Supplemental Document : BIG-IP 12.0.0 Hotfixes :: Fixes and Known Issues

Applies To:


BIG-IP AAM

  • 12.0.0

BIG-IP APM

  • 12.0.0

BIG-IP Link Controller

  • 12.0.0

BIG-IP Analytics

  • 12.0.0

BIG-IP LTM

  • 12.0.0

BIG-IP PEM

  • 12.0.0

BIG-IP AFM

  • 12.0.0

BIG-IP DNS

  • 12.0.0

BIG-IP ASM

  • 12.0.0
Original Publication Date: 03/18/2018 Updated Date: 04/18/2019

BIG-IP Hotfix Release Information

Version: BIGIP-12.0.0
Build: 674.0
Hotfix Rollup: 4

Cumulative fixes from BIG-IP v12.0.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v12.0.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.0.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.0.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-2 CVE-2016-5745 SOL64743453 CGNAT: NAT64 vulnerability CVE-2016-5745
599168-2 CVE-2016-5700 SOL35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-2 CVE-2016-5700 SOL35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
569467-12 CVE-2016-2084 SOL11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
580596-3 CVE-2013-0169 CVE-2016-6907 SOL14190 SOL39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
596603-13 2-Critical AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
587791 2-Critical Set execute permission on /var/lib/waagent
606110-1 3-Major BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-7 3-Major HA Failover fails in certain valid AWS configurations
592354-1 3-Major Raw sockets are not enabled on Cloud platforms



Cumulative fixes from BIG-IP v12.0.0 Hotfix 3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
591806-2 CVE-2016-3714 SOL03151140 ImageMagick vulnerability CVE-2016-3714
573124-1 CVE-2016-5022 SOL06045217 TMM vulnerability CVE-2016-5022
572495-1 CVE-2016-5023 SOL19784568 TMM may crash if it receives a malformed packet CVE-2016-5023
570667-7 CVE-2016-0701 CVE-2015-3197 SOL64009378 OpenSSL vulnerabilities
567475-6 CVE-2015-8704 SOL53445000 BIND vulnerability CVE-2015-8704
563670-3 CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 SOL86772626 OpenSSL vulnerabilities
563154-1 CVE-2015-2925 CVE-2015-5307 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 SOL31026324 SOL94105604 SOL90230486 Multiple Linux Kernel vulnerabilities
560925-1 CVE-2015-3194 SOL86772626 OpenSSL Vulnerability fix
560910-1 CVE-2015-3194 SOL86772626 OpenSSL Vulnerability fix
560180-1 CVE-2015-8000 SOL34250741 BIND Vulnerability CVE-2015-8000
554624-3 CVE-2015-5300 CVE-2015-7704 SOL10600056 SOL17566 NTP CVE-2015-5300 CVE-2015-7704
553902-1 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 SOL17516 Multiple NTP Vulnerabilities
534358 CVE-2015-5380 SOL17238 Node.js vulnerability CVE-2015-5380
591918-3 CVE-2016-3718 SOL61974123 ImageMagick vulnerability CVE-2016-3718
591908-3 CVE-2016-3717 SOL29154575 ImageMagick vulnerability CVE-2016-3717
591894-3 CVE-2016-3715 SOL10550253 ImageMagick vulnerability CVE-2016-3715
591881-3 CVE-2016-3716 SOL25102203 ImageMagick vulnerability CVE-2016-3716
550596-4 CVE-2016-6876 SOL52638558 RESOLV::lookup iRule command vulnerability CVE-2016-6876
546080-6 CVE-2016-5021 SOL99998454 Path sanitization for iControl REST worker
540018-1 CVE-2014-3940 CVE-2014-3184 CVE-2015-0239 SOL16429 SOL15685 SOL15912 Multiple Linux Kernel Vulnerabilities
534633-4 CVE-2015-5600 SOL17113 OpenSSH vulnerability CVE-2015-5600
520924-1 CVE-2016-5020 SOL00265182 Restricted roles for custom monitor creation
560969-1 CVE-2015-3196 SOL55540723 OpenSSL vulnerability fix
560962-1 CVE-2015-3196 SOL55540723 OpenSSL Vulnerability CVE-2015-3196
560948-1 CVE-2015-3195 SOL12824341 OpenSSL vulnerability CVE-2015-3195
523874-5 CVE-2013-1961 SOL16715 CVE-2013-1961
523873-5 CVE-2013-1960 SOL16715 CVE-2013-1960
567484-6 CVE-2015-8705 SOL86533083 BIND Vulnerability CVE-2015-8705


Functional Change Fixes

ID Number Severity Description
581438 3-Major Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
565554-2 3-Major The [HTTP::hsts] iRule API now also supports the retrieval of the full HTTP-Strict-Transport-Security (HSTS) header
560405-7 3-Major Optional target IP address and port in the 'virtual' iRule API is not supported.
453649-1 3-Major Added Enforce Autoconnection Mode to Edge Client


TMOS Fixes

ID Number Severity Description
538761-2 1-Blocking scriptd may core when MCP connection is lost
492460-4 1-Blocking Virtual deletion failure possible when using sFlow
570973-1 2-Critical L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2
567293-1 2-Critical find-activate.pl stuck in infinite loop unable to resolve root nameserver.
564427-4 2-Critical Use of iControl call get_certificate_list_v2() causes a memory leak.
562122-2 2-Critical Adding a trunk might disable vCMP guest
555686-4 2-Critical Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
554609-1 2-Critical Kernel panics during boot when RAM spans multiple NUMA nodes.
552481-1 2-Critical Disk provisioning error after restarting ASM service.
544481-2 2-Critical IPSEC Tunnel fails for more than one minute randomly.
540456-1 2-Critical Policy deployment fails when deploying to a non-source device
571030-1 3-Major The iControlPortal.cgi process may leave files open eventually causing the SSL Certificate List screen to fail.
567774-2 3-Major ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root
565534-1 3-Major Some failover configuration items may fail to take effect
563475-4 3-Major ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
562044-3 3-Major Statistics slow_merge option does not work
560510-7 3-Major Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down.
560423-3 3-Major VxLAN tunnel IP address modification is not supported
559939-1 3-Major Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
558573-1 3-Major MCPD restart on secondary blade after updating Pool via GUI
557648-2 3-Major AWS pool autoscale functionality does not work
557281-1 3-Major The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
557059-1 3-Major When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang
554563-4 3-Major Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
553686-1 3-Major iControl method Management::LicenseAdministration::get_system_dossier() throws an error when passing multiple registration keys
553649-1 3-Major The SNMP daemon might lock up and fail to respond to SNMP requests.
553576-4 3-Major Intermittent 'zero millivolt' reading from FND-850 PSU
552585-4 3-Major AAA pool member creation sets the port to 0.
552153-1 3-Major Certain profiles may contain profile-fk-class-id attribute in them
551927-1 3-Major ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
551661-1 3-Major Monitor with send/receive string containing double-quote may fail to load.
551555-1 3-Major Poor performance for configurations containing a large number of pool member objects
550618 3-Major The BIG-IP Virtual Edition may fail to load the default configuration on the Microsoft Azure cloud service
549971-6 3-Major Some changes to virtual servers' profile lists may cause secondary blades to restart
548239-2 3-Major BGP routing using route-maps cannot match route tags
547532-1 3-Major Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
545214-3 3-Major OSPF distance command does not persist across restarts.
544989-1 3-Major distance cli command without access name in OSPF posts a memory allocation error.
544531-3 3-Major ConfigSync does not work in Virtual Edition configurations provisioned with a single NIC and single IP.
541569-2 3-Major IPsec NAT-T (IKEv1) not working properly
540923-2 3-Major TMSH list node filtering no longer filters correctly.
540871-2 3-Major Update/deletion of SNMPv3 user does not work correctly
539822 3-Major tmm may leak connflow and memory on vCMP guest.
539784-3 3-Major HA daemon_heartbeat mcpd fails on load sys config
539125-3 3-Major SNMP: ifXTable walk should produce the available counter values instead of zero
538024-2 3-Major Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load
530242-2 3-Major SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs
522871-5 3-Major [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
517020-6 3-Major SNMP requests fail and subsnmpd reports that it has been terminated.
512130-3 3-Major Remote role group authentication fails with a space in LDAP attribute group name
496679-1 3-Major Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.
488417-1 3-Major Config load failure with 'Input error: can't create user' after upgrade
405635-1 3-Major Using the restart cm trust-domain command to recreate certificates required by device trust.
373949-5 3-Major Network failover without a management address causes active-active after unit1 reboot
553174-3 4-Minor Unable to query admin IP via SNMP on VCMP guest
545745-4 4-Minor Enabling tmm.verbose mode produces messages that can be mistaken for errors.
533790-3 4-Minor Creating multiple address entries in data-group might result in records being incorrectly deleted
401893-4 4-Minor Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
413708-8 5-Cosmetic BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.
388274-4 5-Cosmetic LTM pool member link in a route domain is wrong in Network Map.


Local Traffic Manager Fixes

ID Number Severity Description
592699-1 2-Critical IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
565810-3 2-Critical OneConnect profile with an idle or strict limit-type might lead to tmm core.
562566-1 2-Critical High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems
558612-1 2-Critical System may fail when syncookie mode is activated
554967-1 2-Critical Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
540568-1 2-Critical TMM core due to SIGSEGV
540473-3 2-Critical peer/clientside/serverside script with parking command may cause tmm to core.
521336-3 2-Critical pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
511782-7 2-Critical The HTTP_DISABLED event does not trigger in some cases
567369-1 3-Major HTTP profile stats are updated incorrectly
567100-1 3-Major A HTTP CONNECT request should not be closed
566361-1 3-Major RAM Cache Key Collision
563591-1 3-Major reference to freed loop_nexthop may cause tmm crash.
563419-6 3-Major IPv6 packets containing extended trailer are dropped
563112-1 3-Major Adding/removing a SPDY profile can affect virtual reachability
561859-1 3-Major Occasional Rapid Response Crash
560231-1 3-Major Pipelined requests may result in a RST if the server disconnects
559554-1 3-Major CHD congestion control can have erroneous very large cwnd.
559377 3-Major Empty cookie values in the Set-Cookie/Set-Cookie2 header yield iRule cookie parsing errors
558517-1 3-Major Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.
557645-4 3-Major Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
557484 3-Major Setting the cookie expiration to 0 seconds with the 'HTTP::cookie expires' server-side iRule API fails
556560-3 3-Major DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
555020-1 3-Major TCP handshake may fail on layer 7 VIPs in Software syncookiemode
554769-2 3-Major CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.
554761-6 3-Major Unexpected handling of TCP timestamps under syncookie protection.
554593-1 3-Major SSL might report a memory leak in a specific configuration.
554295-2 3-Major CMP disabled flows are not properly mirrored
553688-2 3-Major TMM can core due to memory corruption when using SPDY profile.
553613-1 3-Major FQDN nodes do not support session user-disable
552931-3 3-Major Configuration fails to load if DNS Express Zone name contains an underscore
552865-3 3-Major SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
551451-1 3-Major SSL cipher selection and HTTP/2 may not be in sync leading to connection errors
550782-3 3-Major Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
550689-1 3-Major Resolver H.ROOT-SERVERS.NET Address Change
549800-1 3-Major Renaming a virtual server with an attached plugin can cause buffer overflow
549406-1 3-Major Destination route-domain specified in the SOCKS profile
548680-1 3-Major TMM may core when reconfiguring iApps that make use of iRules with procedures.
548583-1 3-Major TMM crashes on standby device with re-mirrored SIP monitor flows.
548563-1 3-Major Transparent Cache Messages Only Updated with DO-bit True
545704-1 3-Major TMM might core when using HTTP::header in a serverside event
544028-1 3-Major Verified Accept counter 'verified_accept_connections' might underflow.
543993-2 3-Major Serverside connections may fail to detach when using the HTTP and OneConnect profiles
542853-1 3-Major tmm crash
542564-1 3-Major bigd detection and logging of load and overload
542009-1 3-Major tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.
541571-2 3-Major FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses
540893-4 3-Major Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.
538639-2 3-Major P-256 ECDH performance improvements
537326-3 3-Major NAT available in DNS section but config load fails with standalone license
536191-1 3-Major Transparent inherited TCP monitors may fail on loading configuration
535759-2 3-Major SMTP monitor might mark the server down even if the server answers the HELO message.
533820-6 3-Major DNS Cache response missing additional section
530812-6 3-Major Legacy DAG algorithm reuses high source port numbers frequently
530795-4 3-Major In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
529627-2 3-Major LDAP StartTLS may fail on serverside when persistence is configured
528407-7 3-Major TMM may core with invalid lasthop pool configuration
527149-1 3-Major FQDN template node transitions to 'unknown' after configuration reload
525557-2 3-Major FQDN ephemeral nodes not re-populated after deleted and re-created
503257-11 3-Major Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
500786-3 3-Major Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
499615-2 3-Major RAM cache serves zero length documents.
442139-4 3-Major Some iRules can result in stuck UDP connections
433897-2 3-Major Data group elements must contain fewer than 65535 bytes each
429075-1 3-Major GetCPUInfo for F5.IsHandler.dll throws an exception when IIS is running on a virtual machine
372473-1 3-Major mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
551614-3 4-Minor MTU Updates should erase all congestion metrics entries


Performance Fixes

ID Number Severity Description
548796-1 2-Critical avrd CPU usage is at 100%


Global Traffic Manager Fixes

ID Number Severity Description
469033-16 2-Critical Large big3d memory footprint.
576539-1 3-Major installation of 'linkcost.im' fails due to architecture mismatch
559975-6 3-Major Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
551767-1 3-Major GTM server 'Virtual Server Score' not showing correctly in TMSH stats
552352-1 4-Minor tmsh list display incorrectly for default values of gtm listener translate-address/translate-port


Application Security Manager Fixes

ID Number Severity Description
565463-1 1-Blocking ASM-config consumes 1.3GB RAM after repeated Policy Import via REST
569583-2 2-Critical Secondary Blade Rejects All Traffic after being added to the chassis
555057-2 2-Critical ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
555006-4 2-Critical ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
553131-1 2-Critical ASM CMI: HA Pair returns to PENDING State after receiving a push with a new active policy
515690 2-Critical BD crash on startup due to memory corruption
568610-1 3-Major Policy Diff/Merge Does Not Work Correctly For Brute Force Protection
567400-1 3-Major Policy Diff/Merge Does Not Work Correctly For Session Awareness Login Pages
563621-1 3-Major ASM REST: URL link reference in URL level parameter is malformed
562775-1 3-Major Memory leak in iprepd
562189-1 3-Major The "installation complete" progress will proceed to about 96% and then appear to hang for 10+ minutes
560765-1 3-Major ASM REST: "kind" for collections is incorrect
558642-2 3-Major Cannot create the same navigation parameter in two different policies
557556-1 3-Major First log message is not sent to remote logger
550625-1 3-Major Policy Diff Does Not Display All Differences
547000-5 3-Major Enforcer application might crash on XML traffic when out of memory
540390-3 3-Major ASM REST: Attack Signature Update cannot roll back to older attack signatures
531809-3 3-Major FTP/SMTP traffic related bd crash
529610-7 3-Major On HA setups the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db


Application Visibility and Reporting Fixes

ID Number Severity Description
580898-1 2-Critical AVRD goes into an infinite loop and won't collect statistics


Access Policy Manager Fixes

ID Number Severity Description
581299 2-Critical DNSRelay Proxy re-transmits DNS requests indefinitely every second if NA DNS servers do not respond
580817-2 2-Critical Edge Client may crash after upgrade
580059 2-Critical DNS Relay proxy component of edge client on Windows consumes a lot of CPU cycles
579559-6 2-Critical DTLS Network Access may not work with some hardware platforms with Nitrox hardware acceleration
572563-1 2-Critical PWS session does not launch on Internet Explorer
569306-2 2-Critical Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
565648-1 2-Critical APM process (apmd) file descriptor leak
565056-2 2-Critical Fails to update VPN correctly for non-admin user.
559138-1 2-Critical Linux CLI VPN client fails to establish VPN connection on Ubuntu
556774-3 2-Critical EdgeClient cannot connect through captive portal
552342-1 2-Critical APMD logging at debug level may log passwords in clear text
534555-1 2-Critical BIG-IP APM SAML and RSA v1.5 encryption key transport algorithm
580421-2 3-Major Edge Client may not register DLLs correctly
574860 3-Major HTTP request dropped when using ACCESS::disable from iRule and a Per-Request Policy
570563-3 3-Major CRL is not being imported/exported properly
570064-2 3-Major IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
569255-2 3-Major Network Access incorrectly manipulates routing table when second adapter is being connected if "Allow Local subnet access" is set to ON
568576-1 3-Major Version Check fails when upgrading across a major version boundary
567660-1 3-Major Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature
567199-2 3-Major NLA-awareness works incorrectly in "Always Connected Mode"
566646-3 3-Major Portal Access could respond very slowly for large text files when using IE < 11
565527-1 3-Major Static proxy settings are not applied if NA configuration
565231-3 3-Major Importing a previously exported policy which had two object names may fail
564521-4 3-Major JavaScript passed to ExternalInterface.call() may be erroneously unescaped
564496-1 3-Major Applying APM Add-on License Does Not Change Effective License Limit
564482-1 3-Major Kerberos SSO does not support AES256 encryption
564262-1 3-Major Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
564253-1 3-Major Firefox signed plugin for VPN, Endpoint Check, etc
563474-1 3-Major SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile
563443-1 3-Major WebSSO plugin core dumps under very rare conditions.
561798-2 3-Major Windows edge client may show scripting error on certain 3rd party authentication sites
559334 3-Major Network Access fails on Windows platform
558870-1 3-Major Protected workspace does not work correctly with third party products
558631-1 3-Major APM Network Access VPN feature may leak memory
557399-1 3-Major Browser could become unresponsive when page with specific script constructions is accessed through Portal Access
556597-1 3-Major CertHelper may crash when performing Machine Cert Inspection
555457-1 3-Major Reboot is required, but not prompted after F5 Networks components have been uninstalled
554899-1 3-Major MCPD core with access policy macro during config sync in HA configuration
554074-2 3-Major If the user cancels a connection attempt, there may be a delay in establishing the next connection.
554041-1 3-Major No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
553925-1 3-Major Manual upgrade of Edge Client fails in some cases on Windows
553734-2 3-Major Issue with assignment of non-string value to Form.action in JavaScript.
553268-1 3-Major Edge client shows "Invalid Cookies" message on third party IdP sites
551999-1 3-Major Edge client needs to re-authenticate after lost network connectivity is restored
551260-1 3-Major When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
550536-1 3-Major Incorrect information/text (in French) is displayed when the Edge Client is launched
547546-1 3-Major Add support for auto-update of MachineCertService
534901-2 3-Major VMware View HTML5 client may load/initialize with delays
533114-1 3-Major All DNS requests are sent to NA DNS server if local clients manually change their dns setting
531983-3 3-Major [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
528139-2 3-Major Windows 8 client may not be able to renew DHCP lease
519059-4 3-Major [PA] - Failing to properly patch webapp link, link not working
516219-1 3-Major User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled
472446-1 3-Major Customization group template file might cause mcpd to restart
461084-1 3-Major Kerberos Auth might fail if client request contains Authorization header
431467-2 3-Major Mac OS X support for nslookup and dig utilities to use VPN DNS
381238-2 3-Major APM fails to verify Java applets signed with Mozilla NSS Signtool
580429-2 4-Minor CTU does not show second Class ID for InstallerControll.dll
572543-8 4-Minor User is prompted to install components repeatedly after client components are updated.
555272-1 4-Minor Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade
554690-2 4-Minor VPN Server Module generates repeated Error Log "iface eth0 "... every 2 secs
552346-1 4-Minor Some log messages run together without a new line separator.
541156-1 4-Minor Network Access clients experience delays when resolving a host
488866-1 4-Minor Added support of NLA to Always connect mode of EdgeClient


WebAccelerator Fixes

ID Number Severity Description
551010-1 3-Major Crash on unexpected WAM storage queue state
401324-1 3-Major qpdf cores when processing a document with no pages


Wan Optimization Manager Fixes

ID Number Severity Description
568795-3 1-Blocking Dedup Cache Refresh may fail to re-initialize WOM endpoint
552198-1 3-Major APM App Tunnel/AM iSession Connection Memory Leak


Service Provider Fixes

ID Number Severity Description
536932-1 2-Critical Under heavy load, BIGIP may crash due to some operations not exiting properly
538784-2 3-Major ICAP implementation incorrect when HTTP request or response is missing a payload
545985-2 4-Minor ICAP 2xx response (except 200, 204) is treated as error


Advanced Firewall Manager Fixes

ID Number Severity Description
550926-1 2-Critical AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule
550144-1 2-Critical A partial UDP SIP message with AFM SIP DoS configured can cause a crash
564956-3 3-Major PCCD core and slow running SQL
557273 3-Major Idle Timeout configuration through timer policy does not apply for Performance L4 Virtual Server with Fast L4 profile
556417 3-Major GUI and tmsh interfaces may be unresponsive while loading a huge firewall rule configuration
552566-1 3-Major AFM DoS Profile Sweep vector configured thresholds are per blade instead of being per device
551849-4 3-Major If 1 tmm gets more than 1 Mpps then the 1m stats in dos_stats can be wrong
538566-1 3-Major Timer policy rule with "unspecified" idle-timeout
510728-2 3-Major Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.


Policy Enforcement Manager Fixes

ID Number Severity Description
553735-2 2-Critical TMM core on HTTP response with steering action.
564263-1 3-Major PEM: TMM asserts when Using Debug Image when Gy is being used
560607-2 3-Major Resource Limitation error when removing predefined policy which has multiple rules
557675-2 3-Major Failover from PEM to PCRF can cause session lookup inconsistency
556357-1 3-Major iRule URLCAT query for URL longer than 256 characters causes crash


Carrier-Grade NAT Fixes

ID Number Severity Description
555369-2 2-Critical CGNAT memory leak when non-TCP/UDP traffic directed at public addresses
545783-2 2-Critical TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool
535101-2 2-Critical Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.
544979 3-Major Changing the LSN pool to an unsupported mode may result in a TMM crash
532365-2 3-Major lsndb cores with "Assertion `size < bin_key_size' failed"


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
547367-2 3-Major When adding a Virtual Server and selecting again Virtual Server menu bar, this can lead to an error message in the UI
554936-1 4-Minor Unable to remove peer address of BIG-IP DNS redundant server object


Device Management Fixes

ID Number Severity Description
555184 2-Critical BIG-IQ Reporting for Network and Application Firewall does not work with BIG-IP 12.0 and 12.0 HF1/HF2.



Cumulative fixes from BIG-IP v12.0.0 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
574060-1 CVE-2015-7547 SOL47098834 glibc: getaddrinfo stack-based buffer overflow
570716-2 CVE-2016-5736 SOL10133477 BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
527364-1 CVE-2015-1781 CVE-2013-7423 SOL16865 GNU C Library (glibc) vulnerability CVE-2015-1781 & CVE-2013-7423


Functional Change Fixes

None



Cumulative fixes from BIG-IP v12.0.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
563089 CVE-2015-8611 SOL05272632 CVE-2015-8611
546140-1 CVE-2015-7759 SOL22843911 CVE-2015-7759
542314-6 CVE-2015-8099 SOL35358312 TCP vulnerability - CVE-2015-8099
545786 CVE-2015-7393 SOL75136237 Privilege escalation vulnerability CVE-2015-7393
540849-6 CVE-2015-5986 SOL17227 BIND vulnerability CVE-2015-5986
540846-6 CVE-2015-5722 SOL17181 BIND vulnerability CVE-2015-5722
540767-3 CVE-2015-5621 SOL17378 SNMP vulnerability CVE-2015-5621
540174-1 CVE-2015-5364 CVE-2015-5366 SOL17307 SOL17309 CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1623.html
539923 CVE-2016-1497 SOL31925518 BIG-IP APM access logs vulnerability CVE-2016-1497
532522-2 CVE-2015-1793 SOL16937 CVE-2015-1793
533413-2 CVE-2011-5321 CVE-2015-3636 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922 SOL51518670 CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1221.html


Functional Change Fixes

ID Number Severity Description
539130-1 3-Major bigd may crash due to a heartbeat timeout
532685-3 3-Major PAC file download errors disconnect the tunnel


TMOS Fixes

ID Number Severity Description
549943 1-Blocking Remote LDAP Auth with SSL is not working
548909 2-Critical New EPVA bitstream
547047-5 2-Critical Older cli-tools unsupported by AWS
544913-5 2-Critical tmm core while logging from TMM during failover
542898-2 2-Critical Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
520380-7 2-Critical save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
502928-1 2-Critical TMM core in AWS and Azure environments
493053-3 2-Critical Route domains' firewall policies may be removed after sync
490801-1 2-Critical mod_ssl: missing support for TLSv1.1 and TLSv1.2
485293-2 2-Critical Unmounting file systems fails during reboot or halt
365219-1 2-Critical Trust upgrade fails when upgrading from version 10.x to version 11.x.
556284-1 3-Major iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
551622-1 3-Major Untagged interface in Q-in-Q VLAN will cause bcm56xxd crash
546410-3 3-Major Configuration may fail to load when upgrading from version 10.x.
544888-6 3-Major Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
542860-2 3-Major TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
541316-4 3-Major Unexpected transition from Forced Offline to Standby to Active
540328-1 3-Major SSL key/certificate/csr file renewal/overwrite fails silently.
538663-2 3-Major SSO token login does not work due to remote role update failures.
538133-3 3-Major Only one action per sensor is displayed in sensor_limit_table and system_check
534582-5 3-Major HA configuration may fail over when standby has only base configuration loaded.
533826-7 3-Major SNMP Memory Leak on a VIPRION system.
533458-6 3-Major Insufficient data for determining cause of HSB lockup.
528971-1 3-Major 'Force to Standby' button greyed out when using 'Select All' for traffic groups.
528310-2 3-Major Upgrade failure when CertKeyChain exists in non-Common partition
528276-1 3-Major The device management daemon can crash with a malloc error
487625-1 3-Major Qkview might hang
440895-1 3-Major Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
433466-3 3-Major Disabling bundled interfaces affects first member of associated unbundled interfaces
548268-1 4-Minor Disabling an interface on a blade does not change media to NONE
473163-8 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap


Local Traffic Manager Fixes

ID Number Severity Description
555549-1 1-Blocking 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.
552937-3 2-Critical HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
550124 2-Critical SSL memory leak when the peer sends a certificate chain but BIG-IP SSL is configured with only the root certificate as the trusted CA.
538255-5 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
527011-5 2-Critical Intermittent lost connections with no errors on external interfaces
517590-3 2-Critical Pool member not turning 'blue' when monitor removed from pool
493743 2-Critical TCP4 filter allows non-SYN packet to create new connflow after sending RST.
481162-7 2-Critical vs-index is set differently on each blade in a chassis
553311-3 3-Major Route pool configuration may cause TMM to produce a core file
547815-3 3-Major Potential DNS Transparent Cache Memory Leak
543220-4 3-Major Global traffic statistics does not include PVA statistics
542640-1 3-Major bigd intentionally cores when it should shut down cleanly
540213-1 3-Major mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary
538603 3-Major TMM core file on pool member down with rate limit configured
537964-6 3-Major Monitor instances may not get deleted during configuration merge load
537498 3-Major Oracle Access Manager SSO with client certificates authentication may fail
527027-2 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
527024-4 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
510951-1 3-Major Status of connection limited pool is reported incorrectly
488581-2 3-Major The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within a HTTP_REQUEST event
447958-1 3-Major Slow client side SSL connection can be prematurely reset.
441058-4 3-Major TMM can crash when a large number of SSL objects are created
424831-5 3-Major State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
418890-3 3-Major OpenSSL bug can prevent RSA keys from rolling forward
406001-4 3-Major Host-originated traffic cannot use a nexthop in a different route domain
364994-12 3-Major TMM may restart, or disabled connections may be reused, when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.
534458 4-Minor SIP monitor marks down member if response has different whitespace in header fields.


Performance Fixes

ID Number Severity Description
542282 3-Major Portal Access performance is lower for small size payloads


Application Security Manager Fixes

ID Number Severity Description
553162-1 2-Critical Heavy usage of memory when ASM remote logger destinations are non responsive
552139-1 2-Critical ASM limitation in the pattern matching matrix build-up
553146-1 3-Major BD memory leak
552534-1 3-Major A false 404 response is returned when session hijacking by device ID is turned on
547435-1 3-Major BIG-IQ ASM remote logger: Requests are not logged.
541852-2 3-Major ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails
541406-2 3-Major ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request
539336-1 3-Major Missing Setting in Security Policy XML Export
538827-2 3-Major Getting error when trying to update collection of gwt-profiles with override metacharacters
538195-2 3-Major Incremental Manual sync does not allow overwrite of 'newer' ASM config
535188-4 3-Major Response Pages custom content with \n instead of \r\n on policy import.
534246-3 3-Major rest_uuid should be calculated from the actual values inserted to the entity
538837-2 4-Minor REST: Filtering login pages or parameters by their associated URL does not work


Application Visibility and Reporting Fixes

ID Number Severity Description
552488-2 3-Major Missing upgrade support for AFM Network DoS reports.
549393-1 3-Major SWG URL categorization may cause the /var file system to fill.
537435-2 3-Major Monpd might core if asking for export report by email while monpd is terminating
535246-3 3-Major Table values are not correctly cleaned and can occupy entire disk space.
525708-6 3-Major AVR reports of last year are missing the last month data


Access Policy Manager Fixes

ID Number Severity Description
553330 1-Blocking Unable to create a new document with SharePoint 2010
555507-1 2-Critical Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
553516 2-Critical Unable to sync events from SharePoint 2010 to local Outlook calendar
551764-2 2-Critical [APM] HTTP status 500 response for a successful Access Policy in clientless mode on chassis platforms
541978-1 2-Critical Using non-existent perflow variables in a per-request policy agent's VPE results in a system crash
553497 3-Major [Portal Access][sharepoint 2013] unable to create a new document.
553470 3-Major An error occurs when creating an item in SharePoint 2010 through Site Options
552430 3-Major Expression evaluator in per-request policy VPE might result in system crash
551819-1 3-Major NTLM Type 1 message no longer sets NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag
550221-2 3-Major Policy resync failed after removing a policy item with more remaining
549588-1 3-Major EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
549086-1 3-Major Windows 10 is not detected when Firefox is used
548361-2 3-Major Performance degradation when adding VDI profile to virtual server
543222-2 3-Major apd may crash if an un-encoded session variable contains "0x"
539270 3-Major A specific NTLM client fails to authenticate with BIG-IP
539229-2 3-Major EAM core while using Oracle Access Manager
539201-1 3-Major Endpoint Management System type 'Fiberlink' is now called 'IBM MaaS360'
539018-4 3-Major When TMM is killed by the monitoring process while stuck in a loop, the stack trace is always logged in the parent TMM thread's log file.
539013-1 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
538198-1 3-Major Security warning popup on tunnel establishment
538192-1 3-Major Response for sesstimeout.js contains two Cache-Control HTTP headers.
537614-3 3-Major Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
537000-1 3-Major Installation of Edge Client can cause Windows 10 crash in some cases
534374-1 3-Major IdP Support pipe-separated session variables ( | a | b | c | ) as multi-valued attributes in SAML assertion
534373-3 3-Major Some Text on French Localized Edge client on windows has grammatical error
533566-2 3-Major Support for View HTML5 client v3.5 shipped with VCS 6.2
531883-1 3-Major Windows 10 App Store VPN Client must be detected by BIG-IP APM
531483-3 3-Major Copy profile might end up with error
530800-2 3-Major Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.
528808-4 3-Major Source NAT translation doesn't work when APM is disabled using iRule
526677-5 3-Major VMware Horizon HTML5 View access client cannot connect when using View Connection Server running version 6.1.1
526637-3 3-Major tmm crash with APM clientless mode
519012-1 3-Major Support launching RDS pool with HTML5 client from APM Full Webtop
518550-2 3-Major Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
514287 3-Major Deleting a policy-item and its associated agent via IControl Rest transaction fails
462598-6 3-Major Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
446860-2 3-Major APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
550537-1 4-Minor Need to change 'Fiberlink' to 'IBM MaaS360' in UI help
533723-5 4-Minor [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
532394-3 4-Minor Client to log value of "SearchList" registry key.
507321-4 4-Minor JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields


WebAccelerator Fixes

ID Number Severity Description
476460-1 3-Major WAM Range HTTP header limited to 8 ranges


Wan Optimization Manager Fixes

ID Number Severity Description
547537-2 3-Major TMM core due to iSession tunnel assertion failure


Service Provider Fixes

ID Number Severity Description
523854-2 3-Major TCP reset with RTSP Too Big error when streaming interleaved data


Advanced Firewall Manager Fixes

ID Number Severity Description
528616-1 2-Critical Failure to add a custom bot signature
549794-1 3-Major Requests may be dropped when proactive bot defense is on but Block Suspicious Browsers is off


Policy Enforcement Manager Fixes

ID Number Severity Description
542781-2 2-Critical Tmm crash observed during load testing
551303-1 3-Major TMM may core during processing of a CCA-T.
548114-2 3-Major RAR for already deleted session returns RAA with 5012 error code
546516-2 3-Major PEM: TMM core when deleting sessions not known to the PCRF
545558-2 3-Major Send RAA when RAR is sent by the PCRF and the session is deleted immediately after it is created.
541592-2 3-Major PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions
537034-2 3-Major PEM: CPU spike seen when an iRule is used to update non-existent sessions
534323-2 3-Major Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.
528247-2 3-Major PEM: New Requested Units empty when used units match granted service units
528238-2 3-Major Quota Policy Added multiple times will lead to reset of Subscriber flows
526786-2 3-Major Session lookup fails
525633-2 3-Major Configurable behavior if PCRF returns unknown session ID in middle of session.


Carrier-Grade NAT Fixes

ID Number Severity Description
540484-1 2-Critical "show sys pptp-call-info" command can cause tmm crash

 

Cumulative fix details for BIG-IP v12.0.0 Hotfix 4 that are included in this release

606110-1 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.

Component: TMOS

Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading to a version later than 12.1.0, the default module for dataplane interfaces is UNIC instead of socket-based networking.

Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.

Impact:
The raw socket-based TMM driver is replaced by a UNIC driver. The socket-based driver eliminates kernel driver dependencies and provides better portability across kernel/driver upgrades.

Workaround:
None.

Fix:
The BIG-IP VE socket-based networking driver is retained after upgrade on AWS or Azure.


600662-2 : CGNAT: NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: SOL64743453


599168-2 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: SOL35520031


598983-2 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: SOL35520031


596814-7 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments in which the floating IP address matches more than one network interface in the same Availability Zone, for example when other Amazon VPCs in that Availability Zone contain unrelated instances that use the same private IP address as the BIG-IP system's floating IP address.

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Avoid AWS deployments in which other VPCs use the same IP address as the BIG-IP system's floating IP address.

Fix:
Failover now narrows the network-interface lookup (the describe call) by also filtering on the VPC ID, so interfaces in unrelated VPCs that carry the same address are no longer candidates.
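The ambiguity described above, and the effect of adding the VPC filter, as an added example that is not F5's failover code. It models an EC2 DescribeNetworkInterfaces lookup against a constructed response; the ENI IDs, VPC IDs and addresses are made up, and only the two filter names ('addresses.private-ip-address', 'vpc-id') are real EC2 filter names that a script would pass to boto3's ec2.describe_network_interfaces(Filters=...).

```python
"""Added example (not F5 code): a failover ENI lookup keyed only on the
floating private IP is ambiguous when another VPC in the same Availability
Zone reuses the address; filtering on vpc-id removes the ambiguity.

All identifiers below are constructed for the example.
"""
from typing import Dict, List, Optional


def eni_filters(floating_ip: str, vpc_id: Optional[str] = None) -> List[Dict[str, List[str]]]:
    """Build the Filters argument for ec2.describe_network_interfaces().

    'addresses.private-ip-address' and 'vpc-id' are real EC2 filter names.
    Without vpc_id, the filter matches every ENI in the region that carries
    the address, including unrelated VPCs that reuse the same RFC 1918 range.
    """
    filters = [{"Name": "addresses.private-ip-address", "Values": [floating_ip]}]
    if vpc_id:
        filters.append({"Name": "vpc-id", "Values": [vpc_id]})
    return filters


def select_eni(response: dict, floating_ip: str, vpc_id: Optional[str] = None) -> str:
    """Pick the single ENI that currently holds floating_ip.

    Applies the same filter client-side so the failure mode shows up offline:
    without vpc_id, two VPCs using the same address yield two candidates, and
    a failover script that takes the first one may reassign the address from
    the wrong interface (or fail the reassignment outright).
    """
    candidates = []
    for eni in response.get("NetworkInterfaces", []):
        if vpc_id and eni.get("VpcId") != vpc_id:
            continue
        addrs = {a.get("PrivateIpAddress") for a in eni.get("PrivateIpAddresses", [])}
        if floating_ip in addrs:
            candidates.append(eni["NetworkInterfaceId"])
    if len(candidates) != 1:
        raise LookupError(
            f"expected exactly one ENI holding {floating_ip}, found {len(candidates)}: {candidates}"
        )
    return candidates[0]


def is_ambiguous(response: dict, floating_ip: str, vpc_id: Optional[str] = None) -> bool:
    """True when the lookup does not resolve to exactly one ENI."""
    try:
        select_eni(response, floating_ip, vpc_id)
        return False
    except LookupError:
        return True


# Constructed response: two VPCs in the same Availability Zone both use
# 10.0.1.50. Only the BIG-IP VPC (vpc-bigip) is the one failover may touch.
SAMPLE_RESPONSE = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-unrelated", "VpcId": "vpc-other",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.50", "Primary": True}]},
        {"NetworkInterfaceId": "eni-bigip-a", "VpcId": "vpc-bigip",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True},
                                {"PrivateIpAddress": "10.0.1.50", "Primary": False}]},
    ]
}


if __name__ == "__main__":
    # Real use: ec2.describe_network_interfaces(Filters=eni_filters(ip, vpc_id))
    print("pre-fix lookup ambiguous:", is_ambiguous(SAMPLE_RESPONSE, "10.0.1.50"))
    print("with vpc-id filter:", select_eni(SAMPLE_RESPONSE, "10.0.1.50", "vpc-bigip"))
```

The same check is worth keeping in any custom failover automation: refuse to reassign an address unless the lookup returns exactly one interface, rather than silently taking the first match.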


596603-13 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
The issue has been corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.


592699-1 : Performance of data pulled from the BIG-IP system over IPv6 via HTTPS, SCP, SSH, DNS or SMTP

Component: Local Traffic Manager

Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.

Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.

Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.

Workaround:
Disable TSO for IPv6 at the command line by running the following command:
 ethtool -K tmm tso off
Note: This command must be run again after each reboot.

Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.


592354-1 : Raw sockets are not enabled on Cloud platforms

Component: TMOS

Symptoms:
Cloud VMs come configured with the UNIC driver instead of raw sockets.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
UNIC is used instead of raw sockets.

Workaround:
Manually disabling the UNIC driver forces raw sockets to be used.

Fix:
Raw sockets are now enabled by default on cloud deployments.


591918-3 : ImageMagick vulnerability CVE-2016-3718

Vulnerability Solution Article: SOL61974123


591908-3 : ImageMagick vulnerability CVE-2016-3717

Vulnerability Solution Article: SOL29154575


591894-3 : ImageMagick vulnerability CVE-2016-3715

Vulnerability Solution Article: SOL10550253


591881-3 : ImageMagick vulnerability CVE-2016-3716

Vulnerability Solution Article: SOL25102203


591806-2 : ImageMagick vulnerability CVE-2016-3714

Vulnerability Solution Article: SOL03151140


587791 : Set execute permission on /var/lib/waagent

Component: TMOS

Symptoms:
Due to recent changes in the build process, /var/lib/waagent did not have the execute permission set. This caused user custom scripts to fail to execute during deployment.

Conditions:
First deployment of VM in Azure, which requires executing custom scripts.

Impact:
Custom scripts cannot be executed.

Workaround:
N/A

Fix:
The execute permission is now set correctly on the /var/lib/waagent directory.


581438 : Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.

Component: Global Traffic Manager

Symptoms:
Previously, only 16 pool members could be chosen during a single load-balancing decision.

Impact:
Cannot return more than 16 pool members in a DNS response.

Fix:
GTM now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.

Behavior Change:
GTM now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.


581299 : DNSRelay Proxy re-transmits DNS requests indefinitely every second if NA DNS servers do not respond

Component: Access Policy Manager

Symptoms:
The DNS Relay Proxy service sends a large number of DNS requests inside the Network Access tunnel if a DNS server is unreachable or unresponsive.

Conditions:
-- The DNS Relay Proxy service is installed on the user's machine.
-- One or more DNS servers are unreachable or unresponsive.

Impact:
Generates a large amount of DNS traffic from the user's machine, which may adversely affect customer infrastructure.

Workaround:
Stop the DNS Relay Proxy service from the Service Control Manager.

Fix:
Excessive DNS queries are no longer sent from the Edge Client if the DNS server is unreachable.


580898-1 : AVRD goes into an infinite loop and won't collect statistics

Component: Application Visibility and Reporting

Symptoms:
1. AVRD CPU consumption is 100%.
2. AVR does not collect any statistics.

This issue occurred due to memory corruption.

Conditions:
1. AFM is provisioned.
2. DNS, SIP, or network statistics are collected.

Impact:
AVR does not collect statistics.
AVRD consumes 100% CPU.

Workaround:
Restart avrd periodically.

Fix:
Fixed an issue that caused memory corruption resulting in avrd running in an infinite loop and not collecting statistics.


580817-2 : Edge Client may crash after upgrade

Component: Access Policy Manager

Symptoms:
The Edge client may crash after upgrading to 11.4.1 through 12.0.0.

Conditions:
Access Policy with Firewall Checker
Update BIG-IP to 12.1.0

Impact:
Users are unable to use the Edge client

Fix:
Fixed a crash in the Edge client


580596-3 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: SOL14190 SOL39508724


580429-2 : CTU does not show second Class ID for InstallerControll.dll

Component: Access Policy Manager

Symptoms:
The Client Troubleshooting Utility (CTU) does not display the registered class ID of InstallerControll.dll.

Conditions:
The Client Troubleshooting Utility is used to display all installed Edge Client components.

Impact:
No impact to end user or administrator. Impacts F5 support.

Workaround:
None.

Fix:
CTU now shows the class ID of InstallerControll.dll.


580421-2 : Edge Client may not register DLLs correctly

Component: Access Policy Manager

Symptoms:
After an end-user confirms that they want to install InstallerControll.cab, the browser gets stuck in 'Checking client'.

Conditions:
Client is using Internet Explorer

Impact:
Clients are unable to install the Edge client components

Fix:
Edge client components are now getting properly registered.


580059 : DNS Relay Proxy component of the Edge Client on Windows consumes a lot of CPU cycles

Component: Access Policy Manager

Symptoms:
In certain conditions, the DNS Relay Proxy component of the Edge Client enters a state in which it consumes most of the CPU cycles and rapidly fills the log file with 'Unknown event signaled' messages.

Conditions:
The DNS Relay Proxy is installed on the user's machine.

Impact:
The user's machine becomes very slow and appears unresponsive.

Workaround:
Stop the DNS Relay Proxy service from the Service Control Manager.

Fix:
The DNS Relay Proxy no longer enters a state in which it consumes excessive CPU cycles.


579559-6 : DTLS Network Access may not work on some hardware platforms with Nitrox hardware acceleration

Component: Access Policy Manager

Symptoms:
Network Access always falls back to a TLS connection, even if DTLS is configured, when connecting to some hardware platforms.

Conditions:
-- Network Access is configured to use DTLS.
-- A hardware BIG-IP platform with Nitrox DTLS acceleration is used.

Impact:
The Network Access connection always falls back to a TLS connection.

Workaround:
N/A

Fix:
Nitrox hardware acceleration support has been fixed.


576539-1 : Installation of 'linkcost.im' fails due to architecture mismatch

Component: Global Traffic Manager

Symptoms:
'im linkcost.im' fails during install, issuing the following error:
"package linkCost-1.0-0.0.241.x86_64 is intended for a x86_64 architecture"

Conditions:
Running BIG-IP version is v12.0.0

Impact:
Cannot install the linkcost feature

Workaround:
None.

Fix:
Installation of 'linkcost.im' now completes successfully.


574860 : HTTP request dropped when using ACCESS::disable from iRule and a Per-Request Policy

Component: Access Policy Manager

Symptoms:
When the ACCESS::disable command is used in an iRule together with a Category Lookup agent in a per-request policy, the HTTP request is incorrectly dropped and the connection is reset. This error condition may also occur with other per-request policy agents.

Conditions:
APM is deployed with a per-request policy that uses a Category Lookup agent, and an iRule that issues the ACCESS::disable command is associated with the same virtual server.

Impact:
The HTTP request will be dropped or the HTTP connection will stall and timeout.

Fix:
When ACCESS::disable is used in an iRule on a virtual server with an Access Profile and Per-Request Policy assigned, BIG-IP APM will not run the Per-Request policy.


574060-1 : glibc: getaddrinfo stack-based buffer overflow

Vulnerability Solution Article: SOL47098834


573124-1 : TMM vulnerability CVE-2016-5022

Vulnerability Solution Article: SOL06045217


572563-1 : PWS session does not launch on Internet Explorer

Component: Access Policy Manager

Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).

Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services, which Internet Explorer (IE) consumes. IE loads the DLL during the upgrade of PWS components. In some cases (especially on slow systems), IE does not unload the old DLL promptly after PWS is upgraded, so when the COM services are invoked to initialize PWS after the upgrade, the old DLL provides the service. Because the signing certificate was recently renewed, the old DLL cannot verify the integrity of the new PWS components. F5 has researched the issue but has not found a way to instruct IE to unload the old DLL after the upgrade.

Impact:
PWS session does not launch.

Workaround:
After the upgrade, if Internet Explorer (IE) does not enter PWS within 60 seconds, close IE and start a new session. This is a one-time event.

Fix:
Internet Explorer can now launch a Protected Workspace session.


572543-8 : User is prompted to install components repeatedly after client components are updated.

Component: Access Policy Manager

Symptoms:
After the client components are auto-updated from Internet Explorer, the user is prompted to install the components again when returning to the VPN site.

Conditions:
-- The administrator upgrades BIG-IP to 12.1.
-- The user has client components from a release older than 12.1.

Impact:
The user is prompted repeatedly to install the components.

Workaround:
Restart browser after components are updated the first time.


572495-1 : TMM may crash if it receives a malformed packet CVE-2016-5023

Vulnerability Solution Article: SOL19784568


571030-1 : The iControlPortal.cgi process may leave files open eventually causing the SSL Certificate List screen to fail.

Component: TMOS

Symptoms:
When accessing the SSL Certificate List via the configuration utility (System/File Management/SSL Certificate List), the configuration utility may report the error "General database error retrieving information.".

In addition, the ltm log will contain dlopen errors similar to:
/var/log/ltm.1:Feb 1 05:41:47 bigip1 err iControlPortal.cgi[2572]: dlopen returned /usr/lib/fips/pkcs11_nethsm.so: cannot open shared object file: Too many open files for module /usr/lib/fips/pkcs11_nethsm.so
/var/log/ltm.1:Feb 1 05:41:47 bigip1 err iControlPortal.cgi[2572]: dlopen returned /usr/lib/fips/cavium_luna.so: cannot open shared object file: Too many open files for module /usr/lib/fips/cavium_luna.so
/var/log/ltm.1:Feb 1 05:41:47 bigip1 err iControlPortal.cgi[2572]: dlopen returned /usr/lib/fips/cavium_ngfips.so: cannot open shared object file: Too many open files for module /usr/lib/fips/cavium_ngfips.so

Conditions:
The system contains CSR files (listed by 'tmsh list sys file ssl-csr'). In the configuration utility, these appear in the SSL Certificate List with "Certificate Signing Request" as part of the entry in the "Contents" column.

Each time that the SSL Certificate List page is loaded, files are held open and will eventually cause the issue.

Impact:
The SSL Certificate List becomes unusable.

Workaround:
To temporarily restore the functionality of the configuration utility, you can kill the iControlPortal.cgi process from an advanced shell, or restart httpd from tmsh.

From bash:
 pkill iControlPortal

From tmsh:
 restart /sys service httpd

Fix:
The configuration utility's SSL Certificate List no longer reports the "General database error retrieving information." error after the page has been visited several times.
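Two checks a practitioner might automate for this issue, as an added example that is not F5 code: scan ltm log lines for the dlopen "Too many open files" (EMFILE) errors quoted in the Symptoms above and attribute them to a PID, and count the descriptors a running process currently holds via /proc/<pid>/fd. The sample log lines are constructed from the format shown above (with a benign line and an unrelated error added); the descriptor limit and 80% warning ratio are assumptions for the example, not F5 values.

```python
"""Added example (not F5 code): detect the descriptor exhaustion behind
ID 571030-1 from ltm log lines, and measure a live process's open fds.

Sample log lines are constructed from the format quoted in the Symptoms.
"""
import os
import re
from typing import Dict, Iterable, List, Optional

# Matches the dlopen failure line format quoted above. Group 1 is the
# process name, group 2 the PID, group 3 the module that failed to load.
DLOPEN_EMFILE = re.compile(
    r"err (\S+?)\[(\d+)\]: dlopen returned (\S+): cannot open shared object file: "
    r"Too many open files"
)

# Constructed sample: three real-format EMFILE lines from one PID, plus noise.
SAMPLE_LTM_LOG = """\
Feb 1 05:41:40 bigip1 notice iControlPortal.cgi[2572]: loading certificate list
Feb 1 05:41:47 bigip1 err iControlPortal.cgi[2572]: dlopen returned /usr/lib/fips/pkcs11_nethsm.so: cannot open shared object file: Too many open files for module /usr/lib/fips/pkcs11_nethsm.so
Feb 1 05:41:47 bigip1 err iControlPortal.cgi[2572]: dlopen returned /usr/lib/fips/cavium_luna.so: cannot open shared object file: Too many open files for module /usr/lib/fips/cavium_luna.so
Feb 1 05:41:47 bigip1 err iControlPortal.cgi[2572]: dlopen returned /usr/lib/fips/cavium_ngfips.so: cannot open shared object file: Too many open files for module /usr/lib/fips/cavium_ngfips.so
Feb 1 05:42:01 bigip1 err tmm[1234]: some unrelated error
"""


def emfile_events(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {'<proc>[<pid>]': [module, ...]} for each EMFILE dlopen failure."""
    events: Dict[str, List[str]] = {}
    for line in lines:
        m = DLOPEN_EMFILE.search(line)
        if m:
            proc, pid, module = m.groups()
            events.setdefault(f"{proc}[{pid}]", []).append(module)
    return events


def fd_count(pid: int) -> Optional[int]:
    """Number of open descriptors for pid, or None if /proc is unavailable."""
    try:
        return len(os.listdir(f"/proc/{pid}/fd"))
    except OSError:
        return None


def fd_pressure(count: int, soft_limit: int = 1024, warn_ratio: float = 0.8) -> bool:
    """True when a process is within warn_ratio of its descriptor limit.

    1024 is a common default RLIMIT_NOFILE and is an assumption here; read the
    real value from /proc/<pid>/limits on the system being checked.
    """
    return count >= soft_limit * warn_ratio


if __name__ == "__main__":
    hits = emfile_events(SAMPLE_LTM_LOG.splitlines())
    for proc, modules in hits.items():
        print(f"{proc}: {len(modules)} dlopen failures, e.g. {modules[0]}")
        pid = int(proc[proc.index("[") + 1 : -1])
        n = fd_count(pid)          # None unless that PID exists on this host
        if n is not None:
            print(f"  {n} descriptors open, under pressure: {fd_pressure(n)}")
```

On a live system, running the fd count against the iControlPortal.cgi PID before and after loading the SSL Certificate List page shows the leak directly: the count grows with each page load and never drops back until the process is killed or httpd is restarted, as in the workaround above.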


570973-1 : L7 hardware SYN cookie feature is broken in BIG-IP v12.0.0 HF1 and HF2

Component: TMOS

Symptoms:
In BIG-IP v12.0.0 HF1 and HF2, the hardware SYN cookie feature for L7 virtual servers (for example, the Standard virtual server type, or FastL4 with an HTTP profile) is broken because of an HSB bitstream update that introduced a new hardware SYN cookie algorithm. The 12.0.0 base release is not affected.

Conditions:
Hardware SYN cookie is enabled (the default setting) on an L7 virtual server.

Impact:
When SYN cookie protection is triggered, legitimate ingress traffic may be dropped by BIG-IP.

Workaround:
Disable hardware SYN cookie on L7 virtual servers.

Note: After applying this workaround you may encounter Bug ID 555020 (SW syncookies and windowscaling will cause 3WHS to fail on L7 VIP), in which case you also need to apply the workaround for that bug.

Fix:
This bug is fixed in 12.0.0-hf3 and 12.1.0.


570716-2 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736

Vulnerability Solution Article: SOL10133477


570667-7 : OpenSSL vulnerabilities

Vulnerability Solution Article: SOL64009378


570563-3 : CRL is not being imported/exported properly

Component: Access Policy Manager

Symptoms:
CRL assigned as part of Machine Cert Auth is not being imported/exported properly.

Conditions:
This occurs when importing SSL certificates and keys of the CRL type, or when adding the Machine Cert Check agent to an Access Profile while creating a new Certificate Authority Profile.

Impact:
Prevents the CRL from being exported. Might also affect the import/export of Certificate Authority Profiles.

Workaround:
1. Copy and install the CRL to the other BIG-IP system separately.
2. Modify the exported configuration to use CRL from step 1

Fix:
Import and export of CRL is fully supported.


570064-2 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"

Component: Access Policy Manager

Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"

Conditions:
BIG-IP APM configured and is accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.

Impact:
Users see a security prompt that should not occur.

Fix:
Internet Explorer will no longer prompt to run InstallerControll.cab


569583-2 : Secondary Blade Rejects All Traffic after being added to the chassis

Component: Application Security Manager

Symptoms:
After an upgrade ends in errors, the device may be left in a state that it erroneously believes to still be in the middle of the upgrade.

Conditions:
A second blade is installed into a chassis and there are errors as it comes up.
System configuration is never successfully loaded. This can occur during upgrades to versions prior to 12.0.0.

Impact:
Secondary blade blocks all ASM traffic.

Workaround:
1) Delete the /var/ts/var/install/ucs_install.pid file on all blades
2) Push a fresh sync from a good device.

Fix:
The system correctly detects that it is no longer in the middle of an upgrade.


569467-12 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: SOL11772107


569306-2 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected

Component: Access Policy Manager

Symptoms:
The user is shown the logon page to connect to the VPN after logging on to Windows. Windows logon credentials are not used for the VPN automatically.

Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected

Impact:
The user has to retype their credentials to connect to the VPN.

Workaround:
Enter the credentials again to connect to VPN

Fix:
Windows logon credentials are now used automatically to connect to the VPN.


569255-2 : Network Access incorrectly manipulates the routing table when a second adapter is connected if 'Allow Local subnet access' is set to ON

Component: Access Policy Manager

Symptoms:
When Network Access is already established and a second network interface is connected to the client system, the VPN quickly reconnects, which breaks existing TCP connections. Because the reconnect occurs very quickly, it might appear to the user that nothing happened.

Conditions:
-- 'Allow Local subnet access' enabled.
-- A second network interface is connected to the client system.

Impact:
Long-standing TCP connections may break, for example, a VPN over Network Access.

Workaround:
Disable 'Allow Local subnet access'.

Fix:
Network Access now remains stable when a second network interface is connected, so long-standing TCP connections (such as a VPN over Network Access) continue as expected.


568795-3 : Dedup Cache Refresh may fail to re-initialize WOM endpoint

Component: Wan Optimization Manager

Symptoms:
WOM endpoints are not always re-initialized correctly after dedup cache refresh operations:
    tmsh modify wom remote-endpoint all dedup-action cache-refresh

Conditions:
WOM

Impact:
iSession tunnels do not establish.

Workaround:
bigstart restart

Fix:
The problem of WOM endpoints not establishing after configuration changes has been corrected.


568610-1 : Policy Diff/Merge Does Not Work Correctly For Brute Force Protection

Component: Application Security Manager

Symptoms:
Using Policy Merge to add Brute Force Protection for a Login URL fails.

Conditions:
Policy Merge is used to add Brute Force Protection for a Login URL.

Impact:
Policy merge fails

Workaround:
The Brute Force items can be ignored from the diff, and the rest of the items will successfully auto-merge. Brute Force Protection can then be added manually to the target Policy.

Fix:
Policy Merge now successfully adds a new Brute Force Protection to a target policy.


568576-1 : Version Check fails when upgrading across a major version boundary

Component: Access Policy Manager

Symptoms:
The Edge Client's version check fails to check across a major version boundary, so the installer does not update automatically. F5InstServLog.txt reports the following message: service.cpp, 2015, VerifyPackage(), (0x64d) EXCEPTION - this is an old or same version - do not upgrade

Conditions:
Install the Edge Client from BIG-IP v12.0.0, then use it to connect to a BIG-IP v12.1.0 system.

Impact:
Edge Client auto-installer fails.

Fix:
The Edge client version check now properly detects new versions.


567774-2 : ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root

Component: TMOS

Symptoms:
The properties 'ca-devices' and 'non-ca-devices' are accepted by the 'restart cm trust-domain' command but are not valid there.

Conditions:
None

Impact:
Do not use the restart command with the properties 'ca-devices' and 'non-ca-devices'. The command has to be used in the same way as the delete command.

Workaround:
A new tmsh command to reset a device trust was added: 'restart cm trust-domain Root', which operates exactly like 'delete cm trust-domain Root'. The properties 'ca-devices' and 'non-ca-devices' are accepted by the 'restart' command but are not valid, and they are not available in 'delete cm trust-domain'. The workaround is to not use these two properties when running 'restart cm trust-domain', or to use 'delete cm trust-domain' instead.

Fix:
The 'ca-devices' and 'non-ca-devices' properties have been removed from the tmsh command 'restart cm trust-domain' because they are not valid.


567660-1 : Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature

Component: Access Policy Manager

Symptoms:
An existing TCP connection is sporadically disrupted by the BIG-IP virtual server sending out a SYN-ACK, causing the existing connection to fail.
The client and virtual server set up a good TCP connection, complete the SSL handshake, and start to pass application data.
The APM virtual server then sends a SYN-ACK with sequence and acknowledgement numbers that do not match the existing stream.
APM tries three SYN-ACKs before giving up and sends a RST-ACK, which drops the connection attempt; because it shares the same IP:port as the existing connection, it also resets the good connection.

Conditions:
Auto Last Hop setting is disabled

Impact:
APM RDG feature does not work

Workaround:
1. Enable Auto Last Hop
OR
2. Set cmp_enabled to 'NO' on virtual

Fix:
APM RDG feature now works as expected when Auto Last Hop is disabled.


567484-6 : BIND Vulnerability CVE-2015-8705

Vulnerability Solution Article: SOL86533083


567475-6 : BIND vulnerability CVE-2015-8704

Vulnerability Solution Article: SOL53445000


567400-1 : Policy Diff/Merge Does Not Work Correctly For Session Awareness Login Pages

Component: Application Security Manager

Symptoms:
When comparing Security Policies with Session Awareness enabled for specific Login Pages, false differences are shown in the Diff.
Additionally, attempting to merge policies with these elements does not provide expected enforcement, as the Login Pages will not be enabled correctly in the target policy.

Conditions:
A Security Policy with Session Awareness Login Pages is compared with Policy Diff.

Impact:
False differences may appear, and merging them will not provide expected enforcement.

Workaround:
These elements can be ignored in the Diff Summary before an auto-merge, and handled manually.

Fix:
Session Awareness Login Pages are now handled correctly in Policy Diff and Merge.


567369-1 : HTTP profile stats are updated incorrectly

Component: Local Traffic Manager

Symptoms:
If the HTTP server closes the HTTP connection, the payload statistics (resp-bucket-1k/4k/etc.) may never be updated. Looking at the ltm profile stats shows that connections happened, but they are not recorded in the expected size buckets. For example, 100 small requests should show up as 100 in resp-bucket-1k, but instead it shows 0.

Conditions:
HTTP profile in use
Server closes the connection.

Impact:
Incorrect payload statistics when looking at HTTP profile stats

Workaround:
None

Fix:
HTTP profile payload statistics are now correctly reported.


567293-1 : find-activate.pl stuck in infinite loop unable to resolve root nameserver.

Component: TMOS

Symptoms:
If find-activate.pl receives an ICMP port unreachable message for UDP port 53 when trying to resolve the root nameserver, it keeps retrying in what appears to be an infinite loop.

Conditions:
find-activate.pl receives an ICMP port unreachable message for UDP port 53 when trying to resolve the root nameserver.

Impact:
This might eventually result in an out-of-memory condition.

Workaround:
This must be done per unit (each VIPRION blade, all BIG-IP systems in an HA configuration, etc.). Perform the following steps as the root user:

1) Mount /usr read-write (see SOL11302):
mount -o remount,rw /usr

2) Edit the file:
/usr/lib/perl5/Net/DNS/Resolve/Recurse.pm

Line 115 has this statement:
    return $self->hints();

Modify that statement to this:
    return;

3) Sync the filesystems and remount /usr as read-only (remount command, see SOL11302):
sync && mount -o remount,ro /usr
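An added Python helper, not part of the BIG-IP workaround itself, that applies step 2 only after confirming line 115 holds exactly the expected statement, so a different revision of Recurse.pm is left untouched; the remount steps 1 and 3 are still performed as shown above. The function names are hypothetical.

```python
from pathlib import Path
from typing import Tuple

EXPECTED_LINE = 115  # line number given in the workaround above (1-based)
ORIGINAL_STMT = "return $self->hints();"
PATCHED_STMT = "return;"


def patch_recurse_text(text: str) -> Tuple[str, str]:
    """Apply the edit to the file contents.

    Returns (status, new_text) where status is one of:
      'patched'         - the statement on line 115 was replaced
      'already-patched' - line 115 already reads 'return;'
      'unexpected'      - file too short or line 115 differs; nothing changed
    """
    lines = text.splitlines(keepends=True)
    if len(lines) < EXPECTED_LINE:
        return "unexpected", text
    line = lines[EXPECTED_LINE - 1]
    stripped = line.strip()
    if stripped == PATCHED_STMT:
        return "already-patched", text
    if stripped != ORIGINAL_STMT:
        # A different file revision: do not edit blindly.
        return "unexpected", text
    indent = line[: len(line) - len(line.lstrip())]  # keep original indentation
    newline = "\n" if line.endswith("\n") else ""
    lines[EXPECTED_LINE - 1] = f"{indent}{PATCHED_STMT}{newline}"
    return "patched", "".join(lines)


def patch_recurse_pm(path: Path) -> str:
    """Read the module, patch it in place if safe, and report the status."""
    status, new_text = patch_recurse_text(path.read_text())
    if status == "patched":
        path.write_text(new_text)
    return status


if __name__ == "__main__":
    # Run on the real module only after step 1 (remount /usr read-write).
    print(patch_recurse_pm(Path("/usr/lib/perl5/Net/DNS/Resolve/Recurse.pm")))
```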

Fix:
find-activate.pl no longer becomes stuck in an apparent infinite loop when unable to resolve root nameserver.


567199-2 : NLA-awareness works incorrectly in "Always Connected Mode"

Component: Access Policy Manager

Symptoms:
Edge Clients configured with Network Location Awareness and Always Connected Mode will fail to connect if the client is outside of the enterprise LAN and "Allow traffic only in enterprise networks" is configured.

Conditions:
1. Generate a package that contains the Edge Client in Always Connected Mode, and specify "Allow traffic only in enterprise networks".
2. Connect the client to a LAN that is not an enterprise LAN (one without the enterprise suffix).
3. Install and run the Edge Client.

Impact:
Clients will be unable to connect to enterprise resources

Workaround:
None.

Fix:
The Edge client now passes through NLA awareness events so that clients can connect to enterprise resources.


567100-1 : A HTTP CONNECT request should not be closed

Component: Local Traffic Manager

Symptoms:
An HTTP CONNECT request may be closed early if the server does not respond with a Keep-Alive header.

Conditions:
The server's response to the HTTP CONNECT request does not contain a Keep-Alive header.

Impact:
HTTP CONNECT requests will fail due to early termination.

Fix:
HTTP CONNECT requests are now kept alive even without a Keep-Alive header or an HTTP/1.1 response.


566646-3 : Portal Access could respond very slowly for large text files when using IE < 11

Component: Access Policy Manager

Symptoms:
When accessing a large 'text/plain' file from a server with Internet Explorer versions 7 through 10 client browsers, Portal Access sometimes holds the response until it has fetched and processed the entire file contents. This can take several dozen seconds, or even minutes.

Conditions:
Internet Explorer version 7 through 10 with Portal Access

Impact:
Large text files can't be accessed or downloaded through Portal Access.

Workaround:
An iRule that does either of the following:
a) Preferred: append F5CH=I to the request URI in HTTP_REQUEST for affected requests.
b) Call REWRITE::disable for affected requests.

Fix:
Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay.


566361-1 : RAM Cache Key Collision

Component: Local Traffic Manager

Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled

Conditions:
This occurs when RAM cache is enabled in certain circumstances.

Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.

Workaround:
None.

Fix:
The system now avoids RAM Cache Key collisions, the correct object and response format are delivered from the cache, and tmm no longer cores.


565810-3 : OneConnect profile with an idle or strict limit-type might lead to tmm core.

Component: Local Traffic Manager

Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.

Conditions:
OneConnect profile with a limit-type value of idle or strict.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a limit-type of 'none'.

Fix:
A OneConnect profile using an idle or strict limit-type no longer causes the tmm to core when attempting to shutdown idle connections.


565648-1 : APM process (apmd) file descriptor leak

Component: Access Policy Manager

Symptoms:
Access policy operations invoked by internal BIG-IP functions (iRules/Rewrite) may cause the APM process (apmd) to leak file descriptors. After some time, the APM process's file descriptor table is exhausted and no more access policies are processed.

Error messages may be observed in the logs:

Jan 5 09:10:24 ENBig-AP1 err apmd[5251]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 62 Msg: epoll_create() failed [Too many open files].

Jan 5 09:10:24 ENBig-AP1 err apmd[5251]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1573 Msg: error 3 reading/parsing response from socket 1015. strerror: Too many open files, queue size 0, time since accept 0

Conditions:
Access policies invoked by internal functions such as iRules or plugins can cause the leak.

Impact:
The APM process is unable to create sessions leading to an inability to process access policy operations.

Workaround:
Restart the apmd process.

Fix:
The APM process (apmd) no longer leaks file descriptors when access policy functions are invoked by internal BIG-IP functions.


565554-2 : The [HTTP::hsts] iRule API now also supports the retrieval of the full HTTP-Strict-Transport-Security (HSTS) header

Component: Access Policy Manager

Symptoms:
HTTP profile does not honor HSTS header for /my.policy redirect on an APM virtual server.

Conditions:
APM and LTM provisioned. APM virtual server with an HTTP profile that has HSTS configured.

Impact:
Functional. HSTS header is missing on APM redirect pages.

Workaround:
An iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection.

DevCentral iRule example: https://devcentral.f5.com/questions/hsts-and-apm-ssllabs

Fix:
An iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection.

DevCentral iRule example: https://devcentral.f5.com/questions/hsts-and-apm-ssllabs

Behavior Change:
The [HTTP::hsts] iRule API now also supports the retrieval of the full HTTP-Strict-Transport-Security (HSTS) header, by using either of the following invocations:

[HTTP::hsts]
[HTTP::hsts value]

These APIs are read-only. For writing/updating the HSTS header, the following APIs are used:

HTTP::hsts mode <enable|disable>
HTTP::hsts maximum-age <age>
HTTP::hsts include-subdomains <enable|disable>


565534-1 : Some failover configuration items may fail to take effect

Component: TMOS

Symptoms:
These symptoms apply to version 12.0.0 and higher:

When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.

These symptoms can occur on all versions:

When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.

Conditions:
For version 12.0.0 and higher:

Multicast failover is configured and the system loads the configuration from the configuration files, for example during the first boot of a new boot location or after performing the procedure in SOL13030.

For all versions:

A change is made to the cm device configuration that includes a unicast-address change along with something else.

Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.

Workaround:
Mitigation for v12.0.0 symptom:

To restore multicast failover, disable and re-enable multicast failover.

CLI:
This must be done on the local device:
Determine which interface is being used for multicast failover:
tmsh> list cm device bigip1 multicast-interface
Disable and re-enable multicast failover.
tmsh> modify cm device bigip1 { multicast-interface none }
tmsh> modify cm device bigip1 { multicast-interface eth0 }


Mitigation for all versions symptoms:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.

Fix:
With the fix, sod now sends out multicast FO heartbeat datagrams under the same condition.


565527-1 : Static proxy settings are not applied if NA configuration

Component: Access Policy Manager

Symptoms:
Applications that cannot evaluate a PAC file cannot use the static proxy configuration either.

Conditions:
- Network Access (NA) setting has static proxy configuration.
- Application on user's system does not support proxy auto configuration, but does support static proxy configuration.

Impact:
The application cannot make connections if a proxy is required to reach the destination, resulting in failed connections from that application.

Workaround:
None.

Fix:
Static proxy settings are now applied in Network Access configurations. This allows applications that do not support PAC files to work inside the VPN.


565463-1 : ASM-config consumes 1.3GB RAM after repeated Policy Import via REST

Component: Application Security Manager

Symptoms:
Multiple ASM-config processes are running (more than 10) and consuming more than a GB.

Conditions:
ASM provisioned.
Repeated policy import via REST.

Impact:
The BIG-IP system might run low on memory and post the following message in /var/log/kern.log: Out of memory: Kill process 22699.

Workaround:
Restart asm (disruptive).
Restart asm_config_server.pl (non-disruptive).

Fix:
We modified an operation to limit the number of ASM configuration processes. The operation now reuses processes instead of creating new ones, so the system no longer runs out of memory.


565231-3 : Importing a previously exported policy which had two object names may fail

Component: Access Policy Manager

Symptoms:
If an exported access policy includes two object names of the form profile_name-aaa and aaa, importing that policy may fail or produce an incorrect result.

Conditions:
For example:
access policy name "test"
access policy item name "test-empty"
access policy item name "empty"

For example:
access policy name "test"
access policy item name "test-empty"
macro name "empty"

Impact:
Rare case, but the import of such a policy may fail.

Workaround:
One of the objects could be renamed in the bigip.conf file to avoid such a naming pattern.

Fix:
Objects are being exported correctly without error.


565056-2 : Fail to update VPN correctly for non-admin user.

Component: Access Policy Manager

Symptoms:
VPN is not updated correctly for non-admin users.

Conditions:
Steps to Reproduce:
1. In BIG-IP 12.0, create Access Policy containing (Firewall Check, Machine Info, Machine Cert Auth, Cache and Session Control, Protected Workspace, VPN Resources with Optimized Applications.)
2. Login with a User without admin privileges
3. Run Firefox (FF)
4. Log in to the virtual server and install components
5. Click on the NA resource on the webtop to start the VPN tunnel => the user is asked for an admin password and the VPN is successfully installed and established
6. Close Firefox and exit Protected Workspace (PWD)

Impact:
VPN is not updated. A user is not asked to enter admin credentials and an error is given: "Error downloading required files (-1)"

Workaround:
None.

Fix:
VPN is now updated as expected for non-admin users.


564956-3 : PCCD core and slow running SQL

Component: Advanced Firewall Manager

Symptoms:
Search in network firewall log is very slow.

Conditions:
This occurs with large log files.

Impact:
Log searches could get really slow for very large log files.

Workaround:
Use custom search filters to speed up the search times.

Fix:
Search times for searching in large network firewall logs have been improved.


564521-4 : JavaScript passed to ExternalInterface.call() may be erroneously unescaped

Component: Access Policy Manager

Symptoms:
JavaScript passed to ExternalInterface.call() may be erroneously unescaped.

Conditions:
Adobe ActionScript 3.0 version 24 or less.

Impact:
Adobe Flash application may crash.

Workaround:
None

Fix:
The issue has been fixed.


564496-1 : Applying APM Add-on License Does Not Change Effective License Limit

Component: Access Policy Manager

Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated, even though telnet output shows that it is.

Conditions:
1. Set up a high availability (HA) configuration with a base APM license.
2. Apply an APM add-on license to increase Access and CCU license limits.

Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.

Workaround:
To make the add-on license effective, run the command: bigstart restart tmm.

Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.


564482-1 : Kerberos SSO does not support AES256 encryption

Component: Access Policy Manager

Symptoms:
If the delegation account is enforced to use AES256 encryption, then APM Kerberos SSO will fail. Example error message: Dec 18 19:22:19 bigip8910mgmt err websso.7[31499]: 014d0005:3: Kerberos: can't decrypt S4U2Self ticket for user 'username' - Decrypt integrity check failed (-1765328353).

Conditions:
Delegation account is enforced to use AES256 encryption.

Impact:
Kerberos SSO fails and the user is prompted to enter credentials.

Workaround:
Disable the option to enforce AES256 encryption for the delegation account.

Fix:
Delegation account can be enforced to use AES256 encryption, provided the delegation account is configured as SPN format on the Kerberos SSO configuration.


564427-4 : Use of iControl call get_certificate_list_v2() causes a memory leak.

Component: TMOS

Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.

Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.

Impact:
Memory leak.

Workaround:
Restarting httpd helps reduce memory, but it must be restarted periodically to clear up the memory issues.

Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.


564263-1 : PEM: TMM asserts when Using Debug Image when Gy is being used

Component: Policy Enforcement Manager

Symptoms:
TMM assert leading to restart.

Conditions:
When a policy P1 is installed over Gx with a reference to rating group R1, and later an update is received over Gx that removes P1 and adds a policy P2 that also refers to the same rating group R1, TMM cores when policy P2 is removed.

Impact:
TMM restart and disruption of service.

Workaround:
The PCRF should ensure that policy additions and removals are not sent in a single update.

Fix:
The issue has been fixed.


564262-1 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code

Component: Access Policy Manager

Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.

Conditions:
-DNS names cannot be resolved on client system.
-PAC file used to determine proxy server uses JavaScript DNS resolution function.

Impact:
Tunnel server crashes and user cannot establish VPN.

Workaround:
Enable DNS resolution on client or do not use DNS resolution JavaScript functions in PAC file.

Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.


564253-1 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins, which are not signed by Firefox.

Conditions:
Using APM with Firefox v44.0 and later.

Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.

Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.

Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.


563670-3 : OpenSSL vulnerabilities

Vulnerability Solution Article: SOL86772626


563621-1 : ASM REST: URL link reference in URL level parameter is malformed

Component: Application Security Manager

Symptoms:
When using URL level parameters, the reference link appears incorrectly in REST

Conditions:
URL level parameters exist and ASM REST is being used.

Impact:
REST API clients may not be able to correctly parse the response.

Workaround:
The ID on the end of the link is correct and can be used given that the client should know the correct full path for URLs within the policy.

Additionally the expanded reference (?$expand=urlReference) will have the correct full URL and selfLink.

Fix:
The URL link for a URL level Parameter in REST now correctly has the policy as part of the URI.


563591-1 : reference to freed loop_nexthop may cause tmm crash.

Component: Local Traffic Manager

Symptoms:
tmm may crash intermittently when there are cmp directed VIP (Virtual IP) to VIP traffic.

Conditions:
When CMP directed VIP to VIP traffic exists.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes under this condition.


563475-4 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Component: TMOS

Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.

Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.

Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.

Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.

Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.


563474-1 : SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile

Component: Access Policy Manager

Symptoms:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns a zero value for an APM access profile that has been edited but not yet applied, which should instead return a non-zero value.

config # snmpwalk -v2c 127.0.0.1 -c public F5-BIGIP-APM-MIB::apmPmStatConfigSyncState
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState."/Common/my-test-access" = Counter64: 0

Conditions:
The access profile has been edited but not yet applied.

Impact:
SNMP users cannot discriminate the status of an APM access profile: applied or not applied.

Workaround:
None available.

Fix:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState now returns the correct non-zero value.


563443-1 : WebSSO plugin core dumps under very rare conditions.

Component: Access Policy Manager

Symptoms:
WebSSO plugin core dumps under very rare conditions.

Conditions:
This occurs rarely when the WebSSO plugin is enabled.

Impact:
WebSSO plugin core dumps.

Workaround:
None.

Fix:
This release fixes a rare core dump related to the Websso plugin.


563419-6 : IPv6 packets containing extended trailer are dropped

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets are dropped

Conditions:
IPv6 packet contains trailing bytes after payload

Impact:
Packet loss

Fix:
IPv6 packets that exceed the size of the 'Payload Length' header will be trimmed and processed instead of being dropped.


563154-1 : Multiple Linux Kernel vulnerabilities

Vulnerability Solution Article: SOL31026324 SOL94105604 SOL90230486


563112-1 : Adding/removing a SPDY profile can affect virtual reachability

Component: Local Traffic Manager

Symptoms:
Virtual Server is not reachable or reachable on unexpected addresses

Conditions:
SPDY profile has been added or removed

Impact:
Traffic passing failures on the affected virtual server

Fix:
Interfaces associated with a virtual server are preserved when updating its profiles.


563089 : CVE-2015-8611

Vulnerability Solution Article: SOL05272632


562775-1 : Memory leak in iprepd

Component: Application Security Manager

Symptoms:
The IP reputation daemon (iprepd) has a small leak of approximately 8 to 16 bytes every 5 minutes.

Conditions:
This occurs when the BIG-IP box is licensed with IPI Subscription, and iprepd is running.

Impact:
Memory usage increases slowly until the kernel's out-of-memory killer terminates the iprepd process.

Workaround:
None.

Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).


562566-1 : High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems

Component: Local Traffic Manager

Symptoms:
Prior to expiration, the age of persistence entries is reset back to 0, thus retaining the persistence entries forever.

Conditions:
Persistence mirroring is configured on a multi-blade system, a configured High Availability peer is present, and a flap occurs on the High Availability connection between active and standby systems.

Impact:
Retention of persistence entries leads to eventual low memory conditions, performance degradation, and traffic outage or restarting of some daemons.

Workaround:
No reasonable workaround exists.

One partial workaround is to clear the persistence table, which does reclaim the leaked memory.

Fix:
Persistence entries are no longer retained beyond their expiration.


562189-1 : The "installation complete" progress will proceed to about 96% and then appear to hang for 10+ minutes

Component: Application Security Manager

Symptoms:
The installation completion progress will proceed to about 96% and then appear to hang for 10+ minutes

Conditions:
ASM provisioned
Upgrade to a newer version
for example, 11.6.x -> 12.0.x

Impact:
The installation completion progress will proceed to about 96% and then appear to hang for 10+ minutes

Workaround:
none

Fix:
We have fixed the installation portion of the upgrade process (the part that runs before rebooting to the newly installed version) so that it no longer takes so long.


562122-2 : Adding a trunk might disable vCMP guest

Component: TMOS

Symptoms:
If a vCMP guest is running when a trunk is added, the guest might fail until vCMP is restarted.

Conditions:
-- vCMP guest running
-- Trunk added.

Impact:
Guest failure. vCMP restart required.

Workaround:
Restart vCMP.

Fix:
Adding a trunk no longer disables vCMP guests.


562044-3 : Statistics slow_merge option does not work

Component: TMOS

Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge' then the merging of statistics stops working. This causes statistics to no longer appear to be updated.

Conditions:
The DB variable 'merged.method' is set to 'slow_merge'.

Impact:
Statistics no longer appear to be updated.

Workaround:
Use fast_merge.

Fix:
Statistics are now updated as expected when the statistics DB variable option 'merged.method' is set to 'slow_merge'.


561859-1 : Occasional Rapid Response Crash

Component: Local Traffic Manager

Symptoms:
DNS Rapid Response can occasionally crash.

Conditions:
Running UDP listener with Rapid Response enabled in DNS profile and a default action of Drop.

Impact:
TMM crashes

Workaround:
Change default action to Allow, at the risk of slowdown.

Fix:
Dropped packets no longer cause an occasional crash.


561798-2 : Windows edge client may show scripting error on certain 3rd party authentication sites

Component: Access Policy Manager

Symptoms:
User sees JavaScript error on third party IDP sites.

Conditions:
Windows Edge client is used
Access policy requires user to authenticate on a third party site

Impact:
Usability of Edge Client

Fix:
Edge Client now runs embedded browser in Internet Explorer 10 emulation mode, which has support for modern JavaScript.


560969-1 : OpenSSL vulnerability fix

Vulnerability Solution Article: SOL55540723


560962-1 : OpenSSL Vulnerability CVE-2015-3196

Vulnerability Solution Article: SOL55540723


560948-1 : OpenSSL vulnerability CVE-2015-3195

Vulnerability Solution Article: SOL12824341


560925-1 : OpenSSL Vulnerability fix

Vulnerability Solution Article: SOL86772626


560910-1 : OpenSSL Vulnerability fix

Vulnerability Solution Article: SOL86772626


560765-1 : ASM REST: "kind" for collections is incorrect

Component: Application Security Manager

Symptoms:
In versions 11.5.x and 11.6.x when querying a collection, the kind of the collection would be returned as "kind": "x:x:xcollectionstate" and the items in the collection had "kind": "x:x:xstate"

Version 12.0 introduced a regression and the collection and the items within it are all returned in the form of "x:x:xstate"

This may cause an issue for a REST client that expected specific "kind" results for collections and items.

Conditions:
ASM REST is used to query collections and the client is concerned about the "kind" returned for the collection

Impact:
A 3rd party REST Client may stop working correctly

Workaround:
A REST Client that performs logic based on the "kind" of the collection would need to be modified to accept either form and recognize when it is a collection.

Fix:
REST: The "kind" for a collection is now returned correctly as the collectionstate.


560607-2 : Resource Limitation error when removing predefined policy which has multiple rules

Component: Policy Enforcement Manager

Symptoms:
Resource Limitation error when removing a predefined policy which has multiple rules referring to the same rating group.

Conditions:
- Gx and Gy are configured for the session
- All rules refer to the same rating group

Impact:
Unable to remove an existing policy

Workaround:
none

Fix:
Policies can be removed and updated regardless of rules or rating group limitations.


560510-7 : Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down.

Component: TMOS

Symptoms:
When MCPD is not in the running state, dhclient directly writes domain-name-server information into /etc/resolv.conf. If multiple domain-name-servers are given by the DHCP server, they are written in an incorrect format: all servers comma-separated on a single line. Each domain-name-server entry should instead be written on its own line with the "nameserver" prefix.

Conditions:
- MCPD is not in the running state.
- DHCP is enabled.
- DHCP server has provided multiple domain-name-server entries in the lease.

Impact:
Domain name resolution doesn't work.

Workaround:
Bring up MCPD, which writes resolv.conf in the correct format. Alternatively, the user can manually edit /etc/resolv.conf to list one nameserver entry per line.

Fix:
DHCP will now write a single nameserver per line in /etc/resolv.conf when multiple nameservers are configured in DHCP.
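An added Python example, not dhclient or BIG-IP code, of the correct rendering described above: the comma-separated server list from the DHCP option is split into one nameserver line per address, each value is validated as an IP address before it reaches the resolver config, and a checker flags the malformed single-line form. The option values are constructed samples.

```python
import ipaddress
from typing import Iterable, List


def parse_dhcp_name_servers(option_value: str) -> List[str]:
    """Split a dhclient domain-name-servers value such as '10.0.0.1, 10.0.0.2;'."""
    servers: List[str] = []
    for token in option_value.rstrip(";").split(","):
        token = token.strip()
        if not token:
            continue
        # Reject anything that is not an IP literal; never write untrusted text into resolv.conf.
        ipaddress.ip_address(token)
        servers.append(token)
    return servers


def render_resolv_conf(name_servers: Iterable[str], search_domains: Iterable[str] = ()) -> str:
    """Render resolv.conf with exactly one 'nameserver' entry per line."""
    lines: List[str] = []
    domains = list(search_domains)
    if domains:
        lines.append("search " + " ".join(domains))
    for ns in name_servers:
        lines.append(f"nameserver {ns}")
    return "\n".join(lines) + "\n"


def malformed_nameserver_lines(resolv_conf: str) -> List[str]:
    """Return nameserver lines carrying more than one address (the bug described above)."""
    bad: List[str] = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if fields and fields[0] == "nameserver" and ("," in line or len(fields) != 2):
            bad.append(line)
    return bad


if __name__ == "__main__":
    lease_value = "10.0.0.1, 10.0.0.2;"  # constructed sample of a DHCP option value
    good = render_resolv_conf(parse_dhcp_name_servers(lease_value), ["example.test"])
    print(good, end="")
    print("malformed:", malformed_nameserver_lines("nameserver 10.0.0.1,10.0.0.2\n"))
```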


560423-3 : VxLAN tunnel IP address modification is not supported

Component: TMOS

Symptoms:
VxLAN tunnel local and remote tunnel IP address change is not supported.

Conditions:
If a user tries to change the local and/or remote tunnel IP address, the configuration handler will fail the configuration change.

Impact:
The user must delete and recreate the VxLAN tunnel in order to change the tunnel local and/or remote address. Tunnel deletion also requires removing references to the tunnel, for example the tunnel self IP address and routes pointing to the tunnel, before the tunnel can be deleted. Those self IP addresses and routes must be re-added after recreating the tunnel with changed IP address parameters. This can be error-prone, especially if the number of tunnels is extremely large.

Workaround:
Delete existing VxLAN tunnel, and add a new tunnel with the modified tunnel IP address parameters.

Fix:
Modifying VxLAN tunnel IP addresses now works. Only tunnels that have been created with a multicast flooding type and have a multicast remote IP address are supported.


560405-7 : Optional target IP address and port in the 'virtual' iRule API is not supported.

Component: Local Traffic Manager

Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to another virtual server (or remote endpoint). Such an operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.

Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.

Impact:
Cannot implement HTTP Forward Proxy plus Transparent redirection to Web-Cache Pool.

Workaround:
None.

Behavior Change:
The 'virtual' iRule API has been changed to support a secondary target IP address and port to redirect the connection to, from a given virtual server. The new signature of the 'virtual' iRule API is:

virtual [<name>] [<ipaddr> [<port>]]

where:

-- <name> = the name of the virtual server to redirect the connection from.
-- <ipaddr> = the target IP address of the remote endpoint to route the connection to, through the specified virtual server; <ipaddr> can also have a route-domain (%).
-- <port> = the port of the remote endpoint to route the connection to, through the specified virtual server.


560231-1 : Pipelined requests may result in a RST if the server disconnects

Component: Local Traffic Manager

Symptoms:
If an HTTP client sends multiple pipelined requests before a full response is received, the HTTP filter will buffer them, and send them one at a time to the server.

If the server ends the connection via a "Connection: Close" header, the HTTP filter will ignore this, and continue to send the next buffered request.

If the server then sends a FIN packet while that buffered request is in progress, the HTTP filter will send a RST packet to the client.

Conditions:
Multiple concurrent pipelined HTTP requests, and a back-end server that closes a connection while some requests are still buffered.

Oneconnect is not used.

Impact:
The client will receive a RST instead of a FIN packet.

Workaround:
There are two workarounds.
1) Enable OneConnect.
2) Via iRule: if a "Connection: close" header exists in the HTTP_RESPONSE event, then HTTP::close may be used to cleanly shut the connection down.

Fix:
The HTTP filter will no longer cause a RST packet to be sent instead of a FIN packet if a back-end server closes a connection while pipelined requests are buffered.


560180-1 : BIND Vulnerability CVE-2015-8000

Vulnerability Solution Article: SOL34250741


559975-6 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth

Component: Global Traffic Manager

Symptoms:
HTTP basic authentication uses a base64 encoded string. When an HTTP monitor username or password is changed, the b64 string is regenerated and may become malformed.

Conditions:
When an HTTP monitor username or password is changed, e.g. shortened, the HTTP basic auth string may be mangled.

Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.

Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.

Fix:
HTTP monitors will now correctly handle a username or password change.


559939-1 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline

Component: TMOS

Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.

Conditions:
This affects only multi-blade chassis systems in Standalone mode.

Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.

Workaround:
To change the hostname on the VIPRION, use the tmsh command:
'modify sys global-settings hostname new-host-name'.

Fix:
Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.


559554-1 : CHD congestion control can have erroneous very large cwnd.

Component: Local Traffic Manager

Symptoms:
At times, CHD congestion control can store a very large congestion window, resulting in release of data well beyond that warranted by network conditions.

Conditions:
The client advertises a receive window less than 1 MSS, and CHD tries to decrease the window.

Impact:
Possible network congestion.

Workaround:
Change the congestion control algorithm from CHD to another algorithm.

Fix:
This fix checks the bounds on the congestion window when CHD congestion control is enabled.


559377 : Empty cookie values in the Set-Cookie/Set-Cookie2 header yield iRule cookie parsing errors

Component: Local Traffic Manager

Symptoms:
An empty value in the first cookie-pair (cookie-name and cookie-value) of the 'Set-Cookie' (or 'Set-Cookie2') HTTP response header produces cookie-parsing errors in server-side iRules using the HTTP::cookie API.

For example, the following server-side HTTP response yields an empty cookie 'expires' attribute from the [HTTP::cookie expires $myCookie] iRule API:

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Length: 0
Set-Cookie: myCookie=; expires=Mon, 11-Oct-1999 22:00:00 GMT; path=/

Conditions:
Server-side iRule using the HTTP::cookie API for parsing cookie attributes for an HTTP response featuring an empty value in the first cookie-pair (cookie-name and cookie-value) of the 'Set-Cookie' (or 'Set-Cookie2') HTTP header.

Impact:
Erroneous cookie-parsing in server-side iRules using the HTTP::cookie API, when the HTTP response has an empty value in the first cookie-pair (cookie-name and cookie-value) of the 'Set-Cookie' (or 'Set-Cookie2') HTTP header.

Workaround:
There is no workaround at this time.

Fix:
This release fixes cookie parsing for empty cookie pair values so there are no iRule cookie parsing errors.


559334 : Network Access fails on Windows platform

Component: Access Policy Manager

Symptoms:
Network Access fails on Windows platform when a Java AppTunnel resource has been assigned in Access Policy.

Conditions:
Windows clients connecting through Network Access VPN, and Java AppTunnel configured with the local-ip setting.

Impact:
Network Access fails on Windows platform, with the error message "Internal Error".

Fix:
Network Access works as expected on the Windows platform even when a Java AppTunnel resource has been assigned.


559138-1 : Linux CLI VPN client fails to establish VPN connection on Ubuntu

Component: Access Policy Manager

Symptoms:
Linux client is unable to establish a VPN connection. An error is displayed which says that server certificate verification has failed.

Conditions:
CLI client used on Ubuntu to establish VPN connection.

Impact:
User cannot connect to VPN.

Workaround:
Use web client.

Fix:
Fixed bug in certificate verification code.


558870-1 : Protected workspace does not work correctly with third party products

Component: Access Policy Manager

Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on the user's machine.
2) Microsoft OneDrive does not work correctly inside protected workspace.

Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.

Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.

Workaround:
There is no workaround.

Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.


558642-2 : Cannot create the same navigation parameter in two different policies

Component: Application Security Manager

Symptoms:
Cannot create the same navigation parameter in two different policies. A validation issue blocks the user from adding a navigation parameter that is already defined in a different security policy.

Conditions:
This occurs after adding navigation parameter X to one policy, and then attempting to add the same parameter to another policy.

Impact:
Cannot add navigation parameter X to another policy after adding it to the first policy.

Workaround:
None.

Fix:
The system now supports adding the same navigation parameter to different security policies.


558631-1 : APM Network Access VPN feature may leak memory

Component: Access Policy Manager

Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.

Conditions:
The APM Network Access feature is configured and VPN connections are being established.

Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.

Workaround:
No workaround short of not using the APM Network Access feature.

Fix:
The APM Network Access VPN feature no longer leaks memory.


558612-1 : System may fail when syncookie mode is activated

Component: Local Traffic Manager

Symptoms:
TMM may core when syncookie mode has been activated under extreme memory pressure.

Conditions:
L7 VIP with certain TCP profile attributes enabled.
Syncookies have been activated.
System under memory pressure due to heavy load.

Impact:
tmm may core.

Workaround:
Use the default TCP profile for all L7 VIPs.

Fix:
The BIG-IP will not encounter a system failure when syncookie mode has been activated.


558573-1 : MCPD restart on secondary blade after updating Pool via GUI

Component: TMOS

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.

When this occurs, errors similar to the following will be logged from the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Impact:
Daemon restarts, disruption of traffic passing on secondary blades.

Workaround:
Perform pool updates via the tmsh command-line utility.

Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.


558517-1 : Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.

Component: Local Traffic Manager

Symptoms:
Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.

After upgrading, the bigip.conf still has the old #TMSH-VERSION header. This is intended behavior in 12.1.0, so it is not a bug; the configuration is still loaded in memory properly. The TMSH-VERSION string will be updated the next time a save sys config command is issued.

Conditions:
This occurs only when upgrading BIG-IP software in the following situations:
-- From 11.6.0 base version, or from 11.6.0 HF1 through 11.6.0 HF5 (or any engHF built on these versions) to final 11.6.0 HF6.
-- From 11.5.3 base version, or from 11.5.3 HF1 or 11.5.3 HF2 (or any engHF for these versions) to 11.5.3 HF2 engHF2 or 11.5.3 HF2 engHF45.

Impact:
Monitor send/recv strings contain extra escape characters, for example: \\r, \\n etc. After the upgrade, the monitors containing escaped characters will fail.

Workaround:
Manually, or by script, remove the additional escaping within the send/recv strings.

Fix:
The system no longer appends extra escape characters to monitor send/receive strings after upgrading.


557675-2 : Failover from PEM to PCRF can cause session lookup inconsistency

Component: Policy Enforcement Manager

Symptoms:
A small number of PEM sessions can be looked up only by their session-ip, but not by their subscriber-id.

Conditions:
Using PEM, failover to PCRF.

Impact:
Fails to find sessions needed for traffic processing.

Workaround:
None.

Fix:
The code change provides an internal fixup for incorrect sessions.


557648-2 : AWS pool autoscale functionality does not work

Component: TMOS

Symptoms:
Listing Virtual Edition (VE) pool members on an autoscaled pool does not show members being added or removed. Messages similar to the ones below are seen in /var/log/ltm:
notice admin: ./aws-autoscale-pool-manager.sh : Starting.
notice admin: ./aws-autoscale-pool-manager.sh : Using region us-west-2
notice admin: ./aws-autoscale-pool-manager.sh : Using AutoScaling Url http://autoscaling.us-west-2.amazonaws.com
notice logger: ./aws-autoscale-pool-manager.sh : Updating pool : pool1 with instances from Auto Scale Group :
err logger: ./aws-autoscale-pool-manager.sh : Failed to describe instance i-5556b78f
err logger: ./aws-autoscale-pool-manager.sh : Aborting

Conditions:
1. Boot up a VE instance on AWS using the BYOL marketplace image version 12.0.0.0.2.606.
2. Create autoscale group on AWS based on load requirements.
3. Configure pool autoscaling on VE (i.e., configure autoscale iApp, iCall, etc.).

Impact:
Pool members are no longer automatically added or removed on a VE pool configured to use autoscale.

Workaround:
Create the following symlink in /opt/aws/:
ln -s ec2-api-tools-1.7.5.1 ec2-api-tools-1.6.13.0

Fix:
The Amazon EC2 web service tools are now included from the latest version of the toolset, which includes support for AWS pool autoscale functionality.


557645-4 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Component: Local Traffic Manager

Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.

Multiple devices in an HA configuration.

TMM incorrectly identifies which TMM should handle host connections from an HA peer.

The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.

Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.


557556-1 : First log message is not sent to remote logger

Component: Application Security Manager

Symptoms:
The first log message is not sent.

Conditions:
A remote logger is connected. A traffic request that should get logged is going through the system.

Impact:
The request does not get logged, so the customer may miss that data.

Workaround:
N/A

Fix:
Now the first log message gets logged to a remote logger.


557484 : Setting the cookie expiration to 0 seconds with the 'HTTP::cookie expires' server-side iRule API fails

Component: Local Traffic Manager

Symptoms:
When the cookie expiration time is set to 0 (zero) using a server-side iRule, with the 'HTTP::cookie expires 0 [ relative | absolute ]' iRule API, the invocation fails, yielding the following error log in /var/log/ltm:

TCL error: /Common/test-irule <HTTP_RESPONSE> - Illegal argument. Internal error - NULL argument (line 1) invoked from within 'HTTP::cookie expires <cookie-name> '0' absolute'.

Conditions:
Using server-side iRule (e.g., HTTP_RESPONSE) with 'HTTP::cookie expires 0'.

Impact:
On the client-side, the corresponding cookie entry has no expiration attribute.

Workaround:
To configure a cookie expiration value of 0, calculate the corresponding time-stamp and then use the following API to set the cookie expiration:

HTTP::cookie attribute <name> value "expires" <time-stamp>.

For example, to set cookie expiration to 0, specify the current time-stamp (for relative) or the absolute time-stamp corresponding to 0, which is 'Thu, 01-Jan-1970 00:00:00 GMT'.

Fix:
The system now supports cookie parsing to set cookie 'expires' attribute to 0 (for example, through the 'HTTP::cookie expires' iRule API).
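The two cookie cases above (559377, an empty value in the first cookie-pair, and 557484, setting 'expires' to 0 via a computed time-stamp) can be exercised with the following added example. It is not F5 iRule code; the parser, the attribute setter and the time-stamp formatter are written for this page, and the sample header is the one constructed from the 559377 symptoms.

```python
"""Added example (not F5 code): parse and re-serialize a Set-Cookie header,
keeping attributes intact when the cookie value is empty (559377) and
producing the time-stamp the 557484 workaround asks for."""
from datetime import datetime, timedelta, timezone

# Date layout shown in the 557484 workaround ('Thu, 01-Jan-1970 00:00:00 GMT')
COOKIE_DATE = "%a, %d-%b-%Y %H:%M:%S GMT"


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; attr=val; flag' into name, value and attributes.
    The first pair is the cookie itself; its value may be empty, e.g. when a
    server clears a cookie by setting an expiry in the past."""
    parts = [p.strip() for p in header_value.split(";")]
    if not parts or "=" not in parts[0]:
        raise ValueError("first cookie-pair must be name=value")
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attributes": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # attribute names are case-insensitive; flags such as Secure have no value
        cookie["attributes"][key.strip().lower()] = val.strip() if sep else True
    return cookie


def expires_timestamp(seconds: int, relative: bool, now: datetime = None) -> str:
    """Time-stamp for an 'expires' attribute. relative: seconds from now;
    absolute: seconds since the Unix epoch, so 0 is the 1970 epoch date."""
    base = (now or datetime.now(timezone.utc)) if relative \
        else datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (base + timedelta(seconds=seconds)).strftime(COOKIE_DATE)


def set_attribute(cookie: dict, key: str, value) -> str:
    """Set or replace one attribute and return the serialized header value."""
    cookie["attributes"][key.lower()] = value
    out = [f"{cookie['name']}={cookie['value']}"]
    for k, v in cookie["attributes"].items():
        out.append(k if v is True else f"{k}={v}")
    return "; ".join(out)


# Constructed sample: the Set-Cookie line from the 559377 symptoms.
SAMPLE = "myCookie=; expires=Mon, 11-Oct-1999 22:00:00 GMT; path=/"

if __name__ == "__main__":
    c = parse_set_cookie(SAMPLE)
    print(c)                                  # value is '' but expires survives
    print(set_attribute(c, "expires", expires_timestamp(0, relative=False)))
```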


557399-1 : Browser could become unresponsive when page with specific script constructions is accessed through Portal Access

Component: Access Policy Manager

Symptoms:
If user application code has an object with a toString() method and property names similar to those of the JavaScript built-in Location interface, our rewriting may cause an infinite loop while processing such an object.

Conditions:
APM with Portal Access configured.

Impact:
Browser hangs or crashes when trying to access page through Portal Access.

Workaround:
None

Fix:
Resolved an issue in Portal Access where certain user-defined JavaScript objects could cause a loop in the F5 helper code and make the browser unresponsive.


557281-1 : The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%

Component: TMOS

Symptoms:
audit_forwarder and mcpd consume almost 100% CPU. When syslog-ng restarts it will start another audit_forwarder process, but it is the orphaned audit_forwarder process that will consume almost 100% CPU. When syslog-ng is restarted and audit_forwarder does not exit cleanly, the mcpd process will also begin consuming high CPU.

Conditions:
syslog-ng is stopped manually or, sometimes (rarely), during a normal restart of syslog-ng.

Impact:
The audit_forwarder and mcpd processes consume excessive CPU.

Workaround:
Stop audit_forwarder manually (kill -9); once the orphaned audit_forwarder process is stopped, mcpd returns to normal CPU consumption.

Fix:
When syslog-ng is stopped manually (or when expected), audit_forwarder also exits, so the audit_forwarder process no longer consumes increasing CPU.


557273 : Idle Timeout configuration through timer policy does not apply for Performance L4 Virtual Server with Fast L4 profile

Component: Advanced Firewall Manager

Symptoms:
The idle-timeout configured through a Timer Policy is not applied to a flow.

Conditions:
This happens specifically only for flows handled by a Forwarding Virtual Server, with Fast L4 Profile. For other types of Virtual Server and other profiles, the idle-timeout gets applied correctly.

Impact:
The timer policy configuration is ignored. The default profile idle timers will be used instead.

Fix:
Timer Policy idle-timeout values are now honored for Performance L4 Virtual Servers with Fast L4 profiles.


557059-1 : When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang

Component: TMOS

Symptoms:
A POST request to a virtual will time out and will not immediately return a response. After the timeout occurs, an HTTP 400 response status is returned.

Conditions:
This issue is encountered when sending a POST request to a virtual server that is configured with an Anti-Fraud Profile and a Web Acceleration profile.

Impact:
The request times out and 400 HTTP response status is returned. The application will break.

Fix:
POST requests no longer time out when sent to a virtual server that has an Anti-Fraud Profile and a Web Acceleration profile.


556774-3 : EdgeClient cannot connect through captive portal

Component: Access Policy Manager

Symptoms:
EdgeClient cannot connect through captive portal.

Conditions:
1) Install EdgeClient on a PC that connects to the APM through a captive portal.
2) Launch EdgeClient and try to connect to the APM.
3) System posts certificate warnings. Accept them.
4) Captive portal is not shown to the user.
5) EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.

Impact:
No captive portal is displayed to the user. The EdgeClient UI just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.

Workaround:
None.

Fix:
The captive portal now opens as expected when EdgeClient is installed on a PC that connects to the APM through a captive portal.


556597-1 : CertHelper may crash when performing Machine Cert Inspection

Component: Access Policy Manager

Symptoms:
CertHelper may crash while checking a machine certificate.

Conditions:
APM installed

Impact:
Authentication may fail.

Fix:
Fixed crash cause in CertHelper.


556560-3 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.

Component: Local Traffic Manager

Symptoms:
DNS messages which contain an OPT record followed by more than one record in the additional section will become malformed when they pass through a virtual with an assigned DNS profile.

Conditions:
A DNS message contains an OPT record in the Additional section, the message is compressed, and more than one record follows the OPT record.

Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message.

The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last.

The RFCs do not restrict a query from containing records in the additional record section of the message.

When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.

Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).

Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted.

The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers.

The subsequent code paths which depend on the OPT record's position now work as expected.
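To make the trigger condition above concrete, the following added example (not F5 code) parses a DNS wire-format message, walks the additional section, and reports whether an OPT record is followed by more than one record whose compressed owner names point back into that span, whether a TSIG record is last, and whether the fix's reordering would apply. The two sample messages are constructed here: the same query with OPT first (the layout that was mangled) and with OPT last (the layout the workaround produces).

```python
"""Added example (not F5 code): flag the additional-section layout that
556560-3 describes, i.e. an OPT record followed by more than one record
whose compression pointers target records that also follow the OPT."""
import struct

TYPE_A, TYPE_OPT, TYPE_TSIG = 1, 41, 250


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name. Returns (name, offset just after
    the name in the stream, target of its first compression pointer or None)."""
    labels, end, target, hops = [], None, None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if end is None:
                end, target = off + 2, ptr
            hops += 1
            if hops > 64:                           # refuse pointer loops
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off), target


def parse_additional(msg: bytes):
    """Skip header, question, answer and authority; return one dict per
    additional-section record: owner name, type, offset and pointer target."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off, _ = read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    records = []
    for section, count in enumerate((an, ns, ar)):
        for _ in range(count):
            start = off
            name, off, target = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if section == 2:                        # additional section
                records.append({"owner": name, "type": rtype,
                                "offset": start, "target": target})
    if off != len(msg):
        raise ValueError("trailing bytes after last record")
    return records


def check_additional(msg: bytes) -> dict:
    """Classify the additional section against the placement rules quoted in
    556560-3 and against its trigger condition."""
    recs = parse_additional(msg)
    types = [r["type"] for r in recs]
    out = {"types": types, "tsig_last": True, "records_after_opt": 0,
           "needs_reorder": False, "triggers_556560": False}
    if TYPE_TSIG in types:                          # TSIG must always be last
        out["tsig_last"] = types.count(TYPE_TSIG) == 1 and types[-1] == TYPE_TSIG
    if TYPE_OPT in types:
        after = recs[types.index(TYPE_OPT) + 1:]
        out["records_after_opt"] = len(after)
        # the fix relocates OPT whenever a non-TSIG record follows it
        out["needs_reorder"] = any(r["type"] != TYPE_TSIG for r in after)
        # mangling needed >1 record after OPT with pointers into that span
        span_start = after[0]["offset"] if after else None
        inward = any(r["target"] is not None and r["target"] >= span_start
                     for r in after)
        out["triggers_556560"] = len(after) > 1 and inward
    return out


def _rr(owner: bytes, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def _ptr(offset: int) -> bytes:
    return struct.pack("!H", 0xC000 | offset)


def build_sample(opt_first: bool) -> bytes:
    """Constructed sample query for example.com/A with an OPT record and two
    A records in the additional section; owner names use compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 3)
    msg = header + b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)
    opt = _rr(b"\x00", TYPE_OPT, 4096, 0, b"")     # OPT class = UDP size
    if opt_first:
        msg += opt
    first = len(msg)
    # "www.example.com." = label "www" plus a pointer to the QNAME at offset 12
    msg += _rr(b"\x03www" + _ptr(12), TYPE_A, 1, 60, bytes([192, 0, 2, 1]))
    # the second owner name is a pointer to the first record's owner name
    msg += _rr(_ptr(first), TYPE_A, 1, 60, bytes([192, 0, 2, 2]))
    return msg + (b"" if opt_first else opt)


if __name__ == "__main__":
    print("OPT first:", check_additional(build_sample(True)))
    print("OPT last :", check_additional(build_sample(False)))
```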


556417 : GUI and tmsh Interfaces May be Unresponsive While Loading Huge Firewall Rule Configuration

Component: Advanced Firewall Manager

Symptoms:
Users may face slow response times or in some cases unresponsive interfaces (GUI, tmsh, etc.).

Conditions:
The problem is exacerbated if the system has a large firewall rule configuration. Especially complex configurations that involve rule-lists, address-lists, etc. may cause additional delays or cause unresponsive behavior.

Impact:
All releases until 12.1.0 except all new hotfixes that are currently in the pipeline (01/06/2016)

Workaround:
GUI no longer allows expand all option for rule-lists when the total count of rules exceeds a pre-determined threshold.

Fix:
The data processing mechanism used for displaying firewall rules has been changed for optimization. A new set of GUI optimizations has been implemented.


556357-1 : iRule URLCAT query for URL longer than 256 characters causes crash

Component: Policy Enforcement Manager

Symptoms:
If a URLCAT query originates from an iRule and requires a cloud lookup, it may result in a crash.

Conditions:
iRule URLCAT for very long (greater than 256 characters) URL and the URL is not present in local databases.

Impact:
TMM may crash.

Workaround:
Limit the string length of URL in iRule to a maximum of 256 characters.


556284-1 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found

Component: TMOS

Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following:
Monitor /Common/my_http_monitor parent not found

Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.

Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.

Workaround:
None.

Fix:
GTM/LC sync now completes successfully even when the configuration being synced contains a custom GTM/LC monitor definition.


555686-4 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers

Component: TMOS

Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceivers might cause an internal bus to hang.

Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.

Workaround:
None.

Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.


555549-1 : 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.

Component: Local Traffic Manager

Symptoms:
The command to set the ltm node state to user-down fails to bring the pool member state offline.

Running the command results in error messages similar to the following:
01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 1137

Conditions:
This occurs when running the command to set the ltm node state to user-down, for example: tmsh modify ltm node 10.10.10.10 state user-down.

Impact:
Session status fails to update for pool member.

Workaround:
None.

Fix:
The command to set the ltm node state to user-down now successfully brings pool member state offline.


555507-1 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.

Component: Access Policy Manager

Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.

Conditions:
This occurs when the following conditions are met:

1. The BIG-IP system is configured and used as SAML Identity Provider.
2. Single Logout (SLO) protocol is configured on an attached SP connector.
3. At least one user executed SAML WebSSO profile.

Impact:
Symptoms might differ based on the owner of overrun memory.
Potentially, tmm could restart as a result of this issue.

Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.

Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues:

The BIG-IP system is configured and used as a SAML Identity Provider.
Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector.
At least one user executed SAML webSSO profile.


555457-1 : Reboot is required, but not prompted after F5 Networks components have been uninstalled

Component: Access Policy Manager

Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted.

Typically this issue can be identified by these log records:
<snip>
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
<snip>
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)

Conditions:
Windows desktop.
Existing F5 components uninstalled.
Reboot was not performed after uninstall.

Impact:
End users cannot establish a VPN connection from Windows-based clients.

Workaround:
Reboot the affected Windows desktop.

Fix:
After F5 Networks components have been uninstalled, the system does not require reboot, and uses the latest installed software-device for VPN, as expected.


555369-2 : CGNAT memory leak when non-TCP/UDP traffic directed at public addresses

Component: Carrier-Grade NAT

Symptoms:
When rejecting non-TCP/UDP inbound traffic a small amount of memory is leaked with each packet. Depending on the volume of such traffic this may be a slow or fast leak.

Conditions:
CGNAT configured with inbound connections enabled or hairpinning enabled
Non-TCP/UDP traffic with a destination in the LSN Pool address space

Impact:
TMM might eventually run out of available memory. The aggressive mode sweeper might be triggered, causing connections to be killed. Eventually TMM restarts.

Workaround:
None.

Fix:
This release fixes a memory leak that occurred when rejecting non-TCP/UDP inbound traffic.


555272-1 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade

Component: Access Policy Manager

Symptoms:
Previously, F5 client components were signed using a SHA1 certificate. SHA1 is now considered insecure, and Windows will reject components signed using a SHA1 certificate after March 31st 2016.

To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.

The result of this change is that clients using client components built prior to these versions:

Big-IP 12.0.0HF1 or earlier
Big-IP 11.6.0 HF6 or earlier
Big-IP 11.5.4 (base release) or earlier

cannot install Endpoint Security updates of build 431 or greater.

If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431 you must upgrade to these versions:

Big-IP 12.1.0 or later
Big-IP 12.0.0HF2 or later
Big-IP 11.6.1 or later
Big-IP 11.6.0 HF7
Big-IP 11.5.4 HF1 or later

Conditions:
Running incompatible BIG-IP version with EPSEC build 431 or later.

Impact:
User will see certificate warnings and installation of client component updates may fail. The failure may occur multiple times.

Workaround:
Upgrade BIG-IP to the correct version.

Use the BIG-IP Web GUI's Software Management :: Antivirus Check Check Updates section to install an EPSEC build prior to 431.

Fix:
Updated the signing certificate to a SHA256 certificate. Client components and EPSEC binaries are now signed using the new, higher security certificate. Please note that an upgrade to an HF in which the client is signed using the updated certificate is needed to install updated EPSEC releases. Please review the information carefully.


555184 : BIG-IQ Reporting for Network and Application Firewall does not work with Big-IP 12.0 and 12.0HF1/HF2.

Component: Device Management

Symptoms:
It is not possible to obtain AVR Reports for Network & Application Firewall on a BIG-IQ from BIG-IP systems running versions 12.0.0 or 12.0.0 HF1/HF2.

Conditions:
This occurs when using BIG-IQ to generate reports in Reporting page under Network or Web Application Security from BIG-IP systems running software versions 12.0.0 or 12.0.0 HF1/HF2.

Impact:
AVR Reports do not work.

Workaround:
None.

Fix:
Fixed the communication channel used between BIG-IQ and BIG-IP version 12.0.0 HF3 to create AVR Reports. AVR reports now work as expected.


555057-2 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.

Component: Application Security Manager

Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.

Conditions:
ASM REST is used to remove a signature set association from a policy.

 DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>

Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.

Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets.

Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'

Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.


555020-1 : TCP handshake may fail on layer 7 VIPs in Software syncookiemode

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, the BIG-IP may reset attempts to connect to an L7 VIP when in software syncookie mode.

Conditions:
- L7 VIP with a TCP profile that allows window scaling.
- Software syncookies have been activated.

Impact:
Connection will be reset.

Workaround:
Choose or create a TCP profile that has either one of the following:

- "Timestamps Extension for High Performance (RFC 1323)" option in the TCP profile disabled

- Values higher than 65535 in "Receive Window" and "Send Buffer" fields

Fix:
Connections are no longer reset when connecting to an L7 virtual server on a BIG-IP system in software syncookie mode.


555006-4 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature

Component: Application Security Manager

Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.

Conditions:
A REST client is used to look at or filter the signatures collection (/mgmt/tm/asm/signatures).

Impact:
Checking for updated signatures does not return the expected result.

Workaround:
None.

Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.


554967-1 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets

Component: Local Traffic Manager

Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut off or missing, leading some resolvers to consider the packet malformed.

Conditions:
Primarily via dynamic settings such as iRules on DNS_RESPONSE events adding new records, or DNSSEC record signing, with responses over UDP.

Impact:
Some resolvers regard OPT-less truncated packets as malformed and do not retry via TCP or with a larger EDNS0 UDP limit.

Workaround:
None.

Fix:
Truncated DNSSEC or iRule DNS packets are RFC-compliant.
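The check a resolver operator or tester would run against a DNS listener after applying this fix, added here as an example and not part of the original release note: it parses a UDP DNS response, reads the TC flag, walks the additional section for an OPT (type 41) record, and flags the combination strict resolvers treat as malformed, namely truncated but without OPT. The two sample responses are constructed by the code itself; no captured BIG-IP traffic is used.

```python
import struct

TYPE_OPT = 41       # EDNS0 OPT pseudo-RR type
FLAG_TC = 0x0200    # Truncated bit in the DNS header flags


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _skip_rr(pkt, off):
    """Return (rtype, offset past this resource record)."""
    off = _skip_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
    return rtype, off + 10 + rdlen


def inspect_response(pkt):
    """Return (tc_set, has_opt) for a raw DNS response packet."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):
        _, off = _skip_rr(pkt, off)
    has_opt = False
    for _ in range(ar):
        rtype, off = _skip_rr(pkt, off)
        if rtype == TYPE_OPT:
            has_opt = True
    return bool(flags & FLAG_TC), has_opt


def truncated_without_opt(pkt):
    """True when the response says TC=1 but the OPT record was cut off: the bug's symptom."""
    tc, has_opt = inspect_response(pkt)
    return tc and not has_opt


def _name(dotted):
    return b"".join(bytes([len(label)]) + label.encode() for label in dotted.split(".")) + b"\x00"


def build_response(tc, with_opt, udp_size=512):
    """Constructed minimal response to 'example.com A' (not captured traffic)."""
    flags = 0x8180 | (FLAG_TC if tc else 0)  # QR, RD, RA (+ TC)
    pkt = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 1 if with_opt else 0)
    pkt += _name("example.com") + struct.pack("!HH", 1, 1)  # question: A, IN
    pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # answer
    if with_opt:
        # OPT: root name, type 41, class = requestor's UDP payload size, no rdata
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return pkt


if __name__ == "__main__":
    for tc, opt in ((True, False), (True, True), (False, True)):
        pkt = build_response(tc, opt)
        print(f"TC={tc} OPT={opt}: malformed-to-strict-resolvers={truncated_without_opt(pkt)}")
```

Point inspect_response at real responses (for example, the bytes read from a UDP socket after sending a query with a deliberately small EDNS0 buffer size) to verify that a listener keeps the OPT record whenever it sets TC.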


554936-1 : Unable to remove peer address of BIG-IP DNS redundant server object

Component: Global Traffic Manager (DNS)

Symptoms:
Attempting to remove the peer address from a server object in the GUI has no effect.

Conditions:
BIG-IP DNS redundant server object is configured under DNS :: GSLB : Servers : Server List :: Properties : server_name.

Impact:
Cannot use the GUI to delete peer addresses in BIG-IP DNS redundant server objects.

Workaround:
Use TMSH.

Fix:
You can now use the GUI to delete peer addresses in BIG-IP DNS redundant server objects.


554899-1 : MCPD core with access policy macro during config sync in HA configuration

Component: Access Policy Manager

Symptoms:
In high availability config sync, the destination mcpd might crash if the user does the following steps:
1. Manually edit the bigip.conf file on the source to move an access policy item (my-ap-1_mac_mymac1) that calls a macro from the original access policy (my-ap-1) to another access policy (my-ap-2);
2. Load the modified config into running config;
3. Delete the original access policy (my-ap-1) before manually starting the config sync.

The modified source configuration is sent to the destination during the manual incremental config sync, resulting in destination mcpd logging an error message:

err mcpd[5441]: 01020036:3: The requested access_policy_name (/Common/my-ap-1) was not found.

Immediately following the error message, the destination mcpd will crash and generate a core file.

Conditions:
Config sync is manual incremental, and the user manually edits /config/bigip.conf to modify the source configuration such that an access policy item with a macro call is moved from the original access policy to another access policy, and then the original access policy is deleted, all before the manual config sync is started.

Impact:
During config sync, the destination BIG-IP system's mcpd crashes and restarts.

Workaround:
After moving the access policy item with a macro call from the original access policy to another access policy and loading the modified configuration into the running configuration on the source, do not delete the original access policy. Instead, start the config sync right away.

After this first config sync is successful, delete the original access policy at the source, and then start the second config sync to finish the operation.

Fix:
MCPD no longer cores with access policy macro during config sync in high availability configuration.


554769-2 : CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.

Component: Local Traffic Manager

Symptoms:
TMM might crash if CONNFLOW_FLAG_L7_POLICY is not set in the connection flow flags, but the system still tries to call Centralized Policy Matching (CPM).

Conditions:
This occurs when TCLRULE_HTTP_RESPONSE is triggered from the server-side, if the server-side does not process the policy, and the connection flow flags do not have CONNFLOW_FLAG_L7_POLICY set.

Impact:
TMM/(CPM Module) might crash.

Workaround:
None.

Fix:
The system now adds the flag check of CONNFLOW_FLAG_L7_POLICY if it is not already set, so there is no crash in TMM or Centralized Policy Matching (CPM).


554761-6 : Unexpected handling of TCP timestamps under syncookie protection.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system experiences intermittent packet drops.

Despite being negotiated during TCP handshake, the BIG-IP system fails to present timestamp option in subsequent segments.

The BIG-IP system calculates invalid round trip time immediately after handshake, which might result in delayed retransmissions.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.

- The syncookie mode has been activated.

- Clients that support timestamps.

Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.

Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Workaround:
Choose or create a TCP profile that has timestamps disabled.

Fix:
TCP Timestamps are now maintained on all negotiated flows.


554690-2 : VPN Server Module generates repeated Error Log "iface eth0 "... every 2 secs

Component: Access Policy Manager

Symptoms:
Chatty log messages are seen in the svpn.log file.

Conditions:
Establish a tunnel server and check the svpn.log file (VPN server module) to see the verbose logs.

Impact:
Verbose logging has a general CPU and disk-write impact.

Fix:
VPN Server Module doesn't generate repeated Error Log "iface eth0 (4)" every 2 secs


554624-3 : NTP CVE-2015-5300 CVE-2015-7704

Vulnerability Solution Article: SOL10600056 SOL17566


554609-1 : Kernel panics during boot when RAM spans multiple NUMA nodes.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) crashes in the kernel during early boot.

Conditions:
This occurs when the following conditions are met:
* VE is running on Hyper-V.
* VE RAM is configured in such a way that it spans multiple NUMA nodes.

Impact:
Kernel panic during boot.

Workaround:
No workaround.

Fix:
The kernel now properly aligns memory on multiple NUMA nodes, so there is no kernel panic during boot.


554593-1 : SSL might report a memory leak in a specific configuration.

Component: Local Traffic Manager

Symptoms:
In the output of 'tmsh show sys memory', the 'ssl' and 'work' memory usage grows and is never seen to be freed.

Conditions:
SSL leaks memory when the peer sends a certificate chain (Root-Intermediate-Leaf) but the BIG-IP system's SSL configuration has only the Root certificate configured as a trusted CA.

Impact:
The memory usage grows, and the system might eventually be out of memory.

Workaround:
To work around this, configure SSL to trust all 'intermediate CAs' and 'root CA' certs, not just 'root CA' certs.

Fix:
This release fixes the SSL memory leak that occurred when the peer sent a certificate chain (Root-Intermediate-Leaf) but the BIG-IP system's SSL configuration has only Root certificate configured as a trusted CA.


554563-4 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.

Component: TMOS

Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.

Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.

Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.

Workaround:
None.

Fix:
The Drops In interface statistic no longer includes Class of Service Queues (cosq) egress drop counts, which is correct behavior.


554295-2 : CMP disabled flows are not properly mirrored

Component: Local Traffic Manager

Symptoms:
A client connection to a virtual server configured for 'cmp-enabled no' and 'mirror enabled' will be dropped if the standby unit is promoted to active.

Conditions:
The virtual server is configured for 'cmp-enabled no' and 'mirror enabled' on multiple BIG-IP appliances peered in a high availability configuration.

Impact:
Mirroring does not work as expected on BIG-IP appliances.

Note: CMP is required on VIPRION chassis, so this expectation applies only to appliances.

Workaround:
Do not disable CMP on virtual servers that are mirrored.

Note: If hardware syn cookie is disabled, CMP-disabled virtual servers still do not mirror connections. This is expected behavior.

Fix:
The system now supports mirroring connections between BIG-IP appliances in a high availability configuration on CMP-disabled virtual servers.

Note: If hardware syn cookie is disabled, CMP-disabled virtual servers still do not mirror connections. This is expected behavior.


554074-2 : If the user cancels a connection attempt, there may be a delay in establishing the next connection.

Component: Access Policy Manager

Symptoms:
Clicking on connect button does not trigger start of VPN connection immediately.

Conditions:
User cancelled previous connection attempt

Impact:
User must wait for ten seconds before attempting to reconnect.

Workaround:
None

Fix:
Fixed code to trigger VPN connection immediately even when user clicked cancel before.


554041-1 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.

Conditions:
All of the following conditions must apply.
1) Edge Client is installed in "Always Connected" mode.
2) The Connectivity profile on server has location DNS list entries.
3) One of the DNS locations matches the DNS suffix set on the local network adapter.

Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN.
All traffic to and from the user's machine is blocked.

Workaround:
This issue has no workaround at this time.

Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.


553925-1 : Manual upgrade of Edge Client fails in some cases on Windows

Component: Access Policy Manager

Symptoms:
Manual upgrade of BIG-IP Edge Client for Windows fails and this message displays "Newer version of this product is already installed."

Conditions:
Edge Client version 11.2.0. Version 12.0 is installed.
User tries to upgrade Edge Client by running a newer installer package of Edge Client.

Impact:
Edge Client cannot be upgraded.

Workaround:
Uninstall and reinstall Edge Client or use the installer service component for automatic update of Edge Client.

Fix:
Fixed installer package.


553902-1 : Multiple NTP Vulnerabilities

Vulnerability Solution Article: SOL17516


553735-2 : TMM core on HTTP response with steering action.

Component: Policy Enforcement Manager

Symptoms:
TMM process will crash.

Conditions:
An HTTP profile is not attached to the PEM virtual server receiving the HTTP response. In this case, on receiving a connection request from the client, the BIG-IP system establishes the server-side connection without waiting for the HTTP request from the client. Meanwhile, a steering policy is installed. The server responds with an HTTP request timeout message, and TMM cores while trying to steer the existing connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Attaching an HTTP profile to the PEM virtual server in question avoids this issue.

Fix:
Issue has been fixed.


553734-2 : Issue with assignment of a non-string value to Form.action in JavaScript.

Component: Access Policy Manager

Symptoms:
Exception in JavaScript code.

Conditions:
Attempt to assign a non-string value to a Form.action in JavaScript code.

Impact:
Web application malfunctions.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed for non string value types.


553688-2 : TMM can core due to memory corruption when using SPDY profile.

Component: Local Traffic Manager

Symptoms:
TMM corefiles containing memory corruption within 112-byte memory cache.

Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release contains a fix that prevents a double free on error within the SPDY component.


553686-1 : iControl method Management::LicenseAdministration::get_system_dossier() throws an error when passing multiple registration keys

Component: TMOS

Symptoms:
When calling Management::LicenseAdministration::get_system_dossier() with multiple registration keys, such as a base key and add-on keys, iControl will throw an error and the system will log an error message in /var/log/ltm.

Conditions:
When passing only one registration key, the method works as expected. However, if you pass in multiple add-on keys, the method will throw an error.

Impact:
You cannot get the system dossier using iControl SOAP if you use more than one registration key or add-on keys.

Workaround:
You can go through the GUI if trying to generate a system dossier with multiple keys or add-on keys. iControl SOAP will not work at this time.

Fix:
iControl method Management::LicenseAdministration::get_system_dossier() no longer fails when passing multiple registration keys.


553649-1 : The SNMP daemon might lock up and fail to respond to SNMP requests.

Component: TMOS

Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.

Conditions:
This occurs if the SNMP configuration on the BIG-IP system changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.

Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.

Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.

Fix:
The SNMP daemon no longer locks up and becomes unresponsive when it is restarted.


553613-1 : FQDN nodes do not support session user-disable

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support session user-disable.

Conditions:
Configure a monitor with recv-disable string, and set node to session user-disabled. Monitor does not mark the node down for draining persistent connections.

Impact:
Unable to use session drain.

Workaround:
None.

Fix:
FQDN nodes now support session user-disable


553576-4 : Intermittent 'zero millivolt' reading from FND-850 PSU

Component: TMOS

Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage.
Specific symptoms include:
- SNMP alert 'bigipSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged:
emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low.
[where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).

Note that this condition may affect either PSU 1 or PSU 2.

Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.

Impact:
There is no impact; these error messages are benign.

Workaround:
None.

Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.


553516 : Unable to sync events from SharePoint 2010 to local Outlook calendar

Component: Access Policy Manager

Symptoms:
Unable to sync events from SharePoint 2010 to local Outlook calendar.

Conditions:
Steps to Reproduce:
1. Create a portal resource for SharePoint 2010 and assign it to webtop
2. Open VS and go to the SharePoint 2010
3. Create a calendar event
4. Sync the event to your local Outlook calendar

Actual Results:
Event is not synced to local Outlook calendar

Impact:
User is unable to sync events from SharePoint 2010 to local Outlook calendar.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed.


553497 : [Portal Access][sharepoint 2013] unable to create a new document.

Component: Access Policy Manager

Symptoms:
Connection attempt sent directly to SharePoint server instead of using the VIP.

Conditions:
Steps to Reproduce:

1) In sp2013, Go to "Document" tab
2) Click the "New Document" tab. A pop-up window is displayed telling the user that it is trying to connect to the SharePoint server. The address field in that pop-up window shows the direct URL instead of the VIP.
3) Choose "Yes" to connect. The connection fails because the direct link cannot be opened.

Actual Results:

User cannot create a new document using Portal Access to the SharePoint 2013 server.

Impact:
User is unable to create a new document.

Workaround:
There is no workaround at this time.

Fix:
This issue is fixed.


553470 : An error occurs when creating an item in SharePoint 2010 thru Site Options

Component: Access Policy Manager

Symptoms:
An error occurs when creating an item in SharePoint 2010 thru Site Options.

Conditions:
Steps to Reproduce:
1. Create a portal resource for SharePoint 2010 and assign it to webtop
2. Open VS and go to the SharePoint 2010
3. Click on (top left corner)Site Actions->More Options
4. Select an item to Create (for ex. 'Picture library' or Calendar)
5. Put a name in a text box (to the right)
6. Click on "Create" button

Actual Results:
An error has occurred while processing 'Create' request

Impact:
User is unable to create an item in SharePoint 2010 thru Site Options.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed.


553330 : Unable to create a new document with SharePoint 2010

Component: Access Policy Manager

Symptoms:
VPN users are unable to create a new document with SharePoint 2010

An error is given: "The Internet address https://ip:port/shared documents/forms/template.dotx is not valid".

Conditions:
Create a new document using the "New Document" button.

Impact:
User cannot create a new document with SharePoint 2010.

Workaround:
none

Fix:
You can create a new document with Microsoft SharePoint 2010.


553311-3 : Route pool configuration may cause TMM to produce a core file

Component: Local Traffic Manager

Symptoms:
TMM will produce a core file and take the action defined in configuration.

Conditions:
A client-side route pool configuration that configures a route pool to route back, with auto lasthop disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using any route on the client side (use auto lasthop or a lasthop pool instead).

Fix:
The tmm crash caused by the route pool configuration is fixed.


553268-1 : Edge client shows "Invalid Cookies" message on third party IdP sites

Component: Access Policy Manager

Symptoms:
While authenticating with a third party IdP site, the site may show a message indicating that the cookie sent from client was invalid.

Conditions:
All of the following conditions must be met.
- User connects using Edge Client, disconnects and then attempts to connect again.
- APM is using SAML authentication with a third party IdP
- IdP uses multiple cookies to identify user session

Impact:
Edge Client is redirected to IdP site and the site displays a message indicating that the cookie was invalid or that there was a problem with the cookie.
User is not prompted for authentication credentials on the IdP.

Workaround:
Restart Edge Client before connecting again.

Fix:
Session cookies are now cleaned up properly when user explicitly disconnects BIG-IP Edge Client.


553174-3 : Unable to query admin IP via SNMP on VCMP guest

Component: TMOS

Symptoms:
The admin IP address is not returned via ipAdEntAddr.

Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.

Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.

Workaround:
none

Fix:
ipAdEntAddr will now return the admin IP address on a VCMP guest.


553162-1 : Heavy usage of memory when ASM remote logger destinations are non responsive

Component: Application Security Manager

Symptoms:
Limited but excessive use of memory can occur when there are non-responsive remote loggers.

Conditions:
1. An ASM remote logger is assigned to the virtual server.
2. (Optional) The remote logger is non-responsive.

Impact:
1. Memory usage is high although there is no traffic.
2. It takes time for the memory usage to decrease after stopping traffic.

Workaround:
Remove non-responsive remote loggers.

Fix:
BIG-IP marks non-responsive remote loggers, and does not try to send log messages to them until they become responsive.


553146-1 : BD memory leak

Component: Application Security Manager

Symptoms:
BD memory increases and may reach a kernel OOM killer scenario.

Conditions:
Usually a policy with a missing content profile on a POST request, which causes the POST to be parsed incorrectly and to raise many parameter violations.

Impact:
Excessive memory consumption, swap usage, and crashes.

Workaround:
Apply the correct content profiles (XML, etc.), as valid requests should not usually have that many parameters in them. Otherwise, apply the "apply value signature" setting on large POSTs.

Fix:
We fixed a memory leak in the Enforcer.


553131-1 : ASM CMI: HA Pair returns to PENDING State after receiving a push with a new active policy

Component: Application Security Manager

Symptoms:
When a new active ASM Policy is synchronized across a manual sync device group, the receiving side erroneously marks the device group as needing to be synchronized again afterwards.

Conditions:
ASM Sync is enabled on a Failover device group with manual sync + incremental sync.
A new active policy is created on the active device.
The configuration is pushed to the peer.

Impact:
The device group appears to be out of sync when it is not.

Workaround:
Another push will leave them in a synchronized state.

Fix:
The device group now stays synchronized after the ASM configuration is loaded.


552937-3 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.

Component: Local Traffic Manager

Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.

Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.

Impact:
TMM core.

Workaround:
Add a "Connection: close" header to the HTTP::respond or HTTP::redirect call. The connection is then closed automatically after the response is sent, so no pipelined request is processed on it.

Fix:
The TMM will no longer core due to not being able to handle the next pipelined request after a HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.


552931-3 : Configuration fails to load if DNS Express Zone name contains an underscore

Component: Local Traffic Manager

Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.

Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
-- DNS Express Zone exists with an underscore in the name.

Impact:
The LTM configuration cannot be loaded when the BIG-IP system restarts if DNS Express Zones have an underscore character in the name.

Workaround:
Force the GTM configuration to load by running the following commands in sequence:
tmsh load sys config gtm-only
tmsh load sys config

Fix:
All FQDNs may now contain the underscore character. The BIG-IP system now correctly loads configurations that contain DNS Express Zones with underscores in the name.


552865-3 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, handshake might fail if the client sends an invalid signed Certificate Verify message.

Conditions:
When SSL client certificate mode is request, and the client sends an invalid signed Certificate Verify message to the BIG-IP system.

Impact:
The handshake does not ignore the invalidly signed Certificate Verify message, and the handshake might fail. When PCM is set to 'request', SSL client authentication should ignore the Certificate Verify signature error and let the handshake continue, regardless of whether the Certificate and Certificate Verify messages are valid.

Workaround:
None.

Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior. Note that in request mode the handshake succeeds whether or not the client presents a valid certificate, so any access decision based on the client certificate must be made after the handshake (for example, from SSL::verify_result in an iRule) rather than by relying on the handshake failing.


552585-4 : AAA pool member creation sets the port to 0.

Component: TMOS

Symptoms:
When the AAA server pool member is created (for RADIUS mode BOTH and for AD), the port is set to 0 (Any), because that pool member is used for more than one port.

Conditions:
Create an AAA pool member while creating an AAA RADIUS server or Active Directory server. The created pool member does not support having multiple port numbers, and for that reason is updated with 0 (Any) as the port number for the pool member. If the user continues to modify the object using the Admin UI, port changes made using tmsh are overwritten to 0 again.

Impact:
The AAA pool member port is set to 0 (Any) rather than the port specified in the GUI. This is expected, because the pool member does not support more than one port number.


552566-1 : AFM DoS Profile Sweep vector configured thresholds are per blade instead of being per device

Component: Advanced Firewall Manager

Symptoms:
All the AFM DoS Profile vector configurations are meant to be per device. The issue is that the configured thresholds are instead applied to each blade separately, so on a multi-blade system the effective virtual server DoS thresholds are much larger than configured.

Conditions:
A multi-blade system with AFM and DoS profile configured on a virtual with the Sweep Vector enabled.

Impact:
DoS protection could kick in much later than actually configured by the user.

Workaround:
Take the thresholds that you want to configure for the vector, divide them by the number of blades in the system, and configure those values instead.

Fix:
Fixed the bug that treated those thresholds as per-blade values.


552534-1 : A false 404 response is returned when session hijacking by device ID is turned on

Component: Application Security Manager

Symptoms:
A false 404 server response is returned.

Conditions:
Session hijacking by device ID is turned on.

Impact:
The end user receives an unexpected 404 response.

Workaround:
none

Fix:
Fixed a false 404 response that was received when session hijacking by device ID was turned on.


552488-2 : Missing upgrade support for AFM Network DoS reports.

Component: Application Visibility and Reporting

Symptoms:
When upgrading, the statistics of AFM Network DoS reports are not migrated correctly to the new version, leading to loss of data about the Client-IP addresses.

Conditions:
Upgrade from versions 11.4.x or 11.5.x to versions 11.6.x or 12.0.0.

Impact:
The IP Addresses information of AFM Network DoS is lost. However, new activity is collected correctly.

Workaround:
There is no workaround for this issue.

Fix:
This release provides upgrade support for AFM Network DoS reports.


552481-1 : Disk provisioning error after restarting ASM service.

Component: TMOS

Symptoms:
Disk provisioning error after restarting ASM service.
In newer BIG-IP software versions, ASM uses a different application volume name. Older BIG-IP software versions identify the new application volume as being owned by ASM, and allow ASM to be provisioned and started. However, the older version also creates its own application volume, so there are two ASM application volumes. If ASM is then restarted with bigstart or tmsh, or if the BIG-IP system is rebooted, provisioning does not allow ASM to start.

Conditions:
ASM provisioned on both pre-v12.0.0 and post-v12.0.0 versions.

Impact:
ASM does not start, and bigstart status asm indicates a disk provisioning error.

Workaround:
Follow these steps:
1. Boot into the most recent version of BIG-IP software.
2. Run the command: tmsh modify sys provision asm level none.
3. Wait for unprovision to complete (do so by monitoring /var/log/asm).
4. Run the command: tmsh delete sys disk application-volume asmdata1.
5. Run the command: tmsh modify sys provision asm level nominal.

Fix:
ASM starts successfully with no disk provisioning error after restarting ASM service using newer BIG-IP software.


552430 : Expression evaluator in per-request policy VPE might result in system crash

Component: Access Policy Manager

Symptoms:
Expression evaluator in per-request policy VPE might result in system crash and failover.

Conditions:
When the expression evaluation is asynchronous.

Impact:
TMM crash resulting in failover.

Fix:
Handle the asynchronous evaluation of per-request policy agent's expression correctly.


552352-1 : tmsh list displays incorrectly for default values of gtm listener translate-address/translate-port

Component: Global Traffic Manager

Symptoms:
tmsh list displays incorrectly for default values of GTM listener translate-address/translate-port settings.

Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.

Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when used with the TMSH merge command, where the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. This might eventually result in failing traffic.

Workaround:
Use tmsh list with 'all-properties' instead.

Fix:
GTM Listener's translate-address and translate-port field are now always displayed in TMSH commands. This is because there are different defaults in GTM Listeners than the LTM virtual servers. When used with the TMSH merge command, the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. By always displaying this attribute, no matter what the value is, the merge will always be handled appropriately.


552346-1 : Some log messages run together without a new line separator.

Component: Access Policy Manager

Symptoms:
Certain log messages do not have a newline character at the end of them, making the resulting output in the log files (/var/log/ltm) difficult to read.

Conditions:
Certain configuration messages when upgrading a system running APM may exhibit this behavior.

Impact:
Difficulty in reading and troubleshooting certain issues due to improper text formatting.

Workaround:
None.

Fix:
Add a newline character to the end of each of the affected log messages.


552342-1 : APMD logging at debug level may log passwords in clear text

Component: Access Policy Manager

Symptoms:
APMD logging at debug level logs all request headers in clear text. Some request types contain passwords in headers resulting in passwords logged in clear text.

Conditions:
APMD logging at debug level.

Impact:
Some passwords may be logged in clear text.

Workaround:
Do not log at debug level unless absolutely necessary.

Fix:
Passwords in headers are logged as asterisks as is done for post data.
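The masking described in this fix, as an added example (not APM's code): credential-bearing headers and password fields are replaced with asterisks before a debug line is written, and a self-check confirms none of the known secrets survive. The header and field names, and the sample request, are assumptions constructed for this example.

```python
"""Added example: mask credentials in request headers and form bodies before
they reach a debug log. Header and field names are assumptions, not APM's list."""
import re

# Header names assumed to carry credentials (constructed list for the example).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-password"}
# Form fields assumed to carry passwords, mirroring the masking already done for POST data.
SENSITIVE_FIELDS = {"password", "passwd", "pwd"}
MASK = "********"

_AUTH_SCHEME = re.compile(r"^(\w+)\s+(.+)$")  # e.g. "Basic dXNlcjpzZWNyZXQ="


def redact_headers(headers: dict) -> dict:
    """Return a copy of headers with credential values replaced by asterisks.

    For Authorization-style headers the scheme (Basic, Bearer, NTLM ...) is kept
    because it is useful for troubleshooting; only the credential part is masked.
    """
    redacted = {}
    for name, value in headers.items():
        key = name.lower()
        if key in ("authorization", "proxy-authorization"):
            m = _AUTH_SCHEME.match(value.strip())
            redacted[name] = f"{m.group(1)} {MASK}" if m else MASK
        elif key in SENSITIVE_HEADERS:
            redacted[name] = MASK
        else:
            redacted[name] = value
    return redacted


def redact_form_body(body: str) -> str:
    """Mask password-like fields in an application/x-www-form-urlencoded body."""
    parts = []
    for pair in body.split("&"):
        key, sep, _ = pair.partition("=")
        parts.append(f"{key}={MASK}" if sep and key.lower() in SENSITIVE_FIELDS else pair)
    return "&".join(parts)


def debug_line(method: str, path: str, headers: dict, body: str) -> str:
    """Build the single line a debug logger would emit, already redacted."""
    hdrs = "; ".join(f"{k}: {v}" for k, v in redact_headers(headers).items())
    return f"{method} {path} [{hdrs}] body={redact_form_body(body)}"


def leaks_secret(log_line: str, secrets: list) -> bool:
    """Defensive self-check: does the line still contain any known secret?"""
    return any(s in log_line for s in secrets)


if __name__ == "__main__":
    # Constructed sample request; the credentials are made up for this example.
    sample_headers = {
        "Host": "vpn.example.com",
        "Authorization": "Basic dXNlcjpzZWNyZXQ=",
        "Cookie": "MRHSession=0123abcd",
        "X-Password": "hunter2",
    }
    line = debug_line("POST", "/my.policy", sample_headers, "username=alice&password=hunter2")
    print(line)
    print("leak:", leaks_secret(line, ["dXNlcjpzZWNyZXQ=", "hunter2", "0123abcd"]))
```

Keeping the authentication scheme while masking the credential preserves most of the troubleshooting value of a debug log without writing the secret to disk.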


552198-1 : APM App Tunnel/AM iSession Connection Memory Leak

Component: Wan Optimization Manager

Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.

Conditions:
The iSession profile reuse-connection attribute is true.
A large number of iSession connections are aborted while waiting to be reused.

Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.

Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.

Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.


552153-1 : Certain profiles may contain profile-fk-class-id attribute in them

Component: TMOS

Symptoms:
On issuing a config save through iControl REST, some profiles may contain the profile-fk-class-id attribute. Such a config will subsequently fail to load.

Conditions:
Issue a config save through iControl REST.

Impact:
Config saved through iControl REST will fail to load with the following error:

"fatal: (unexpected integer CID, tag:4698 name:profile_class_id) (framework/IntegerNode.cpp, line 215), exiting..."

Workaround:
- Issue the config save through tmsh or the GUI.
- Remove profile-fk-class-id references from all config files, for example:

ltm virtual /Common/vs1 {
...
    profiles {
        /Common/http {
            profile-fk-class-id 1347 <<< offending config. profile-fk-class-id should not be saved in the config.
                                        <<< It is for internal use only.
        }
        /Common/my1 {
            profile-fk-class-id 23420
        }
        /Common/my_AVR {
            profile-fk-class-id 10511
        }
        /Common/tcp {
            profile-fk-class-id 1177
        }
    }
...
}

Fix:
The profile-fk-class-id attribute is no longer saved in the config files. Config saved through iControl REST will load successfully.
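The second workaround above (removing profile-fk-class-id references from the config files) as an added script, not F5's code: it drops every line that consists only of that attribute and checks that the brace structure is still balanced before writing the file back. The embedded sample config is constructed from the fragment above; the `.bak` backup naming is an assumption of this example.

```python
"""Added example: strip internal 'profile-fk-class-id' lines from a saved
BIG-IP config (the manual workaround above), checking brace balance afterwards."""
import re
import shutil
import sys

# Matches a line whose only content is the internal attribute and its numeric id.
_FK_LINE = re.compile(r"^\s*profile-fk-class-id\s+\d+\s*$")


def strip_profile_fk_class_id(config_text: str) -> tuple:
    """Return (cleaned text, number of lines removed)."""
    kept, removed = [], 0
    for line in config_text.splitlines(keepends=True):
        if _FK_LINE.match(line):
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def braces_balanced(config_text: str) -> bool:
    """Sanity check: every '{' still has a matching '}' (quoted braces are ignored here)."""
    depth = 0
    for ch in config_text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Constructed sample modelled on the fragment above (annotation text omitted).
SAMPLE_CONFIG = """ltm virtual /Common/vs1 {
    profiles {
        /Common/http {
            profile-fk-class-id 1347
        }
        /Common/my1 {
            profile-fk-class-id 23420
        }
        /Common/tcp {
            profile-fk-class-id 1177
        }
    }
}
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        path = sys.argv[1]
        shutil.copyfile(path, path + ".bak")  # keep a backup before rewriting
        with open(path, encoding="utf-8") as f:
            text = f.read()
    else:
        path, text = None, SAMPLE_CONFIG
    cleaned, n = strip_profile_fk_class_id(text)
    if not braces_balanced(cleaned):
        sys.exit("brace structure changed; not writing")
    if path:
        with open(path, "w", encoding="utf-8") as f:
            f.write(cleaned)
    print(f"removed {n} profile-fk-class-id line(s)")
```

Run it with no arguments to see the effect on the sample, or with a config file path to rewrite that file in place (a backup copy is written first).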


552139-1 : ASM limitation in the pattern matching matrix build-up

Component: Application Security Manager

Symptoms:
The signature configuration does not build up upon adding new signatures. This can look like a configuration change that never finishes or, if it does finish, it may result in crashes when the Enforcer starts up, resulting in constant restarts.

Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.

Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).

Workaround:
Workarounds are possible only in a custom signature scenario: use fewer signatures, or remove unused signatures.

Fix:
Fixed a limitation in the attack signature engine.


551999-1 : Edge client needs to re-authenticate after lost network connectivity is restored

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client restarts executing access policy after lost connectivity is restored. Usually that means Edge client will try to re-authenticate (if access policy is configured so) after lost network connectivity is restored.

Conditions:
Edge Client for Mac, APM with access policy with authentication configured.

Impact:
User needs to input credentials again.

Workaround:
Access policy can have "Save password" option enabled. In this case Edge Client caches the password based on password caching policy in connectivity profile and will not ask for password if cache is still valid.

Fix:
Edge Client for Mac now tries to restore session after lost network connectivity is restored.


551927-1 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition

Component: TMOS

Symptoms:
On ePVA capable platforms with a fastl4 profile and asymmetric routing on the client side, LTM sends packets to the client with the wrong VLAN and correct MAC address (or the correct VLAN and wrong MAC address) and an undecremented TTL.

Conditions:
fastl4 profile and asymmetric routing on the client side.

Impact:
Return traffic could use the wrong vlan

Workaround:
none

Fix:
Use the nexthop VLAN for ePVA transformation for offloaded flow when available, instead of the incoming VLAN


551849-4 : If 1 tmm gets more than 1 Mpps then the 1m stats in dos_stats can be wrong

Component: Advanced Firewall Manager

Symptoms:
If 1 tmm with AFM DoS gets more than 1 Mpps, then the stats_1m value in dos_stats (the previous 60 s average pps) can be wrong. This can cause the DoS attack to be detected sooner than it should be.

Conditions:
AFM DoS configured and provisioned. Any 1 tmm gets more than 1 Mpps of a certain kind of traffic for which DoS attack detection is configured; this can cause the 1 minute average stats to be wrong.

Impact:
The state will be wrong and AFM could detect a DoS attack before it actually reaches the configured threshold.

Workaround:
None.

Fix:
Fix the logic which causes the numbers to wrap around.


551819-1 : NTLM Type 1 message no longer sets NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag

Component: Access Policy Manager

Symptoms:
In some NTLM deployments, NTLMv1 and NTLMv2 SSO fail after upgrading to the 12.0.0 release.

Conditions:
NTLM server rejects the Type 1 message when NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag is not set.

Impact:
NTLMv1 and NTLMv2 SSO might fail.

Workaround:
None

Fix:
NTLM Type 1 message will set NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag now.


551767-1 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats

Component: Global Traffic Manager

Symptoms:
GTM server 'Virtual Server Score' is not showing correct values in TMSH stats. Instead, stats shows zero value.

Conditions:
You have a virtual server configured with a non-zero score.

Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.

Workaround:
None.

Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.


551764-2 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform

Component: Access Policy Manager

Symptoms:
Successful execution of an Access Policy will result in the client receiving a HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression condition that occurs when the fix for bug 374067 is included.

Conditions:
-- The system has the fix for bug 374067.
-- Clientless mode is enabled.
-- BIG-IP platform is chassis platform.
-- The administrator does not override the Access Policy response with iRule command.

Impact:
Client receives an invalid response.

Workaround:
None.

Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.


551661-1 : Monitor with send/receive string containing double-quote may fail to load.

Component: TMOS

Symptoms:
When a monitor string contains backslash double-quote but does not contain a character which requires quoting, one level of escaping is lost each save/load.

Conditions:
If the string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.

Workaround:
You can use either of the following workarounds:
-- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary.
-- Use an external monitor instead.

Fix:
If the monitor send/recv strings contain a double-quote (") character, the system now adds quotes to the input.
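The escaping loss described in this entry, as an added toy model (not tmsh's parser): the saver only wraps a value in quotes when it contains one of the listed trigger characters, while the loader always processes backslash escapes, so a raw `\"` written unquoted comes back one level shorter. Adding `"` to the trigger set, as the fix does, makes the round trip stable. The quoting rules and the sample string are assumptions constructed for this example.

```python
"""Added example: toy model of the save/load escaping bug above. The quoting
rules here are a simplification assumed for illustration, not tmsh's actual parser."""

# Characters listed above that force the saver to wrap a value in double quotes.
QUOTE_TRIGGERS_OLD = set("'|{};# \n")
# The fix: a double quote itself now also forces quoting.
QUOTE_TRIGGERS_FIXED = QUOTE_TRIGGERS_OLD | {'"'}


def save(value: str, triggers: set) -> str:
    """Serialise one monitor string as the config writer would emit it."""
    if any(ch in triggers for ch in value):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    return value  # written raw, without quotes or escaping


def _unescape(text: str) -> str:
    """Collapse backslash escapes: a backslash followed by x becomes x."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def load(text: str) -> str:
    """Parse a saved token back into a value. The loader always processes
    backslash escapes, which is why an unquoted raw token loses a level."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    return _unescape(text)


def round_trip(value: str, cycles: int, triggers: set) -> str:
    """Apply save -> load the given number of times and return what survives."""
    for _ in range(cycles):
        value = load(save(value, triggers))
    return value


if __name__ == "__main__":
    # Constructed receive string containing backslash-quote but no listed trigger character.
    original = r'status=\"ok\"'
    print("old  :", round_trip(original, 1, QUOTE_TRIGGERS_OLD))    # one escape level lost
    print("fixed:", round_trip(original, 3, QUOTE_TRIGGERS_FIXED))  # unchanged after 3 cycles
```

The general lesson is the one a practitioner would check in any config serializer: the writer must quote whenever the reader will interpret the token, not only when a delimiter is present.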


551622-1 : Untagged interface in Q-in-Q VLAN will cause bcm56xxd crash

Component: TMOS

Symptoms:
Configuring an interface as 'untagged' in a QinQ (double-tagged) VLAN results in a crash of bcm56xxd.

Conditions:
Add an untagged interface into a Q-in-Q (double-tagged) VLAN.

Impact:
bcm56xxd continually crashes.

Workaround:
Remove the untagged interface from the QinQ VLAN.

Fix:
Configuring an interface as 'untagged' in a QinQ (double-tagged) VLAN no longer results in continual bcm56xxd crashes.


551614-3 : MTU Updates should erase all congestion metrics entries

Component: Local Traffic Manager

Symptoms:
MTU updates erase cwnd cache entries, but not ssthresh or RTT, while an MTU update generally indicates a path change, meaning that these values might be invalid.

Conditions:
TCP has cached congestion metrics from a previous connection, and subsequently receives an ICMP PMTU message.

Impact:
Connection might use invalid congestion metrics.

Workaround:
Disable cmetrics-cache, accept the suboptimal cached values, or write an iRule to purge the entry after path change.

Fix:
MTU updates now erase all congestion metrics entries, which is correct behavior.


551555-1 : Poor performance for configurations containing a large number of pool member objects

Component: TMOS

Symptoms:
Poor system performance for configurations with a large number (i.e. thousands) of pool member objects

Conditions:
Configuration containing a large number of pool member objects

Impact:
Decreased system performance.

Workaround:
None.

Fix:
Increase system performance when querying the status of pool member objects.


551451-1 : SSL cipher selection and HTTP/2 may not be in sync leading to connection errors

Component: Local Traffic Manager

Symptoms:
SSL performs cipher selection and ALPN protocol selection independently. It is possible that SSL picks a cipher that is not compatible with HTTP/2. This causes an issue where either the client or the BIGIP will refuse a newly established HTTP/2 connection with error INSUFFICIENT_SECURITY.

Conditions:
SSL picks a cipher that is not compatible with HTTP/2, but picks HTTP/2 (h2) as the next protocol.

Impact:
Client or the BIG-IP system refuses a newly established HTTP/2 connection with error INSUFFICIENT_SECURITY.

Workaround:
Make sure HTTP/2 ciphers always come before non-HTTP/2 ciphers. This is not the case with the DEFAULT cipher string. HTTP/2 requires:
-- TLS 1.2 (or above)
-- Ephemeral keys (EDH/RSA, ECDHE_ECDSA, ECDHE_RSA, DHE/DSS)
-- GCM (AES-GCM)

Fix:
In this release, HTTP/2 ciphers always come before non-HTTP/2 ciphers, at the top of the list, so cipher selection and ALPN selection are always in sync and do not result in connection errors.
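The mismatch between independent cipher and ALPN selection, and the reordering that resolves it, as an added example (not BIG-IP code). Suites are named OpenSSL-style and classified by the requirements listed in the workaround (ephemeral key exchange plus an AEAD bulk cipher, which in practice also means TLS 1.2); the classification rules, the preference list and the client offer are assumptions constructed for this example.

```python
"""Added example: classify cipher suites by HTTP/2 compatibility and reorder a
preference list so that h2-compatible suites come first. Names are OpenSSL-style;
the classification follows the requirements listed above and is an assumption
for illustration, not BIG-IP code."""

# Ephemeral key-exchange prefixes in OpenSSL suite names (forward secrecy).
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# AEAD bulk ciphers; CBC/SHA suites are on the HTTP/2 black list (RFC 7540, Appendix A).
AEAD_MARKERS = ("-GCM-", "-CHACHA20-POLY1305")


def is_http2_compatible(suite: str) -> bool:
    """True when the suite uses ephemeral key exchange and an AEAD cipher."""
    return suite.startswith(EPHEMERAL_PREFIXES) and any(m in suite for m in AEAD_MARKERS)


def order_for_http2(server_prefs: list) -> list:
    """Stable reorder: every HTTP/2-compatible suite before every incompatible one."""
    good = [s for s in server_prefs if is_http2_compatible(s)]
    rest = [s for s in server_prefs if not is_http2_compatible(s)]
    return good + rest


def negotiate(server_prefs, client_suites, client_alpn, server_alpn=("h2", "http/1.1")):
    """Model the two independent selections described above.

    Cipher: first server preference the client also offers.
    ALPN:   first server protocol the client also offers.
    Returns (cipher, protocol, problem) where problem marks the INSUFFICIENT_SECURITY
    condition: h2 chosen together with an incompatible cipher."""
    cipher = next((s for s in server_prefs if s in client_suites), None)
    proto = next((p for p in server_alpn if p in client_alpn), None)
    problem = proto == "h2" and cipher is not None and not is_http2_compatible(cipher)
    return cipher, proto, problem


# Constructed preference list in which a CBC suite precedes the GCM suites.
SAMPLE_PREFS = [
    "AES128-SHA",                    # RSA key transport + CBC: not h2
    "ECDHE-RSA-AES128-GCM-SHA256",   # h2 compatible
    "ECDHE-ECDSA-CHACHA20-POLY1305", # h2 compatible
    "DHE-RSA-AES256-SHA",            # ephemeral but CBC: not h2
]
SAMPLE_CLIENT = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("as configured:", negotiate(SAMPLE_PREFS, SAMPLE_CLIENT, ["h2", "http/1.1"]))
    print("h2 first     :", negotiate(order_for_http2(SAMPLE_PREFS), SAMPLE_CLIENT, ["h2", "http/1.1"]))
```

Because the server walks its own preference list, the fix is purely an ordering change: once every h2-compatible suite sits ahead of the CBC and RSA-key-transport suites, any client that offers h2 and at least one compatible suite gets a consistent pair.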


551303-1 : TMM may core during processing of a CCA-T.

Component: Policy Enforcement Manager

Symptoms:
TMM may core during processing of a CCA-T.

Conditions:
For every session there is a Gx context and a Main session context. These are always stitched to the same processing unit so that lookups are synchronous when a flow arrives for the session. These contexts are mirrored on different blades for high availability (HA).

The issue occurs when the following events happen:
1. The main session moves to a new processing unit (failover trigger).
2. This session is marked for deletion by an RAR from the PCRF or a RADIUS Stop.
3. Session delete is initiated from the main session by sending a local message.
4. The Gx context has not yet moved to this processing unit.
5. A CCR-T is sent for this session after the asynchronous lookup for the Gx context, and the local message is freed. This is the bug. (See explanation below.)
6. The Gx context moves.
7. The PCRF sends the CCA-T back, and PEM tries to look up the local message queued to acknowledge to the main session.
8. The local message was deleted at step 5, and TMM cores.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release prevents freeing of the Gx context when a CCR-T is sent out even if the Gx session is remote (present on another tmm), which prevents the TMM core.


551260-1 : When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as a SAML Service Provider, and the IdP-Connector's Single Sign On Service URL contains an ampersand (&), part of the URL may be truncated when the user is redirected to the IdP for authentication.

Conditions:
All conditions must be true:
- BIG-IP is used as SAML Service Provider
- Single Sign On Service URL property of IdP connector contains ampersand, e.g. https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar
- User performs SP initiated SSO

Impact:
The query part of the redirect URL after ampersand will be lost when user is redirected to SSO URL with Authentication Request.

Fix:
Redirect URL is no longer truncated after ampersand sign.


551010-1 : Crash on unexpected WAM storage queue state

Component: WebAccelerator

Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.

Conditions:
WAM configured on virtual with request queuing enabled

Impact:
Crash

Workaround:
none

Fix:
Gracefully recover from unexpected WAM storage queue state


550926-1 : AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When an AFM rule is configured to "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule.

Conditions:
Configure an address list of AFM rule with "unknown" source Geo-entity and at least one other entity (geolocation or IP address).

Impact:
Confusing, inconsistent, and apparently broken behavior.

Workaround:
Do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly.

Fix:
The code logic is fixed to properly handle the "unknown" geolocation. The user can now configure "unknown" geolocation as one of the entities in an address list.


550782-3 : Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit

Component: Local Traffic Manager

Symptoms:
RRSIG present when not asked for, and RRSIG and AD drop from response upon expiration from the cache.

Conditions:
Standard DNS requests are made against a Validating Resolver DNS cache that points to a second BIG-IP, which in turn contains a wideip in a signed zone.

Impact:
RRSIG present when not asked for, and RRSIG and AD drop from response upon expiration from the cache

Workaround:
N/A

Fix:
Update message encoding to depend on client DO bit.


550689-1 : Resolver H.ROOT-SERVERS.NET Address Change

Component: Local Traffic Manager

Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will be good for 6 months after the change, and then the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. More details http://h.root-servers.org/renumber.html

Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.

Impact:
Incorrect address for a root-server means no response to that query.

Workaround:
There are 12 other root-servers that also provide answers to TLD queries, so this is cosmetic, but the addresses still need to be updated to respond to the change.

Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53).

For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.


550625-1 : Policy Diff Does Not Display All Differences

Component: Application Security Manager

Symptoms:
Policy Diff does not correctly recognize some differences between two policies.
Known affected area:
* Policy Building Process Settings (ex. Tighten Policy(stabilize))
* Blocking Response Pages

Conditions:
Policy Diff is performed between two policies that have differences in any of:
* Policy Building Process Settings
* Blocking Response Pages

Impact:
The difference is not shown or merged, and the Security Policies may not behave as expected due to this missing information.

Workaround:
Manual inspection will show that these settings are different.

Fix:
Policy Diff now correctly displays all differing settings.


550618 : The BIG-IP Virtual Edition may fail to load the default configuration on the Microsoft Azure cloud service

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition (VE) may fail to load the default configuration on the Microsoft Azure cloud service.

As a result of this issue, you may encounter one or more of the following symptoms:

The BIG-IP VE system fails to load the default configuration and reports an error message similar to the following example:

Loading configuration...
  /defaults/defaults.scf
Syntax Error:(/defaults/defaults.scf at line: 97) "description" may not be specified more than once

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP VE system is deployed on the Microsoft Azure cloud service.
-- You attempt to reset the BIG-IP VE to the default configuration using the tmsh load sys config default command.

Impact:
Cannot reset system configuration defaults.

Workaround:
Delete the VE instance in Azure, and then start a new instance. Move the license registration key to the new instance. Important: F5 Support must release the license (called an 'allow move') to enable license provisioning on the new VE instance.

Fix:
The BIG-IP Virtual Edition now successfully loads the default configuration on the Microsoft Azure cloud service.


550596-4 : RESOLV::lookup iRule command vulnerability CVE-2016-6876

Vulnerability Solution Article: SOL52638558


550537-1 : Need to change 'Fiberlink' to 'IBM Maas360' in UI help

Component: Access Policy Manager

Symptoms:
When you configure an AAA Endpoint Management System in the GUI, the online help specifies 'Fiberlink' as one of the system types.

Conditions:
1. Open BIG-IP with licensed APM module.
2. Go to 'Access Policy' tab -> 'AAA Servers' -> 'Endpoint Management Systems'.
3. Click Help, expand 'Type', and see the word 'Fiberlink'.
4. Click 'Create'.
5. Click 'Help', expand 'Type'.
6. Connect to BIG-IP using ssh.
7. Execute tmsh help apm aaa endpoint-management-system.
8. See the words 'Fiberlink' and 'fiberlink'.

Impact:
See 'Fiberlink' and 'fiberlink' words

Workaround:
none

Fix:
When you configure an AAA Endpoint Management System in the GUI, the online help now specifies IBM Maas360 as one of the system types. If you use tmsh instead of the GUI, the aaa endpoint-management-system command still specifies and displays fiberlink as the corresponding type.


550536-1 : Incorrect information/text (in French) is displayed when the Edge Client is launched

Component: Access Policy Manager

Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.

Conditions:
Edge client is used in French locale.

Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.

Workaround:
None.

Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.


550221-2 : Policy resync failed after removing a policy item with more remaining

Component: Access Policy Manager

Symptoms:
Syncing a policy that has been sync'ed before after removing a policy item fails.

Conditions:
- Sync a policy with more than one policy item/macro
- Remove one of the items/macros
- Sync again

Impact:
Sync function broken

Workaround:
Delete the policy on target device and start a fresh new sync.

Fix:
Users can now successfully sync a previously synced policy after removing items from it.


550144-1 : A partial UDP SIP message with AFM SIP DoS configured can cause a crash

Component: Advanced Firewall Manager

Symptoms:
A tmm crash can occur.

Conditions:
When AFM SIP DoS is configured and we receive a partial UDP SIP message.

Impact:
A tmm crash can occur.

Workaround:
Don't configure AFM SIP DoS.

Fix:
The crash has been fixed.


550124 : SSL has memory leak when peer sends a certificate chain but BIG-IP SSL is configured with only the Root certificate as trusted CA.

Component: Local Traffic Manager

Symptoms:
SSL has a memory leak if, during SSL negotiation, the peer sends a certificate chain but BIG-IP is configured with only the Root certificate as trusted CA.
In tmsh show sys memory, the ssl_hs, ssl_hs_m and/or ssl memory usage will keep growing.
The system may eventually run out of memory and crash.

Conditions:
If the peer sends a certificate chain such as Root-Intermediate-Leaf, but BIG-IP SSL is configured with only the Root cert as trusted CA, then there is an SSL memory leak.
If the peer sends a certificate chain such as Root-Intermediate-Leaf, but BIG-IP SSL is configured with the Root and Intermediate certs as trusted CAs, then there is no memory leak.

Impact:
The BIGIP system will run out of memory, and eventually the BIGIP TMM may crash.

Workaround:
The workaround, if applicable, is to configure the Root CA cert and all Intermediate CA certs as trusted CA certs.

Fix:
The SSL certificate chain verification is now handled correctly, and the memory leak is no longer seen.


549971-6 : Some changes to virtual servers' profile lists may cause secondary blades to restart

Component: TMOS

Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.

Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.

Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.

Workaround:
You should explicitly set the ip-protocol when changing the profiles of a virtual server. Then this bug will not occur.

Fix:
If a virtual server's ip-protocol was not set, then some changes to the list of attached profiles would cause a validation error on secondary blades. This would cause those blades to restart. This issue has been fixed.


549943 : Remote LDAP Auth with SSL is not working

Component: TMOS

Symptoms:
Remote LDAP Auth with SSL does not work.

Conditions:
Configure "auth ldap system-auth" with SSL enabled; users fail to authenticate.

Impact:
Users fail to authenticate.

Workaround:
None.

Fix:
Remote users now authenticate when using LDAP Auth with SSL.


549800-1 : Renaming a virtual server with an attached plugin can cause buffer overflow

Component: Local Traffic Manager

Symptoms:
Renaming a virtual server (essentially, moving one virtual server to a new location, which effectively renames it) might cause buffer overflow and potentially result in Failover.

Conditions:
The database variable 'mcpd.mvenabled' must be set to 'true'.
Also, when moving a virtual server, the new name must be longer than the original name.

Impact:
Buffer overflow and potentially failover.

Workaround:
Do not use the move command. Instead, issue a delete followed by a create command in a transaction.

Fix:
Renaming a virtual server now works as expected, and does not result in buffer overflow or failover.


549794-1 : Requests may be dropped when proactive bot defense is on, but Block Suspicious Browsers is off

Component: Advanced Firewall Manager

Symptoms:
When proactive bot defense is on in a DoS profile, but the Block Suspicious Browsers check box is disabled, some resources such as images, CSS files, etc. may be dropped by DoSl7 after the grace period has passed.

Conditions:
-proactive bot defense is on
-suspicious browsers box is set to off

Impact:
Page may not be loaded correctly as some of its resources can not be loaded

Workaround:
N/A

Fix:
An issue with renewing the proactive cookie, which caused some resources to be dropped in a specific configuration, was fixed.


549588-1 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Component: Access Policy Manager

Symptoms:
EAM memory growing and OOM kills EAM process under memory pressure.

Conditions:
This occurs when using an access management system such as Oracle Access Manager: when an authentication request is redirected to the IdP (a redirect URL is present) with cookies present, memory can grow unbounded.

Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.

Workaround:
No Workaround

Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.


549406-1 : Destination route-domain specified in the SOCKS profile

Component: Local Traffic Manager

Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.

Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).

Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.

Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.

Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.


549393-1 : SWG URL categorization may cause the /var file system to fill.

Component: Application Visibility and Reporting

Symptoms:
Secure Web Gateway (SWG) URL categorization may cause the /var file system to fill. This might manifest in the following ways.

1. The /var file system is full or approaching 100% utilization, as shown in the following example:

# df -h /var
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg--db--vda-app.ASWADB.set.1.mysqldb
                       12G 11G 576M 95% /var/lib/mysql

2. The database and index files for SWG URL categorization have grown very large, as shown in the following example:

-- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYD: 8.1G <--- Database!
-- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYI: 765M <--- Index!

Conditions:
SWG is provisioned and configured to perform URL classification, and a large amount of web traffic is being proxied by the SWG system.

Impact:
This results in the following impacts:
-- SWG-related operations dependent on MySQL may fail.
-- Once the /var file system reaches 100% utilization, other BIG-IP system functions that are dependent on the MySQL system may also experience issues.

Workaround:
The issue can be worked around by resetting the AVR statistics. You can find information on how to reset AVR statistics in SOL14956: Resetting BIG-IP AVR statistics, available at https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14956.html.

Impact of procedure: The procedure removes all Analytics data and resets the MySQL database.

Fix:
Secure Web Gateway (SWG) URL categorization no longer causes the /var file system to fill.


549086-1 : Windows 10 is not detected when Firefox is used

Component: Access Policy Manager

Symptoms:
Windows 10 is not detected when the Firefox browser is used.

Conditions:
Windows 10 and Firefox (at least versions 40 and 41).

Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.

Workaround:
There is no workaround.

Fix:
Now Windows 10 is properly detected with the Firefox browser.


548909 : New EPVA bitstream

Component: TMOS

Symptoms:
Updated bitstream to fix a few issues related to flow hash collisions within the EPVA.

Conditions:
Various

Impact:
Potential idle aging issues or incorrect seq/ack updates from EPVA when flow is evicted due to hash collision.


548796-1 : avrd is at 100% CPU

Component: Performance

Symptoms:
When the Application Visibility and Reporting (AVR) module is being used, the avrd daemon can consume all CPU. The avrd log will contain error messages similar to "Semaphore DB_Publisher_ready is not set, for xxxx seconds".

Conditions:
This can occur when using the AVR module.

Impact:
avrd gets to 100% CPU and stays there even when no traffic is being passed, which impacts system performance.

Workaround:
Restarting tmm temporarily mitigates this problem.

Fix:
Avrd is no longer susceptible to consuming all CPU indefinitely even when traffic is not being passed.


548680-1 : TMM may core when reconfiguring iApps that make use of iRules with procedures.

Component: Local Traffic Manager

Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.

Conditions:
During the reconfiguration of more than one iApp by switching templates, where both the prior and the new templates contain iRules with procedures of the same name.
After the second or later reconfiguration, TMM may core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.

Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.


548583-1 : TMM crashes on standby device with re-mirrored SIP monitor flows.

Component: Local Traffic Manager

Symptoms:
Occasionally, the standby system with a SIP monitor crashes in a configuration where the active system contains a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.

Conditions:
This occurs on an active-standby setup in which there is an L4 forwarding virtual server or SNAT listener configuration with a wildcard IP address and port, and with connection mirroring enabled. Also, the standby has a SIP monitor configured.

Impact:
Packets that are sent by the SIP monitor on the standby get routed back to the active unit (possibly due to a routing loop) and are then sent to the standby because of the wildcard mirrored configuration. tmm on standby might crash. When the crash occurs, the standby system posts the following assert and crashes: tmm failed assertion, non-zero ha_unit required for mirrored flow.

Workaround:
-- If a routing or switching loop is the reason the packets come back to the active unit, then the routing issues can be eliminated.
-- The mirroring of the wildcard virtual server or SNAT listener can be disabled.

Fix:
TMM no longer crashes on standby device with re-mirrored SIP monitor flows.


548563-1 : Transparent Cache Messages Only Updated with DO-bit True

Component: Local Traffic Manager

Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
When the DO-bit TRUE's cached message TTL expires, the general impact is DO-bit FALSE queries will be proxied until the message cache is updated with DO-bit TRUE.

Workaround:
None.

Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.


548361-2 : Performance degradation when adding VDI profile to virtual server

Component: Access Policy Manager

Symptoms:
Performance degradation when adding VDI profile to virtual server

Conditions:
This occurs when using the VDI profile

Impact:
0.3 s latency increase compared with the previous result.

Workaround:
none

Fix:
Fixed 0.3s latency between client and server SSL hello if VDI profile is added to virtual server.


548268-1 : Disabling an interface on a blade does not change media to NONE

Component: TMOS

Symptoms:
When an interface on a blade in a chassis is disabled, its media is not reported as NONE and the link on the other end stays UP.

Conditions:
Disabling an interface on a blade within a chassis.

Impact:
Media on the disabled interface is not reported as NONE and link on partner end is UP.

Workaround:
none

Fix:
This issue has been fixed: media on a disabled blade interface is now reported as NONE.


548239-2 : BGP routing using route-maps cannot match route tags

Component: TMOS

Symptoms:
When a route-map is used to redistribute routes into BGP, matching on the route tag fails.

Conditions:
Dynamic routing using BGP, redistribution into BGP using a route-map, route-map matches route tag.

Impact:
BGP may not get all prefixes from other routing protocols.

Workaround:
None.

Fix:
Route-maps used with BGP now correctly match route tags.


548114-2 : RAR for already deleted session returns RAA with 5012 error code

Component: Policy Enforcement Manager

Symptoms:
After PEM has forcefully deleted a session, a RAR from the PCRF with the same session ID is answered with an RAA carrying error code 5012 (UNABLE_TO_COMPLY) instead of 5002 (UNKNOWN_SESSION_ID).

Conditions:
The session is deleted while the Gx connection is down, with tmm.pem.session.endpointDeleteResponse and tmm.pem.session.FinalUsageRecord set to low values so that the forced delete is triggered.

Impact:
The PCRF still believes the session exists, because the 5012 response gives it the wrong signal.

Workaround:
Set tmm.pem.session.endpointDeleteResponse to a high value so that the session is not deleted when the Gx connection is down for only a short period of time.

Fix:
The issue is fixed. PEM now sends an RAA with error code 5002 for a forcefully deleted session.


547815-3 : Potential DNS Transparent Cache Memory Leak

Component: Local Traffic Manager

Symptoms:
When a transparent cache is populated with messages where the DNSSEC OK bit is true, and a query with that bit true arrives at or after the expiration of the message TTL, the system leaks all subsequent queries with DNSSEC OK set to false, up through the TTL of that message.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
A few hundred bytes can leak on each clientside query, leading to a massive leak over a short period of time.

Workaround:
Disable DNSSEC on all cached messages by disabling DNSSEC on pool members.

Fix:
This release fixes a potential DNS transparent cache memory leak.


547546-1 : Add support for auto-update of MachineCertService

Component: Access Policy Manager

Symptoms:
Auto-update of MachineCertService was not implemented. If APM contains a newer MachineCertService, EdgeClient does not pick it up automatically.

Conditions:
Upgrading existing APM install.

Impact:
Because MachineCertService is not auto-updatable, the service must be redeployed manually.

Fix:
Added support of auto-update to MachineCertService.


547537-2 : TMM core due to iSession tunnel assertion failure

Component: Wan Optimization Manager

Symptoms:
TMM core due to "valid isession pcb" assertion failure in isession_dedup_admin.c.

Conditions:
Deduplication endpoint recovery occurs on a BIG-IP system that has deduplication enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
none

Fix:
An iSession tunnel initialization defect has been corrected.


547532-1 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades

Component: TMOS

Symptoms:
Error messages similar to this are present in the ltm log:

-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.

Conditions:
A chassis-based system with multiple blades. A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).

Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.

Workaround:
Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.

Fix:
Ensured that the complete state for addresses in the default route domain is propagated to secondary blades.


547435-1 : BIG-IQ ASM remote logger: Requests are not logged.

Component: Application Security Manager

Symptoms:
BIG-IQ ASM does not log requests for the first remote logger configured on the system.

Conditions:
No remote logger has been previously configured for ASM.

Impact:
No requests are sent to remote logger that was just configured.

Workaround:
This issue resolves itself after a few seconds when the remote destination is responsive.

Fix:
An issue with requests not being logged after configuring a new remote logger for BIG-IQ ASM has been fixed.


547367-2 : Adding a Virtual Server and then selecting the Virtual Server menu bar again can lead to an error message in the UI

Component: Global Traffic Manager (DNS)

Symptoms:
If you create a Server object with auto discovery disabled and then click on Virtual Server menu bar and 'Add' to manually add a Virtual Server, clicking on the Virtual Server menu bar again will result in the UI displaying the error "An error has occurred while trying to process your request."

Conditions:
When creating a Server object in the GTM configuration with Autodiscovery disabled.
Clicking on the Virtual Server menu bar a second time.

Impact:
An error appears in the UI: "An error has occurred while trying to process your request."

Fix:
The tab menu in the Virtual Server page has been removed.


547047-5 : Older cli-tools unsupported by AWS

Component: TMOS

Symptoms:
Older EC2 tools stopped working in some AWS regions.

Conditions:
This can happen in some AWS regions.

Impact:
BIG-IP high availability configurations may stop working in some AWS regions.

Workaround:
None.

Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.


547000-5 : Enforcer application might crash on XML traffic when out of memory

Component: Application Security Manager

Symptoms:
Enforcer application might crash on XML traffic when out of memory.

Conditions:
This occurs when the system is out of memory.

Impact:
The BIG-IP system might temporarily fail to process traffic.

Workaround:
None.

Fix:
This release fixes a scenario where the system might crash when the XML parser ran out of memory.


546516-2 : PEM: TMM core when deleting sessions not aware to PCRF

Component: Policy Enforcement Manager

Symptoms:
TMM core.

Conditions:
When PCRF sends a CCA-T for a session with error code 5002 (UNKNOWN_SESSION_ID)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If possible, have the PCRF acknowledge the CCA-T with success code 2001 even if it is not aware of the session.

Fix:
The issue has been fixed. No core should be observed under the described circumstances.


546410-3 : Configuration may fail to load when upgrading from version 10.x.

Component: TMOS

Symptoms:
After upgrade from 10.x to 11.5.3 HF2, configuration fails to load with the following error:
01070734:3: Configuration error: Invalid primary key on monitor_param object () - not a full path 2.

Conditions:
Configuration contains a user-created monitor (A) that inherits from user-created monitor (B). Monitor A appears first within the configuration files and monitor B does not have a 'destination' attribute.

Impact:
Configuration fails to load.

Workaround:
Re-order monitors such that Monitor B appears first, or add a 'destination' attribute (i.e., 'destination *:*') to monitor B.

Fix:
10.x upgrade now completes successfully, even when parent monitors appear later in the monitor list, or when there is no destination attribute in the child monitor.


546140-1 : CVE-2015-7759

Vulnerability Solution Article: SOL22843911


546080-6 : Path sanitization for iControl REST worker

Vulnerability Solution Article: SOL99998454


545985-2 : ICAP 2xx response (except 200, 204) is treated as error

Component: Service Provider

Symptoms:
An ICAP status code of 2xx (other than 200 or 204) from the ICAP server is treated as an error, causing the ICAP connection to be reset and the service-down action to be performed on the parent virtual server (as configured in the requestadapt or responseadapt profile). RFC 3507 requires the ICAP client (BIG-IP) to handle such a response normally (i.e., as it would a 200).

Conditions:
The ICAP server returns a 2xx status code that is not defined explicitly for ICAP.

Impact:
Transactions involving an ICAP server that returns a 2xx response not defined by ICAP do not work, and the service-down action is performed.

Workaround:
If possible, have the ICAP server return status code 200.

Fix:
An ICAP status code from the ICAP server of 2xx (other than 200 or 204) is treated as a normal 200 status code, thus the encapsulated HTTP request or response is returned to the HTTP client or server.
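To make the status-handling rule concrete, here is an added example (not F5 code and not the BIG-IP implementation) that parses an ICAP response status line and decides what a client should do with it, both in the pre-fix behaviour described under Symptoms and in the post-fix behaviour described under Fix. The status lines are constructed for the example; only 200 and 204 carry ICAP-defined meanings here, and the RFC 3507 reading that any other 2xx is treated like a 200 is the one the entry states.

```python
import re
from typing import Optional, Tuple

# Constructed ICAP status lines (not captured from a real ICAP server).
SAMPLE_STATUS_LINES = [
    "ICAP/1.0 200 OK",
    "ICAP/1.0 204 No Content",
    "ICAP/1.0 201 Created",          # undefined 2xx for ICAP
    "ICAP/1.0 500 Server Error",
    "garbage line",
]

STATUS_LINE_RE = re.compile(r"^ICAP/(\d)\.(\d)\s+(\d{3})\s*(.*)$")


def parse_icap_status_line(line: str) -> Optional[Tuple[int, str]]:
    """Return (status_code, reason) from an ICAP status line, or None if the
    line is not a well-formed ICAP/1.x status line."""
    m = STATUS_LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(3)), m.group(4)


def icap_client_action(status: int, fixed: bool = True) -> str:
    """Decide what the ICAP client does with a response status.

    'adapted'  : use the encapsulated (possibly modified) HTTP message (200)
    'unmodified': forward the original HTTP message untouched (204)
    'error'    : reset the ICAP connection and run the service-down action

    With fixed=False this reproduces the pre-fix behaviour described in the
    entry, where any 2xx other than 200 or 204 was treated as an error."""
    if status == 200:
        return "adapted"
    if status == 204:
        return "unmodified"
    if 200 <= status <= 299:
        return "adapted" if fixed else "error"
    return "error"


def classify_lines(lines, fixed: bool = True):
    """Map each status line to its client action; malformed lines are errors."""
    actions = []
    for line in lines:
        parsed = parse_icap_status_line(line)
        actions.append("error" if parsed is None else icap_client_action(parsed[0], fixed))
    return actions
```

Running `classify_lines(SAMPLE_STATUS_LINES, fixed=False)` shows the 201 response mapped to "error", while the default post-fix mapping returns "adapted" for it, which is the behaviour change this entry describes.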


545786 : Privilege escalation vulnerability CVE-2015-7393

Vulnerability Solution Article: SOL75136237


545783-2 : TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when forwarding an inbound connection and the flow sweeper tries to update the flow before the forwarding operation completes.

Conditions:
A small or over utilized LSN pool that creates inbound entries that require forwarding.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add more IP addresses to the LSN pool.

Fix:
TMM no longer crashes when forwarding inbound connections configured with an LSN pool.


545745-4 : Enabling tmm.verbose mode produces messages that can be mistaken for errors.

Component: TMOS

Symptoms:
When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present.

Conditions:
Must have an accelerator device, and enable tmm.verbose logging.

Impact:
The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored.

Workaround:
Ignore the lines with format similar to the following:

 en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000

Fix:
The cosmetic messages containing 'err' and 'best err' are no longer posted on initial tmm startup when tmm.verbose logging is enabled on hardware-accelerated devices.


545704-1 : TMM might core when using HTTP::header in a serverside event

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM might core when using an HTTP iRule command in a HTTP_REQUEST_SEND serverside event.

Conditions:
- iRule with an HTTP command in a serverside event prior to the serverside being completely established, such as HTTP_REQUEST_SEND.
- OneConnect configured on the virtual server.

Impact:
The command might either return an invalid value or lead to a condition where TMM might core.

Workaround:
Use the {clientside} Tcl command to execute on the client side.

Alternatively, you might use the HTTP_REQUEST_RELEASE event for HTTP inspection/modification on the server-side.

Fix:
TMM no longer cores when using HTTP iRule commands on the server-side of the HTTP_REQUEST_SEND event.


545558-2 : Send RAA when RAR is sent by PCRF and session is deleted immediately after its created.

Component: Policy Enforcement Manager

Symptoms:
BIG-IP does not send an RAA for certain sessions.

Conditions:
If a session is created, a CCR-I is sent, a CCA-I is received, and the session is then deleted immediately, the RAA for the RAR update from the PCRF for that session is not sent.

Impact:
PCRF has no way of knowing why RAA was not received for the session.

Workaround:
None. This is an extremely remote scenario, in which RADIUS Start and Stop are received almost at the same time.


545214-3 : OSPF distance command does not persist across restarts.

Component: TMOS

Symptoms:
When ospfd is restarted, the value configured for the OSPF distance command is lost.

Conditions:
The distance command is configured in OSPF and the ospfd process is restarted.

Impact:
The distance command does not function as configured, which affects OSPF behavior.

Workaround:
None.

Fix:
OSPF distance command now persists across ospfd restarts.


544989-1 : distance cli command without access name in OSPF posts a memory allocation error.

Component: TMOS

Symptoms:
OSPF distance command gives error and is not effective in changing Open Shortest Path First (OSPF) behavior.

Conditions:
The distance command is used without an access list name, which throws a memory allocation error. The access list name is an optional parameter in the following command (WORD represents the optional access list name):
distance <1-255> A.B.C.D/M (WORD|).

Impact:
The distance command does not function correctly and posts a memory allocation error.

Workaround:
None.

Fix:
OSPF distance command no longer gives error and works as expected to modify Open Shortest Path First (OSPF) behavior.


544979 : Changing the LSN pool to an unsupported mode may result in a TMM crash

Component: Carrier-Grade NAT

Symptoms:
Changing the LSN pool mode may result in a TMM core if the BIG-IP system is processing translations and the resulting configuration is not supported. When the pool mode changes while a translation is in progress, validation checks may be skipped. This can cause a NULL pointer exception.

Conditions:
VLANs configured with default DAG.
A small LSN pool configured with NAPT mode.
Changing the pool mode to PBA while translations are in progress. PBA is not supported with default DAG.

Impact:
Traffic disrupted while tmm restarts.

Fix:
With this fix, tmm no longer crashes when changing the LSN pool to an unsupported mode.


544913-5 : tmm core while logging from TMM during failover

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server when an HA failover occurs.

Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over. The crash occurs on the HA member which was the Primary member prior to the failover.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.


544888-6 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.

Fix:
Once the TCP connection reaches established state, the idle timeout is now set to the value found in the associated profile. By default the profile timeout value is 300 seconds.


544531-3 : ConfigSync does not work in Virtual Edition configurations provisioned with a single NIC and single IP.

Component: TMOS

Symptoms:
ConfigSync does not work in Virtual Edition (VE) configurations provisioned with a single NIC and single IP.

Conditions:
This occurs when using BIG-IP VE v12.0.0 for Microsoft Azure and Amazon AWS when provisioned with a single NIC and a single IP address.

Impact:
You will be unable to enable ConfigSync, or to synchronize configurations among the devices in a Device Group.

Workaround:
None.

Fix:
You can configure ConfigSync only (there is no support for network failover, but it should be selected and then disabled when creating the Device Group) for BIG-IP VE provisioned with a single NIC and a single IP address, using the following steps.

Steps to configure ConfigSync in Azure VE provisioned with a single NIC and a single IP address:

- Use version 12.0.0 HF1 EHF14 and later images.
- Use a static private IP address provided by Azure Virtual Network.
- Set db-var 'provision.1nicautoconfig' to 'disable' before beginning.

* No support of network failover when setting up ConfigSync in Azure.

- A typical setup is as follows:

  - Configure configsync-ip in each VE/device.
    - In each VE/device, run the command: tmsh modify cm device <bigipX> configsync-ip <self-ip>.
  - In the master VE/device, complete the following steps at the tmsh command line:
    - To add all other VEs/devices to the trust-domain, run the following command for each VE/device:
      - tmsh modify cm trust-domain Root ca-devices add { <peer-mgmt-ip> } name <bigipX> user <user> password <password>
    - To create a new device group for all VEs/devices, run the command:
      - tmsh create cm device-group <device-group> devices add { <all-device-names-separated-by-space> } type sync-failover auto-sync enabled network-failover disabled
  - To initially sync up configs among the devices in the device group, run the command: tmsh run cm config-sync to-group <device-group>.


544481-2 : IPSEC Tunnel fails for more than one minute randomly.

Component: TMOS

Symptoms:
IPsec IKEv1: a DPD ACK may be dropped when there is excessive DPD message exchange. This causes the IPsec tunnel to fail.

Conditions:
Excessive DPD message exchange.

Impact:
Connection resets.

Workaround:
None.

Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.


544028-1 : Verified Accept counter 'verified_accept_connections' might underflow.

Component: Local Traffic Manager

Symptoms:
Verified Accept counter 'verified_accept_connections' might underflow.

Conditions:
When the verified accept setting on a TCP profile is changed for an active virtual server.

Impact:
When the counter underflows, new connections on any verified-accept enabled virtual server are dropped. The counter will never recover.

Workaround:
Avoid changing the verified accept setting on a TCP profile for an active virtual server.

Fix:
This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.


543993-2 : Serverside connections may fail to detach when using the HTTP and OneConnect profiles

Component: Local Traffic Manager

Symptoms:
Serverside connection does not detach when using OneConnect profile

Conditions:
An HTTP/1.1 response without Content-Length header is received in response to an HTTP/1.0 HEAD request

Impact:
HTTP requests on the same connection are not load balanced across pool members.

Workaround:
Remove OneConnect profile

Fix:
Ensure serverside detachment when handling HTTP responses to HEAD requests.
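The detachment decision hinges on knowing where the server's response ends. As an added illustration (not F5 code and not the TMM implementation), the function below applies the RFC 7230 section 3.3.3 message-length rules: a response to HEAD, a 1xx, 204 or 304 response has no body at all, so the serverside can be released as soon as the headers arrive, whereas a response with neither chunked Transfer-Encoding nor Content-Length is delimited only by connection close and can never be returned to a connection pool. The request/response combinations fed in are constructed; the HTTP/1.0 HEAD request answered by an HTTP/1.1 response without Content-Length is the case from this entry, and the other cases show the general rule.

```python
from typing import Dict


def response_body_delimiter(request_method: str, status: int, headers: Dict[str, str]) -> str:
    """Return how the response body is delimited, in the precedence order of
    RFC 7230 section 3.3.3:

    'none'           : no body (HEAD response, 1xx, 204, 304)
    'chunked'        : chunked is the final transfer coding
    'content-length' : Content-Length header gives the length
    'close'          : body ends only when the server closes the connection
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if request_method.upper() == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return "none"
    te = h.get("transfer-encoding")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",") if c.strip()]
        # Chunked must be the *final* coding; otherwise a response is read to close.
        return "chunked" if codings and codings[-1] == "chunked" else "close"
    if "content-length" in h:
        return "content-length"
    return "close"


def serverside_can_detach_after_headers(request_method: str, status: int,
                                        headers: Dict[str, str]) -> bool:
    """True when the response is complete at the end of the header block, so a
    OneConnect-style proxy can release the serverside immediately."""
    return response_body_delimiter(request_method, status, headers) == "none"


def serverside_is_reusable(request_method: str, status: int, headers: Dict[str, str]) -> bool:
    """True when the connection can go back to a pool once the body is consumed;
    a close-delimited body consumes the connection itself."""
    return response_body_delimiter(request_method, status, headers) != "close"


# Constructed case from this entry: HTTP/1.0 HEAD request, HTTP/1.1 response
# without Content-Length. The body delimiter is 'none', so detachment is allowed.
HEAD_CASE = ("HEAD", 200, {"Server": "example", "Content-Type": "text/html"})
```

The entry's defect is equivalent to evaluating the HEAD case as if it were a GET: the same headers on a GET response yield 'close', which is exactly the state in which a serverside cannot be detached.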


543222-2 : apd may crash if an un-encoded session variable contains "0x"

Component: Access Policy Manager

Symptoms:
When a session variable value contains "0x" (for example 'value0x not encoded'),
the apd process treats the value as hex-encoded and tries to decode it.
Decoding the non-encoded string causes apd to crash.

Conditions:
session variable contains substring "0x"

Impact:
apd crash

Workaround:
None

Fix:
With this release:
1. Only values starting with 0x are treated as hex-encoded.
2. If hex decoding fails, apd does not crash.
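The two-part fix above is a general pattern for any decoder fed attacker-influenced strings: tighten the trigger so that only a value that is actually in the encoded form is decoded, and make the decoder fail closed rather than abort. The added example below (not F5 code and not apd's implementation) shows a naive decoder that treats any value containing "0x" as hex and raises on the non-encoded sample from this entry, next to the hardened version. The sample values are constructed.

```python
# Constructed sample session-variable values (not from the original page).
SAMPLE_VALUES = {
    "hex_encoded": "0x68656c6c6f",         # "hello", properly hex-encoded
    "not_encoded": "value0x not encoded",  # contains "0x" mid-string, as in the entry
    "bad_hex": "0xzz",                     # starts with 0x but is not valid hex
}


def decode_naive(value: str) -> str:
    """Pre-fix behaviour: any value containing "0x" is treated as hex-encoded
    and decoded. A non-hex string raises ValueError, which stands in for the
    crash this entry describes."""
    if "0x" in value:
        return bytes.fromhex(value.split("0x", 1)[1]).decode("utf-8")
    return value


def naive_decode_raises(value: str) -> bool:
    """Report whether the naive decoder would abort on this value."""
    try:
        decode_naive(value)
        return False
    except (ValueError, UnicodeDecodeError):
        return True


def decode_hardened(value: str) -> str:
    """Post-fix behaviour: only a value that *starts* with "0x" is treated as
    hex-encoded, and a decode failure returns the raw value instead of raising."""
    if not value.startswith("0x"):
        return value
    try:
        return bytes.fromhex(value[2:]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value
```

Returning the raw value on failure is the conservative choice for a policy daemon: the variable is still available to the policy and the process stays up, and any downstream check that expected a decoded value sees the literal string rather than an empty or missing one.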


543220-4 : Global traffic statistics do not include PVA statistics

Component: Local Traffic Manager

Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.

Conditions:
Hardware acceleration enabled.

Impact:
Statistics discrepancy in global traffic statistics.

Workaround:
None.

Fix:
Global traffic statistics now includes the correct PVA statistics in the GUI and in TMSH.


542898-2 : Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0

Component: TMOS

Symptoms:
After installing a new Virtual Edition software instance and booting into it, disk partition /var shows 100%

Conditions:
Virtual Edition only

Impact:
System is generally unusable; applications cannot operate without space in /var.

Workaround:
1) reboot into the previous software location

2) delete the new software location that is non-functional

3) remove this file:
/shared/.tmi_config/global_attributes

4) install the new software again.

Fix:
After applying the fix, subsequent operations that install new software size the /var filesystem appropriately.


542860-2 : TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event

Component: TMOS

Symptoms:
TMM can crash when IPsec SAs are deleted using TMSH or the racoonctl utility during an HA Active-to-Standby or Standby-to-Active transition.

Conditions:
During an HA Active-to-Standby or Standby-to-Active transition, using TMSH or the racoonctl utility to delete IPsec SAs can cause a TMM crash. This is a race condition and occurs rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running a TMSH command or the racoonctl utility to delete IPsec SAs during an HA Active-to-Standby or Standby-to-Active transition no longer results in a TMM crash, and the IPsec SAs are deleted as requested.


542853-1 : tmm crash

Component: Local Traffic Manager

Symptoms:
The tmm crashes, /var/log/ltm contains the following error message:
"Tcl Object ## is currently on free list"

Conditions:
The issue occurs when an LTM policy is assigned to a virtual server, the policy actions use Tcl command substitutions, and a command substitution is unsuccessful.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer restarts when an LTM policy is assigned to a virtual server, the policy actions use Tcl command substitutions, and a command substitution is unsuccessful.


542781-2 : Tmm crash observed during load testing

Component: Policy Enforcement Manager

Symptoms:
TMM crashes, stack trace in logs.

Conditions:
A virtual server listens on 0.0.0.0:3868, port 3868 is not disabled, and the VLAN list is not disabled for the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Block port 3868, or disable the virtual server's VLAN list, to prevent creation of the client-side connection.

Fix:
The client-side ingress data is now released, and the client-side connection is aborted later by the existing hud-handler.


542640-1 : bigd intentionally cores when it should shutdown cleanly

Component: Local Traffic Manager

Symptoms:
Bigd can core instead of graceful shutdown under certain error conditions where a core is not needed.

Conditions:
Anything that causes bigd to shut down under abnormal conditions.

Impact:
Bigd crash, core file created. Note that the shutdown scenario was already under error conditions, so this is not a sign that something has broken or failed outside that condition that caused the shutdown.

Fix:
Made bigd more selective about the situations where it self-cores on abnormal shutdown.


542564-1 : bigd detection and logging of load and overload

Component: Local Traffic Manager

Symptoms:
The bigd process cannot detect overload, and does not log its load status. This makes it difficult to determine whether bigd is close to its limits.

Conditions:
The bigd process might reach limits when there is very high load with high probe rate (monitor instances per second).

Impact:
bigd might fail to service monitors in a timely fashion, when under extreme load, which might result in 'flapping' nodes/pool members (where the node/pool member goes down and back up even though the server itself has not gone down).

Workaround:
-- Increase the probe interval for monitors so they probe less often.
-- Switch from more 'expensive' monitors (e.g., https) to simpler monitors (e.g., http, tcp, tcp half-open, icmp).

Fix:
This release provides modifications to peak performance to significantly reduce the chance of node flapping. In addition, the ability to monitor bigd load has been added.

Because bigd is not integrated with tmstats, the system logs load stats to the debug log file, /var/log/bigdlog. When debug logging is turned on, stats are mixed with the debug output. Load stats can be emitted independently with the following sys db var: modify sys db bigd.debug.timingstats value enable.

With this db variable enabled, the system emits bigd load data to the debug log periodically (every 15 seconds per bigd process). The columns correspond to these stats:
- load (0-100%) 1-minute mean.
- load (0-100%) 5-minute mean.
- number of monitor instances active for this bigd process.
- number of active file descriptors, 30-second average, this process.
- peak number of active file descriptors past 30 seconds, this process.

In addition, the system logs warning messages to /var/log/ltm when bigd reaches 80%, 90%, and 95% load levels. The system logs an overload error to /var/log/ltm when bigd detects it is overloaded. The load level indicating overload is in the bigd.overload.latency sys db variable, which is set to 98% load, by default.
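Because the load stats share the debug log with ordinary debug output, an operator who wants to alert on them has to pick the stats lines out and apply the same thresholds bigd uses. The added example below (not F5 code) does that for a constructed sample: the column order is the one documented above, but the line prefix and the "timingstats" marker are assumptions made for this example, not the real bigd output format, so the parser's marker and field split would need adjusting against a real /var/log/bigdlog. The 80/90/95 warning levels and the 98% bigd.overload.latency default are the values stated in this entry; treating 98 as "at or above" is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

# Default of the bigd.overload.latency db variable, as stated in this entry.
OVERLOAD_PCT = 98
# Load levels at which bigd logs warnings to /var/log/ltm.
WARN_PCTS = (80, 90, 95)

# Constructed sample lines. Column order follows the entry; the prefix and
# "timingstats" marker are assumptions for this example, not real bigd output.
SAMPLE_LOG = """\
bigd[2271]: timingstats 12.5 10.1 850 40.2 44
bigd[2271]: timingstats 83.0 61.7 2600 120.9 131
bigd[2271]: timingstats 99.2 88.4 3100 150.0 162
bigd[2271]: some unrelated debug line
"""


@dataclass
class BigdLoad:
    load_1m: float   # load (0-100%), 1-minute mean
    load_5m: float   # load (0-100%), 5-minute mean
    instances: int   # monitor instances active for this bigd process
    fds_avg: float   # active file descriptors, 30-second average
    fds_peak: int    # peak active file descriptors over the past 30 seconds


def parse_timingstats(line: str, marker: str = "timingstats") -> Optional[BigdLoad]:
    """Parse one load-stats line into its five documented columns. Return None
    for the ordinary debug output that is mixed into the same file."""
    if marker not in line:
        return None
    fields = line.split(marker, 1)[1].split()
    if len(fields) != 5:
        return None
    try:
        return BigdLoad(float(fields[0]), float(fields[1]), int(fields[2]),
                        float(fields[3]), int(fields[4]))
    except ValueError:
        return None


def load_level(load_pct: float, overload_pct: int = OVERLOAD_PCT) -> str:
    """Map a load percentage onto the levels bigd reports: 'ok', 'warn80',
    'warn90', 'warn95', or 'overload' at or above bigd.overload.latency."""
    if load_pct >= overload_pct:
        return "overload"
    level = "ok"
    for threshold in WARN_PCTS:
        if load_pct >= threshold:
            level = f"warn{threshold}"
    return level


def summarize(log_text: str) -> List[str]:
    """Return one level string per parsed stats line, in file order, using the
    1-minute mean as the alerting signal."""
    stats = (parse_timingstats(line) for line in log_text.splitlines())
    return [load_level(s.load_1m) for s in stats if s is not None]
```

The 1-minute mean is used for the level because it reacts to a probe-rate spike before the 5-minute mean does; an alert rule that wants fewer false positives can switch `summarize` to `load_5m`, or require both means to be above a threshold.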


542314-6 : TCP vulnerability - CVE-2015-8099

Vulnerability Solution Article: SOL35358312


542282 : Portal Access performance is lower for small size payloads

Component: Performance

Symptoms:
Portal Access performance is lower for small size payloads.

Conditions:
Using Portal Access using "resource assign" in access policy.

Impact:
Slower page load by client application when using APM portal access.

Fix:
Improved internal communication between APM modules to address this performance drop.


542009-1 : tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.

Component: Local Traffic Manager

Symptoms:
tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message. You might notice the following in /var/log/ltm prior to the core:
notice MPI stream: connection to node nodedadress expired for reason: Internal error (bad magic) (mpi_proxy.c:664)

Conditions:
This is an internal condition related to TMMs passing messages between each other. The cause of the invalid internal message is unknown.

Impact:
tmm might loop, using 100% of CPU, and eventually get killed by sod.

Workaround:
None.

Fix:
tmm no longer loops and gets killed by sod when the system tries to process an invalid MPI message.


541978-1 : Using nonexistent perflow variables in per-request policy agent's VPE results in system crash

Component: Access Policy Manager

Symptoms:
When using nonexistent per flow variables in per-request policy agent's VPE, TMM core and service failover.

Conditions:
When nonexistent per flow variables in per-request policy agent's VPE are used.

Impact:
TMM crash resulting in failover.

Workaround:
Avoid adding non-published perflow variables in per-request policy VPE.

Fix:
Added check for nonexistent perflow variable and error log for non-existing perflow variables.


541852-2 : ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails

Component: Application Security Manager

Symptoms:
The "validationFiles" field cannot be modified via a PATCH call and fails validation.
Even if validationFiles is passed back in unmodified, the call still fails.

Conditions:
An ASM REST client attempts to PATCH the mgmt/tm/asm/policies/<ID>/xml-profiles/<ID> endpoint using "validationFiles"

Impact:
The XML Profile cannot be modified

Workaround:
The user can PATCH the object without supplying this field.
However if there were Validation Files before, then Bug 541406 will affect them, removing the existing Validation Files. The XML validation file association task would then need to be run again.

Fix:
ASM REST: The system correctly recognizes that the validationFiles field has not changed in value and does not fail the call.


541592-2 : PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions

Component: Policy Enforcement Manager

Symptoms:
RADIUS Start and Stop do not trigger any Diameter traffic except DWR/DWA.

Conditions:
Diameter virtual reconfiguration and possibly any virtual configuration change might trigger this behavior.

Impact:
Subscriber sessions created by RADIUS are not provisioned by the PCRF. Deleted sessions and usage reports are also not reported to the PCRF.

Workaround:
Restarting TMM is the only workaround for now.

Fix:
The issue has been fixed. Changing the Diameter configuration no longer stops CCR-I/U/T messages from going out.


541571-2 : FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force-deleted may not repopulate as expected.

Conditions:
Sync group, multiple FQDNs resolving to different IP addresses.
FQDNs deleted and re-created, with IP addresses swapped from deleted nodes to re-created ones.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:
None.

Fix:
FQDN ephemeral nodes are now repopulated after being force-deleted and re-created with different IP addresses.


541569-2 : IPsec NAT-T (IKEv1) not working properly

Component: TMOS

Symptoms:
The incorrect source port is chosen for the IPsec/IKE NAT-T UDP-encapsulated traffic. When IKE floats the port after a NAT device is detected, it should use port 4500 for both its source port and destination port.

Conditions:
NAT traversal is enabled on the IKE Peer configuration object and NAT device is detected during IKE negotiation.

Impact:
When NAT-T is enabled, IPsec tunnel cannot be established.

Workaround:
None.

Fix:
Now, when NAT-T is enabled, IPsec tunnel can be established as expected.


541406-2 : ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request

Component: Application Security Manager

Symptoms:
Updating an XML Profile via ASM REST with a partial body (for example, only an updated description) removes all attached WSDL validation files, as if the request had also included:

"validationFiles": []

Conditions:
XML Profiles that use validation files are updated via REST.

Impact:
If the full validation files structure is not re-iterated in the body, then the entire list of WSDL validation files will be emptied. This will cause the XML Schema to not be validated properly during enforcement.

Workaround:
Run the validation file association task again after updating the XML Profile

Fix:
ASM REST now correctly updates only specified fields on a PATCH request.


541316-4 : Unexpected transition from Forced Offline to Standby to Active

Component: TMOS

Symptoms:
If a BIG-IP configuration is reset to default, and then restored from a saved UCS that was taken while the system was Forced Offline, the system will be restored to the Forced Offline state, but the state may not persist across reboots.

Conditions:
Restore a saved UCS that was created while the BIG-IP system was Forced Offline.

Impact:
System may unexpectedly go Active after a reboot.

Workaround:
None.

Fix:
Device forced offline remains forced offline after restoring a UCS and rebooting.


541156-1 : Network Access clients experience delays when resolving a host

Component: Access Policy Manager

Symptoms:
The DNS Relay proxy for Network Access clients operating in split-tunnel mode intercepts a client's DNS request for a non-matching host and will forward it to the client's local DNS server. If the client contains multiple NICs, one containing a down or invalid DNS server, this could cause a delay in resolving the host.

Conditions:
Network Access with the DNS Relay Proxy configured
A client machine has multiple NICs
One of the NICs has an invalid or down DNS server configured
Client attempts to resolve a host not matching the Network Access policy

Impact:
Clients will experience unusual delays (10+ seconds) when resolving hosts.

Workaround:
Clients can check their system setup and remove the affected interfaces that contain an invalid DNS server (virtual machine network adapters are becoming increasingly common and can exhibit this), or they can ensure that they are mapped only to valid DNS servers that can resolve the host.

Fix:
The DNS Relay proxy will now avoid sending DNS requests to down DNS servers for DNS requests that do not match the Network Access policy while Network Access is connected.


540923-2 : TMSH list node filtering no longer filters correctly.

Component: TMOS

Symptoms:
In some circumstances the use of filters in the 'tmsh list ltm node' command no longer works correctly, returning all values instead.

Conditions:
Use of filter in the 'tmsh list ltm node' command.

Impact:
Filter is not applied, so all results are returned.

Workaround:
None.

Fix:
TMSH now filters correctly when using the tmsh list ltm node command.


540893-4 : Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.

Component: Local Traffic Manager

Symptoms:
Flows for a syncookie-enabled listener might occasionally receive a RST after responding correctly to a syncookie challenge.

Conditions:
-- Fast Flow Forwarding is enabled.

-- At least one tmm thread is heavily loaded but has not reached its syncookie thresholds, while at least one tmm thread is less heavily loaded but has met its syncookie threshold.

Impact:
Occasional clients take an incorrect path and have their valid syncookie ACKs rejected with a TCP RST and must retry.

Workaround:
Set db variable tmm.ffwd.enable = false.

Doing this may modestly reduce peak performance on CPU bound loads.

Fix:
Fixed occasional RST in response to valid syncookie ACKs when under uneven load.


540871-2 : Update/deletion of SNMPv3 user does not work correctly

Component: TMOS

Symptoms:
After creation of an SNMPv3 user via the GUI, SNMP operations for that user do not work if the admin subsequently modifies the user. Deletion of the SNMPv3 user also does not work correctly.

Conditions:
Save (even without modification) an SNMPv3 user after creation, or delete an SNMPv3 user.

Impact:
SNMP operations for that user do not work if the admin subsequently modifies the user. TMSH reports a deleted user as gone, but net-snmp does not process the deletion.

Workaround:
None.

Fix:
Using the GUI to update/delete SNMPv3 users now works as expected.


540849-6 : BIND vulnerability CVE-2015-5986

Vulnerability Solution Article: SOL17227


540846-6 : BIND vulnerability CVE-2015-5722

Vulnerability Solution Article: SOL17181


540767-3 : SNMP vulnerability CVE-2015-5621

Vulnerability Solution Article: SOL17378


540568-1 : TMM core due to SIGSEGV

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed an intermittent tmm core related to Bug 540571.


540484-1 : "show sys pptp-call-info" command can cause tmm crash

Component: Carrier-Grade NAT

Symptoms:
Core when "show sys pptp-call-info" is called.

Conditions:
On a BIG-IP with a FastL4 virtual server forwarding PPTP GRE traffic, the TMSH "show sys pptp-call-info" command can cause TMM to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not issue the "show sys pptp-call-info" command on a BIG-IP that is forwarding PPTP GRE traffic.

Fix:
Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server.


540473-3 : peer/clientside/serverside script with parking command may cause tmm to core.

Component: Local Traffic Manager

Symptoms:
When the peer/clientside/serverside iRule contains parking commands, tmm might core upon connection reuse.

Conditions:
1. The iRule used in peer/clientside/serverside contains a parking command.

2. The connection is reused. This might occur in OneConnect configurations, for example.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use parking commands in cases where the system might reuse the connection.

Fix:
When the peer/clientside/serverside iRule contains parking commands, tmm no longer cores upon connection reuse.


540456-1 : Policy deployment fails when deploying to a non-source device

Component: TMOS

Symptoms:
When deploying to a non-source device, policy objects may be deleted, resulting in deployment errors.

Conditions:
A large policy is added to a source device and deployed to a non-source device; the policy is then removed from the source and deployment is run again, causing deployment errors.

Impact:
Failed policy deployment

Workaround:
N/A

Fix:
The policy handler was fixed to prevent the exception.


540390-3 : ASM REST: Attack Signature Update cannot roll back to older attack signatures

Component: Application Security Manager

Symptoms:
There is no way to roll back to an older attack signature update using the REST interface

Conditions:
REST is used to manage Attack Signature Updates on a BIG-IP device, and an older version than the currently installed file is desired to be installed.

Impact:
REST clients have no way to fully manage Attack Signature Updates for the BIG-IP

Workaround:
The GUI can be used to roll back to an earlier version

Fix:
The REST API now supports the "allowOlderTimestamp" field on the update-signatures task, which allows rolling back to an older attack signature update using the REST interface.

POST https://<host>/mgmt/tm/asm/tasks/update-signatures/
{
  "allowOlderTimestamp": true,
  <Rest of body as usual>
}


540328-1 : SSL key/certificate/csr file renewal/overwrite fails silently.

Component: TMOS

Symptoms:
When renewing or overwriting SSL key/cert/CSR files using the GUI or iControl, the file names are updated but the file contents remain unchanged. The replacement fails silently, with no error to notify the user.

Conditions:
Renewing or overwriting SSL key/cert/CSR files using the GUI or iControl.

Impact:
Users may continue to use the old key/cert/CSR without being notified that the replacement failed, until it causes a problem (for example, an expired certificate).

Workaround:
Delete the key/cert/CSR and create it again with the same name, instead of using the renew/overwrite option in the GUI or iControl to replace the existing files.

Fix:
With the fix, key/cert/CSR files can be successfully replaced using the renew/overwrite option in the GUI or iControl.


540213-1 : mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary

Component: Local Traffic Manager

Symptoms:
When a secondary blade's mcpd starts up, it may continually restart, failing to load, when the primary blade has a certain configuration. The easiest way to reproduce this is to insert a new blade into an existing running cluster.

This will happen when a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default).

It is not possible to create such self IPs unless the DB variable is first enabled, the object is created, and then the DB variable is disabled.

In certain scenarios, a secondary blade's mcpd may go into a restart loop when receiving the configuration from the primary blade if IPv4 link-local self IP addresses (enabled by the DB key config.allow.rfc3927) are in use.

Conditions:
This happens only on MCP startup on secondary blades, when a link local IPv4 self IP is configured, and when the DB variable config.allow.rfc3927 is set to disabled (which is the default).

Impact:
Secondary blade will not become part of the cluster and will not be able to process traffic. Continual log messages will show up on existing blades announcing that mcpd is continually restarting.

Workaround:
Enable the config.allow.rfc3927 DB variable on the primary to suspend this validation.

Fix:
When a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default), mcpd would previously fail to start on a newly inserted secondary blade. This no longer occurs.


540174-1 : CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1623.html

Vulnerability Solution Article: SOL17307 SOL17309


540018-1 : Multiple Linux Kernel Vulnerabilities

Vulnerability Solution Article: SOL16429 SOL15685 SOL15912


539923 : BIG-IP APM access logs vulnerability CVE-2016-1497

Vulnerability Solution Article: SOL31925518


539822 : tmm may leak connflow and memory on vCMP guest.

Component: TMOS

Symptoms:
tmm may leak connflow and memory on vCMP guests.

Conditions:
This occurs on a vCMP guest when only one tmm is provisioned on the blade.

Impact:
tmm leaks memory and might eventually crash from an out-of-memory condition.

Workaround:
Provision more than one tmm.

Fix:
tmm no longer leaks connflows and memory on vCMP guests when only one tmm is provisioned.


539784-3 : HA daemon_heartbeat mcpd fails on load sys config

Component: TMOS

Symptoms:
A particular stage of validation can take longer than the ha-daemon heartbeat interval, and while nothing is actually wrong, the system responds as if there is an unresponsive daemon, so the system restarts it.

Conditions:
iRules must be present in the configuration that the system is loading.

Impact:
MCPd restarts.

Workaround:
On the BIG-IP system, run the command: tmsh mod sys daemon-ha mcpd heartbeat disabled.

Fix:
Added additional heartbeats during validation, so HA daemon_heartbeat mcpd no longer fails on load sys config.


539336-1 : Missing Setting in Security Policy XML Export

Component: Application Security Manager

Symptoms:
The option to choose whether updated signatures start in staging on a policy moved from being system wide to per policy.
This option was not included in the XML export of the policy and will therefore not be persisted across export/import if changed from the default.

Conditions:
The option to place updated signatures in staging is enabled and the policy is exported/imported via XML.

Impact:
The value for placing updated signatures in staging will revert to the disabled state.

This also affects Policy Templates if such a setting is desired to be a new custom template, since this is based on XML export/import.

Workaround:
The setting can be changed again after the XML policy is imported.

Fix:
Policies that have selected to put updated signatures in staging will correctly persist this value across XML export/import.


539270 : A specific NTLM client fails to authenticate with BIG-IP

Component: Access Policy Manager

Symptoms:
A specific NTLM client (such as Android Lync 2013) fails to authenticate with BIG-IP because it sends a particular NTLMSSP_NEGOTIATE message that BIG-IP was unable to parse, causing an error. This stops the authentication process, and the client never completes authentication.

Conditions:
Specific NTLM client. It is not clear whether this issue affects a particular version of Android Lync 2013 or a particular Android version.

Impact:
The client cannot complete authentication and is therefore not allowed to access protected resources.

Workaround:
No workaround exists for the affected clients.

Fix:
The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate.


539229-2 : EAM core while using Oracle Access Manager

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
This event can be triggered while using the Oracle Access Manager.

Impact:
An unhandled exception will cause EAM to core and possible access outage.

Workaround:
No workaround

Fix:
EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used.


539201-1 : Endpoint Management System type 'Fiberlink' is now called 'IBM MaaS360'

Component: Access Policy Manager

Symptoms:
The 'Fiberlink' option appears in the dropdown instead of 'IBM MaaS360'.

Conditions:
Open BIG-IP with the APM module licensed. Go to the 'Access Policy' tab -> 'AAA Servers' -> 'End Point Management Systems' and check the Type dropdown.

Impact:
The dropdown shows 'Fiberlink' instead of 'IBM MaaS360'.

Workaround:
n/a

Fix:
APM now refers to IBM's Endpoint Management System by its correct name 'IBM MaaS360'.


539130-1 : bigd may crash due to a heartbeat timeout

Component: Local Traffic Manager

Symptoms:
bigd crashes and generates a core file.

The system logs entries in /var/log/ltm that are similar to the following: sod[5853]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.

This issue is more likely to occur if /var/log/ltm contains entries similar to the following: info bigd[5947]: reap_child: child process PID = 9198 exited with signal = 9.

Conditions:
External monitors that run for a long time and are killed by the next iteration of the monitor. For example, the LTM external monitor 'sample_monitor' contains logic to kill a running monitor if it runs too long.

Impact:
bigd crashes and generates a core file. Monitoring is interrupted.

Workaround:
None.

Fix:
External monitors that run for a long time and are killed by the next iteration of the monitor now recover without bigd crashing and generating a core file.

Behavior Change:
bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled) rather than in /var/log/ltm. This allows the logging to be controllable.

Successful command exits are also logged for completeness, since these log messages only appear when debugging is enabled.


539125-3 : SNMP: ifXTable walk should produce the available counter values instead of zero

Component: TMOS

Symptoms:
The SNMP ifXTable is presenting zeros for attributes hc_in_multicast_pkts and hc_out_multicast_pkts. However, this data is available on the BIG-IP and should be presented.

Conditions:
snmpwalk the ifTable and the ifXTable. The ifTable shows Counter32 values for attributes in_multicast_pkts and out_multicast_pkts, but the ifXTable shows zeros for the Counter64 equivalent attributes hc_in_multicast_pkts and hc_out_multicast_pkts (except for vlans, which are correct).

Impact:
Inability to characterize/view counts for the above-referenced multicast packets via SNMP.

Fix:
The snmp walk described in the Symptom/Known issues field gives meaningful results after application of this hotfix.


539018-4 : TMM stack trace when killed by monitoring process while stuck in a loop is always logged in the parent TMM thread log file.

Component: Access Policy Manager

Symptoms:
When TMM is stuck in a loop and killed by the monitoring process, the stack trace is always logged in the parent TMM thread's log file instead of the looping TMM thread's log file.

Conditions:
TMM is stuck in a loop and aborted by the monitor process.

Impact:
It is unclear which TMM thread was looping and caused the crash and failover.

Fix:
All TMM threads are now registered with the monitor process. The monitor process signals the TMM thread that is actually looping, so the stack trace is written to that thread's log file.


539013-1 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- Running Microsoft Windows version 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.

Fix:
After the VPN connection has been established, DNS resolution now works on a Windows 10 desktop with multiple NICs where one NIC is disconnected and has a statically assigned IPv4 configuration.


538837-2 : REST: Filtering login pages or parameters by their associated URL does not work

Component: Application Security Manager

Symptoms:
When attempting to filter the collection of configured login pages by their URL, the full list is returned instead of the desired results.
The same problem exists for URL level Parameters.

Conditions:
The login-pages or parameters collection endpoints are queried with the following $filter: $filter=url/name eq '<URL NAME>'

Impact:
Incorrect results are returned to the REST client

Workaround:
None.

Fix:
REST $filter for associated URLs on login-pages and parameters endpoints now works correctly.
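The entry above describes a $filter expression of the form `url/name eq '<URL NAME>'` being ignored, so the REST client silently receives the whole collection. The following is an added example (not F5 code and not the BIG-IP implementation) of how such a filter should be evaluated against a collection: the expression is parsed, the nested property path is resolved, and an expression the evaluator does not understand raises an error instead of falling back to returning everything. The records and URL names are constructed for this example.

```python
import re

# Constructed sample records, shaped like ASM login-page objects that carry an
# associated URL object. The names are made up for this example.
LOGIN_PAGES = [
    {"id": "lp1", "url": {"name": "/login"}},
    {"id": "lp2", "url": {"name": "/admin/login"}},
    {"id": "lp3", "url": {"name": "/api/o'brien"}},
]

# Grammar accepted here: <path> eq '<string>', where <path> is a '/'-separated
# property path and a literal single quote inside the string is written as ''.
_FILTER_RE = re.compile(
    r"^\s*([A-Za-z_]\w*(?:/[A-Za-z_]\w*)*)\s+eq\s+'((?:[^']|'')*)'\s*$"
)


def parse_filter(expr):
    """Parse "<path> eq '<value>'" into (path components, unescaped value).

    Anything outside the supported grammar is rejected explicitly; the
    failure mode described in the release note (filter ignored, full list
    returned) is exactly what a silent fallback would produce.
    """
    match = _FILTER_RE.match(expr)
    if not match:
        raise ValueError("unsupported $filter expression: %r" % expr)
    path, raw_value = match.group(1), match.group(2)
    return path.split("/"), raw_value.replace("''", "'")


def resolve_path(record, path):
    """Walk a nested property path such as ['url', 'name']; None if absent."""
    node = record
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def apply_filter(records, expr):
    """Return only the records whose property at <path> equals <value>."""
    path, value = parse_filter(expr)
    return [r for r in records if resolve_path(r, path) == value]


def filter_ids(expr, records=LOGIN_PAGES):
    """Convenience wrapper returning just the ids of the matching records."""
    return [r["id"] for r in apply_filter(records, expr)]


if __name__ == "__main__":
    print(filter_ids("url/name eq '/login'"))
    print(filter_ids("url/name eq '/api/o''brien'"))
```

The single-quote escaping (`''`) matters in practice because URL names can contain quotes; a filter evaluator that does not unescape would never match such records and, worse, one that falls back to "no filter" on a parse failure would over-return.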


538827-2 : Getting error when trying to update collection of gwt-profiles with override metacharacters

Component: Application Security Manager

Symptoms:
Attempting to update a collection of gwt-profiles with override metacharacters returns an error message.

Conditions:
1) Create default policy "policy1";
2) Create a default gwt profile;
3) Send the REST API request:
PATCH https://172.29.69.226/mgmt/tm/asm/policies/6224t7jz2UltQZsOfifTog/gwt-profiles HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/json
Accept: application/json
Content-Length: 114
Host: 172.29.69.226
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Authorization: Basic YWRtaW46YWRtaW4=

{
"metacharElementCheck": true,
"metacharOverrides": [{
      "isAllowed": false,
      "metachar": "0x9"
   }]
}

Impact:
Unable to update collection of gwt-profiles with override metacharacters

Workaround:
Update one gwt-profile with override metacharacters at a time.

Fix:
REST API: The system can update a collection of GWT/JSON/XML profiles with override metacharacters.


538784-2 : ICAP implementation incorrect when HTTP request or response is missing a payload

Component: Service Provider

Symptoms:
The ICAP request sent to the ICAP server always contains a payload even if the HTTP request or response to be modified does not contain one.

Conditions:
HTTP request or response does not contain a payload.

Impact:
If an HTTP request or response to be modified does not contain a payload, the ICAP client sends a zero-byte HTTP payload instead.

Workaround:
None.

Fix:
The system now correctly identifies an empty HTTP payload and sends the appropriate ICAP header, identifying that there is no HTTP payload included.
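To make the fix above concrete: in ICAP (RFC 3507) the Encapsulated header tells the server what follows the ICAP headers, and an HTTP message without a body is announced with a `null-body=<offset>` entry rather than a `req-body`/`res-body` entry followed by an empty chunked body. The following is an added example, not F5 code and not the BIG-IP ICAP client, that builds both the corrected request and the pre-fix shape the entry describes (a zero-byte chunked payload) and parses the header back. The ICAP host, service URI and sample HTTP request are constructed for this example.

```python
# ICAP request construction with a correct Encapsulated header (RFC 3507).

# Constructed sample HTTP request with headers only and no payload.
SAMPLE_HTTP_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"\r\n"
)

# Which encapsulated section name an ICAP method carries.
_SECTION = {"REQMOD": "req", "RESPMOD": "res"}


def chunked(body):
    """Encode a body with HTTP chunked transfer coding, as ICAP requires."""
    return ("%x\r\n" % len(body)).encode() + body + b"\r\n0\r\n\r\n"


def encapsulated_header(http_headers, body, section):
    """Build the Encapsulated header for a 'req' or 'res' section.

    Offsets are byte offsets from the start of the encapsulated data. The HTTP
    header block (including its terminating CRLFCRLF) sits at offset 0, and
    the body, or the null-body marker, starts where the header block ends.
    """
    body_offset = len(http_headers)
    if body:
        return "Encapsulated: %s-hdr=0, %s-body=%d" % (section, section, body_offset)
    return "Encapsulated: %s-hdr=0, null-body=%d" % (section, body_offset)


def build_icap_request(method, service_uri, http_headers, body=b"",
                       icap_host="icap.example.test"):
    """Correct behaviour: an empty HTTP body yields null-body and no chunks."""
    if method not in _SECTION:
        raise ValueError("unsupported ICAP method: %r" % method)
    section = _SECTION[method]
    icap_head = "\r\n".join([
        "%s %s ICAP/1.0" % (method, service_uri),
        "Host: %s" % icap_host,
        encapsulated_header(http_headers, body, section),
    ]).encode() + b"\r\n\r\n"
    payload = chunked(body) if body else b""
    return icap_head + http_headers + payload


def build_icap_request_prefix_bug(method, service_uri, http_headers, body=b"",
                                  icap_host="icap.example.test"):
    """Pre-fix shape from the release note: always claims a body and sends a
    zero-length chunked payload even when the HTTP message has none."""
    section = _SECTION[method]
    icap_head = "\r\n".join([
        "%s %s ICAP/1.0" % (method, service_uri),
        "Host: %s" % icap_host,
        "Encapsulated: %s-hdr=0, %s-body=%d" % (section, section, len(http_headers)),
    ]).encode() + b"\r\n\r\n"
    return icap_head + http_headers + chunked(body)


def parse_encapsulated(icap_request):
    """Return the Encapsulated header of an ICAP request as {section: offset}."""
    icap_head = icap_request.split(b"\r\n\r\n", 1)[0]
    for line in icap_head.split(b"\r\n"):
        if line.lower().startswith(b"encapsulated:"):
            entries = line.split(b":", 1)[1].decode().split(",")
            return {k.strip(): int(v) for k, v in (e.split("=") for e in entries)}
    raise ValueError("Encapsulated header missing")


if __name__ == "__main__":
    uri = "icap://icap.example.test/reqmod"
    print(build_icap_request("REQMOD", uri, SAMPLE_HTTP_REQUEST).decode())
    print(build_icap_request("REQMOD", uri, SAMPLE_HTTP_REQUEST, b"a=1").decode())
```

A server-side check is the mirror image: if the Encapsulated header carries `req-body`/`res-body`, chunked data must follow; if it carries `null-body`, nothing follows the HTTP header block, and a scanner that treats a zero-length chunk as "empty file" will behave differently from one told explicitly that there is no entity.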


538761-2 : scriptd may core when MCP connection is lost

Component: TMOS

Symptoms:
Loss of the MCP connection may cause scriptd to core.

Conditions:
Unknown; only known to reproduce in an F5 internal test.

Impact:
None known.

Fix:
A possible case of scriptd dumping core has been fixed.


538663-2 : SSO token login does not work due to remote role update failures.

Component: TMOS

Symptoms:
SSO token login does not work due to remote role update failures.

Conditions:
SSO between Enterprise Manager (EM) and a BIG-IP system using a third party authentication system, such as LDAP.

Impact:
Incorrect role assignment causing SSO login to not work. The system posts messages similar to the following:

-- notice mcpd[6165]: 01070829:5: Input error: Remote user message dropped (adm184789 in [All]) because duplicate partition.
-- err mcpd[6165]: 01070827:3: User login disallowed: User (adm184789) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.

Workaround:
Log in using remote user credentials on the BIG-IP system. This properly updates the role for the remote user.

Fix:
SSO token login now works with the correct role assignments to a remote user.


538639-2 : P-256 ECDH performance improvements

Component: Local Traffic Manager

Symptoms:
Recent changes in the TLS clients to only use perfect forward secrecy (PFS) ciphersuites in default configuration may degrade TLS handshake rate on BIG-IP, may cause higher CPU utilization on the BIG-IP, or both.

An example of a recent change is Apple iOS's App Transport Security changes to only enable ECDH ephemeral ciphersuites (the ciphersuites with the ECDHE suffix).

Conditions:
A large portion of TLS clients offer only ECDHE ciphersuites in their TLS ClientHello, the average TLS session is small (for example, kilobytes), and TLS session resumption is not used. In other words, conditions under which TLS handshakes are likely to negotiate ECDHE ciphersuites for short sessions.

Impact:
With this improvement, the TLS handshake rate with a ciphersuite ECDHE-RSA-AES128-GCM-SHA256 is expected to be ~50% higher on hardware platforms without Intel Cave Creek acceleration (released in 2015 and earlier). Internal testing has shown variations in the improvement between 20% and 80% with this enhancement. The comparison is against the current 12.0.x (or 11.6.x) release.

The performance of ECDSA with P-256 was also improved.

Conversely, previous versions of the BIG-IP will have correspondingly lower performance, or worse for older releases.

Workaround:
Order ciphersuite selection so that ECDH ciphersuites are least preferred.

One method is to ensure that the clientssl profile's cipher string contains 'ecdhe:ecdhe_ecdsa' at the end of the list. This only matters when non-PFS ciphersuites are allowed in the profile and are offered by the client.

Fix:
Performance improvements for P-256 ECDH and ECDSA algorithms.


538603 : TMM core file on pool member down with rate limit configured

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.

Conditions:
This occurs when the following conditions are met:
- service-down-action reselect.
- rate limit specified.
- traffic load balanced to pool members.
- traffic is over the rate for all pool members.
- all pool members go down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove rate-limit configuration.

Fix:
TMM no longer produces a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.


538566-1 : Timer policy rule with "unspecified" idle-timeout

Component: Advanced Firewall Manager

Symptoms:
If a timer policy has a protocol- or port-specific rule with idle-timeout configured as "unspecified", and an "all-other" rule as well, the timeout applied to the flow must be the Idle Timeout configured in the default "Protocol Profiles" configuration.

Conditions:
1. A timer policy configuration has a protocol- or destination-port-specific rule with idle-timeout configured as "unspecified", and an "all-other" rule is also configured in the same policy; and
2. A connection matches the timer policy rule with the "unspecified" idle-timeout value.

Impact:
The idle timeout policy enforcement does not happen as expected with this specific rule combination.

Workaround:
It is recommended not to have any Timer Policy Rule with "unspecified" timeout value.


538255-5 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a BIG-IP 2000 or 4000 platform might experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


538198-1 : Security warning popup on tunnel establishment

Component: Access Policy Manager

Symptoms:
User may see additional security warning during launch of Java Application Tunnel: "This web site is requesting access and control of the Java application shown above. Allow access only if you trust the web site and know that the application is intended to run on this site."

Conditions:
This problem occurs when the Java AppTunnel Applet tries to call a JavaScript function on a web page to provide additional information about established tunnels.

Impact:
APM + Java AppTunnels

Workaround:
none

Fix:
The web page now requests the information from the Applet, instead of the Applet calling a JavaScript function.


538195-2 : Incremental Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration.
This precluded the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in an Incremental Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older configuration and then push the changes to the peer.

Fix:
Older ASM configurations can now be pushed to a peer in an incremental sync manual device group.


538192-1 : Response for sesstimeout.js contains two cache-control http headers.

Component: Access Policy Manager

Symptoms:
Response for sesstimeout.js contains two cache-control http headers.

Conditions:
Always.

Impact:
The browser may use either of the supplied headers.

Workaround:
none

Fix:
The second cache-control header was removed.


538133-3 : Only one action per sensor is displayed in sensor_limit_table and system_check

Component: TMOS

Symptoms:
A list of sensors is displayed in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit. On the affected versions, each sensor item is displayed only once, even if multiple limits and actions are defined for the sensor. Additional limits and actions defined for the sensor are not displayed.

Conditions:
This problem occurs when the affected version of the BIG-IP software is running on the following hardware platforms:
BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances and VIPRION B2100, B2150, B2250 blades.

Impact:
The system does not show the complete set of defined sensor limits and corresponding BIG-IP system actions when there are multiple limits and actions defined. Only one action is displayed for each sensor.
The system_check utility will only evaluate sensor measurements against limits that appear in its sensor limit tables. Missing sensor limits will not be evaluated, and corresponding alerts will not be issued.

Workaround:
None.

Fix:
The system now shows a list of sensors in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit.


538024-2 : Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load

Component: TMOS

Symptoms:
Configuration fails to load with an error similar to the following: A port number or service name is missing for '/Common/any6%2.0'. Please specify a port number or service name using the syntax '/Common/any6%2.0:<port>'.

Conditions:
Configuration contains a virtual with destination address in the form of: any6%<route domain>.<port>.

Impact:
Configuration load failure.

Workaround:
None.

Fix:
The BIG-IP system now uses the correct port delimiter when parsing destination addresses containing a named wildcard service and non-default route domain.
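The load failure above comes from the port delimiter: in BIG-IP destination syntax an IPv4 address takes `:` before the port and an IPv6 address takes `.`, and the named wildcards `any` and `any6` follow the family they stand for, so `any6%2.0` is well formed and `any6%2.0:<port>` (what the error demanded) is not. The following is an added example, not F5 code and not the parser in mcpd, of a strict parser for this syntax that picks the delimiter from the address family and rejects mismatches with an explicit error. Port values are kept as strings because the page says a service name is also accepted; the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Named wildcards and the address family each stands for.
NAMED_WILDCARDS = {"any": 4, "any6": 6}
# Port delimiter by address family: IPv4 uses ':', IPv6 uses '.'.
PORT_DELIM = {4: ":", 6: "."}


@dataclass
class Destination:
    host: str
    family: int
    route_domain: int
    port: str          # a number or a service name; left unresolved here


def _family(host):
    """Address family of a host string: named wildcard or literal address."""
    if host in NAMED_WILDCARDS:
        return NAMED_WILDCARDS[host]
    return ipaddress.ip_address(host).version


def _missing_port(text, expected):
    return ValueError(
        "A port number or service name is missing for '%s'. "
        "Expected the syntax '%s<port>' for this address family." % (text, expected)
    )


def parse_destination(text):
    """Parse '<addr>[%<rd>]<delim><port>', optionally prefixed by a partition path."""
    name = text.rsplit("/", 1)[-1]          # drop '/Common/' style prefix

    if "%" in name:
        # Route-domain form: the family is known from the host part, so the
        # delimiter is fixed before we look for the port.
        host, rest = name.split("%", 1)
        family = _family(host)
        delim = PORT_DELIM[family]
        if delim not in rest:
            raise _missing_port(text, "%s%%<rd>%s" % (host, delim))
        rd_text, port = rest.split(delim, 1)
        route_domain = int(rd_text)         # non-numeric rd raises ValueError
    else:
        # No route domain: infer the family from the shape of the string, then
        # confirm it against the parsed host.
        if name.startswith("any6") or (not name.startswith("any") and name.count(":") >= 2):
            delim = "."
        else:
            delim = ":"
        if delim not in name:
            raise _missing_port(text, name + delim)
        host, port = name.rsplit(delim, 1)
        family = _family(host)
        if PORT_DELIM[family] != delim:
            raise _missing_port(text, host + PORT_DELIM[family])
        route_domain = 0

    if not port:
        raise _missing_port(text, name)
    return Destination(host, family, route_domain, port)


if __name__ == "__main__":
    for sample in ("/Common/any6%2.0", "10.1.1.1%3:80", "2001:db8::1.443", "any:http"):
        print(sample, "->", parse_destination(sample))
```

The pre-fix behaviour corresponds to treating `any6` as if it were an IPv4 name and demanding `:`; with the family looked up first, the `%2.0` suffix resolves to route domain 2 and port 0 as intended.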


537964-6 : Monitor instances may not get deleted during configuration merge load

Component: Local Traffic Manager

Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted.

This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following:

err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.

Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.

Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:

1. Save and re-load the configuration to correct the incorrect information in mcpd:

    tmsh save sys config partitions all && tmsh load sys config partitions all

2. Restart bigd:

    On an appliance:
    bigstart restart bigd

    On a chassis:
    clsh bigstart restart bigd

Fix:
Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.


537614-3 : Machine certificate checker fails to use Machine cert check service if Windows has certain display languages

Component: Access Policy Manager

Symptoms:
The machine certificate checker agent fails to use the machine certificate checker service if Windows has certain display languages, for example Polish.

In the failing case, the logs contain:
2015-08-04,18:37:59:042, 924,756,, 1, , 330, CCertCheckCtrl::CheckPrivateKey, EXCEPTION caught: CCertCheckCtrl::CheckPrivateKey - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 85, UCredMgrService::RpcConnect, EXCEPTION - Failed to set binding handle's authentication, authorization and security QOS info (RPC_STATUS: 1332)
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 88, RPCConnector::Connect, EXCEPTION caught: UCredMgrService::RpcConnect - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \MCClient.h, 86, MCClient::Verify, Failed to perform PRC-call:error=1702

Conditions:
Windows with a non-English display language.
The machine certificate checker is expected to use the Machine Certificate Checker service.

Impact:
The machine certificate check cannot be passed using the Machine Certificate Checker service.

Workaround:
Switch display language to English.

Fix:
Machine certificate checker service works now with a display language other than English.


537498 : Oracle Access Manager SSO with client certificates authentication may fail

Component: Local Traffic Manager

Symptoms:
The External Access Manager (eam) plugin may be unable to read a client certificate in a Single Sign On (SSO) configuration.

Conditions:
BIG-IP v12.0.0 with APM provisioned. A virtual IP is configured with a clientssl profile (client certificate setting is 'require'). OAM support is enabled, which activates the EAM plug-in.

Impact:
A properly configured BIG-IP with OAM SSO will not accept a valid client certificate.

Workaround:
Use another authentication mechanism besides client certificate.

Fix:
TMM now properly passes client certificate data to the EAM plug-in.


537435-2 : Monpd might core if asking for export report by email while monpd is terminating

Component: Application Visibility and Reporting

Symptoms:
Core file is created by monpd if you try to export a report by email while monpd is terminating.

Conditions:
Very rare. It can happen if a user asks to export a report by email in the middle of monpd's graceful termination (due to a restart or another reason); monpd then cores instead of terminating gracefully.

Impact:
None

Workaround:
Fixed the code to avoid this behavior.

Fix:
Exporting a report by email in the middle of monpd's graceful termination (due to restart or other reason) will no longer cause a core dump.


537326-3 : NAT available in DNS section but config load fails with standalone license

Component: Local Traffic Manager

Symptoms:
Config load fails with the following error:
01070356:3: NAT feature not licensed.
Unexpected Error: Loading configuration process failed.

Conditions:
A NAT object is created on a box with a GTM/LC standalone license.

Impact:
Config fails to load.

Workaround:
None.

Fix:
Configuration loading no longer fails with a NAT in DNS section.


537034-2 : PEM: CPU spike seen when an iRule is used to update non-existent sessions

Component: Policy Enforcement Manager

Symptoms:
CPU usage spikes and remains high, which eventually leads to a TMM core.

Conditions:
An iRule is used to update a session with policies when that session does not exist.

Impact:
CPU spike; TMM going down causes service downtime.

Workaround:
Make sure iRules are not used to update sessions that do not exist.

Fix:
The issue is fixed. No CPU spike occurs even if an iRule updates non-existent sessions.


537000-1 : Installation of Edge Client can cause Windows 10 crash in some cases

Component: Access Policy Manager

Symptoms:
Connecting to an APM box that supports Windows 10 can cause the OS to crash. After a reboot, the next attempt succeeds.

Conditions:
- Windows 10
- APM box supporting Windows 10
- The user installed the F5 VPN driver from an APM box that does not support Windows 10

Impact:
The user can lose some data.

Workaround:
Before connecting, old VPN driver instances must be removed manually using Device Manager.

Fix:
Installation of BIG-IP Edge Client on Windows 10 does not cause system crash anymore.


536932-1 : Under heavy load, BIG-IP may crash due to some operations not exiting properly

Component: Service Provider

Symptoms:
Under extreme load, as the BIG-IP system runs out of memory, some code does not exit properly when it fails to receive the memory it requested. This can cause the system to crash.

Conditions:
Processing and routing SIP messages on an overloaded system which is running out of memory may cause the TMOS software to crash.

Impact:
Processing and routing SIP messages on an overloaded system which is running out of memory may cause the TMOS software to crash.

Workaround:
None.

Fix:
Crashes no longer happen under extreme load.


536191-1 : Transparent inherited TCP monitors may fail on loading configuration

Component: Local Traffic Manager

Symptoms:
LTM monitor configuration may fail to reload from disk if the monitor name occurs alphabetically prior to the inherited-from monitor.

Conditions:
Monitor A inheriting from Monitor B, where both monitors are of type 'transparent'.

Impact:
Configuration from disk fails to load. System posts an error message similar to the following: 1070045:3: Monitor /Common/test1 type cannot have transparent attribute.
Unexpected Error: Loading configuration process failed.

Workaround:
Rename monitors so they occur in the required alphabetical order to support inheritance.

Fix:
Transparent inherited TCP monitors no longer fail on loading configuration.


535759-2 : SMTP monitor might mark the server down even if the server answers the HELO message.

Component: Local Traffic Manager

Symptoms:
The SMTP monitor marks a server down even when the server responds with a 250 message to the HELO command.

Monitor debug output might show the following error messages:

-- ERROR: failed to complete the transfer, error code: 28 error message: Time-out.
-- ERROR: failed to complete the transfer, error code: 56 error message: Recv failure: Connection reset by peer.

Conditions:
This occurs under any of the following conditions:

-- The monitored server does not close the TCP connection (does not send a FIN) after receiving a QUIT command from the client.

-- The server does not include the word 'Bye' in the 221 message in response to the 'quit' sent by the BIG-IP system.

-- The server issues a RST for any reason after the BIG-IP system has successfully received the 250 response to the HELO message.

Impact:
The monitored server is marked down when it is actually up.

Workaround:
None.

Fix:
SMTP monitor now considers the server up if it receives a successful response to the HELO command.


535246-3 : Table values are not correctly cleaned and can occupy entire disk space.

Component: Application Visibility and Reporting

Symptoms:
AVR data in MySQL might grow to fill all disk space.

Conditions:
This might occur when the DNS table receives a large number of entries that are not evicted when they are no longer needed.

Impact:
MySQL stops responding. Site might experience down time due to full disk.

Workaround:
If disk-space monitoring shows AVR data taking more than 70% of the space, reset the AVR data by running the following commands in sequence:
-- touch /var/avr/init_avrdb
-- bigstart restart monpd

Fix:
In this release, the system handles AVR data in MySQL so that database size no longer grows beyond a certain point.


535188-4 : Response Pages custom content with \n instead of \r\n on policy import.

Component: Application Security Manager

Symptoms:
After importing a policy with custom content on the Default Response Page, newlines are changed from \r\n to \n, which should not happen.

Conditions:
1. Create New Policy.
2. Go to Security : Application Security : Policy : Response Pages
3. On Default Response Page, change Response Type to 'Custom Response'.
4. Add line breaks ('Enters') to the 'Response Body' and save it. For example:
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected.
 Please consult with your administrator.<br><br>Your support



 ID is: <%TS.request.ID()%></body></html>
5. View the REST state of the response page and see that the newlines are represented by '\r\n'.
6. Export the policy to XML.
7. Import the policy back (replace the old policy).
8. The newlines in the content of the response page are now represented by '\n' instead of '\r\n'.

Impact:
After importing a policy with custom content on the Default Response Page, newlines are changed from \r\n to \n, which should not happen.

Workaround:
In the GUI, go to Security : Application Security : Policy : Response Pages, remove and re-add the line breaks ('Enters'), and click 'Save' for the default response page.

Fix:
After importing a policy with custom content on the Default Response Page, new lines are no longer changed from \r\n.


535101-2 : Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.

Component: Carrier-Grade NAT

Symptoms:
LSN configured in PBA mode can cause tmm to core if a connection needs to obtain resources from a remote tmm process. This occurs most frequently during heavy load or when a small translation space (a low number of translation addresses) is configured on the PBA lsnpool.

Conditions:
- LSN with PBA mode configured.
- udp_gtm_dns profile configured on the virtual server handling traffic.
- Heavy traffic or small translation space.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the udp_gtm_dns profile from the virtual server and replace it with a FastL4 profile.

Fix:
LSN pool configured with PBA mode no longer crashes with heavy load and udp_gtm_dns profile configured.


534901-2 : VMware View HTML5 client may load/initialize with delays

Component: Access Policy Manager

Symptoms:
When HTML5 client is used to access VMware View remote desktops, it may sometimes take about 30 seconds to initialize.

Conditions:
APM Webtop with a VMware View remote desktop assigned available for HTML5 client launch.

Impact:
Slow HTML5 client initialization.

Workaround:
- In the admin UI, go to Local Traffic -> Profiles: Services: HTTP and create a new HTTP profile.
- Set the "Response Chunking" option to Unchunk (or Rechunk) and save the profile.
- Assign this HTTP profile to the virtual server.

Fix:
Fixed the handling of chunked responses coming during the HTML5 client load.


534633-4 : OpenSSH vulnerability CVE-2015-5600

Vulnerability Solution Article: SOL17113


534582-5 : HA configuration may fail over when standby has only base configuration loaded.

Component: TMOS

Symptoms:
The active unit may fail over when only the base configuration is loaded on the standby system and HA communications are interrupted.

Conditions:
Only base configuration loaded on standby and HA communications are disrupted.

Impact:
Potential site outage.

Workaround:
Configure HA to use multiple network interfaces. Avoid loading only the base configuration on HA configurations.

Fix:
HA configuration no longer fails over when a standby system has only the base configuration loaded.


534555-1 : BIG-IP APM SAML and RSA v1.5 encryption key transport algorithm

Component: Access Policy Manager

Symptoms:
The BIG-IP APM SAML implementation by default does not support the deprecated RSA v1.5 key transport algorithm. F5 recommends against using this protocol, unless SAML interoperability is required for legacy 3rd party applications. Instead, RSA-OAEP should be used for key transport.

Symptoms differ based on BIG-IP APM usage:
1. When BIG-IP is used as SP, encrypted assertions with key transport algorithm 'RSA v1.5' will be rejected.

2. When BIG-IP is used as IdP, encrypted assertions will always use RSA-OAEP as key transport algorithm.

Conditions:
For BIG-IP as IdP:
- External SP requires use of RSA 1.5 as key transport algorithm for encrypted assertion or encrypted elements within assertion.

For BIG-IP as SP:
- External IdP generates assertion or encrypted elements within assertion using RSA 1.5 as key transport algorithm.

Impact:
SAML interoperability will fail with peers attempting to use RSA v1.5 key transport algorithm.

Workaround:
For BIG-IP used as SP - configure external IdP to use RSA-OAEP as encryption key transport algorithm.

There is no workaround for BIG-IP as IdP to generate encrypted assertions using RSA v1.5 as the key transport algorithm.

Fix:
Due to customer demand, starting with BIG-IP v12.1.0, the RSA v1.5 algorithm can be enabled manually on BIG-IP as IdP via TMSH, using this command:

modify apm sso saml <saml IdP object name> key-transport-algorithm rsa-v1.5

NOTE: Be sure to save the configuration after changes are made via TMSH.

Starting with BIG-IP v12.1.0, support for RSA v1.5 on BIG-IP as SP is enabled by default with no required configuration.


534458 : SIP monitor marks down member if response has different whitespace in header fields.

Component: Local Traffic Manager

Symptoms:
In certain circumstances the SIP monitor may incorrectly mark a SIP pool member down. This is due to the comparison the monitor makes of the standard header fields in the SIP monitor request to the response.

Conditions:
The SIP monitor request and the response differ in their use of whitespace in the header fields, for example, 'field:value' and 'field: value'.

Impact:
Unable to monitor the SIP pool member accurately using the standard SIP monitor because the pool member will be marked down.

Workaround:
Use other types of monitors, e.g., UDP.

Fix:
The SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differs.
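The comparison change this fix describes, as an added Python example that is not F5 code: the old check compares header lines byte for byte, so 'field:value' and 'field: value' never match, while the corrected check normalizes header names and whitespace per RFC 3261 before comparing. The SIP messages, field list and "2xx means up" rule are this example's own constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample monitor request and server responses (not captured traffic).
MONITOR_REQUEST = (
    "OPTIONS sip:monitor@10.0.0.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK-mon1\r\n"
    "From: <sip:bigip@10.0.0.1>;tag=mon1\r\n"
    "To: <sip:monitor@10.0.0.10>\r\n"
    "Call-ID: mon-1@10.0.0.1\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same transaction, but the server writes 'field:value' and pads some values.
RESPONSE_TIGHT = (
    "SIP/2.0 200 OK\r\n"
    "Via:SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK-mon1\r\n"
    "From:<sip:bigip@10.0.0.1>;tag=mon1\r\n"
    "To:   <sip:monitor@10.0.0.10>;tag=srv9\r\n"
    "Call-ID:mon-1@10.0.0.1\r\n"
    "CSeq:  1 OPTIONS\r\n"
    "Content-Length:0\r\n\r\n"
)
# A response to some other transaction: must still be rejected after normalization.
RESPONSE_OTHER_CALL = RESPONSE_TIGHT.replace("mon-1@10.0.0.1", "other-7@10.0.0.1")

# Compact header forms (RFC 3261 section 7.3.3) map to their long names.
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via", "l": "content-length"}
# Header fields this example requires to match between request and response.
MATCH_FIELDS = ("via", "from", "call-id", "cseq")


def header_block(message: str) -> List[str]:
    """Return the header lines of a SIP message, without the start line."""
    head = message.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


def raw_header_lines(message: str, field: str) -> List[str]:
    """Header lines that start with the exact 'Field:' spelling (old behaviour)."""
    return [line for line in header_block(message) if line.startswith(field + ":")]


def strict_match(request: str, response: str) -> bool:
    """Old behaviour: byte-for-byte comparison, so whitespace differences fail."""
    for field in ("Via", "From", "Call-ID", "CSeq"):
        if raw_header_lines(request, field) != raw_header_lines(response, field):
            return False
    return True


def parse_headers(message: str) -> Dict[str, List[str]]:
    """Parse headers into {lowercased long name: [values]}.

    Folded continuation lines (leading SP/HTAB) are joined to the previous
    line, names are lowercased and compact forms expanded, and runs of
    whitespace inside a value collapse to a single space.
    """
    unfolded: List[str] = []
    for line in header_block(message):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    headers: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, ignore it
        name = name.strip().lower()
        name = COMPACT.get(name, name)
        value = re.sub(r"\s+", " ", value.strip())
        headers.setdefault(name, []).append(value)
    return headers


def normalized_match(request: str, response: str) -> bool:
    """Corrected behaviour: compare the transaction headers after normalization."""
    req, resp = parse_headers(request), parse_headers(response)
    return all(req.get(field) == resp.get(field) for field in MATCH_FIELDS)


def status_code(response: str) -> int:
    """Status code of a SIP response, or 0 if the start line is not a status line."""
    parts = response.split("\r\n", 1)[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/"):
        return 0
    return int(parts[1]) if parts[1].isdigit() else 0


def member_is_up(request: str, response: str) -> bool:
    """Example monitor verdict: headers match and the response is a 2xx."""
    return normalized_match(request, response) and 200 <= status_code(response) < 300
```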


534374-1 : IdP Support pipe-separated session variables ( | a | b | c | ) as multi-valued attributes in SAML assertion

Component: Access Policy Manager

Symptoms:
SAML assertions generated by BIG-IP as SAML IdP may include attributes with pipe-separated values (e.g. '| a | b | c |') if multi-valued attributes are stored in the session database, for example:

<saml2:Attribute Name="name">
    <saml2:AttributeValue>| a | b | c |</saml2:AttributeValue>
</saml2:Attribute>

Conditions:
BIG-IP is used as IdP, and configured SAML attribute contains multiple pipe-separated values, e.g. AD group membership.

Impact:
Receiver of SAML assertion may not be able to parse pipe-separated values.

Workaround:
none

Fix:
Pipe-separated session variables are now separated into multiple values of assertion attribute. For example, given session variable value '| a | b | c |', assertion attribute will look similar to this:

<saml2:Attribute Name="name">
    <saml2:AttributeValue>a</saml2:AttributeValue>
    <saml2:AttributeValue>b</saml2:AttributeValue>
    <saml2:AttributeValue>c</saml2:AttributeValue>
</saml2:Attribute>
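The before/after behaviour of this fix, as an added Python example that is not F5 code: the session value is split on the pipe separators into separate saml2:AttributeValue elements, and a relying-party membership check is shown failing against the old single pipe-joined value and succeeding against the split values. Group names and attribute names are constructed; a value that itself contains a literal pipe cannot be represented in this format, which is noted in a comment.

```python
import xml.etree.ElementTree as ET
from typing import List

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML2_NS)
ATTRIBUTE = f"{{{SAML2_NS}}}Attribute"
ATTRIBUTE_VALUE = f"{{{SAML2_NS}}}AttributeValue"


def split_session_values(raw: str) -> List[str]:
    """Split an APM session variable such as '| a | b | c |' into ['a', 'b', 'c'].

    A value with no pipes is a single value. Empty segments produced by the
    leading/trailing pipes (or doubled pipes) are dropped and whitespace is
    trimmed. A single value containing a literal '|' is ambiguous in this
    format and will be split; the format itself cannot express it.
    """
    if "|" not in raw:
        return [raw.strip()] if raw.strip() else []
    return [part.strip() for part in raw.split("|") if part.strip()]


def build_attribute(name: str, raw_value: str, split: bool = True) -> ET.Element:
    """Build a saml2:Attribute; split=False reproduces the old single-value output."""
    attr = ET.Element(ATTRIBUTE, {"Name": name})
    values = split_session_values(raw_value) if split else [raw_value]
    for value in values:
        ET.SubElement(attr, ATTRIBUTE_VALUE).text = value
    return attr


def attribute_values(attr: ET.Element) -> List[str]:
    """Values a relying party would read back from the attribute."""
    return [el.text or "" for el in attr.findall(ATTRIBUTE_VALUE)]


def to_xml(attr: ET.Element) -> str:
    return ET.tostring(attr, encoding="unicode")


def is_member(attr: ET.Element, group: str) -> bool:
    """Relying-party check: exact match against one of the attribute values.

    Against the old pipe-joined output the only value is '| CN=Admins | CN=Users |',
    so no group ever matches; against the split output the check works.
    """
    return group in attribute_values(attr)


# Constructed sample: an AD group-membership session variable.
SAMPLE_GROUPS = "| CN=Admins | CN=Users |"
OLD_ATTRIBUTE = build_attribute("memberOf", SAMPLE_GROUPS, split=False)
NEW_ATTRIBUTE = build_attribute("memberOf", SAMPLE_GROUPS)
```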


534373-3 : Some Text on French Localized Edge client on windows has grammatical error

Component: Access Policy Manager

Symptoms:
Grammatically incorrect text is displayed in the Edge Client UI localized for the French language.

Conditions:
French Localized version of Edge Client is used.

Impact:
Branding.

Workaround:
None.

Fix:
Fixed grammar.


534358 : Node.js vulnerability CVE-2015-5380

Vulnerability Solution Article: SOL17238


534323-2 : Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.

Component: Policy Enforcement Manager

Symptoms:
The session is deleted and re-created when a new IP address is added to the session along with the original IP address.

Conditions:
This happens when a new IP address is added to an existing session along with the existing IP address.

Impact:
The session is re-created rather than updated in place when a new IP address is added along with the existing IP address.

Fix:
The session is now replaced rather than re-created when a new IP address is added along with the existing IP address.


534246-3 : rest_uuid should be calculated from the actual values inserted to the entity

Component: Application Security Manager

Symptoms:
BIG-IP computes the case-sensitive rest_uuid values for HTTP headers but stores the headers as case-insensitive.

Conditions:
For example:
1. Go to Security>>Application Security>>Headers>>HTTP Headers.
2. Choose 'Custom...' for the name of the header.
3. Create a custom header named 'Abc' (with a capital letter).
4. Remember the ID generated in the JSON element.
5. Delete the header.
6. Create a new custom header and use the name 'abc'.

Actual Results:
The ID of 'abc' and the ID of 'Abc' are different.

Impact:
Two identical normalized values may have different rest_uuid.

Workaround:
N/A

Fix:
The REST "id" field is now calculated from the actual values inserted into the entity, rather than from the user-input values.


533826-7 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system.


533820-6 : DNS Cache response missing additional section

Component: Local Traffic Manager

Symptoms:
Resolver cache lookups are missing authority and additional sections.

Conditions:
Resolver cache lookups could be missing the authority and additional sections for A and AAAA queries when the DO bit is not set.

Impact:
If the requesting client needs the information that would normally be included in the authority or additional sections, it would have to make additional queries to acquire that data.

Workaround:
none

Fix:
The resolver cache now includes the authority and additional sections whenever that information is available.


533790-3 : Creating multiple address entries in data-group might result in records being incorrectly deleted

Component: TMOS

Symptoms:
Using the GUI to create multiple address entries in a data-group might result in records being incorrectly deleted.

Conditions:
Creating multiple address entries in a data-group through the GUI.

Impact:
Cannot add/remove IP addresses from existing data groups without affecting existing IP addresses through GUI.

Workaround:
Use TMSH to add/remove IP addresses from existing data groups.

Fix:
You can now use the GUI to add/remove IP addresses from a data-group IP address list without affecting other IP addresses.


533723-5 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.

Component: Access Policy Manager

Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.

Conditions:
Web-application dynamically creates HTML content on the client side that contains the textarea tag.

Impact:
The web application may malfunction.

Workaround:
There is no workaround at this time

Fix:
Content rewriting is suppressed on the client side for the textarea tag.


533566-2 : Support for View HTML5 client v3.5 shipped with VCS 6.2

Component: Access Policy Manager

Symptoms:
The upcoming release of VMware Horizon View Connection Server 6.2 introduces a few changes to the View HTML5 client.
This fix catches up with those changes to provide seamless support at APM side.

Conditions:
BIG-IP APM configured as PCoIP proxy and set up against VMware VCS 6.2 with HTML5 client installed.

Impact:
Launching View HTML5 client from APM webtop may not work properly.

Fix:
Added support for View HTML5 client v3.5 shipped with View Connection Server 6.2.


533458-6 : Insufficient data for determining cause of HSB lockup.

Component: TMOS

Symptoms:
When an HSB lockup occurs only the HSB registers are dumped into the TMM log files for diagnosing the failure. There is no core file containing stats and the state of the HSB driver when the failure occurred to help diagnose the failure.

Conditions:
When an HSB lockup occurs.

Impact:
Limited data is available for root cause analysis.

Workaround:
None.

Fix:
On HSB lockup, the system now generates a core file containing stats and the state of the HSB driver at the time of the failure, to help diagnose it.


533413-2 : CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1221.html

Vulnerability Solution Article: SOL51518670


533114-1 : All DNS requests are sent to NA DNS server if local clients manually change their dns setting

Component: Access Policy Manager

Symptoms:
If a Network Access-connected client changes its local DNS settings while connected, all DNS requests end up going to the Network Access DNS server.

Conditions:
Network Access DNS Relay is installed on the client.
APM has a Network Access resource configured with DNS for some address space.
The end user manually changes their resolver.

Impact:
Client DNS requests will always go through the Network Access DNS servers.

Workaround:
There are two workarounds:
1) In DHCP client environments, local DNS settings changed by a DHCP lease expiring and renewing are handled properly; the problem occurs only when manual changes are made on the client machine.

2) The client can be rebooted, which will clear the problem.

Fix:
If a client manually changes their local DNS settings while connected via Network Access, DNS requests that do not match the Network Access policy will not be routed to the Network Access DNS server.


532685-3 : PAC file download errors disconnect the tunnel

Component: Access Policy Manager

Symptoms:
Any failure to download the PAC file is treated as a fatal error. If the Edge Client fails to download the PAC file, the VPN connection cannot be established.

Conditions:
- The PAC file cannot be downloaded by the Edge Client.

Impact:
Tunnel disconnects in case of PAC file download errors.

Workaround:
Fix the infrastructure issues that cause the PAC file download to fail.

Fix:
PAC file download and merging issues were previously considered critical, and the Edge Client disconnected the tunnel. This behavior is now controlled by a new BIG-IP setting called "Ignore PAC download error".

Behavior Change:
PAC file download and merging issues were previously considered critical, and the BIG-IP Edge Client disconnected the tunnel. This behavior is now controlled by a new BIG-IP setting called "Ignore PAC download error".


532522-2 : CVE-2015-1793

Vulnerability Solution Article: SOL16937


532394-3 : Client to log value of "SearchList" registry key.

Component: Access Policy Manager

Symptoms:
n/a

Conditions:
A Windows user connecting and disconnecting a Network Access connection to the BIG-IP APM server.

Impact:
n/a

Workaround:
n/a

Fix:
To provide better traceability, the APM client now creates a log entry each time F5 software reads or writes the "SearchList" or "SearchList_F5_BACKUP_VALUE" registry key.


532365-2 : lsndb cores with "Assertion `size < bin_key_size' failed"

Component: Carrier-Grade NAT

Symptoms:
When there are many entries in the session database and a user attempts to delete them with "lsndb del all", this can cause lsndb to core with "Assertion 'size < bin_key_size' failed".

The user may see many "Error: Connection to internal DB failed (err: Cannot assign requested address [99])" messages on the console. In addition, not all of the session database entries are deleted.

Conditions:
- LSN is configured with persistence, inbound-connections automatic, or PBA enabled.
- There are over 100,000 session database entries (e.g. persistence, inbound, or PBA entries).
- The user attempts to manually delete all entries with "lsndb del all".

Impact:
- Session database cannot be properly cleared using the lsndb util.

Fix:
lsndb no longer cores while deleting large amounts of session database entries.


531983-3 : [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added

Component: Access Policy Manager

Symptoms:
Routing table is not updated correctly in connected state when new adapter is added to the system.

Conditions:
An SSL VPN tunnel is established and a new adapter is added to the system. For example, Wi-Fi connects while the tunnel is already established over the Ethernet adapter.

Impact:
Routing table might be corrupted.

Workaround:
Restart OS X.

Fix:
The routing table now updates correctly when a new adapter is added to the system while an SSL VPN tunnel is already established over another network adapter.


531883-1 : Windows 10 App Store VPN Client must be detected by BIG-IP APM

Component: Access Policy Manager

Symptoms:
The Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via the Client Type agent.

Conditions:
Windows 10 App Store VPN Client, BIG-IP APM, Client Type agent.

Impact:
The Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box.

Fix:
Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box using the Client Type agent.


531809-3 : FTP/SMTP traffic related bd crash

Component: Application Security Manager

Symptoms:
Protocol Security: The Enforcer may crash upon FTP or SMTP traffic using remote logging.

Conditions:
FTP/SMTP traffic with remote logging assigned. The crash happens rarely.

Impact:
bd crash, traffic disturbance.

Workaround:
Remove the remote logging from FTP/SMTP.

Fix:
Protocol Security: The Enforcer no longer crashes upon FTP or SMTP traffic using remote logging.


531483-3 : Copy profile might end up with error

Component: Access Policy Manager

Symptoms:
Copying a profile might fail with an error stating that two items share the same agent.

Conditions:
Very rare: long policy names with similar name parts.

Impact:
Minor: you need to choose a different name for the new policy.

Fix:
Issue resolved.


530812-6 : Legacy DAG algorithm reuses high source port numbers frequently

Component: Local Traffic Manager

Symptoms:
A service on a pool member will receive connections frequently with a source port number above 65400, especially when the incoming connections to the Virtual IP listener are generated by test tools that increment their source port numbers sequentially. This could lead to premature SNAT port exhaustion, if SNAT is also being used.

Conditions:
The issue appears to be limited to the legacy DAG algorithm on the VIPRION PB100 and PB200 blades. All supported versions of BIG-IP will exhibit this issue on this hardware when this DAG algorithm is used. The problem is not exhibited when the incoming sessions' source port numbers have a reasonable amount of entropy (as one would normally see with real Internet traffic); however, the use of test tools, or even intentional malicious traffic may cause this issue to be seen.

Impact:
The issue could result in resource contention (such as SNAT pool port exhaustion), or problems with the pool member services distinguishing between sessions. A notable exception: Port reuse before TIME_WAIT expires is specifically NOT an impact of this issue.

Workaround:
To work around SNAT pool port exhaustion, increase the pool size, or change to auto-map. An iRule may be used to help pool member services better distinguish incoming sessions.

Fix:
The software emulation of the legacy DAG algorithm used on VIPRION PB100 and PB200 has been updated to more evenly distribute the source port numbers of sessions arriving at pool member services.


530800-2 : Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.

Component: Access Policy Manager

Symptoms:
OWA displays an error message when trying to send a new email.
The POST request size is more than 300 KB and the POST data contains a large "SCRIPT id=F5_helperDataStringsId" tag.
Due to this issue, the request data becomes large enough to be affected by bug 502269 in SSOv2. Therefore, if SSOv2 is enabled in this access policy, the request content is corrupted and the OWA server responds with a '400 Bad Request' code instead of sending the email.

Impact:
Users can't send messages in some versions of OWA.

Fix:
Fixed an issue where extra data was added to some OWA2010 requests making it impossible to send messages in configuration with Form-based SSOv2.


530795-4 : In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may send ICMP messages that contain an incorrect TCP SEQ/ACK number in the embedded message body.

Conditions:
FastL4 TCP virtual servers. Syncookie mode.

Impact:
The TCP connflow might be aborted if an ICMP message (such as More fragment) is received.

Workaround:
None.

Fix:
The BIG-IP system now sends correct SEQ and ACK numbers in ICMP messages.


530242-2 : SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs

Component: TMOS

Symptoms:
When SPDAG is turned on for VIPRION B2250 blades, a traffic imbalance among TMMs might be observed.

Conditions:
Enable SPDAG on VIPRION B2250 blades.

Impact:
The traffic imbalance can lower the throughput of VIPRION B2250 blades.

Workaround:
Adding or removing B2250 blades might mitigate the imbalance.

Fix:
A new DAG hash is added for SPDAG on VIPRION B2250 blades, which resolves the SPDAG traffic imbalance. The new DAG hash can be turned on by setting the TMM Tcl variable dag::use_p8_sp_hash to yes.

Add the following to the /config/tmm_init.tcl file: dag::use_p8_sp_hash yes.


529627-2 : LDAP StartTLS may fail on serverside when persistence is configured

Component: Local Traffic Manager

Symptoms:
In some circumstances, the BIG-IP system may fail to set up StartTLS on the server side when instructed by an LDAP client, if the LDAP virtual server is in use with a persistence profile.

Conditions:
- LDAP virtual server with client and server profiles.
- LDAP profiles with STARTTLS Activation Mode set to Allow.
- Persistence profile (for example, src addr persistence).

Impact:
The server side does not upgrade to TLS.

Workaround:
Do not use LDAP virtual server in conjunction with persistence.

Fix:
The BIG-IP system now correctly upgrades the server-side connection of an LDAP virtual server to TLS.


529610-7 : On HA setups, the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db

Component: Application Security Manager

Symptoms:
When session tracking actions are enabled in ASM policy, an HTTP request may be blocked based on HTTP session or username and illegal traffic that has been sent from this session. The blocked request is reported in the security events log, but there is no option to release the username using the Configuration utility.

Conditions:
High availability (HA) setup, and ASM with Session tracking actions enabled.

Impact:
Usernames and HTTP sessions are blocked by ASM without an option to release them from the Configuration utility.

Workaround:
Stop and start tmm on all devices in the HA group by running the following commands:
-- bigstart stop tmm
-- bigstart start tmm

Fix:
Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done on the Session Tracking Status screen.


528971-1 : 'Force to Standby' button greyed out when using 'Select All' for traffic groups.

Component: TMOS

Symptoms:
Selecting the 'Select All' check-box on the Traffic Groups page in the GUI does not enable the 'Force to Standby' button.

Conditions:
User checks the 'Select All' check box on the traffic groups page.

Impact:
Cannot force all traffic groups to standby when using the select all check box.

Workaround:
Select each traffic group individually to enable the 'Force Standby' button.

Fix:
Selecting the 'Select All' check-box on the Traffic Groups page in the GUI now enables the 'Force to Standby' button. This allows setting all traffic groups to standby when using the select all check box.


528808-4 : Source NAT translation doesn't work when APM is disabled using iRule

Component: Access Policy Manager

Symptoms:
Source NAT translation does not happen and server-side connection fails.

Conditions:
ACCESS::disable iRule is added to the virtual server.

Impact:
Proxy's server-side connection fails.

Workaround:
Do not use the ACCESS::disable iRule command.

Fix:
Source address translation is now restored correctly even if an iRule has disabled APM.


528616-1 : Failure to add a custom bot signature

Component: Advanced Firewall Manager

Symptoms:
In some cases, a bot signature that was added does not actually get added. The message "notice ACY: acy_create_Rdas rkm->g MALLOC_ACY failed" appears in /var/log/tmm.

Conditions:
Traffic has been running for a long time and TMM memory has become fragmented.

Impact:
Newly added signatures are not enforced.

Workaround:
none

Fix:
We fixed an issue where you could not add new bot signatures into fragmented memory.


528407-7 : TMM may core with invalid lasthop pool configuration

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool.

Conditions:
1) BIG-IP system with VIP and lasthop pool with non-local pool member.
2) Sys db tm.lhpnomemberaction set to 2.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure lasthop pool to use local members/addresses.

Fix:
TMM no longer cores with an invalid lasthop pool configuration.


528310-2 : Upgrade failure when CertKeyChain exists in non-Common partition

Component: TMOS

Symptoms:
Pre-11.6.0 configuration may fail to load on a BIG-IP system running version 11.6.0 (or greater).

Conditions:
Configuration contains an SSL profile with an explicit Certificate Key Chain in a non-Common partition.

Impact:
This issue leads to a configuration load failure.

Workaround:
This issue has no workaround at this time.

Fix:
Certificate Key Chain will inherit its partition from the parent SSL profile on creation.


528276-1 : The device management daemon can crash with a malloc error

Component: TMOS

Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.

Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.

Impact:
The daemon crashes and recovers.

Workaround:
This issue has no workaround at this time.

Fix:
The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.


528247-2 : PEM: Requested Service Units empty when used service units match granted service units

Component: Policy Enforcement Manager

Symptoms:
The Requested-Service-Unit (RSU) field in the MSCC AVP of a Gy CCR-U message is empty for certain rating group requests.

Conditions:
The used service units exactly match the granted service units. This is extremely rare.

Impact:
An empty RSU might cause the OCS to allocate an incorrect granted service unit for the rating group.

Workaround:
The OCS can ignore the Requested-Service-Unit AVP when it is zero or empty and use the Used-Service-Unit AVP instead.

Fix:
RSU is no longer empty even when the used service units match the granted service units AVP.


528238-2 : Quota Policy Added multiple times will lead to reset of Subscriber flows

Component: Policy Enforcement Manager

Symptoms:
Subscriber flows are reset when a session is provisioned for Gy quota management.

Conditions:
The same policy with a quota-management action is added to the session multiple times through RAR (or CCA-U). After 32 installs, every flow for the session is reset.

Impact:
Reset flows mean subscribers have trouble using the service.

Workaround:
The PCRF should ensure that the same policy is not added to a session multiple times.

Fix:
Flows are no longer reset even if the same policy is added multiple times for the subscriber.


528139-2 : Windows 8 client may not be able to renew DHCP lease

Component: Access Policy Manager

Symptoms:
VPN disconnects after the DHCP lease expires.

Conditions:
BIG-IP Edge Client is running on Windows 8.
"Allow access to local DHCP servers" is checked in Network Access settings.

Impact:
VPN may disconnect and user must connect to VPN again.
ipconfig /renew will not work.

Workaround:
DHCP lease timeout is automatic and works properly. Also, end users can run ipconfig /release and then ipconfig /renew to manually renew a lease.

Fix:
DHCP lease can now be renewed correctly.


527364-1 : GNU C Library (glibc) vulnerability CVE-2015-1781 & CVE-2013-7423

Vulnerability Solution Article: SOL16865


527149-1 : FQDN template node transitions to 'unknown' after configuration reload

Component: Local Traffic Manager

Symptoms:
A FQDN node that was available becomes 'unknown' after configuration load or reload.

Conditions:
This occurs in configurations containing FQDN nodes.

Impact:
An FQDN node template stays 'unknown' after configuration load or reload. This does not affect resolution or generation of ephemeral nodes.

Workaround:
None needed. This is cosmetic only.

Fix:
A FQDN node that was available now stays available after configuration load or reload.


527027-2 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.


527024-4 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.


527011-5 : Intermittent lost connections with no errors on external interfaces

Component: Local Traffic Manager

Symptoms:
Intermittent lost connections to virtual servers or pool nodes with no observable errors on external interfaces.
Errors are observed on internal interfaces using 'tmos show net interface -hidden'

Conditions:
Normal operation. This can occur on BIG-IP 8950, 11000, and 11050 platforms.

Impact:
Lost connections

Workaround:
None.

Fix:
An issue with intermittent lost connections with no errors on the external interface has been corrected.


526786-2 : Session lookup fails

Component: Policy Enforcement Manager

Symptoms:
1. Existing session S1 is created with IP1 and IP2.

2. The session is replaced by S2 with the same IP1 and IP2 addresses, and delete is called for S1.

3. IP1 is the master, so IP2 is forwarded to the remote TMM to set the mapping.

4. The remote TMM looks up the existing mapping for IP2, finds session S2, and tries to look up session S2.

5. Before the lookup completes, S2 is deleted.

6. The callback for the S2 lookup now fails.

Conditions:
The remote TMM looks up the existing mapping for IP2 and finds session S2, but S2 is deleted before the lookup for it completes.

Impact:
The callback fails.

Workaround:
None.

Fix:
The IP mapping is now set correctly when the session being replaced is deleted.


526677-5 : VMware Horizon HTML5 View access client can not connect when using View Connection Server running version 6.1.1

Component: Access Policy Manager

Symptoms:
When an APM and Horizon v6.1.1 deployment is configured to use an APM Full Webtop, the HTML5 client does not launch correctly. A new tab opens and the user sees an HTTP 405 error on that page.

Conditions:
View Connection Server backend is running version 6.1.1.

Impact:
HTML5 Client access will stop working.

Fix:
Starting with the 6.1.1 release of View Connection Server, the communication protocol used by the View HTML5 client has changed.
 
This change breaks BIG-IP APM's HTML5 View client implementation. As such, APM users cannot use this client to access their View Desktop.

This fix implements the new View communication protocol to support launching of the View HTML5 client from an APM Full Webtop.


526637-3 : tmm crash with APM clientless mode

Component: Access Policy Manager

Symptoms:
A condition that occurs when using APM in clientless mode can cause a rare tmm crash

Conditions:
Only occurs on 11.5 and later, and while using clientless mode 3. This crash has been very difficult to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm will no longer crash in APM clientless mode; it now sends a reset.


525708-6 : AVR reports of last year are missing the last month data

Component: Application Visibility and Reporting

Symptoms:
Reports are missing the latest data collected for them. Each report-type is missing a different portion of the data which is relative to the report-type. This issue becomes very noticeable when creating long-term reports. For example, a 'last-year' report might omit the last month data, 'last-month' report might omit the last week data, and so on.

Conditions:
Every report that is done on a long history time range.

Impact:
The presented data can be confusing and misleading.

Fix:
A new data aggregation mechanism was added so that all reports include activity up to the last hour.
It can optionally be made to include activity up to the last 5 minutes, although that might cause excessive CPU and disk load every 5 minutes.
The new aggregation mechanism can also be turned off if accurate long-history reports are not needed and the hourly aggregation task is too heavy for the machine.


525633-2 : Configurable behavior if PCRF returns unknown session ID in middle of session.

Component: Policy Enforcement Manager

Symptoms:
If PEM sends a CCR-U and the PCRF responds with a CCA-U indicating that the session is unknown (the PCRF has lost the session), PEM ignores the response and continues to send CCR-U messages.

Conditions:
The PCRF has lost the session (reboot or failover) and responds to session update requests with an unknown session ID.

Impact:
The session remains for a long period of time without the PCRF acknowledging it.

Workaround:
So that the PCRF can get the context back, it is recommended that PEM delete the session (configurable) and also recreate the same session (configurable).

To have PEM delete the session when the PCRF indicates that the session ID is unknown, set the following Sys db variable to TRUE: tmm.pem.diameter.application.trigger.delete.onPeer.failure.

To have PEM recreate the session, set the following Sys db variable to TRUE: tmm.pem.session.ppe.recreate.afterPeerFailure.

Fix:
PEM's handling of an unknown session ID returned by the PCRF in the middle of a session is now configurable, using the Sys db variables described in the workaround.


525557-2 : FQDN ephemeral nodes not re-populated after deleted and re-created

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force deleted may not repopulate as expected.

Conditions:
This issue occurs when there is a Sync group and multiple FQDNs resolve to the same IP address.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:
This issue has no workaround at this time.

Fix:
FQDN ephemeral nodes are now repopulated after force deletion.


523874-5 : CVE-2013-1961

Vulnerability Solution Article: SOL16715


523873-5 : CVE-2013-1960

Vulnerability Solution Article: SOL16715


523854-2 : TCP reset with RTSP Too Big error when streaming interleaved data

Component: Service Provider

Symptoms:
An RTSP connection containing interleaved streams is aborted mid-stream, causing loss of data. This occurs when there is packet loss and retransmission due to an unreliable connection. A RST is sent by the BIG-IP with cause "Too big".

There is an RTSP profile parameter Maximum Header Size. When the RTSP filter receives a burst of reassembled stream data that exceeds this size, it aborts with that RST cause. When this parameter is raised above the value of parameter Maximum Queued Data, that parameter is exceeded and the RST cause is "Hudfilter abort". When both parameters are raised much higher, an abort is less likely, but can still occur with cause "Out of memory" (which is a false report as the system is not out of memory).

Conditions:
RTSP profile configured.
Interleaved stream.
Packet retransmissions due to an unreliable connection.

Impact:
RTSP traffic is interrupted or dropped
TCP session is reset with a cause of "Too Big" or "Hudfilter abort".

Workaround:
Set both the Maximum Header Size and Maximum Queued Data values to a value greater than 64K. This reduces the likelihood of failure, but is only a partial workaround.

Fix:
RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission.
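
The entry above describes the failure only by its symptoms: a burst of reassembled interleaved data is measured against the text-header limit and the connection is reset. As an added example (not code from the release note and not BIG-IP's RTSP filter), the following Python reads one TCP stream in arbitrary-sized chunks, as retransmission and reassembly deliver it, and separates interleaved binary frames (RFC 2326 section 10.12: a '$' byte, a one-byte channel id, a two-byte big-endian length, then the payload) from RTSP text messages, so that frame payloads are never counted as header bytes. The MAX_HEADER value, the class and function names, and the sample stream are constructed for the example.

```python
"""Added example (not from the release note, not BIG-IP's RTSP filter): an
incremental parser that separates RTSP interleaved binary frames from RTSP
text messages on one TCP stream, fed in arbitrary-sized chunks.
Interleaved framing per RFC 2326 section 10.12: '$', one-byte channel id,
two-byte big-endian length, then that many payload bytes.
"""


class RtspStreamParser:
    """Call feed() with each received chunk; it returns the complete items
    found so far, each either ('frame', channel, payload) for interleaved
    data or ('message', header_text, body) for an RTSP request/response.
    Only the text header block is measured against MAX_HEADER; binary frame
    payloads are length-delimited and never count as header bytes."""

    MAX_HEADER = 4096   # assumed limit for the example, like 'Maximum Header Size'

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        self.buf += chunk
        items = []
        while True:
            item = self._parse_one()
            if item is None:
                break
            items.append(item)
        return items

    def _parse_one(self):
        if not self.buf:
            return None
        if self.buf[0] == 0x24:                      # '$' starts an interleaved frame
            if len(self.buf) < 4:
                return None                          # wait for the 4-byte frame header
            channel = self.buf[1]
            length = int.from_bytes(self.buf[2:4], 'big')
            if len(self.buf) < 4 + length:
                return None                          # payload still in flight
            payload = bytes(self.buf[4:4 + length])
            del self.buf[:4 + length]
            return ('frame', channel, payload)
        # Otherwise a text message: the header block ends at an empty line.
        end = self.buf.find(b'\r\n\r\n')
        if end < 0:
            if len(self.buf) > self.MAX_HEADER:
                raise ValueError('RTSP header exceeds %d bytes' % self.MAX_HEADER)
            return None                              # header incomplete
        head = bytes(self.buf[:end])
        if len(head) > self.MAX_HEADER:
            raise ValueError('RTSP header exceeds %d bytes' % self.MAX_HEADER)
        body_len = 0
        for line in head.split(b'\r\n')[1:]:
            name, _, value = line.partition(b':')
            if name.strip().lower() == b'content-length':
                body_len = int(value.strip())
        total = end + 4 + body_len
        if len(self.buf) < total:
            return None                              # body incomplete
        body = bytes(self.buf[end + 4:total])
        del self.buf[:total]
        return ('message', head.decode('ascii', 'replace'), body)


def parse_in_chunks(data, chunk_size):
    """Feed data to a fresh parser chunk_size bytes at a time (simulating
    segmented delivery) and return every parsed item."""
    parser = RtspStreamParser()
    items = []
    for i in range(0, len(data), chunk_size):
        items.extend(parser.feed(data[i:i + chunk_size]))
    return items


# Constructed sample stream: a PLAY response, then two interleaved RTP
# frames, the second larger than MAX_HEADER (a burst of stream data).
SAMPLE = (
    b'RTSP/1.0 200 OK\r\nCSeq: 4\r\nSession: 12345678\r\n\r\n'
    + b'$' + bytes([0]) + (12).to_bytes(2, 'big') + b'\x80\x60' + b'A' * 10
    + b'$' + bytes([2]) + (5000).to_bytes(2, 'big') + b'B' * 5000
)

if __name__ == '__main__':
    for item in parse_in_chunks(SAMPLE, 7):
        kind, first, last = item
        label = first if kind == 'frame' else first.split('\r\n')[0]
        print(kind, label, len(last))
```

Because the 5000-byte frame is delimited by its own length field, it is consumed whole regardless of how the bytes arrive, and the 4096-byte header limit only ever applies to the text block that precedes the first empty line.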


522871-5 : [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)

Component: TMOS

Symptoms:
Nested wildcard deletion deletes all of the objects (matched or not matched).

Conditions:
Use deletion in a nested TMSH command. For example:

tmsh modify gtm server GTM1 virtual-servers delete {f*}

This deletes all virtual servers even if none of the servers match. The same issue applies to pool members.

Impact:
All objects are deleted, instead of those targeted for delete.

Workaround:
None.

Fix:
Nested wildcard deletion now deletes matched objects only.


521336-3 : pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core

Component: Local Traffic Manager

Symptoms:
The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core.

Conditions:
When pkcs11d retries while waiting for other services such as tmm or mcpd to become ready.

Impact:
After the system reboots, /var/log/ltm shows initialize errors and /var/log/daemon.log shows pkcs11_initialize messages such as:
-- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying).
-- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0.

Workaround:
Restart pkcs11d once tmm and mcpd are both ready.

Fix:
The retry of pkcs11d initialization no longer posts misleading error messages when pkcs11d retries while waiting for other services such as tmm or mcpd.


520924-1 : Restricted roles for custom monitor creation

Vulnerability Solution Article: SOL00265182


520380-7 : save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory

Component: TMOS

Symptoms:
Unit demonstrates behaviors consistent with out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run.

Conditions:
Enable auto-sync and save-on-auto-sync.

Impact:
Low memory condition may result in system instability.

Workaround:
None.

Fix:
Enabling auto-sync and save-on-auto-sync no longer causes an out-of-memory condition.


519059-4 : [PA] - Failing to properly patch webapp link, link not working

Component: Access Policy Manager

Symptoms:
Any attribute URL in HTML content is rewritten as "javascript:location=..." if a <base> tag appears before the tag with the attribute, no content hint is set in the HTML rules for the attribute, and cookieless mode is not in use.

Conditions:
Webapp link is not properly patched.

Impact:
Rewritten links are not accessible.

Fix:
WebApp links are now properly rewritten.


519012-1 : Support launching RDS pool with HTML5 client from APM Full Webtop

Component: Access Policy Manager

Symptoms:
An attempt to launch an RDS pool from the APM Webtop using the View HTML5 client caused an error.

Conditions:
A VMware View RDS pool is assigned to the APM webtop.

Impact:
The user is presented with an option to launch the RDS pool with the HTML5 client but cannot actually do so.

Workaround:
None.

Fix:
APM-side handling has been fixed to work properly with VMware View RDS desktops.


518550-2 : Incorrect value of form action attribute inside 'onsubmit' event handler in some cases

Component: Access Policy Manager

Symptoms:
An incorrect value of the form 'action' attribute may be used inside 'onsubmit' event handlers if the original 'action' is an absolute path.

Conditions:
HTML form with an absolute path in its 'action' attribute;
'onsubmit' event handler for this form.

Impact:
The web application may work incorrectly.

Workaround:
There is no general workaround. However, if the 'action' value can be converted to a relative path or to a full URL (with host), this can be done using an iRule.

Fix:
The value of the form 'action' attribute is now correct inside event handlers.


517590-3 : Pool member not turning 'blue' when monitor removed from pool

Component: Local Traffic Manager

Symptoms:
Pool member's status does not update when a monitor is removed from the pool.

Conditions:
A pool must be configured with a monitor and pool members.

Impact:
Traffic may be routed incorrectly

Workaround:
One may be able to update the pool member status by toggling the pool member's state down and then up again.

Fix:
The pool member's status updates when the pool's monitor is removed.


517020-6 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command:

tmsh show sys services

Here is an example of the status when the system is in this state:

subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log contains numerous messages similar to the following:

Received broken packet. Closing session.

The /var/log/sflow_agent.log contains numerous messages similar to the following:

AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command:

bigstart restart subsnmpd

Fix:
SNMP request handling has been improved to ensure that requests no longer fail after a number of days.


516219-1 : User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled

Component: Access Policy Manager

Symptoms:
Connection is reset when user tries to log on to an APM virtual server. APM log shows ERR_NOT_FOUND while getting profile license.

Conditions:
The issue happens if slot 1 in a VIPRION 4800 chassis is not occupied or is occupied but not enabled.

Impact:
User logon failure.

Workaround:
Detach APM access profile from the virtual server and then reattach it.

Fix:
Access policies now work properly on a VIPRION 4800 with no slot 1.


515690 : BD crash on startup due to memory corruption

Component: Application Security Manager

Symptoms:
The BD process does not start up; it goes down while starting, with or without a timeout message.

If a core doesn't exist, the user may see the following messages:

BD_MISC|NOTICE|Mar 16 10:38:00.262|16027|temp_func.c:0904|CONFIG_TYPE_XML_PROFILES table was read successfully. ack num = 15
BD_MISC|CRIT |Mar 16 10:39:00.963|15983|main.c:0267|Timeout detected while waiting for configuration. time since last config: 60 BD aborting

Also, there is a glibc error in ts_debug.log file.

Conditions:
A JSON profile exists on the system.

Impact:
System doesn't start up and remains offline (or starts up for a very short time and goes down again).

Workaround:
Remove the JSON profiles from all the policies.

Fix:
Fixed a memory corruption related to JSON configuration.


514287 : Deleting a policy-item and its associated agent via IControl Rest transaction fails

Component: Access Policy Manager

Symptoms:
Deleting a policy-item and its associated agent via an iControl REST transaction fails because the deletions within the transaction are not ordered.

Conditions:
Deleting a policy-item and its associated agent via iControl REST within one transaction.

Impact:
Deleting a policy-item and its associated agent via an iControl REST transaction fails.

Workaround:
None; the transaction fails.

Fix:
Deleting a policy item now triggers discrete deletion of its join to the agent.


512130-3 : Remote role group authentication fails with a space in LDAP attribute group name

Component: TMOS

Symptoms:
Remote role group authentication fails if there is a space in attribute name of remote-role role-info.

Conditions:
This occurs when the auth remote-role role-info attribute name contains a space character.

Impact:
LDAP authentication fails.

Workaround:
Remove space characters from LDAP attribute group name.

Another option is to use '\20' in place of spaces in the remote-role's role-info member-of attribute, for example:

memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM

becomes:

memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM

Fix:
Remote role group authentication now succeeds as expected with a space in LDAP attribute group name.
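
The '\20' form in the workaround above is the RFC 4514 backslash-hex escape for a space. As an added example (not part of the release note and not BIG-IP's own parser), the following Python escapes and unescapes DN attribute values in that form, and splits a memberOf DN while honoring escapes, so the group name round-trips whether it is written with literal spaces or with '\20'. The helper names and the sample DN are the example's own.

```python
"""Added example (not part of the release note, not BIG-IP code): RFC 4514
DN value escaping/unescaping in the backslash-hex form ('\\20' for a space)
used by the workaround above, plus a small DN splitter that honors escapes.
"""

# Characters that must always be escaped inside a DN attribute value
# (RFC 4514 section 2.4); '#' only needs escaping when it is the first char.
_SPECIAL = set(',+"\\<>;')
_HEX = set('0123456789abcdefABCDEF')


def escape_dn_value(value, hex_form=True):
    """Escape one attribute value for use inside a DN.

    With hex_form=True every escaped character becomes '\\XX' (two hex
    digits), which is the form the remote-role member-of workaround uses.
    With hex_form=False the single-backslash form ('\\,') is used instead.
    Every space is escaped, not only leading/trailing ones; RFC 4514 allows
    escaping any character, and doing so sidesteps the space-handling bug.
    """
    out = []
    for i, ch in enumerate(value):
        needs_escape = (ch in _SPECIAL or ch == ' ' or ch == '\x00'
                        or (i == 0 and ch == '#'))
        if not needs_escape:
            out.append(ch)
        elif hex_form or ch == '\x00':          # NUL has no '\\c' form
            out.append('\\%02X' % ord(ch))
        else:
            out.append('\\' + ch)
    return ''.join(out)


def unescape_dn_value(value):
    """Reverse escape_dn_value; accepts '\\XX' hex pairs (UTF-8 bytes) and
    the single-character '\\c' form, in any mix."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != '\\':
            out += ch.encode('utf-8')
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in _HEX for c in pair):
            out.append(int(pair, 16))
            i += 3
        elif i + 1 < len(value):
            out += value[i + 1].encode('utf-8')
            i += 2
        else:
            raise ValueError('dangling backslash in DN value: %r' % value)
    return out.decode('utf-8')


def parse_dn(dn):
    """Split a DN into [(attribute, unescaped value), ...], splitting only on
    commas that are not escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])        # keep the escape pair intact
            i += 2
        elif ch == ',':
            rdns.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    rdns.append(''.join(cur))
    parsed = []
    for rdn in rdns:
        attr, sep, raw = rdn.partition('=')
        if not sep:
            raise ValueError('RDN without "=": %r' % rdn)
        parsed.append((attr.strip(), unescape_dn_value(raw)))
    return parsed


def build_member_of(group_dn):
    """Re-emit a DN with every value hex-escaped, the form to paste into the
    remote-role role-info member-of attribute when the group name has spaces."""
    return ','.join('%s=%s' % (attr, escape_dn_value(val))
                    for attr, val in parse_dn(group_dn))


# Constructed sample: the group DN from the workaround above.
GROUP_DN = 'CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM'

if __name__ == '__main__':
    print(build_member_of(GROUP_DN))
    # -> CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM
```

Both spellings parse to the same (attribute, value) list, which is what a correct consumer of the role-info attribute must guarantee; a splitter that breaks on raw spaces, or that splits on commas without checking for a preceding backslash, is the kind of defect this entry fixes.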


511782-7 : The HTTP_DISABLED event does not trigger in some cases

Component: Local Traffic Manager

Symptoms:
HTTP_DISABLED is not triggered by the HTTP::disable iRule command, requests using the CONNECT method, and Web-sockets traffic.

Conditions:
If the HTTP filter is switched into pass-through mode by the HTTP::disable command, CONNECT requests, or via Web-sockets traffic.

Impact:
The HTTP_DISABLED event does not trigger.

Workaround:
This issue has the following workaround:
-- For HTTP::disable, add the logging code within HTTP_DISABLED after that iRule command.
-- For CONNECT, use an iRule to match the method in HTTP_REQUEST, and check that 200 Connected is returned as the status in HTTP_RESPONSE. If so, invoke the logging code within HTTP_DISABLED.
-- For Web-sockets, use an iRule to match the 101 Switching Protocols status code in HTTP_RESPONSE. If this happens, invoke the logging code that is also within HTTP_DISABLED.

Fix:
The iRule HTTP_DISABLED is now triggered as expected when using HTTP::disable iRule command, requests using the CONNECT method, and Web-sockets traffic.


510951-1 : Status of connection limited pool is reported incorrectly

Component: Local Traffic Manager

Symptoms:
Status of connection limited pool or member is shown as available, even if the nodes have a connection limit and the limit has been met or exceeded.

Conditions:
Node connection limit is reached on all nodes

Impact:
Misleading status indicator: the virtual server and pool report UP while the nodes report DOWN.

Fix:
The status query of a pool or pool member now utilizes the current connection counts and configured connection limits when calculating availability.


510728-2 : Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.

Component: Advanced Firewall Manager

Symptoms:
The Create and Delete buttons are enabled for Security :: Protocol Security : Security Profiles : DNS when the page is accessed as Firewall Manager, although that role may not create or delete these objects.

Conditions:
User with the role of Firewall Manager accessing
Security :: Protocol Security : Security Profiles : DNS

Impact:
The Firewall Manager is offered abilities not considered in scope for the role. Using them produces a validation error similar to the following: "01070822:3: Access Denied: user (username) does not have create access to object (dns_security)"


507321-4 : JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields

Component: Access Policy Manager

Symptoms:
If a JavaScript application uses a user-defined object that contains 'origin', 'source' and 'data' fields with NULL values, any attempt to read these values raises an error.

Conditions:
A user-defined JavaScript object with 'origin', 'source' and 'data' fields and a NULL value in any of these fields, for example:

var a = { origin: null , data:null , source:null };

Any attempt to read these values leads to a JavaScript error in Portal Access scripts.

Impact:
The web application does not work correctly.

Fix:
User-defined JavaScript objects with 'origin', 'source' and 'data' fields may now contain any values in these fields.


503257-11 : Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST

Component: Local Traffic Manager

Symptoms:
Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled.

Conditions:
This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect.

Impact:
Clients may receive a RST and fail to connect to an available pool member under some traffic patterns.

Workaround:
If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.

Fix:
Persistence, connection limits and HTTP::respond or HTTP::redirect no longer result in RST.


502928-1 : TMM core in AWS and Azure environments

Component: TMOS

Symptoms:
TMM may core when under memory pressure on Virtual Edition (VE) instances running in AWS and Azure.

Conditions:
BIG-IP VE version 12.0 running in AWS and Azure environments. 12.0 VE images in AWS and Azure have been modified to use the 'sockets' data plane interface. The core may be observed when the sweeper is in aggressive mode, indicating that TMM is under memory pressure.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To switch from the 'sockets' dataplane interface to the 'unic' dataplane interface, uncomment the 'modprobe unic' line in /etc/sysconfig/modules/unic.modules.

The following command enables the VE 'unic' TMM dataplane interface. You must reboot to make this change take effect.
 ~$ sed -i 's/^#modprobe unic/modprobe unic/' /etc/sysconfig/modules/unic.modules
 ~$ reboot

Fix:
This release properly handles memory allocation failures on Virtual Edition (VE) instances running in AWS and Azure, so no TMM cores occur.


500786-3 : Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile

Component: Local Traffic Manager

Symptoms:
When a FastL4/BIGTCP virtual with HTTP profile is used, certain kinds of traffic may cause huge memory growth and result in out-of-memory situation.

Conditions:
If the FastL4 virtual with an HTTP profile handles HTTP cloaking traffic, which starts as HTTP and then switches over to non-HTTP data, memory can grow unbounded due to a lack of flow control. This may eventually lead to out-of-memory conditions.

Impact:
Out-of-memory conditions affecting the availability and stability of the BIG-IP system.

Workaround:
1.) Avoid using FastL4 with an HTTP profile unnecessarily.
2.) If it cannot be avoided, use the FastL4 + HTTP-Transparent profile combination instead AND set the http-transparent profile attribute enforcement.pipeline to "pass-through". This allows the HTTP filter to run in pass-through mode and avoids the excessive memory consumption.

Fix:
Use the FastL4 + HTTP-Transparent profile combination AND set http-transparent.enforcement.pipeline to "pass-through". This enables the HTTP filter to run in pass-through mode and avoids the excessive memory consumption.


499615-2 : RAM cache serves zero length documents.

Component: Local Traffic Manager

Symptoms:
RAM cache serves zero length documents.

Conditions:
Forcing caching in an iRule.

Impact:
RAM Cache will cache a HEAD response, if an iRule is configured to force it to do so. This causes RAM cache to serve zero length documents.

Workaround:
If the HTTP operation is a HEAD request, do not cache the response.
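
The entry above has no fix text, only the rule that a HEAD response must not be cached. As an added example (not from the release note and not BIG-IP's RAM cache), the following Python models a minimal URI-keyed response cache to show why a forced-cache HEAD response is later served to a GET as a zero-length document, and the guard that implements the workaround. The RamCache class, its allow_head_caching switch, the force flag standing in for an iRule that forces caching, and the sample responses are all constructed for the example.

```python
"""Added example (not from the release note, not BIG-IP's RAM cache): a tiny
URI-keyed response cache showing why a forced-cache HEAD response is later
served to a GET as a zero-length document, and the guard from the workaround.
"""


class Response:
    def __init__(self, status, headers, body):
        self.status = status
        self.headers = dict(headers)
        self.body = body


class RamCache:
    """allow_head_caching=True reproduces the failure; False (default) applies
    the workaround: a HEAD response is never stored, even when forced."""

    def __init__(self, allow_head_caching=False):
        self.allow_head_caching = allow_head_caching
        self.store = {}             # uri -> Response (shared by GET and HEAD)
        self.hits = 0
        self.misses = 0

    def lookup(self, method, uri):
        resp = self.store.get(uri)
        if resp is None:
            self.misses += 1
            return None
        self.hits += 1
        if method == 'HEAD':        # a HEAD hit is answered from the GET entry, body stripped
            return Response(resp.status, resp.headers, b'')
        return resp

    def store_response(self, method, uri, resp, force=False):
        """Store a response; force=True models an iRule forcing caching.
        Returns True if the entry was stored."""
        if method == 'HEAD' and not self.allow_head_caching:
            return False            # guard: a HEAD response has no body to serve later
        if not force and 'no-store' in resp.headers.get('Cache-Control', ''):
            return False
        self.store[uri] = resp
        return True


def simulate(allow_head_caching):
    """HEAD (cached by force) followed by GET for the same URI; returns the
    number of body bytes the GET client receives."""
    cache = RamCache(allow_head_caching)
    origin_body = b'<html>hello</html>'
    # Constructed origin responses: the HEAD response carries headers only.
    head_resp = Response(200, {'Content-Length': str(len(origin_body))}, b'')
    get_resp = Response(200, {'Content-Length': str(len(origin_body))}, origin_body)

    if cache.lookup('HEAD', '/index.html') is None:
        cache.store_response('HEAD', '/index.html', head_resp, force=True)

    served = cache.lookup('GET', '/index.html')
    if served is None:
        cache.store_response('GET', '/index.html', get_resp)
        served = get_resp
    return len(served.body)


if __name__ == '__main__':
    print('HEAD responses cacheable:', simulate(True), 'bytes served to GET')
    print('HEAD responses rejected: ', simulate(False), 'bytes served to GET')
```

The stored HEAD entry still advertises the origin's Content-Length, so the GET client receives headers that promise 18 bytes and a body of 0; rejecting HEAD responses at store time, regardless of any forced-cache directive, is the check the workaround asks an iRule author to make.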


496679-1 : Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.

Component: TMOS

Symptoms:
After renaming a CM device object, or performing an upgrade from a version prior to 11.4.0, configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.

Conditions:
This issue occurs when one of the following conditions is met:

-- You load the BIG-IP configuration.
-- You upgrade the BIG-IP system software.
-- You perform a configuration synchronization (ConfigSync) operation for the device group.

The 'default-device' attribute has been deprecated beginning in 11.4.0 in favor of new functionality. Prior to 11.4.0, default-device was used to specify the device-group member that failback tries to make active.

From 11.4.0 and later, when auto-failback is enabled, the system uses the first member of the 'Failover Order' ('ha-order' in tmsh).

In 11.4.0 and later, this field is not used, but will fail validation if it contains a value that does not reference the name of an existing device-group member, or the value 'none'.

Impact:
Although the configuration can be saved, it fails when being loaded (for example, in response to a ConfigSync operation, during software upgrade, or when running the command: 'tmsh load sys config').

Workaround:
Modify any traffic-group default-device attributes that refer to the now-deprecated default-device name.

Note: The system does not use this value, regardless of how you set it.

To work around this issue, you can modify the traffic-group default-device attribute to refer to default-device none. To do so, perform the following procedure:

1. Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

2. To list the configured default device for a traffic group, use the following command syntax:
list /cm traffic-group <traffic group name>

For example, to list the configured default device for traffic-group-1, type the following command:

list /cm traffic-group traffic-group-1

3. Use none as the default device for your traffic group using the following command syntax:
modify cm traffic-group <traffic group name> default-device <default device name>

For example, to modify your default device to none for traffic-group-1, type the following command:

modify cm traffic-group traffic-group-1 default-device none

4. Save the configuration changes by typing the following command:
save /sys config

Fix:
Renaming a device also renames the associated traffic-group's default device, so configuration load now completes successfully.


493743 : TCP4 filter allows non-SYN packet to create new connflow after sending RST.

Component: Local Traffic Manager

Symptoms:
TCP4 filter allows non-SYN packet to create new connflow after sending RST.

Conditions:
BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades, which have hardware SYN cookie protection enabled by default.

Impact:
A new connflow might be created after the RST is sent, with possible data being treated as a valid SYN cookie by the FPGA.

Workaround:
Change the sys db variable connection.syncookies.algorithm to 'software'.

Fix:
BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades with hardware SYN cookie protection enabled by default no longer allow new connflow to be created after RST is sent.


493053-3 : Route domains' firewall policies may be removed after sync

Component: TMOS

Symptoms:
If you modify the firewall policy of a route domain and then sync, the policy may be removed rather than changed on devices receiving the sync.

Conditions:
This affects full load sync (full load checkbox is enabled, or the 'Overwrite Configuration' option was selected), but not incremental sync.

Impact:
Firewall rules may be removed.

Workaround:
Set the policy to none, sync, then set it to the desired value and sync again.

Fix:
Modifying the firewall policy of a route domain and then syncing could remove the policy rather than change it on devices receiving the sync. This no longer happens.


492460-4 : Virtual deletion failure possible when using sFlow

Component: TMOS

Symptoms:
This error message might occur intermittently when trying to delete a virtual server:

01070265:3: The Virtual Server (vs_name) cannot be deleted because it is in use by a sflow http data source (ds_name).

Conditions:
sFlow is in use.

Impact:
Virtual may fail to be deleted.

Workaround:
None.

Fix:
This error message used to occur intermittently when trying to delete a virtual and using sFlow: 01070265:3: The Virtual Server (vs_name) cannot be deleted because it is in use by a sflow http data source (ds_name). This no longer occurs.


490801-1 : mod_ssl: missing support for TLSv1.1 and TLSv1.2

Component: TMOS

Symptoms:
This is due to using older versions of httpd (which includes mod_ssl). Newer versions of httpd, as of 2.2.15-39, include the necessary support for TLSv1.1 and TLSv1.2.

Conditions:
Any older version of httpd that is not upgraded to 2.2.15-39, or selectively patched for the mod_ssl component, cannot provide support for TLSv1.1 and TLSv1.2.

Note that in older releases there is a dependency on openssl 1.0.1 for a backport of the mod_ssl changes to actually support TLSv1.1 and TLSv1.2.

Impact:
No support is provided for TLSv1.1 and TLSv1.2.

Workaround:
Upgrade to one of the following:

12.0.0-hf1 - includes changes to mod_ssl
12.1.0 - includes update to httpd 2.2.15-39

Fix:
Upgrading to httpd 2.2.15-39 (from el6.6) provides the needed changes to mod_ssl to support TLSv1.1 and TLSv1.2.


488866-1 : Added support of NLA to Always connect mode of EdgeClient

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client in always connect mode doesn't respect network location awareness (NLA) settings.

Conditions:
Edge Client is configured to be in AlwaysConnected mode.
Connectivity profile has Enterprise LAN suffixes configured.

Impact:
Edge Client always tries to establish VPN connection, even inside the enterprise network.

Fix:
BIG-IP Edge Client now respects the network location awareness (NLA) settings from the connectivity profile: it disconnects the VPN when inside the enterprise network and establishes the VPN when outside the enterprise network. Edge Client has no button in this mode.

To achieve this, Edge Client should be configured as follows:
1. 'Enable Always connected mode' checked.
2. 'Traffic flow when VPN is disconnected' set to 'Allow only in enterprise LAN'.
3. Connectivity profile should have suffixes configured.


488581-2 : The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within an HTTP_REQUEST event

Component: Local Traffic Manager

Symptoms:
The Traffic Management Microkernel (TMM) process may restart and produce a core file when using the SSL::disable client-side iRule command within an HTTP_REQUEST event.

As a result of this issue, you may encounter one or more of the following symptoms:

The BIG-IP system fails over to another host in the device group.
The BIG-IP system generates a TMM core file to the /shared/core directory.
The BIG-IP system temporarily fails to process traffic.

Conditions:
This issue occurs when the following conditions are met:

You have configured a virtual server that uses an iRule.
The iRule contains the SSL::disable client-side iRule command within an HTTP_REQUEST event.
The virtual server processes traffic that triggers the HTTP_REQUEST event while processing encrypted traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not put 'SSL::disable clientside' inside HTTP_REQUEST.

Fix:
The Traffic Management Microkernel (TMM) process no longer restarts and produces a core file when using the SSL::disable client-side iRule command within an HTTP_REQUEST event.


488417-1 : Config load failure with 'Input error: can't create user' after upgrade

Component: TMOS

Symptoms:
Unable to load config after upgrade or reboot if the admin account is disabled and replaced with a custom user. The system posts the message:

01070829:5: Input error: can't create user, role partition mapping, user does not exist, username, Unexpected Error: Loading configuration process failed.

On single-NIC virtual deployments, if the admin account is disabled and replaced with a custom user, the system will experience this issue any time the system is rebooted.

Logs similar to the following may appear in /var/log/ltm:

notice sod[6214]: 010c005e:5: Waiting for mcpd to reach phase base, current phase is platform.
notice mcpd[4672]: 01070829:5: Input error: can't create user, role partition mapping, user does not exist, security
err tmsh[7444]: 01420006:3: Loading configuration process failed.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all base" - failed. --
  01070829:5: Input error: can't create user, role partition mapping, user does not exist, security
  Unexpected Error: Loading configuration process failed.
err mcpd[4672]: 01070422:3: Base configuration load failed.

Conditions:
This occurs when upgrading or rebooting a system on which the root admin account is disabled and replaced with a custom admin user account.

This occurs on single-NIC virtual deployments in version 12.0.0, when a system on which the root admin account is disabled and replaced with a custom admin user account is rebooted.

To verify single-NIC is enabled:
tmsh list sys db provision.1nic.

To verify a custom administrator has been defined:
tmsh list sys db systemauth.primaryadminuser.

Impact:
You cannot upgrade if the root admin account is disabled.

On single-NIC virtual deployment configurations in version 12.0.0, the system fails to load the configuration after a reboot.

Workaround:
There is no workaround for this issue. To resolve this issue, you can reboot the BIG-IP system back to the previous working boot location that has the admin user disabled. For single-NIC virtual deployments, you can re-enable the default admin user account. To do so, perform one of the following procedures:

Impact of workaround: Since the BIG-IP System is already in the inoperative state, performing the following procedure should not have a negative impact on your system.

Rebooting the BIG-IP system back to the previous working boot location:

Log in to the Traffic Management shell (tmsh) by typing the following command:
tmsh

To reboot the BIG-IP system to the desired boot location, type the following command syntax:
reboot volume <boot_location>

Re-enabling the default admin user account on BIG-IP system (for single-NIC virtual deployments):

Azure BIG-IP Virtual Edition (VE):

Log in to tmsh by typing the following command:
tmsh

Re-enable the default admin user account by typing the following command:
modify /sys db systemauth.primaryadminuser value admin

Re-load BIG-IP configuration by typing the following command:
load /sys config

Amazon Web Services BIG-IP VE:

Log in to tmsh by typing the following command:
tmsh

Re-enable the default admin user account by typing the following command:
modify /sys db systemauth.primaryadminuser value admin

Update the password for the default admin user by typing the following command syntax:
modify /auth user admin password <password>

Re-load BIG-IP configuration by typing the following command:
load /sys config

Fix:
Can now successfully load the configuration after upgrade if the admin account is disabled and replaced with a custom user, and no 'Input error: can't create user' error occurs.


487625-1 : Qkview might hang

Component: TMOS

Symptoms:
A corrupted filestore causes qkview to hang.

Conditions:
This occurs due to filestore mapping issues. It might also occur when files listed in the filestore are missing.

Impact:
Qkview hangs and sync attempts silently fail due to the filestore mapping issue. The system might post error messages similar to the following:

err mcpd[4596]: 0107134e:3: Failed while making snapshot: (Failed to link files existing(/config/ssl/ssl.crt/ca-bundle.crt) new(/config/.snapshots_d/certificate_d/1389867940_:Common:ca-bundle.crt_1) errno(2)(No such file or directory).) errno(2) errstr(No such file or directory).

Workaround:
None.

Fix:
A corrupted filestore no longer causes qkview to hang.


485293-2 : Unmounting file systems fails during reboot or halt

Component: TMOS

Symptoms:
When shutting down / rebooting a system, the console may show that certain mount points failed to be unmounted. It may also display an error that the command "xargs" was not found.

Conditions:
This problem occurs if there is a remnant handle to the filesystem on a mount point during a shutdown or reboot sequence. This is a common occurrence, but the shutdown sequence should be able to take care of these appropriately.

Impact:
Any BIGIP.

Workaround:
None.

Fix:
Cleaned up shutdown mechanics for unmounting drives.


481162-7 : vs-index is set differently on each blade in a chassis

Component: Local Traffic Manager

Symptoms:
The vs-index field on virtual servers differs on each blade in a chassis.

Conditions:
This occurs on chassis systems when creating a virtual server on a multi-blade VIPRION and on multi-blade vCMP guests.

Impact:
The recently created virtual server holds different vs_index across blades (typically, the virtual servers differ by one, when compared with the active blade). From that point on, every newly created virtual server carries that inconsistency, so that vs-index is set differently on each blade in a chassis.

Workaround:
Follow the procedure in SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) to clear the configuration cache and reload configuration after reboot.

Fix:
The vs-index is now the same on each blade in a chassis on a multi-blade VIPRION and on multi-blade vCMP guests.


476460-1 : WAM Range HTTP header limited to 8 ranges

Component: WebAccelerator

Symptoms:
When doing a request with multiple ranges, depending on the current state of the document in the cache (due to previous requests), WAM responds with 'HTTP 416 Requested range not satisfiable'.

Conditions:
Client requesting more than 8 ranges in a single HTTP Range request for a document that has an active cache record.

Impact:
The document cannot be retrieved, even with valid range values.

Workaround:
Force the document to not be cached in the Policy and to be always proxied to the OWS.

Fix:
Use the db variable Wam.Cache.Range.MaxRanges to increase the maximum number of sub-ranges allowed in an HTTP Range request. It defaults to a maximum of 8 sub-ranges, but it can be increased up to 32.
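To make the failure mode concrete, here is an added illustration (not WAM's own code) of a cache front end that parses a multi-range Range header and answers 416 when the number of sub-ranges exceeds a configurable cap; the default of 8 and the ceiling of 32 are the values this record states, and the parser and status logic are assumptions for the example.

```python
import re
from typing import List, Optional, Tuple

# Default of Wam.Cache.Range.MaxRanges as stated in the record; 32 is its ceiling.
DEFAULT_MAX_RANGES = 8
MAX_CONFIGURABLE_RANGES = 32

# One byte-range-spec: "first-last", "first-" or "-suffix".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse a Range header value such as "bytes=0-99,200-,-500".

    Returns (first, last) tuples where None marks an open end.
    Raises ValueError on anything malformed, so callers can answer 400.
    """
    if not header.startswith("bytes="):
        raise ValueError("only the bytes unit is supported")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"malformed range spec: {spec!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError(f"last byte precedes first byte: {spec!r}")
        ranges.append((first, last))
    return ranges


def range_status(header: str, doc_length: int,
                 max_ranges: int = DEFAULT_MAX_RANGES) -> int:
    """Status a cache would return for `header` on a doc_length-byte document.

    206: every check passes and at least one sub-range is satisfiable.
    416: more sub-ranges than max_ranges (the behaviour this record describes),
         or no sub-range lies inside the document.
    400: malformed header.
    """
    max_ranges = min(max_ranges, MAX_CONFIGURABLE_RANGES)
    try:
        ranges = parse_byte_ranges(header)
    except ValueError:
        return 400
    if len(ranges) > max_ranges:
        return 416
    satisfiable = [
        (f, l) for f, l in ranges
        if (f is None and l is not None and l > 0)      # suffix range
        or (f is not None and f < doc_length)           # starts inside the document
    ]
    return 206 if satisfiable else 416


if __name__ == "__main__":
    # Constructed request: nine 10-byte sub-ranges, one more than the default cap.
    nine_ranges = "bytes=" + ",".join(f"{i * 10}-{i * 10 + 9}" for i in range(9))
    print(range_status(nine_ranges, 1000))                 # 416 with the default cap
    print(range_status(nine_ranges, 1000, max_ranges=32))  # 206 once the cap is raised
```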


473163-8 : RAID disk failure and alert.conf log message mismatch results in no trap

Component: TMOS

Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.

Conditions:
This happens when there is a RAID disk failure and the definition of the RAID disk failure alert in alert.conf is similar to the following:

alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
   lcdwarn description="RAID disk failure." priority="3"
}

Impact:
The actual log message syntax is: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' Because this does not match the alert definition, no SNMP trap is issued for the failing disk, and the LCD message is not displayed.

Workaround:
For information about configuring custom traps, see SOL3727: Configuring custom SNMP traps, available here: https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.

Fix:
RAID disk failure and alert.conf log message now match, so appropriate SNMP traps are now issued when a disk is failing.
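To show why the trap never fires, here is an added example (not F5's alertd code or its shipped fix) that runs the alert.conf pattern quoted above against constructed log lines; the revised pattern is an illustrative broadening written for this example, and alertd's matcher is assumed to behave like a Python regex search.

```python
import re
from typing import Dict, List

# Pattern from the alert.conf definition quoted in this record (pre-fix).
ORIGINAL_PATTERN = r"raid[0-9]: Disk failure .*?"

# Broadened pattern assumed here for illustration only (not F5's fix): it also
# accepts the "md/raidN:mdNN:" prefix that the kernel actually logs.
REVISED_PATTERN = r"raid[0-9]+(?::md[0-9]+)?: Disk failure .*?"

# Constructed sample lines. The first is the syntax quoted in the record; the
# second is an older-style message and the third is a non-failure line.
SAMPLE_LOG = [
    "alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.",
    "alert kernel: raid1: Disk failure on sdb1, disabling device.",
    "info kernel: md/raid1:md12: active with 2 out of 2 mirrors",
]


def matching_lines(pattern: str, lines: List[str]) -> List[str]:
    """Return the log lines that an alert defined with `pattern` would fire on."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def trap_coverage(lines: List[str]) -> Dict[str, int]:
    """Count how many of `lines` each pattern would turn into an SNMP trap."""
    return {
        name: len(matching_lines(pattern, lines))
        for name, pattern in (("original", ORIGINAL_PATTERN),
                              ("revised", REVISED_PATTERN))
    }


if __name__ == "__main__":
    # The record's real message matches only the revised pattern.
    print(trap_coverage(SAMPLE_LOG))  # {'original': 1, 'revised': 2}
```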


472446-1 : Customization group template file might cause mcpd to restart

Component: Access Policy Manager

Symptoms:
A config sync or tmsh transaction might fail and make mcpd restart if the transaction includes both a misconfigured object and a customization group template file.

If strict updates are enabled on an iApp and Advanced Customization is performed, mcpd could crash.

Conditions:
The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file.

Impact:
The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction, when that transaction might contain an object configured with an invalid value. This results in a configuration error.
Here is one example of the types of messages that may be displayed when this occurs:

-- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete.
-- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file logon.inc customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty.
-- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting...
-- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd.

Workaround:
None.

Fix:
This release corrects the configuration error that occurred in the config sync or tmsh transaction whose configuration included a misconfigured object and a customization group template file.


469033-16 : Large big3d memory footprint.

Component: Global Traffic Manager

Symptoms:
The big3d process might take up a large amount of memory.

Conditions:
Using GTM in various configurations.

Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.

Workaround:
None.

Fix:
Reduced big3d memory footprint.


462598-6 : Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.

Component: Access Policy Manager

Symptoms:
When the APM Access renderer or renderer pool (used for serving internal pages) goes down for an unknown reason, tmm goes into a retry loop and sod kills tmm.

Conditions:
For the problem to occur, at the very least, APM must be in use. The problem showed up in the past with a mangled iRule in place.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This has only been observed with an incorrectly formed iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this occurs without an associated iRule, there is no workaround.

Fix:
Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client.


461084-1 : Kerberos Auth might fail if client request contains Authorization header

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header prior to the "HTTP 401" challenge, authentication fails.

Conditions:
An auth request to the BIG-IP systems contains Authorization header; Kerberos Auth is configured.

Impact:
Authentication can fail and the client might see a login prompt again when the IP address changes.

Workaround:
None

Fix:
The client's Kerberos authentication now succeeds.


453649-1 : Added Enforce Autoconnection Mode to Edge Client

Component: Access Policy Manager

Symptoms:
There is no way to configure BIG-IP Edge Client in enforce autoconnection mode when user has no control over Edge Client.

Conditions:
Edge Client is configured to be in AlwaysConnected mode.
Connectivity profile has Enterprise LAN suffixes configured.

Impact:
Edge Client always has three buttons, so the user can override Edge Client behavior.

Fix:
The BIG-IP Edge Client can be configured to respect network location awareness (NLA) settings from the connectivity profile, and disconnects the VPN when inside enterprise network, and establishes VPN when outside of enterprise network. Edge Client has no button when operating in this mode.

To configure network location awareness, Edge Client should be configured as follows:
1. 'Enable Always connected mode' checked.
2. 'Traffic flow when VPN is disconnected' set to 'Allow only in enterprise LAN' or 'Always'.
3. Connectivity profile should have suffixes configured.

Behavior Change:
The BIG-IP Edge Client can be configured to respect network location awareness (NLA) settings from the connectivity profile, and disconnects the VPN when inside enterprise network, and establishes VPN when outside of enterprise network. Edge Client has no button when operating in this mode.

To configure network location awareness, Edge Client should be configured as follows:
1. 'Enable Always connected mode' checked.
2. 'Traffic flow when VPN is disconnected' set to 'Allow only in enterprise LAN' or 'Always'.
3. Connectivity profile should have suffixes configured.


447958-1 : Slow client side SSL connection can be prematurely reset.

Component: Local Traffic Manager

Symptoms:
A slow clientside SSL connection may result in a timeout due to the default SSL timeout of 10 seconds.

tm.rstcause may indicate 'SSL alert timeout exceeded'.

Conditions:
Clientside is clientssl, and the connection is such that it may require longer than 10 seconds to establish the connection.

Impact:
Data transfer might be interrupted.

Workaround:
Increase the alert timeout value in the configuration.

Fix:
A slow clientside SSL connection no longer results in a timeout, because the default SSL timeout is now indefinite.


446860-2 : APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348

Component: Access Policy Manager

Symptoms:
APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 (ActiveSync client fails to login to APM with large POST body)

Conditions:
ActiveSync client large POST body tries to log into APM.

Impact:
An ActiveSync client with a large POST body cannot log in even when the tmm.access.maxrequestbodysize DB variable is configured.

Workaround:
This issue has no workaround at this time.

Fix:
Now APM Exchange Proxy honors the tmm.access.maxrequestbodysize DB variable.

Modify the tmm.access.maxrequestbodysize DB variable with a value larger than the maximum email body size you would like to support.
The maximum supported value is 25000000 (25MB).


442139-4 : Some iRules can result in stuck UDP connections

Component: Local Traffic Manager

Symptoms:
When using an iRule on a UDP virtual server, it is possible for a connection flow to get stuck and remain allocated until it times out. The connection flow will appear via the tmsh (using "tmsh sys conn show") but will no longer pass packets. As new packets arrive, the flow timeout will be extended causing an outage.

Conditions:
The connection flow must be aborted (e.g. ICMP/Reachable received from serverside) while the iRule is parked due to an asynchronous command.

Impact:
Incoming packets matching the stuck connection are dropped.

Workaround:
The error can only be cleared if the connection is allowed to timeout or the tmm is restarted.

Fix:
Aborted UDP connections with parked iRules will be cleaned up normally and no longer match incoming packets.


441058-4 : TMM can crash when a large number of SSL objects are created

Component: Local Traffic Manager

Symptoms:
Administrative operations which trigger a full reload of SSL cert, key, or CRL files can cause TMM to abort. TMM will miss its heartbeat, at which time it will be killed by sod daemon via SIGABRT.

Conditions:
Configuration contains a large number of SSL certs, keys and/or CRLs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove any unused SSL objects from configuration.

Fix:
The system now loads the virtual IP addresses and associated SSL Certs/Keys in batches, so that TMM config load no longer exceeds its allowed CPU time.


440895-1 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Under a high load of failed authentication requests, it is possible for there to be contention for the user lockout file. This results in users failing to authenticate correctly.

Conditions:
Highly concurrent authentication attempts may trigger this issue. For example: open a connection using basic authentication, perform a query (for example, get node list, get virtual address list, or set pool min active members), then close the connection. If this is done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent authentication failure results in users not being able to login. You might see the message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Workaround:
Since this could be an intermittent authentication failure, wait a few seconds and then attempt to log in again.


433897-2 : Data group elements must contain fewer than 65535 bytes each

Component: Local Traffic Manager

Symptoms:
If a datagroup contains entries that are longer than the maximum length allowed by a Tcl object, the datagroup can fail to load the element without warning.

Conditions:
This occurs when an external datagroup loads strings that exceed Tcl-imposed limits.

Impact:
Incorrect datagroup. TMM might core if the non-loaded element is referenced.

Workaround:
Use individual datagroup entries that are fewer than 65000 characters in length.

Fix:
This release contains validation that prevents datagroup elements that are longer than 65535 bytes each, so no TMM core occurs, and the correct datagroup is used.


433466-3 : Disabling bundled interfaces affects first member of associated unbundled interfaces

Component: TMOS

Symptoms:
When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1).

Conditions:
Disabling bundled interfaces affects first member of associated unbundled interfaces.

Impact:
Traffic unable to pass due to ports 'Down' status.

Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). Same for the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.

Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.


431467-2 : Mac OS X support for nslookup and dig utilities to use VPN DNS

Component: Access Policy Manager

Symptoms:
Network access from browser or Edge Client on Mac does not change system DNS configuration the way that the nslookup and dig utilities expect. Once network access is established, the nslookup and dig utilities do not utilize DNS servers and DNS search suffixes set by SSL VPN.

Conditions:
NA access with DNS servers and DNS search suffixes, NA from browser or Edge Client on Mac OS X.

Impact:
The system should behave as expected except for the nslookup, dig, and host utilities.

Fix:
The nslookup, host and dig utilities are now able to use DNS server and DNS search suffixes set by SSL-VPN.


429075-1 : GetCPUInfo for F5.IsHandler.dll throws an exception when IIS is running on a virtual machine

Component: Local Traffic Manager

Symptoms:
The F5.IsHandler.dll throws an exception when IIS is running on a virtual machine.

Conditions:
A Windows Server running IIS on a virtual machine with the F5.IsHandler.dll installed.

Impact:
Unable to use the WMI monitor to monitor a pool of IIS servers.

Workaround:
This issue has no workaround at this time.

Fix:
The F5.IsHandler.dll no longer throws an exception when IIS is running on a virtual machine.


424831-5 : State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover

Component: Local Traffic Manager

Symptoms:
Failovers between devices in a HA pair might result in an unexpected disruption of traffic (for instance, if virtual servers are configured for mirroring).

Persistence / session table information would similarly be missing on the newly-active system.

Conditions:
Platform that supports hardwired failover, configured for hardwired failover. (Note: this excludes chassis-based platforms, as well as VCMP guests and VEs)

Network failover disabled.

Impact:
- Failovers may result in unexpected disruption of traffic that failed to be mirrored.
- The session database (SessionDB entries, iRule session table, persistence table, etc.) will not be mirrored, which may result in unexpected traffic failures.

Workaround:
Enable network failover, then restart all TMMs.

Note: workaround will temporarily disrupt traffic.

Fix:
State Mirroring now works for HA configurations that use only hardwired (serial) failover, without network failover.


418890-3 : OpenSSL bug can prevent RSA keys from rolling forward

Component: Local Traffic Manager

Symptoms:
When trying to upgrade from version 10.x to version 11.x, SSL keys can fail to roll forward. The roll-forward process does not handle what appears to be an OpenSSL bug (tested through OpenSSL 1.0.1c).

Conditions:
This occurs when rolling forward RSA keys from version 10.x to 11.x.

Impact:
Rather than receiving the expected decrypt failure ('unable to load Private Key' with a 'bad decrypt' error), approximately 0.3% of keys respond differently: the return code is non-zero and the output does not contain 'bad decrypt'. In this case, the system considers the key bad even though it is fine.

Workaround:
None.

Fix:
All SSL keys from version 10.x can be loaded correctly using the UCS file.


413708-8 : BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.

Component: TMOS

Symptoms:
When SNMP IPv6 UDP queries are directed from client to self-ip, response from the BIG-IP system does not preserve source port. An ephemeral source port will be used, instead of the source port 161.

Conditions:
SNMP IPv6 UDP query only.

Impact:
SNMP query fails.

Fix:
The BIG-IP system now preserves source port 161 in SNMP IPv6 UDP responses instead of using an ephemeral source port.


406001-4 : Host-originated traffic cannot use a nexthop in a different route domain

Component: Local Traffic Manager

Symptoms:
If a route uses a nexthop in a different route domain, traffic originating from the host will not be forwarded to that nexthop.

Conditions:
Multiple route domains, gateway route that matches traffic using a nexthop in a different route domain.

Impact:
Nodes reached by the route cannot be monitored.

Workaround:
none

Fix:
Host-originated traffic can now use a nexthop in a different route domain.


405635-1 : Using the restart cm trust-domain command to recreate certificates required by device trust.

Component: TMOS

Symptoms:
The device trust manages the certificates and keys SSL connections require between devices used for configuration synchronization. You should always have the necessary certificates and keys. If they are not present, device trust fails.

Conditions:
This might occur after manually removing the 'cm' stanzas from the config file, and reloading the configuration.

Impact:
No certificates and keys exist. If there are no certificates and keys, device trust cannot be set up, and the system cannot complete the SSL connections necessary for config synchronization.

Workaround:
To recreate the certs and keys, run the command: restart cm trust-domain.

Fix:
This release contains a new tmsh command, 'restart cm trust-domain', to restart device trust in these circumstances.


401893-4 : Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies

Component: TMOS

Symptoms:
You will be unable to use the tilde (~) character in the fields Response Headers Allowed and Encrypt Cookies when using the GUI.

Conditions:
Attempting to use the tilde character in HTTP Profile fields Response Headers Allowed and Encrypt Cookies in HTTP Profiles.

Impact:
The GUI fails with the error: "Bad Characters. Only the following special characters are allowed: period, dash and underscore (.-_). Multiple arguments should be separated by spaces."

Workaround:
Use tmsh to create/update HTTP Profile fields Response Headers Allowed and Encrypt Cookies that need a tilde character.

Fix:
The tilde character can now be used in HTTP Profile fields Response Headers Allowed and Encrypt Cookies.


401324-1 : qpdf cores when processing a document with no pages

Component: WebAccelerator

Symptoms:
When linearizing a PDF, qpdf cores when processing a document with no pages.

Conditions:
This likely occurs when the PDF contains no content, or invalid content.

Impact:
The qpdf process attempts to refer to the first page without checking whether it exists, and produces a Segfault and core file when the file has no first page.

Workaround:
Although there is no formal workaround, the core file is small and in most cases the crash happens infrequently, so you can safely ignore it unless it happens so often that it impacts performance. As long as the PDF contains valid content, linearization works as expected. If the content is invalid and qpdf cores, the system serves the original PDF.

Fix:
When linearizing a PDF, qpdf no longer cores when processing a document with no pages.


388274-4 : LTM pool member link in a route domain is wrong in Network Map.

Component: TMOS

Symptoms:
Pool member link in a route domain in Network Map is broken.

Conditions:
This occurs for pool members that exist in a route domain.

Impact:
The system cannot correctly parse the % character used in route domain addresses.

Workaround:
None.

Fix:
LTM pool member link in a route domain is now in the correct Network Map.


381238-2 : APM fails to verify Java applets signed with Mozilla NSS Signtool

Component: Access Policy Manager

Symptoms:
If a Java applet is signed with Mozilla NSS Signtool (a rare case), its signature is not verified by APM JavaPatcher, and hence the entire applet is not patched.

Conditions:
APM with Portal Access, Java patching enabled.
Java applet signed with Mozilla NSS Signtool

Impact:
The functionality of the Java applet may be broken.

Workaround:
If possible, resign with Java jarsigner utility (recommended).

Fix:
Java applet manifest file parsing has been enhanced to support manifests generated by Mozilla NSS Signtool.


373949-5 : Network failover without a management address causes active-active after unit1 reboot

Component: TMOS

Symptoms:
A device in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
If a Device Service Cluster is configured with only self-IPs for unicast network failover communication, or if the management network between the peers is unavailable, the device may not detect that the peer is active when it is starting up. When using only self-IPs, communication with the peers is disrupted while the TMM is starting up.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network, reduces the possibility of this problem.

Fix:
The failover daemon has been fixed to recognize that the self-IP communication paths are non-functional while the TMM is starting up, and will not go Active until sufficient time has elapsed to conclude that the peer is not present. Since the device cannot successfully process traffic until the TMM is functional, this does not result in a delay in restoring service.


372473-1 : mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes

Component: Local Traffic Manager

Symptoms:
A message beginning with 'mcp error: 0x1020003' may be logged to /var/log/tmm when TMM crashes.

Conditions:
TMM crashes.

Impact:
This is an MCP error that is logged erroneously upon TMM shutdown, and does not indicate an issue with MCP.

Workaround:
None.

Fix:
The message is no longer logged when TMM crashes.


365219-1 : Trust upgrade fails when upgrading from version 10.x to version 11.x.

Component: TMOS

Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without an apparent error, but one of the two following error messages appears in the /var/log/ltm log:

-- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}.

-- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.

Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.

Impact:
Trust upgrade for version 10.x high availability configuration fails.

Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.

Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.


364994-12 : TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.

Component: Local Traffic Manager

Symptoms:
In version 11.3.0 and earlier, TMM may restart.
In version 11.4.0 and later, disabled connections may be reused.

Conditions:
A virtual server with an associated OneConnect profile.
A server-side connection is disabled from the client side by the iRule command ONECONNECT::reuse disable.

Impact:
In version 11.3.0 and earlier, tmm can crash.
In version 11.4.0 and later, disabled connections may be reused.

Workaround:
Version 11.3.0 and earlier:

If HTTP::disable is being called in a client-side event, OneConnect must also be disabled in a server-side event. This can be done by including 'ONECONNECT::reuse disable' in the client-side event (so a new connection is created), setting a variable, and then invoking ONECONNECT::reuse disable in SERVER_CONNECTED.

Example:

  # Inside the client-side event (for example HTTP_REQUEST):
  set oc_reuse_ss_disable 1   ;# flag checked later in SERVER_CONNECTED
  ONECONNECT::reuse disable   ;# forces a new server-side connection
  CACHE::disable
  COMPRESS::disable
  HTTP::disable

Add this (or merge with an existing SERVER_CONNECTED event in the iRule):

when SERVER_CONNECTED {
  # Disable reuse on the server side only for flows flagged on the client side
  if { [info exists oc_reuse_ss_disable] } {
    ONECONNECT::reuse disable
    ONECONNECT::detach disable
  }
}

Version 11.4.0 and later:

Replace "ONECONNECT::reuse disable" with "set oc_reuse_ss_disable 1" in the iRule client-side event.

Add this (or merge with an existing SERVER_CONNECTED event in the iRule):

when SERVER_CONNECTED {
  # Disable reuse on the server side only for flows flagged on the client side
  if { [info exists oc_reuse_ss_disable] } {
    ONECONNECT::reuse disable
  }
}

Fix:
TMM no longer restarts when a OneConnect profile is applied to a virtual server and OneConnect reuse is disabled on the server side by an iRule.



Known Issues in BIG-IP v12.0.x


TMOS Issues

ID Number Severity Description
614865-3 2-Critical Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
613542-3 2-Critical tmm core while running the iRule STATS:: command
613536-3 2-Critical tmm core while running the iRule STATS:: command
609335 2-Critical IPsec tmm devbuf memory leak.
604211-5 2-Critical License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.
600894-2 2-Critical In certain situations, the MCPD process can leak memory
593536-1 2-Critical Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations
591104-2 2-Critical ospfd cores due to an incorrect debug statement.
588140-1 2-Critical Pool licensing fails in some KVM/OpenStack environments
583936-4 2-Critical Removing ECMP route from BGP does not clear route from NSM
583516-1 2-Critical tmm ASSERTs "valid node" on Active after timer fires.
574116-4 2-Critical MCP may crash when syncing configuration between device groups
572788-1 2-Critical Dynamic routing does not function on interfaces with names longer than 15 characters.
570881-2 2-Critical IPsec configuration mismatch in IKEv2 causes TMM crash in isakmp_parse_proposal ()
570663-1 2-Critical Using iControl get_certificate_bundle_v2 causes a memory leak
568889-3 2-Critical Some ZebOS daemons do not start on blade transition secondary to primary.
563064-6 2-Critical Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
562959-5 2-Critical In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.
562427-2 2-Critical Trust domain changes do not persist on reboot.
561814-5 2-Critical TMM Core on Multi-Blade Chassis
560683-2 2-Critical HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound()
559034-2 2-Critical Mcpd core dump in the sync secondary during config sync
557144-4 2-Critical Dynamic route flapping may lead to tmm crash
556380-1 2-Critical mcpd can assert on active connection deletion
555444 2-Critical iControl REST API through tmsh mgmt module
546760-1 2-Critical snmpd will crash when performing snmp query on ifXTable of ifMIB.
515764-5 2-Critical PVA stats only being reported on virtual-server and system-level basis.
449402-7 2-Critical Pre-11.5.0 to 11.5.0 upgrades might fail to properly set ha-group reference in traffic-groups
442231-3 2-Critical Pendsect log entries have an unexpected severity
611487-1 3-Major vCMP: VLAN failsafe does not trigger on guest
610417-2 3-Major Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
610307-1 3-Major Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
610273-1 3-Major Not possible to do targeted failover with HA Group configured
609200 3-Major Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.
609186-3 3-Major TMM or MCP might core while getting connections via iControl.
609119-6 3-Major Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
607961-3 3-Major Secondary blades restart when modifying a virtual server's route domain in a different partition.
606540 3-Major DB variable changed via GUI does not sync across HA group
606330-3 3-Major The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
605894-2 3-Major Remote authentication for BIG-IP users can fail
605521 3-Major Request log profiles added to some virtual servers might result in tmm cores.
604931 3-Major bgpd might core on restarting process with BGP debug enabled.
602566-2 3-Major sod daemon may crash during start-up
602193-3 3-Major iControl REST call to get certificate fails if
601709-3 3-Major I2C error recovery for BIGIP 4340N/4300 blades
601414-2 3-Major Combined use of session and table irule commands can result in intermittent session lookup failures
600944-2 3-Major tmsh does not reset route domain to 0 after cd /Common and loading bash
600558-4 3-Major Errors logged after deleting user in GUI
598085 3-Major Expected telemetry is not transmitted by sFlow on the standby-mode unit.
598039-4 3-Major MCP memory may leak when performing a wildcard query
597972 3-Major Inconsistent settings between CLI and GUI for sFlow configuration.
597729-4 3-Major Errors logged after deleting user in GUI
597564-2 3-Major 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
597303-2 3-Major "tmsh create net trunk" may fail
597291 3-Major Upgrade and subsequent config sync fails if there is an ASM policy with empty name.
596826-4 3-Major Don't set the mirroring address to a floating self IP address
596067-4 3-Major GUI on VIPRION hangs on secondary blade reboot
594346 3-Major Config roll forward failure when upgrading from 11.6.1 to 12.0.0 or its hotfix rollups
590904-6 3-Major New HA Pair created using serial cable failover only will remain Active/Active
589083-1 3-Major TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
587668-2 3-Major LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
586878-3 3-Major During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
585833 3-Major Qkview will abort if /shared partition has less than 2GB free space
585485-1 3-Major Interoperability with "delete IPSEC-SA" between AZURE, ASA and BIGIP
584603 3-Major TMSH allows readdition of a device already in the trust
584583-4 3-Major Timeout error when attempting to retrieve large dataset.
583754-6 3-Major When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
583285-1 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-3 3-Major BWC policy in device sync groups.
580602-2 3-Major Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
579760-1 3-Major HSL::send may fail to resume after log server pool member goes down/up
579694-1 3-Major Monitors may create invalid configuration files
578036 3-Major incorrect crontab can cause large number of email alerts
577440-2 3-Major audit logs may show connection to hagel.mnet
576305-4 3-Major Potential MCPd leak in IPSEC SPD stats query code
575919 3-Major Running concurrent TMSH instances can result in error in access to history file
575735-3 3-Major Potential MCPd leak in global CPU info stats code
575726-3 3-Major MCPd might leak memory in vCMP interface stats.
575716-3 3-Major MCPd might leak memory in VCMP base stats.
575708-3 3-Major MCPd might leak memory in CPU info stats.
575671-3 3-Major MCPd might leak memory in host info stats.
575660-3 3-Major Potential MCPd leak in TMM rollup stats stats
575649-3 3-Major MCPd might leak memory in IPFIX destination stats query
575619-3 3-Major Potential MCPd leak in pool member stats query code
575608-3 3-Major MCPd might leak memory in virtual server stats query.
575595-2 3-Major Potential MCPd leak in eviction policy stats.
575591-3 3-Major Potential MCPd leak in IKE message stats query code
575589-2 3-Major Potential MCPd leak in IKE event stats query code
575587-3 3-Major Potential MCPd leak in BWC policy class stats query code
575027-1 3-Major Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
574045-4 3-Major BGP may not accept attributes using extended length
572255-1 3-Major HA/DSC configuration requires communication on TCP port 443
571344 3-Major SSL Certificate with special characters might cause exception when GUI retrieves items list page.
571333-4 3-Major fastL4 tcp handshake timeout not honored for offloaded flows
571019-1 3-Major Topology records can be ordered incorrectly.
570818-3 3-Major Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
570058-1 3-Major [IPsec] tmm crash 'invalid racoon2 block header prefix' at informational_initiator_transmit_post_process
570053-3 3-Major HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
569356-4 3-Major BGP ECMP learned routes may use incorrect vlan for nexthop
569280-3 3-Major BIG-IP does not delete the SA on peer box after erase/modify ike-peer
569236-3 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
568182-3 3-Major IPsec does not send phase 2 delete.
567836-1 3-Major IPsec GUI 'General database error' setting KBLifetime to max value
567105 3-Major LDAP attributes not fetched for Remote Role Group matching
566507-3 3-Major Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
565137-2 3-Major Pool licensing fails in some KVM/OpenStack environments.
565136-1 3-Major Merged may core on startup of tmm/bcm56xxd due to temporarily invalid statistics
563760-1 3-Major iControl call certificate_add_pem_to_bundle fails with the message that the certificate file already exists in the partition
561444-4 3-Major LCD might display incorrect output.
559584-3 3-Major tmsh list/save configuration takes a long time when config contains nested objects.
559080-4 3-Major High Speed Logging to specific destinations stops from individual TMMs
558779-7 3-Major SNMP dot3 stats occasionally unavailable
557155-6 3-Major BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
555905-2 3-Major sod health logging inconsistent when device removed from failover group or device trust
555039-3 3-Major VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
553795-5 3-Major Differing certificate/key after successful config-sync
553776-1 3-Major BGP may advertise default route with bad parameters
553446-1 3-Major Interface bfd session does not appear in configuration file or in show running-config
553056-1 3-Major Azure: boot diagnostics fills up the partition
552524 3-Major Autoscaling of BIG-IP VE fails when multiple private IP addresses are attached to eth0.
550694-1 3-Major LCD display stops updating and Status LED turns/blinks Amber
549543-1 3-Major DSR rejects return traffic for monitoring the server
548385-2 3-Major iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
548175-1 3-Major Idle timeout may be tcp handshake timeout on CMP demoted Fast L4 virtual servers.
546145-3 3-Major Creating local user for previously remote user results in incomplete user definition.
546085-1 3-Major On shutdown, SOD and other daemons very infrequently core due to an internal processing error during the shutdown.
545946-1 3-Major Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load
545314-1 3-Major vCMP guest BIG-IP and VE BIG-IP systems fail to boot after increasing disk image size
544963-1 3-Major Upgrades of vCMP guests with the default-sized 100GB vdisk image and with SWG plus any of AFM, AM, APM, AVR, ASM, PEM, FPS provisioned will fail due to insufficient disk space
542742-1 3-Major SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
542664-2 3-Major No default boot volume is set when installing a vCMP guest from a hotfix iso.
542191-1 3-Major Snmpd V1 and V2c view based access.
540996-3 3-Major Monitors with a send attribute set to 'none' are lost on save
539832-1 3-Major Zebos: extended community attributes are exchanged incorrectly in BGP updates.
538292 3-Major Asynchronous Task supports only version 12.0.0.
538014-2 3-Major EVAL shown in CLI Mode even after purchasing subscription license for SWG.
534021-4 3-Major HA on AWS uses default AWS endpoint (EC2_URL).
533813-4 3-Major Internal Virtual Server in partition fails to load from saved config
532559-5 3-Major Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.
528295-5 3-Major Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
528083-1 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
527206-2 3-Major Management interface may flap due to LOP sync error
526708-3 3-Major system_check shows fan=good on removed PSU of 4000 platform
524839-1 3-Major Dynamic routing may not properly handle moving a self IP between VLANs
524193-5 3-Major Multiple Source addresses are not allowed on a TMSH SNMP community
524123-2 3-Major iRule ISTATS::remove does not work
523985-3 3-Major Certificate bundle summary information does not propagate to device group peers
512954-3 3-Major ospf6d might leak memory when distribute-list is used
474149-5 3-Major SOD posts error message: Config digest module error: Traffic group device not found
472308-4 3-Major Management IP address change interaction with HA heartbeat / failover traffic
460176-5 3-Major Hardwired failover asserts active even when standalone
452660-5 3-Major SNMP trap engineID should not be configsynced between HA-pairs
441482-1 3-Major SWG is seen on platforms with less than 8 GB of memory
425980-4 3-Major Blade number not displayed in CPU status alerts
424542-6 3-Major tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
384995-5 3-Major Management IP changes are not synced to the device group.
375434-5 3-Major HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
372118-2 3-Major import_all_from_archive_file and import_all_from_archive_stream do not create file objects.


Local Traffic Manager Issues

ID Number Severity Description
545596-1 1-Blocking Dynamic routing on Viprion chassis interrupted on HA or blade failover
616215-3 2-Critical TMM can core when using LB::detach and TCP::notify commands in an iRule
607724-3 2-Critical TMM may crash when in Fallback state.
605865-3 2-Critical Debug TMM produces core on certain ICMP PMTUD packets
588959-1 2-Critical Standby box may crash or behave abnormally
588351-1 2-Critical IPv6 fragments are dropped when packet filtering is enabled.
581746-5 2-Critical MPTCP traffic handling may cause a BIG-IP outage
578045-1 2-Critical The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks
576897-1 2-Critical Using snat/snatpool in related-rule results in crash
576314-3 2-Critical SNMP traps for FIPS device fault inconsistent among versions.
575011-5 2-Critical Fix memory leak.
574153-1 2-Critical If an ssl client disconnects during the handshake, the SSL flow may stall.
567167-1 2-Critical HTTP Fallback with complex iRules may cause the TMM to crash
565409-6 2-Critical Invalid MSS with HW syncookies and flow forwarding
559973-3 2-Critical Nitrox can hang on RSA verification
558534-1 2-Critical The TMM may crash if http url rewrite is used with APM
555156-1 2-Critical Changing monitoring configuration stops health checks for FQDN nodes.
552151-5 2-Critical Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
549868-5 2-Critical 10G interoperability issues reported following Cisco Nexus switch version upgrade.
549782-2 2-Critical XFV driver can leak memory
549059-1 2-Critical HTTP Cookie Persistence corruption
545810-2 2-Critical ASSERT in CSP in packet_reuse
544375-4 2-Critical Unable to load certificate/key pair
537073 2-Critical If table command in SERVER/CLIENT_CLOSED is aborted while INPROGRESS, next table command may use old result
503125-1 2-Critical Excessive MPI net traffic can cause tmm panics on chassis systems
488686-2 2-Critical Large file transfer hangs when HTTP is in passthrough mode
464437-1 2-Critical Quickly repeated external datagroup loads might cause TMM crash.
459671-3 2-Critical iRules source different procs from different partitions and executes the incorrect proc.
613673 3-Major UDP monitors might not be marked up and/or there might be a slight delay in monitors
613429-1 3-Major Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613326 3-Major SASP monitor improvements
613079-3 3-Major Diameter monitor watchdog timeout fires after only 3 seconds
612694-2 3-Major TCP::close with no pool member results in zombie flows
611652-1 3-Major iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.
611320-2 3-Major Mirrored connection on Active unit of HA pair may be unexpectedly torn down
610609-5 3-Major Total connections in bigtop, SNMP are incorrect
610429-4 3-Major X509::cert_fields iRule command may memory with subpubkey argument
609244-2 3-Major tmsh show ltm persistence persist-records leaks memory
607304-3 3-Major TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-2 3-Major Clustered Multiprocessing (CMP) peer connection may not be removed
606575-4 3-Major Request-oriented OneConnect load balancing ends when the server returns an error status code.
605983-3 3-Major tmrouted may crash when being restarted in debug mode
604133-3 3-Major Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603979-1 3-Major Data transfer from the BIG-IP system self IP might be slow
603550-2 3-Major Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
602358-3 3-Major Some sites need the SSL/TLS ClientHello version sent after receiving the HelloRequest to match the first ClientHello Version
602136-4 3-Major iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
602040-1 3-Major Truncated support ID for HTTP protocol security logging profile
601178-2 3-Major HTTP cookie persistence 'preferred' encryption
600614-3 3-Major External crypto offload fails when SSL connection is renegotiated
600593-3 3-Major Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
598874-7 3-Major GTM Resolver sends FIN after SYN retransmission timeout
597708-2 3-Major Stats are unavailable and VCMP state and status are incorrect
597532-6 3-Major iRule: RADIUS avp command returns a signed integer
597089-6 3-Major Connections are terminated after 5 seconds when using ePVA full acceleration
593530-2 3-Major In rare cases, connections may fail to expire
593390-3 3-Major Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
592784-3 3-Major Compression stalls, does not recover, and compression facilities cease.
591659-4 3-Major Server shutdown is propagated to client after X-Cnection: close transformation.
591476-1 3-Major Stuck nitrox crypto queue can erroneously be reported
591343-3 3-Major SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589400-2 3-Major With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
589223-2 3-Major TMM crash and core dump when processing SSL protocol alert.
588442-2 3-Major TMM can core in a specific set of conditions.
588115-2 3-Major TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-2 3-Major SSL resumed connections may fail during mirroring
587705-4 3-Major Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
586621-4 3-Major SQL monitors 'count' config value does not work as expected.
585412-3 3-Major SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
584948-2 3-Major Safenet HSM integration failing after it completes.
584310-3 3-Major TCP::collect ignores the 'skip' parameter when used in serverside events
584029-3 3-Major Fragmented packets may cause tmm to core under heavy load
583957-5 3-Major The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582487 3-Major 'merged.method' set to 'slow_merge' does not update system stats
582234-1 3-Major When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
582207-5 3-Major MSS may exceed MTU when using HW syncookies
580303-4 3-Major When going from active to offline, tmm might send a GARP for a floating address.
579843-2 3-Major tmrouted may not re-announce routes after a specific succession of failover states
579371-3 3-Major BigIP may generate ARPs after transition to standby
577683-2 3-Major L4 connection mirroring may not re-mirror correctly after HA channel flap and failover.
576296-3 3-Major MCPd might leak memory in SCTP profile stats query.
575626-4 3-Major Minor memory leak in DNS Express stats error conditions
575612-1 3-Major Potential MCPd leak in policy action stats query code
575347-4 3-Major Unexpected backslashes remain in monitor 'username' attribute after upgrade
573782 3-Major csyncd may dump core when a VCMP guest is disabled and then restarted
573366-3 3-Major parking command used in the nesting script of clientside and serverside command can cause tmm core
572680-4 3-Major Standby TMM might overflow send buffer if out of sync with Active TMM
572142 3-Major Config sync peer may fail to monitor newly added pool member after it is added via sync
571573-1 3-Major Persistence may override node/pmbr connection limit
571183-1 3-Major Bundle-certificates Not Accessible via iControl REST.
570575-1 3-Major RESOLV::lookup against a TCP virtual will cause tmm core
569718-1 3-Major Traffic not sent to default pool after pool selection from rule
569642-5 3-Major Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
569349-1 3-Major Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
569288-3 3-Major Different LACP key may be used in different blades in a chassis system causing trunking failures
568229-1 3-Major [LTM][DNS] save-on-auto-sync with partitions fails for LTM DNS partition objects
568078-1 3-Major HTTP Fallback may adversely impact other profiles
565799-5 3-Major CPU Usage increases when using masquerade addresses
563933-1 3-Major [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
560685-2 3-Major TMM may crash with 'tmsh show sys conn'.
559933-3 3-Major tmm might leak memory on vCMP guest in SSL forward proxy
557358-3 3-Major TMM SIGSEGV and crash when memory allocation fails.
556568-3 3-Major TMM can crash with ssl persistence and fragmented ssl records
550739-1 3-Major TMSH mv virtual command will cause iRules on the virtual to be dis-associated
550669-2 3-Major Monitors stop working - throttling monitor instance probe because file descriptor limit 65436 reached
547732-2 3-Major TMM may core on using SSL::disable on an already established serverside connection
542724-2 3-Major If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash
542104-1 3-Major In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
537553-2 3-Major tmm might crash after modifying virtual server SSL profiles in SNI configuration under load
537209-4 3-Major Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
536563-1 3-Major Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.
536505-1 3-Major DHCPv6 - pool member not selected if it returns from DOWN state
534457-1 3-Major Dynamically discovered routes might fail to remirror connections.
531979-5 3-Major SSL version in the record layer of ClientHello is not set to be the lowest supported version.
530266-3 3-Major Rate limit configured on a node can be exceeded
529400-1 3-Major An SSL handshake can show 'no ciphers selected' in some circumstances
528734-3 3-Major TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.
524641-5 3-Major Wildcard NAPTR record after deleting the NAPTR records
520604-9 3-Major Route domain creation may fail if simultaneously creating and modifying a route domain
518086-4 3-Major Safenet HSM Traffic failure after system reboot/switchover
511324-9 3-Major HTTP::disable does not work after the first request/response.
506543-4 3-Major Disabled ephemeral pool members continue to receive new connections
502129-2 3-Major Hash Cookie Persistence interacts poorly with persistence iRules
499404-4 3-Major FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
476524-1 3-Major SSL handshake delay when SSL mirroring enabled or mirrored connection fails to recover after failover.
464801-4 3-Major Intermittent tmm core
434517-14 3-Major HTTP::retry doesn't work in an early server response
433323-1 3-Major Ramcache handling of Cache-Control: no-cache directive in Response
424228-2 3-Major Parking iRules in CLIENT_DATA on virtual without assigned pool may not return
423392-3 3-Major tcl_platform is no longer in the static:: namespace
389857-2 3-Major The bigd process may core and restart when using an snmp_dca_base monitor
374067-9 3-Major Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections


Performance Issues

ID Number Severity Description
588879-1 2-Critical apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond


Global Traffic Manager Issues

ID Number Severity Description
587617-2 2-Critical While adding GTM server, failure to configure new IP on existing server leads to gtmd core
569972-1 2-Critical Unable to create gtm topology records using iControl REST
569521-3 2-Critical Invalid WideIP name without dots crashes gtmd.
539466-1 2-Critical Cannot use self-link URI in iControl REST calls with gtm topology
613045-3 3-Major Interaction between GTM and 10.x LTM results in some virtual servers marked down
602300-3 3-Major Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
589256-2 3-Major DNSSEC NSEC3 records with different type bitmap for same name.
588289-3 3-Major GTM is Re-ordering pools when adding pool including order designation
584623-1 3-Major Response to -list iRules command gets truncated when dealing with MX type wide IP
569472-1 3-Major TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
370131-3 3-Major Loading UCS with low GTM Autoconf Delay drops pool Members from config


Application Security Manager Issues

ID Number Severity Description
591113-1 2-Critical CSRF injection leading to blank page
587629-1 2-Critical IP exceptions may have issues with route domain
585352-1 2-Critical bruteForce record selfLink gets corrupted by change to brute force settings in GUI
582003-1 2-Critical BD crash on startup or on XML configuration change
578334-1 2-Critical Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy.
568347-1 2-Critical BD Memory corruption
566758-1 2-Critical Manual changes to policy imported as XML may introduce corruption for Login Pages
474252-3 2-Critical Applying ASM security policy repeatedly fills disk partition on a chassis
602221-1 3-Major Wrong parsing of redirect Domain
590851-3 3-Major "never log" IPs are still reported to AVR
589606-1 3-Major CSRF enabled within iframe request causes unpredictable behavior on a website.
584103-1 3-Major FPS periodic updates (cron) write errors to log
583686-1 3-Major High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
582683-4 3-Major xpath parser doesn't reset a namespace hash value between each and every scan
580168-1 3-Major Information missing from ASM event logs after a switchboot and switchboot back
579524-3 3-Major DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'
577664-3 3-Major Policy import, to inactive policies list, results in different policies on the sync-failover peers
576591-5 3-Major Support for some future credit card number ranges
574451-1 3-Major ASM chassis sync occasionally fails to load on secondary slot
574113-1 3-Major Block All - Session Tracking Status is not persisted across an auto-sync device group
573406-4 3-Major ASU cannot be completed if license was last activated more than 18 months before
572922-1 3-Major Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.
571246-1 3-Major Enforcement Readiness Summary incorrect for Signatures
568670-1 3-Major ASM fails to start with error - ndefined subroutine &F5::CRC::get_crc32
564324-1 3-Major ASM scripts can break applications
561595-3 3-Major Guest user cannot see Event Correlation details
559541-1 3-Major ICAP anti virus tests are not initiated on XML with when should
554324-2 3-Major Signatures cannot be updated after Signature Systems have become corrupted in database
537213-1 3-Major Second push is required after deactivating Active Security Policy and Sync flag indicates "In Sync" status
535904-1 3-Major BD crashes when attempting to access a closed connection
531566-1 3-Major A partial response arrives to the client when response logging is turned on
530102-1 3-Major Illegal meta characters on XML tags
529535-1 3-Major MCP validation error while deactivating a policy that is assigned to a virtual server
521370-2 3-Major Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-3 3-Major ASM policy creation fails after upgrading
513887-4 3-Major The audit logs report that there is an unsuccessful attempt to install a mysql user on the system


Application Visibility and Reporting Issues

ID Number Severity Description
579049-2 2-Critical TMM core due to wrong assert
578353-2 2-Critical Statistics data aggregation process is not optimized
575170-4 2-Critical Analytics reports may not identify virtual servers correctly
529900-3 2-Critical AVR missing some configuration changes in multiblade system
601536-2 3-Major Analytics load error stops load of configuration
600760 3-Major Process CPU Statistics in UI do not display when ASM is not provisioned
597161-2 3-Major Upgrading from BIG-IP v11.6.1 to BIG-IP v12.0.0 will fail if AVR is provisioned (or has been provisioned), and the configuration will fail to load in the new software boot location
582029-2 3-Major AVR might report incorrect statistics when used together with other modules.
574160-5 3-Major Publishing DNS statistics if only Global Traffic and AVR are provisioned
569958-1 3-Major Upgrade for application security anomalies
565412-2 3-Major AVR reports device-level mitigation as "Device Level" and not as "Aggregated"
560114-1 3-Major Monpd is being affected by an I/O issue which makes some of its threads freeze
560014 3-Major Error written to monpd log if upgrade and there is traffic capture data in database
559060-2 3-Major AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.
557062-1 3-Major The BIG-IP ASM configuration fails to load after an upgrade.
528031-2 3-Major AVR not reporting the activity of standby systems.


Access Policy Manager Issues

ID Number Severity Description
608424-1 2-Critical Dynamic ACL agent error log message contains garbage data
608408-3 2-Critical TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
592868-5 2-Critical Rewrite may crash processing HTML tag with HTML entity in attribute value
588686-3 2-Critical High-speed logging to remote logging node stops sending logs after all logging nodes go down
582440-3 2-Critical Linux client does not restore route to the default GW on Ubuntu 15.10
580225-2 2-Critical WEBSSO::select may crash tmm.
575609-1 2-Critical Zlib accelerated compression can result in a dropped flow.
571556-1 2-Critical RBA may generate a core file when shutting down
604767-3 3-Major Importing SAML IdP's metadata on BIG-IP as SP may result in an incomplete IdP connector object configuration.
601905-3 3-Major POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-5 3-Major DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
597431-3 3-Major VPN establishment may fail when computer wakes up from sleep
591268-2 3-Major VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
586006-2 3-Major Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-2 3-Major VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
580893-4 3-Major Support for Single FQDN usage with Citrix Storefront Integration mode
562636-1 3-Major Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
561348-5 3-Major krb5.conf file is not synchronized between blades and not backed up
555983 3-Major [Portal Access][sp 2013][office 2013] Can not open Excel file from office 2013 with windows 10
554963 3-Major Portal Access. When creating an item in SharePoint 2010 thru Site Options, we go directly to the SharePoint
554123 3-Major Sync to Sharepoint workstation fails with could not connect to server
554094 3-Major [OWA2013] Help doesn't open up
551454-1 3-Major Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server
541622-2 3-Major APD/APMD Crashes While Verifying CAPTCHA
540775-1 3-Major URLDecoder: Illegal hex characters in escape (%) pattern.
540245 3-Major ACCESS::respond command with one argument could cause a false warning message in log file
528424-1 3-Major IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state
522124-2 3-Major Secondary MCPD restarts when SAML IdP or SP Connector is created
483570-1 3-Major TMM/APMD fail to communicate when handling a large amount of data under high load conditions.
372139-1 3-Major Manage Sessions are not showing correct current sessions on VIPRION chassis.


WebAccelerator Issues

ID Number Severity Description
575631-4 3-Major Potential MCPd leak in WAM stats query code
562644-5 3-Major TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection
553741-2 3-Major Restore WAM image optimization color profile handling


Service Provider Issues

ID Number Severity Description
613297-2 2-Critical Default generic message routing profile settings may core
612135-2 2-Critical Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
612143-1 3-Major Potential tmm core when two connections add the same persistence record simultaneously.
609575-3 3-Major BIG-IP drops ACKs containing no max-forwards header
601255-2 3-Major RTSP response to SETUP request has incorrect client_port attribute
599521-3 3-Major Persistence entries not added if message is routed via an iRule
598854-2 3-Major sipdb tool incorrectly displays persistence records without a pool name
598700-3 3-Major MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-2 3-Major Branch parameter in inserted VIA header not consistent as per spec
590091-2 3-Major Single-line Via headers separated by a single comma result in the first character of the second header being stripped.
583010-3 3-Major Sending a SIP invite with "tel" URI fails with a reset
578564-2 3-Major ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-3 3-Major ADAPT recursive loop when handling successive iRule events
572224-1 3-Major Buffer error due to RADIUS::avp command when vendor IDs do not match
570363-1 3-Major Potential segfault when MRF messages cross from one TMM to another.
566576-1 3-Major ICAP/OneConnect reuses connection while previous response is in progress
550434-6 3-Major Diameter connection may stall if server closes connection before CER/CEA handshake completes


Advanced Firewall Manager Issues

ID Number Severity Description
594152 2-Critical TMM crash upon a specific scenario
547550-2 2-Critical avrd reports incorrect stat values
594869-3 3-Major AFM can log DoS attack against the internal mpi interface and not the actual interface
592113-2 3-Major tmm core on the standby unit with dos vectors configured
590805-2 3-Major Active Rules page displays a different time zone.
575582-3 3-Major MCPd might leak memory in FW network attack stats.
575571-3 3-Major MCPd might leak memory in FW DOS SIP attack stats query.
575569-3 3-Major MCPd might leak memory in FW DOS DNS stats query.
575565-3 3-Major MCPd might leak memory in FW policy rule stats query.
575564-3 3-Major MCPd might leak memory in FW rule stats query.
575559-2 3-Major MCPd might leak memory in FW rule user ID validation stats.
575557-3 3-Major MCPd might leak memory in FW rule stats.
575321-3 3-Major MCPd might leak memory in firewall stats.
569337-3 3-Major TCP events are logged twice in a HA setup
565621 3-Major Adding an option to raise a violation due to proactive bot defense instead of resetting
561433-4 3-Major TMM Packets can be dropped indiscriminately while under DOS attack
556694-1 3-Major DoS Whitelist IPv6 addresses may "overmatch"
540054-1 3-Major tmm crash when DoS protection and behavior analysis enabled on virtual server
539687-2 3-Major No logs for Proactive Bot Defense drops.
431840 3-Major Cannot add vlans to whitelist if they contain a hyphen


Policy Enforcement Manager Issues

ID Number Severity Description
593070-3 2-Critical TMM may crash with multiple IP addresses per session
527992-3 2-Critical tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client.
472860-4 2-Critical RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
608742-5 3-Major DHCP: DHCP renew ack messages from server are getting dropped by BIGIP in Forward mode.
592070-4 3-Major DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-2 3-Major PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-3 3-Major DHCP relay not forwarding server DHCPOFFER and DHCPACK message after sometime
577814-5 3-Major MCPd might leak memory in PEM stats queries.
568722-2 3-Major Gy quota and end of session reporting does not work under certain conditions.
566061-2 3-Major Subscriber info missing in flow report after subscriber has been deleted
565765-2 3-Major Flow reporting does not occur for unclassified flows.
559382-2 3-Major Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
553499-1 3-Major PEM subscriber create iRule 'PEM::subscriber create' does not use subscriber-id-type correctly
549283-2 3-Major Add a log message to indicate transition in the state of Gx and Gy sessions.
528787-2 3-Major PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.
522934-1 3-Major Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy


Carrier-Grade NAT Issues

ID Number Severity Description
608865-1 2-Critical CGNAT: LSN retries ignored in deterministic mode.
561962-1 3-Major The incorrect address is being logged in the 'postNATDestinationIPv4Address' field of NAT64 outbound IPFIX logs
545986-2 3-Major dnatutil aborts when encountering parse errors
471835-2 3-Major Invalid port blocks are incorrectly counted as active zombie blocks.


Device Management Issues

ID Number Severity Description
554659 3-Major Configurable maximum message size limit for restjavad


Known Issue details for BIG-IP v12.0.x

616215-3 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.


614865-3 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.


613673 : UDP monitors might not be marked up and/or there might be a slight delay in monitors

Component: Local Traffic Manager

Symptoms:
A UDP monitor might fail to mark a pool member up even when the pool member is up.

A slight delay (less than 0.1 seconds) might be noticed in monitor traffic sent by the BIG-IP.

Conditions:
To experience the UDP monitor issue, there is generally some other monitor on the system that is perpetually down.

To experience the delay, run an affected version. The issue has been observed with tcp, http and https monitors.

Impact:
Incorrect pool member status for UDP monitors.

Connections to monitored pool members might last slightly longer than necessary.

Workaround:
None.


613542-3 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED


613536-3 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED


613429-1 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.

Component: Local Traffic Manager

Symptoms:
Assigning a wide IP with wildcard characters in the name to a DNS distributed application may not work properly when done via tmsh, and such configurations created via the GUI will result in configuration files that fail to load.

Conditions:
A wide IP with a wildcard character in its name.

Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.

Workaround:
None.


613326 : SASP monitor improvements

Component: Local Traffic Manager

Symptoms:
A SASP monitor created in versions earlier than 13.0.0 might exhibit problems in certain situations, such as:
-- Attempting to connect multiple times with GWM pairs.
-- Dropping and reconnecting frequently with GWM pairs.
-- Problematic behavior with mixed Push/Pull workgroups on the same GWM.
-- Overly-chatty use of the SASP protocol when establishing/reestablishing connections.
-- Marking pool members down during GWM switch-over.
-- Inability to handle many hundreds of workgroups/workloads

Conditions:
Using versions of the SASP monitor created in versions earlier than 13.0.0.

Impact:
Might cause flapping pool members or unstable pools.

Workaround:
None.


613297-2 : Default generic message routing profile settings may core

Component: Service Provider

Symptoms:
If a virtual is created using the default generic message profile, the first packet received will produce an infinite number of messages and overflow the internal buffers.

Conditions:
The default generic message profile has the internal parser enabled but a zero byte message separator pattern. This causes the parser when receiving traffic to create an infinite number of empty packets and overflow the system.

Impact:
The infinite number of messages will cause an internal panic producing a core. Traffic disrupted while tmm restarts.

Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.


613079-3 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.


613045-3 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.


612694-2 : TCP::close with no pool member results in zombie flows

Component: Local Traffic Manager

Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.

Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).

Impact:
Connection does not tear itself down.

Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.


612143-1 : Potential tmm core when two connections add the same persistence record simultaneously.

Component: Service Provider

Symptoms:
If two messages processed on different connections with the same persistence key add a persistence record at the same time, one add operation is returned a non-fatal error stating that the record already exists. The error might cause the message to be sent to both the destination and the originator, which fails.

Conditions:
Two messages processed on different connections with the same persistence key add a persistence record at the same time.

Impact:
A potential core occurs. The error might cause the message to be sent to both the destination and the originator, which fails. Traffic disrupted while tmm restarts.

Workaround:
None.


612135-2 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic

Component: Service Provider

Symptoms:
A virtual server configured with a generic message profile but no message routing profile cores when the virtual server receives a packet.

Conditions:
Configuring a virtual server with generic message profile without message routing profile.

Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.

Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.


611652-1 : iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.

Component: Local Traffic Manager

Symptoms:
While saving an iRule containing HTTP::cookie without the value parameter, you get a validation warning: 'warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. 'unexpected end of arguments;expected argument spec:COOKIE_NAME"160 25][HTTP::cookie $cookie_name]'.

The offending iRule command looks similar to this:
[HTTP::cookie $cookie_name]

Conditions:
iRules containing HTTP::cookie, but missing the optional value parameter, e.g. [HTTP::cookie $cookie_name].

Impact:
Validation warning incorrectly occurs if the optional 'value' parameter is left off. Note that the iRule is still loaded into the configuration.

Workaround:
Use the 'value' parameter in the HTTP::cookie command:
[HTTP::cookie value $cookie_name].


611487-1 : vCMP: VLAN failsafe does not trigger on guest

Component: TMOS

Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.

Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, and one or more vCMP guests enabled that use that VLAN.

Impact:
Since the heartbeat messages going over IPv6 link-local addresses continue to be successfully passed from host to guest, VLAN failsafe does not trigger if a downstream router or switch goes down that's connected to the VLAN.

Workaround:
If you are able to, disabling IPv6 on the host will allow VLAN failsafe to work as expected.


611320-2 : Mirrored connection on Active unit of HA pair may be unexpectedly torn down

Component: Local Traffic Manager

Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.

Conditions:
Mirrored connection on the Standby unit times out due to a state mismatch with the connection on the Active unit.

Impact:
Traffic loss.

Workaround:
Disable mirroring.


610609-5 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example if you sent a single connection through BIG-IP it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.


610429-4 : X509::cert_fields iRule command may leak memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields
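As an added example (not F5's code and not part of the original release note), the following Python script scans iRule text for the leaking call pattern described above: any X509::cert_fields call in which subpubkey is present but is not the last argument. It is a heuristic tokenizer rather than a Tcl parser: it tracks [..] and {..} nesting and backslash-newline continuations and skips commented-out lines, but it does not track double-quoted strings. The sample iRule embedded in the script is constructed for the demonstration; the rule name and the corrected calls are assumptions.

```python
"""Find X509::cert_fields calls where 'subpubkey' is not the last argument.

Added example, not F5 code. Heuristic scan of iRule (Tcl) text: tracks [...]
and {...} nesting and backslash-newline continuation, skips Tcl comment lines,
but does not track double-quoted strings.
"""
import re

CMD_RE = re.compile(r"X509::cert_fields\b")


def _argument_text(text, start):
    """Raw argument text after the command name, up to the ']' that closes the
    enclosing substitution, or a ';' / newline at nesting depth 0."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\":            # escaped character or line continuation
            i += 2
            continue
        if c in "[{":
            depth += 1
        elif c in "]}":
            if depth == 0:
                break
            depth -= 1
        elif c in ";\n" and depth == 0:
            break
        i += 1
    return text[start:i]


def _split_args(argtext):
    """Split argument text into Tcl words, keeping [..] and {..} groups whole."""
    words, cur, depth, i = [], [], 0, 0
    while i < len(argtext):
        c = argtext[i]
        if c == "\\" and i + 1 < len(argtext):
            if argtext[i + 1] == "\n":   # continuation: behaves as whitespace
                c = " "
                i += 1
            else:                        # keep escaped character with the word
                cur.append(argtext[i:i + 2])
                i += 2
                continue
        if c in "[{":
            depth += 1
        elif c in "]}":
            depth -= 1
        if c.isspace() and depth == 0:
            if cur:
                words.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        words.append("".join(cur))
    return words


def find_subpubkey_misuse(rule_text):
    """Return [(line_number, args)] for every X509::cert_fields call in which
    'subpubkey' appears but is not the final argument."""
    findings = []
    for m in CMD_RE.finditer(rule_text):
        line_start = rule_text.rfind("\n", 0, m.start()) + 1
        if rule_text[line_start:m.start()].lstrip().startswith("#"):
            continue                     # command appears in a Tcl comment
        args = _split_args(_argument_text(rule_text, m.end()))
        if "subpubkey" in args and args[-1] != "subpubkey":
            findings.append((rule_text.count("\n", 0, m.start()) + 1, args))
    return findings


# Constructed sample: the leaking signature from the release note, a corrected
# call (subpubkey last, split across a continued line), an unrelated call and
# a commented-out call. Only the first must be reported.
SAMPLE_RULE = """\
ltm rule rule_leak {
    when HTTP_REQUEST {
        # [X509::cert_fields [SSL::cert 0] 0 subpubkey hash]  (commented out)
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\\n"
            set fixed [X509::cert_fields [SSL::cert 0] 0 hash \\
                subpubkey]
            set other [X509::cert_fields [SSL::cert 0] 0 serial]
        }
    }
}
"""

if __name__ == "__main__":
    for line, args in find_subpubkey_misuse(SAMPLE_RULE):
        print(f"line {line}: X509::cert_fields {' '.join(args)}  <- move subpubkey last")
```

Run it against the output of 'tmsh list ltm rule' (or a saved bigip.conf) to locate rules that need subpubkey moved to the end before the leak exhausts tmm memory.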


610417-2 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol rather than negotiating the highest available protocol, which is TLSv1.2.

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

Workaround:
None.


610307-1 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber

Component: TMOS

Symptoms:
This error message may be generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.

Impact:
None. This can be ignored.

Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.


610273-1 : Not possible to do targeted failover with HA Group configured

Component: TMOS

Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."

Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.

Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.


609575-3 : BIG-IP drops ACKs containing no max-forwards header

Component: Service Provider

Symptoms:
When a SIP profile is in use and the BIG-IP receives an ACK that is missing the Max-Forwards header, it treats the packet as un-forwardable and does not forward the ACK. This can be experienced as a specific client being unable to make a call.

Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.

Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".


609335 : IPsec tmm devbuf memory leak.

Component: TMOS

Symptoms:
A small memory leak was discovered during internal testing of IPsec tunnels. Over time tmm might run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


609244-2 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.

Workaround:
None.


609200 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.

Component: TMOS

Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.

Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt to install a hotfix to the installation target.

Impact:
Cannot install hotfix.

Workaround:
Delete the target location, and perform the hotfix installation again.

Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.


609186-3 : TMM or MCP might core while getting connections via iControl.

Component: TMOS

Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.

Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.

Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.

Workaround:
None.


609119-6 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.


608865-1 : CGNAT: LSN retries ignored in deterministic mode.

Component: Carrier-Grade NAT

Symptoms:
You see CPU spikes on the BIG-IP when LSN is enabled and set to deterministic mode with the sys db tm.lsn.retries variable.

Conditions:
LSN enabled

Impact:
BIG-IP will try all endpoints before failing regardless of the tm.lsn.retries setting.


608742-5 : DHCP: DHCP renew ack messages from server are getting dropped by BIGIP in Forward mode.

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP is configured in forwarding mode, the renewal ACK sent by the server in response to a unicast renewal message from a DHCP client is dropped.

Conditions:
BIG-IP in forwarding mode. DHCP clients sending unicast renewal messages to the DHCP server.

Impact:
Unicast DHCP renewal requests are not acked. DHCP clients will send broadcast renewal messages and will be acked by servers.

Workaround:
None required. After failing to receive an ACK for its unicast renewal, the DHCP client sends a broadcast renewal message, which the DHCP server ACKs; that ACK is forwarded by the BIG-IP and received by the client.


608424-1 : Dynamic ACL agent error log message contains garbage data

Component: Access Policy Manager

Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.

Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.

Impact:
The system logs garbage data.

Workaround:
Make sure the ACL entry is correct.


608408-3 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library

Component: Access Policy Manager

Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.

Conditions:
All of the following
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.

Impact:
TMM may restart.

Workaround:
None.


607961-3 : Secondary blades restart when modifying a virtual server's route domain in a different partition.

Component: TMOS

Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).

Conditions:
- Multiple blades of vCMP guests in a sync-failover group.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.

Impact:
Traffic disrupted while secondary blades restart.

Workaround:
None.


607724-3 : TMM may crash when in Fallback state.

Component: Local Traffic Manager

Symptoms:
When HTTP is in Fallback mode, there is a chance that the HTTP filter sends an Abort event to the TCP filter (causing a teardown) prematurely, while an abort triggered by an upper filter/proxy is still in flight.

TMM may crash when this happens.

Conditions:
It is not known exactly what conditions need to exist to trigger this, but it has been known to trigger when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


607304-3 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.


606940-2 : Clustered Multiprocessing (CMP) peer connection may not be removed

Component: Local Traffic Manager

Symptoms:
- High memory usage due to connflow allocations
- conn_remove_cf_not_found stat is non-zero

Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.

Impact:
Low memory may lead to allocation failures, which may in turn lead to a tmm core.


606575-4 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with an HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    # Successful responses need no intervention
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    # Any other (error) status: detach the client side so the next request is load balanced again
    catch { ONECONNECT::detach enable }
}

Note: This workaround should not be used when the backend server uses connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).


606540 : DB variable changed via GUI does not sync across HA group

Component: TMOS

Symptoms:
If a configuration change is made in the BIG-IP GUI which is backed by a DB variable, the change is not synced to other devices in the same sync-failover device group.
If the same db variable change is made using the Traffic Management Shell (tmsh), the db variable change will be synced to other devices in the same sync-failover device group.

Note that db variable changes are never synced to devices in sync-only device groups.

Conditions:
1. BIG-IP systems in HA group, provisioned with modules (in addition to LTM) which create their own device groups (for example, ASM).
2. Original sync-failover device group replaced by a different sync-failover device group.
3. Using the GUI to change a configuration item which is backed by a DB variable.
Examples include:
failover.standby.linkdowntime (GUI: Device Management :: Device Groups : <fodg_name> : Failover : Link Down Time on Failover )
statemirror.clustermirroring (GUI: Device Management :: Devices : <device_name> : Cluster Options )

Impact:
Configuration of devices within a sync-failover device group may not be synchronized as expected.

Workaround:
To force synchronization of a db variable change made via the GUI, a tmsh command of the following form may be used:

tmsh modify cm device-group <sync-failover device group name> devices modify { <device name> { set-sync-leader } }

If the sync-failover device group is not automatically synced, manually sync the device group:

tmsh run cm config-sync to-group <sync-failover device group name>


To avoid creating a db variable change that will not be synchronized across sync-failover device group members, change the configuration or db variable using tmsh:

tmsh modify sys db <variable name> value <new value>

If the sync-failover device group is not automatically synced, manually sync the device group:

tmsh run cm config-sync to-group <sync-failover device group name>


606330-3 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.

Component: TMOS

Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.

Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.

Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.

Workaround:
Clear the BGP neighbor after changing the configuration.


605983-3 : tmrouted may crash when being restarted in debug mode

Component: Local Traffic Manager

Symptoms:
tmrouted may restart after being manually restarted with a debug level of 2 or higher.

Conditions:
tmrouted is manually restarted with a debug level of 2 or higher.
Multi route-domain setup with independent routing processes enabled on several route-domains.

Impact:
tmrouted may restart additional times which can add delay to getting back to service after manually restarting tmrouted.
Any restart of tmrouted already causes loss of dynamic routing sessions.

Workaround:
Do not use a tmrouted debug level of 2 or higher. This should be done only under recommendation from F5 Support.


605894-2 : Remote authentication for BIG-IP users can fail

Component: TMOS

Symptoms:
While trying to log in to the BIG-IP command line as a remotely authenticated user, the login intermittently fails. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server", although the LDAP server is up and accessible from the BIG-IP system.

Conditions:
Remote authentication configured, users configured to use remote authentication, and ssl-check-peer is enabled.

Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.

Workaround:
Disabling ssl-check-peer can work around this issue.


605865-3 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.


605521 : Request log profiles added to some virtual servers might result in tmm cores.

Component: TMOS

Symptoms:
As a result of a configuration mistake, request log profiles added to some virtual servers might result in tmm cores. For example: a request log profile with an incorrectly attached SIP profile might core because request-log expects http_data in HUDEVT_REQUEST and instead receives sip_msg from SIP.

Conditions:
Using a log profile without an HTTP profile.

Impact:
Traffic disrupted while tmm restarts.


604931 : bgpd might core on restarting process with BGP debug enabled.

Component: TMOS

Symptoms:
On a BIG-IP system configured with dynamic routing using the BGP routing protocol, when BGP debugging is enabled, the bgpd daemon may crash.

Conditions:
- BGP configured and peering established.
- BGP debugging enabled.
- BGP process is restarted gracefully.

Impact:
bgpd may crash.

Workaround:
Disable BGP debug.


604767-3 : Importing SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing a SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
This results in a misconfiguration; SAML WebSSO will subsequently fail.

Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.


604211-5 : License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.

Component: TMOS

Symptoms:
On Azure, after upgrading to any version other than 12.0.0 HF1-EHF14 or 12.1.0-HF1-EHF22, the system boots up as Not Licensed and Inoperative.

Although certain cloud-specific 12.x EHFs, such as BIG-IP Virtual Edition 12.1.0 HF1 EHF1, are intended for AWS only, BIG-IP does not prevent you from accidentally downloading and installing them in Azure environments. If you upgrade an Azure instance from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to 12.1.0 HF1 EHF1, 12.0.0-hf4 or 12.1.1, the Azure license becomes nonoperational and is invalidated.

Conditions:
Upgrading a BYOL instance on Azure to 12.1.0 HF1 EHF1 or 12.1.1. The Azure-specific versions are as follows:
- 12.0.0-HF1-EHF14.
- 12.1.0-HF1-EHF22.

Impact:
License becomes unusable. Re-licensing the instance gets an invalid license.

Workaround:
The workaround for this issue is to boot back into the previous boot volume, and then upgrade to 12.1.0-HF1-EHF22 in Azure.

To change default boot volume, choose one of the following methods:
1. tmsh reboot volume volume-name.
2. switchboot utility (interactive mode by default).
3. Admin UI.

For more information about the switchboot utility, see SOL5658: Overview of the switchboot utility, available here: https://support.f5.com/kb/en-us/solutions/public/5000/600/sol5658.html.


604133-3 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state

Component: Local Traffic Manager

Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.

Conditions:
Ramcache + another filter or iRule inspecting/modifying cookies in a Ramcache response.

Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.


603979-1 : Data transfer from the BIG-IP system self IP might be slow

Component: Local Traffic Manager

Symptoms:
When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid; however, some routers drop such packets. This might result in retransmissions and low throughput.

Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.

Impact:
Data transfer from the BIG-IP system's self IP might be slow.

Workaround:
Run the following command: ethtool -K tmm tso off.

Note: To persist the effect of this command across reboots, use the solution specified in SOL14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14397.html
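The condition described above (an IPv4 fragment carrying both DF and MF) is easy to confirm from a packet capture before changing any TSO settings. The following Python is an added example, not F5's code or tooling: it parses the IPv4 flags/fragment-offset field, verifies the header checksum, and counts fragments that match the issue. The sample packets are constructed in the block (TEST-NET addresses, made-up identification values), not captured from a BIG-IP system. Beyond the exact DF+MF case, it also flags the trailing fragment of such a datagram, which carries DF with a non-zero offset and MF clear.

```python
import struct

# IPv4 flags/fragment-offset field layout (RFC 791): bit 0 reserved, bit 1 DF, bit 2 MF, 13-bit offset.
IP_FLAG_DF = 0x4000
IP_FLAG_MF = 0x2000
IP_OFFSET_MASK = 0x1FFF


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; a valid header (checksum included) sums to 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, df: bool, mf: bool, frag_offset_units: int,
                      payload_len: int, ident: int = 0x1234, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header used as test input; not a real capture."""
    flags_frag = (IP_FLAG_DF if df else 0) | (IP_FLAG_MF if mf else 0) | (frag_offset_units & IP_OFFSET_MASK)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0, src_b, dst_b)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def parse_ipv4_fragment_info(packet: bytes) -> dict:
    """Return id, DF, MF, byte offset and checksum validity from an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl_bytes = (packet[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", packet[4:8])
    return {
        "id": ident,
        "df": bool(flags_frag & IP_FLAG_DF),
        "mf": bool(flags_frag & IP_FLAG_MF),
        "offset": (flags_frag & IP_OFFSET_MASK) * 8,   # the field is in 8-byte units
        "checksum_ok": ipv4_checksum(packet[:ihl_bytes]) == 0,
    }


def has_df_and_mf(packet: bytes) -> bool:
    """The exact condition from the issue: DF and MF both set in one packet."""
    info = parse_ipv4_fragment_info(packet)
    return info["df"] and info["mf"]


def is_df_fragment(packet: bytes) -> bool:
    """Broader check: DF set on any fragment (MF set, or a non-zero offset on the last piece)."""
    info = parse_ipv4_fragment_info(packet)
    return info["df"] and (info["mf"] or info["offset"] > 0)


def count_df_fragments(packets) -> dict:
    """Tally both checks over a list of raw IPv4 packets (headers suffice)."""
    return {
        "df_and_mf": sum(1 for p in packets if has_df_and_mf(p)),
        "df_on_any_fragment": sum(1 for p in packets if is_df_fragment(p)),
    }


# Constructed sample: one datagram split into two 1480-byte fragments that both carry DF,
# plus an ordinary unfragmented DF packet. Addresses are TEST-NET, identification values made up.
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.10", "192.0.2.20", df=True, mf=True, frag_offset_units=0, payload_len=1480),
    build_ipv4_header("192.0.2.10", "192.0.2.20", df=True, mf=False, frag_offset_units=185, payload_len=1480),
    build_ipv4_header("192.0.2.10", "192.0.2.20", df=True, mf=False, frag_offset_units=0, payload_len=100, ident=0x5678),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(parse_ipv4_fragment_info(pkt), "<- DF+MF" if has_df_and_mf(pkt) else "")
    print(count_df_fragments(SAMPLE_PACKETS))
```

To use it on real traffic, feed each packet's IP header bytes (for example, extracted from a pcap with a library of your choice) to count_df_fragments; a non-zero df_and_mf count on a self IP flow confirms the behaviour this entry describes.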


603550-2 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, one that has both a FastL4 profile and a layer 7 (HTTP) profile) and a SYN flood is directed at that virtual server.

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.


602566-2 : sod daemon may crash during start-up

Component: TMOS

Symptoms:
sod daemon produces a core file during start-up.

Conditions:
sod encounters an error during start-up and attempts to recover.

Impact:
sod restarts.


602358-3 : Some sites need the SSL/TLS ClientHello version sent after receiving the HelloRequest to match the first ClientHello Version

Component: Local Traffic Manager

Symptoms:
Some sites need the SSL/TLS version (both in the Record layer and in the Handshake Protocol) in the 2nd ClientHello, sent after receiving the HelloRequest, to be exactly the same as the SSL/TLS version of the 1st ClientHello; that is:

1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.

The BIG-IP system's default behavior is to set the SSL/TLS ClientHello version to the version negotiated in the first-round ServerHello only.

Conditions:
This occurs when using virtual servers configured with one or more SSL profiles.

Impact:
The SSL renegotiation after receiving the HelloRequest will fail.

Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.
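The two equalities in the Symptoms above can be checked directly against the first and second ClientHello records in a capture of the server-side connection. The Python below is an added example, not BIG-IP code: it parses the record-layer version and the Handshake Protocol version out of a ClientHello and reports whether a renegotiation ClientHello matches the original one. The ClientHello records are constructed inside the block (one cipher suite, zeroed random, no extensions) so that it runs offline; the version values 0x0301 and 0x0303 are simply TLS 1.0 and TLS 1.2 wire encodings.

```python
import struct

TLS_HANDSHAKE_RECORD = 0x16
HS_CLIENT_HELLO = 0x01
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(record_version: int, handshake_version: int) -> bytes:
    """Constructed minimal ClientHello record used as test input; not a real capture."""
    body = struct.pack("!H", handshake_version)
    body += bytes(32)                              # client_random, zeroed for the example
    body += b"\x00"                                # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"     # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                            # compression_methods: null only
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE_RECORD, record_version, len(handshake)) + handshake


def parse_client_hello_versions(record: bytes) -> tuple:
    """Return (record_layer_version, handshake_version) from a ClientHello record."""
    if len(record) < 11:
        raise ValueError("record too short for a ClientHello")
    content_type, record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    if len(record) - 5 < length:
        raise ValueError("truncated handshake record")
    if record[5] != HS_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_len + 4 > length:
        raise ValueError("handshake length exceeds record length")
    (handshake_version,) = struct.unpack("!H", record[9:11])
    return record_version, handshake_version


def renegotiation_versions_match(first_hello: bytes, second_hello: bytes) -> bool:
    """True when record-layer AND handshake versions are identical across both ClientHellos."""
    return parse_client_hello_versions(first_hello) == parse_client_hello_versions(second_hello)


def describe_versions(first_hello: bytes, second_hello: bytes) -> str:
    """Human-readable comparison, useful when annotating a capture."""
    def name(v):
        return VERSION_NAMES.get(v, "0x%04x" % v)
    r1, h1 = parse_client_hello_versions(first_hello)
    r2, h2 = parse_client_hello_versions(second_hello)
    verdict = "match" if (r1, h1) == (r2, h2) else "MISMATCH"
    return "1st: record %s / handshake %s; 2nd: record %s / handshake %s -> %s" % (
        name(r1), name(h1), name(r2), name(h2), verdict)


if __name__ == "__main__":
    first = build_client_hello(0x0301, 0x0303)      # record TLS 1.0, handshake TLS 1.2
    renegotiated_ok = build_client_hello(0x0301, 0x0303)
    renegotiated_bumped = build_client_hello(0x0303, 0x0303)  # record layer moved to the negotiated version
    print(describe_versions(first, renegotiated_ok))
    print(describe_versions(first, renegotiated_bumped))
```

The second constructed case reproduces the behaviour this entry describes: the record-layer version of the renegotiation ClientHello follows the negotiated version while the first ClientHello used a lower one, which is exactly what strict peers reject.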


602300-3 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address

Component: Global Traffic Manager

Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the tmsh command
tmsh modify sys dns name-servers add { <IPv6> }

with the IPv6 address as the first DNS name server.
This appears in the /etc/resolv.conf file as, for example:
nameserver 2001::1
nameserver 192.168.100.1

Conditions:
When an IPv6 nameserver is the first server defined.

Impact:
ZoneRunner records cannot be modified.

Workaround:
Do not use a DNS server with an IPv6 address, or add an IPv4 server at the top of the list.


602221-1 : Wrong parsing of redirect Domain

Component: Application Security Manager

Symptoms:
ASM learns wrong domain names.

Conditions:
There is no '/' after the domain name in the redirect domain.

Impact:
A wrong learning suggestion can lead to a wrong policy.

Workaround:
N/A


602193-3 : iControl REST call to get certificate fails if

Component: TMOS

Symptoms:
While using the iControl REST API, a call to /mgmt/tm/sys/crypto/cert results in a 400 or 500 error. The call to /mgmt/tm/sys/crypto/key works.

Conditions:
This can occur if any of the certificates contain non-UTF-8 characters.

Impact:
iControl REST API call will fail.

Workaround:
If possible, generate the certificate so that it contains only UTF-8 characters.


602136-4 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that drops a connection.

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server.

Workaround:
None.


602040-1 : Truncated support ID for HTTP protocol security logging profile

Component: Local Traffic Manager

Symptoms:
The HTTP Protocol Security logging profile yields an incomplete support ID in local storage.

Conditions:
Configuration: LTM with Protocol Security Module provisioned, LTM virtual server with HTTP Protocol Security and local-storage logging profile attached. The log-db entries created by the HTTP Protocol Security logging profile have a truncated support ID.

Impact:
The support ID presented to the user does not match the one in the logs because the log entry is truncated (missing a few digits).

Workaround:
There is no workaround.


601905-3 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server

Component: Access Policy Manager

Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.

Conditions:
Most likely, the POST request contains large post data.

Impact:
The POST request will fail.

Workaround:
The following iRule works around the issue:

when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Trigger collection for up to $max_collect bytes of data
        set max_collect 1000000
        if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length $max_collect
        }
        # Only collect when there is a body to collect
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}


601709-3 : I2C error recovery for BIGIP 4340N/4300 blades

Component: TMOS

Symptoms:
The I2C internal bus for the front switch may not work. The fix recovers from the problem when it happens.

Conditions:
This rarely happens.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.

Workaround:
bigstart restart bcm56xxd


601536-2 : Analytics load error stops load of configuration

Component: Application Visibility and Reporting

Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.

Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.

Impact:
Configuration fails to load, will not pass traffic.

Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.


601414-2 : Combined use of session and table irule commands can result in intermittent session lookup failures

Component: TMOS

Symptoms:
[session lookup] commands do not return the expected result.

Conditions:
An iRule which combines use of [table] and [session lookup] commands.

Impact:
Intermittent session functionality.

Workaround:
If possible, use table commands in lieu of session commands.


601255-2 : RTSP response to SETUP request has incorrect client_port attribute

Component: Service Provider

Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)

Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection

Impact:
Unicast media may be forwarded to an incorrect UDP port (0).


601178-2 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is set to 'preferred' in the HTTP cookie persistence profile and the client presents a plain-text, route-domain-formatted cookie, the BIG-IP system ignores the cookie and load balances the connection again.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.


600944-2 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common', then run bash and then 'ip route', the routing table from the previous partition is displayed, not /Common's.

Conditions:
Attempting to see the route table from the /Common partition after leaving another partition.

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.


600894-2 : In certain situations, the MCPD process can leak memory

Component: TMOS

Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:

err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.

Conditions:
So far, this issue has only been observed while updating a large external data-group file object.

Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.


600760 : Process CPU Statistics in UI do not display when ASM is not provisioned

Component: Application Visibility and Reporting

Symptoms:
Process CPU Statistics is very useful for all LTM administrators, and this capability is available when AVR is provisioned.
However, ASM also needs to be provisioned in order to see this information.

Conditions:
AVR is provisioned but ASM is not provisioned.

Impact:
Statistical charts of per-process CPU use are not available if you do not have ASM provisioned.

Workaround:
Edit the file /etc/avr/monpd/monp_modules.cfg and change this section:

[proc_cpu_info]
entities=/etc/avr/monpd/monp_process_cpu_info_entities.cfg
measures=/etc/avr/monpd/monp_process_cpu_info_measures.cfg
tmsh_display_name=proc-cpu
display_name=Processes CPU Info
loader_subdirectory_name=proc_cpu_info
provisioning=asm
primary_only=1

to:

[proc_cpu_info]
entities=/etc/avr/monpd/monp_process_cpu_info_entities.cfg
measures=/etc/avr/monpd/monp_process_cpu_info_measures.cfg
tmsh_display_name=proc-cpu
display_name=Processes CPU Info
loader_subdirectory_name=proc_cpu_info
provisioning=ltm
primary_only=1

The only change is the provisioning line, from provisioning=asm to provisioning=ltm. Then restart monpd:

bigstart restart monpd

All the statistics are then displayed.


600614-3 : External crypto offload fails when SSL connection is renegotiated

Component: Local Traffic Manager

Symptoms:
If an external crypto offload client is configured with an SSL profile and renegotiation is enabled for the SSL profile, the crypto client connection will fail when the SSL connection is renegotiated.

Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.

Impact:
Crypto client connection to the crypto server will fail.

Workaround:
Disable renegotiation on the SSL profile.


600593-3 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests

Component: Local Traffic Manager

Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.

Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.

Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.

Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:

when HTTP_PROXY_REQUEST {
   if { [HTTP::method] equals "CONNECT" } {
      ONECONNECT::reuse disable
   }
   else {
      ONECONNECT::reuse enable
   }
}


600558-4 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


600119-5 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions

Component: Access Policy Manager

Symptoms:
When connected to the VPN with the Wi-Fi adapter enabled (but not connected to any WLAN), access to websites outside the VPN is very slow.
Access is fine when the Wi-Fi interface is disabled.

Conditions:
- The number of DNS servers configured for active network adapters matches the number of DNS servers configured in the Network Access resource.

Impact:
User experience while navigating to servers outside of the VPN scope is impacted by increased connection time.

Workaround:
Disable unused adapters or change the number of configured DNS servers.


599521-3 : Persistence entries not added if message is routed via an iRule

Component: Service Provider

Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.

Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.

Impact:
Since MRF SIP persistence may be bidirectional, the missing persistence entry prevents messages flowing in the opposite direction from being automatically routed via persistence.

Workaround:
An iRule could be used to route messages directed towards the original client.


598874-7 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.


598854-2 : sipdb tool incorrectly displays persistence records without a pool name

Component: Service Provider

Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool) will not be displayed properly by sipdb.

Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.

Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.


598700-3 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers

Component: Service Provider

Symptoms:
Messages received by different virtual servers (sharing the same router) are not able to be properly routed using the call-id persistence.

Conditions:
A router with multiple virtual servers bridging between networks is not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.

Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.


598085 : Expected telemetry is not transmitted by sFlow on the standby-mode unit.

Component: TMOS

Symptoms:
The expected telemetry is not transmitted by sFlow on the standby-mode unit. In a high-availability (HA)/redundant BIG-IP configuration, standby BIG-IP units are failing to generate sFlow telemetry packets containing unit-specific data.

Conditions:
In a high-availability/redundant BIG-IP configuration with sFlow configured.

Impact:
The sFlow data being transmitted by the standby unit consists of packet samples of the HA Heartbeat traffic, and no other telemetry information.

Workaround:
None.


598039-4 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.


597972 : Inconsistent settings between CLI and GUI for sFlow configuration.

Component: TMOS

Symptoms:
Inconsistent settings between CLI and GUI for sFlow configuration. The values shown in the GUI screens may not be the values set using the tmsh CLI. The ways in which sFlow settings are either sync'ed or not sync'ed between devices might differ.

Conditions:
Viewing and modifying sFlow configuration settings in the GUI and CLI.

Impact:
The values shown in the GUI screens may not be the values set using the tmsh CLI.

Workaround:
None.


597835-2 : Branch parameter in inserted VIA header not consistent as per spec

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This VIA header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP spec states that all messages in the same transaction should contain the same branch header. The code used to encrypt the branch field returns a different value each time.

Conditions:
SIP Via header insertion is enabled in the SIP MRF profile on the BIG-IP system, and an INVITE needs to be cancelled.

Impact:
Some servers have code to verify that the branch fields in the VIA header do not change within a transaction. These servers complain when they see the fields change.
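The server-side check described above (a transaction whose top Via branch changes between the INVITE and its CANCEL) can be reproduced from a trace to confirm whether a SIP peer's complaints are caused by this behaviour. The Python below is an added example, not F5 or MRF code: it parses SIP headers, extracts the top Via branch parameter, groups messages by Call-ID and CSeq number, and reports transactions that carry more than one branch value. Per RFC 3261 section 9.1 a CANCEL must match the top Via of the INVITE it cancels, so CANCEL is folded into the INVITE transaction. The two traces are constructed inside the block (TEST-NET addresses, made-up Call-ID and branch values); the second one mimics the defect by giving the CANCEL a fresh branch.

```python
COMPACT_HEADER_NAMES = {"v": "via", "i": "call-id", "f": "from", "t": "to"}


def parse_sip_message(raw: str) -> tuple:
    """Split a SIP message into (start_line, headers); headers maps lower-case name -> [values]."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        name = COMPACT_HEADER_NAMES.get(name, name)
        headers.setdefault(name, []).append(value.strip())
    return lines[0], headers


def top_via_branch(headers: dict):
    """Return the branch parameter of the topmost Via value, or None if absent."""
    vias = headers.get("via", [])
    if not vias:
        return None
    top_value = vias[0].split(",", 1)[0]          # one Via field may carry several comma-separated values
    for param in top_value.split(";")[1:]:
        key, _, val = param.strip().partition("=")
        if key.lower() == "branch":
            return val
    return None


def transaction_key(headers: dict) -> tuple:
    """Group by Call-ID and CSeq number. CANCEL is folded into the INVITE transaction it cancels."""
    call_id = headers["call-id"][0]
    cseq_num, _, method = headers["cseq"][0].partition(" ")
    method = method.strip().upper()
    if method == "CANCEL":
        method = "INVITE"
    return (call_id, cseq_num.strip(), method)


def find_branch_changes(messages) -> dict:
    """Return {transaction_key: set_of_branches} for transactions whose top Via branch changed."""
    branches = {}
    for raw in messages:
        _, headers = parse_sip_message(raw)
        branches.setdefault(transaction_key(headers), set()).add(top_via_branch(headers))
    return {key: seen for key, seen in branches.items() if len(seen) > 1}


def _msg(start_line: str, via_branch: str, cseq: str,
         call_id: str = "constructed-call-1@192.0.2.10") -> str:
    """Assemble a constructed SIP message (not a capture) with the given top Via branch."""
    return "\r\n".join([
        start_line,
        "Via: SIP/2.0/UDP 192.0.2.10:5060;rport;branch=" + via_branch,
        "From: <sip:alice@192.0.2.10>;tag=a1",
        "To: <sip:bob@192.0.2.20>",
        "Call-ID: " + call_id,
        "CSeq: " + cseq,
        "Max-Forwards: 70",
        "Content-Length: 0",
        "", "",
    ])


# Constructed traces. GOOD_TRACE keeps one branch across INVITE, provisional response and CANCEL;
# BAD_TRACE gives the CANCEL a different branch, which is what strict servers reject.
GOOD_TRACE = [
    _msg("INVITE sip:bob@192.0.2.20 SIP/2.0", "z9hG4bK-constructed-1", "1 INVITE"),
    _msg("SIP/2.0 100 Trying", "z9hG4bK-constructed-1", "1 INVITE"),
    _msg("CANCEL sip:bob@192.0.2.20 SIP/2.0", "z9hG4bK-constructed-1", "1 CANCEL"),
]
BAD_TRACE = GOOD_TRACE[:2] + [
    _msg("CANCEL sip:bob@192.0.2.20 SIP/2.0", "z9hG4bK-constructed-2", "1 CANCEL"),
]

if __name__ == "__main__":
    print("good trace:", find_branch_changes(GOOD_TRACE))
    print("bad trace: ", find_branch_changes(BAD_TRACE))
```

Run against messages exported from a capture of the server-facing leg, a non-empty result names the Call-ID and CSeq of each transaction whose inserted Via branch was not stable.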


597729-4 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such a message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


597708-2 : Stats are unavailable and VCMP state and status is incorrect

Component: Local Traffic Manager

Symptoms:
Unable to retrieve statistics or statistics are all 0 (zero) when they should not be zero.

This is VCMP related.

Guest virtual disks always show in-use, even when the guest is not in the running state.

When the guest OS is shut down, the GUI and TMSH do not show accurate information about status.

Conditions:
If a directory is removed from /shared/tmstat/snapshots merged might run at 100% CPU utilization and become unresponsive.

Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.

VCMP guest O/S status is reported incorrectly.

Workaround:
If merged is hung, restart the daemon using the following command:
bigstart restart merged.

To prevent the issue from occurring, disable tmstat snapshots using the following command:
tmsh modify sys db merged.snapshots value false.


597564-2 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items

Component: TMOS

Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user is manually editing the bigip.conf file, and they remove the 'app-service' statement from a virtual server, 'tmsh load sys config' will not fail to load the config, which is incorrect.

Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.

Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:

May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.

Workaround:
Exercise caution when manually editing BIG-IP configuration files.


597532-6 : iRule: RADIUS avp command returns a signed integer

Component: Local Traffic Manager

Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.

Conditions:
iRules using RADIUS::avp to retrieve data

Impact:
iRules using the RADIUS::avp command will not work as expected.

Workaround:
The result can be casted to an unsigned integer after obtaining the value, as follows:

ltm rule radius_avp_integer {
    when CLIENT_DATA {
        # XXXXX and Y stand for the vendor-id and vendor-type of the attribute being read
        set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
        # mask to 32 bits to recover the unsigned value from the signed result
        set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
    }
}

Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.
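To show what the signed/unsigned discrepancy looks like on the wire, the following added example (not F5 code and not part of this document) builds a RADIUS Vendor-Specific attribute (type 26, RFC 2865) carrying a 4-byte integer sub-attribute, then decodes that integer both as a signed and as an unsigned 32-bit value and applies the same `& 0xFFFFFFFF` mask used in the iRule workaround. The vendor-id, vendor-type and value are constructed sample data; `build_vsa`, `parse_vsa` and `to_unsigned32` are names chosen for this example.

```python
import struct

# RADIUS attribute type for Vendor-Specific (RFC 2865 section 5.26)
VENDOR_SPECIFIC = 26


def build_vsa(vendor_id: int, vendor_type: int, value: int) -> bytes:
    """Build a Vendor-Specific attribute holding one 4-byte integer
    sub-attribute (constructed test data, not captured traffic)."""
    # sub-attribute: vendor-type (1), vendor-length (1, = 2 + 4), value (4)
    payload = struct.pack("!IBBI", vendor_id, vendor_type, 6, value & 0xFFFFFFFF)
    # outer attribute: type (1), length (1, = 2 + payload)
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload


def parse_vsa(attr: bytes):
    """Decode a Vendor-Specific attribute with a single integer sub-attribute.

    Returns (vendor_id, vendor_type, value_signed, value_unsigned) so the two
    interpretations of the same four bytes can be compared directly.
    """
    if len(attr) < 12:
        raise ValueError("attribute too short for an integer sub-attribute")
    a_type, a_len = struct.unpack("!BB", attr[:2])
    if a_type != VENDOR_SPECIFIC or a_len != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = struct.unpack("!BB", attr[6:8])
    if vendor_len != 6:
        raise ValueError("sub-attribute is not a 4-byte integer")
    raw = attr[8:12]
    # same bytes, two interpretations: '!i' is signed, '!I' is unsigned
    value_signed = struct.unpack("!i", raw)[0]
    value_unsigned = struct.unpack("!I", raw)[0]
    return vendor_id, vendor_type, value_signed, value_unsigned


def to_unsigned32(signed_value: int) -> int:
    """The iRule workaround expressed in Python: mask to 32 bits."""
    return signed_value & 0xFFFFFFFF


if __name__ == "__main__":
    # constructed example: vendor-id 9, vendor-type 1, value with the high bit set
    vsa = build_vsa(9, 1, 0xC0A80001)
    vid, vtype, signed, unsigned = parse_vsa(vsa)
    print(f"vendor-id={vid} vendor-type={vtype} signed={signed} unsigned={unsigned}")
    print(f"masked={to_unsigned32(signed)}")
```

Any value with the top bit set (here 0xC0A80001) decodes as a negative number when read as signed; the mask restores the unsigned value, which is what the page's iRule does.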


597431-3 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
EdgeClient does not clean up the routing table before Windows goes into hibernation. This may prevent VPN establishment when the computer wakes up. It may also result in other network connectivity issues.

Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation

Impact:
Issues with Network connectivity

Workaround:
Renew the DHCP lease by running:
ipconfig /renew

or

reboot the machine.


597303-2 : "tmsh create net trunk" may fail

Component: TMOS

Symptoms:
When a trunk is created with "tmsh create net trunk", with LACP enabled or disabled, the addition of a trunk member may fail. When it fails, messages like the following appear in /var/log/ltm:

Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: bs_trunk_addr_set: unit=0 Invalid parameter bs_trunk.cpp(2406)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: Trouble setting trunk 1, unit 0 bs_trunk.cpp(2591)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: SDK error Invalid parameter bs_trunk.cpp(2592)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble setting trunk: unit=0, trunk=testTrunk bs_trunk.cpp(1886)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble adding interface to trunk=testTrunk bsx.c(3109)

Conditions:
The problem tends to happen when a trunk is created right after it is deleted. If you wait for over 30 seconds, it is unlikely to happen.

Impact:
A trunk can't be created, and no trunk members can be added.

Workaround:
Wait for over 30 seconds before adding back the same trunk.


597291 : Upgrade and subsequent config sync fails if there is an ASM policy with empty name.

Component: TMOS

Symptoms:
After upgrading to 12.0.0 or higher, ASM shows as not ready in the GUI. /var/log/ltm has this signature: err asm_tables_dump.pl[20647]: gave up waiting for ASM to start, please try again later.

Conditions:
This occurs on upgrading, when one or more ASM policies contains no name. It is not known what causes an ASM policy to have no name.

Impact:
System upgrades, but ASM reports as not ready and config sync fails.

Workaround:
If you cannot find the policy in the GUI with no name, the following mysql command can help with detection:

mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_POLICIES WHERE name = ""\G'

The policy can be removed from the GUI, and at that point restarting the system should succeed as expected.


597161-2 : Upgrading from BIG-IP v11.6.1 to BIG-IP v12.0.0 will fail if AVR is provisioned (or has been provisioned), and the configuration will fail to load in the new software boot location

Component: Application Visibility and Reporting

Symptoms:
After an upgrade from BIG-IP v11.6.1 to BIG-IP v12.0.0, the system fails to load the configuration, and logs these messages to /var/log/ltm:

crit tmsh[8585]: 01420001:2: Can't load keyword definition (analytics-report.device_group) : framework/SchemaCmd.cpp, line 810
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. --
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. --


Running "tmsh load sys config" will report an error:
fatal: (Can't load keyword definition (analytics-report.device_group)) (framework/SchemaCmd.cpp, line 810), exiting...


This will also occur if restoring a UCS archive from a v11.6.1 system on a BIG-IP v12.0.0 system.

Conditions:
An upgrade is performed from BIG-IP v11.6.1 to BIG-IP v12.0.0, and AVR is provisioned.

Even if AVR is provisioned and then un-provisioned, if the configuration file contains "analytics" objects, this issue will also occur. This happens even if AVR was never configured.

Impact:
Config load fails after upgrade.

Workaround:
This only occurs on upgrade from 11.6.1 to 12.0.0. Upgrading from 11.6.1 to 12.1.0 does not exhibit this. If you encountered this when upgrading to 12.0.0, you can manually remove the analytics objects from the bigip.conf file and reload the configuration, then rebuild your analytics profiles.


597089-6 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second handshake timeout is not being updated to the idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
High number of connections get reset, performance issue

Workaround:
Disabling the pva resolves the issue.


596826-4 : Don't set the mirroring address to a floating self IP address

Component: TMOS

Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address

It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address.

Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.

Impact:
Mirroring does not work in this case.

Workaround:
Change the mirroring address to a non floating self IP address. The GUI will only present non floating self IP addresses.

For more information about mirroring, see SOL13478: Overview of connection and persistence mirroring at https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13478.html


596067-4 : GUI on VIPRION hangs on secondary blade reboot

Component: TMOS

Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.

Conditions:
It is not known exactly what triggers this, as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) have not fully started will trigger this condition.

Impact:
GUI becomes unresponsive

Workaround:
bigstart restart httpd will clear this condition if it occurs.


594869-3 : AFM can log DoS attack against the internal mpi interface and not the actual interface

Component: Advanced Firewall Manager

Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.

Conditions:
This can occur in CMP-enabled systems.

Impact:
A valid DoS attack will be misreported


594346 : Config roll forward failure when upgrading from 11.6.1 to 12.0.0 or its hotfix rollups

Component: TMOS

Symptoms:
If the 11.6.0 configuration contains apm access-policy item objects, the config fails to roll forward to 12.0.0 and its hotfix roll-ups.

apm policy access-policy test-policy {
    default-ending test-policy_end_deny
    items {
        test-policy_end_allow { }
        test-policy_end_deny { }
        test-policy_ent { }
    }
    macros { /Common/empty }
    start-item test-policy_ent
}

Conditions:
Configuration contains apm policy access-policy objects. This can be encountered when upgrading from 11.6.0 or 11.6.1 to 12.0.0 or beyond.

Impact:
Failure to load configuration. The error below will be present in /var/log/ltm. The error will also be present on stderr

May 18 06:02:58 bigip3 crit tmsh[8574]: 01420001:2: Can't create association (access-policy.items) parser not found (apm::access_pol_access_pol_item) : framework/SchemaCmd.cpp, line 642

Workaround:
Upgrade to 12.1.0.


594152 : TMM crash upon a specific scenario

Component: Advanced Firewall Manager

Symptoms:
A tmm crash.

Conditions:
Suspicious browsers check is turned on.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable suspicious browser check.


593536-1 : Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being "In Sync".

Conditions:
Device Service Cluster Device Group with incremental sync enabled. A ConfigSync occurred where a configuration transaction failed validation, and then a subsequent (or the final) configuration transaction was successful.

Impact:
BIG-IP incorrectly reports configuration is in-sync, despite the fact that it is not in sync. All sorts of failures or odd behavior or traffic impact can result from this.

Workaround:
Turn off incremental sync (by enabling "Full Sync" / "full load on sync") for affected device groups.


593530-2 : In rare cases, connections may fail to expire

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds.

Conditions:
Any IP (ipother) profile is assigned to virtual server.

Impact:
Connections may linger.

Workaround:
None.


593390-3 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.

Component: Local Traffic Manager

Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.

Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.

Impact:
Higher memory usage than necessary.

Workaround:
Always have iRules select profiles using the complete path.


593070-3 : TMM may crash with multiple IP addresses per session

Component: Policy Enforcement Manager

Symptoms:
TMM crash

Conditions:
A session with multiple IP addresses, with PCRF communication for dynamic policy management, may crash due to a race condition.

Impact:
Traffic disrupted while tmm restarts.


592868-5 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If an HTML page contains HTML entities in attribute values, rewrite may crash while processing this page.

Conditions:
HTML tag like this:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases HTML entities can be replaced by appropriate characters by iRule.


592784-3 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.


592113-2 : tmm core on the standby unit with dos vectors configured

Component: Advanced Firewall Manager

Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause core dump

Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured

Impact:
Traffic disrupted while tmm restarts.


592070-4 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied

Component: Policy Enforcement Manager

Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.

Conditions:
DHCP virtual created in a non-local traffic group.

Impact:
Variable sharing in the TCL context will not work.

Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.


591659-4 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
None.


591476-1 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Device error: crypto codec cn-crypto-0 queue is stuck." will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.


591343-3 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.

Component: Local Traffic Manager

Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.

Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.

Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.

Workaround:
None.


591268-2 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions

Component: Access Policy Manager

Symptoms:
VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions; it depends on the client machine configuration. Symptom: a negative record in the Windows DNS cache, which can be verified by running ipconfig /displaydns.

Conditions:
Specific client machine configuration

Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue

Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service


591113-1 : CSRF injection leading to blank page

Component: Application Security Manager

Symptoms:
When CSRF JS is injected, a blank page is seen.

Conditions:
When CSRF JS is injected.
This page has lots of iframes with the query parameters.

Impact:
Viewing the site causes some pages to show up blank.

Workaround:
Bypassing or disabling ASM for URL /apps/consumer/ITS/its_Lite/UpperFrame_Lite.jsp appears to fix the issue.


591104-2 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configs when ASE OSPF debugging enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.


590904-6 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.


590851-3 : "never log" IPs are still reported to AVR

Component: Application Security Manager

Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag

Conditions:
Always

Impact:
Extra, unwanted logging for IP addresses flagged as "never log"

Workaround:
N/A


590805-2 : Active Rules page displays a different time zone.

Component: Advanced Firewall Manager

Symptoms:
Active Rules page displays a different time zone.

Conditions:
When Active Rules page is loaded after the BIG-IP system timezone has changed.

Impact:
GUI shows incorrect timezone.

Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.


590091-2 : Single-line Via headers separated by single comma result in first character second header being stripped.

Component: Service Provider

Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').

Conditions:
Multiple Via headers on single-line separated by a single comma (',').

Impact:
Leading character of 2nd Via header will be stripped e.g. 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.

Workaround:
None.
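The following added example (not F5 code and not part of this document) shows the behaviour the fix restores: removing the topmost Via from a single-line, comma-separated Via header must leave the second value intact, so 'SIP/2.0/TCP' is not turned into 'IP/2.0/TCP'. The SIP response is constructed sample data, and `split_header_values` and `remove_first_via` are names chosen for this example; the splitter also respects quoted strings and angle brackets, which goes beyond the plain case in the text.

```python
# Constructed SIP response with two Via values on one line, separated by a comma.
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP 10.0.0.1:5060;branch=z9hG4bK-constructed-1, "
    "SIP/2.0/TCP 10.0.0.2:5060;branch=z9hG4bK-constructed-2\r\n"
    "Call-ID: constructed-call-id@example.invalid\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def split_header_values(value: str) -> list:
    """Split a comma-separated SIP header value into its elements.

    Commas inside quoted strings or inside <...> are not separators, so a
    display name such as "Doe, Jane" or a URI with a comma stays whole.
    Each element is stripped of surrounding whitespace only; its first
    character is never consumed.
    """
    parts, buf, quoted, depth = [], [], False, 0
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "<" and not quoted:
            depth += 1
        elif ch == ">" and not quoted and depth:
            depth -= 1
        if ch == "," and not quoted and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def remove_first_via(message: str) -> str:
    """Remove the topmost Via value from a SIP message.

    Only the first Via header line is touched. If that line carries several
    comma-separated values, the first is dropped and the rest are re-joined;
    if it carries a single value, the whole header line is removed.
    """
    out, removed = [], False
    for line in message.split("\r\n"):
        name, sep, value = line.partition(":")
        if not removed and sep and name.strip().lower() in ("via", "v"):
            vias = split_header_values(value)
            removed = True
            if len(vias) > 1:
                out.append(f"{name}: {', '.join(vias[1:])}")
            continue
        out.append(line)
    return "\r\n".join(out)


if __name__ == "__main__":
    print(remove_first_via(SAMPLE_RESPONSE))
```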


589606-1 : CSRF enabled within iframe request causes to unpredictable behavior on a website.

Component: Application Security Manager

Symptoms:
The CSRF script changes the frame/iframe source attribute. When that happens the browser issues a request, so for each frame on a page two requests are sent: the first is the original request when the frame is loaded, and the second is sent when the CSRF script changes the frame source attribute.

Conditions:
Enable ASM CSRF
Request a page with an iframe or frameset

Impact:
Viewing the site causes some pages to show up blank.

Workaround:
Bypassing or disabling ASM for URL appears to fix the issue.


589400-2 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.


589256-2 : DNSSEC NSEC3 records with different type bitmap for same name.

Component: Global Traffic Manager

Symptoms:
For a delegation from a secure zone to an insecure zone, BIG-IP returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, our DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND if selected as fallback. Without ZSK/KSK for an insecure child zone, BIND responds SOA which we dynamically sign.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.


589223-2 : TMM crash and core dump when processing SSL protocol alert.

Component: Local Traffic Manager

Symptoms:
TMM crash and core dump when processing SSL protocol alert.

Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


589083-1 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.


588959-1 : Standby box may crash or behave abnormally

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit

Conditions:
The conditions that cause this are not known; it has been seen very rarely.

Impact:
Tmm on the standby device crashes. Memory utilization before the crash can appear to be unusually high.


588879-1 : apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond

Component: Performance

Symptoms:
APM crashes during periods of high Active Directory lookups.

Conditions:
APM configured to use ldap. This was seen during stress testing of AD queries.

Impact:
APM crashes, clients unable to connect


588686-3 : High-speed logging to remote logging node stops sending logs after all logging nodes go down

Component: Access Policy Manager

Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stop.

Conditions:
This occurs when all of the configured logging nodes go down. Even when they are brought back up, tmm will not send logs to the remote servers.

Impact:
Remote logging stops and will only resume if tmm is restarted.


588456-2 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to the DHCP relay agent IP address, the DHCP server sends the ACK for the renewal packet to the relay agent IP (giaddr) instead of ciaddr. The BIG-IP DHCP module does not process the ACK and update the lease time, which causes the PEM subscriber session to be aged out.

Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically, it is set to 0 by the DHCP client)

Impact:
PEM Subscriber Session will age out


588442-2 : TMM can core in a specific set of conditions.

Component: Local Traffic Manager

Symptoms:
TMM can core and assert: 'ifc not set'.

Conditions:
This occurs under the following conditions:
  - A unit with license that ratelimits throughput performance to something other than max or 1.
  - One or more virtual IP addresses configured with DNS profiles with rapid-response enabled.
  - Something causing the listener to be disabled or a listener to not be found.
  - A DNS request sent to the disabled listener.

Impact:
TMM might core and assert: 'ifc not set'.

Workaround:
None.


588351-1 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.


588289-3 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager

Symptoms:
GTM re-orders, including the "0" order when adding the pool with specific order designation.

Conditions:
This occurs when adding pools with a specified order.

Impact:
This changes the pool order unexpectedly which will affect Load balancing using global-availability.


588140-1 : Pool licensing fails in some KVM/OpenStack environments

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.


588115-2 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.

Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.


588089-2 : SSL resumed connections may fail during mirroring

Component: Local Traffic Manager

Symptoms:
SSL resumed connections when using SSL mirroring may fail during mirroring. This could result in SSL connections being unable to recover after failover.

Conditions:
Mirroring enabled on virtual with an associated client-ssl profile.

Impact:
SSL connections unable to recover after failover.

Workaround:
Disable session cache to prevent connections from resuming.


587705-4 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.


587668-2 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.

Component: TMOS

Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.

Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.

Impact:
Cannot clear the alert using the LCD.

Workaround:
Press the checkmark button followed by the left or right arrow buttons.


587629-1 : IP exceptions may have issues with route domain

Component: Application Security Manager

Symptoms:
The IP exception feature doesn't work as expected.

Conditions:
The same IP address is defined many times, each with a different route domain.
There were config changes to these IPs regarding their exception properties.

Impact:
An ignored IP is not ignored etc.

Workaround:
bigstart restart asm


587617-2 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager

Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.

Conditions:
The GTM server object is not configured with an existing self IP.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existent selfip. For more information, see SOL15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15671.html


586878-3 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have a cert-key-chain name but still no cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
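A pre-upgrade check for the condition described above, added here as an example and not F5's own tooling: it parses bigip.conf-style client-ssl stanzas like the two shown and reports profiles with no usable cert/key pair. The sample configuration is constructed, and treating `inherit-certkeychain true` as acceptable is an assumption, not something the text states.

```python
"""Pre-upgrade check for client-ssl profiles with no usable cert/key pair.
Added example, not F5 tooling: parses bigip.conf-style stanzas like those shown
above and flags profiles the 11.5.4 / 11.6.x / 12.1.0+ validation would reject."""
import re

# Constructed sample (not from a real device): the two broken shapes from the
# text, one profile with a real pair, and one inheriting its chain from the parent.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    cert none
    cert-key-chain {
        "" { }
    }
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_default_chain {
    cert none
    cert-key-chain {
        default { }
    }
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_ok {
    cert /Common/app.crt
    cert-key-chain {
        app {
            cert /Common/app.crt
            key /Common/app.key
        }
    }
    inherit-certkeychain false
    key /Common/app.key
}
ltm profile client-ssl /Common/cssl_inherit {
    defaults-from /Common/clientssl
    inherit-certkeychain true
}
"""

_EMPTY_BLOCK = re.compile(r'^(.*?)\s*\{\s*\}$')  # e.g. '"" { }' or 'default { }'


def parse_block(lines, i=0):
    """Parse tmsh-style 'key value' / 'name { ... }' lines into a nested dict.
    Returns (block, next_line_index); nested blocks become dicts, scalars strings."""
    block = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if line == "}":                         # end of the current block
            break
        m = _EMPTY_BLOCK.match(line)
        if m:                                   # empty nested block on one line
            block[m.group(1).strip('"')] = {}
            continue
        if line.endswith("{"):                  # start of a multi-line nested block
            block[line[:-1].strip().strip('"')], i = parse_block(lines, i)
            continue
        key, _, value = line.partition(" ")
        block[key] = value.strip() or None
    return block, i


def _is_set(value):
    """A cert/key setting only counts when present and not 'none'."""
    return value is not None and value != "none"


def has_usable_pair(profile):
    """True when the profile carries a cert/key pair the loader will accept.
    Assumption (not stated on the page): inherit-certkeychain true is fine,
    because the pair then comes from the parent profile."""
    if profile.get("inherit-certkeychain") == "true":
        return True
    if _is_set(profile.get("cert")) and _is_set(profile.get("key")):
        return True
    chains = profile.get("cert-key-chain")
    if isinstance(chains, dict):
        for entry in chains.values():
            if isinstance(entry, dict) and _is_set(entry.get("cert")) and _is_set(entry.get("key")):
                return True
    return False


def find_invalid_clientssl(conf_text):
    """Names of client-ssl profiles that would fail to load after upgrade."""
    top, _ = parse_block(conf_text.splitlines())
    return [stanza.split()[-1]
            for stanza, body in top.items()
            if stanza.startswith("ltm profile client-ssl ")
            and isinstance(body, dict) and not has_usable_pair(body)]
```

Run `find_invalid_clientssl` over the text of /config/bigip.conf to list the profiles to remove before the upgrade; it does not modify the file.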


586621-4 : SQL monitors 'count' config value does not work as expected.

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.


586006-2 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certificate revocation checking fails.

Conditions:
Both of the following conditions trigger this problem:
1. A CRLDP agent is configured in the access policy without a server hostname and port, which are needed for DirName type processing, AND
2. At least one DirName type CRLDP is present in the client certificate, and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certificate authentication is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585833 : Qkview will abort if /shared partition has less than 2GB free space

Component: TMOS

Symptoms:
To prompt the user to clean up the /shared partition, qkview was checking for at least 2GB of free space before running. This is not a hard requirement: building a qkview can use much less than 2GB. Additionally, some F5 VE systems ship with less than 2GB in /shared, so qkviews cannot be produced on them.

Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.

Impact:
User is unable to create a qkview despite having enough room to build one.

Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14952.html for detailed instructions on resizing volumes.


585562-2 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari

Component: Access Policy Manager

Symptoms:
When using Google Chrome or Safari (WebKit-based) browsers to launch the VMware View HTML5 client for Horizon 7 from the APM webtop, the attempt fails with a blank screen in place of the remote desktop session.

Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.

Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.

Workaround:
Apply the following iRule to the virtual server:

when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
    if { [ HTTP::method ] == "POST" && [ HTTP::uri ] == "/broker/xml" } {
        set BROKER_REQUEST 1
        HTTP::collect [HTTP::header Content-Length]
    }
}

when HTTP_REQUEST_DATA {
    if { [ info exists BROKER_REQUEST ] && [ regexp {<have-authentication-types[ \t\r\n]*>[ \t\r\n]*<name[ \t\r\n]*>[ \t\r\n]*saml[ \t\r\n]*</name>[ \t\r\n]*</have-authentication-types>} [HTTP::payload] ] } {
        HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8"?><broker version="11.0"><set-locale><result>ok</result></set-locale><configuration><result>ok</result><broker-guid>1</broker-guid><authentication><screen><name>saml</name><params></params></screen></authentication></configuration></broker>} Content-Type text/xml
    }
}

when HTTP_RESPONSE {
    if { ! [ IP::addr [ IP::remote_addr ] equals 127.0.0.0/8 ] } { return }
    set BROKER_RESPONSE 1
    set content_length 0
    if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
        set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length 1048576
    }
    # Check if $content_length is not set to 0
    if { $content_length > 0} {
      HTTP::collect $content_length
    }
}

when HTTP_RESPONSE_DATA {
    if { ! [ info exists BROKER_REQUEST ] || ! [ info exists BROKER_RESPONSE ] } { return }
    regsub "<broker version=\"9.0\">" [HTTP::payload] "<broker version=\"11.0\">" payload
    HTTP::payload replace 0 [HTTP::payload length] $payload
    HTTP::release
}


585485-1 : Interoperability with "delete IPSEC-SA" between Azure, ASA and BIG-IP

Component: TMOS

Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.

The BIG-IP system sends, and expects to receive, delete messages that carry both SPIs.

Conditions:
An IPsec tunnel between a BIG-IP system and certain other vendors' implementations may experience this. Azure and Cisco ASA are two such peers.

Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.

Workaround:
Delete the outbound SA from the BIG-IP system using the tmsh command, specifying the related SA:

(tmos)# delete net ipsec ipsec-sa ?
Properties:
  "{" Optional delimiter
  dst-addr Specifies the destination address of the security associations
  spi Specifies the SPI of the security associations
  src-addr Specifies the source address of the security associations
  traffic-selector Specifies the name of the traffic selector


585412-3 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A non-TLS client connection that sends a DATA section containing a text line longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset cause of 'Out of memory', and the email is not delivered.

Workaround:
None.


585352-1 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI

Component: Application Security Manager

Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the selfLink in the iControl REST API.

Conditions:
Update brute force settings in GUI

Impact:
The unique part of the record (rest_uuid) is updated, so the existing selfLink no longer resolves.

Workaround:
Update brute force settings using the REST API


584948-2 : Safenet HSM integration failing after it completes.

Component: Local Traffic Manager

Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:

denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.

Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.

The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly inserted secondary blade) and csyncd together set incorrect permissions on the secondary blade when symlinks are present. As a result, the Safenet HSM integration fails after the sync completes, until the user corrects the permissions.

Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.

Workaround:
Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly.

For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.


584623-1 : Response to -list iRules command gets truncated when dealing with MX type wide IP

Component: Global Traffic Manager

Symptoms:
GTM iRule "members" with the "-list" flag will truncate MX-type WideIP pool members when printed out to a log.

Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.

Impact:
WideIP MX-type pool members are truncated in the log.

Workaround:
None


584603 : TMSH allows readdition of a device already in the trust

Component: TMOS

Symptoms:
A device that is already in the device trust can be re-added by repeating the TMSH command. This can be a 'back door' way to rename the device in the trust and may cause errors in the trust if the rename assigns a duplicate name.

Conditions:
Use of the TMSH command 'modify cm trust-domain' to rename a device already in the trust.

Impact:
Can disrupt connections in the trust over which configuration is synchronized.

Workaround:
Don't use the 'modify cm trust-domain' command as a way to rename the device. To rename a device, use the 'mv cm device' command.


584583-4 : Timeout error when attempting to retrieve large dataset.

Component: TMOS

Symptoms:
The Rest API can timeout when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API looks like "errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET "

Conditions:
Configuration containing a large number of GTM pools and pool members (thousands).

Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.


584310-3 : TCP::collect ignores the 'skip' parameter when used in serverside events

Component: Local Traffic Manager

Symptoms:
When TCP::collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start of the stream.

Conditions:
TCP::collect on server-side events such as SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that has been observed only with IIS servers.

Impact:
TCP::collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.

Workaround:
None.


584103-1 : FPS periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.

Conditions:
FPS is not provisioned.

Impact:
Errors appear in the FPS logs.


584029-3 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
tmm cores due to an assertion failure.

Conditions:
tmm offloads a fragmented packet via the ffwd path.

Impact:
Traffic disrupted while tmm restarts.


583957-5 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.


583936-4 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.


583754-6 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to customer confusion.

Workaround:
N/A


583686-1 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import

Component: Application Security Manager

Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.

Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.

Impact:
Unable to view or edit the policy, and the 'Illegal meta character in value' violation is triggered.


583516-1 : tmm asserts "valid node" on Active after a timer fires.

Component: TMOS

Symptoms:
TMM crashes on the assertion "valid node".

Conditions:
The cause is unknown, and this happens rarely.

Impact:
tmm crashes.

Workaround:
None.


583285-1 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.


583010-3 : Sending a SIP invite with "tel" URI fails with a reset

Component: Service Provider

Symptoms:
Using an "INVITE tel:" URI results in a SIP error (Illegal value).

Conditions:
Sending a SIP "INVITE tel:" to BIG-IP does not work.

Impact:
"INVITE tel:" messages are not accepted by BIG-IP.

Workaround:
None


582683-4 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML profile, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A


582487 : 'merged.method' set to 'slow_merge' does not update system stats

Component: Local Traffic Manager

Symptoms:
When the statistics DB variable 'merged.method' is set to 'slow_merge', system stats are not updated and remain at zero.

Conditions:
merged.method is set to slow_merge.

Impact:
System stats such as overall CPU usage remain at zero.

Workaround:
Set merged.method to fast_merge.


582440-3 : Linux client does not restore route to the default GW on Ubuntu 15.10

Component: Access Policy Manager

Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.

Conditions:
Ubuntu 15.0; a network access tunnel connects and then disconnects.

Impact:
User will not be able to reach internet after disconnecting from network access.

Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging and re-plugging the cable should solve the problem.


582234-1 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it.

Impact:
Monitoring does not resume when pool member is re-enabled via config merge.

Workaround:
You can re-enable monitoring by running the following commands:

tmsh save sys config
tmsh load sys config


582207-5 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.


582084-3 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When a BWC policy is created both in the global sync group and locally, the configuration reports an error.

Conditions:
A BWC policy is created both in the global sync group and locally.

Impact:
Configuration error; BWC policies are not synced because of the errors.

Workaround:
Ensure that BWC policy is in global sync only.


582029-2 : AVR might report incorrect statistics when used together with other modules.

Component: Application Visibility and Reporting

Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, AVR can get false readings of the activity and, as a result, report unexpectedly large numbers.

Conditions:
The AVR module is used together with other modules, and these modules affect the traffic flow.

Impact:
AVR reports incorrect statistics: unexpectedly large numbers.

Workaround:
None.


582003-1 : BD crash on startup or on XML configuration change

Component: Application Security Manager

Symptoms:
BD crashes.
An out-of-memory XML message appears in bd.log.
BD does not start up and keeps crashing on startup.

Conditions:
Many XML profiles and relatively large XML configuration.

Impact:
ASM down, machine is offline.

Workaround:
Increase the XML available memory.


581746-5 : MPTCP traffic handling may cause a BIG-IP outage

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP traffic is being handled by a virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a Virtual Server.

Impact:
A system outage may occur.

Workaround:
Do not enable MPTCP on any TCP profile.


580893-4 : Support for Single FQDN usage with Citrix Storefront Integration mode

Component: Access Policy Manager

Symptoms:
Adding a new login account in Citrix Receiver enumerates the applications and desktops successfully, but after logging off, attempts to reconnect to the same account start failing.

Conditions:
Citrix StoreFront integration mode with APM, using the same FQDN both for accessing StoreFront and for the APM virtual server.

Impact:
Clients are unable to connect.

Workaround:
No workaround other than using different FQDNs.


580602-2 : Configuration containing LTM nodes with IPv6 link-local addresses fail to load.

Component: TMOS

Symptoms:
As a result of a known issue a configuration containing LTM nodes with IPv6 link-local addresses may fail to load.

Conditions:
Attempt to load a configuration containing an LTM node with an IPv6 link-local address.

Impact:
Configuration fails to load.

Workaround:
Use IPv6 global addresses instead.


580303-4 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.


580225-2 : WEBSSO::select may crash tmm.

Component: Access Policy Manager

Symptoms:
The WEBSSO::select iRule command can cause TMM to crash if no arguments are passed in.

Conditions:
This occurs when the command is used with no arguments.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
See the following DevCentral page related to WEBSSO::select - https://devcentral.f5.com/wiki/irules.websso__select.ashx


580168-1 : Information missing from ASM event logs after a switchboot and switchboot back

Component: Application Security Manager

Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back

Conditions:
1. ASM is provisioned.
2. Event logs are available with violation details.
3. Install or upgrade to another volume and switchboot to it.
4. Wait for ASM to fully come up.
5. Switchboot back.
6. Event logs are still available, but the violation details are gone.

Impact:
Information missing from ASM event logs after a switchboot and switchboot back

Workaround:
N/A


579843-2 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair using dynamic routing.

Conditions:
-- Active/Standby HA pair set up.
-- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more virtual addresses.
-- The active unit goes through the following succession of failover states:
   Active->Offline->Online->Standby->Active

Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession mentioned above.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.


579760-1 : HSL::send may fail to resume after log server pool member goes down/up

Component: TMOS

Symptoms:
High speed logging: asymmetric bandwidth loss might result in no bandwidth tracking.

Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing. For a period of time after the logging node comes back up, logging events will fail to be sent. Sometimes it never recovers and tmm needs to be restarted.

Impact:
While this condition occurs, HSL::send events will not be sent to the log server.

Workaround:
If possible, configure log server pools with multiple members to avoid this condition.


579694-1 : Monitors may create invalid configuration files

Component: TMOS

Symptoms:
Under certain conditions monitors created or edited in the GUI may save an invalid configuration to disk, causing errors when the configuration is reloaded.

Conditions:
Using the GUI to create/edit monitors.

Impact:
tmsh load sys config will fail.

Workaround:
Use tmsh to create or edit monitors.
If your configuration file already contains an offending backslash, manually remove the backslash.


579524-3 : DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'

Component: Application Security Manager

Symptoms:
Policy import via iControl REST in an HA pair occasionally fails on the Standby device with: DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'

Conditions:
Active/Standby pair configured
ASM provisioned
Import a security policy, via iControl REST

Impact:
Policy import fails

Workaround:
n/a


579371-3 : BigIP may generate ARPs after transition to standby

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby

Conditions:
HA pair with a vlangroup with bridge-in-standby disabled
ARP is received just before transition to standby

Impact:
Unexpected ARP requests that may result in packet loops


579049-2 : TMM core due to wrong assert

Component: Application Visibility and Reporting

Symptoms:
Under stress traffic, TMM may core with a backtrace similar to the following:
frame 3:
in *__GI___assert_fail
frame 4:
.... avr_alloc_segmempool_with_id .. mempool.c:278

Conditions:
AVR is provisioned and collecting statistics.

Impact:
TMM may core.


578564-2 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response

Component: Service Provider

Symptoms:
Connection aborted with RST "ADAPT unexpected state transition (old_state 22 event 7)"

Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.

Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.


578353-2 : Statistics data aggregation process is not optimized

Component: Application Visibility and Reporting

Symptoms:
CPU spikes may occur every 5 minutes

Conditions:
Occurs all the time

Impact:
High CPU usage may be observed every 5 minutes

Workaround:
For versions based on 11.5.4 and 11.6.0 take the following steps:

1. Edit the entry 'AggregationMode' under the /etc/avr/monpd/monpd.cfg file and set it to be 'low' instead of 'medium' or 'high'.

2. Restart monpd afterwards.

For 12.0.0 and on:
tmsh modify sys db avr.stats.aggregation value low


578334-1 : Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy.

Component: Application Security Manager

Symptoms:
These errors are visible in the ASM log:
--------------------
Mar 3 20:18:33 Bip_102 crit g_server.pl[29381]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ImportExportPolicy::Base::fatal_error): no such file '/ts/var/sync/admin~t6jsI8OQtyjKrbs2Djpjng'
Mar 3 20:18:33 Bip_102 info perl[29340]: 01310053:6: ASMConfig change: Import Policy Task Import Policy Task (1457029113.860000) [update]: Status was set to FAILURE. End Time was set to 1457029114. Message was set to Exported policy file not found!.. { audit: username = admin, client IP = 172.18.185.226 }
--------------------

The policy created on the peer device is a stub - default policy.

Conditions:
ASM provisioned
HA pair (CMI)
Policy Import (REST, inline XML import)

Impact:
Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy on the peer device.

Workaround:
n/a


578045-1 : The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks

Component: Local Traffic Manager

Symptoms:
The TMM crashes while resuming from an HTTP_PROXY_REQUEST event.

Conditions:
An HTTP_PROXY_REQUEST iRule event parks, and pipelined ingress occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't use parking iRule commands within the HTTP_PROXY_REQUEST event.

If a parking command must be used, the following may work:

Try using TCP::collect to disable ingress while a potentially parking iRule command executes. TCP::release can be used after the command completes to restore normal behavior.

Another workaround is to set max-requests to 1, which disables pipelining.


578036 : incorrect crontab can cause large number of email alerts

Component: TMOS

Symptoms:
There is an incorrect crontab entry in /etc/cron.usbflush for /sbin/lsusb

Conditions:
This occurs for the usbflush entry.

Impact:
usbflush does not run, alert email is generated once per minute.

Workaround:
Change /etc/cron.usbflush to use /usr/bin/lsusb.


577863-3 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after sometime

Component: Policy Enforcement Manager

Symptoms:
If the routing table on the DHCP server is misconfigured so that the server can send packets to the BIG-IP self IP (used by the BIG-IP DHCP relay) but not to the DHCP clients, a DHCP client does not receive a reply to its unicast request and starts broadcasting DHCP renewals. After a while, the BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients altogether.

Conditions:
The DHCP server's unicast reply is not received by the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP address as the source IP).

Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.

Workaround:
Fix the DHCP server routing table, so that DHCP server can deliver DHCP reply packet back to client successfully.


577814-5 : MCPd might leak memory in PEM stats queries.

Component: Policy Enforcement Manager

Symptoms:
System may be unresponsive or crash due to being out of memory.

Conditions:
Can occur when a PEM stats query is processed.

Impact:
System may be unresponsive or crash due to being out of memory.

Workaround:
None.


577683-2 : L4 connection mirroring may not re-mirror correctly after HA channel flap and failover.

Component: Local Traffic Manager

Symptoms:
As a result of a known issue connection mirroring for long lasting connections may not recover correctly after the HA mirroring channel flaps and a failover occurs.
The new standby unit after the failover may expire the flow after the idle timeout.

Conditions:
L4 connection mirroring with long-lasting connections that persist through the following sequence of events:
 -- A working HA channel flaps due to some event.
 -- After the HA channel recovers, the active unit fails over to standby without loss of the mirroring connection (for example, an administrative failover).

Impact:
The new standby unit may expire the pre-existing flow.


577664-3 : Policy import, to inactive policies list, results in different policies on the sync-failover peers

Component: Application Security Manager

Symptoms:
Having a standard Active/Standby setup, with a single Sync-Failover DG, Auto-Sync, with ASM enabled.
When importing an ASM policy (named "ddddd") into the inactive policies list, the following is displayed in the GUI at
"Security ›› Application Security : Security Policies : Inactive Policies":

On active device:
Security Policy Name - Version
ddddd - 2016-02-25 10:39:49
ddddd_2 - 2016-03-01 00:11:46

On standby device:
Security Policy Name - Version
ddddd - 2016-03-01 00:11:41
ddddd_2 - 2016-02-25 10:39:49

According to the "Version" field (time stamps), the "ddddd" on active is actually "ddddd_2" on standby and then the other two policies are not the same.

The group ends up with three different policies on the two devices.

Conditions:
Active/Standby pair
ASM provisioned
Import security policy to the inactive policies list

Impact:
Three different policies are created on the two devices.

Workaround:
n/a


577440-2 : audit logs may show connection to hagel.mnet

Component: TMOS

Symptoms:
An iControl host header is improperly formatted with the name hagal.mnet.

The request is properly delivered to the correct host but contains a badly addressed host header that is ignored.

If authorization fails for the iControl query, the audit log will contain this destination information, which may be confusing.

Conditions:
Setting up device trust exercises this code path.

Impact:
No impact to functionality but is confusing for log interpretation.

Workaround:
There is no workaround.


576897-1 : Using snat/snatpool in related-rule results in crash

Component: Local Traffic Manager

Symptoms:
TMM crash resulting in failover.

Conditions:
Using snat/snatpool command in related-rule.

Impact:
TMM crash resulting in failover.

Workaround:
Do not use snat/snatpool commands in related rule.


576591-5 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm, or Mask. The response contains a credit card number in specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern can be used for these cases, but it must be adjusted for each customer specifically.


576314-3 : SNMP traps for FIPS device fault inconsistent among versions.

Component: Local Traffic Manager

Symptoms:
The SNMP traps bigipFipsDeviceError and bigipFipsFault are inconsistent among versions.

Conditions:
This trap is raised if the FIPS device firmware has stopped responding to requests and is no longer functional. The trap is different on the BIG-IP 10350 FIPS platform.

Impact:
The meaning of the trap is that the system is not able to perform any FIPS operations and process FIPS related traffic. You will need to be mindful of which version you are on to interpret the OIDs correctly.


576305-4 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


576296-3 : MCPd might leak memory in SCTP profile stats query.

Component: Local Traffic Manager

Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Workaround:
None.


575919 : Running concurrent TMSH instances can result in error in access to history file

Component: TMOS

Symptoms:
TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file.

Conditions:
Running multiple instances can cause one instance of TMSH to lock the history file while the other is trying to access it, resulting in an error.

Impact:
Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued.

Workaround:
Only run a single instance of TMSH.


575735-3 : Potential MCPd leak in global CPU info stats code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying global CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575726-3 : MCPd might leak memory in vCMP interface stats.

Component: TMOS

Symptoms:
MCPd might leak memory in vCMP interface stats.

Conditions:
The memory leak occurs when viewing VCMP interface statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.

Workaround:
None.


575716-3 : MCPd might leak memory in VCMP base stats.

Component: TMOS

Symptoms:
MCPd might leak memory in VCMP base stats.

Conditions:
This occurs when looking at VCMP base statistics.

Impact:
Over time this might cause MCPd to run out of memory and core.

Workaround:
None.


575708-3 : MCPd might leak memory in CPU info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in CPU info stats.

Conditions:
In some cases, querying CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575671-3 : MCPd might leak memory in host info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in host info stats.

Conditions:
In some cases, querying host information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575660-3 : Potential MCPd leak in TMM rollup stats

Component: TMOS

Symptoms:
MCPd leaks memory so the amount of used memory will grow over time.

Conditions:
In rare cases, such as immediately after a reboot before system performance stats are populated, querying system performance stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575649-3 : MCPd might leak memory in IPFIX destination stats query

Component: TMOS

Symptoms:
MCPd might leak memory in IPFIX destination stats query.

Conditions:
In some cases, querying IPFIX destination stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575631-4 : Potential MCPd leak in WAM stats query code

Component: WebAccelerator

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying WAM stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575626-4 : Minor memory leak in DNS Express stats error conditions

Component: Local Traffic Manager

Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.

Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.

Impact:
Memory leaks might eventually lead to system reboots.

Workaround:
None.


575619-3 : Potential MCPd leak in pool member stats query code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying pool member stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575612-1 : Potential MCPd leak in policy action stats query code

Component: Local Traffic Manager

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying policy action stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575609-1 : Zlib accelerated compression can result in a dropped flow.

Component: Access Policy Manager

Symptoms:
Some compression requests fail when the estimated compression output block is too small. Such failures leave an error in the log similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.

Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.

Impact:
The flow that encounters the error is dropped.

Workaround:
Disable hardware accelerated compression.


575608-3 : MCPd might leak memory in virtual server stats query.

Component: TMOS

Symptoms:
MCPd might leak memory in virtual server stats query.

Conditions:
In some cases, querying virtual server stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575595-2 : Potential MCPd leak in eviction policy stats.

Component: TMOS

Symptoms:
The memory allocation for mcpd will grow by a small amount if eviction policy stats are queried. To begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An eviction policy is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.


575591-3 : Potential MCPd leak in IKE message stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE message stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575589-2 : Potential MCPd leak in IKE event stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE event stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575587-3 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575582-3 : MCPd might leak memory in FW network attack stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW network attack stats.

Conditions:
This occurs when looking at firewall network attack statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575571-3 : MCPd might leak memory in FW DOS SIP attack stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.

Conditions:
This occurs when looking at firewall DOS SIP stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575569-3 : MCPd might leak memory in FW DOS DNS stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS DNS stats query.

Conditions:
This occurs when looking at firewall DOS DNS statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575565-3 : MCPd might leak memory in FW policy rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW policy rule stats query.

Conditions:
This occurs when looking at firewall policy rule stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575564-3 : MCPd might leak memory in FW rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats query.

Conditions:
This occurs when looking at firewall rule statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575559-2 : MCPd might leak memory in FW rule user ID validation stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule user ID validation stats.

Conditions:
This occurs when querying for user ID validation stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575557-3 : MCPd might leak memory in FW rule stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats.

Conditions:
This occurs when looking at firewall rule statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575347-4 : Unexpected backslashes remain in monitor 'username' attribute after upgrade

Component: Local Traffic Manager

Symptoms:
The monitor 'username' attribute contains unexpected backslashes.

Conditions:
Upgrading from an earlier version with a configuration that contains a monitor 'username' attribute with at least one escaped backslash ('\\').

Impact:
Monitor probes contain excess backslashes which can lead to monitor failures.

Workaround:
Un-escape backslashes after upgrade by transforming '\\' sequences to '\'.


575321-3 : MCPd might leak memory in firewall stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in firewall stats.

Conditions:
This occurs when looking at firewall stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575170-4 : Analytics reports may not identify virtual servers correctly

Component: Application Visibility and Reporting

Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.

Conditions:
This occurs for virtual servers that are configured in one of these ways:

1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.

2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).

Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.

Workaround:
None.


575027-1 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.


575011-5 : Fix memory leak.

Component: Local Traffic Manager

Symptoms:
The system exhausts available memory due to a compression memory leak. Prior to running out of memory, it repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy value softwareonly


574451-1 : ASM chassis sync occasionally fails to load on secondary slot

Component: Application Security Manager

Symptoms:
ASM chassis sync occasionally fails to load on secondary slot when a new policy is created after a series of other configuration changes in quick succession.

Conditions:
A new policy is created after a series of other configuration changes in quick succession

Impact:
ASM chassis sync fails to load on secondary slot.

Workaround:
Make another system-wide configuration change, such as creating a user-defined signature, or wait until the hourly sync occurs.


574160-5 : Publishing DNS statistics if only Global Traffic and AVR are provisioned

Component: Application Visibility and Reporting

Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.

Conditions:
LTM is not provisioned.

Impact:
The DNS chart does not show statistics.


574153-1 : If an ssl client disconnects during the handshake, the SSL flow may stall.

Component: Local Traffic Manager

Symptoms:
If the TCP connection shuts down while SSL has offloaded a request to the Nitrox, the connection stalls until the flow expires. This can consume excessive memory, causing crashes elsewhere.

Conditions:
SSL must be configured on an interface, and a client must connect, begin the handshake, then disconnect while Nitrox requests are outstanding.

Impact:
Other parts of the TMM might crash causing service disruption.


574116-4 : MCP may crash when syncing configuration between device groups

Component: TMOS

Symptoms:
mcpd on the sync target crashes when syncing configuration.

Conditions:
This can occur when a local non-synced object references an object that is synced (such as a local-only virtual server referencing a synced iRule), and a non-synced object on the target machine happens to be referencing the same synced object. In this condition, mcpd could crash if objects in a sync group are deleted and synced.

Impact:
Outage due to mcp crash which causes tmm to restart.

Workaround:
When you have devices with local-only resources that are referencing objects contained in a sync/failover group, avoid deleting any objects (such as iRules) that might be referenced by other local-only resources on other devices. Instead of a "this object is in use" error, mcpd on the target machine will crash.


574113-1 : Block All - Session Tracking Status is not persisted across an auto-sync device group

Component: Application Security Manager

Symptoms:
Users, IP addresses, and Sessions that are meant to be blocked due to their traffic patterns, are not being synchronized to the peer device in an auto-sync device group with ASM sync enabled.

This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Conditions:
1) Devices are in an auto-sync device group with ASM sync enabled.
2) Session Tracking is enabled.

Impact:
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Workaround:
Force a full sync to propagate the session tracking information.


574045-4 : BGP may not accept attributes using extended length

Component: TMOS

Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.

Conditions:
Neighbor sends path attributes using extended length.

Impact:
The BGP adjacency will repeatedly bounce and the RIB will never converge.


573782 : csyncd may dump core when a VCMP guest is disabled and then restarted

Component: Local Traffic Manager

Symptoms:
csyncd may dump core.

Conditions:
This is rarely encountered; it happens when a vCMP guest is disabled and then restarted.

Impact:
This occurs at a non-critical time with no visible effects.

Workaround:
None.


573406-4 : ASU cannot be completed if license was last activated more than 18 months before

Component: Application Security Manager

Symptoms:
Attack Signature Update (ASU) cannot be completed if the license was last activated more than 18 months before.

Conditions:
The license was last activated more than 18 months before.

Impact:
Attack Signature Update (ASU) cannot be performed.

Workaround:
The license must be re-activated.


573366-3 : parking command used in the nesting script of clientside and serverside command can cause tmm core

Component: Local Traffic Manager

Symptoms:
tmm cores in configurations using certain iRules.

Conditions:
An iRule that parks the interpreter is used in the nesting script of the clientside and serverside commands (e.g., when doing a table lookup).

For more information on iRule commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing, https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside the nesting script.


573075-3 : ADAPT recursive loop when handling successive iRule events

Component: Service Provider

Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause "ADAPT unexpected state transition".
The adapt profile statistic "records adapted" reaches a very high number as it counts every attempt.

Conditions:
A requestadapt or responseadapt profile is configured.
An iRule is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event, that parks.
The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.

Impact:
The connection is aborted with RST cause "ADAPT unexpected state transition".
The statistic "records adapted" reaches a very high number.
Eventually the TMM crashes and the BIG-IP fails over.

Workaround:
If possible, arrange the iRules to avoid the conditions above.
In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.


572922-1 : Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.

Component: Application Security Manager

Symptoms:
The following error is produced in ASM log during upgrade:
-----------
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
-----------

Conditions:
ASM provisioned

Impact:
Different portions of the security policy may be incorrectly upgraded.

Workaround:
N/A


572788-1 : Dynamic routing does not function on interfaces with names longer than 15 characters.

Component: TMOS

Symptoms:
If a vlan, vlangroup, or tunnel has a name with more than 15 characters, dynamic routing does not function properly on that interface.

Conditions:
Dynamic routing in use, interface name greater than 15 characters.

Impact:
Dynamic routing functionality diminished.

Workaround:
Rename the interface using 15 or fewer characters.


572680-4 : Standby TMM might overflow send buffer if out of sync with Active TMM

Component: Local Traffic Manager

Symptoms:
Send buffer size is unlimited on a standby TMM. If sync is lost with the active TMM while a TCP client is advertising a zero receive buffer, the standby TMM might continue to use a zero send buffer indefinitely. This eventually leads to the send buffer overflowing on the standby TMM.

Conditions:
Standby TMM loses sync with active TMM while a TCP client's advertised receive window is zero.

Impact:
Standby TMM can accumulate too much data in the send buffer and overflow.

Workaround:
This issue is less likely with a low zero-window-timeout value in the TCP profile.


572255-1 : HA/DSC configuration requires communication on TCP port 443

Component: TMOS

Symptoms:
The configuration of HA/DSC is done over an iControl connection between two BIG-IP devices that is initiated by the devmgmtd daemon. The daemon is hard-coded to use port 443 for this communication.

Conditions:
Devices that do not have connections over port 443

Impact:
A device trust cannot be configured.

Workaround:
N/A


572224-1 : Buffer error due to RADIUS::avp command when vendor IDs do not match

Component: Service Provider

Symptoms:
Errors similar to the following in the ltm log:

err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within 'RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6'.

Conditions:
The issue happens when there is a RADIUS::avp command for a vendor specific AVP and there's a RADIUS request that contains a different vendor-id than what was specified in the iRule command.

Impact:
Customers are unable to use vendor-specific RADIUS AVP commands.

Workaround:
None.


572142 : Config sync peer may fail to monitor newly added pool member after it is added via sync

Component: Local Traffic Manager

Symptoms:
If a pool member in a sync group is removed and another member added and then synced to the peer, the monitor state on the peer may be erroneous.

Conditions:
2 or more devices in a device group
A pool member is deleted, and another is added, then a full config sync is performed

Impact:
Monitoring does not happen. If the pool member should be marked down by the monitor, it may indicate as being up. You may need to do a system restart to get monitoring to resume properly.


571573-1 : Persistence may override node/pmbr connection limit

Component: Local Traffic Manager

Symptoms:
In certain circumstances the BIG-IP may load balance connections to a node or pool member over the configured connection limit.

Conditions:
- Pool member or node configured with connection limit.
- L4 or L7 virtual server.
- Persistence configured on the Virtual Server.
- Very high load on unit.

Impact:
The BIG-IP may load balance connections to a node or pool member over the configured connection limit.

Workaround:
Remove persistence or use another method of limiting the connections (rate limiting or connection limit on the Virtual Server).


571556-1 : RBA may generate a core file when shutting down

Component: Access Policy Manager

Symptoms:
RBA core file is generated.

Conditions:
When RBA plugin is shutting down, which may be related to configuration changes, system instability, or Admin actions.

Impact:
No service impact, except that a core file is generated.

Workaround:
None


571344 : SSL Certificate with special characters might cause exception when GUI retrieves items list page.

Component: TMOS

Symptoms:
After upgrading, certain certificates cannot be viewed from the GUI. The catalina.out file may contain the signature MalformedByteSequenceException: Invalid byte 2 of 3-byte UTF-8 sequence.

iControl SOAP methods
====================
Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 will return an exception if returning a certificate with special characters.

Conditions:
SSL Certificate with special characters might cause exception when GUI retrieves items list page. This has been observed on upgrades to BIG-IP version 11.5.4 through 12.0.0.

Impact:
The GUI does not display the page containing certificate information. iControl SOAP cannot return a list of certificates if they contain information with special characters.

Workaround:
None.


571333-4 : fastL4 tcp handshake timeout not honored for offloaded flows

Component: TMOS

Symptoms:
When a VIP is configured with a fastl4 profile that enables full acceleration and offload state to embryonic, and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastl4 profile, but it should be set to the "tcp handshake timeout" instead.

Conditions:
1. Configure fastl4 profile with ePVA=full, offload state=SYN, apply to network VS
2. Ensure ARP entry exists for server node (static arp, ping, etc.) to satisfy requirements for offloading initial SYN
3. Send over SYN packet from client to server via VS

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the offload state to "established"


571246-1 : Enforcement Readiness Summary incorrect for Signatures

Component: Application Security Manager

Symptoms:
Staged Signatures are reported as ready to be enforced even when there are pending Traffic Learning Suggestions on them.

Conditions:
An Attack Signature has been in staging longer than the Enforcement Readiness Period, and a pending Traffic Learning Suggestion exists on it. (Violating traffic for that Signature was encountered).

Impact:
A user may remove a signature from staging mistakenly causing false positives to be blocked.

Workaround:
None


571183-1 : Bundle-certificates Not Accessible via iControl REST.

Component: Local Traffic Manager

Symptoms:
Bundle-certificates Not Accessible via iControl REST.

Conditions:
This occurs when using iControl REST to look at bundle certificates via /mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt/bundle-certificates

Impact:
Unable to get data from the command. In the case of BIG-IQ, BIG-IQ is unable to alert on certificates that are about to expire.

Workaround:
If you do not need to do it via iControl REST, you can view bundle certificates using the tmsh command tmsh list sys file ssl-cert ca-bundle.crt bundle-certificates


571019-1 : Topology records can be ordered incorrectly.

Component: TMOS

Symptoms:
Topology records can contain missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IPs in a sync group.

Conditions:
When adding or deleting topology records or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues, including differences in the ordering of topology records on BIG-IPs in a sync group.

Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IPs in a sync group.

Workaround:
None.


570881-2 : IPsec configuration mismatch in IKEv2 causes TMM crash in isakmp_parse_proposal ()

Component: TMOS

Symptoms:
TMM crashes (NULL pointer access).

Conditions:
IPsec configuration mismatch in IKEv2 (for initiator and responder)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a correct configuration.


570818-3 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Component: TMOS

Symptoms:
LTM IPsec IKEv2 does not support the dynamic remote-address CONFIG option, but it might still process that information when it is sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure to establish the IPsec SA.

Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.

Impact:
Failure in establishing IPsec SA.

Workaround:
None.


570663-1 : Using iControl get_certificate_bundle_v2 causes a memory leak

Component: TMOS

Symptoms:
Using iControl call get_certificate_bundle_v2() causes a memory leak. iControlPortal memory use grows unbounded every time the method is called.

Conditions:
This occurs anytime the method is invoked; BIG-IP devices managed by Enterprise Manager can be especially impacted.

Impact:
Eventually iControlPortal will run out of memory and crash.


570575-1 : RESOLV::lookup against a TCP virtual will cause tmm core

Component: Local Traffic Manager

Symptoms:
tmm cores when a RESOLV::lookup hits a TCP DNS listener.

Conditions:
RESOLV::lookup points to a TCP virtual.

Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.


570363-1 : Potential segfault when MRF messages cross from one TMM to another.

Component: Service Provider

Symptoms:
Potential segfault when Message Routing Framework (MRF) messages cross from one TMM to another.

Conditions:
This issue occurs when MRF messages travel from one TMM to another, and an asynchronous operation also occurs (like persistence).

Impact:
It is possible for the message object to be removed before the asynchronous operation completes. If this occurs, a segfault may occur and the system might restart.

Workaround:
None.


570058-1 : [IPsec] tmm crash 'invalid racoon2 block header prefix' at informational_initiator_transmit_post_process

Component: TMOS

Symptoms:
During IPsec configuration changes, an IKEv2 message may fail to be sent to the peer, and the packet memory could be released twice, which causes a segmentation fault crash in TMM.

Conditions:
IPsec configuration changes, and IKEv2 tries to send a message to the disconnected remote peer.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The situation is rare, and mostly caused by rapid IPsec configuration changes to traffic-selectors or ipsec-policies. Pacing the configuration changes apart in time will help avoid the situation.


570053-3 : HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Component: TMOS

Symptoms:
HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Conditions:
The issue is seen when all of the following conditions are met.
1. More than one certkeychain is configured in the clientSSL profile.
2. The content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }".
3. A config sync is performed in the HA setup.

Impact:
A missing certkeychain in a clientSSL profile can leave it unable to handle some kinds of SSL traffic. For example, if the clientSSL profile originally has an EC key/cert but loses it, it is no longer able to handle SSL connections using EC cipher suites.

Workaround:
Reconfigure the certkeychains, but avoid modifying their content.
1. On either BIG-IP, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration.
2. Config sync, so that both devices have only the RSA certkeychain.
3. On either BIG-IP, add certkeychains for the other types (EC or DSA) you need. You can "add" or "delete", but do not "modify" any existing certkeychain.
4. Config sync, so that both devices have the same certkeychains in the clientSSL profile.


569972-1 : Unable to create gtm topology records using iControl REST

Component: Global Traffic Manager

Symptoms:
The user is unable to create gtm topology records using iControl REST.

Conditions:
This occurs when a user issues an iControl REST POST command for a gtm topology record.

Impact:
The iControl REST POST command fails with the following error: 'Topologies must specify both regions: ldns: server:'.

Workaround:
Use TMSH, iControl SOAP, or the GUI to create gtm topology records.


569958-1 : Upgrade for application security anomalies

Component: Application Visibility and Reporting

Symptoms:
After upgrading to a newer version, old statistics for application security anomalies are not shown.

Conditions:
Upgrade from a BIG-IP version older than 12.1.0 to a newer version.

Impact:
Old statistics for application security anomalies are lost.


569718-1 : Traffic not sent to default pool after pool selection from rule

Component: Local Traffic Manager

Symptoms:
If you have an iRule configured to match a pattern in the HTTP::uri and send it to a non-default pool, subsequent requests in the HTTP keep-alive session will also be sent to the non-default pool even though they do not match the iRule.

Conditions:
This occurs after upgrading from 11.5.3 HF1 to 11.5.3 HF2.

Impact:
If the pool members are not configured to accept traffic that does not match the URI criteria, the server will not respond properly.


569642-5 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.

Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- Default route to the pool via an intermediate router.
- The active unit is handling traffic.
- The active unit fails over and loses its mirroring connection.
- The prior active unit comes back and the HA connection is reestablished.
- During the loss of HA and its recovery, the now-active unit loses its only route to the pool member.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not remove all routes to pool members. If this is needed, create backup routes prior to the deletion.


569521-3 : Invalid WideIP name without dots crashes gtmd.

Component: Global Traffic Manager

Symptoms:
If a user creates a WideIP or WideIP Alias with a name that does not contain a dot, gtmd crashes.

The symptom is a crash and core dump from gtmd.

Conditions:
This occurs when the following conditions are met:
-- FQDN validation is suppressed by the following setting: gtm global-settings general domain-name-check == 'none'.
-- User attempts to create a WideIP with a name that does not contain a dot.

Impact:
gtmd crashes and WideIPs do not function.

Workaround:
When creating a WideIP or WideIP Alias while FQDN validation has been disabled (by setting gtm global-settings general domain-name-check == 'none'), make sure that the WideIP or WideIP Alias name contains at least one dot, and follows these rules:
-- The name must not end with a dot.
-- The name must not begin with a dot, unless '.' is the entire name.
-- The name contains no consecutive dots.


569472-1 : TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled

Component: Global Traffic Manager

Symptoms:
tmm cores with sigsegv within lb_why_pmbr_str.

Conditions:
1. A GTM/BIG-IP DNS pool or pool member is disabled.
2. pool-member-selection is enabled for load-balancing-decision-log-verbosity.

Impact:
tmm cores.

Workaround:
Disable pool-member-selection for load-balancing-decision-log-verbosity.


569356-4 : BGP ECMP learned routes may use incorrect vlan for nexthop

Component: TMOS

Symptoms:
BGP with ECMP may result in learned routes using an incorrect next-hop VLAN if more than one VLAN is configured with global IPv6 addresses in the same route domain where the routing protocol is running.

Conditions:
A BIG-IP system with two or more VLANs configured with IPv6 global addresses, running BGP with ECMP and peered with an active IPv6 BGP neighbor. BGP is also configured with max-paths.

Impact:
The traffic randomly gets black-holed.


569349-1 : Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled

Component: Local Traffic Manager

Symptoms:
When the net cos (Class of Service) feature is enabled, the VLAN priority of CMP-redirected packets is not preserved from ingress to egress.

Conditions:
1. The net cos feature is enabled.
2. The packet is CMP-redirected from one TMM to another TMM for processing.

Impact:
Egress packets are not processed according to the ingress VLAN priority by the BIG-IP system and the downstream router. Certain packets are dropped by the downstream router due to the wrong VLAN priority marking.

Workaround:
None.


569337-3 : TCP events are logged twice in an HA setup

Component: Advanced Firewall Manager

Symptoms:
TCP log events are logged twice (if enabled in the security log profile) with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).

Conditions:
There is an HA setup (Active/Standby), or both client-side and server-side connection flows.

Impact:
TCP log events are logged twice (duplicate events from the active unit and the standby unit, or from both the client side and the server side of the connection flow).

Workaround:
N/A


569288-3 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to be unable to aggregate successfully with the peer switch.

Conditions:
This only happens on a chassis-based system when a race condition causes the trunk ID to be modified after initial trunk creation.

Impact:
Non-aggregated trunk members are unable to pass traffic.

Workaround:
Restart lacpd on all the blades in the chassis by running the command "clsh bigstart restart lacpd".


569280-3 : BIG-IP does not delete the SA on peer box after erase/modify ike-peer

Component: TMOS

Symptoms:
After an erase/modify ike-peer command, the phase 1/2 SA is deleted on one system, but is not deleted on the peer.

Conditions:
Run an erase/modify ike-peer command on one system in a peer configuration.

Impact:
Possible loss of connectivity (if the initiator has an SA but the receiver does not).

Workaround:
To work around this issue, delete the SA manually on the peer system.


569236-3 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the first part of a fix provided for this issue. See fixes for bug 569236 for the second part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP system is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there is a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.


568889-3 : Some ZebOS daemons do not start on blade transition secondary to primary.

Component: TMOS

Symptoms:
In some specific cases, the standby unit's secondary blade ZebOS daemons might not be started when it becomes active.

Conditions:
The failover occurs as a result of the primary blade's mcpd restarting.

Impact:
The new primary blade does not start some ZebOS daemons, resulting in OSPF not working as expected on the standby unit.

Workaround:
Run the following tmsh command on the new active unit: bigstart restart tmrouted.


568722-2 : Gy quota and end of session reporting does not work under certain conditions.

Component: Policy Enforcement Manager

Symptoms:
Gy quota and end-of-session reports are not sent for a session under certain conditions: classification is disabled on the virtual server that handles the session; classification is enabled but there are no actions or classification filters under the session's policy; or classification is enabled and there is no policy against the session.

Conditions:
1. Classification is disabled on the virtual server that handles the session.
2. Classification is enabled AND there are no actions or classification filters under the session's policy.
3. Classification is enabled AND there is no policy against the session.

Impact:
Gy quota and end-of-session reports are missing for the session.

Workaround:
To work around this for the first two conditions, disable the optimization that removes certain HUD nodes based on the policies or actions present.


568670-1 : ASM fails to start with error - Undefined subroutine &F5::CRC::get_crc32

Component: Application Security Manager

Symptoms:
ASM fails to start with the following error in ts_debug.log:

Undefined subroutine &F5::CRC::get_crc32 called at /usr/local/share/perl5/F5/RamCache.pm line 69

Conditions:
ASM is provisioned.

Impact:
ASM fails to start.

Workaround:
n/a


568347-1 : BD Memory corruption

Component: Application Security Manager

Symptoms:
An Enforcer crash occurs and UMU errors may appear in the bd.log file.

Conditions:
N/A

Impact:
Traffic is disrupted while the Enforcer comes back up.


568229-1 : [LTM][DNS] save-on-auto-sync with partitions fails for LTM DNS partition objects

Component: Local Traffic Manager

Symptoms:
Even though 'auto-sync enabled' and 'save-on-auto-sync true' are set on a device group that has a partition assigned to it, creating an LTM DNS object in the partition is successfully transmitted to the running configuration of the peer device, but is not written to bigip.conf.

Conditions:
1. auto-sync and save-on-auto-sync are enabled for the device group.
2. The device group has a partition assigned to it.
3. An LTM DNS object is created in the partition.

Impact:
Changes are not written to conf files as expected.

Workaround:
Save the configuration manually at regular intervals on the peer device.


568182-3 : IPsec does not send phase 2 delete.

Component: TMOS

Symptoms:
IPsec does not remove the IKE-SA when a traffic selector changes.
As a result, SA status is uneven between the IPsec devices, which can cause significant delays in communication.

Conditions:
Change the traffic selector on one device and force-delete the SA on the same device, but do not propagate the change to the other device.

Impact:
This might result in significant delays in communication.

Workaround:
Delete the SA manually.

Note: This workaround might not be possible.


568078-1 : HTTP Fallback may adversely impact other profiles

Component: Local Traffic Manager

Symptoms:
When HTTP enters Fallback mode, it may trigger aborts when it encounters unexpected events. Other profiles expect to be aborted once, not more than once. If enough unexpected conditions occur in the same flow, it is possible to confuse other filters below HTTP.

Conditions:
HTTP enters Fallback mode. Complex iRules or other profiles cause unexpected events to occur in the HTTP filter. These events cause more than one abort to be processed at the same time.

Impact:
Unknown


567836-1 : IPsec GUI 'General database error' setting KBLifetime to max value

Component: TMOS

Symptoms:
Using the GUI, setting the Network : IPsec : IPsec Policies : KBLifetime attribute of a policy might trigger a 'General database error' for any KBLifetime value from 2147483648 to 4294967295.

Conditions:
Using the GUI and setting KBLifetime values 2147483648 to 4294967295.

Impact:
Unable to set KBLifetime values 2147483648 to 4294967295 from the GUI.

Workaround:
Set the KBLifetime value using tmsh.


567167-1 : HTTP Fallback with complex iRules may cause the TMM to crash

Component: Local Traffic Manager

Symptoms:
When HTTP goes into fallback mode and multiple iRule events are running, it is possible that HTTP aborts due to unexpected state transitions. If more than one abort occurs for the same flow, TMM may crash.

Conditions:
HTTP Fallback is triggered, and outstanding iRules or other profiles cause unexpected conditions in the HTTP filter. The unexpected events happen more than once for a given flow.

Impact:
Traffic disrupted while tmm restarts.


567105 : LDAP attributes not fetched for Remote Role Group matching

Component: TMOS

Symptoms:
Remote role group matching does not function when used with LDAP authentication. Inspection of traffic to the LDAP server shows that attributes needed for matching are not fetched.

Conditions:
Remote authentication with LDAP, Cert-LDAP, or Active Directory is used, with a remote role group that relies on the 'memberOf' attribute or other LDAP attributes.

Impact:
Remote Role Group matching does not work as expected: less specific groups may match, or nothing may match, in which case the default remote role is used.

Workaround:
None.


566758-1 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.

Conditions:
Expiration period is omitted in hand-crafted XML policy file.

Impact:
The Login Page created as a result is inaccessible in GUI and REST.

Workaround:
Ensure that expiration period exists in XML policy file before import.


566576-1 : ICAP/OneConnect reuses connection while previous response is in progress

Component: Service Provider

Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.

Conditions:
There is a 'oneconnect' profile on the internal virtual server (IVS) along with the 'icap' profile.
The issue is triggered by a disconnection of the IVS by the parent HTTP virtual server before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.

Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.

Workaround:
Remove OneConnect.


566507-3 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.


566061-2 : Subscriber info missing in flow report after subscriber has been deleted

Component: Policy Enforcement Manager

Symptoms:
If a subscriber is deleted in the middle of one of its flows, the flow reports begin to report the subscriber ID as "unknown". It becomes difficult to map the flow to that specific subscriber.

Conditions:
Flow reporting is enabled for a subscriber, and the subscriber is deleted in the middle of a flow.

Impact:
If the customer relies on the subscriber ID to match flows, the flows reported with an unknown subscriber are missed.


565799-5 : CPU Usage increases when using masquerade addresses

Component: Local Traffic Manager

Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.

Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.

Impact:
Possible performance degradation or reduction in capacity.


565765-2 : Flow reporting does not occur for unclassified flows.

Component: Policy Enforcement Manager

Symptoms:
Flow reports are missing for some of the flows.

Conditions:
A flow reporting action has been configured with no classification filter. This was observed for flows that remained unclassified until the very end.

Impact:
If you are using flow reports to track the data usage of the subscriber, the usage will not be accurate.

Workaround:
None.


565621 : Adding an option to raise a violation due to proactive bot defense instead of resetting

Component: Advanced Firewall Manager

Symptoms:
When proactive bot defense aborts a connection, there is no indication in the ASM event logs. In addition, no blocking page is shown (since the connection is aborted).

Conditions:
Proactive bot defense aborts a connection.

Impact:
The transaction is reset without a blocking page.

Workaround:
N/A


565412-2 : AVR reports device-level mitigation as "Device Level" and not as "Aggregated"

Component: Application Visibility and Reporting

Symptoms:
When AVR gets a report on device-level mitigation, it reports it as "Aggregated" instead of "Device Level".

Conditions:
When AVR gets a report on device-level mitigation.

Impact:
The network reports are not clear or detailed enough.


565409-6 : Invalid MSS with HW syncookies and flow forwarding

Component: Local Traffic Manager

Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.

Conditions:
The conditions which cause this are not fully known.

Impact:
TMM core/reboot.

Workaround:
Disable HW syncookies or TSO.


565137-2 : Pool licensing fails in some KVM/OpenStack environments.

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation appears to succeed; however, the BIG-IP VE is not licensed.

Workaround:
There is no workaround.


565136-1 : Merged may core on startup of tmm/bcm56xxd due to temporarily invalid statistics

Component: TMOS

Symptoms:
Merged may core on startup of tmm and/or bcm56xxd due to temporarily invalid statistics published by those services.

Conditions:
The core is seen rarely on startup of tmm and/or bcm56xxd, which can happen during a system startup from an upgrade or reboot, execution of the 'bigstart restart' command, or a re-license event. The exact conditions that cause the core on startup of these services are unknown.

Impact:
There is no impact to the system or the statistics. The invalid statistics are cleaned up automatically, and merged recovers successfully on its own.

Workaround:
No mitigation is required, as the system recovers automatically.


564324-1 : ASM scripts can break applications

Component: Application Security Manager

Symptoms:
ASM-originated scripts are injected into places where they are not supposed to be, causing the script not to work and/or the application to break.

Conditions:
ASM is in front of a single-page application, where injection is possible only for the main page.
ASM has the CSRF or web scraping feature enabled.

Impact:
The application malfunctions and shows JavaScript errors.

Workaround:
Turn off the relevant feature that causes the injection.


563933-1 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs

Component: Local Traffic Manager

Symptoms:
A and AAAA RRsets in the additional section are dropped.

Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.

Impact:
Failure to include the additional RRs results in additional lookups by the client; for a resolver, these could be glue records.

Workaround:
Set dns64-additional-section-rewrite to 'any'.


563760-1 : iControl call certificate_add_pem_to_bundle fails with the message that the certificate file already exists in the partition

Component: TMOS

Symptoms:
When certificate_add_pem_to_bundle() is called to add certificates to an existing certificate bundle, it fails, and ltm logs a message that the certificate file already exists in the partition.

The log signature looks as follows:
err mcpd[6590]: 01020066:3: The requested Certificate File (/Common/ca1.crt) already exists in partition Common.

The soap faultstring signature looks as follows:
<faultstring
        xsi:type="xsd:string">Exception caught in Management::urn:iControl:Management/KeyCertificate::certificate_add_pem_to_bundle()
Exception: Common::OperationFailed
        primary_error_code : 16908390 (0x01020066)
        secondary_error_code : 0
        error_string : Unknown error 16908390</faultstring>

Conditions:
This occurs when invoking certificate_add_pem_to_bundle using iControl.

Impact:
Unable to add a certificate to the bundle.


563064-6 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory

Component: TMOS

Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when the IPsec tunnel is removed.

Conditions:
Every time an IPsec tunnel is established and then removed, the allocated cipher memory is left in the system.

Impact:
TMM memory leaks slowly.


562959-5 : In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.

Component: TMOS

Symptoms:
In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.

Conditions:
This occurs when there is an issue processing a packet going through the IPsec tunnel.

Impact:
TMM restarts without a core due to an internal connection timeout.

Workaround:
None.


562644-5 : TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection

Component: WebAccelerator

Symptoms:
In rare conditions, when a client sends pipelined HTTP requests and AAM is configured, AAM may incorrectly process a subsequent request, resulting in a TMM crash.

Conditions:
AAM and ASM are licensed and provisioned.
An HTTP compression profile is configured on a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


562636-1 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.

Component: Access Policy Manager

Symptoms:
When certain end-user interface pages (e.g., a 401 response) are served by APM, they include a unique parameter in the URL. Because the unique parameter renders caching ineffective, the objects representing caches for these pages are leaked.

Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.

Impact:
A memory leak in the TMM.

Workaround:
None (when the triggering conditions are encountered).


562427-2 : Trust domain changes do not persist on reboot.

Component: TMOS

Symptoms:
Some earlier releases saved only the internal binary database for trust domain changes (generally, changes to device group objects and device objects), rather than saving the text-based authoritative configuration in '/config/bigip*.conf'.

Conditions:
This occurs when making changes to devices via the Device Management UI.

Impact:
Device Group configuration may not be correct after a reboot.

Workaround:
Explicitly run a command to save the configuration before rebooting devices.


561962-1 : The incorrect address is being logged in the 'postNATDestinationIPv4Address' field of NAT64 outbound IPFIX logs

Component: Carrier-Grade NAT

Symptoms:
In outbound NAT64 IPFIX logging messages, the subscriber's IPv4 address is logged instead of the destination's IPv4 address in the 'postNATDestinationIPv4Address' field.

Conditions:
The incorrect address appears in IPFIX NAT64 outbound logging messages when destination logging is enabled.

Impact:
The correct address is not logged for the 'postNATDestinationIPv4Address' field of NAT64 IPFIX outbound logging messages.

Workaround:
None.


561814-5 : TMM Core on Multi-Blade Chassis

Component: TMOS

Symptoms:
TMM core.

Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted, and where traffic is being cached by datastor.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


561595-3 : Guest user cannot see Event Correlation details

Component: Application Security Manager

Symptoms:
Guest user cannot see Event Correlation details.

Conditions:
Log in as Guest.

Impact:
Limited read access for guest users.

Workaround:
For guest users there is no workaround; if it is possible to log in as another user, then everything works.


561444-4 : LCD might display incorrect output.

Component: TMOS

Symptoms:
The LCD displays incorrect output due to garbled messages received from the LCD panel.

Conditions:
This occurs in various situations. Multiple messages sent to the LCD combined with user interaction on the LCD seem to reproduce the issue.

Impact:
LCD may display incorrect data.

Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.


561433-4 : TMM Packets can be dropped indiscriminately while under DOS attack

Component: Advanced Firewall Manager

Symptoms:
When a loaded TMM cannot consume packets fast enough, packets can be dropped while being DMAed from the hardware.

Conditions:
This can happen for a variety of reasons that cause TMM to be loaded.

Impact:
Packets will be dropped indiscriminately.

Workaround:
None.


561348-5 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
The krb5.conf file is not in sync across all blades.
This may cause a feature (Kerberos SSO / Kerberos Auth) not to work as expected.

Conditions:
When the administrator makes changes to the krb5.conf file manually, the configuration file is not synchronized to all blades, or is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.

Workaround:
Manually copy the krb5.conf file to all blades.


560685-2 : TMM may crash with 'tmsh show sys conn'.

Component: Local Traffic Manager

Symptoms:
Although unlikely, the 'tmsh show sys conn' command may cause the tmm process to crash when displaying connections.

Conditions:
Although the conditions under which this occurs are not well understood, this is a rarely occurring issue.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The only workaround is to not issue the command: tmsh show sys conn.


560683-2 : HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound()

Component: TMOS

Symptoms:
TMM crashes after a number of failovers (approximately two to four).

Conditions:
This occurs in a high availability (HA) configuration with IPSEC traffic and multiple failovers. This is an intermittent issue.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


560114-1 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When monpd is restarted, it starts printing non-stop error messages to the logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature: err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (possibly caused by /var/log being full).

Impact:
AVR statistics are lost.
The monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following commands:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd


560014 : Error written to monpd log if upgrade and there is traffic capture data in database

Component: Application Visibility and Reporting

Symptoms:
You will see this error in the monpd log if you upgrade while there is traffic capture data in the database:
... [DB::mysql_query_safe, query failed] Error (error number 1064) executing SQL string : CALL AddPartition('AVR_STAT_TRAFFIC_CAPTURE_T', NULL, NULL, 'T') Because : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'NULL' at line 1

Conditions:
Upgrading after collecting traffic capture data.

Impact:
No impact other than this error written to log.

Workaround:
You can safely ignore this error [related to AddPartition('AVR_STAT_TRAFFIC_CAPTURE_T ...].


559973-3 : Nitrox can hang on RSA verification

Component: Local Traffic Manager

Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip. Errors in the ltm log show: crit tmm[11041]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck

Conditions:
RSA verification with certain signatures.

Impact:
Nitrox crypto accelerator can hang.


559933-3 : TMM might leak memory on a vCMP guest in SSL forward proxy

Component: Local Traffic Manager

Symptoms:
In an SSL forward proxy configuration on a vCMP guest, TMM might slowly leak memory when subjected to SSL Hello messages containing a server name extension (SNI) that is not configured on the virtual server.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configuration.
-- SSL hello with SNI extension.

Impact:
TMM might leak memory.

Workaround:
None.


559584-3 : tmsh list/save configuration takes a long time when config contains nested objects.

Component: TMOS

Symptoms:
A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds.

Conditions:
Following is an example of nested objects in a config. If the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either of the following commands:
-- tmsh list ltm virtual
-- tmsh save config

ltm virtual vs {
    destination 10.10.10.10:http
    ip-protocol tcp
    mask 255.255.255.255
    profiles { ::: nested object
        http { }
        http_security { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 26
}

Impact:
When commands take longer than 30 seconds to complete, iControl REST times out.

Workaround:
None.


559541-1 : ICAP anti-virus tests are not initiated on XML with sensitive data when they should be

Component: Application Security Manager

Symptoms:
ICAP anti-virus tests are not performed on XML that contains sensitive data.

Conditions:
An ICAP profile and an XML profile are configured on the policy, and ICAP is configured to inspect the XML.
The XML profile has sensitive data configured.
The XML request contains sensitive data.
The expectation is that XML with sensitive data initiates ICAP tests.

Impact:
Virus tests are not performed on the request if the only reason to trigger ICAP inspection was the presence of sensitive XML data.


559382-2 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to the PCRF have the subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of NAI.

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.

Impact:
Might impact the way policies are provided from the PCRF.

Workaround:
None.


559080-4 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempting to delete the flows sets the idle time to zero, but does not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.


559060-2 : AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.

Component: Application Visibility and Reporting

Symptoms:
AVR presents incorrect data in the GUI statistics (for example, unexpected pool members with a hit count of 0).

Conditions:
Multiple BIG-IP systems are configured, one acting as the server for the other, and both have 'collect client latency' enabled.

Impact:
Invalid data is presented in the statistics.

Workaround:
Turn off 'collect client latency' in the AVR profile on the BIG-IP system that is acting as the server.


559034-2 : Mcpd core dump in the sync secondary during config sync

Component: TMOS

Symptoms:
mcpd will crash if certain files are missing from the file store during sync operations.

Conditions:
This can happen when files associated with file objects are removed from the file store. Users are not permitted to directly modify the contents of the file store.

Impact:
mcpd will crash.

Workaround:
Users are not permitted to directly modify the contents of the file store. Use tmsh or the Configuration Utility to manage BIG-IP objects such as certificates.


558779-7 : SNMP dot3 stats occasionally unavailable

Component: TMOS

Symptoms:
SNMP would not provide values for some dot3 stats.

Conditions:
Not conditional.

Impact:
SNMP would not provide values for some dot3 stats.

Workaround:
None


558534-1 : The TMM may crash if http url rewrite is used with APM

Component: Local Traffic Manager

Symptoms:
The HTTP URI rewrite feature depends on having a client-side connection to determine the IP address of that client. However, APM may use the HTTP filter without having a client-side connection. This can cause a TMM crash when the missing IP address is used by the HTTP URI rewrite feature.

Conditions:
APM combined with the HTTP URI rewrite feature. (This is different from the "rewrite" profile.)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the HTTP URI rewrite feature when using APM. An iRule may be used to safely implement its transformations.


557358-3 : TMM SIGSEGV and crash when memory allocation fails.

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV and crash when memory allocation fails.

Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.

Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.

Workaround:
None known at this time.


557155-6 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue was reproduced during a test that over-provisioned a 2-vCPU guest, and it is unlikely to happen in normal operation.

Workaround:
Try one of the following workarounds (the first is the most preferred, and so on):
1. Increase guest memory.
2. Significantly reduce the value in '/sys/module/unic/rx_queue_size'. For example, running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size
3. Set panic on OOM. Try this as the last option.
   sysctl vm.panic_on_oom=1


557144-4 : Dynamic route flapping may lead to tmm crash

Component: TMOS

Symptoms:
When dynamic routing is in use and routes are being actively added and removed, tmm may crash.

Conditions:
Virtual Server configured with Dynamic Routing

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


557062-1 : The BIG-IP ASM configuration fails to load after an upgrade.

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version (11.3 or 11.4) and upgrading to a version prior to 12.1.0.

Conditions:
Define a scheduled report with predefined-report-name '/Common/Top alerted URLs' on version 11.3 or 11.4, then upgrade the version.

Impact:
Version upgrade fails (the BIG-IP system becomes unusable).

Workaround:
Manually change predefined-report-name '/Common/Top alerted URLs' to predefined-report-name '/Common/Top alarmed URLs'.


556694-1 : DoS Whitelist IPv6 addresses may "overmatch"

Component: Advanced Firewall Manager

Symptoms:
When using the 8-entry "rich" DoS whitelist with IPv6 addresses, the hardware matches only 32 bits of an incoming IPv6 address against the whitelist entry. This means that if an incoming IPv6 address matches those 32 bits, the whitelist reports a "match", even if the other bits of the IPv6 address do not match.
Note that the configuration can select which set of bits to match against (there are 4 choices: 127:96, 95:64, 63:32, 31:0) via the db.tunable dos.wlipv6addrsel.
Also note that IPv4 matches are always exact and are not affected by this issue.

Conditions:
Occurs when the 8-entry AFM DoS Whitelist is used to match against IPv6 addresses.

Impact:
In some cases, the Whitelist may overmatch, meaning some IPv6 addresses will be considered whitelist matches, when they do not match the whitelist.


556568-3 : TMM can crash with ssl persistence and fragmented ssl records

Component: Local Traffic Manager

Symptoms:
Unusually fragmented SSL records may be handled incorrectly, resulting in a tmm crash.

Conditions:
SSL persistence and fragmented SSL records.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Possibly switch to a different persistence type.


556380-1 : mcpd can assert on active connection deletion

Component: TMOS

Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.

Conditions:
Removal of all peers while a connection is handling a transaction.

Impact:
MCPD asserts and restarts.

Workaround:
No workaround is necessary. MCPD restarts.


555983 : [Portal Access][sp 2013][office 2013] Cannot open Excel file from Office 2013 with Windows 10

Component: Access Policy Manager

Symptoms:
[Portal Access][sp 2013][office 2013] Cannot open Excel file from Office 2013 with Windows 10

Conditions:
Steps to Reproduce:

1) In SharePoint 2013, go to the "Document" tab.
2) Upload an Excel document.
3) Open the newly uploaded Excel file in the Excel application.
4) The open action fails with an access denied error.

Impact:
Portal Access users cannot open Excel files from Office 2013 on Windows 10.

Workaround:
There is no workaround at this time.


555905-2 : sod health logging inconsistent when device removed from failover group or device trust

Component: TMOS

Symptoms:
When a device is in a failover group, sod logs the state change messages indicating the reachability of other devices in the group. For example:

Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).
Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).
Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).

If a reachable device is removed from the failover group, no "Disconnected" message is issued, so the last reported status will be inaccurate.

When a device is part of a trust, sod logs messages indicating what unicast addresses it is monitoring on remote devices:

Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.

If devices are removed from the trust, sod does not log a message that those unicast addresses are no longer in use.

Conditions:
When a device is removed from a failover device group, or removed from a device trust.

Impact:
Inaccurate state reporting.


555444 : iControl REST API through tmsh mgmt module

Component: TMOS

Symptoms:
The introduction of the mgmt module, which allows access to REST framework resources, opened up two ways to do the same thing by also exposing the public modules registered by iControl REST.

Conditions:
This was introduced in version 12.0.

Impact:
Having two ways to do the same thing is confusing. iControl REST modules should not be exposed by the mgmt module, as they are already exposed directly in tmsh (ltm, gtm, apm, sys, cm, and so on).

Workaround:
None


555156-1 : Changing monitoring configuration stops health checks for FQDN nodes.

Component: Local Traffic Manager

Symptoms:
When changing the monitoring configuration, the health checks never resume for FQDN node types.

Conditions:
Create a custom monitor, apply it to an FQDN node type. Change the monitor configuration, and health checks never resume.

Impact:
No health checking (member status remains static, as it was prior to the change).
  - Traffic may be sent to unavailable pool members.

Workaround:
Restart bigd to force the change using the following command:

bigstart restart bigd


555039-3 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Component: TMOS

Symptoms:
There are high drop counts in the output of tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop.

Smaller buffering alpha values are configured for egress buffering to allow the 8 hardware CoS queue feature to correctly implement weight-based egress dropping. This results in busy ports dropping more aggressively, while allowing fairer buffering among multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that smaller values allow fairer buffering among multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.


554963 : Portal Access. When creating an item in SharePoint 2010 through Site Options, we go directly to the SharePoint

Component: Access Policy Manager

Symptoms:
Clients connected to SharePoint 2010 via the APM portal are unable to create items on the SharePoint site.

Conditions:
SharePoint URLs are not rewritten when new items are created in SharePoint 2010.

Steps to Reproduce:
1. Create a portal resource for SharePoint 2010 and assign it to a webtop.
2. Open the virtual server and go to the SharePoint 2010 site.
3. Click Site Actions (top left corner) -> More Options.
4. Select an item to create (for example, 'Picture library' or 'Calendar').
5. Enter a name in the text box (to the right).
6. Click the "Create" button.

Impact:
User can't create items using Site Options.

Workaround:
There is no workaround at this time.


554659 : Configurable maximum message size limit for restjavad

Component: Device Management

Symptoms:
If the client issues a request to iControl REST that results in a large amount of data (approx. 200 MB), restjavad goes into an out-of-memory condition when attempting to serialize the response prior to returning it to the client.

Conditions:
A message is received by restjavad that is larger than the total free heap space. The most common cause is that the system sends a board query to icrd, which returns a very large response (approx. 200 MB).

Impact:
restjavad becomes unresponsive until it is rebooted.

Workaround:
This fix exposes the maximum message size limit and allows a network operator to change it by posting to a new configuration worker. An example is included below. The actual value varies by installation (load, average message size, etc.). Set it too low and clients will receive 5xx errors even though there is sufficient memory. Set it too high and dangerously large messages are not dropped and might cause an out-of-memory exception. 5 MB is a recommended starting value.

An example of setting the maximum message body size to 5 kB (5000 bytes) on a machine called 'green'. The password needs to be changed appropriately.

curl -s -k -u admin:PASSWORD -H "Content-Type: application/json" -H 'Connection: keep-alive' -X PUT "https://green/mgmt/shared/server/messaging/settings/8100" -d '{"maxMessageBodySize": "5000" }'


554324-2 : Signatures cannot be updated after Signature Systems have become corrupted in database

Component: Application Security Manager

Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database.

Conditions:
Signature systems are corrupted in configuration database. This can occur after upgrading to 11.6.0 or 11.6.1.

Impact:
Signatures cannot be updated.

Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"


554123 : Sync to SharePoint workstation fails with "could not connect to server"

Component: Access Policy Manager

Symptoms:
Sync to SharePoint workstation fails with "could not connect to server".

Conditions:
Steps to Reproduce:

1) Log in to SharePoint 2013 via Portal Access.
2) Click the "SYNC" button to create a synchronized copy on your local workstation.
3) The sync fails with a "could not connect to server" error.

Impact:
Portal Access users cannot use the SharePoint 2013 Sync to workstation function.

Workaround:
There is no workaround at this time.


554094 : [OWA2013] Help doesn't open up

Component: Access Policy Manager

Symptoms:
[OWA2013] Help doesn't open up

Conditions:
Steps to Reproduce:

1) Create portal access for OWA 2013: connectivity profile, webtop, access profile, rewrite profile.
2) Create a virtual server that uses the above, with client and server SSL profiles.
3) Open OWA through the reverse proxy.
4) Try to open help.
5) It doesn't display.

Actual Results:
Help doesn't display

Impact:
Users are unable to use online help.

Workaround:
To fix this issue, set the HTTP profile's Maximum Header Count to 128, for example.


553795-5 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.

2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Delete the FIPS key by-handle on the peer system(s).

2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).


553776-1 : BGP may advertise default route with bad parameters

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
Dynamic routing using BGP configured, BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command: clear ip bgp <affected neighbor address>.


553741-2 : Restore WAM image optimization color profile handling

Component: WebAccelerator

Symptoms:
In version 12.0, a component of WAM's image optimization software was accidentally built without the color management library.

Conditions:
WAM image optimization enabled with format conversion or the jpeg option "apply color profile, then strip EXIF" enabled.

Impact:
The color profile would be removed but color values would not be adjusted accordingly. Depending on the color profile and the image, this may or may not result in visible differences.

Workaround:
Don't let WAM's image optimization convert image formats (including to browser-specific formats WebP and JPEGXR) and use "strip EXIF if safe" instead of "apply color profile, then strip EXIF".


553499-1 : PEM subscriber create iRule 'PEM::subscriber create' does not use subscriber-id-type correctly

Component: Policy Enforcement Manager

Symptoms:
The PEM::subscriber create iRule command accepts 'subscriber-id-type' as the keyword for specifying the subscriber type. However, this keyword does not work in iRule commands. When the 'subscriber-id-type' keyword is used, the iRule sometimes does not create the subscriber as expected.

Conditions:
Using the PEM::subscriber create iRule command and specifying the subscriber type with the 'subscriber-id-type' keyword, for example: PEM::subscriber create 2345678910 subscriber-id-type imsi ip-address 192.168.145.10

Impact:
Subscriber is not created as expected.

Workaround:
Instead of using 'subscriber-id-type' as the keyword in the command, use 'subscriber-type'. For example: PEM::subscriber create 2345678910 subscriber-type imsi ip-address 192.168.145.10


553446-1 : Interface bfd session does not appear in configuration file or in show running-config

Component: TMOS

Symptoms:
When a Bidirectional Forwarding Detection (BFD) session is configured for an interface, the bfd session command does not appear in show running-config or in the configuration file. However, running the show bfd session command shows that a session is configured.

Conditions:
Interface bfd session between two nodes.

Impact:
Cannot determine whether a bfd session is configured. Further, because it is not saved in the configuration file, the bfd session configuration is lost when the system restarts the protocol.

Workaround:
None.


553056-1 : Azure: boot diagnostics fills up the partition

Component: TMOS

Symptoms:
After deploying Virtual Edition in Azure Resource Manager, the root partition is full. Running tmsh commands always produces the error:

exception: (Can't update command history file (/home/f5_remoteuser/.tmsh-history-sfdc), No space left on device)

Conditions:
Deploying Virtual Edition in Azure with monitoring Diagnostics enabled.

Impact:
Root partition is full which can cause unpredictable and undefined behavior.

Workaround:
When deploying Virtual Edition using Azure Resource Manager, make sure that monitoring diagnostics is disabled.


552524 : Autoscaling of BIG-IP VE fails when multiple private IP addresses are attached to eth0.

Component: TMOS

Symptoms:
Autoscaling of BIG-IP VE is designed to work with a single NIC and a single IP address, as it works in tandem with AWS Elastic Load Balancer (ELB). Attaching multiple private IP addresses to eth0 breaks autoscaling of BIG-IP VE.

Conditions:
1. Create an AWS autoscale group and attach multiple private IP addresses to the instance that is started.
2. Configure autoscale on BIG-IP (add all the required configuration via tmsh, GUI, iApp, iCall, etc.).

Impact:
Auto-scaling of BIG-IP VE fails.

Workaround:
Remove the secondary private IP addresses from the interface in AWS and keep the instance with a single NIC and a single IP address.


552151-5 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected

Component: Local Traffic Manager

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts errors similar to the following in the ltm log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.

Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.

Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.

Workaround:
Disable compression if CPU usage is too high.


551454-1 : Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server

Component: Access Policy Manager

Symptoms:
The Edge client sends repeated HTTP probes to the captive portal probe URL for a misconfigured server. This has no functional impact on the end user.

Conditions:
The end user specifies an incorrect VPN server URL in the Edge client.

Impact:
None. This has no functional impact on end user.

Workaround:
Specify the correct server URL in the Edge client.


550739-1 : TMSH mv virtual command will cause iRules on the virtual to be dis-associated

Component: Local Traffic Manager

Symptoms:
After renaming a virtual server that has attached iRules, the resulting virtual server configuration in tmm no longer has the iRules attached. The configuration in mcpd does not match the running configuration in tmm.

Conditions:
Must use the 'mv' command on an ltm virtual with iRules.

Impact:
Configuration is not as expected.

Workaround:
After moving the virtual, remove the iRules on it and re-add them.


550694-1 : LCD display stops updating and Status LED turns/blinks Amber

Component: TMOS

Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.

Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer.
This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus becomes stalled.
Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition is greatly reduced, but may still occur under rare conditions.

Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.

Workaround:
This condition can be cleared by either of the following actions:
1. Press one of the buttons on the LCD display to navigate the LCD menus.
2. Issue the following command at the BIG-IP host console:
/sbin/lsusb -v -d 0451:3410

Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.


550669-2 : Monitors stop working - throttling monitor instance probe because file descriptor limit 65436 reached

Component: Local Traffic Manager

Symptoms:
Monitor checks stop working.

The ltm log file contains error messages similar to the following: 01060154:4: Bigd PID 7147, instance 0, throttling monitor instance probe because file descriptor limit 65436 reached.

Conditions:
A Tcl monitor must be configured, or monitor logging must be enabled.

Impact:
Monitoring stops working; pool members are marked down when they are not.

Workaround:
None.


550434-6 : Diameter connection may stall if server closes connection before CER/CEA handshake completes

Component: Service Provider

Symptoms:
Serverside connection stalls. Connection is not torn down and packets are not forwarded to serverside.

Conditions:
Selected pool member closes (via FIN) connection before sending CEA as part of Diameter handshake.

Impact:
Connection stalls until handshake timeout and then it is reset.

Workaround:
none


549868-5 : 10G interoperability issues reported following Cisco Nexus switch version upgrade.

Component: Local Traffic Manager

Symptoms:
10G link issues reported with VIPRION B2250, B4300 blades and BIG-IP 10x00 appliances connected to Cisco Nexus switches.

Conditions:
Issues reported after version upgrade on Cisco switch to version 7.0(5)N1(1).

Impact:
The links might not come up.

Workaround:
Toggling the SFP+ interfaces reportedly restores the link in most cases.


549782-2 : XFV driver can leak memory

Component: Local Traffic Manager

Symptoms:
When the interface goes down, memory is not correctly freed.

Conditions:
The leak happens when the interface goes down.

Impact:
Over a long enough period of time, the BIG-IP system can run out of memory and TMM needs to be restarted.

Workaround:
none


549543-1 : DSR rejects return traffic for monitoring the server

Component: TMOS

Symptoms:
The system DB variable 'tm.monitorencap' controls whether server monitor traffic is encapsulated inside the DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, but the return traffic arrives without the tunnel encapsulation. In that case, the return traffic is not mapped to the original monitor flow and is rejected/lost.

Conditions:
System DB variable 'tm.monitorencap' is set to 'enable', and DSR server pool is monitored.

Impact:
Monitor traffic gets lost, and server pool is marked down.

Workaround:
None.


549283-2 : Add a log message to indicate transition in the state of Gx and Gy sessions.

Component: Policy Enforcement Manager

Symptoms:
Without a state transition indicator, it is difficult to determine if the Gx and Gy session is active and UP on the BIG-IP device.

Conditions:
Gx or Gy state transitions need to occur.

Impact:
Difficult to identify and debug issues related to Gx and Gy state transitions.

Workaround:
None needed. This is an improvement.


549059-1 : HTTP Cookie Persistence corruption

Component: Local Traffic Manager

Symptoms:
Memory could be corrupted when HTTP cookie persistence is used.

Conditions:
HTTP cookie persistence is used.

Impact:
TMM instability or data corruption.


548385-2 : iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results

Component: TMOS

Symptoms:
If the active folder is not the same as the folder in which the query is being run, and the corresponding key/cert extension is not present in the name of the key/certificate file, the query returns incorrect results.

Conditions:
This occurs when iControl calls query a key/cert from a parent folder and the name is missing the extension.

Impact:
The query result returns incorrect results.

Workaround:
You can use one of the following workarounds:
-- Change the filename to include the extension.
-- Change to the folder containing the iControl call you are executing.


548175-1 : Idle timeout may be tcp handshake timeout on CMP demoted Fast L4 virtual servers.

Component: TMOS

Symptoms:
In certain circumstances, CMP demoted Fast L4 virtual servers may intermittently and incorrectly use the tcp handshake timeout instead of the configured idle timeout.

Conditions:
- CMP demoted Fast L4 virtual servers.

Impact:
Connections may be reset earlier or closed at an unexpected time.

Workaround:
Ensure that the virtual server is not CMP demoted. To do so, do one of the following:
-- CMP-enable the virtual server.
-- Ensure that any iRules that CMP-demote the virtual server are corrected. See SOL13033: Constructing CMP-compatible iRules at https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13033.html


547732-2 : TMM may core on using SSL::disable on an already established serverside connection

Component: Local Traffic Manager

Symptoms:
TMM process may crash if the SSL::disable iRule command is used on a serverside with a connection that has already established SSL.

Conditions:
Use of the 'SSL::disable serverside' iRule command on a serverside connection that has already established SSL.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use SSL::disable on an event where the serverside SSL connection is already established.


547550-2 : avrd reports incorrect stat values

Component: Advanced Firewall Manager

Symptoms:
AVR uses some uint32 counters for DoS statistics, both in hardware and in software, and these counters overflow over time.

Conditions:
When the system is running under heavy DoS traffic for a few hours, the DoS counters can overflow.

Impact:
Only some DoS statistics are affected; functionally, everything works without issue.

Workaround:
None.


546760-1 : snmpd will crash when performing snmp query on ifXTable of ifMIB.

Component: TMOS

Symptoms:
snmpd will crash when performing snmp query on ifXTable of ifMIB.

Conditions:
Perform snmp query on ifXTable of ifMIB.

Impact:
snmpd crashes.

Workaround:
When problem occurs, snmpd automatically restarts.


546145-3 : Creating local user for previously remote user results in incomplete user definition.

Component: TMOS

Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.

Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.

Impact:
User cannot authenticate. User name does not appear in User List.

Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.


546085-1 : On shutdown, SOD and other daemons very infrequently core due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Conditions:
System shutdown. Unable to reproduce the issue reliably, so the conditions for the crash are unknown.

Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.

Workaround:
None.


545986-2 : dnatutil aborts when encountering parse errors

Component: Carrier-Grade NAT

Symptoms:
dnatutil aborts further processing of logs when it encounters a recoverable parse error.

Conditions:
Using dnatutil on log entries that resemble parseable logs but that dnatutil fails to process.

Impact:
dnatutil stops processing the remaining log entries.

Workaround:
Filter out questionable log entries as reported by dnatutil


545946-1 : Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load

Component: TMOS

Symptoms:
Transparent/translucent Vlangroup may have its MAC address set to 02:00:00:00:00 on either the first configuration load after an upgrade or on a manual mcpd db clear/reload.

Conditions:
Transparent/Translucent vlangroup configured.
Upgrade to a later version (11.3.0 through 12.1.0), or manually delete the mcpd DB binary.

Impact:
The vlangroup MAC address is incorrect and can adversely affect traffic traversing the vlangroup.

Workaround:
Reload the configuration or alter the vlangroup configuration, e.g., switch the transparency mode back and forth.


545810-2 : ASSERT in CSP in packet_reuse

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
This crash occurs on LTM virtual servers that meet both of the following configuration criteria:
- the virtual is configured with fasthttp profile.
- the virtual's enabled VLAN is mapped to the _loopback interface.

Impact:
Crash and restart of TMM

Workaround:
None


545596-1 : Dynamic routing on Viprion chassis interrupted on HA or blade failover

Component: Local Traffic Manager

Symptoms:
TMM may lose dynamic routing information when failover occurs between either chassis in an HA pair or blades within a chassis. Only TMM is affected: the routing database in ZebOS and tmrouted are not affected. Use the command 'tmsh show net route lookup <destination>' to determine whether TMM has a route to a particular destination.

Conditions:
Dynamic routing enabled on a chassis.

Impact:
Destinations learned via dynamic routing may not be reachable.

Workaround:
After failover, restart tmrouted with "bigstart restart tmrouted".


545314-1 : vCMP guest BIG-IP and VE BIG-IP systems fail to boot after increasing disk image size

Component: TMOS

Symptoms:
When increasing the size of the disk image for a vCMP guest BIG-IP or VE BIG-IP, the system will fail to boot the next time it is deployed. Specifically, the system will not be reachable via SSH, and logging in via the serial console is rendered impossible due to the faulty boot.

Conditions:
This only happens to vCMP guest BIG-IPs and VE BIG-IPs whose disk image size has been increased.

Impact:
The BIG-IP system remains inoperative until the workaround steps are executed.

Workaround:
To work around this issue, first allow the BIG-IP system to finish its failed boot. Then un-deploy and re-deploy the BIG-IP from its hypervisor. The BIG-IP system's second boot attempt will work, and the system comes up fully operational and with the additional disk space accounted for.


544963-1 : Upgrades of vCMP guests with the default-sized 100GB vdisk image and with SWG plus any of AFM, AM, APM, AVR, ASM, PEM, FPS provisioned will fail due to insufficient disk space

Component: TMOS

Symptoms:
When a user provisions certain module combinations on a vCMP guest with the default-sized 100 GB virtual disk image, upgrading the guest to a second software volume and migrating the configuration forward may cause provisioning to fail due to insufficient disk space once the guest boots into the newly installed software volume.

Conditions:
A vCMP guest has a certain module combination provisioned (one that includes the SWG module along with any one of the following: AFM, AAM, APM, AVR, ASM, PEM, or FPS), that requires a large amount of disk space, and the guest boots into a newly installed second software volume with the configuration migrated. The issue might also occur with other module combinations, for example, APM-ASM-AVR-LTM.

Impact:
Module provisioning fails in the guest after it boots into the newly installed volume due to insufficient disk space. The guest remains inoperative until the issue has been resolved.

Workaround:
The workaround involves creating a new virtual disk image for the guest and installing onto it the desired upgrade version. Please follow these steps:

1) Create and back up a UCS from the guest.

2) Move the guest to the 'configured' state to stop the guest's VM.

3) Once the guest's VM has been stopped, specify a new name for the guest's virtual disk image in the guest's 'virtual-disk' property.

4) Set the guest's 'initial-image' property to the name of the ISO, for example, initial-image BIGIP-12.0.0.0.0.606.iso.

5) Set the guest back to the 'deployed' state and wait for the guest VM to install and boot up.

6) Install the saved UCS onto the guest.

Note: If you are installing TMOS v12.0.0, TMOS v11.6.1, TMOS v11.6.0, or any version of 11.5.x, you will encounter this same issue the next time you try to upgrade. So, ideally, you should upgrade to a version where this bug is fixed.


544375-4 : Unable to load certificate/key pair

Component: Local Traffic Manager

Symptoms:
After creating an SSL profile, 'could not load key/certificate file' appears in /var/log/ltm along with the profile name. Connections to a virtual server that uses the SSL profile fail.

Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.

Impact:
Unable to load certificate.

Workaround:
None.


542742-1 : SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Component: TMOS

Symptoms:
SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Conditions:
Querying the OIDs.

Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.

Workaround:
There is no known workaround.


542724-2 : If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash

Component: Local Traffic Manager

Symptoms:
If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash.

Conditions:
This occurs when the following conditions are met:
  - There is an OCSP request in progress.
  - There is a configuration change.
  - The handshake is aborted.
  - The HTTP response for the OCSP request indicates a status code that is not 200.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


542664-2 : No default boot volume is set when installing a vCMP guest from a hotfix iso.

Component: TMOS

Symptoms:
When creating a vCMP guest using both an initial-image and initial-hotfix, the default boot volume is not set. This causes any future software installation performed inside that guest to automatically become the default boot volume.

Conditions:
This issue occurs when a vCMP guest is created from a hotfix build of BIG-IP.

Impact:
The default boot location is not set, which causes subsequent software installations inside the guest to be automatically marked default. Upon a reboot of an affected guest, the system boots into a newly installed volume, which might not be the desired behavior.

Workaround:
Once the vCMP guest is running, perform the following steps:

1. Log in to the guest via ssh or the vconsole utility.
2. Run the switchboot utility.
3. Select the appropriate volume to be the default boot location (there might be only one option in this list).
4. Press enter.

If the selected boot location is the current or only volume, it is marked as the default boot volume and the guest does not reboot.
If the selected boot location is not the currently booted volume, the guest immediately reboots into the selected volume.

Verify the operation was successful by issuing the command: grub_default -l.
The output of the command should resemble this:
-- config # grub_default -l
HD1.1 active yes default yes title BIG-IP 11.6.0 Build 5.0.429
As long as the appropriate volume is marked 'default yes', the operation is complete.


542191-1 : Snmpd V1 and V2c view based access.

Component: TMOS

Symptoms:
SNMP v3 allows for 'views' to be created. These views can be a union of multiple sub-branch OID access config statements. Users/groups can then be assigned to a view.

Conditions:
If more than one snmpd view is specified per community string, the second view is not accessible. Note: A view is a portion of a MIB tree defined by an OID.

Impact:
The BIG-IP system does not support view configuration. If multiple views are created using the lines: rouser USER [noauth|auth|priv [OID]], the system adds only one of them to the snmpd.conf file.

Workaround:
Multiple views with the same community string are not supported.


542104-1 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

Component: Local Traffic Manager

Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

TCP monitors may fail because the server fails to respond to the initial TCP SYN.

TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.

Conditions:
A server with tcp_tw_recycle enabled.

A multi-blade BIG-IP chassis.

Impact:
Monitor failures or traffic disruption.

Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.

Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.


541622-2 : APD/APMD Crashes While Verifying CAPTCHA

Component: Access Policy Manager

Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in a libcurl function when verifying a CAPTCHA.

Conditions:
This issue occurs when multiple sessions are being verified for CAPTCHA at the SimpleLogonPageAgent.

Impact:
The authentication service is disrupted until APD/APMD is running again.


540996-3 : Monitors with a send attribute set to 'none' are lost on save

Component: TMOS

Symptoms:
Monitors that have a send, recv, or recv-disable attribute set to 'none' are lost on configuration save.

Impact:
Monitor may send unexpected string.

Workaround:
None.


540775-1 : URLDecoder: Illegal hex characters in escape (%) pattern.

Component: Access Policy Manager

Symptoms:
APM Session Variable Report fails with error 'URLDecoder: Illegal hex characters in escape (%) pattern..' when session is active.

Conditions:
This issue occurs when a session is active and a session variable value contains the character '%'.

Impact:
Session Variable Report reports an error; unable to view the report.

Workaround:
To see session variable details, use one of the following workarounds:
-- Run the following command: sessiondump.
-- Go to Manage Sessions.
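The failure above is a strict percent-decoder rejecting a bare '%' that was never an escape. As an added example (not F5 code and not part of this release note), the following shows a strict decoder that fails the same way, a lenient one that keeps the literal character as data, and a report builder that records the decode error per variable instead of failing the whole report. The session variables are constructed samples, not output of sessiondump.

```python
"""Added example (not F5 code): strict versus lenient percent-decoding of session variable values.
SAMPLE_VARS is constructed and is not a real sessiondump."""
HEX = "0123456789abcdefABCDEF"


class IllegalEscape(ValueError):
    pass


def _decode(text, lenient):
    """Decode %XX escapes to bytes, then to text. A '%' not followed by two hex digits
    either raises (strict) or is kept as a literal '%' (lenient)."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "%":
            pair = text[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                out.append(int(pair, 16))
                i += 3
                continue
            if not lenient:
                raise IllegalEscape("Illegal hex characters in escape (%%) pattern at offset %d" % i)
            out.extend(b"%")  # keep the bare '%' as data
            i += 1
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def percent_decode_strict(text):
    return _decode(text, lenient=False)


def percent_decode_lenient(text):
    return _decode(text, lenient=True)


def decode_session_variables(pairs):
    """Decode (name, raw_value) session variables. A value the strict decoder rejects is
    reported with the lenient decoding and the error text, so one bad value does not
    abort the whole report. Returns (name, decoded_value, error_or_None) tuples."""
    report = []
    for name, raw in pairs:
        try:
            report.append((name, percent_decode_strict(raw), None))
        except IllegalEscape as exc:
            report.append((name, percent_decode_lenient(raw), str(exc)))
    return report


# Constructed sample session variables (hypothetical names and values).
SAMPLE_VARS = [
    ("session.user.agent", "Mozilla%2F5.0"),
    ("session.custom.note", "discount 50% off"),
    ("session.custom.pct", "100%25"),
]

if __name__ == "__main__":
    for name, value, err in decode_session_variables(SAMPLE_VARS):
        print(name, repr(value), err or "")
```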


540245 : ACCESS::respond command with one argument could cause a false warning message in log file

Component: Access Policy Manager

Symptoms:
An ACCESS::respond command with one argument could cause a false warning message in the LTM log.

Conditions:
This occurs when the ACCESS::respond command is used in an iRule with only one argument, such as specifying only the response code.

Impact:
The warning message in the log starts with "The following errors were not caught before. Please correct the script in order to avoid future disruption."

Workaround:
The message can be ignored.


540054-1 : tmm crash when DoS protection and behavior analysis enabled on virtual server

Component: Advanced Firewall Manager

Symptoms:
tmm crash when DoS protection and behavior analysis enabled on virtual server.

Conditions:
This occurs when the following conditions are met:
1) Provision AFM and LTM.
2) Enable DoS protection, Behavior Analysis in DoS profiles.
3) DoS profile is associated on a virtual server
4) Bad packets are sent to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
DoS network behavioral analysis should never be configured, since it does not provide any needed functionality.

If any security dos profiles contain 'behavioral-analysis enabled', these should be changed to 'behavioral-analysis disabled'.


539832-1 : Zebos: extended community attributes are exchanged incorrectly in BGP updates.

Component: TMOS

Symptoms:
1. BGP is not sending extended community attributes in BGP Updates to its neighbors in versions prior to 11.6.0.
2. BGP is unable to accept new BGP UPDATE messages that contain extended communities from its neighbors in version 11.6.0 and later.
3. On the sending neighbor, the route-map is reapplied to the prefix every time the connection is torn down by the neighbor, resulting in an ever increasing extended community list.

Conditions:
Configure BGP extended community attribute.

Impact:
Loss of/incorrect info related to extended community attribute.

Workaround:
None.


539687-2 : No logs for Proactive Bot Defense drops.

Component: Advanced Firewall Manager

Symptoms:
A request is reset (RST). There is no log entry or other indication of the reset.

Conditions:
The virtual server has an application DoS profile attached with Proactive Bot Defense turned on.

Impact:
A connection terminates, and the absence of logging causes confusion.

Workaround:
N/A


539466-1 : Cannot use self-link URI in iControl REST calls with gtm topology

Component: Global Traffic Manager

Symptoms:
The self-link URI cannot be used in iControl REST calls with gtm topology.

Conditions:
User issues iControl REST commands for gtm topology that include the self-link URI.

Impact:
The given command is not executed and the system posts the following error message: "Topologies must specify both regions: ldns: server:".

Workaround:
Do not use the self-link in iControl REST commands with gtm topology.


538292 : Asynchronous Task supports only version 12.0.0.

Component: TMOS

Symptoms:
When using asynchronous task in iControl REST, specifying any version other than 12.0.0 will cause the API to become unstable in some cases.

Conditions:
Specify any version below 12.0.0 for asynchronous task requests.

Impact:
In some cases, iControl REST may hang or become unresponsive.

Workaround:
When making requests through iControl REST using asynchronous task, specify only version 12.0.0 in the request URI.


538014-2 : EVAL shown in CLI Mode even after purchasing subscription license for SWG.

Component: TMOS

Symptoms:
EVAL shown in CLI Mode even after purchasing subscription license for SWG.

Conditions:
Users have a subscription license for SWG.

Impact:
The user will see EVAL in the CLI.

Workaround:
Ignore EVAL as seen in the CLI.


537553-2 : tmm might crash after modifying virtual server SSL profiles in SNI configuration under load

Component: Local Traffic Manager

Symptoms:
Making configuration changes to SSL profiles for the virtual server configured for SSL SNI might crash tmm under load.

Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. The BIG-IP system is under traffic load.
3. A change is made to any of the SSL profiles configured on the virtual server, or SSL profiles are added or removed from the virtual server profile list.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


537213-1 : Second push is required after deactivating Active Security Policy and Sync flag indicates "In Sync" status

Component: Application Security Manager

Symptoms:
Changes made to security policies are not synced to peer. The sync status says "In sync" but the policy changes have not been made.

Conditions:
This occurs when making changes to security policies with policies on each device in a sync-only ASM device group.

Impact:
Changes are not propagated to the other devices in the sync-only device group, yet the sync status says it is in sync (the sync-failover group will say changes are pending). If you perform a second sync, the changes are pushed to the other devices.

Workaround:
Performing a second sync will push the changes to the other devices.


537209-4 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'

Component: Local Traffic Manager

Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.

Conditions:
A virtual server with a Fastl4 profile whose idle timeout is set to 'immediate' is processing traffic.

Impact:
Traffic is reset on a virtual server that should handle it normally.

Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.


537073 : If table command in SERVER/CLIENT_CLOSED is aborted while INPROGRESS, next table command may use old result

Component: Local Traffic Manager

Symptoms:
This leaves the rule expecting the result of the *prior* table command instead. When that result arrives, it is treated as the result for the CLIENT/SERVER_CLOSED's iRule.

This has the effect of both not actually executing the requested table command *and* supplying the wrong result.

Conditions:
A table command performs an async operation in an iRule on a flow that is aborted.

Impact:
Incorrect iRule operation.

Workaround:
None.


536563-1 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Component: Local Traffic Manager

Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.

Impact:
Unexpected RSTs (Clientside).

Workaround:
None.


536505-1 : DHCPv6 - pool member not selected if it returns from DOWN state

Component: Local Traffic Manager

Symptoms:
A DHCP relay that has more than one pool member configured forwards requests to all of them as expected. However, if there is a constant flow of DHCP traffic from the client and monitors change the state of these pool members, a pool member that was down does not receive traffic when it comes up, and a pool member that goes down still receives forwarded DHCP traffic.

Conditions:
Pool member states change after sessions are created.

Impact:
Pool members are not used if they become active after sessions are created, or remain in use when they are inactive.

Workaround:
After pool member states change, delete all the sessions and re-create them.


535904-1 : BD crashes when attempting to access a closed connection

Component: Application Security Manager

Symptoms:
The Enforcer Application system generates a BD core file to the /shared/core directory.

Conditions:
One or more of these features is turned on: session tracking, web scraping, ICAP, ASM iRules. The client side or the server side prematurely closes the connection.
There is some load on this traffic.

Impact:
The Enforcer Application system may temporarily fail to process traffic.

Workaround:
N/A


534457-1 : Dynamically discovered routes might fail to remirror connections.

Component: Local Traffic Manager

Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.

Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.

Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.

Workaround:
Provide a static route instead of dynamic routes.


534021-4 : HA on AWS uses default AWS endpoint (EC2_URL).

Component: TMOS

Symptoms:
HA doesn't work on Government clouds on AWS.

Conditions:
AWS endpoints for government clouds are different compared to their public offerings. Amazon recommendation is to construct the end-point (EC2_URL) dynamically based on: [<service name>.<region>.<services/domain>] construct.

Impact:
HA doesn't work on Government clouds on AWS.

Workaround:
EC2 endpoint can be constructed dynamically by:
 - Query EC2 Metadata service for <DOMAIN> name (curl http://169.254.169.254/latest/meta-data/services/domain)
 - Read the instance <REGION> from /shared/vadc/aws/iid-document
 - Export the EC2_URL environment variable using the two values above, in the following format:
   export EC2_URL="http://ec2.<REGION>.<DOMAIN>"
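The three steps above, as an added example (not F5 code and not part of this release note): the metadata response and identity document are constructed samples of the two inputs the workaround names; the helpers validate both values before joining them, so that a bad or unexpected response cannot turn into an arbitrary endpoint. The workaround text gives the URL with http, which the example keeps as the default; pass scheme='https' to build the TLS form of the same endpoint.

```python
"""Added example (not F5 code): build the regional EC2 endpoint from the services domain
and the instance region. SAMPLE_DOMAIN_RESPONSE and SAMPLE_IID_DOCUMENT are constructed."""
import json
import re

REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")  # e.g. us-gov-west-1, cn-north-1
DOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

# Constructed: what 'curl http://169.254.169.254/latest/meta-data/services/domain' returns
# on an instance; a trailing newline is tolerated.
SAMPLE_DOMAIN_RESPONSE = "amazonaws.com\n"
# Constructed, trimmed instance identity document in the shape of /shared/vadc/aws/iid-document
# (hypothetical instance and account ids).
SAMPLE_IID_DOCUMENT = (
    '{"region": "us-gov-west-1", "instanceId": "i-0123456789abcdef0", '
    '"accountId": "123456789012"}'
)


def services_domain(response_text):
    """Normalise and validate the services domain returned by the metadata service."""
    domain = response_text.strip().lower()
    if not DOMAIN_RE.match(domain):
        raise ValueError("unexpected services domain: %r" % domain)
    return domain


def region_from_iid_document(doc_text):
    """Extract and validate the 'region' field of the instance identity document."""
    region = json.loads(doc_text).get("region", "")
    if not REGION_RE.match(region):
        raise ValueError("unexpected region in identity document: %r" % region)
    return region


def build_ec2_url(region, domain, scheme="http"):
    """Assemble <scheme>://ec2.<REGION>.<DOMAIN>, the form given in the workaround."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not REGION_RE.match(region) or not DOMAIN_RE.match(domain):
        raise ValueError("region or domain failed validation")
    return "%s://ec2.%s.%s" % (scheme, region, domain)


def ec2_url_from_sources(domain_response, iid_document, scheme="http"):
    """Combine the two raw inputs into the EC2_URL value to export."""
    return build_ec2_url(region_from_iid_document(iid_document),
                         services_domain(domain_response), scheme)


if __name__ == "__main__":
    print("export EC2_URL=%s" % ec2_url_from_sources(SAMPLE_DOMAIN_RESPONSE, SAMPLE_IID_DOCUMENT))
```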


533813-4 : Internal Virtual Server in partition fails to load from saved config

Component: TMOS

Symptoms:
Loading a successfully configured internal Virtual Server from the config fails with the following message:

-- 01070712:3: Values (/part2/0.0.0.0%2) specified for Virtual Server (/part2/ICAP_request): foreign key index (name_FK) do not point at an item that exists in the database.

Conditions:
This occurs when the following conditions are met:
-- You are running a BIG-IP system with no configuration.
-- You have created an external VLAN with an interface.
-- You have created a non-default route domain, and associated it with a newly created VLAN.
-- You have created a virtual server, and configured a pool in a partition other than /Common.
-- You have saved the configuration.

Here is an example of how this might occur. Run the following commands.

- tmsh
- create net vlan external interfaces add { 1.2 }
- create net route-domain 2 vlans add { external }
- create auth partition part2 default-route-domain 2
- cd ../part2
- create ltm pool icap_pool members add { 10.10.10.10:8080 }
- create ltm virtual ICAP_request destination 0.0.0.0:0 mask 0.0.0.0 internal ip-protocol tcp profiles add { tcp } pool icap_pool
- save sys config
- load sys config partitions all verify

Impact:
The operation creates a virtual server but cannot load it from saved config.

Workaround:
To work around this issue, you can use the Common partition to complete the configuration.


532559-5 : Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.

Component: TMOS

Symptoms:
If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. But the configuration could potentially use 'defaults-from none'.

Conditions:
This condition could be caused by executing the following command when generating the configuration.

'tmsh modify ltm profile client-ssl clientssl defaults-from none'

Impact:
The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile.

Workaround:
Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.


531979-5 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system sets the SSL version in the record layer to the same value as the ClientHello version field, which is the highest SSL version the system supports.

Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:

SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION

The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.

For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.
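The two version fields described above, as an added example (not F5 code and not part of this release note): the code builds a minimal ClientHello with chosen record-layer and handshake versions, parses both fields back out, and models a peer that takes the pair as the client's offered range, which is the peer behaviour the note describes and an assumption of the example rather than RFC text. The client random is a zero placeholder, which is acceptable only for a byte-layout demonstration.

```python
"""Added example (not F5 code): record-layer version versus ClientHello version, and how a peer
that reads both as a range decides whether it shares a version with the client."""
import struct

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


def build_client_hello(record_version, hello_version, cipher_suites=(0x002F, 0xC02F)):
    """Minimal ClientHello without extensions: 32 zero bytes stand in for the client random
    (placeholder only), empty session id, the given cipher suites, null compression."""
    body = struct.pack("!BB", *hello_version)          # ClientHello.client_version
    body += b"\x00" * 32                                # client random (placeholder)
    body += b"\x00"                                     # session id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return (b"\x16" + struct.pack("!BB", *record_version)       # content type 22, record version
            + struct.pack("!H", len(handshake)) + handshake)


def parse_versions(record):
    """Return (record_version, hello_version) from one ClientHello record, or raise ValueError."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (record[1], record[2])
    (rec_len,) = struct.unpack("!H", record[3:5])
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    if int.from_bytes(record[6:9], "big") != rec_len - 4:
        raise ValueError("handshake length mismatch")
    return record_version, (record[9], record[10])


def offered_range(record):
    """(lowest, highest) version a peer that reads both fields takes the client to offer.
    Assumption of this example: the peer treats the two fields as the ends of a range."""
    rec_v, hello_v = parse_versions(record)
    return min(rec_v, hello_v), max(rec_v, hello_v)


def peer_has_common_version(record, peer_min, peer_max):
    """True when the offered range overlaps the peer's supported range."""
    low, high = offered_range(record)
    return low <= peer_max and high >= peer_min


def describe(record):
    low, high = offered_range(record)
    return "%s through %s" % (VERSION_NAMES[low], VERSION_NAMES[high])


if __name__ == "__main__":
    affected = build_client_hello((3, 3), (3, 3))   # record version == highest version
    expected = build_client_hello((3, 1), (3, 3))   # record version == lowest version
    for label, rec in (("affected", affected), ("de facto", expected)):
        print(label, describe(rec), "peer TLS1.0/1.1 ok:", peer_has_common_version(rec, (3, 1), (3, 2)))
```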


531566-1 : A partial response arrives to the client when response logging is turned on

Component: Application Security Manager

Symptoms:
When response logging is turned on, the client receives only a partial response.

Conditions:
Response logging is turned on.
The response is chunked.

Impact:
The response arrives as chunked, but not all the chunks arrive, causing the client to wait for the rest of the response.

Workaround:
N/A


530266-3 : Rate limit configured on a node can be exceeded

Component: Local Traffic Manager

Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.

Conditions:
More than one tmm must be running, and a rate limit must be configured on the node.

Impact:
The node rate limit feature does not work as intended.

Workaround:
Moving the rate limit from the node to the pool member works.


530102-1 : Illegal meta characters on XML tags

Component: Application Security Manager

Symptoms:
After upgrading from 11.4.1 to 11.6.0, 11.6.1 or 12.0.0, you see many "Illegal meta character in value" false positives on your XML content. The flagged characters are valid within XML (<, >, /, :, etc.), and the affected URLs are associated with legitimate XML profiles via header-based content profiles.
From the security event report, one can see that the invalid characters are reported for the global UNNAMED wildcard parameter and that the request is a multipart POST.

Conditions:
An XML profile is assigned to the wildcard URL through a Header-Based Content profile.

Impact:
False positive violations could happen on the parameter enforcement (as it's not a parameter content but XML).

Workaround:
N/A


529900-3 : AVR missing some configuration changes in multiblade system

Component: Application Visibility and Reporting

Symptoms:
Some DB variables affect the behavior of AVR, but if they are modified in a multiblade system, then not all blades will be aware of the change, which later leads to errors in functionality.

Conditions:
Multiblade system, having one of the following changes:
1. New primary blade is selected.
2. Change to AVR max number of entities in the DB.

Impact:
Data might not be loaded into the DB, or not be queried correctly.

Workaround:
Restarting monpd solves the problem.


529535-1 : MCP validation error while deactivating a policy that is assigned to a virtual server

Component: Application Security Manager

Symptoms:
When deactivating a security policy via REST, and the policy is assigned to a virtual server, then BIG-IP reports the following error:
----------------------------
"MCP Validation error - 01071726:3:
Cannot deactivate policy action '/Common/<VS_name>'. It is in use by ltm policy '/Common/<L7_policy_name>'.",
----------------------------

However, the security policy becomes inactive and remains assigned to virtual server.

This will cause the virtual server to stop processing network traffic, and there will be the following errors in 'bd.log':
----------------------------
BD_MISC|ERR |Jun 24 12:53:35.698|17566|src/acc_reject_policy.c:0165|Account id 10 has no reject policy configured. Cannot get data
----------------------------

Conditions:
ASM provisioned, with a security policy assigned to a Virtual Server, then the security policy is deactivated via the REST API

Impact:
An inactive security policy remains assigned to a Virtual Server

Workaround:
Deactivate the security policy via the GUI at:
'Security ›› Application Security : Security Policies : Active Policies'.


529400-1 : An SSL handshake can show 'no ciphers selected' in some circumstances

Component: Local Traffic Manager

Symptoms:
If an SSL profile is configured with only an RSA key/cert pair and only ECDHE-ECDSA ciphers are selected, the configuration does not report an error.
Subsequent SSL handshakes do not succeed and show 'no ciphers selected' error messages.

Conditions:
ECDHE-ECDSA ciphers are selected in the 'ciphers' list, but no ECDSA key and certificate are configured in the SSL profile.

Impact:
All SSL handshakes fail with 'no cipher suite selected'.

Workaround:
When configuring an SSL profile, if an ecdhe-ecdsa cipher is selected in the 'ciphers' field, make sure ecdhe-ecdsa key/cert is also configured.


528787-2 : PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.

Component: Policy Enforcement Manager

Symptoms:
PEM responds with RAA with DIAMETER_SUCCESS code even though session has been deleted.

Conditions:
Diameter virtual is down, then RADIUS sessions are deleted via tmsh, then the Diameter virtual is brought back up

Impact:
The PCRF might be misled into thinking the session exists.

Workaround:
Make sure the PCRF sends an RAR with at least one policy; PEM then responds with an RAA indicating 'unable to comply'.


528734-3 : TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.

Component: Local Traffic Manager

Symptoms:
On a Standard virtual server, a data segment is retransmitted whenever an ICMP Type 3, Code 4 message with any MTU value (>= 0) is received. The retransmissions continue until no more ICMP Type 3, Code 4 messages arrive, the connection times out, or an ACK is received.

Conditions:
A malicious router or client sends ICMP fragmentation-needed messages with arbitrary MTU values (increasing, decreasing, unchanged, or 0).

Impact:
Packets fill up the pipe and cause a minor outage. This is a DoS risk that can be exploited from outside the network.
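The plausibility checks a TCP stack applies before honouring such a message, as an added example (not F5 code and not part of this release note): the embedded original header must match a connection the host actually owns, the advertised MTU must shrink the current path MTU and stay at or above the minimum link MTU, and an advertised 0 (old router) steps down the RFC 1191 plateau table instead of being taken literally. All packets are constructed in memory; nothing is sent.

```python
"""Added example (not F5 code): plausibility checks for ICMPv4 'fragmentation needed' messages
before they may change a connection's path MTU. Packets are constructed; nothing touches the wire."""
import struct

# RFC 1191 plateau table, used when an old router reports a next-hop MTU of 0.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)
IPV4_MIN_MTU = 68  # smallest IPv4 link MTU a host must cope with (RFC 791)


def build_frag_needed(next_hop_mtu, orig_src, orig_dst, sport, dport):
    """ICMPv4 type 3 / code 4: 8-byte ICMP header, then the offending datagram's IP header
    and the first 8 bytes of its payload (TCP source port, destination port, sequence)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in orig_src.split(".")),
                         bytes(int(o) for o in orig_dst.split(".")))
    first8 = struct.pack("!HHI", sport, dport, 0)
    icmp_hdr = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)  # checksum left at 0
    return icmp_hdr + ip_hdr + first8


def parse_frag_needed(msg):
    """Return (next_hop_mtu, (src, dst, sport, dport)) or raise ValueError."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not a fragmentation-needed message")
    ihl = (msg[8] & 0x0F) * 4
    if ihl < 20 or len(msg) < 8 + ihl + 8:
        raise ValueError("bad embedded IP header")
    if msg[8 + 9] != 6:
        raise ValueError("embedded datagram is not TCP")
    src = ".".join(str(b) for b in msg[8 + 12:8 + 16])
    dst = ".".join(str(b) for b in msg[8 + 16:8 + 20])
    sport, dport = struct.unpack("!HH", msg[8 + ihl:8 + ihl + 4])
    return mtu, (src, dst, sport, dport)


def next_pmtu(current_mtu, advertised_mtu):
    """New path MTU for one message, or None to ignore it. Only a value that actually shrinks
    the path MTU and is at least the minimum link MTU is accepted; 0 means 'old router'."""
    if advertised_mtu == 0:
        return next((p for p in PLATEAUS if p < current_mtu), None)
    if IPV4_MIN_MTU <= advertised_mtu < current_mtu:
        return advertised_mtu
    return None


class PmtuTable:
    """Per-flow path MTU state keyed by (local_ip, remote_ip, local_port, remote_port).
    Only flows we own may be adjusted, and an adjustment never grows the MTU."""

    def __init__(self, flows, initial_mtu=1500):
        self.mtu = {flow: initial_mtu for flow in flows}

    def handle(self, msg):
        """Return (flow, new_mtu) if the message was honoured, else None."""
        try:
            advertised, flow = parse_frag_needed(msg)
        except ValueError:
            return None
        if flow not in self.mtu:  # no such connection: spoofed or stale
            return None
        new = next_pmtu(self.mtu[flow], advertised)
        if new is None:
            return None
        self.mtu[flow] = new
        return flow, new


if __name__ == "__main__":
    flow = ("10.0.0.1", "192.0.2.10", 443, 51000)   # constructed flow
    table = PmtuTable([flow])
    for mtu in (1400, 9000, 10, 0):
        print("advertised", mtu, "->", table.handle(build_frag_needed(mtu, *flow)))
```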


528424-1 : IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state

Component: Access Policy Manager

Symptoms:
Tooltips/Toast notification are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc). Beginning with Microsoft Windows 8, tooltips are replaced by Toast Notifications; Windows does not convert tooltips to toast notification for F5 WebComponent in Windows 10.

Conditions:
The problem occurs under these conditions:
-- Internet Explorer 11.
-- Windows 10.
-- Network Access changes state.

Impact:
User is not notified about state change.

Workaround:
To enable tooltips, in Group Policy change this setting:
"User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Disable showing balloon notifications as toasts" to Enable.


528295-5 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Component: TMOS

Symptoms:
Loading a 10.x UCS that contains LTM virtual servers with ARP disabled onto an 11.4.x or later system causes the ARP and ICMP echo settings to be flipped each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.

Impact:
The ARP and ICMP echo settings are flipped each time the load occurs. Note that the virtual server's ICMP echo field is flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.


528083-1 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Conditions:
System shutdown. The issue cannot be reproduced reliably, so the conditions for the crash are unknown.

Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.

Workaround:
None


528031-2 : AVR not reporting the activity of standby systems.

Component: Application Visibility and Reporting

Symptoms:
When working in Active/Standby configurations, the standby system is completely ignored when generating an AVR report. The standby system might have been an active system in the past, so its statistics should also be counted.

Conditions:
Configuration with Active and Standby systems.

Impact:
Some historical activity might not be reported by AVR.

Workaround:
None.


527992-3 : tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client.

Component: Policy Enforcement Manager

Symptoms:
When the DHCP server flow is trying to connect to the same client flow that is already connected and not released, there might be a tmm crash.

Conditions:
This can occur when using the dhcpv6 profile.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


527206-2 : Management interface may flap due to LOP sync error

Component: TMOS

Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.

Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.
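The example error sequence above is what an operator would look for when deciding whether a management interface flap was caused by this LOP register-read problem. The following added example (not F5 code) is a small detector that parses syslog-style chmand lines, pairs each "is DOWN" with the matching "is UP", and flags the flap as LOP-related when getLopReg warnings precede it. The log lines, timestamps and host name are constructed for the example; the 60-second lookback and 120-second maximum flap length are assumed thresholds.

```python
import re
from datetime import datetime

# Constructed sample log in /var/log/ltm style; the timestamps and host name are made up,
# the chmand message texts follow the example error sequence in the known-issue entry.
SAMPLE_LOG = """\
Mar 18 10:15:01 bigip1 warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
Mar 18 10:15:01 bigip1 err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
Mar 18 10:15:02 bigip1 warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
Mar 18 10:15:03 bigip1 notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
Mar 18 10:15:18 bigip1 notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.
Mar 18 11:02:40 bigip1 notice chmand[7018]: 012a0005:5: Interface: 1/mgmt is DOWN.
Mar 18 11:02:55 bigip1 notice chmand[7018]: 012a0005:5: Interface: 1/mgmt is UP.
Mar 18 12:00:00 bigip1 notice tmm[11983]: constructed unrelated message with no interface event.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<sev>\w+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IFACE_RE = re.compile(r"Interface: (?P<iface>\S+) is (?P<state>UP|DOWN)\.")
LOP_MARKER = "getLopReg"   # chmand register-read warnings that precede a LOP-related flap


def parse_line(line, year=2018):
    """Split one syslog-style line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # syslog timestamps carry no year; one is assumed so that they can be compared
    fields["ts"] = datetime.strptime(f"{year} {fields['ts']}", "%Y %b %d %H:%M:%S")
    return fields


def find_mgmt_flaps(lines, lop_lookback_s=60, max_flap_s=120):
    """Return one record per DOWN/UP pair no longer than max_flap_s, flagging the
    pairs that were preceded by getLopReg warnings within lop_lookback_s."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    lop_times = [e["ts"] for e in events
                 if e["proc"] == "chmand" and LOP_MARKER in e["msg"]]
    pending_down = {}
    flaps = []
    for e in events:
        m = IFACE_RE.search(e["msg"])
        if not m:
            continue
        iface, state = m["iface"], m["state"]
        if state == "DOWN":
            pending_down[iface] = e["ts"]
        elif iface in pending_down:
            down_at = pending_down.pop(iface)
            duration = (e["ts"] - down_at).total_seconds()
            if duration > max_flap_s:
                continue   # a long outage is something else, not a flap
            lop_related = any(0 <= (down_at - t).total_seconds() <= lop_lookback_s
                              for t in lop_times)
            flaps.append({"iface": iface, "down_at": down_at,
                          "duration_s": duration, "lop_related": lop_related})
    return flaps


if __name__ == "__main__":
    for flap in find_mgmt_flaps(SAMPLE_LOG.splitlines()):
        print(flap)
```

On the constructed input the 2/mgmt flap is reported as LOP-related (15 seconds, matching the typical interval given above) while the 1/mgmt flap is not, which is the distinction an operator needs before attributing an outage to this issue.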

Workaround:
None.


526708-3 : system_check shows fan=good on removed PSU of 4000 platform

Component: TMOS

Symptoms:
Running system_check on a 4000 platform with one PSU removed still shows FAN=good; STATUS=good.

Conditions:
This applies only to the BIG-IP 4000 platform.

Impact:
The fan shows a status of 'good' when the PSU is removed. Reading the power supply status in the system_check output shows the PSU as down.


524839-1 : Dynamic routing may not properly handle moving a self IP between VLANs

Component: TMOS

Symptoms:
When a dynamic routing protocol is in use and a self IP is moved from one VLAN to another, the connected route for the self IP network may be removed from ZebOS and not re-added.

Conditions:
Dynamic routing is configured, and a self IP is moved from one VLAN to another.

Impact:
Networks advertised or learned via dynamic routing may not be reachable if they depend on the connected route.

Workaround:
Restart tmrouted. Note: This interrupts dynamic routing.


524641-5 : Wildcard NAPTR record after deleting the NAPTR records

Component: Local Traffic Manager

Symptoms:
DNS queries fail when adding/deleting a NAPTR record through ZoneRunner.

Conditions:
After a specific NAPTR record is deleted, the previously added wildcard NAPTR record fails to answer wildcard dig queries, and the system does not show the correct subdomains.

Impact:
Wildcard NAPTR record call fails after deleting the NAPTR records.

Workaround:
None.


524193-5 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify, delete, replace-all), only the first address is saved.

Conditions:
Multiple source addresses are specified on a TMSH snmp community command.

Impact:
The command is accepted, but only the first address is allowed SNMP access.

Workaround:
Add an additional source address to another snmp community object that has the same community string.


524123-2 : iRule ISTATS::remove does not work

Component: TMOS

Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.

Conditions:
Invoking the ISTATS::remove command from an iRule.

Impact:
The value of the iStat remains defined.

Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.


523985-3 : Certificate bundle summary information does not propagate to device group peers

Component: TMOS

Symptoms:
Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync.

Conditions:
A certificate file is created in a folder synced to a device group.

Impact:
Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available.

Workaround:
None.


522934-1 : Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy

Component: Policy Enforcement Manager

Symptoms:
Some PCRFs require the subscription ID in all CCR messages over Gx/Gy for easier session management.

Impact:
Some PCRFs do not work properly with PEM if the subscription ID is not specified in CCR-U and CCR-T messages.

Workaround:
Set the sys db variable Tmm.diameter.application.encode.subscriber.id.in.all.ccr to True to include the Subscription ID in CCR-U and CCR-T messages as well. By default it is set to True.


522124-2 : Secondary MCPD restarts when SAML IdP or SP Connector is created

Component: Access Policy Manager

Symptoms:
Secondary MCPD restarts when the admin creates APM SAML IdP Connector (or SP Connectors) from attached metadata on the primary blade.

Conditions:
BIG-IP chassis with multiple blades where the configuration includes APM SAML IdP Connector or SP Connector created from attached metadata file.

Impact:
Secondary slot's MCPD restarts.


521370-2 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8

Component: Application Security Manager

Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.


520604-9 : Route domain creation may fail if simultaneously creating and modifying a route domain

Component: Local Traffic Manager

Symptoms:
Failure trying to create and modify a route domain in a single operation.

Conditions:
Performing create and modify operations in the same transaction, as can be done using tmsh and iControl.

Impact:
Transaction fails. Even though an ID is passed in with the create method, the system posts an error similar to the following: 01070734:3: Configuration error: route-domain Name /Common/test_rd_200 is non-numeric, so an ID must be specified.

Workaround:
Perform create and modify operations in different transactions.


518201-3 : ASM policy creation fails after upgrading

Component: Application Security Manager

Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. You will see the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------

It does not matter if the security policy was created by the command line or by the Configuration utility.

Conditions:
ASM provisioned
Upgrade to 11.6.X

Impact:
ASM policies cannot be created.

Workaround:
Please apply the following workaround, as root user, from the command line of the affected BIG-IP.
Please run these exact commands - copy and paste into the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

Be advised that this operation will permanently affect the mentioned database table.
It is strongly advised to first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------

Before applying the workaround, first make sure that you indeed need one.
You can do that by running this in the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
In case this query does not return any output - it means that there is no need to apply the mentioned workaround.

In case you do need to apply the workaround, you can use the same "SELECT *" query to validate the workaround, after it has been applied. Namely, after the workaround was applied, the "SELECT *" query should return no output.


518086-4 : Safenet HSM Traffic failure after system reboot/switchover

Component: Local Traffic Manager

Symptoms:
SafeNet hardware security module (HSM) Traffic failure after system reboot/switchover.

Conditions:
Restart of services on primary or secondary blade.

Impact:
Traffic fails. There is no pkcs11 connection on the new primary blade.

Workaround:
The workaround is to restart pkcs11d on the secondary blade.


515764-5 : PVA stats only being reported on virtual-server and system-level basis.

Component: TMOS

Symptoms:
The VLAN/interface stats do not include PVA stats. PVA stats are reported on a per-virtual-server basis, including the virtual server plus its pool and pool members.

Conditions:
Viewing PVA stats.

Impact:
Interface stats count only TMM software traffic and do not include PVA traffic. Although this is by design, it makes it difficult to monitor per-VLAN throughput on the device.

Workaround:
Retrieve pool member PVA stats for server-side PVA stats on the associated VLANs. Also look at PVA stats in the virtual server stats for client-side PVA stats. Note: On the client side, the virtual server might be configured to run on multiple VLANs, so the client-side details are not included in the stats.


513887-4 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system

Component: Application Security Manager

Symptoms:
There are "/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.

Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

No other impact.

Workaround:
None.


512954-3 : ospf6d might leak memory when a distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv3 and the Routing Information Base (RIB). The leak may lead to a crash unrelated to memory exhaustion.

Conditions:
OSPFv3 in use with a distribute-list, and LSAs in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospf6d crashes interrupt all dynamic routing using OSPFv3.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.


511324-9 : HTTP::disable does not work after the first request/response.

Component: Local Traffic Manager

Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.

Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.

Impact:
The connection is reset.

Workaround:
None.


506543-4 : Disabled ephemeral pool members continue to receive new connections

Component: Local Traffic Manager

Symptoms:
Disabled ephemeral pool members continue to be selected for new connections.

Conditions:
An FQDN parent node is disabled, causing its derived ephemeral pool members to be marked disabled.

Impact:
Unexpected traffic is load balanced to disabled pool members.

Workaround:
None.


503125-1 : Excessive MPI net traffic can cause tmm panics on chassis systems

Component: Local Traffic Manager

Symptoms:
Excessive MPI net traffic can cause tmm panics on chassis systems.

Conditions:
This occurs on chassis systems with excessive internal traffic resulting from abnormal load distribution or excessive session DB usage. The session DB usage can be the result of modules or of custom iRules that store session data.

Impact:
Temporary outage and possible failover when using HA. The source conditions will also continue on the new active device, which can cause repeated failovers. When this occurs, the tmm logs will contain messages similar to: notice MPI stream: connection to node 127.20.3.24 expired for reason: TCP retransmit timeout

Workaround:
If affected by this when using iRules to create custom keys and data, the issue can be partially mitigated by consolidating multiple keys and using key lengths as small as possible. The amount of data stored also matters, but large keys can exacerbate the issue.


502129-2 : Hash Cookie Persistence interacts poorly with persistence iRules

Component: Local Traffic Manager

Symptoms:
Persistence may fail to work correctly if hash persistence is selected via an iRule persist command. Later requests could then use the hash cookie value as the name of the persistence cookie to inspect.

Conditions:
Cookie persistence is configured, and then overridden by cookie hash persistence by an iRule persist command.

Impact:
Persistence may fail to work correctly when the persist iRule command overrides from cookie to hash-cookie persistence.


499404-4 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies

Component: Local Traffic Manager

Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.

Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.

Impact:
The wrong MSS value is advertised during the TCP three-way handshake (3WHS).

Workaround:
None.


488686-2 : Large file transfer hangs when HTTP is in passthrough mode

Component: Local Traffic Manager

Symptoms:
Large file transfer hangs when HTTP is in passthrough mode. HTTP could go into passthrough mode through enforcement, iRule, unknown method detection or switching protocols.

Conditions:
Large file transfer is attempted and HTTP goes into passthrough mode.

Impact:
File transfer hangs.


483570-1 : TMM/APMD fail to communicate when handling a large amount of data under high load conditions.

Component: Access Policy Manager

Symptoms:
VPN users begin to report that they are unable to connect to a normally functioning (but busy) APM virtual server. The virtual server is using an iRule configured with ACCESS::POLICY evaluate.

Conditions:
This can occur when using the 'ACCESS::POLICY evaluate' iRule with a large number of new users per second when handling a large amount of data.

Impact:
Multiple failures. The system posts messages similar to the following in debug tmm logs with failing policy execution: notice acs_mpi_send/912: ACS: IPC send channel stuck!

Workaround:
None.


476524-1 : SSL handshake delay when SSL mirroring enabled or mirrored connection fails to recover after failover.

Component: Local Traffic Manager

Symptoms:
SSL handshake delay when SSL mirroring enabled, or mirrored connection fails to recover after failover.

Conditions:
Mirroring enabled on TCP virtual server.

Impact:
- SSL handshake delayed for 80% of SSL handshake timeout.
- Mirrored connection fails to recover after failover.
- In rare situations the SSL handshake might be delayed after the ClientHello is transmitted or a mirrored connection may fail to recover after failover.

Workaround:
Set connection.syncookies.threshold (or, in the GUI, SYN Check Activation Threshold) to 0 and enable hardware syncookies in the TCP profile.


474252-3 : Applying ASM security policy repeatedly fills disk partition on a chassis

Component: Application Security Manager

Symptoms:
Applying ASM security policy repeatedly on a chassis will cause /var disk partition to fill.

Conditions:
ASM security policy is applied repeatedly on a chassis.

Impact:
/var disk partition is filled.

Workaround:
Delete the contents of /var/ts/var/cluster/send.


474149-5 : SOD posts error message: Config digest module error: Traffic group device not found

Component: TMOS

Symptoms:
SOD posts error message: Config digest module error: Traffic group device not found.

Conditions:
In a failover device group, if a peer device (non self device) has gone through a management IP address change, SOD fails to clean up the old IP address from its internal storage, so the system subsequently and incorrectly behaves as if there is a 'configuration data inconsistent' error.

Impact:
System posts the message: notice sod[8118]: 010c0062:5: Config digest module error: Traffic group device not found.

This causes the HA failover next-active device selection to fall back to the static (IP-based) selection algorithm, which in Device Service Clusters with more than 2 devices, may cause a device other than the intended device to take over services.

Workaround:
Restart sod or reboot the device to restore correct failover functionality. This will cause a failover of any traffic groups currently Active on the device.

To restart sod, at the command line run bigstart restart sod


472860-4 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Component: Policy Enforcement Manager

Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Conditions:
Session created via iRule running on the RADIUS virtual server.

Impact:
RADIUS session statistics are not incremented.

Workaround:
None.


472308-4 : Management IP address change interaction with HA heartbeat / failover traffic

Component: TMOS

Symptoms:
When the management IP address changes (either as a result of enabling mgmt-dhcp, or the leased address changing), the system does not synchronize this updated address to other devices in the failover device group / trust domain. (That is, the system does not trigger an update to the device_trust_group.)

Conditions:
This occurs on HA configurations.

Impact:
This can cause disruption in an HA environment. The sod process discards any HA heartbeat traffic it receives (e.g., traffic over the self IP addresses) that does not contain a 'known' cluster_mgmt_ip.

Workaround:
None.


471835-2 : Invalid port blocks are incorrectly counted as active zombie blocks.

Component: Carrier-Grade NAT

Symptoms:
After the LSN pool configuration is changed while port blocks are active, the port blocks may become invalid because they are no longer in the pool. An active port block may also become invalid if a translation request occurs during the short period between when a block expires and when the expiration is processed. These invalid blocks are incorrectly counted in the 'Active zombie port block' count. Because the invalid blocks are not zombie blocks, the count is not decremented when the invalid block's expiration is processed.

Conditions:
More than one lsn-pool with overlapping address spaces, and virtual servers using these lsn-pools. Zombie timeout must be enabled on the pool and there must be active zombie port blocks.

Impact:
The PBA zombie statistics for the lsn-pool may be invalid.

Workaround:
None.


464801-4 : Intermittent tmm core

Component: Local Traffic Manager

Symptoms:
tmm intermittently cores. The stack trace signature indicates "packet is locked by a driver".

Impact:
Traffic disrupted while tmm restarts.


464437-1 : Quickly repeated external datagroup loads might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
TMM crashes while loading an external datagroup that has already been loaded.

Conditions:
External datagroup is already loaded, and is then re-loaded.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To avoid this issue, wait a few seconds between loading and reloading the same external data group.


460176-5 : Hardwired failover asserts active even when standalone

Component: TMOS

Symptoms:
In BIG-IP software versions 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, and 12.0.0, the serial failover 'Active' signal is asserted even if the unit is not configured to be in a high availability (HA) pair. A unit can become Standalone if the configuration is reset, or if a return merchandise authorization (RMA) is performed. If the serial cable is still connected to its peer, then the HA peer may defer the Active status to the Standalone system, which does not actually take over and process traffic.

Conditions:
Serial cable failover in-use between two members of an HA pair.

Impact:
Traffic is interrupted when the Active unit transitions to Standby.

Workaround:
During an RMA, the serial cable failover can be temporarily disabled on the Active unit by issuing the following command:

tmsh modify sys db failover.usetty01 value disable


459671-3 : iRules source different procs from different partitions and executes the incorrect proc.

Component: Local Traffic Manager

Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.

Conditions:
Multiple iRule procs defined in multiple admin partitions.

Impact:
iRules "proc" lookup algorithm is not deterministic, or Virtual Servers are improperly caching and sharing the lookup results.

Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.


452660-5 : SNMP trap engineID should not be configsynced between HA-pairs

Component: TMOS

Symptoms:
When configuring an engine_id for a SNMPv3 trap destination, the engine_id was synchronized to all HA peers.

Conditions:
All

Impact:
Received SNMPv3 traps appear as if they originated from the same BIG-IP system after failover to a backup BIG-IP.

Workaround:
The workaround is to disable configsync (change 'yes' to 'no') on engine_id in /defaults/config_base.conf. However, you must first remount the /usr partition to modify the file, and then run tmsh load. For more information on remounting the /usr partition, see SOL11302: The /usr file system is mounted in read-only mode, at https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11302.html


449402-7 : Pre-11.5.0 to 11.5.0 upgrades might fail to properly set ha-group reference in traffic-groups

Component: TMOS

Symptoms:
Upgrades from pre-11.5.0 to 11.5.0 might fail to properly set the ha-group failover references in traffic-groups.

Conditions:
This affects users of ha-groups who upgrade from pre-11.5.0 to 11.5.0. Upgrading from 10.x works correctly. The problem occurs because of the 11.5.0 ha-group functionality in which failover settings are configured per traffic-group. Previously, ha-group failover settings were configured per device.

Impact:
The ha-group failover method might no longer function.

Workaround:
None. To correct this issue when upgrading from pre-11.5.0 to 11.5.0, manually associate ha-group failover settings directly with traffic-groups.


442231-3 : Pendsect log entries have an unexpected severity

Component: TMOS

Symptoms:
Pendsect logs non-errors with a 'warning' severity.

Conditions:
This occurs when pendsect is executed.

Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.

Workaround:
None needed. This is cosmetic.


441482-1 : SWG provisioning is offered on platforms with less than 8 GB of memory

Component: TMOS

Symptoms:
Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms.

Conditions:
This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.)

Impact:
Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.'

Workaround:
Do not attempt to provision SWG on platforms with less than 8 GB of memory.


434517-14 : HTTP::retry doesn't work in an early server response

Component: Local Traffic Manager

Symptoms:
If an HTTP_RESPONSE event fires because the server sends an early response (i.e., a response before the entire request has been sent), HTTP::retry does not work correctly.

Conditions:
The client begins sending a request. The server responds before that request is completely sent. HTTP::retry is called in the HTTP_RESPONSE event.

Impact:
Typically, early server responses are error conditions.

Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.


433323-1 : Ramcache handling of Cache-Control: no-cache directive in Response

Component: Local Traffic Manager

Symptoms:
Previously, when a Cache-Control header from the origin web server (OWS) contained a no-cache directive, RAM Cache mistakenly interpreted it the same as a no-store directive.

Conditions:
Configure a virtual server with HTTP caching.

Impact:
Failure to cache a cacheable document.

Workaround:
This issue has no workaround at this time.


431840 : Cannot add vlans to whitelist if they contain a hyphen

Component: Advanced Firewall Manager

Symptoms:
When attempting to add a vlan to the DoS protection whitelist and the vlan contains a hyphen, the following validation error is returned:

01071792:3: Vlan should be numeric form as vlan number / mask

Conditions:
Adding a vlan containing a hyphen to the whitelist

Impact:
Unable to add vlans that contain a hyphen

Workaround:
Instead of specifying the VLAN by name, specify the VLAN tag number. Ignore the drop-down menu offering the VLAN names.


425980-4 : Blade number not displayed in CPU status alerts

Component: TMOS

Symptoms:
Messages displayed on the VIPRION chassis LCD always reference the blade number of the primary blade in the chassis at the time the message was issued.
The slot number of the blade on which the blade-specific condition occurred is not included in the LCD message.
In the case of CPU status alerts, where the CPU temperature is too high or the CPU fan speed is too low, the identification of the blade is not included in the console output or log messages produced by the system_check utility.

Conditions:
Affects:
VIPRION B4100 (PB100), B4200 (PB200) and B4300-series blades in VIPRION C4400, C4480 and C4800 chassis.
VIPRION B2100, B2150 and B2250 blades in VIPRION C2400 and C2200 chassis with external LCD displays attached.

Impact:
It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display.

Workaround:
Use one of the following commands to examine the CPU measurements to determine which CPU on which blade is experiencing excessive temperature and/or slow fan speed:
1. tmsh show sys hardware
2. tmctl cpu_status_stat


424542-6 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments

Component: TMOS

Symptoms:
tmsh modify net interface commands with either invalid interface names or invalid attribute names appear to create new interfaces.
The invalid interface shows up in "show net interfaces".

Conditions:
Only happens on clustered or virtual environments, not on appliances.

Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.

Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"


424228-2 : Parking iRules in CLIENT_DATA on virtual without assigned pool may not return

Component: Local Traffic Manager

Symptoms:
If a virtual server is created without an assigned pool (i.e. the pool is assigned in the iRule) and the iRule parks, the iRule may not return from suspension and the packet will be dropped.

Conditions:
A virtual server is created and an iRule is assigned that parks, and the virtual server has no assigned default pool.

Impact:
Packets are dropped.

Workaround:
Either use the CLIENT_ACCEPTED event for UDP data or assign a default pool.


423392-3 : tcl_platform is no longer in the static:: namespace

Component: Local Traffic Manager

Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.

Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.

Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.

Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see SOL14544: The tcl_platform iRules variable is not in the static:: namespace, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14544.html.


389857-2 : The bigd process may core and restart when using an snmp_dca_base monitor

Component: Local Traffic Manager

Symptoms:
The bigd process may core and restart continuously when an snmp_dca_base monitor is configured to collect more than 14 objects.

As a result of this issue, you may encounter the following symptoms:

- An error message is reported to the console and logged to the /var/log/daemon.log file. The error message appears similar to the following example:
  local/<name of bigip> emerg logger: Re-starting bigd
- An error message is logged to the /var/log/ltm file, and appears similar to the following example:
  local/<name of bigip> notice bigd[3489]: 01060136:5: Received links up - monitoring starts
- A bigd core file is written to the /shared/core directory.

Conditions:
Using a custom monitor with more than 14 user-defined arguments.

Impact:
The BIG-IP system will not perform any health monitoring when the bigd process is restarting. As a result, the BIG-IP system may not collect information used for dynamic load balancing decisions and send traffic to nodes that are not responding.

Workaround:
To prevent this issue, you should configure the snmp_dca_base monitor to collect fewer than 14 objects.

To stop the bigd process from continuously restarting, you need to delete the affected snmp_dca_base monitor. To do so, perform the following procedure:

Impact of workaround: To delete a monitor, you must first ensure the monitor is not associated with any nodes. Information used for dynamic load balancing decisions will not be collected from a node if a working snmp_dca monitor is not associated with the node.

Deleting the affected monitor using the BIG-IP Configuration utility

Note: Attempting to delete the monitor using the command line can be difficult due to the error messages reported to the console.

1. Log in to the Configuration utility.
2. Click Local Traffic.
3. Click Monitors.
4. Click on the monitor to be deleted.
5. Click Instances.
   Make a list of any nodes the monitor is associated with. To delete a monitor, you must first ensure the monitor is not associated with any nodes.
6. Click Local Traffic.
7. Click Nodes.
8. Click Node List.
9. Click on the node name of the node associated with the monitor to be deleted.
10. In the Select Monitors section, remove the affected monitor name from the Active list.
11. Click Update.
12. Repeat steps 6 through 9 for each node (listed in step 5) associated with the monitor.
13. Click Local Traffic.
14. Click Monitors.
15. Select the check box next to the name of the monitor you want to delete.
16. Click Delete.
17. To confirm the deletion, click Delete.


384995-5 : Management IP changes are not synced to the device group.

Component: TMOS

Symptoms:
A device group shows a device as offline when it was previously working, and the device's management IP address has recently changed.

Conditions:
When the management IP is changed on a device in a trust domain, the change is not updated in the device group, even though the device's config sync IP is a self IP and config sync continues to work. Other devices show it as offline under Device Management :: Devices.

Impact:
Incorrect device status is displayed when viewing the device group.

Workaround:
To resolve this, the device whose management IP changed must be rediscovered from a device that has not changed.

Note: If you instead attempt to discover an unchanged device from the changed device, the operation loses the hostname and other configuration objects.


375434-5 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset the HSB and the reset is not successful. After several failed attempts, a bad DMA packet causes TMM to crash. This failure can also result in a "DMA lockup on transmitter failure" message in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization, which occurs when the BIG-IP system reboots; the reboot is triggered automatically when this condition occurs.

Workaround:
None.


374067-9 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

Component: Local Traffic Manager

Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.

Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.

Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.

Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.


372139-1 : The Manage Sessions page does not show the correct current sessions on VIPRION chassis.

Component: Access Policy Manager

Symptoms:
The Manage Sessions page does not show the correct current sessions on VIPRION chassis.

Conditions:
This occurs when using APM on a VIPRION chassis.

Impact:
On the Access Policy :: Manage Sessions page of the Configuration utility, the Current Sessions list is incomplete, which makes it difficult to find all the sessions that need to be deleted.

Workaround:
None.


372118-2 : import_all_from_archive_file and import_all_from_archive_stream do not create file objects.

Component: TMOS

Symptoms:
An attempt to transition certs/keys/etc. from a 10.2.x configuration to a version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream results in the files being copied to the directories under /config/ssl/, but no file objects are created on the target system.

Conditions:
This occurs when you attempt to transition certs/keys/etc. from a 10.2.x configuration to a version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream.

Impact:
Files are copied to the directories under /config/ssl/, but no file objects are created on the target system, so the imported certs/keys cannot be referenced by the configuration.

Workaround:
None.


370131-3 : Loading UCS with low GTM Autoconf Delay drops pool Members from config

Component: Global Traffic Manager

Symptoms:
Pool members loaded from the UCS are missing from the configuration. If other objects depend on them, this may prevent the GTM configuration from loading completely.

Conditions:
GTM and LTM are both enabled, the Autoconf Delay is very low, GTM pool members have been autoconfigured from LTM virtual servers, and a UCS is subsequently loaded.

Impact:
The GTM configuration loaded from the UCS might be overwritten, and pool members might be lost from it.

Workaround:
Run 'bigstart stop gtmd' before the UCS load (and start gtmd again afterwards), or set the Autoconf Delay to a value much higher than the time required to load the UCS.


This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade.


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Fri Sep 23 08:12:36 2016 PDT
Copyright F5 Networks (2016) - All Rights Reserved