuration change that never finishes, or, if it does finish, the Enforcer may crash on startup, resulting in constant restarts.
Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.
Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).
Workaround:
Workarounds are possible only in a custom-signature scenario: use fewer signatures, or remove unused signatures.
Fix:
Fixed a limitation in the attack signature engine.
551999-2 : Edge client needs to re-authenticate after lost network connectivity is restored
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client restarts executing access policy after lost connectivity is restored. Usually that means Edge client will try to re-authenticate (if access policy is configured so) after lost network connectivity is restored.
Conditions:
Edge Client for Mac, APM with access policy with authentication configured.
Impact:
User needs to input credentials again.
Workaround:
Access policy can have "Save password" option enabled. In this case Edge Client caches the password based on password caching policy in connectivity profile and will not ask for password if cache is still valid.
Fix:
Edge Client for Mac now tries to restore session after lost network connectivity is restored.
551927-2 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
Component: TMOS
Symptoms:
On an ePVA-capable platform with a fastl4 profile and asymmetric routing on the client side, LTM sends packets to the client with the wrong VLAN and correct MAC address (or the correct VLAN and wrong MAC address) and an undecremented TTL.
Conditions:
fastl4 profile and asymmetric routing on the client side.
Impact:
Return traffic could use the wrong VLAN.
Workaround:
None.
Fix:
The system now uses the nexthop VLAN for ePVA transformation of offloaded flows when available, instead of the incoming VLAN.
551893-2 : Alerts sent from the FPS plugin via HSL are in a malformed HTTP format
Component: Fraud Protection Services
Symptoms:
FPS alerts end with \r\n\r\n, HSL adds an extra \n.
Conditions:
The FPS plugin sends an alert via HSL.
Impact:
Alerts sent by FPS plugin via HSL are in malformed format with extra \n at the end.
Workaround:
None.
Fix:
One hard-coded \n was removed from the end of the FPS alerts format, so that they now end with \r\n\r. When alerts are sent via HSL, an extra \n is added and the final alert format is correct (\r\n\r\n).
551767-3 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats
Component: Global Traffic Manager
Symptoms:
GTM server 'Virtual Server Score' does not show correct values in TMSH stats. Instead, stats show a zero value.
Conditions:
You have a virtual server configured with a non-zero score.
Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.
Workaround:
None.
Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.
551764-3 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
Component: Access Policy Manager
Symptoms:
Successful execution of an Access Policy results in the client receiving an HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression that occurs when the fix for bug 374067 is included.
Conditions:
-- The system has the fix for bug 374067.
-- Clientless mode is enabled.
-- BIG-IP platform is chassis platform.
-- The administrator does not override the Access Policy response with iRule command.
Impact:
Client receives an invalid response.
Workaround:
None.
Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.
551742-2 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
Component: TMOS
Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors from an unknown source. This fix mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated by the following message in the ltm log:
Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)
Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.
Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.
Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.
Fix:
A hardware parity error issue has been fixed.
551661-2 : Monitor with send/receive string containing double-quote may fail to load.
Component: TMOS
Symptoms:
When a monitor send or receive string contains \" (backslash double-quote) but does not contain any character that requires quoting, one level of escaping is lost at each save/load.
Note: The configuration is re-loaded during licensing. If you plan to upgrade, first check whether any monitor string contains an escaped quote. If one does, remove the re-licensing step from your MOP (Method of Procedure). When the license is reloaded with such a string in place, the failure message is similar to the following:
Monitor monitor_1 parameter contains unescaped " escape with backslash.
Conditions:
The string contains \" (backslash double-quote) but does not contain any of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.
Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.
Workaround:
You can use either of the following workarounds:
-- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary.
-- Use an external monitor instead.
Fix:
If a monitor send or receive string contains a double-quote (") character, the system now quotes the string when saving it, so the escaping survives save/load.
If the configuration contains \", do not reload the license before upgrading.
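The save/load loss described above is easiest to see with a small model of the serializer. The following Python is an added example, not F5's tokenizer or any BIG-IP code: it quotes a value on save only when the value contains one of the characters listed under Conditions (an assumption that reproduces the reported behaviour), and the loader processes backslash escapes on every token, quoted or bare. With the pre-fix rule a string that contains \" but no quote-trigger character is written bare, loses one backslash per round trip, and fails to load with the "unescaped \"" message on the next cycle; with the post-fix rule (quote whenever the value contains " or \) the round trip is stable.

```python
# Added example: a simplified model of a config save/load cycle for monitor strings.
# It is not F5's tokenizer; the quoting rule and escape handling are assumptions
# chosen to reproduce the behaviour described in 551661-2.

# Characters the page lists as forcing a string to be quoted on save.
QUOTE_TRIGGERS = set("'|{};#\n ")


class ParseError(ValueError):
    """Raised when a saved token cannot be loaded back (the 'unescaped "' failure)."""


def _unescape(body):
    """Process backslash escapes; a bare double-quote is a load error."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            if i + 1 >= len(body):
                raise ParseError("parameter ends with a dangling backslash")
            out.append(body[i + 1])
            i += 2
        elif c == '"':
            raise ParseError('parameter contains unescaped " escape with backslash')
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_token(token):
    """Load one monitor string from its saved form (quoted or bare)."""
    if token.startswith('"'):
        if len(token) < 2 or not token.endswith('"'):
            raise ParseError("unterminated quoted string")
        return _unescape(token[1:-1])
    return _unescape(token)   # bare tokens also go through escape processing


def save_token(value, quote_on_dquote):
    """Serialize a monitor string.
    quote_on_dquote=False (pre-fix): a value containing '"' or '\\' but none of
    QUOTE_TRIGGERS is written bare and unescaped, so the loader strips one level.
    quote_on_dquote=True (post-fix): such values are quoted and escaped."""
    needs_quotes = any(c in QUOTE_TRIGGERS for c in value)
    if quote_on_dquote and ('"' in value or "\\" in value):
        needs_quotes = True
    if not needs_quotes:
        return value
    body = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + body + '"'


def round_trips(value, cycles, quote_on_dquote):
    """Save and load `cycles` times; return every value seen, stopping at a load failure."""
    seen = [value]
    for _ in range(cycles):
        try:
            value = load_token(save_token(value, quote_on_dquote))
        except ParseError as exc:
            seen.append(f"LOAD FAILED: {exc}")
            break
        seen.append(value)
    return seen


if __name__ == "__main__":
    # Constructed send string: contains \" but none of the quote-trigger characters.
    send = 'GET_/api?filter=\\"ok\\"'
    for mode in (False, True):
        print("quote_on_dquote =", mode, "->", round_trips(send, 3, mode))
```

Before upgrading, the practical check is the same one the model runs: take each monitor send/receive string, save and load it once, and confirm it comes back unchanged; any string that does not is one the re-licensing step will break.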
551614-2 : MTU Updates should erase all congestion metrics entries
Component: Local Traffic Manager
Symptoms:
MTU updates erase cached cwnd entries but not ssthresh or RTT, although an MTU update generally indicates a path change, which means those values might also be invalid.
Conditions:
TCP has cached congestion metrics from a previous connection and subsequently receives an ICMP PMTU message.
Impact:
Connection might use invalid congestion metrics.
Workaround:
Disable cmetrics-cache, accept the suboptimal cached values, or write an iRule that purges the entry after a path change.
Fix:
MTU updates now erase all congestion metrics entries, which is correct behavior.
551612 : BIG-IP SSL does not support sending multiple certificate verification requests to the hardware accelerator at the same time in 11.6.0.
Component: Local Traffic Manager
Symptoms:
When SSL sends multiple certificate verification requests to the hardware accelerator at the same time, the handshake is aborted with 'bad certificate'.
Conditions:
SSL simultaneously sends multiple certificate verification requests.
Impact:
BIG-IP SSL does not support this case and the SSL handshake is disconnected with "bad certificate".
Workaround:
None.
Fix:
BIG-IP SSL now supports sending multiple certificate verification requests at the same time.
551481-3 : 'tmsh show net cmetrics' reports bandwidth = 0
Component: TMOS
Symptoms:
'tmsh show net cmetrics' reports bandwidth = 0
Conditions:
The TCP profile has cmetrics-cache enabled.
The connection involves at least 4 RTT updates.
Impact:
User cannot view cmetrics data.
Workaround:
For 12.0.0 and later, you can get this data using the ROUTE::bandwidth iRule command. For earlier versions, there is no workaround.
Fix:
Properly compute bandwidth with the formula cwnd/rtt.
551454-5 : Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server
Component: Access Policy Manager
Symptoms:
Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server. This has no functional impact on end user.
Conditions:
End user specifies incorrect VPN server URL in edge client
Impact:
None. This has no functional impact on end user.
Workaround:
Specify correct server URL in edge client
Fix:
The Edge Client now caches the result of the probe query, which reduces the number of requests sent to the probe URL.
551303-3 : TMM may core during processing of a CCA-T.
Component: Policy Enforcement Manager
Symptoms:
TMM may core during processing of a CCA-T.
Conditions:
Every session has a Gx context and a main session context. These are always pinned to the same processing unit so that lookups are synchronous when a flow arrives for the session. Both contexts are mirrored to a different blade for high availability (HA).
The issue occurs when the following sequence of events happens:
1. The main session moves to a new processing unit (a failover trigger).
2. The session is marked for deletion by an RAR from the PCRF or by a RADIUS Stop.
3. Session deletion is initiated from the main session by sending a local message.
4. The Gx context has not yet moved to this processing unit.
5. A CCR-T is sent for this session after an asynchronous lookup for the Gx context, and the local message is freed. This is the bug.
6. The Gx context moves.
7. The PCRF sends the CCA-T, which tries to look up the local message queued to acknowledge the main session.
8. The local message was deleted at step 5, so TMM cores.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release prevents freeing of the Gx context when a CCR-T is sent out even if the Gx session is remote (present on another tmm), which prevents the TMM core.
551287-4 : Multiple LibTIFF vulnerabilities
Vulnerability Solution Article: K16715
551260-2 : When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as a SAML Service Provider and the IdP connector's Single Sign On Service URL contains an ampersand (&), part of the URL may be truncated when the user is redirected to the IdP for authentication.
Conditions:
All conditions must be true:
- BIG-IP is used as a SAML Service Provider.
- The Single Sign On Service URL property of the IdP connector contains an ampersand, e.g. https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar
- The user performs SP-initiated SSO.
Impact:
The query-string parameters after the first ampersand are lost when the user is redirected to the SSO URL with the Authentication Request.
Fix:
Redirect URL is no longer truncated after ampersand sign.
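The redirect in question is the SAML HTTP-Redirect binding: the AuthnRequest is DEFLATE-compressed, base64-encoded and appended to the IdP's SSO URL as SAMLRequest (plus RelayState). The Python below is an added example, not BIG-IP APM code, showing why the existing query string must be parsed and merged rather than string-appended. The IdP URL is the one from the Conditions above; the AuthnRequest, SP hostname and RelayState are constructed placeholders, and request signing (SigAlg/Signature, which BIG-IP adds for signed requests) is left out.

```python
# Added example: building the SP-initiated HTTP-Redirect binding URL in Python.
# It is not BIG-IP APM code. The AuthnRequest and SP hostname are constructed
# samples; request signing (SigAlg/Signature) is omitted.
import base64
import zlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed, unsigned AuthnRequest for the example; IDs and hosts are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_a1b2c3" Version="2.0" IssueInstant="2016-01-01T00:00:00Z" '
    'Destination="https://idp.f5.com/saml/idp/profile/redirectorpost/sso" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/sp/profile/post/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/saml/sp</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_param(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_redirect_param(value):
    """Inverse of encode_redirect_param, as the IdP applies it."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def build_redirect_url_naive(sso_url, authn_request, relay_state):
    """Models the pre-fix behaviour described in 551260-2: everything after the
    first '&' of the configured SSO URL is dropped before the binding parameters
    are appended, so the IdP never sees the rest of its own query string."""
    base = sso_url.split("&", 1)[0]
    sep = "&" if "?" in base else "?"
    params = {"SAMLRequest": encode_redirect_param(authn_request), "RelayState": relay_state}
    return base + sep + urlencode(params)


def build_redirect_url(sso_url, authn_request, relay_state):
    """Merge SAMLRequest/RelayState into whatever query the SSO URL already carries."""
    parts = urlsplit(sso_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("SAMLRequest", encode_redirect_param(authn_request)))
    query.append(("RelayState", relay_state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def query_params(url):
    """Decode a URL's query string into a dict (what the IdP receives)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    sso = "https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar"
    print("naive :", sorted(query_params(build_redirect_url_naive(sso, AUTHN_REQUEST, "rs1"))))
    print("fixed :", sorted(query_params(build_redirect_url(sso, AUTHN_REQUEST, "rs1"))))
```

urlencode percent-encodes the base64 characters (+, / and =), which is required by the binding; a signed request would additionally compute the signature over the encoded SAMLRequest, RelayState and SigAlg parameters in that order and append it as Signature.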
551208-1 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.
Component: TMOS
Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.
Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia SNMP alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435
Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.
Workaround:
None.
Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.
551189 : Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield to incorrect HTTP header data
Component: Local Traffic Manager
Symptoms:
Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g. the HTTP Set-Cookie header and/or other HTTP headers).
Conditions:
LTM Virtual Server handling HTTP traffic, with iRule attached which modifies a given HTTP cookie value through the HTTP::cookie API, on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use-case for producing the error would be encrypting and decrypting HTTP cookies via an iRule.
Impact:
Repeatedly altering the same HTTP cookie value in an iRule, via the HTTP::cookie API, may yield an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header.
Workaround:
None.
551010-7 : Crash on unexpected WAM storage queue state
Component: WebAccelerator
Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.
Conditions:
WAM is configured on a virtual server with request queuing enabled.
Impact:
Crash
Workaround:
none
Fix:
Gracefully recover from unexpected WAM storage queue state
550782-4 : Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
Component: Local Traffic Manager
Symptoms:
RRSIG records are present when not asked for, and the RRSIG records and AD flag drop from the response when the entry expires from the cache.
Conditions:
Standard DNS requests (without the DO bit set) are made against a validating resolver DNS cache that points to a second BIG-IP system, which in turn contains a wide IP in a signed zone.
Impact:
RRSIG records are returned to clients that did not set the DO bit, and the RRSIG records and AD flag drop from the response when the entry expires from the cache.
Workaround:
None.
Fix:
Message encoding now depends on the client's DO bit.
550694-3 : LCD display stops updating and Status LED turns/blinks Amber
Component: TMOS
Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.
Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer.
This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus becomes stalled.
Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition is greatly reduced, but may still occur under rare conditions.
Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.
Workaround:
This condition can be cleared by either of the following actions:
1. Press one of the buttons on the LCD display to navigate the LCD menus.
2. Issue the following command at the BIG-IP host console:
/sbin/lsusb -v -d 0451:3410.
Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.
Fix:
Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.
550689-2 : Resolver H.ROOT-SERVERS.NET Address Change
Component: Local Traffic Manager
Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses remain valid for 6 months after the change; the IPv4 address then goes completely offline, and the IPv6 address may go offline as well. More details: http://h.root-servers.org/renumber.html
Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.
Impact:
Incorrect address for a root-server means no response to that query.
Workaround:
There are 12 other root servers that also answer TLD queries, so the impact is cosmetic, but the addresses still need to be updated to reflect the change.
Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53).
For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.
550669-1 : Monitors stop working - throttling monitor instance probe because file descriptor limit 65436 reached
Component: Local Traffic Manager
Symptoms:
Monitor checks stop working.
The ltm log file contains error messages similar to the following: 01060154:4: Bigd PID 7147, instance 0, throttling monitor instance probe because file descriptor limit 65436 reached.
Conditions:
- You have a monitor type configured that uses Tcl internally (for example, FTP, IMAP, POP3, or SMTP monitors).
- You have monitor logging enabled for the pool members or nodes, as shown in either of the following:
tmsh list ltm pool <pool_name>
    members {
        ...
        <member> {
            ...
            logging enabled
tmsh list ltm node <node_ip>
    ...
    logging enabled
Impact:
Monitoring stops working; pool members are marked down when they are not.
Workaround:
There is no workaround if Tcl-using monitors are configured.
If pool member or node level monitor logging is configured, disable it and restart bigd.
Disable monitor logging on every pool and node that needs it:
tmsh modify ltm pool <pool-name> members modify { all { logging disabled }}
tmsh modify ltm node <node-ip> logging disabled
Restart bigd:
tmsh restart sys service bigd
Fix:
Resolved resource leak so monitors continue to work properly.
550596-3 : RESOLV::lookup iRule command vulnerability CVE-2016-6876
Vulnerability Solution Article: K52638558
550536-3 : Incorrect information/text (in French) is displayed when the Edge Client is launched
Component: TMOS
Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.
Conditions:
Edge client is used in French locale.
Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.
Workaround:
None.
Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.
550434-5 : Diameter connection may stall if server closes connection before CER/CEA handshake completes
Component: Service Provider
Symptoms:
Serverside connection stalls. Connection is not torn down and packets are not forwarded to serverside.
Conditions:
Selected pool member closes (via FIN) connection before sending CEA as part of Diameter handshake.
Impact:
Connection stalls until handshake timeout and then it is reset.
Workaround:
none
Fix:
Serverside diameter connections will be immediately reset if FIN is received before CEA (Capabilities-Exchange-Answer).
549971-5 : Some changes to virtual servers' profile lists may cause secondary blades to restart
Component: TMOS
Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.
Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.
Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.
Workaround:
Explicitly set the ip-protocol when changing the profiles of a virtual server; the bug then does not occur.
Fix:
If a virtual server's ip-protocol was not set, then some changes to the list of attached profiles would cause a validation error on secondary blades. This would cause those blades to restart. This issue has been fixed.
549868-4 : 10G interoperability issues reported following Cisco Nexus switch version upgrade.
Component: Local Traffic Manager
Symptoms:
10G link issues reported with VIPRION B2250, B4300 blades and BIG-IP 10x00 appliances connected to Cisco Nexus switches.
Conditions:
Issues reported after version upgrade on Cisco switch to version 7.0(5)N1(1).
Impact:
The links might not come up.
Workaround:
Toggling the SFP+ interfaces usually restores the link.
Fix:
The BIG-IP system's 10G link now consistently becomes active when it is connected to other switches.
549800-2 : Renaming a virtual server with an attached plugin can cause buffer overflow
Component: Local Traffic Manager
Symptoms:
Renaming a virtual server (essentially, moving one virtual server to a new location, which effectively renames it) might cause buffer overflow and potentially result in Failover.
Conditions:
The database variable 'mcpd.mvenabled' must be set to 'true'.
Also, when moving a virtual server, the new name must be longer than the original name.
Impact:
Buffer overflow and potentially failover.
Workaround:
Do not use the move command. Instead, issue a delete followed by a create command in a transaction.
Fix:
Renaming a virtual server now works as expected, and does not result in buffer overflow or failover.
549782-1 : XFV driver can leak memory
Component: Local Traffic Manager
Symptoms:
When an interface goes down, memory is not correctly freed.
Conditions:
The leak occurs when the interface goes down.
Impact:
Over a long enough period the BIG-IP system can run out of memory, and TMM needs to be restarted.
Workaround:
none
Fix:
The driver was corrected so that when the interface is brought down, all the xfrags currently in the ring buffer are freed.
549588-2 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
Component: Access Policy Manager
Symptoms:
EAM memory growing and OOM kills EAM process under memory pressure.
Conditions:
This occurs when using an access management system such as Oracle Access Manager: when an authentication request is redirected to the IdP (a redirect URL is present) and cookies are present, memory can grow without bound.
Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.
Workaround:
No Workaround
Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.
549543-3 : DSR rejects return traffic for monitoring the server
Component: TMOS
Symptoms:
System DB variable 'tm.monitorencap' controls whether the server monitor traffic is encapsulated inside DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, and return traffic is without the tunnel encapsulation. In such a case, the return traffic is not mapped to the original monitor flow, and gets rejected/lost.
Conditions:
System DB variable 'tm.monitorencap' is set to 'enable', and DSR server pool is monitored.
Impact:
Monitor traffic gets lost, and server pool is marked down.
Workaround:
None.
Fix:
The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.
549406-5 : Destination route-domain specified in the SOCKS profile
Component: Local Traffic Manager
Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.
Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).
Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.
Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.
Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.
549393-3 : SWG URL categorization may cause the /var/lib/mysql file system to fill.
Component: Application Visibility and Reporting
Symptoms:
Secure Web Gateway (SWG) URL categorization may cause the /var file system to fill. This might manifest in the following ways.
1. The /var/lib/mysql file system is full or approaching 100% utilization, as shown in the following example:
# df -h /var/lib/mysql
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg--db--vda-app.ASWADB.set.1.mysqldb
12G 11G 576M 95% /var/lib/mysql
2. The database and index files for SWG URL categorization have grown very large, as shown in the following example:
-- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYD: 8.1G <--- Database!
-- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYI: 765M <--- Index!
Conditions:
SWG is provisioned and configured to perform URL classification, and a large amount of web traffic is being proxied by the SWG system.
Impact:
This results in the following impacts:
- SWG-related operations dependent on MySQL may fail.
- Once the /var/lib/mysql file system reaches 100% utilization, other BIG-IP system functions that depend on the MySQL system may also experience issues.
Workaround:
The issue can be worked around by resetting the AVR statistics. You can find information on how to reset AVR statistics in SOL14956: Resetting BIG-IP AVR statistics, available at https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14956.html.
Impact of procedure: The procedure removes all Analytics data and resets the MySQL database.
Fix:
Secure Web Gateway (SWG) URL categorization no longer causes the /var file system to fill.
549329-1 : L7 mirrored ACK from standby to active box can cause tmm core on active
Component: Local Traffic Manager
Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.
Conditions:
HA active-standby configuration setup for L7 packet mirroring.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
549283-3 : Add a log message to indicate transition in the state of Gx and Gy sessions.
Component: Policy Enforcement Manager
Symptoms:
Without a state transition indicator, it is difficult to determine if the Gx and Gy session is active and UP on the BIG-IP device.
Conditions:
Gx or Gy state transitions need to occur.
Impact:
Difficult to identify and debug issues related to Gx and Gy state transitions.
Workaround:
None needed. This is an improvement.
Fix:
Added a log message to indicate the state transitions for Gx and Gy sessions.
549108-1 : RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value
Component: Access Policy Manager
Symptoms:
Some RDP parameters may contain whitespaces or colon in the value, e.g.:
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.RDSFarm
The configuration utility will throw a validation error "01070734:3: Configuration error: apm resource remote-desktop rdp: Parse error on line 0: <parameter>"
Conditions:
This occurs when using RDP parameters containing spaces or colon in the value.
Impact:
Administrator is unable to configure the RDP resource as desired.
Workaround:
None.
Fix:
RDP parameters parsing has been refined to support values containing colons or whitespaces.
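The .rdp setting format is name:type:value, where type is s (string), i (integer) or b (binary), and only the first two colons are separators; a parser that splits on every colon, or rejects whitespace, fails on exactly the loadbalanceinfo line above. The Python below is an added example and not APM's parser: it shows the naive split beside a correct one, using constructed sample lines (the loadbalanceinfo line is the one quoted in this entry, the others are ordinary .rdp settings chosen for the example).

```python
# Added example: parsing RDP 'name:type:value' settings such as APM's RDP resource
# custom parameters (549108-1). It is not APM's parser; the sample lines are constructed.
import re

# .rdp value types: s = string, i = integer, b = binary (hex string)
RDP_TYPES = {"s": str, "i": int, "b": bytes.fromhex}
# Setting names may contain spaces ("full address", "screen mode id")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]*")


class RdpParseError(ValueError):
    pass


def parse_rdp_parameter(line, lineno=0):
    """Parse one setting. Only the first two colons are field separators, so a
    value such as 'tsv://MS Terminal Services Plugin.1.RDSFarm' keeps its colon
    and spaces. Returns (name, typed value)."""
    parts = line.rstrip("\r\n").split(":", 2)
    if len(parts) != 3:
        raise RdpParseError(f"Parse error on line {lineno}: {line}")
    name, typ, value = parts
    if not NAME_RE.fullmatch(name) or typ not in RDP_TYPES:
        raise RdpParseError(f"Parse error on line {lineno}: {line}")
    try:
        return name, RDP_TYPES[typ](value)
    except ValueError:
        raise RdpParseError(f"Parse error on line {lineno}: {line}") from None


def parse_rdp_parameters(text):
    """Parse a block of settings (one per line) into a dict; blank lines are skipped."""
    params = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            name, value = parse_rdp_parameter(line, lineno)
            params[name] = value
    return params


def parse_rdp_parameter_naive(line, lineno=0):
    """Models the pre-fix behaviour: splitting on every colon, insisting on exactly
    three fields and refusing whitespace rejects any value containing ':' or ' '."""
    parts = line.rstrip("\r\n").split(":")
    if len(parts) != 3 or " " in parts[2]:
        raise RdpParseError(f"Parse error on line {lineno}: {line}")
    return parts[0], parts[2]


def rejected(parser, line):
    """True if parser raises RdpParseError for line."""
    try:
        parser(line)
        return False
    except RdpParseError:
        return True


# Constructed sample; the loadbalanceinfo line is the one quoted in 549108-1.
SAMPLE_RDP = """\
full address:s:rds.example.com:3389
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.RDSFarm
screen mode id:i:2
use multimon:i:0
"""

if __name__ == "__main__":
    for line in SAMPLE_RDP.splitlines():
        status = "rejected" if rejected(parse_rdp_parameter_naive, line) else "ok"
        print(f"{status:8} (naive)  {line}")
    print(parse_rdp_parameters(SAMPLE_RDP))
```

Typing the value by its declared type is also what keeps a string-typed parameter from being mistaken for an integer one, so a value like 2:3389 in an i field is rejected instead of silently truncated.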
549086-8 : Windows 10 is not detected when Firefox is used
Component: Access Policy Manager
Symptoms:
Windows 10 is not detected when the Firefox browser is used.
Conditions:
Windows 10 and Firefox (at least versions 40 and 41).
Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.
Workaround:
There is no workaround.
Fix:
Now Windows 10 is properly detected with the Firefox browser.
548796-2 : avrd CPU usage is at 100%
Component: Performance
Symptoms:
When the Application Visibility and Reporting (AVR) module is being used, the avrd daemon can consume all CPU. The avrd log will contain error messages similar to Semaphore DB_Publisher_ready is not set, for xxxx seconds
Conditions:
This can occur when using the AVR module.
Impact:
avrd reaches 100% CPU and stays there even when no traffic is being passed, which impacts system performance.
Workaround:
Restarting tmm temporarily mitigates this problem.
Fix:
Avrd is no longer susceptible to consuming all CPU indefinitely even when traffic is not being passed.
548680-2 : TMM may core when reconfiguring iApps that make use of iRules with procedures.
Component: Local Traffic Manager
Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.
Conditions:
More than one iApp is reconfigured by switching templates, and the prior and new templates contain iRules with procedures of the same name.
After the second or later reconfiguration, TMM may core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.
Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.
548678-2 : ASM blocking page does not display when using SPDY profile
Component: Local Traffic Manager
Symptoms:
The ASM blocking page will not be displayed when using the SPDY profile.
Conditions:
A virtual server is configured with ASM and a SPDY profile, and a request is blocked by ASM.
Impact:
Request blocked page is not displayed.
Workaround:
If possible, disable the SPDY profile on virtual servers configured to use ASM.
Fix:
ASM will now correctly display its blocking page when the SPDY profile is enabled and an ASM blocking rule is triggered.
548583-3 : TMM crashes on standby device with re-mirrored SIP monitor flows.
Component: Local Traffic Manager
Symptoms:
Occasionally, the standby system with a SIP monitor crashes in a configuration where the active system contains a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.
Conditions:
This occurs on an active-standby setup in which there is an L4 forwarding virtual server or SNAT listener configuration with a wildcard IP address and port, and with connection mirroring enabled. Also, the standby has a SIP monitor configured.
Impact:
Packets sent by the SIP monitor on the standby get routed back to the active unit (possibly because of a routing loop) and are then mirrored to the standby because of the wildcard mirrored configuration. tmm on the standby might crash; when it does, the standby system posts the following assertion: tmm failed assertion, non-zero ha_unit required for mirrored flow.
Workaround:
-- If a routing or switching loop is the reason the packets come back to the active unit, then the routing issues can be eliminated.
-- The mirroring of the wildcard virtual server or SNAT listener can be disabled.
Fix:
TMM no longer crashes on standby device with re-mirrored SIP monitor flows.
548563-2 : Transparent Cache Messages Only Updated with DO-bit True
Component: Local Traffic Manager
Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.
Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.
Impact:
When the TTL of the cached DO-bit TRUE message expires, DO-bit FALSE queries are proxied until the message cache is updated with a new DO-bit TRUE message.
Workaround:
None.
Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.
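Two cache rules are described on this page: the encoding rule from 550782-4 (RRSIG records and the AD flag go only to clients whose query set the DO bit) and the refresh rule from this entry (after expiry, accept whichever answer arrives first, but prefer and upgrade to a DO=1 copy, never downgrade a live one). The Python below is an added example that models both rules in one small cache; it is not the BIG-IP DNS cache, records are simplified to (type, rdata) tuples with a placeholder RRSIG string, the sample answers are constructed, and AD handling is reduced to the client's DO bit (a real resolver also honours the AD bit in the query).

```python
# Added example: a cache model showing the DO-bit rules of 550782-4 and 548563-2.
# It is not the BIG-IP DNS cache; records are simplified tuples and the sample
# answers are constructed. AD handling is simplified to the client's DO bit.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Answer:
    rrset: Tuple[str, str]      # (type, rdata), e.g. ("A", "192.0.2.10")
    rrsig: Optional[str]        # RRSIG covering rrset; None when fetched with DO=0
    ad: bool                    # upstream validated the answer (AD flag set)
    ttl: int


@dataclass
class Entry:
    answer: Answer
    stored_at: float

    @property
    def dnssec(self):
        return self.answer.rrsig is not None

    def expired(self, now):
        return now >= self.stored_at + self.answer.ttl


class DnsCache:
    def __init__(self, prefer_do=True):
        # prefer_do=False models the pre-fix rule of 548563-2, where an expired
        # DO=1 entry could only be refreshed by another DO=1 answer.
        self.prefer_do = prefer_do
        self._entries = {}

    def store(self, key, answer, now):
        """Insert or refresh; returns True if the cache changed."""
        cur = self._entries.get(key)
        if cur is None or cur.expired(now):
            if cur is not None and cur.dnssec and answer.rrsig is None and not self.prefer_do:
                return False
            self._entries[key] = Entry(answer, now)
            return True
        if answer.rrsig is not None and not cur.dnssec:
            self._entries[key] = Entry(answer, now)   # upgrade a live DO=0 entry to the DNSSEC copy
            return True
        return False                                  # never downgrade a live DO=1 entry

    def lookup(self, key, client_do, now):
        """Wire-ready view for this client, or None on miss/expiry (caller then proxies upstream)."""
        cur = self._entries.get(key)
        if cur is None or cur.expired(now):
            return None
        a = cur.answer
        view = {"rrset": a.rrset, "ttl": int(cur.stored_at + a.ttl - now)}
        if client_do:
            view.update(rrsig=a.rrsig, ad=a.ad)
        else:
            # 550782-4: encoding follows the client's DO bit, so a plain query
            # never receives RRSIG data or the AD flag from a cached DNSSEC answer.
            view.update(rrsig=None, ad=False)
        return view


if __name__ == "__main__":
    key = ("www.example.com.", "A")
    signed = Answer(("A", "192.0.2.10"), "RRSIG A 8 3 300 keytag=12345", True, 300)
    plain = Answer(("A", "192.0.2.10"), None, False, 300)
    cache = DnsCache()
    cache.store(key, signed, now=0.0)
    print("DO=1 client:", cache.lookup(key, True, now=10.0))
    print("DO=0 client:", cache.lookup(key, False, now=10.0))
    cache.store(key, plain, now=301.0)     # accepted after expiry even though DO=0
    print("after refresh:", cache.lookup(key, True, now=302.0))
```

Run against the pre-fix rule (prefer_do=False) the same sequence shows the symptom from this entry: after the DO=1 entry expires, every DO=0 answer is refused, the lookup keeps missing, and those queries are proxied until a DO=1 answer happens to arrive.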
548385-3 : iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
Component: TMOS
Symptoms:
If the active folder is not the same as the folder in which the query is run, and the key/cert file name does not include the extension, the query returns incorrect results.
Conditions:
iControl calls query a key/cert from the parent folder, and the name is missing the extension.
Impact:
The query result returns incorrect results.
Workaround:
You can use one of the following workarounds:
-- Change the filename to include the extension.
-- Change to the folder that contains the key/cert before executing the iControl call.
Fix:
The system now correctly loads key/cert/csr/crl files without an extension, so iControl calls that query those files from parent folder, now return correct results.
548361 : Performance degradation when adding VDI profile to virtual server
Component: Access Policy Manager
Symptoms:
Performance degradation when a VDI profile is added to a virtual server.
Conditions:
This occurs when a VDI profile is in use.
Impact:
Latency increases by 0.3 s compared with the previous measurement.
Workaround:
None.
Fix:
Fixed the 0.3 s latency between the client and server SSL hello that occurred when a VDI profile was added to the virtual server.
548239-3 : BGP routing using route-maps cannot match route tags
Component: TMOS
Symptoms:
When a route-map is used to redistribute routes into BGP, matching on the route tag fails.
Conditions:
Dynamic routing using BGP, redistribution into BGP using a route-map, route-map matches route tag.
Impact:
BGP may not get all prefixes from other routing protocols.
Workaround:
None.
Fix:
Route-maps used with BGP now correctly match route tags.
547732-1 : TMM may core on using SSL::disable on an already established serverside connection
Component: Local Traffic Manager
Symptoms:
TMM process may crash if the SSL::disable iRule command is used on a serverside with a connection that has already established SSL.
Conditions:
Use of the 'SSL::disable serverside' iRule command on a serverside connection that has already established SSL
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use SSL::disable on an event where the serverside SSL connection is already established.
Fix:
TMM no longer cores when SSL::disable is used on an already established serverside connection; it now logs a warning instead: Connection error: hud_ssl_handler:605: disable profile (80)
547657-1 : A TCL error in a DNS_RESPONSE iRule event can cause a tmm crash.
Component: Local Traffic Manager
Symptoms:
A TCL error, such as referencing an undefined variable, in a DNS_RESPONSE iRule event can cause a tmm crash. This can occur on a UDP listener with a DNS profile without datagram load balancing enabled. A DNS_REQUEST event, with any content, on the same listener is also required.
Conditions:
All of the following:
UDP listener with DNS profile without datagram load balancing.
A TCL error, such as referencing an undefined variable, in a DNS_RESPONSE iRule event.
A DNS_REQUEST iRule event with any content.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Either add datagram load balancing to the listener or correct the TCL errors that lead to the problem.
Fix:
The TCL error handling is now processed asynchronously which prevents the problem from occurring.
547546-3 : Add support for auto-update of MachineCertService
Component: Access Policy Manager
Symptoms:
Auto-update of MachineCertService was not implemented. If APM contains a newer MachineCertService, Edge Client does not pick it up automatically.
Conditions:
Upgrading an existing APM installation.
Impact:
Because MachineCertService is not an auto-updatable service, redeployment is required.
Fix:
Added auto-update support for MachineCertService.
547537-3 : TMM core due to iSession tunnel assertion failure
Component: Wan Optimization Manager
Symptoms:
TMM core due to "valid isession pcb" assertion failure in isession_dedup_admin.c.
Conditions:
Deduplication endpoint recovery occurs on a BIG-IP system that has deduplication enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
none
Fix:
An iSession tunnel initialization defect has been corrected.
547532-2 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
Component: TMOS
Symptoms:
Error messages similar to this are present in the ltm log:
-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
Conditions:
A chassis-based system with multiple blades. This can occur a few different ways:
- A monitor is attached to an object configured in a partition that uses a non-default route domain, but the monitor address explicitly uses the default route domain (e.g. %0).
- A monitor defined in the Common partition is attached to an object from a partition where the default route domain is different.
Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.
Workaround:
There are two possible workarounds:
-- Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.
-- Do not use monitors from other partitions where the default route domain is different.
Fix:
The complete state for addresses on the primary blade is propagated to secondary blades.
547047 : Older cli-tools unsupported by AWS
Component: TMOS
Symptoms:
Older EC2 tools stopped working in some AWS regions.
Conditions:
This can happen in some AWS regions.
Impact:
BIG-IP high availability configurations may stop working in some AWS regions.
Workaround:
None.
Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.
547038-2 : In very fast transactions, some detection data is missing
Component: Fraud Protection Services
Symptoms:
In very fast transactions, some automatic transaction detection data is missing.
Conditions:
Form submitted before page finishes loading.
Impact:
False positive automatic transaction alerts.
Workaround:
None
Fix:
Loss of data in the Automatic Transactions cookie can be prevented by initializing cookies earlier.
547000-4 : Enforcer application might crash on XML traffic when out of memory
Component: Application Security Manager
Symptoms:
Enforcer application might crash on XML traffic when out of memory.
Conditions:
This occurs when the system is out of memory.
Impact:
The BIG-IP system might temporarily fail to process traffic.
Workaround:
None.
Fix:
This release fixes a scenario where the system might crash when the XML parser ran out of memory.
546747-2 : SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets
Component: Local Traffic Manager
Symptoms:
Sometimes BIG-IP system responds with a fatal-handshake alert and closes the SSL session for a new connection when a ClientHello record is split between two or more packets.
If SSL debug logging is enabled, the system logs an error such as the following:
01260009:7: Connection error: ssl_hs_rxhello:6210: ClientHello contains extra data (47).
Note: For information on SSL debug logging, see SOL15292: Troubleshooting SSL/TLS handshake failures at https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html.
Conditions:
This occurs when a SSL ClientHello record is split across multiple TCP segments, and the last segment is relatively small.
Impact:
SSL connections fail to complete with a handshake failure.
Workaround:
No workaround.
Fix:
SSL handshakes no longer fail to complete when the ClientHello is split across multiple TCP segments and the last segment is relatively small.
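The failure above is a record-framing problem: a TLS record header carries a 2-byte length, and a receiver has to keep buffering until that many payload bytes have arrived, whatever the TCP segment boundaries are. The following added example (not F5's code, and not an implementation of the BIG-IP SSL stack) shows a minimal TLS record reassembler fed the same way: a constructed, sample ClientHello is split so that a small trailing segment arrives last, and the partial record is held rather than rejected as extra data. The ClientHello bytes are constructed sample data, not a captured handshake.

```python
# Added example (not F5's code): a minimal TLS record reassembler showing why a
# ClientHello split across TCP segments must be buffered until the record length
# from the 5-byte header is satisfied, rather than rejected as "extra data".
import struct
from typing import List, Tuple

RECORD_HEADER_LEN = 5               # content type (1) + protocol version (2) + length (2)
MAX_RECORD_LEN = (1 << 14) + 2048   # TLS 1.2 ciphertext ceiling (RFC 5246 section 6.2.3)
CT_HANDSHAKE = 22


class TlsRecordAssembler:
    """Accumulates TCP payload bytes and emits complete TLS records."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, segment: bytes) -> List[bytes]:
        """Append one TCP segment's payload; return every record completed by it."""
        self._buf.extend(segment)
        complete: List[bytes] = []
        while len(self._buf) >= RECORD_HEADER_LEN:
            _ctype, _version, length = struct.unpack("!BHH", bytes(self._buf[:RECORD_HEADER_LEN]))
            if length > MAX_RECORD_LEN:
                raise ValueError("TLS record length %d exceeds maximum" % length)
            total = RECORD_HEADER_LEN + length
            if len(self._buf) < total:
                break  # partial record: wait for the next segment, this is not an error
            complete.append(bytes(self._buf[:total]))
            del self._buf[:total]
        return complete

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete record."""
        return len(self._buf)


def build_client_hello_record() -> bytes:
    """Constructed, minimal TLS 1.2 ClientHello wrapped in a handshake record (sample data)."""
    body = (
        b"\x03\x03"                  # client_version TLS 1.2
        + bytes(range(32))           # random (constructed filler, not real randomness)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02" + b"\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return struct.pack("!BHH", CT_HANDSHAKE, 0x0301, len(handshake)) + handshake


def reassemble(segments: List[bytes]) -> Tuple[List[bytes], int]:
    """Feed segments in order; return (complete records, bytes still pending)."""
    asm = TlsRecordAssembler()
    records: List[bytes] = []
    for seg in segments:
        records.extend(asm.feed(seg))
    return records, asm.pending()


if __name__ == "__main__":
    rec = build_client_hello_record()
    # Case from the release note: the ClientHello arrives in two segments, the last one small.
    records, pending = reassemble([rec[:-3], rec[-3:]])
    print(len(records), "record(s) reassembled,", pending, "byte(s) pending")
```

Two records arriving in a single segment are handled by the same loop, which is the other half of the same rule: bytes past the end of one record are the start of the next record, not garbage.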
546640 : tmsh show gtm persist <filter option> does not filter correctly
Component: Global Traffic Manager
Symptoms:
Following commands fail to return results even if there are matching records:
# tmsh show gtm persist level wideip
# tmsh show gtm persist target-type pool-member
Conditions:
This only happens when running the tmsh commands listed in the Symptoms.
Impact:
It is not possible to get a granular detail for persist stats.
Workaround:
Use GUI.
Fix:
Filters for the tmsh show gtm persist command now apply the filters correctly.
546410-2 : Configuration may fail to load when upgrading from version 10.x.★
Component: TMOS
Symptoms:
After upgrade from 10.x to 11.5.3 HF2, configuration fails to load with the following error:
01070734:3: Configuration error: Invalid primary key on monitor_param object () - not a full path 2.
Conditions:
Configuration contains a user-created monitor (A) that inherits from user-created monitor (B). Monitor A appears first within the configuration files and monitor B does not have a 'destination' attribute.
Impact:
Configuration fails to load.
Workaround:
Re-order monitors such that Monitor B appears first, or add a 'destination' attribute (i.e., 'destination *:*') to monitor B.
Fix:
10.x upgrade now completes successfully, even when parent monitors appear later in the monitor list, or when there is no destination attribute in the child monitor.
546082-5 : Special characters might change input.
Component: iApp Technology
Symptoms:
Special characters by users might change the intended data.
Conditions:
Use of special characters.
Impact:
Incorrect or unwanted response.
Workaround:
None.
Fix:
Updated data handling to properly account for special characters.
546080-5 : Path sanitization for iControl REST worker
Vulnerability Solution Article: K99998454
545985-3 : ICAP 2xx response (except 200, 204) is treated as error
Component: Service Provider
Symptoms:
An ICAP status code of 2xx (other than 200 or 204) from the ICAP server is treated as an error, causing the ICAP connection to be reset and the service-down-action to be performed on the parent virtual server (as configured in the requestadapt or responseadapt profile). RFC 3507 requires the ICAP client (BIG-IP) to handle the response normally (i.e., like 200).
Conditions:
The ICAP server returns a 2xx status code that is not defined explicitly for ICAP.
Impact:
Transactions involving an ICAP server that returns a non-ICAP 2xx response do not work, and the service-down action is performed.
Workaround:
If possible, have the ICAP server return status code 200.
Fix:
An ICAP status code from the ICAP server of 2xx (other than 200 or 204) is treated as a normal 200 status code, thus the encapsulated HTTP request or response is returned to the HTTP client or server.
545810-1 : ASSERT in CSP in packet_reuse
Component: Local Traffic Manager
Symptoms:
Causes TMM to crash
Conditions:
This crash will happen on LTM virtuals that meet the following two configuration criteria:
- the virtual is configured with fasthttp profile.
- the virtual's enabled VLAN is mapped to the _loopback interface.
Impact:
Crash and restart of TMM
Workaround:
None
Fix:
Fixed the logic that determines whether the connection is an L7 loopback connection. This way CSP receives only packets that it owns and can re-use.
545786-4 : Privilege escalation vulnerability CVE-2015-7393
Vulnerability Solution Article: K75136237
545783-3 : TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool
Component: Carrier-Grade NAT
Symptoms:
TMM crashes when forwarding an inbound connection and the flow sweeper tries to update the flow before the forwarding operation completes.
Conditions:
A small or over utilized LSN pool that creates inbound entries that require forwarding.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add more IP addresses to the LSN pool.
Fix:
TMM no longer crashes when forwarding inbound connections configured with an LSN pool.
545762 : CVE-2015-7394
Vulnerability Solution Article: K17407
545745-2 : Enabling tmm.verbose mode produces messages that can be mistaken for errors.
Component: TMOS
Symptoms:
When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present.
Conditions:
Must have an accelerator device, and enable tmm.verbose logging.
Impact:
The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored.
Workaround:
Ignore the lines with format similar to the following:
en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000
Fix:
The cosmetic messages containing 'err' and 'best err' are no longer posted on initial tmm startup when tmm.verbose logging is enabled on hardware-accelerated devices.
545704-2 : TMM might core when using HTTP::header in a serverside event
Component: Local Traffic Manager
Symptoms:
In certain circumstances TMM might core when using an HTTP iRule command in a HTTP_REQUEST_SEND serverside event.
Conditions:
- iRule with an HTTP command in a serverside event prior to the serverside being completely established, such as HTTP_REQUEST_SEND.
- OneConnect configured on the virtual server.
Impact:
The command might either return invalid value or lead to a condition where TMM might core.
Workaround:
Use the {clientside} Tcl command to execute on the client side.
Alternatively, you might use the HTTP_REQUEST_RELEASE event for HTTP inspection/modification on the server-side.
Fix:
TMM no longer cores when using HTTP iRule commands on the server-side of the HTTP_REQUEST_SEND event.
545558-1 : Send RAA when RAR is sent by PCRF and session is deleted immediately after its created.
Component: Policy Enforcement Manager
Symptoms:
BIGIP does not send RAA for certain sessions.
Conditions:
If a session is created, CCR-I is sent, CCA-I is received, and the session is deleted immediately, then the RAA for the RAR update from the PCRF for that session is not sent.
Impact:
PCRF has no way of knowing why RAA was not received for the session.
Workaround:
No workaround. This is an extremely remote scenario in which RADIUS Start and Stop are received almost at the same time.
545450-3 : Log activation/deactivation of TM.TCPMemoryPressure
Component: Local Traffic Manager
Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.
Conditions:
TM.TCPMemoryPressure set to "enable".
Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.
Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.
544980-3 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
Component: TMOS
Symptoms:
The size of /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.
Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.
Impact:
Not enough space in /var.
Workaround:
In the current volume:
1. Modify global_attributes file.
* The global_attributes file is located at /shared/.tmi_config; modify it by using the vi command.
From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}
To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}
2. Install version.
3. Modify the global_attributes file back to its original value.
4. Switchboot to newly installed volume.
5. To change /var to 3 GB, run the following command from tmsh:
modify /sys disk directory /var new-size 3145728
6. Reboot.
Fix:
BIG-IP Virtual Edition now has 3GB of disk space for the /var software partition when deploying from OVA for the Better or Best license bundle
544913-6 : tmm core while logging from TMM during failover
Component: TMOS
Symptoms:
TMM crash and coredump while logging to remote logging server when an HA failover occurs.
Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over. The crash occurs on the HA member which was the Primary member prior to the failover.
Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.
Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.
Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.
544888-5 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
Component: TMOS
Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.
Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.
Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.
Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.
Fix:
Once the TCP connection reaches established state, the idle timeout is now set to the value found in the associated profile. By default the profile timeout value is 300 seconds.
544481-5 : IPSEC Tunnel fails for more than one minute randomly.
Component: TMOS
Symptoms:
IPsec IKEv1: a DPD ACK may be dropped during excessive DPD message exchange. This causes the IPsec tunnel to fail.
Conditions:
Excessive DPD message exchange.
Impact:
Connection resets.
Workaround:
None.
Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.
544375-1 : Unable to load certificate/key pair
Component: Local Traffic Manager
Symptoms:
After creating SSL profile, 'could not load key/certificate file' appears in /var/log/ltm with profile name. Unable to connect to virtual with SSL profile.
Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.
Impact:
Unable to load certificate.
Workaround:
None.
Fix:
Can now load certificates with sha1WithRSA or dsaWithSHA1_2 signature algorithm.
544325-3 : BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).
Component: Local Traffic Manager
Symptoms:
A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms:
-- Client applications may not respond or appear to hang.
-- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system.
Conditions:
This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable.
Impact:
In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered').
Workaround:
None.
Fix:
LTM now sends back an ICMP Destination Unreachable message Code 3 (port unreachable), which is expected behavior.
Behavior Change:
In version 11.2.1 and earlier, the system responded to a request with an ICMP packet containing the type code 'port unreach' when a UDP virtual server pool member was down due to no available pool members. For the same scenario in versions 11.3.0 through 11.4.1, the system sends no ICMP packet. In versions 11.5.0 through this hotfix/release, the system sends an ICMP packet containing the 'administratively filtered' type code for the same scenario.
In this hotfix/release, the 11.2.1 behavior is restored. In this case, the system responds with an ICMP packet containing the type code set to 'port unreach'.
544028-5 : Verified Accept counter 'verified_accept_connections' might underflow.
Component: Local Traffic Manager
Symptoms:
Verified Accept counter 'verified_accept_connections' might underflow.
Conditions:
When the verified accept setting on a TCP profile is changed for an active virtual server.
Impact:
When the counter underflows, new connections on any verified-accept enabled virtual server are dropped. The counter will never recover.
Workaround:
Avoid changing the verified accept setting on a TCP profile for an active virtual server.
Fix:
This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.
543993-3 : Serverside connections may fail to detach when using the HTTP and OneConnect profiles
Component: Local Traffic Manager
Symptoms:
Serverside connection does not detach when using OneConnect profile
Conditions:
An HTTP/1.1 response without Content-Length header is received in response to an HTTP/1.0 HEAD request
Impact:
HTTP requests on the same connection are not LB'ed across pool members.
Workaround:
Remove OneConnect profile
Fix:
Ensure serverside detachment when handling HTTP responses to HEAD requests.
543924 : Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6
Component: TMOS
Symptoms:
This is a major update from RHEL6.4 2.6.32-358.23.2 used in 11.6.0 releases (including all 11.6.0 hotfixes).
This includes many critical bugfixes and security fixes as of the last published kernel Redhat Security Advisory:
https://rhn.redhat.com/errata/RHSA-2015-1030.html
Note that there are some additional security fixes beyond RHSA-2015-1030.html which have been backported from upstream RHEL6 kernels: 6.5, 6.6 and 6.7.
This does not include later 6.4 kernel updates from Redhat which are only available for Redhat AUS customers:
https://rhn.redhat.com/errata/RHSA-2015-1211.html
https://rhn.redhat.com/errata/RHSA-2015-1643.html
https://rhn.redhat.com/errata/RHBA-2015-1843.html
https://rhn.redhat.com/errata/RHBA-2015-2005.html
https://rhn.redhat.com/errata/RHSA-2016-0004.html
Conditions:
This is a kernel-related update.
Impact:
Addresses many critical bugfixes and security fixes.
Workaround:
None needed.
Fix:
Updated kernel to 2.6.32-358.61.1.el6 [RHEL6.4].
543222-3 : apd may crash if an un-encoded session variable contains "0x"
Component: Access Policy Manager
Symptoms:
When a session variable value contains "0x" (for example 'value0x not encoded'), the apd process treats the value as hex-encoded and tries to decode it.
Decoding the non-encoded string causes apd to crash.
Conditions:
A session variable contains the substring "0x".
Impact:
apd crash
Workaround:
None
Fix:
With this release:
1. Only values starting with 0x are treated as hex-encoded.
2. If hex decoding fails, apd does not crash.
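The two rules in the fix are a general pattern for any daemon that decodes untrusted values: a magic substring must be a prefix before it changes how a value is parsed, and a decoder must fail closed by returning the raw input rather than aborting. The following added example (not F5's code, and not the apd implementation) applies both rules to a session-variable value, with the pre-fix "0x anywhere" heuristic kept only for contrast; the sample values are constructed.

```python
# Added example (not F5's code): a session-variable decoder that applies the two
# rules from the fix: only a leading "0x" marks a hex-encoded value, and a failed
# decode falls back to the raw value instead of aborting the process.
import binascii

HEX_PREFIX = "0x"


def naive_looks_hex_encoded(value: str) -> bool:
    """Pre-fix heuristic (for contrast): any '0x' anywhere marks the value as hex."""
    return HEX_PREFIX in value


def looks_hex_encoded(value: str) -> bool:
    """Rule 1: only a value that begins with the prefix is a decoding candidate."""
    return value.startswith(HEX_PREFIX)


def decode_session_value(value: str) -> str:
    """Return the decoded text for a hex-encoded value, else the value unchanged.

    Rule 2: odd-length payloads, non-hex digits and invalid UTF-8 all return the
    original string rather than raising, so a bad value cannot take the daemon down.
    """
    if not looks_hex_encoded(value):
        return value
    payload = value[len(HEX_PREFIX):]
    try:
        return binascii.unhexlify(payload).decode("utf-8")
    except ValueError:
        # binascii.Error (odd length, non-hex digit) and UnicodeDecodeError are
        # both ValueError subclasses: fall back to the raw value.
        return value


if __name__ == "__main__":
    # Constructed sample values: the first is the release note's own example.
    for sample in ["value0x not encoded", "0x68656c6c6f", "0xzz", "0x123"]:
        print(repr(sample), "->", repr(decode_session_value(sample)),
              "| naive flag:", naive_looks_hex_encoded(sample))
```

For 'value0x not encoded' the naive check returns True while the prefix check returns False, which is exactly the misclassification that led to the decode attempt; the last two samples show the odd-length and non-hex cases returning unchanged instead of raising.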
543220-1 : Global traffic statistics does not include PVA statistics
Component: Local Traffic Manager
Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.
Conditions:
Hardware acceleration enabled.
Impact:
Statistics discrepancy in global traffic statistics.
Workaround:
None.
Fix:
Global traffic statistics now includes the correct PVA statistics in the GUI and in TMSH.
543208 : Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.★
Component: TMOS
Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:
01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..
Conditions:
-- Some systems in the trust are running a pre-12.x version of TMOS.
-- Some systems in a device group have been upgraded to 12.x.
-- A failover event occurs on traffic-group-1.
-- This appears to be most evident in APM configurations.
Impact:
mcpd on the devices running pre-12.x version may become unresponsive. Upgrade fails.
Workaround:
None.
Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.
542860-4 : TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
Component: TMOS
Symptoms:
TMM can crash when IPsec SA's are deleted using TMSH or racoonctl utility during HA Active to Standby or vice versa.
Conditions:
During an HA Active to Standby (or vice versa) event, using TMSH or the racoonctl utility to delete IPsec SAs can cause a TMM crash. This is a race condition and occurs rarely.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Running a TMSH command or the racoonctl utility to delete IPsec SAs during an HA Active to Standby (or vice versa) event no longer results in a TMM crash, and the IPsec SAs are deleted as requested.
542742-2 : SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
Component: TMOS
Symptoms:
SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
Conditions:
Querying the OIDs.
Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.
Workaround:
There is no known workaround.
Fix:
SNMP now reports valid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
542724-1 : If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash
Component: Local Traffic Manager
Symptoms:
If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash.
Conditions:
This occurs when the following conditions are met:
- There is an OCSP request in progress.
- There is a configuration change.
- The handshake is aborted.
- The HTTP response for the OCSP request indicates a status code that is not 200.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes if there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions.
542640-2 : bigd intentionally cores when it should shutdown cleanly
Component: Local Traffic Manager
Symptoms:
Bigd can core instead of graceful shutdown under certain error conditions where a core is not needed.
Conditions:
Anything that caused bigd to shutdown under abnormal conditions.
Impact:
Bigd crash, core file created. Note that the shutdown scenario was already under error conditions, so this is not a sign that something has broken or failed outside that condition that caused the shutdown.
Fix:
Made bigd more selective about the situations where it self-cores on abnormal shutdown.
542586-3 : Fallback alert mechanism can result in page refresh in Internet Explorer 8
Component: Fraud Protection Services
Symptoms:
If browser sent alerts fail to be received, secondary sending mechanisms may cause page to refresh in browser.
Conditions:
Internet explorer 8 or older.
HTML page with websafe enabled.
HTML page contains a form.
Alert sent.
Alert receives failed response.
Impact:
HTML page refreshes in browser
Workaround:
None.
Fix:
Fallback alert mechanism no longer results in page refresh in older browsers.
542581-3 : Websafe alerts with HTML attached cause the page to run slowly
Component: Fraud Protection Services
Symptoms:
When "attach HTML to alerts" is enabled, large webpages can be caused to run slowly.
Conditions:
"Attach HTML to alerts" is enabled.
Page source is large.
Websafe alert is sent.
Impact:
Page may experience a noticeable delay in reacting to user actions.
Workaround:
Disable "Attach HTML to alerts".
Fix:
HTML encoding for Websafe alerts is now faster and can be configured to send only a section of the page source.
542564-3 : bigd detection and logging of load and overload
Component: Local Traffic Manager
Symptoms:
The bigd process cannot detect overload, and does not log its load status. This makes it difficult to determine whether bigd is close to its limits.
Conditions:
The bigd process might reach limits when there is very high load with high probe rate (monitor instances per second).
Impact:
bigd might fail to service monitors in a timely fashion, when under extreme load, which might result in 'flapping' nodes/pool members (where the node/pool member goes down and back up even though the server itself has not gone down).
Workaround:
-- Increase the probe interval for monitors so they probe less often.
-- Switch from more 'expensive' monitors (e.g., https) to simpler monitors (e.g., http, tcp, tcp half-open, icmp).
Fix:
This release provides modifications to peak performance to significantly reduce the chance of node flapping. In addition, the ability to monitor bigd load has been added.
Because bigd is not integrated with tmstats, the system logs load stats to the debug log file, /var/log/bigdlog. When debug logging is turned on, stats are mixed with the debug output. Load stats can be emitted independently with the following sys db var: modify sys db bigd.debug.timingstats value enable.
With this db variable enabled, the system emits bigd load data to the debug log periodically (every 15 seconds per bigd process). The columns correspond to these stats:
- load (0-100%) 1-minute mean.
- load (0-100%) 5-minute mean.
- number of monitor instances active for this bigd process.
- number of active file descriptors, 30-second average, this process.
- peak number of active file descriptors past 30 seconds, this process.
In addition, the system logs warning messages to /var/log/ltm when bigd reaches 80%, 90%, and 95% load levels. The system logs an overload error to /var/log/ltm when bigd detects it is overloaded. The load level indicating overload is in the bigd.overload.latency sys db variable, which is set to 98% load, by default.
542511-2 : 'Unhandled keyword ()' error message in GUI and/or various ASM logs
Component: Application Security Manager
Symptoms:
'Unhandled keyword ()' error message may appear in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log.
In the case of learning manager, it causes a crash of the latter. Learning manager process is then restarted ~15 seconds later.
Conditions:
ASM provisioned.
Session Awareness Tracking is enabled.
Impact:
Uninformative errors in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log.
Learning manager process restart.
Workaround:
None.
Fix:
Learning manager now handles the 'Unhandled keyword ()' exception in a graceful manner and does not crash.
542472 : SSL::disable for alerts does not take effect and first alert fails
Component: Fraud Protection Services
Symptoms:
Command 'SSL::disable serverside' fails when sending alerts.
Conditions:
The alert is received on an already established clientside TCP connection that has a current connection through to the regular virtual server pool member.
Impact:
Alert may take a very long time (more than 30 seconds) to receive a response from the alert server.
Workaround:
To resolve the issue, add a OneConnect profile to the virtual server, or use an iRule that performs an 'LB::detach' when a request is received for /rstats/.
Fix:
Command 'SSL::disable serverside' now completes successfully when sending alerts.
542347-1 : Denied message in audit log on first time boot
Component: TMOS
Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:
type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.
Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.
Impact:
This error message is benign and can be ignored.
Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.
Fix:
Fixed an erroneous error message in the audit log related to lastlog during manufacturing install.
542320-1 : no login name may appear when running ssh commands through management port
Component: TMOS
Symptoms:
ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'" displays "logname: no login name"
Conditions:
ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'" displays "logname: no login name"
Impact:
Display issue
Fix:
Properly display login name
542314-5 : TCP vulnerability - CVE-2015-8099
Vulnerability Solution Article: K35358312
542097-2 : Update to RHEL6 kernel
Component: TMOS
Symptoms:
Rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic
Conditions:
Running RHEL6 kernel under heavy disk load, more likely on a vCMP host
Impact:
Unexpected machine reboot causing loss of service
Workaround:
None.
Fix:
Redhat provided an update to RHEL6.7
F5 backported to RHEL6.4, 6.5:
jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()
541852-1 : ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails
Component: Application Security Manager
Symptoms:
The "validationFiles" is not allowed to be modified via a PATCH call and will fail validation.
Even if validationFiles is passed back in unmodified, the call still fails.
Conditions:
An ASM REST client attempts to PATCH the mgmt/tm/asm/policies/<ID>/xml-profiles/<ID> endpoint using "validationFiles"
Impact:
The XML Profile cannot be modified
Workaround:
The user can PATCH the object without supplying this field.
However if there were Validation Files before, then Bug 541406 will affect them, removing the existing Validation Files. The XML validation file association task would then need to be run again.
Fix:
ASM REST: The system correctly recognizes that the validationFiles field has not changed in value and does not fail the call.
541670-1 : Memory leak and potential crash bug in secure channel cookie handling
Component: Fraud Protection Services
Symptoms:
Under certain rare circumstances, the process handling secure channel cookies may leak memory. It may also result in underflow crashes in Tcl and other processes.
Conditions:
This occurs under rare conditions.
Impact:
Eventual out of memory condition or crash.
Workaround:
None.
Fix:
This release fixes a memory leak and potential crash bug in secure channel cookie handling.
541622-6 : APD/APMD Crashes While Verifying CAPTCHA
Component: Access Policy Manager
Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in libcurl function when verifying CAPTCHA
Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.
Impact:
Authentication service will be disrupted until APD/APMD is up again.
Fix:
Create one cURL session for each user session that requires CAPTCHA verification
541592-1 : PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions
Component: Policy Enforcement Manager
Symptoms:
Radius Start, Stop does not trigger any diameter traffic except DWR/DWA.
Conditions:
Diameter virtual reconfiguration and possibly any virtual configuration change might trigger this behavior.
Impact:
Subscriber sessions created by RADIUS are not provisioned by the PCRF. Deleted sessions are not reported to the PCRF, and usage reports are not sent either.
Workaround:
Restarting TMM is the only work around for now.
Fix:
The issue has been fixed. Changing the Diameter configuration no longer stops CCR-I/U/T messages from going out.
541571-3 : FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, ephemeral nodes that are force-deleted may not repopulate as expected.
Conditions:
Sync group, multiple FQDNs resolving to different IP addresses.
FQDNs deleted and re-created, with IP addresses swapped from deleted nodes to re-created ones.
Impact:
Ephemeral nodes may not repopulate as expected.
Workaround:
None.
Fix:
FQDN ephemeral nodes are now repopulated after being force-deleted and re-created with different IP addresses.
541569-3 : IPsec NAT-T (IKEv1) not working properly
Component: TMOS
Symptoms:
The incorrect source port is chosen for the IPsec/IKE NAT-T UDP-encapsulated traffic. When IKE floats the port after a NAT device is detected, it should use port 4500 for both its source port and destination port.
Conditions:
NAT traversal is enabled on the IKE Peer configuration object and a NAT device is detected during IKE negotiation.
Impact:
When NAT-T is enabled, the IPsec tunnel cannot be established.
Workaround:
None.
Fix:
Now, when NAT-T is enabled, the IPsec tunnel can be established as expected.
541549-4 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
Component: TMOS
Symptoms:
The default setting of an AMI is not to delete a volume attached to an instance when the instance is terminated. The volume must then be deleted manually after terminating the instance; if this step is missed, the orphaned volume incurs extra charges.
Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.
Impact:
Volumes attached to BIG-IP VE instances are now deleted automatically when the instance is terminated; this is the default. If you want to keep a volume after terminating a BIG-IP VE instance, you must set it to not be deleted upon termination during instance launch in the AWS console.
Workaround:
None.
Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched from it, the volumes of that BIG-IP VE instance are set to be deleted upon termination by default.
Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched from it, the volumes of that BIG-IP VE instance are set to be deleted upon termination by default.
541406-1 : ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request
Component: Application Security Manager
Symptoms:
Updating an XML Profile via ASM REST with a partial body (for example, only an updated description) removes all attached WSDL validation files, as if the request had also contained:
"validationFiles": []
Conditions:
XML Profiles that use validation files are updated via REST.
Impact:
If the full validation files structure is not repeated in the request body, the entire list of WSDL validation files is emptied. As a result, the XML schema is not validated properly during enforcement.
Workaround:
Run the validation file association task again after updating the XML Profile.
Fix:
ASM REST now correctly updates only specified fields on a PATCH request.
541320-6 : Sync of tunnels might cause restore of deleted tunnels.
Component: TMOS
Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.
Conditions:
Viewing tunnels after a full load sync.
Impact:
This might result in a deleted tunnel being restored to the configuration.
Workaround:
None.
Fix:
Sync of tunnels no longer causes restore of deleted tunnels.
541316-3 : Unexpected transition from Forced Offline to Standby to Active
Component: TMOS
Symptoms:
If a BIG-IP configuration is reset to default, and then restored from a saved UCS that was taken while the system was Forced Offline, the system will be restored to the Forced Offline state, but the state may not persist across reboots.
Conditions:
Restore a saved UCS that was created while the BIG-IP system was Forced Offline.
Impact:
System may unexpectedly go Active after a reboot.
Workaround:
None.
Fix:
Device forced offline remains forced offline after restoring a UCS and rebooting.
541231-2 : Resolution of multiple curl vulnerabilities
Vulnerability Solution Article: K16704, K16707
541156-2 : Network Access clients experience delays when resolving a host
Component: Access Policy Manager
Symptoms:
The DNS Relay proxy for Network Access clients operating in split-tunnel mode intercepts a client's DNS request for a non-matching host and forwards it to the client's local DNS server. If the client has multiple NICs, one of which is configured with a down or invalid DNS server, this can delay resolving the host.
Conditions:
Network Access with the DNS Relay Proxy configured.
A client machine has multiple NICs.
One of the NICs has an invalid or down DNS server configured.
The client attempts to resolve a host not matching the Network Access policy.
Impact:
Clients will experience unusual delays (10+ seconds) when resolving hosts.
Workaround:
Clients can check their system setup and remove the affected interfaces that are configured with an invalid DNS server (virtual machine network adapters are increasingly common and can exhibit this), or ensure that those interfaces are mapped only to valid DNS servers that can resolve the host.
Fix:
While Network Access is connected, the DNS Relay proxy now avoids forwarding DNS requests that do not match the Network Access policy to DNS servers that are down.
541134-2 : HTTP/HTTPS monitors transmit unexpected data to monitored node.
Component: Local Traffic Manager
Symptoms:
HTTP/HTTPS monitors send unexpected data (CRLFCRLF) after completing the TCP and/or SSL handshake.
Conditions:
HTTP/HTTPS monitor with its send attribute set to 'none'. HTTP/HTTPS monitors with a 'none' send string should complete the TCP handshake (plus the SSL handshake, if applicable) and then close the connection without sending any data.
Impact:
A monitor configured with a 'none' send string sends a 4-byte string, \r\n\r\n (CRLFCRLF), after completing the handshake. This is ignored by the monitored node, which might cause it to be marked down.
Workaround:
None.
Fix:
HTTP/HTTPS monitors no longer transmit any L7 data when the send attribute is set to 'none'.
541126-4 : SafeNet connection may fail on restarting pkcs11d, on HSM reboot, or if the connection to the HSM is lost and then resumed
Component: Local Traffic Manager
Symptoms:
netHSM usage may fail for SafeNet users, with error messages in the ltm log similar to the following:
warning tmm1[11930]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:9678: sign_srvkeyxchg (80).
info tmm1[11930]: 01260013:6: SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.
warning pkcs11d[12005]: 01680022:4: Crypto operation [2] failed.
crit tmm1[11930]: 01260010:2: FIPS acceler