Applies To:
BIG-IQ Centralized Management
- 7.0.0
Summary:
Contents:
Version: 7.0.0.2
Build: 48.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Cumulative fixes from BIG-IQ CM v7.0.0.1 that are included in this release
Known Issues in BIG-IQ CM v7.0.x
Functional Change Fixes
None
BIG-IQ Local Traffic & Management Fixes
ID Number | Severity | Solution Article(s) | Description |
825921 | 2-Critical | | Trunk object deployment fails in vCMP |
AppIQ Fixes
ID Number | Severity | Solution Article(s) | Description |
846101-3 | 3-Major | | Statistics configuration for BIG-IP running version 14.1.2 |
839729-1 | 3-Major | | Gaps in HTTP statistics when BIG-IP messages contain fields with large values |
825301-2 | 3-Major | | BIG-IQ analytics iApp for managed BIG-IP |
802425-4 | 3-Major | | Errors logged on BIG-IP when BIG-IQ stats collection is taking place |
808133-4 | 4-Minor | | Analytics iApp pushed from BIG-IQ causes BIG-IP high availability (HA) peers to go out of sync |
REST Framework and TMOS Platform Fixes
ID Number | Severity | Solution Article(s) | Description |
955145-8 | 2-Critical | | REST API not properly handling workers |
844617 | 3-Major | | Data transfer from the BIG-IQ system self IP might be slow |
BIG-IQ Web Application Security (ASM) Fixes
ID Number | Severity | Solution Article(s) | Description |
921521-3 | 3-Major | | Policy signatures ready to be enforced are not reported |
Cumulative fixes from BIG-IQ CM v7.0.0.1 that are included in this release
Functional Change Fixes
None
BIG-IQ System User Interface Fixes
ID Number | Severity | Solution Article(s) | Description |
843305 | 3-Major | | Users assigned to custom roles deploying objects to BIG-IP devices |
BIG-IQ Access Fixes
ID Number | Severity | Solution Article(s) | Description |
858237 | 4-Minor | | BIG-IQ APM deployment fails with the error message "Failed to update one of more JWKs" |
BIG-IQ Local Traffic & Management Fixes
ID Number | Severity | Solution Article(s) | Description |
816637 | 3-Major | | Discovering BIG-IP devices with VLAN failsafe-action option set to failover |
856941 | 4-Minor | | Pool admins cannot see Pool Member "Addresses" in the Monitoring panel |
830337 | 4-Minor | | VLAN objects for BIG-IP devices in a high availability configuration |
AppIQ Fixes
ID Number | Severity | Solution Article(s) | Description |
910481 | 3-Major | | Viewing statistics for BIG-IP version 12.x devices |
883697 | 3-Major | | Syncing BIG-IP devices in a cluster with more than one sync-failover group when installing analytics iApp |
872237 | 3-Major | | CPU spikes when using iApp analytics |
785693-2 | 4-Minor | | Analytics iApp for managed BIG-IP devices with SNMPv3 configuration |
BIG-IQ Configuration - Infrastructure Fixes
ID Number | Severity | Solution Article(s) | Description |
826977 | 2-Critical | | Trunk objects for managed BIG-IP devices in a DSC configuration. |
BIG-IQ Application Management Fixes
ID Number | Severity | Solution Article(s) | Description |
819005 | 2-Critical | | Upgrade from BIG-IQ v6.1.0 fails due to JS TypeError★ |
Cumulative fix details for BIG-IQ CM v7.0.0.2 that are included in this release
955145-8 : REST API not properly handling workers
Component: REST Framework and TMOS Platform
Symptoms:
Unspecified workers not being handled properly by REST API
Impact:
REST API not following best practice handling some workers
Workaround:
None
Fix:
REST API now following best practice handling workers
921521-3 : Policy signatures ready to be enforced are not reported
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
Policy signatures that have passed the enforcement readiness period are not reported.
Conditions:
Create an ASM policy using Central Policy Builder and leave it active beyond 7 days (or the policy staging period). Check for signatures ready to be enforced.
Impact:
All signatures report readyToBeEnforced = false, even if there are signatures that passed the staging period.
Workaround:
N/A
Fix:
Policy signatures that have passed the necessary staging period are reported as ready to be enforced.
910481 : Viewing statistics for BIG-IP version 12.x devices
Component: AppIQ
Symptoms:
For managed BIG-IP v12.x devices, BIG-IQ might stop displaying statistics for the following:
http
pool-member
bigip-asm-violations
bigip-asm-transactions
Conditions:
BIG-IQ is managing a BIG-IP device running version 12.x
Impact:
You cannot view the statistics for:
http
pool-member
bigip-asm-violations
bigip-asm-transactions
Workaround:
For BIG-IQ version 7.0.x, run the following command:
curl -s -XPOST localhost:9200/dynamic_global_parameters/meta-data/use-dimensions-aggregation-dynamic-global-parameters/_update -d '{"script": "ctx._source.map.enabled.value=false"}'
For BIG-IQ version 7.1.X, run the following command:
curl -s -XPOST localhost:9200/metadata_dynamic_global_parameters/meta-data/use-dimensions-aggregation-dynamic-global-parameters/_update -d '{"script": "ctx._source.map.enabled.value=false"}'
Fix:
BIG-IP v12.x statistics now display as expected.
883697 : Syncing BIG-IP devices in a cluster with more than one sync-failover group when installing analytics iApp
Component: AppIQ
Symptoms:
When BIG-IP is configured to have a sync-only group that contains multiple devices that make up two or more sync-failover groups and the statistics collection is re-enabled, the call from BIG-IQ causes the groups to go out of sync.
Conditions:
1. Create a BIG-IP environment with multiple BIG-IP devices and more than one sync-failover group. All devices are in the same sync-only status.
2. Re-enable stats collection for BIG-IQ.
Impact:
BIG-IQ syncs the incorrect sync-failover groups, causing them to be out of sync when stats collection is re-enabled.
Fix:
BIG-IP sync groups now remain in sync when BIG-IQ stats collection is re-enabled.
872237 : CPU spikes when using iApp analytics
Component: AppIQ
Symptoms:
BIG-IQ regularly queries the status of virtual servers and pools on BIG-IP devices running iApp, which can cause CPU spikes when the number of servers and pools is high.
Conditions:
When collecting statistics with iApp on BIG-IP devices that have more than 600 virtual servers and/or 400 pools.
Impact:
CPU cores on BIG-IP device regularly reach maximum usage when statistics collection is enabled.
Workaround:
For BIG-IQ version 7.1. see the following article for a workaround: https://support.f5.com/csp/article/K53001642
Fix:
CPU spikes no longer occur as a result of status queries to BIG-IP devices.
858237 : BIG-IQ APM deployment fails with the error message "Failed to update one of more JWKs"
Component: BIG-IQ Access
Symptoms:
Deploying a BIG-IQ APM configuration to managed BIG-IP devices fails with the error: "Failed to update one of more JWKs."
The following errors are present in the restjavad.log:
[WARN][26 Nov 2019 15:06:57 CET][/cm/access/working-config/apm/oauth/jwk-config WorkingJwkConfigCollectionWorker] Worker enrolled in task 7d9ee813-93db-4185-a182-78a5c9aa8cdf. Failing operation with task id cdceb2a7-5b05-4290-9870-d33df96fd957
[ERROR][26 Nov 2019 15:06:57 CET][/cm/access/tasks/discover-config/e584b619-c815-4299-8e72-e62cfb3d17f1/worker AccessDiscoveryTaskWorker] Failed updating JWKs in working config. Reason: java.lang.IllegalStateException: Coordination id cdceb2a7-5b05-4290-9870-d33df96fd957 does not match active task: 7d9ee813-93db-4185-a182-78a5c9aa8cdf
at
Conditions:
You may encounter this intermittent deployment issue when there is a high number of OIDC provider objects in your Access configuration and you are trying to deploy the configurations to BIG-IP devices in an HA pair.
Impact:
As a result, you will not be able to deploy APM configurations to managed BIG-IP devices.
Workaround:
N/A
Fix:
This issue is now resolved.
856941 : Pool admins cannot see Pool Member "Addresses" in the Monitoring panel
Component: BIG-IQ Local Traffic & Management
Symptoms:
In the Monitoring tab, users logged in as "Pool admins" (pool management privileges) are unable to use BIG-IQ to view data for their managed pool members.
Conditions:
1. Set up a BIG-IQ with a BIG-IP device
2. Set up BIG-IP with 2 pools
3. On BIG-IQ, create the following user roles:
admin user: Has access to a resource group which contains option selection to manage "all instance" of pools and a pool admin user. Does NOT explicitly add both pools into the resource group, rather use "all instance" option.
Pool admin user: Has access to specific pools (not all pools).
f. Log on to the BIG-IQ UI as a user with 'Pool admin' privileges
g. Browse in the Monitoring tab
Local Traffic > Pools & Pool Members
h. Open the Dimensions panel on the right
- Expand the 'Pool Members ADDRESS' dimension
Impact:
Pool IP addresses do not appear.
Workaround:
N/A
Fix:
Pool member IP addresses now display as expected for specified user roles.
846101-3 : Statistics configuration for BIG-IP running version 14.1.2
Component: AppIQ
Symptoms:
Statistics configuration and collection are not working as expected for managed BIG-IP devices running the patched version 14.1.2 in a BIG-IP DSC group.
Conditions:
There are two conditions:
1. Attempt to enable statistics collection when the BIG-IP cluster is out of sync.
2. Attempt to disable statistics on a secondary BIG-IP.
Impact:
Statistics are not working as expected when a BIG-IP DSC is out of sync.
Fix:
Statistics configuration for BIG-IQ version 7.1 now works as expected.
844617 : Data transfer from the BIG-IQ system self IP might be slow
Component: REST Framework and TMOS Platform
Symptoms:
TCP traffic on a BIG-IQ system using a self IP address might not correctly honor the MSS size specified during the connection establishment.
BIG-IQ does not support IPv6 short form for high availability (HA) configurations.
BIG-IQ performs a plain string comparison and should return an "Unsupported form" error when it encounters IPV6 short form in the HA context.
When the promote task fails, the promote directives are not cleared from the failover state which causes promote to happen every time we create a HA pair leading to a split-brain problem.
Conditions:
When a large amount of data needs to be transferred using a self IP address, BIG-IQ might send fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid, however, some routers drop such packets. This might result in retransmissions and low throughput.
Impact:
The result is IP fragmentation of TCP segments sent out. The expected behavior is that TSO would package the TCP segments in a way that would not require fragmentation.
Workaround:
N/A
Fix:
Added the removal of promoteDirectives on ha_reset -f. Added check to return unsupported notation exception in ha_reset.
843305 : Users assigned to custom roles deploying objects to BIG-IP devices
Component: BIG-IQ System User Interface
Symptoms:
Users assigned to custom roles cannot deploy objects to BIG-IP devices if the custom role was created from the BIG-IQ Roles screen.
Conditions:
A custom role (BIG-IQ version 5.4) or custom service role (BIG-IQ version 6.0 and later) created from the BIG-IQ Roles screen.
Impact:
Users assigned to custom roles cannot deploy objects to BIG-IP devices.
Workaround:
To resolve this issue:
1. From the command line, run the following commands, and then assign the Resource Groups to the custom role you need for the user to deploy specific objects for a service (for example, an ASM policy).
# restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Relevant Devices Resource Group","resourceGroupDisplayName":"Relevant Devices Resource Group" ,"resourceGroupDescription":"Resource group containing relevant devices API for use with deployment","referenceExpressionsPatches":[{"targetKind":"cm:global:utility:device-association:deviceassociationstate" ,"referenceExpressions":[{"expression":"/cm/global/utility/device-association"}]}]}'
# restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Deploy Configuration Resource Group" ,"resourceGroupDisplayName":"Deploy Configuration Resource Group","resourceGroupDescription":"Resource group containing relevant deploy API for use with deployment" ,"referenceExpressionsPatches":[{"targetKind":"cm:adc-core:tasks:deploy-configuration:deployconfigtaskstate","referenceExpressions":[{"expression":"/cm/adc-core/tasks/deploy-configuration/*"}]}]}'
2. Login as admin.
3. Create a new user, such as 'Exampleuser'.
4. Create a new resource group and add some objects to it, for example: Add POLICIES: WEB APPLICATION SECURITY.
5. Create a new custom service role.
a. Add role type, for example 'Web App Security Manager'.
b. Set role mode, Strict.
c. Add the resource group created in step 1 and 2, as resource groups (in 7.1, skip step 1 and add the Resource Group Deployer).
d. Assign user 'Exampleuser' the custom service role.
6. Log in as 'Exampleuser'. To deploy changes, select the object from the CONFIGURATION tab and click the Deploy action.
Note: After creating the Deployment for your selected BIG-IP device(s), you might not be able to see the differences between BIG-IQ and BIG-IP. This is a known issue to be worked on in the future.
7. To access the history of the deployments, that user must manually navigate to the following URL:
https://<big-iq ip>/ui/deployment.
Fix:
To enable users assigned to custom roles to deploy objects to BIG-IP devices, add the built-in resource group "Resource Group Deployer" in addition to the other resource groups the user needs access to. The workflow is:
1. Login as admin.
2. Create a new user, such as 'Exampleuser'.
3. Create a new resource group and add some objects to it, for example: Add POLICIES: WEB APPLICATION SECURITY.
4. Create a new custom service role.
a. Add role type, for example 'Web App Security Manager'.
b. Set role mode, Strict.
c. Add the resource group created in step 3. In addition, add the built-in RG "Resource Group Deployer" to the resource groups.
d. Assign user 'Exampleuser' the custom service role.
5. Log in as 'Exampleuser'. To deploy changes, select the object from the CONFIGURATION tab and click the Deploy action.
839729-1 : Gaps in HTTP statistics when BIG-IP messages contain fields with large values
Component: AppIQ
Symptoms:
HTTP statistics in BIG-IQ may be missing some data when avrd on the BIG-IP device sends messages to BIG-IQ that exceed a certain value.
Java errors may be logged on the BIG-IQ:
ERROR <device> Invalid valueInSource '13324123954881394885', metricSetName: request-duration, metricValue: Metric{name=sumsq, field=null, source=Source{name='SosRequestDuration', type=NUMBER_LONG, transform=null, defaultValue=null}, unit='null', uiInfo=null, customScript=null, mandatory=null}, sourceStatistics: SourceStatistics{module=http, group=http-all, aggregationInterval=30000, getTimestamp=1568910930000}
java.lang.NumberFormatException: For input string: "13324123954881394885"
Conditions:
This can occur with some events logged from avrd.
Impact:
BIG-IQ cannot interpret incoming data, logs an error, and does not store the statistics.
Fix:
HTTP statistics are now collected and interpreted by BIG-IQ as expected.
830337 : VLAN objects for BIG-IP devices in a high availability configuration
Component: BIG-IQ Local Traffic & Management
Symptoms:
BIG-IQ treats VLAN objects for BIG-IP devices that belong to clusters as if they both have the same configuration. When BIG-IQ imports BIG-IP devices, it replaces the existing VLAN object with the one from the newly-imported BIG-IP device. Therefore, if you try to do a full deployment, BIG-IQ returns a message that it must modify the configuration of the VLAN.
Conditions:
When BIG-IQ is managing BIG-IP cluster pairs. Both BIG-IP devices have VLAN objects and their configurations are different.
Impact:
When BIG-IQ deploys to BIG-IP devices in a cluster, it breaks the VLAN object because it overwrites the VLAN object.
Workaround:
Manually fix the VLAN object on BIG-IP every time you make a deployment to BIG-IP devices in a cluster.
Fix:
VLAN objects are now treated as a BIG-IP device-specific object.
826977 : Trunk objects for managed BIG-IP devices in a DSC configuration.
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
BIG-IQ might modify or delete trunk objects for managed BIG-IP devices in a DSC configuration.
Conditions:
This can happen when managing BIG-IP devices in a DSC configuration from BIG-IQ.
Impact:
BIG-IQ might erroneously modify or delete trunk objects, which impacts the BIG-IP configuration.
Workaround:
Upgrade to BIG-IQ version 7.0.0.1 or later.
Fix:
BIG-IQ now properly manages trunk objects for managed BIG-IP devices in a DSC configuration.
825921 : Trunk object deployment fails in vCMP
Component: BIG-IQ Local Traffic & Management
Symptoms:
Trunk object deployment fails in vCMP environments
Conditions:
BIG-IQ manages BIG-IP devices of the vCMP category
Impact:
BIG-IQ is unable to manage trunk objects
Fix:
Trunk object deployment works for vCMP scenario
825301-2 : BIG-IQ analytics iApp for managed BIG-IP
Component: AppIQ
Symptoms:
1. The affected BIG-IP displays elevated CPU statistics.
2. The affected BIG-IP displays errors in /var/log/audit similar to:
Sep 9 10:45:20 slot2/BIG-IP-A notice scriptd[15709]: 014f0005:5: AUDIT - user=root action="periodic handler, run script: /Common/bigiq-analytics-send_stats" status="script did not successfully complete: (could not read "/shared/tmp/bigiq-analytics-stats_0": no such file or directory <-----
Conditions:
BIG-IQ version 7.0.0.1 managing BIG-IP devices running versions 11.x, 12.x, 13.x, 14.x or v15.x.
Impact:
BIG-IQ is unable to collect statistics data from the affected BIG-IP.
Fix:
This issue is now resolved.
819005 : Upgrade from BIG-IQ v6.1.0 fails due to JS TypeError★
Component: BIG-IQ Application Management
Symptoms:
When the pool member in an AS3 application service is referencing an existing node on BIG-IP, upgrading from BIG-IQ v6.1.0 to BIG-IQ v7.0.0 fails and displays the following error: 'Waiting for BIG-IQ services ready' and logs a failure due to a JS TypeError in the /var/log/tokuupgrade.log file.
Conditions:
This happens when an AS3 application service exists with a pool member referencing an existing node on BIG-IP.
Impact:
Upgrade from BIG-IQ v6.1.0 to BIG-IQ v7.0.0 fails.
Fix:
The upgrade script now properly extracts the existing BIG-IP from the AS3 declaration as expected.
816637 : Discovering BIG-IP devices with VLAN failsafe-action option set to failover
Component: BIG-IQ Local Traffic & Management
Symptoms:
After upgrading BIG-IQ from v6.1.0 to v7.0.0 and then discovering BIG-IP devices with the VLAN failsafe action option set to failover, BIG-IQ returns the following error:
Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: failsafeAction failover Invalid state - 'failover'. Valid values are [reboot, restart-all, failover-restart-tm]
Error in Restjavad Logs:
Validation failure: java.lang.IllegalArgumentException: failsafeAction failover Invalid state - 'failover'. Valid values are [reboot, restart-all, failover-restart-tm]
Conditions:
This happens after upgrading from BIG-IQ v6.1. to v7.0.0 and you attempt to discover BIG-IP devices that have the LTM service's VLAN failsafe action option set to failover.
Impact:
Fails to discover the device
Workaround:
No viable workaround, EHF required.
Fix:
The values failover and failover-restart-tm have been added to VLAN failsafe action options so that import validation no longer fails.
808133-4 : Analytics iApp pushed from BIG-IQ causes BIG-IP high availability (HA) peers to go out of sync
Component: AppIQ
Symptoms:
BIG-IP high availability (HA) peers going out of sync.
Seeing recurring messages in the audit log that indicate the following:
01420002:5: AUDIT - pid=20880 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify security analytics settings collect-all-dos-statistic enabled
Conditions:
Analytics iApp pushed from BIG-IQ.
Impact:
BIG-IP high availability (HA) peers become out of sync.
Fix:
BIG-IQ HA peers no longer become out of sync when BIG-IQ pushes the iApp.
802425-4 : Errors logged on BIG-IP when BIG-IQ stats collection is taking place
Component: AppIQ
Symptoms:
Errors logged on BIG-IP when BIG-IQ stats collection is taking place:
mcpd[20544] 01071859 Warning generated : /Common/f5.bigiq-analytics definition:130: warning: [use curly braces to avoid double substitution]
Conditions:
BIG-IQ stats collection
Impact:
Benign logs on BIG-IP
Fix:
Errors are no longer logged on BIG-IP.
785693-2 : Analytics iApp for managed BIG-IP devices with SNMPv3 configuration
Component: AppIQ
Symptoms:
Managed BIG-IP devices with the statistics collection check box selected do not show any statistics in BIG-IQ. Logs in /var/log/restjavad.0.log contain the following:
unable to configure iApp on device bigiq1.local: java.net.ProtocolException: status:400, body:{"code":400,"message":"{\"code\":400,\"message\":\"script did not successfully complete: (sys snmp {...}
Conditions:
The managed device has SNMPv3 settings and it is running BIG-IP version 14.x or later.
Impact:
Statistics collection agent is not properly installed in the managed device, so BIG-IQ cannot gather statistics.
Workaround:
Disable deprecation notifications in tmsh api with this command:
tmsh modify mgmt shared settings api-status log resource-property deprecatedApiAllowed false
These changes are not synchronized among members of a cluster. You'll need to run this command on each Device Services Clustering member.
Fix:
Statistics appear as expected.
Known Issues in BIG-IQ CM v7.0.x
BIG-IQ Configuration - Local Traffic Issues
ID Number | Severity | Solution Article(s) | Description |
859709-1 | 3-Major | | Full name of the default pool does not display on the LTM virtual server properties screen |
BIG-IQ Configuration - Security - Shared Security Issues
ID Number | Severity | Solution Article(s) | Description |
812717 | 3-Major | | Viewing logging profiles after upgrading to BIG-IQ v7.0.0 |
BIG-IQ Monitoring - Logs Issues
ID Number | Severity | Solution Article(s) | Description |
809149 | 3-Major | | Attempting to enable remote logging configuration |
BIG-IQ Search Issues
ID Number | Severity | Solution Article(s) | Description |
891353 | 4-Minor | | Online help results from the finder menu |
BIG-IQ System User Interface Issues
ID Number | Severity | Solution Article(s) | Description |
812373-1 | 3-Major | | Data collection after a service is forced to restart |
776021-3 | 4-Minor | | Modifying a scheduled backup |
BIG-IQ Local Traffic & Management Issues
ID Number | Severity | Solution Article(s) | Description |
923613-1 | 3-Major | | Discovering a BIG-IP device and importing its services that contain 'bot-profiles' |
903585 | 3-Major | | Error while importing BIG-IP containing monitors with unsupported characters (physical line breaks) |
BIG-IQ App Visibility and Reporting (AVR) Issues
ID Number | Severity | Solution Article(s) | Description |
893657 | 3-Major | | The BIG-IQ Monitoring:: REPORTS :: Security :: Web Application Security page does not work for BIG-IP devices 13.1.0.5 or later |
AppIQ Issues
ID Number | Severity | Solution Article(s) | Description |
991617 | 2-Critical | | Corrupted mapping prevents aggregation from all indexes and causing OOM and low disk space in the elasticsearch cluster |
909205 | 3-Major | | Missing elasticsearch indices causes loss of statistics data |
907321 | 3-Major | | Elasticsearch instance on the BIG-IQ CM generates an OutOfMemory error |
898865 | 3-Major | | External shared folder creation during BIG-IQ upgrade |
898445 | 3-Major | | Configuration changes for analytics retention |
812065-1 | 3-Major | | Pools & pool-member stats are not collected after upgrade |
805457-1 | 3-Major | | Viewing raw DDoS attacks |
804601-1 | 3-Major | | Custom user role does not display application and application services statistics |
BIG-IQ Configuration - Infrastructure Issues
ID Number | Severity | Solution Article(s) | Description |
837541-3 | 4-Minor | | BIG-IQ backup/snapshot retention count is not honored |
BIG-IQ Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
906045 | 3-Major | | License Manager role cannot assign a purchased pool license |
771397-3 | 3-Major | | License Manager cannot license different devices with the same MAC address (public and private clouds) |
BIG-IQ DNS Management Issues
ID Number | Severity | Solution Article(s) | Description |
776593-3 | 3-Major | | BIG-IP devices might be reported as Unavailable with no reason provided |
REST Framework and TMOS Platform Issues
ID Number | Severity | Solution Article(s) | Description |
969057 | 3-Major | | BIG-IP cm-bigip-allDevices device group contains old version details after upgrade |
892189-1 | 3-Major | | Error deleting External Storage configured on BIG-IQ |
883701 | 3-Major | | External storage and snapshot configurations when upgrading to BIG-IQ version 7.1.0 |
843297 | 3-Major | | Adding a Quorum DCD for a BIG-IQ auto failover HA |
821381-1 | 3-Major | | Client certificate authentication settings are not preserved after upgrading from BIG-IQ v7.0.0 to v7.0.0.1 |
882121 | 4-Minor | | Global config items are not indexed when objects have over 2000 fields |
BIG-IQ Web Application Security (ASM) Issues
ID Number | Severity | Solution Article(s) | Description |
851769-1 | 4-Minor | | BIG-IQ cannot accept ASM policy suggestions with missing parameters |
BIG-IQ Application Management Issues
ID Number | Severity | Solution Article(s) | Description |
860385 | 3-Major | | URL field won't show in AS3 template UI on BIG-IQ 7.0 using AS3.16 |
Known Issue details for BIG-IQ CM v7.0.x
991617 : Corrupted mapping prevents aggregation from all indexes and causing OOM and low disk space in the elasticsearch cluster
Component: AppIQ
Symptoms:
Indexes accumulate beyond their intended time and persist in Elasticsearch. Elasticsearch eventually becomes unresponsive due to lack of memory and disk space.
Conditions:
In rare cases there is temporal corruption in the elasticsearch cluster, and an index might be created without a template.
You will be able to identify the issue if the following message appears in /var/log/appiq/postaggregator.log on the device:
Caused by: org.elasticsearch.common.io.stream.NotSerializableExceptionWrapper: : Fielddata is disabled on text fields by default. Set fielddata=true on [dimensions.hash] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
Impact:
Although only one index is corrupted, all indexes are impacted. Information is lost from all indexes and it causes the whole elasticsearch cluster to be unresponsive due to no memory and disk space.
969057 : BIG-IP cm-bigip-allDevices device group contains old version details after upgrade
Component: REST Framework and TMOS Platform
Symptoms:
When BIG-IP is upgraded from v12.1.3.3 to v14.1.2.8, cm-bigip-allDevices still shows old version details:
config # restcurl -u admin:admin /mgmt/shared/resolver/device-groups/cm-bigip-allDevices/devices/ | grep -i version
"version": "12.1.3.3",
"restFrameworkVersion": "12.1.3.3-0.0.1",
"version": "12.1.3.3",
"restFrameworkVersion": "12.1.3.3-0.0.1",
"version": "7.0.0.1",
"restFrameworkVersion": "7.0.0.1-0.0.6",
Conditions:
1. BIG-IP managed by BIG-IQ
2. BIG-IP updated from a lower version to a higher version
Impact:
BIG-IP returns incorrect information about the current BIG-IP managed by BIG-IQ
923613-1 : Discovering a BIG-IP device and importing its services that contain 'bot-profiles'
Component: BIG-IQ Local Traffic & Management
Symptoms:
After discovering a BIG-IP device and importing its ASM service, BIG-IQ returns an error similar to the following:
-- Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: Invalid entry "bot-defense" in "controls" string, valid options are: [acceleration, asm, avr, caching, ce, classification, client-ssl, compression, forwarding, l7dos, persistence, request-adaptation, response-adaptation, server-ssl, ssl-intercept, websocket].
Conditions:
This happens when you are running BIG-IQ version 7.1.0
This issue occurs when you import a BIG-IP with the following configuration:
a. BIG-IP contains a Bot Profile
b. BIG-IP contains an LTM Policy attached to this Bot Profile
Impact:
You cannot import the ASM services associated with the discovered BIG-IP device that contains bot-profiles.
BIG-IQ version 7.1.0 does support 'Anti-Bot Detection and Protection'.
909205 : Missing elasticsearch indices causes loss of statistics data
Component: AppIQ
Symptoms:
BIG-IQ statistics reports are missing the latest event data.
BIG-IQ runs out of disk space due to accumulating events/logs.
Conditions:
This occurs when the default system generated elasticsearch indices are manually deleted by administrators.
This may also occur when the disk gets full.
Impact:
This issue results in a loss of statistics data.
Workaround:
The workaround involves repairing the elasticsearch indices storing statistics data.
To identify the statistics that are impacted:
- list all index names & index aliases
# curl -s localhost:9200/_cat/indices?v
# curl -s localhost:9200/_cat/aliases?v
- run the command below (or create a periodic task) to detect affected/corrupted elasticsearch cluster indices
# curl -s localhost:9200/_cat/indices?h=index | grep _writer
- every index output by the above command requires the repair procedure outlined in the remainder of this article, because the name of an index is not expected to have the '_writer' suffix (only names of index aliases have the '_writer' suffix)
let's say it reports youraffectedindex1_writer/youraffectedindex2_writer
- for every index reported above you can see the size of the statistics data that has accumulated under it (this is the amount of data not getting reported in the BIG-IQ GUI)
# curl -s localhost:9200/_cat/indices | grep youraffectedindex1_writer
# curl -s localhost:9200/_cat/indices | grep youraffectedindex2_writer
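The detection and size checks above, combined into one script that could serve as the periodic task the workaround mentions. This is an added example, not F5 code: the sample rows, the names `exampleindex` and `otherindex`, and the function names are constructed, and it assumes the `docs.count` and `store.size` column selectors of the Elasticsearch `_cat/indices` API.

```shell
#!/bin/sh
# Added example (not F5 code): flag Elasticsearch indices whose own name
# ends in "_writer". Per the workaround, only aliases may carry that suffix.

# Constructed sample of the output of:
#   curl -s 'localhost:9200/_cat/indices?h=index,docs.count,store.size'
SAMPLE_INDICES='afmlogindex_2020-02-01t10-10-10-0100 120034 1.2gb
afmlogindex_writer 88213 640.5mb
exampleindex_2020-02-01t10-10-10-0100 5521 48mb
exampleindex_writer_2020-02-01t10-10-10-0100 12 30kb
otherindex_writer 0 260b'

# Read "index docs.count store.size" rows on stdin and print one line per
# affected index. The match is anchored to the end of the name, so a dated
# index that merely contains "_writer" is not flagged (an unanchored
# `grep _writer` would flag it). Missing columns (for example on a closed
# index) are printed as "?".
affected_indices() {
    awk 'NF >= 1 && $1 ~ /_writer$/ {
        printf "%s docs=%s size=%s\n", $1, ($2 == "" ? "?" : $2), ($3 == "" ? "?" : $3)
    }'
}

# Periodic-task entry point: prints the findings and returns 1 when at
# least one index needs the repair procedure, 0 when the cluster is clean.
check_writer_indices() {
    found=$(affected_indices)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Live use from the BIG-IQ CM or DCD shell: sh check_writer.sh --live
# (check_writer.sh is a hypothetical file name for this script).
if [ "${1:-}" = "--live" ]; then
    curl -s 'localhost:9200/_cat/indices?h=index,docs.count,store.size' | check_writer_indices
    exit $?
fi
```

The non-zero return lets a scheduler alert on the first run that finds an index named like an alias, before the accumulated data fills the disk.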
If statistics data for impacted/corrupt indices is non-critical (and permanent deletion is acceptable), then please follow procedure A. If you need to preserve the corrupt data proceed to procedure B. However, both procedures repair the impacted elasticsearch indices.
------------
Procedure A
------------
Use this procedure to permanently delete the corrupt data and repair the impacted indices
1. Deactivate the impacted service.
- on BIG-IQ CM, navigate to System -> BIG-IQ DATA COLLECTION -> BIG-IQ Data Collection Devices
- deactivate the impacted service (based on the reported indices earlier) for all DCDs
Ex: Access / DOS Protection / Fraud Protection Service / IPSec / Network Security / Web Application Security
- wait for 5 minutes to allow existing connections to close
- on BIG-IQ DCD verify all external connections to special ports are closed:
# netstat -an | grep -E "9997|8018|8514|8020|8008"
2. Delete the impacted elasticsearch index.
- on CM (or DCD) remove the incorrect index from elasticsearch, ex:
# curl -sX DELETE localhost:9200/youraffectedindex1_writer
Note: above command should return {"acknowledged":true}
- confirm the index is no longer reported by below command
# curl -s localhost:9200/_cat/indices | grep _writer
3. Reactivate the service.
- on BIG-IQ CM, navigate to System -> BIG-IQ DATA COLLECTION -> BIG-IQ Data Collection Devices and activate the impacted services again
------------
Procedure B
------------
Use this procedure to recover the corrupt data and repair the impacted indices
1. Deactivate the impacted service.
see step #1 from Procedure A
2. Create a temporary elasticsearch index.
- identify naming convention (including a date suffix) by observing output of below command
# curl -s localhost:9200/_cat/indices?h=index
ex: youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx
- create a temporary index using name identified in above step
# curl localhost:9200/youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx -X PUT -d {}
ex: # curl localhost:9200/afmlogindex_2020-02-01t10-10-10-0100 -X PUT -d {}
3. Reindex data from corrupt index to the temporary elasticsearch index.
- this may take time depending on size of data in affected index
- begin the indexing process
# curl -s localhost:9200/_reindex?wait_for_completion=false -d '{"source":{"index":"youraffectedindex1_writer"},"dest":{"index":"youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx"}}' | jq .
ex: # curl -s localhost:9200/_reindex?wait_for_completion=false -d '{"source":{"index":"afmlogindex_writer"},"dest":{"index":"afmlogindex_2020-02-01t10-10-10-0100"}}' | jq .
- above command will print a task-identifier
ex: "task": "rur5BcBNTGqdtydEDjHMAA:22687961"
- use above reported unique task-identifier and repeatedly query the progress of the task until it completes
# curl -s localhost:9200/_tasks/rur5BcBNTGqdtydEDjHMAA:22687961 | jq .completed
true
- verify the index status
# curl -s localhost:9200/_cat/indices?v
# curl -s localhost:9200/_cat/aliases?v
4. Remove the corrupted elasticsearch index.
- see step #2 in Procedure A.
5. Create a new *_writer alias for the temporary elasticsearch index.
- run below command to create an alias (for your newly created index) named as the index you just deleted
# curl localhost:9200/_aliases -X POST -d '{"actions" : [ {"add" : { "index" : "youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx" , "alias" : "youraffectedindex1_writer" }} ] }'
ex: # curl localhost:9200/_aliases -X POST -d '{"actions" : [ {"add" : { "index" : "afmlogindex_2020-02-01t10-10-10-0100" , "alias" : "afmlogindex_writer" }} ] }'
- verify the index status
# curl -s localhost:9200/_cat/indices?v
# curl -s localhost:9200/_cat/aliases?v
6. Reactivate the impacted service.
see step #3 in Procedure A.
7. Confirm newly initialized elasticsearch indices.
- verify the index status
# curl -s localhost:9200/_cat/indices?v
# curl -s localhost:9200/_cat/aliases?v
- confirm that you see a new index named yourimpactedindex1_YYYY_MM_DD and that yourimpactedindex1_writer points to this latest index instance
- this happens because indices are eventually rotated and removed (this also depends on the retention policy)
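Before step 4 of Procedure B deletes the corrupt index, it is worth confirming that the reindex in step 3 copied every document. The check below is an added example, not part of the F5 procedure: it compares docs.count for the two indices in `_cat/indices?v` output. The function names and the sample output (constructed) are assumptions.

```shell
#!/bin/sh
# Added example: gate the DELETE in Procedure B step 4 on a finished reindex.
# Input is the text printed by:  curl -s 'localhost:9200/_cat/indices?v'

# Constructed sample output. Index names follow the afmlogindex example used
# in the procedure; UUIDs, document counts and sizes are made up.
SAMPLE_CAT_INDICES='health status index                                uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   afmlogindex_writer                   aaaaaaaaaaaaaaaaaaaaaa   5   1      48213            0     61.2mb         30.6mb
green  open   afmlogindex_2020-02-01t10-10-10-0100 bbbbbbbbbbbbbbbbbbbbbb   5   1      48213            0     60.9mb         30.4mb
green  open   asmindex_2020-02-01t09-00-00-0100    cccccccccccccccccccccc   5   1       1200            0      2.1mb          1.0mb'

# docs_count INDEX
# Prints docs.count for INDEX. Column positions come from the header row, so
# the function does not depend on which columns this Elasticsearch prints.
# Exit 1: index not listed. Exit 2: header lacks the needed columns.
docs_count() {
    awk -v want="$1" '
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("index" in col) || !("docs.count" in col)) { err = 2; exit }
            next
        }
        $col["index"] == want { print $col["docs.count"]; found = 1 }
        END { if (err) exit err; if (!found) exit 1 }'
}

# reindex_complete SOURCE_INDEX TEMP_INDEX
# Exit 0 only when both indices are listed and hold the same number of
# documents. The service is deactivated in step 1, so the source count
# should not change while the reindex task runs.
reindex_complete() {
    rc_out=$(cat)
    rc_src=$(printf '%s\n' "$rc_out" | docs_count "$1") || {
        echo "source index $1 not listed" >&2; return 2; }
    rc_dst=$(printf '%s\n' "$rc_out" | docs_count "$2") || {
        echo "temporary index $2 not listed" >&2; return 2; }
    if [ "$rc_src" -eq "$rc_dst" ]; then
        echo "OK: $2 holds all $rc_src documents of $1"
        return 0
    fi
    echo "MISMATCH: $1 has $rc_src documents, $2 has $rc_dst; do not delete $1" >&2
    return 1
}

# Demo on the constructed sample. On a live system, pipe the curl output in:
#   curl -s 'localhost:9200/_cat/indices?v' | \
#       reindex_complete youraffectedindex1_writer youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx
printf '%s\n' "$SAMPLE_CAT_INDICES" |
    reindex_complete afmlogindex_writer afmlogindex_2020-02-01t10-10-10-0100
```

Run it after the `_tasks` query reports `true` and before the DELETE; a non-zero exit means the temporary index is missing or incomplete.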
907321 : Elasticsearch instance on the BIG-IQ CM generates an OutOfMemory error
Component: AppIQ
Symptoms:
Under certain conditions the Elasticsearch instance on the BIG-IQ CM might run out of memory, and the following error is observed in the Elasticsearch log:
org.elasticsearch.ElasticsearchException: java.lang.OutOfMemoryError: GC overhead limit exceeded
Conditions:
In order for this issue to occur there must be a very large volume of traffic throughput to your BIG-IP systems.
1. Set up a large-scale BIG-IQ system with 3 DCDs monitoring dozens of BIG-IP devices.
2. Generate a large amount of statistical data collection by sending a high volume of traffic throughput to the BIG-IP devices in your system.
Impact:
The Elasticsearch cluster is not stable and prone to multiple restarts.
Workaround:
If your configuration includes an active/standby pair for your BIG-IQ CM setup, you must perform this procedure on both the active and standby devices.
1. On the BIG-IQ CM node go to:
vi /etc/biq_daemon_provision.json
2. Edit the restjavad memory to include:
"big_iq": {
"restjavad": {
"active": true,
"memory_allocation": {
"SYS_4GB": "800m",
"SYS_8GB": "3500m",
"SYS_16GB": "6000m",
"SYS_32GB": "12700m", -->>> change this to "10300m"
"SYS_64GB": "20000m",
"SYS_128GB": "20000m"
},
"new_ratio": {
"SYS_32GB": "1"
}
},
3. Edit the elasticsearch memory ( under "big_iq")
},
"elasticsearch": {
"active": true,
"memory_allocation": {
"SYS_4GB": "100m",
"SYS_8GB": "200m",
"SYS_16GB": "500m",
"SYS_32GB": "1600m", -->>> increase this to "4000m"
"SYS_64GB": "3200m",
"SYS_128GB": "6400m"
}
},
4. Run bigstart restart restjavad
5. Run bigstart restart elasticsearch
6. Reduce the number of shards in the Elasticsearch cluster by running the following API calls one by one on the BIG-IQ CM console:
curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl0\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"PT10H\",\"indexLevel\":\"tl0\",\"aggregationPeriod\":\"PT30S\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"PT1H\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"
curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl1\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P7D\",\"indexLevel\":\"tl1\",\"aggregationPeriod\":\"PT1H\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P1D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"
curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl2\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P180D\",\"indexLevel\":\"tl2\",\"aggregationPeriod\":\"P1D\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P30D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"
curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl3\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P365D\",\"indexLevel\":\"tl3\",\"aggregationPeriod\":\"P30D\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P180D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"
906045 : License Manager role cannot assign a purchased pool license
Component: BIG-IQ Device Management
Symptoms:
Users assigned to the built-in License Manager role get the following error when trying to assign a purchased pool license:
System Unavailable - The system was unable to complete one of the requested tasks (504 Gateway timeout). Try performing this task again.
Conditions:
When a user assigned to the License Manager role tries to assign a license from a purchased pool.
Impact:
Cannot assign a license to BIG-IP.
Workaround:
Use a Registration Key Pool or Utility Pool instead along with the License Manager role if possible. Otherwise, use Administrator role.
903585 : Error while importing BIG-IP containing monitors with unsupported characters (physical line breaks)
Component: BIG-IQ Local Traffic & Management
Symptoms:
When importing BIG-IP devices with monitors that contain unsupported characters, BIG-IQ returns a message similar to the following:
"HTTP monitor <monitor_name> send contains new line please represent new line as '\n' instead."
The message also contains the property at fault (send, receive, etc.).
Conditions:
This happens if a BIG-IP configuration includes an HTTP monitor with strings containing unsupported characters within the string values for 'send' or 'receive' properties.
The unsupported character is termed a 'physical line break': a string split across multiple lines, possibly created by using the 'enter key'. For example,
"line1
line2"
A newline character '\n' is a supported character and is treated differently from the 'physical line break'.
Note:
-- The BIG-IP GUI no longer allows users to introduce such unsupported characters within monitors.
-- This situation typically arises for BIG-IP configurations that have carried over monitors from older installations.
-- This can also arise if you use TMSH/CLI to update monitors (TMSH/CLI continues to support such characters).
Impact:
You cannot import the BIG-IP device.
Workaround:
To work around this, update the monitor and re-import the BIG-IP device.
1. Log on to the BIG-IP system via the GUI.
2. Open the problematic monitor for edit.
3. Add '\n' characters in lieu of splitting text on multiple lines, for example:
-- Before edit
"line1
line2"
-- After edit
"line1\nline2"
4. Save the monitor.
5. Re-import the BIG-IP device on the BIG-IQ.
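To find the affected monitors before attempting the import, the configuration text can be scanned for `send` or `recv` strings whose opening quote is not closed on the same line. The scanner below is an added example, not an F5 tool: it assumes bigip.conf-style stanzas (`ltm monitor <type> <name> { ... }`, with `recv` as the key for the receive string), covers every monitor type rather than HTTP only, and runs on a constructed sample.

```shell
#!/bin/sh
# Added example: list monitors whose send/recv string contains a physical
# line break (the condition that blocks the BIG-IQ import in ID 903585).

# Constructed sample in bigip.conf style (names and strings are made up).
SAMPLE_CONF='ltm monitor http /Common/mon_ok {
    defaults-from /Common/http
    recv "200 OK"
    send "GET /health HTTP/1.1\r\nHost: app.example\r\n\r\n"
}
ltm monitor http /Common/mon_legacy {
    defaults-from /Common/http
    recv "status
up"
    send "GET /ping HTTP/1.0\r\n\r\n"
}
ltm monitor https /Common/mon_quote {
    recv "say \"ok\""
    send "GET / HTTP/1.0
Host: legacy.example

"
}
ltm pool /Common/pool_a {
    description "first
second"
}'

# find_broken_monitors
# Reads configuration text on stdin and prints one line per finding:
#   <monitor name> <property> <line number where the string starts>
find_broken_monitors() {
    awk '
        # Number of double quotes on the line that are not backslash-escaped.
        function unescaped_quotes(s) {
            gsub(/\\\\/, "", s)          # escaped backslashes first
            gsub(/\\"/, "", s)           # then escaped quotes
            return gsub(/"/, "", s)
        }
        {
            q = unescaped_quotes($0)
            if (open) {                  # inside a string opened on an earlier line
                if (q % 2 == 1) open = 0 # an odd count closes it
                next
            }
            if ($0 ~ /^[^ \t}]/)         # a new top-level stanza starts here
                monitor = ($1 == "ltm" && $2 == "monitor") ? $4 : ""
            if (q % 2 == 1) {            # a string opens and is not closed
                open = 1
                if (monitor != "" && ($1 == "send" || $1 == "recv"))
                    print monitor, $1, NR
            }
        }'
}

# Demo on the constructed sample; on a saved configuration file use:
#   find_broken_monitors < bigip.conf
printf '%s\n' "$SAMPLE_CONF" | find_broken_monitors
```

An escaped `\n` or `\"` inside a string is not reported; only strings that actually continue onto the next line are.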
898865 : External shared folder creation during BIG-IQ upgrade
Component: AppIQ
Symptoms:
During a BIG-IQ DCD upgrade procedure, the shared folder creation might fail.
Conditions:
Upgrade from 7.0.0 with a DCD configuration to 7.1.0
1. Remove all existing external storage paths
2. Upload destination image to shared/images/
3. Go to System -> Software Management -> Upgrade
4. Choose regular upgrade
5. Deselect "Back up the BIG-IQ system before upgrade"
6. Choose existing target volume
7. Press on "next"
8. Provide external storage configuration details in the popup window and then test connection
9. Press next
Impact:
Upgrade procedure fails with exceptions, due to error on the shared folder, which is crucial for snapshot step.
Workaround:
Manually unmount the shared folder by using SSH on the local machine and typing the following command: umount <shared directory>
example:
# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
.
.
//10.240.20.6/upgrade/snapshots/shay
14530560 12758344 1772216 88% /var/config/rest/elasticsearch/data/essnapshot
# umount /var/config/rest/elasticsearch/data/essnapshot
898445 : Configuration changes for analytics retention
Component: AppIQ
Symptoms:
If you make changes to analytics retention configuration from the BIG-IQ user interface, the changes are not reflected at the database level, so BIG-IQ doesn't use the changes you made.
Conditions:
When you make changes for the following analytics retention settings:
keep real-time (raw) data up to:
Keep hourly data up to:
Keep daily data up to:
Keep monthly data up to:
Impact:
BIG-IQ does not behave as expected after the configuration changes.
For example, if you changed the raw data retention from 10H to 20H, BIG-IQ might continue to retain the raw data at 10H.
Workaround:
Change the analytics retention using the REST API.
For example, to change the real-time (raw) retention:
1. Get the current configuration of the raw index (tl0)
https://10.240.21.201/mgmt/ap/config/v1/platform-config/resources/a/es-index-statistics-tl0
2. From the returned JSON, find the retentionTime field.
3. Manually change the field to the desired value.
4. Send back the JSON with the changed value of retention using a PATCH to the same URL.
If you want to change the retention for other fields:
Keep hourly data up to:
Keep daily data up to:
Keep monthly data up to:
Then change, respectively, the URL ending with:
es-index-statistics-tl1
es-index-statistics-tl2
es-index-statistics-tl3
893657 : The BIG-IQ Monitoring:: REPORTS :: Security :: Web Application Security page does not work for BIG-IP devices 13.1.0.5 or later
Component: BIG-IQ App Visibility and Reporting (AVR)
Symptoms:
The Monitoring :: REPORTS :: Security :: Web Application Security page displays the following message:
--This type of report not supported for device XXX of XXX
Conditions:
-- Accessing the 'Web Application Security Reporting' page.
-- Selecting a BIG-IP device running version 14.1 and higher, from the 'Devices' drop down (these devices utilize 'streaming' based statistics collection).
Impact:
WAF statistics appear in different forms than in previous BIG-IQ software versions.
WAF statistics for BIG-IP devices running versions 14.1 and higher are available in 'L7 Security' and 'Web Application Security' dashboards. Those dashboards are superior and should be used instead of 'Web Application Security Reporting' on the BIG-IQ.
Workaround:
If your device is not supported by the reports screen, go to Monitoring :: DASHBOARD :: Web Application Security. For supported devices, it is recommended to use these updated screens for statistics visibility.
892189-1 : Error deleting External Storage configured on BIG-IQ
Component: REST Framework and TMOS Platform
Symptoms:
While attempting to delete the External Storage configuration you see "Error on Server Request" with message "The system returned an unexpected error (400 Bad Request)"
Conditions:
You perform the following steps
-- Log on to the BIG-IQ management console
-- Browse to System >> BIG-IQ DATA COLLECTION >> BIG-IQ Data Collection Cluster >> CONFIGURATION >> External Storage & Snapshots
-- Click 'Delete' button next to the configured 'External Storage' mount.
Impact:
Unable to delete External Storage Configuration
Workaround:
To delete the External Storage configuration
(1) Verify and unmount the external storage manually on all DCDs and CMs using the following commands
# mount | grep "/var/config/rest/elasticsearch/data/essnapshot"
# umount /var/config/rest/elasticsearch/data/essnapshot
(2) Clean up "es-mount-filesystem" endpoint on all DCDs and CMs using the following commands
# restcurl -X DELETE '/cm/shared/esmgmt/es-mount-filesystem'
891353 : Online help results from the finder menu
Component: BIG-IQ Search
Symptoms:
When searching using the finder menu, online help results do not display.
Conditions:
Trying to access an online help screen from the finder menu.
Impact:
The online help links do not display.
Workaround:
To access the online help for a specific screen, navigate to that screen and select the online help ( ? ) icon.
883701 : External storage and snapshot configurations when upgrading to BIG-IQ version 7.1.0
Component: REST Framework and TMOS Platform
Symptoms:
Upgrading BIG-IQ to v7.1.0 might fail.
Conditions:
When upgrading to BIG-IQ v7.1.0.
Impact:
The upgrade fails.
Workaround:
In BIG-IQ v7.0.0 the creation of external storage might throw an error. If it happens then the storage might have been created although the BIG-IQ returns an error. Refresh the page and see if storage is defined.
If the storage isn't defined, it can be difficult to find the root cause of the issue, because the errors returned are too generic. The best way to proceed is to complete the following checklist:
- Is the external storage SMBv1? (other versions are not supported - see ID759806 and link the SR to that ID if required).
- Can all the CMs (including secondary CMs) and DCDs reach the external storage server?
- The best way to test is to manually replicate the mount command from the CLI on each one of the devices (substitute <ip>, <folder>, <user>, <pass> and <domain> with the appropriate values):
mount -t cifs //<ip>/<folder> /var/config/rest/elasticsearch/data/essnapshot -o uid=elasticsearch,gid=elasticsearch,rw,iocharset=utf8,noauto,sec=ntlm,user=<user>,password='<pass>',domain=<domain>
- If successful, unmount it with "umount /var/config/rest/elasticsearch/data/essnapshot"
- If this fails, fix the problem (it can be a network issue, a server issue, a creds issue, etc). The command needs to work.
- Be aware that this system is impacted by ID892189, which implies errors when deleting an existing external storage configuration from the GUI.
PoA if the checklist above has been successful:
1. Go over each one of the devices and run these two commands from the CLI:
# umount /var/config/rest/elasticsearch/data/essnapshot (This will prevent issues caused by ID892189, which are hard to diagnose)
# restcurl -X DELETE cm/shared/esmgmt/es-mount-filesystem (This will manually remove existing configuration from restjavad)
2. From the primary BIG-IQ command line, run (substitute each <token> with the appropriate value):
# restcurl -X POST cm/shared/esmgmt/es-mount-filesystem -d '{"username":"<user>","password":"<pass>","externalFS":"//<ip>/<folder>","domain":"<domain>"}'
If the workaround is successful, BIG-IQ returns a response code and a JSON message indicating that. The existing storage should then be displayed as green, and you can schedule snapshots.
882121 : Global config items are not indexed when objects have over 2000 fields
Component: REST Framework and TMOS Platform
Symptoms:
BIG-IQ cannot index large global config items with over 2000 objects.
Conditions:
Global config items larger than 2000 fields will not be indexed
Impact:
Global config items with 2000+ fields will not be indexed
Workaround:
This can be fixed as follows.
# cd /usr/share/rest/tokumon/config/modules
# vim global.js
---> Change
settings: {}, // Use these to ovewrite parts or all of ES_SETTINGS
---> To
settings: {
"index" : {
"mapping" : {
"total_fields" : {
"limit" : "5000"
}
}
}
}, // Use these to ovewrite parts or all of ES_SETTINGS
:wq!
860385 : URL field won't show in AS3 template UI on BIG-IQ 7.0 using AS3.16
Component: BIG-IQ Application Management
Symptoms:
When using AS3.16 along with BIG-IQ 7.0, when the URL field is selected in an AS3 template, the screen displays a grey field for the URL field and does not allow any input.
Conditions:
Follow article K54909607 to update the AS3 RPM to version 3.16 on BIG-IQ 7.0.
Use a BIG-IQ AS3 template that has URL attributes in its AS3 class set to Editable in the UI.
Impact:
The AS3 default template named AS3-F5-HTTPS-WAF-external-url-lb-template-big-iq-default-v1 cannot be used, either in the BIG-IQ UI or any AS3 classes that use a URL (for example: WAF_Policy or iRule).
Workaround:
Use the API to deploy the Application Service along with the schema overlay.
859709-1 : Full name of the default pool does not display on the LTM virtual server properties screen
Component: BIG-IQ Configuration - Local Traffic
Symptoms:
LTM Virtual Server properties screen shows only the first 32 to 40 characters of the default pool's full name.
Conditions:
1. Log in with read-only permissions.
2. Navigate to Configuration>LOCAL TRAFFIC>Virtual Servers.
3. Click the name of a virtual server and scroll down to the Default Pool drop-down box.
Impact:
If the default pool has a long name, read-only users cannot see the full name of the default pool.
Workaround:
Keep the pool name shorter than 32 characters.
851769-1 : BIG-IQ cannot accept ASM policy suggestions with missing parameters
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
After attempting to accept an ASM policy suggestion, BIG-IQ returns an error message and the option to accept the suggestion is no longer displayed.
Conditions:
This occurs when the parameter field in a suggestion is blank.
Impact:
You cannot accept the suggestion.
Workaround:
None.
843297 : Adding a Quorum DCD for a BIG-IQ auto failover HA
Component: REST Framework and TMOS Platform
Symptoms:
BIG-IQ systems with DCD clusters are configured with auto-failover, and the active, secondary, and DCD clusters have a network configuration similar to:
Mgmt: 10.145.x.x
Self IP: 10.3.x.x (subnet to talk to BIG IPs)
Discovery address: 10.5.x.x (could be a Gateway address)
The self IP is the subnet BIG-IQ uses to communicate with managed BIG-IP devices, so you must discover a DCD using the self IP. (Discovery/Listeners address)
This IP address is displayed from BIG-IQ and is not well-formed because the addresses are in different subnets (10.3.x.x vs 10.5.x.x).
Conditions:
When the BIG-IQ Quorum for an auto-failover configuration's discovery address is different than the IP address used for the Discovery/listener's address when adding a DCD to BIG-IQ.
Impact:
Unable to form auto failover HA as the addresses are not in the same subnet, because of the "is DCD attached to primary" validation.
Workaround:
Create an additional DCD that is in an isolated zone to ensure that it will not be assigned to a BIG-IP not in that zone.
Do not use an API to work around this, as BIG-IQ will return an error because there is a backend validation that compares the DCD cluster you added to the IP addresses of the Quorum.
837541-3 : BIG-IQ backup/snapshot retention count is not honored
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
Backup snapshot schedule retention parameters are not honored.
Conditions:
You have created a backup schedule with a maximum of snapshots and the count of snapshots exceeds a specified amount, but the older snapshots are not deleted.
Impact:
This can cause /var to run out of disk space.
821381-1 : Client certificate authentication settings are not preserved after upgrading from BIG-IQ v7.0.0 to v7.0.0.1
Component: REST Framework and TMOS Platform
Symptoms:
If client certificate authentication is enabled for BIG-IQ v7.0.0, and you upgrade BIG-IQ, the webd.conf file gets overridden/replaced. This means the client certificate authentication settings are lost, and authentication no longer works correctly.
Conditions:
Client certificate authentication is enabled on BIG-IQ v7.0.0.
Impact:
Authentication no longer works correctly.
Workaround:
You can avoid this issue by disabling client certificate authentication before you upgrade BIG-IQ, then re-enabling it after the upgrade.
Alternatively, if BIG-IQ v7.0.0 client certificate authentication is not disabled before the upgrade, ssh into the BIG-IQ and type the following command at the shell prompt:
client-cert-auth -x
This resets BIG-IQ authentication to the default username/password authentication using the local authentication provider.
812717 : Viewing logging profiles after upgrading to BIG-IQ v7.0.0
Component: BIG-IQ Configuration - Security - Shared Security
Symptoms:
After upgrading to BIG-IQ v7.0.0, some logging profiles do not display.
Conditions:
After upgrading to BIG-IQ v7.0.0.
Impact:
Some logging profiles do not display.
Workaround:
To display missing logging profiles, from the BIG-IQ command line, run the following command:
for item_id in 96a784ae-904c-340e-aa4b-700dd693e51b 9ac61bf5-cedf-3625-af0e-00f0a98a1cc0 d2a5fc31-d153-3fff-a8ea-97de03f95d97 f0a05642-f8ac-39e1-9f67-98fc6b8f4449 5ec7ef41-7938-384a-8489-f68df693c9b2; do restcurl -X PATCH /cm/security-shared/working-config/log-profiles/$item_id -d '{hidden:false}'; done
812373-1 : Data collection after a service is forced to restart
Component: BIG-IQ System User Interface
Symptoms:
Data collection cluster fails to collect data or respond to queries causing issues with event collection and visualization.
Conditions:
If one or more of the data collection devices becomes unreachable from the console or other data collection devices, due to networking, restarting, or other environmental issues, it is possible that the cluster can become unhealthy and unable to respond to inbound data or query requests.
Issues like excessive memory usage or network instability can trigger these erratic changes.
Impact:
Data collection and visualization becomes inoperative.
Workaround:
If data backups (snapshots) or data loss is acceptable then:
-- Stop elasticsearch process on console and each data collection device ("bigstart stop elasticsearch")
-- Delete the contents of /var/config/rest/elasticsearch/data directory on the devices
rm -rf /var/config/rest/elasticsearch/data/*
-- Restart elasticsearch process on console and each data collection device ("bigstart start elasticsearch")
812065-1 : Pools & pool-member stats are not collected after upgrade
Component: AppIQ
Symptoms:
In some rare instances after upgrading to BIG-IQ version 7.0, BIG-IQ might not collect pool & pool-member statistics information.
Conditions:
When you upgrade from BIG-IQ version 6.x to 7.0.
To identify the presence of the issue, go to: Monitoring -> Dashboards -> Local Traffic -> Pools & Pool Members.
If stats are displayed - then the upgrade process was completed properly.
Impact:
Statistical information about pool and pool-member activities is not being collected and this information is not displayed in the corresponding dashboards.
Workaround:
The root cause of this problem is in ElasticSearch index mapping. To work around this issue, update the mapping manually:
1. unzip the attachment and place under /tmp on the CM.
2. run ./fix_es_mapping.sh
New mapping definitions take effect after the index is switched, so it can take up to 1 hour before BIG-IQ can collect statistics.
809149 : Attempting to enable remote logging configuration
Component: BIG-IQ Monitoring - Logs
Symptoms:
When attempting to enable remote logging configuration, BIG-IQ returns an error:
The requested Node (/Common/access-remote-syslog-node-*) already exists in partition.
Conditions:
This happens when you attempt to enable remote logging configuration.
Impact:
You are unable to Access reports from the Monitoring tab.
805457-1 : Viewing raw DDoS attacks
Component: AppIQ
Symptoms:
When navigating to Monitoring -> DASHBOARDS -> DDoS -> Protection Summary: Selected Attack, BIG-IQ and the query service log display the following error message: TEMPLATE_MALFORMED
Conditions:
1. Generate a DDoS attack with more than one raw attack - an attack on multiple BIG-IP devices or an attack with multiple attack vectors.
2. Navigate to Monitoring->DASHBOARDS->DDoS->Protection Summary.
3. Click an active attack id.
4. Select "Raw Attacks" under "ATTACKED ENVIRONMENTS".
Impact:
TEMPLATE_MALFORMED error is shown in the charts area of the UI, and chart data is not shown.
TEMPLATE_MALFORMED error message is shown in the query service log file.
804601-1 : Custom user role does not display application and application services statistics
Component: AppIQ
Symptoms:
When configuring a custom application manager user, the user might not be able to view applications and application services statistics.
This occurs even when the Application Editor role is added to the settings of the user.
Conditions:
1. Create a user, assign them the Application Editor role, and give that role access to edit AS3 templates.
2. Create an application and application service with live traffic.
3. Provide permission for the Application Editor role to view the application and application services.
4. Sign in as the Application Editor.
5. Navigate to Applications or Application services.
Impact:
Statistics display as NO DATA.
Workaround:
Remove the Application Editor role from the user, and configure specific permissions manually for the role of an application editor.
776593-3 : BIG-IP devices might be reported as Unavailable with no reason provided
Component: BIG-IQ DNS Management
Symptoms:
Alerts and log messages might indicate BIG-IP devices are Unavailable without providing details. A log message with text like this is returned:
The following devices are not reachable from the BIG-IQ: some-bigip.mydomain
Conditions:
Specific conditions are not known, but most likely include intermittent network connectivity loss or network slowdowns, high CPU usage on the BIG-IP device, and so forth.
Impact:
Devices are temporarily marked unavailable, until the next successful poll.
Workaround:
Any details that are available are noted in the device-refresh API endpoint until the next refresh (every two minutes). For example, the following command can be run from the BIG-IQ shell:
# restcurl shared/identified-devices/config/device-refresh
Devices that are listed with isAvailable=false also have an errorResponse field with more information.
776021-3 : Modifying a scheduled backup
Component: BIG-IQ System User Interface
Symptoms:
BackupLifeTime is gone after user sets backupCounter
Conditions:
Create a backup with retention policy backupLifeTime, then update it with backupCounter
Impact:
No functional impact but it is confusing.
Workaround:
Don't provide the conflicting parameters backupLifeTime and backupCounter at the same time.
771397-3 : License Manager cannot license different devices with the same MAC address (public and private clouds)
Component: BIG-IQ Device Management
Symptoms:
BIG-IQ does not issue licenses to different devices with the same MAC address
Conditions:
Different devices with the same MAC address (common in public and private clouds).
Impact:
License Manager cannot issue licenses.
Workaround:
N/A
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/