Release Notes : BIG-IQ Centralized Management 7.1.0.1 :: Fixes and Known Issues

Applies To:

BIG-IQ Centralized Management

  • 7.1.0
Release Notes
Updated Date: 01/12/2021

BIG-IQ CM Release Notes
BIG-IQ CM Release Information
Version: 7.1.0.1
Build: 133.0

IMPORTANT: This content is current as of the software release date
Updates to Known Issues can occur after release. When a Known Issue is updated after release, that information is captured in Bug Tracker. For the most up-to-date bug data, see Bug Tracker.
Known Issues in BIG-IQ CM v7.1.x

Functional Change Fixes

None


BIG-IQ Configuration - Local Traffic Fixes

ID Number Severity Solution Article(s) Description
917577 3-Major   Importing BIG-IP devices when first character of profile name is a number
859709-2 3-Major   Full name of the default pool does not display on the LTM virtual server properties screen
889049-1 4-Minor   Deployment and Configuration menus with long virtual server or pool names.
843113 4-Minor   Bulk importing more than 50 certificates and keys for BIG-IP devices


BIG-IQ Configuration - Security - Shared Security Fixes

ID Number Severity Solution Article(s) Description
901129-1 3-Major   DoS events and DNS Overview screens returns error message


BIG-IQ System User Interface Fixes

ID Number Severity Solution Article(s) Description
930665 3-Major   Services connecting to postgresql
776021-1 4-Minor   Modifying a scheduled backup


BIG-IQ Access Fixes

ID Number Severity Solution Article(s) Description
925301-2 3-Major   Viewing Access reports when date/time filter is applied
922877-2 3-Major   Access Sessions Summary page shows duplicate data for a single session
922417-2 3-Major   Creating a CSV report for active sessions
914801 3-Major   Creating a local SAML SP service
912177-2 3-Major   Generating CSV report from Access User Summary
903121-2 3-Major   Evaluating and deploying Access Groups containing a remote desktop configuration
939869 4-Minor   Sorting for Attribute Consuming Service menu for SAML Auth Agent
919093-1 4-Minor   Branch rule names don't allow '.'.
918997 4-Minor   BIG-IQ APM expressions change newline character for Variable Assign agent
916881-2 4-Minor   Deploying an access policy containing orphaned policy items


BIG-IQ Local Traffic & Management Fixes

ID Number Severity Solution Article(s) Description
923613-3 3-Major   Discovering a BIG-IP device and importing its services that contain 'bot-profiles'
915865-1 3-Major   Creating VE on VMWare fails and results in error message
911765 3-Major   Deploying to BIG-IP with proxyCaPassphrase client-ssl
910069 3-Major   BIG-IQ is unable to manage special BIG-IP with auto-generated certificates
906121-1 4-Minor   Adding Pool Members to Resource Groups


AppIQ Fixes

ID Number Severity Solution Article(s) Description
943521-1 2-Critical   Retrieving LTM pool data
942861-1 2-Critical   Retrieving LTM virtual server data
910481-2 3-Major   Viewing statistics for BIG-IP version 12.x devices
908505-3 3-Major   Managing BIG-IP devices using a large number of virtual servers while running iApp analytics
901625-1 3-Major   Analytics dashboards after upgrading to BIG-IQ version 7.1
872237-3 3-Major   CPU spikes when using iApp analytics
808133-3 4-Minor   Analytics iApp pushed from BIG-IQ causes BIG-IP high availability (HA) peers to go out of sync


BIG-IQ Configuration - Infrastructure Fixes

ID Number Severity Solution Article(s) Description
933889 3-Major   Discovering and importing BIG-IP LTM with an IPv6 self IP that specifies both a VLAN tag (K15203) and a Route Domain
927837 3-Major   Renaming an SSL certificate in the Compare Silo page doesn't work


BIG-IQ Device Management Fixes

ID Number Severity Solution Article(s) Description
905737-2 2-Critical   Setting up BIG-IQ as a license manager only


REST Framework and TMOS Platform Fixes

ID Number Severity Solution Article(s) Description
925169-2 2-Critical   BIG-IQ hardware upgrade might fail
911533 2-Critical   Importing and deploying large configurations
932433 3-Major   Adding a standby BIG-IQ when creating a high availability configuration
930833 3-Major   Viewing objects as a custom-role user assigned to a custom group
925545 3-Major   Tokumond hangs on initial indexing
916441-1 3-Major   Operations using route domains fail with 'invalid input syntax for type inet'
914757 3-Major   Adding a secondary BIG-IQ to a high availability configuration
912753 3-Major   Tokumond service restarts due to request timeout
860473-1 3-Major   Connection and read timeout settings for the TACACS+ authentication provider
927561 4-Minor   Auto failover for a BIG-IQ high availability configuration
921989 4-Minor   Querying BIG-IP devices by IP addresses
903677 4-Minor   Related items for a virtual server aren't displayed when creating a resource group
846665-1 4-Minor   Authentication to BIG-IQ might fail when using an LDAP or Active Directory authentication provider using LDAPS that has Server Certificate Validation disabled.


BIG-IQ Web Application Security (ASM) Fixes

ID Number Severity Solution Article(s) Description
937269-1 3-Major   IP address exception configuration in Centralized Policy Builder
921521-2 3-Major   Policy signatures ready to be enforced are not reported
872849-1 3-Major   Signatures in the Web Application Security event logs might not show correct applied blocking masks
907973-1 4-Minor   Imported virtual servers with application protection are displayed as unprotected
901689-2 4-Minor   L7 Dashboard grid does not report number of DoS attacks correctly


BIG-IQ Application Management Fixes

ID Number Severity Solution Article(s) Description
943645 3-Major   Updated AS3 version support
918493 3-Major   Attempting to use allowVlans and rejectVlans from an AS3 template
914361 3-Major   Deploying AS3 application service to a managed device after upgrading or rebooting BIG-IQ
899789-1 3-Major   Viewing BIG-IQ application dashboard after changes to a legacy application service is redeployed to a BIG-IP cluster
898641-1 4-Minor   AS3 application deployment UI: persistence methods, iRule & Firewall Address List do not render values from template correctly

 

Cumulative fix details for BIG-IQ CM v7.1.0.1 that are included in this release

943645 : Updated AS3 version support

Component: BIG-IQ Application Management

Symptoms:
BIG-IQ now includes support for AS3 release 3.22.1.

For more information on BIG-IQ Centralized Management compatibility with AS3, see the following article:
https://support.f5.com/csp/article/K54909607

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
n/a


943521-1 : Retrieving LTM pool data

Component: AppIQ

Symptoms:
When querying LTM pools configuration data the service log displays the following error:

2020-09-09 15:09:29,660 ERROR c.f.a.q.c.BigIQConfigDataServiceImpl [XNIO-2 task-6] An Error has occurred reaching the API: /cm/adc-core/working-config/ltm/pool. Returning partial results. Error message: Error while extracting response for type [com.f5.analytics.queryservice.configdata.common.BigIqCollection<com.f5.analytics.queryservice.configdata.adc.pool.AdcPoolItem>] and content type [application/json;charset=UTF-8]; nested exception is org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Missing required creator property 'id' (index 0); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Missing required creator property 'id' (index 0)

Conditions:
This happens when a user without administrative privileges logs into BIG-IQ to view statistics-related data.

Impact:
Non-administrator users might have access to LTM statistics that they are not permitted to view.

Fix:
BIG-IQ now displays pool data only to users with administrative privileges.


942861-1 : Retrieving LTM virtual server data

Component: AppIQ

Symptoms:
When querying LTM virtual server configuration data the service log displays the following error:

ERROR c.f.a.q.c.BigIQConfigDataServiceImpl [XNIO-2 task-4] An Error have occurred reaching the API: /cm/adc-core/working-config/ltm/virtual. Returning partial results. Error message: Error while extracting response for type [com.f5.analytics.queryservice.configdata.common.BigIqCollection<com.f5.analytics.queryservice.configdata.adc.virtualserver.AdcVirtualServerItem>] and content type [application/json;charset=UTF-8]; nested exception is org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Missing required creator property 'deviceReference' (index 6); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Missing required creator property 'deviceReference' (index 6)

Conditions:
This happens when a user without administrative privileges logs into BIG-IQ to view statistics-related data.

Impact:
Non-administrator users might have access to LTM statistics that they are not permitted to view.

Fix:
BIG-IQ now displays virtual server data only to users with administrative privileges.


939869 : Sorting for Attribute Consuming Service menu for SAML Auth Agent

Component: BIG-IQ Access

Symptoms:
Values displayed in the Attribute Consuming Service menu on the SAML Auth Agent in VPE are not sorted, and no search bar is provided.

Conditions:
A user adds a SAML Auth agent to an Access Policy. On the properties screen for the agent, the Attribute Consuming Service dropdown is not sorted based on the values displayed.

Impact:
This can make searching for a specific value time consuming if there are a large number of values in the Attribute Consuming Service menu.

Workaround:
N/A

Fix:
BIG-IQ now displays values sorted in ascending order in the Attribute Consuming Service menu for the SAML Auth agent.


937269-1 : IP address exception configuration in Centralized Policy Builder

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The Centralized Policy Builder does not behave in accordance with the IP Exception (IP Address List in configuration).
Whether an IP is set to be ignored (in learning suggestion) or trusted by the policy builder, it is treated like any IP address.

Conditions:
When you configure an IP address as ignored or trusted by the policy builder in the IP Address List, and traffic that can be learned from is sent for that IP address.

Impact:
If the IP address was set to be 'Ignored In Learning Suggestion', it will not be ignored and would impact learning.

If the IP address was set as 'Policy Builder Trusted IP', it will not be considered trusted by the Centralized Policy Builder.

Workaround:
N/A

Fix:
Centralized Policy Builder now ignores or trusts IP Addresses correctly according to the Centralized Policy Builder's configuration.


933889 : Discovering and importing BIG-IP LTM with an IPv6 self IP that specifies both a VLAN tag (K15203) and a Route Domain

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
If you discover a BIG-IP device that has an IPv6 self IP that specifies both a VLAN tag (K15203) and a Route Domain, and import its LTM service, the import task fails with a message similar to the following:

"java.lang.IllegalArgumentException: Invalid address: fe80::4%vlan1246%3/64. Only one '%' character is allowed."

Conditions:
A BIG-IP device has a self IP configured with an IPv6 address that specifies both a VLAN tag and a Route Domain.

Impact:
BIG-IQ cannot discover and import the BIG-IP device's LTM service.

Workaround:
If possible, change the IPv6 self IP to use the VLAN tag for a VLAN that is part of the implicit default Route Domain (0). However, if your environment requires the Self IP to use a VLAN that is in an explicit, non-default Route Domain, then no workaround is available.

Fix:
BIG-IQ can now discover and import BIG-IP devices that include IPv6 self IPs specifying both a VLAN tag and a Route Domain.


932433 : Adding a standby BIG-IQ when creating a high availability configuration

Component: REST Framework and TMOS Platform

Symptoms:
When you attempt to add a secondary BIG-IQ to create a high availability configuration and communication fails, BIG-IQ incorrectly logs the following message:

"Completed pg_basebackup successfully.".

Conditions:
This happens when you attempt to add a secondary BIG-IQ to the primary BIG-IQ to create a high availability configuration.

Impact:
The BIG-IQ high availability creation fails but appears to be successful from the log message.

Workaround:
N/A

Fix:
If the secondary BIG-IQ does not connect to the primary during the high availability configuration, BIG-IQ now properly logs a failure message.


930833 : Viewing objects as a custom-role user assigned to a custom group

Component: REST Framework and TMOS Platform

Symptoms:
Custom-role users assigned to a custom resource group are not able to view objects they should be able to.

Conditions:
When a user is assigned to a custom role, is associated with a custom group, and tries to access objects they have privileges to.

Impact:
Users cannot view objects that they should be able to.

Workaround:
N/A

Fix:
Users are now able to view the objects they have privileges to.


930665 : Services connecting to postgresql

Component: BIG-IQ System User Interface

Symptoms:
If postgresql is not properly configured to allow SSL connections, services (such as tokumond) fail to connect to postgresql and an error similar to the following is logged in
/var/log/tokumon/current:

2020-07-07_08:25:04.37666 [ERROR] postgresql: Failed connecting to dbConnectUrl:postgres://postgres_replication@[localhost]:<REDACTED>postgres://postgres_replication@[localhost]:5432/bigiq_db - Error: The server does not support SSL connections

Conditions:
This occurs when the postgresql config file at /var/lib/pgsql/data/postgresql.conf has the default SSL settings, instead of "ssl = on". This can happen if the postgresql configuration gets reset to defaults after being configured for SSL connections. Because the SSL certificate and key files exist under /var/lib/pgsql/config, the modifications to the configuration file are assumed to already be complete and are not re-applied.

Impact:
Services are not able to connect to postgres. Setup and bootstrap are unable to complete successfully.

Workaround:
Run the following command to force re-configuration of postgresql:

# ha_generate_certs --force <DISCOVERY_ADDRESS>

Replace <DISCOVERY_ADDRESS> with your BIG-IQ's discovery IP address.

Fix:
Reconfiguring postgresql for SSL mode no longer depends on the absence of the SSL certificate and key files. Instead, the configuration will be updated to SSL mode (if it isn't already in SSL mode) any time ha_generate_certs runs. Since ha_generate_certs runs on bootstrap (on default service startup or on completion of the setup wizard), a misconfiguration will be automatically repaired by running the setup wizard or by restarting services with "bigstart restart".
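A check for the condition described in this entry, as an added example that is not F5 code: it works out the effective `ssl` setting from postgresql.conf text using PostgreSQL's rules (commented-out lines are ignored, the last assignment wins, an absent setting means off). The function names and both sample files are constructed for illustration, and only the text passed in is evaluated; included files and postgresql.auto.conf are not followed.

```python
import re
from typing import Optional, Tuple

# Boolean spellings PostgreSQL accepts in postgresql.conf (case-insensitive;
# unambiguous prefixes are allowed, so "of" means off but "o" is rejected).
_BOOL_WORDS = {"on": True, "true": True, "yes": True, "1": True,
               "off": False, "false": False, "no": False, "0": False}

# name, then "=" or plain whitespace, then the value
_ASSIGNMENT = re.compile(r"([A-Za-z_][\w.]*)\s*(?:=\s*|\s+)(.+)$")


def _strip_comment(line: str) -> str:
    """Drop everything after a '#' that is not inside a single-quoted value."""
    kept, in_quote = [], False
    for ch in line:
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            break
        kept.append(ch)
    return "".join(kept).strip()


def _parse_bool(raw: str) -> bool:
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1].replace("''", "'")
    value = value.lower()
    matches = {flag for word, flag in _BOOL_WORDS.items()
               if value and word.startswith(value)}
    if len(matches) != 1:
        raise ValueError(f"not a boolean: {raw!r}")
    return matches.pop()


def effective_ssl(conf_text: str) -> Tuple[bool, Optional[int]]:
    """Return (ssl_enabled, line_number_that_set_it).

    line_number is None when no active 'ssl' line exists, which is the
    reset-to-defaults state this entry describes.
    """
    enabled, source_line = False, None  # PostgreSQL default: ssl = off
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = _ASSIGNMENT.match(_strip_comment(line))
        if match and match.group(1).lower() == "ssl":
            enabled, source_line = _parse_bool(match.group(2)), lineno
    return enabled, source_line


# Constructed sample: configuration reset to defaults, ssl only in comments.
RESET_TO_DEFAULTS = """\
# - SSL -
#ssl = off
#ssl_cert_file = 'server.crt'
max_connections = 100   # ssl = on (inside a comment, ignored)
"""

# Constructed sample: configured for SSL; the later assignment overrides.
CONFIGURED = """\
#ssl = off
ssl = off
listen_addresses = '*'
ssl = 'on'   # last assignment wins
"""

if __name__ == "__main__":
    for label, text in (("reset", RESET_TO_DEFAULTS), ("configured", CONFIGURED)):
        enabled, lineno = effective_ssl(text)
        origin = f"line {lineno}" if lineno else "built-in default"
        print(f"{label}: ssl={'on' if enabled else 'off'} ({origin})")
```
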


927837 : Renaming an SSL certificate in the Compare Silo page doesn't work

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
Renaming a siloed SSL certificate using the Compare Silo page is presented as an option, but it fails with a Java error.

Conditions:
1. Discover a device with an SSL cert that creates a conflict.
2. Import the device to a silo to analyze/resolve conflicts.
3. Type in a New Name for the SSL cert and click Save.

The task fails.

Impact:
You can't use the rename option on the Compare Silo page, but you can achieve the same result using the clone option.

Workaround:
Clone the certificate object and give it a different name; then remove the original (siloed) object.

Fix:
This issue is fixed and available in the 7.1.0.1 release.


927561 : Auto failover for a BIG-IQ high availability configuration

Component: REST Framework and TMOS Platform

Symptoms:
Auto failover fails for BIG-IQ systems in a high availability (HA) configuration.

Conditions:
BIG-IQ configured in an HA auto failover configuration and Tokumond is down on the secondary BIG-IQ system.

Impact:
Auto failover does not happen.

Workaround:
N/A

Fix:
Auto failover now occurs even if Tokumond is down on the secondary BIG-IQ system in the HA configuration.


925545 : Tokumond hangs on initial indexing

Component: REST Framework and TMOS Platform

Symptoms:
Tokumond hangs during initial indexing and is not able to enter oplog mode.

You may see an error in /var/log/postgresql.log:
ERROR: replication slot "ha_replication" does not exist

Conditions:
BIG-IQ with large amounts of configs

Impact:
Tokumond hangs, /var partition may fill up

Workaround:
Restart tokumond by running: bigstart kill tokumond

Fix:
Tokumond should be able to enter oplog mode


925301-2 : Viewing Access reports when date/time filter is applied

Component: BIG-IQ Access

Symptoms:
When a Before/After/Between filter is selected to view reports for a specific date-time range, BIG-IQ displays a "No Data Available" message.

Conditions:
This happens if your computer is set to anything other than US English.

Impact:
You cannot see the report data on Access Reporting screens. A "No Data Available" message is displayed.

Workaround:
N/A

Fix:
Access reports now display properly when a filter is applied.


925169-2 : BIG-IQ hardware upgrade might fail

Component: REST Framework and TMOS Platform

Symptoms:
When upgrading BIG-IQ hardware, there is a race condition due to two different services trying to perform disk provisioning that might cause the hardware upgrade to fail.

Conditions:
Upgrading BIG-IQ hardware.

Impact:
The BIG-IQ upgrade fails.

Workaround:
1. Install BIG-IQ version 7.1.0.x in a new volume. Select the option to not automatically reboot to the new volume.
2. Mount the new volume using the command: volumeset -f mount {X}.
3. Edit /mnt/X/etc/bigstart/scripts/tokumx as follows:
   - Add the following line after the existing 'setproperties ${service}' line: waitfor_disk_provisioning ${service}
   - Replace the existing line 'if [ -f /bin/halid ]; then' with: if false; then
4. Unmount the new volume with the command: volumeset -f umount {X}.
5. Reboot to the new volume.

Fix:
BIG-IQ hardware upgrades no longer have two different services attempting to perform the disk provisioning.


923613-3 : Discovering a BIG-IP device and importing its services that contain 'bot-profiles'

Component: BIG-IQ Local Traffic & Management

Symptoms:
After discovering a BIG-IP device and importing its ASM services, BIG-IQ returns an error similar to the following:

-- Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: Invalid entry "bot-defense" in "controls" string, valid options are: [acceleration, asm, avr, caching, ce, classification, client-ssl, compression, forwarding, l7dos, persistence, request-adaptation, response-adaptation, server-ssl, ssl-intercept, websocket].

Conditions:
This happens when you are running BIG-IQ version 7.1.0

This issue occurs when you import a BIG-IP with the following configuration:
a. BIG-IP contains a Bot Profile
b. BIG-IP contains an LTM Policy attached to this Bot Profile

Impact:
You cannot import the ASM services associated with the discovered BIG-IP device.

BIG-IQ version 7.1.0 does support 'Anti-Bot Detection and Protection'.

Workaround:
None

Fix:
Discovering a BIG-IP device and importing its services that contain 'bot-profiles' no longer reports an error message.


922877-2 : Access Sessions Summary page shows duplicate data for a single session

Component: BIG-IQ Access

Symptoms:
The Access Session Summary page displays more than one entry/row per SessionId.

Conditions:
This happens when you view the Access Summary Page at BIG-IQ > MONITORING > DASHBOARDS > Access > Sessions > Session Summary page

Impact:
Session Metadata distributed across various columns are missing. Session Metadata is duplicated across duplicate rows/entries in the report.

Workaround:
N/A

Fix:
This issue no longer occurs.


922417-2 : Creating a CSV report for active sessions

Component: BIG-IQ Access

Symptoms:
When trying to create a CSV report for active sessions, BIG-IQ returns an error similar to the following: "Error: No handler found for uri.".

Conditions:
Attempting to generate an Active Sessions report with more than 1,000 records.

Impact:
You cannot generate the CSV reports for Access reporting screens if the report contains a large number of records.

Workaround:
N/A

Fix:
This issue is now resolved and the Active Sessions CSV report properly downloads.


921989 : Querying BIG-IP devices by IP addresses

Component: REST Framework and TMOS Platform

Symptoms:
When searching for BIG-IP devices by IP addresses, BIG-IQ doesn't always include all results.

Conditions:
Searching for BIG-IP devices by IP addresses.

Impact:
Not all BIG-IP devices are displayed.

Workaround:
sed -i '/document._system_search_tags = row._system_search_tags;/a\ \ \ \ document._ranges = row._ranges;' /usr/share/rest/tokumon/src/transforms.js

bigstart kill tokumond

Fix:
The correct BIG-IP devices are displayed when searching by IP addresses.


921521-2 : Policy signatures ready to be enforced are not reported

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Policy signatures that have passed the enforcement readiness period are not reported.

Conditions:
Create an ASM policy using Central Policy Builder and leave it active beyond 7 days (or the policy staging period). Check for signatures ready to be enforced.

Impact:
All signatures report readyToBeEnforced = false, even if there are signatures that passed the staging period.

Workaround:
N/A

Fix:
Policy signatures that have passed the necessary staging period are reported as ready to be enforced.


919093-1 : Branch rule names don't allow '.'.

Component: BIG-IQ Access

Symptoms:
When creating a branch rule, the branch rule name won't allow something named as "br.", which contains a '.'.

Conditions:
When entering a branch rule name that contains '.'.

Impact:
You won't be able to create a branch rule with a branch rule name having a '.' in the name.

Workaround:
N/A

Fix:
You can now create a branch rule name with a '.' in the name.


918997 : BIG-IQ APM expressions change newline character for Variable Assign agent

Component: BIG-IQ Access

Symptoms:
A Variable Assign agent with custom expressions and attached to an Access policy might show newline characters as "\n". This causes the APM expressions to fail with an error.

Conditions:
This error might happen if the Variable Assign agent was created with custom expressions spanning multiple lines. When the policy is deployed to a BIG-IP, the newline characters show up as "\n" instead of actual new lines.

Impact:
APM expressions fail to work.

Workaround:
N/A

Fix:
Deploying a Variable Assign agent with multi-line custom expressions and attached to an Access policy to a BIG-IP device no longer fails.


918493 : Attempting to use allowVlans and rejectVlans from an AS3 template

Component: BIG-IQ Application Management

Symptoms:
When you try to use allowVlans and rejectVlans from an AS3 template that was created from the BIG-IQ user interface, BIG-IQ returns a deployment failure message: "allowVlans: should be array" and deployment fails.

Conditions:
1. Create an AS3 template from BIG-IQ.
2. Select Editable for "VLAN list to allow" (below the Service_HTTP for example).
3. Deploy an AS3 Application Service using the template with a known VLAN entered into "VLAN list to allow".
4. Deployment fails with error: "allowVlans: should be array"

Impact:
You cannot deploy changes to the VLAN.

Workaround:
To work around this, deploy the VLAN from an API.

Fix:
This issue is fixed and you can successfully deploy an AS3 template with a VLAN change from the BIG-IQ user interface.


917577 : Importing BIG-IP devices when first character of profile name is a number

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
The BIG-IQ discover/import process fails when the BIG-IP devices being discovered/imported have configurations with profile or rule names that begin with a number.

Conditions:
A policy rule name starts with a number, for example "8rule". When BIG-IQ sees this, it will fail validation and then fail the discovery/import process.

Impact:
BIG-IQ cannot manage these BIG-IP devices.

Workaround:
Fixed.

Fix:
BIG-IQ can manage BIG-IP devices that have a policy rule name that starts with a number.


916881-2 : Deploying an access policy containing orphaned policy items

Component: BIG-IQ Access

Symptoms:
Deployment of an access policy containing orphaned policy items to a BIG-IP device might fail with the following error:

Critical Error: The access policy ("access-policy") has an item ("orphaned-policy-item") which is not referenced by any policy rule.

Conditions:
This error can happen if you:

1) Create an access policy with a branch rule such as "URL Branching".
2) Add another item to that branch.
3) Delete the branch rule in "URL Branching".
4) Deploy the access policy to a BIG-IP device.

Impact:
You cannot deploy access policies with orphaned policy items.

Workaround:
N/A

Fix:
This issue is now fixed.


916441-1 : Operations using route domains fail with 'invalid input syntax for type inet'

Component: REST Framework and TMOS Platform

Symptoms:
The storage system may not recognize an address with a route domain (% followed by a number after the IP address) as a valid address. This may cause operations to fail or to hang. Logs under /var/log/postgres/ show an error similar to:

ERROR: invalid input syntax for type inet: "10.10.1.4%6"

Conditions:
This may occur any time route domains are used.

Impact:
Operations may fail or hang and errors can be observed in log files.

Workaround:
None

Fix:
Addresses containing route domains are now correctly recognized as valid.
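Both this entry and 933889 come down to parsing BIG-IP address strings that carry '%' suffixes. The parser below is an added example, not BIG-IQ code: it separates the address, VLAN tag, route domain and prefix length, and produces the '%'-free form a PostgreSQL inet value accepts. The suffix layout (address%vlan%route-domain, or address%route-domain when the single suffix is numeric) is an assumption inferred from the two sample strings in these release notes, and all names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class BigIpAddress(NamedTuple):
    address: IPAddress
    vlan: Optional[str]        # e.g. "vlan1246"; None when absent
    route_domain: int          # 0 is the implicit default route domain
    prefix_len: Optional[int]  # None when no "/len" was given

    def inet_literal(self) -> str:
        """Address without '%' suffixes, the form an inet column accepts."""
        if self.prefix_len is None:
            return str(self.address)
        return f"{self.address}/{self.prefix_len}"


def _is_number(text: str) -> bool:
    return text.isascii() and text.isdigit()


def parse_bigip_address(text: str) -> BigIpAddress:
    """Parse addr[%vlan][%route_domain][/prefix] (layout assumed, see lead-in).

    Raises ValueError on anything that does not fit, so malformed input is
    rejected here rather than deep inside a storage or import layer.
    """
    host, slash, prefix = text.strip().partition("/")
    base, *suffixes = host.split("%")
    if len(suffixes) > 2 or any(s == "" for s in suffixes):
        raise ValueError(f"unsupported '%' suffixes in {text!r}")

    vlan: Optional[str] = None
    route_domain = 0
    if len(suffixes) == 2:
        # Two suffixes: VLAN tag first, numeric route domain second.
        vlan, rd_text = suffixes
        if not _is_number(rd_text):
            raise ValueError(f"route domain must be numeric in {text!r}")
        route_domain = int(rd_text)
    elif len(suffixes) == 1:
        # One suffix: numeric means route domain, anything else a VLAN tag.
        if _is_number(suffixes[0]):
            route_domain = int(suffixes[0])
        else:
            vlan = suffixes[0]

    address = ipaddress.ip_address(base)  # raises ValueError if invalid

    prefix_len: Optional[int] = None
    if slash:
        if not _is_number(prefix) or int(prefix) > address.max_prefixlen:
            raise ValueError(f"bad prefix length in {text!r}")
        prefix_len = int(prefix)
    return BigIpAddress(address, vlan, route_domain, prefix_len)


if __name__ == "__main__":
    # The two strings quoted in the error messages on this page.
    for sample in ("fe80::4%vlan1246%3/64", "10.10.1.4%6"):
        parsed = parse_bigip_address(sample)
        print(sample, "->", parsed.inet_literal(),
              "vlan:", parsed.vlan, "route domain:", parsed.route_domain)
```
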


915865-1 : Creating VE on VMWare fails and results in error message

Component: BIG-IQ Local Traffic & Management

Symptoms:
When deploying a new BIG-IP Virtual Edition from BIG-IQ, you might receive a message similar to the following:

Cannot create VE on vCenter: Could not find VM:<name>. Reason: Failed to create vm: <name> in VMware. Reason: MODULE FAILURE See stdout/stderr for the exact error

Conditions:
This error can happen if there is a mistake in the Cloud Environment configuration. For example, a misspelling, or specifying a VMWare path or object that does not exist.

Impact:
The creation fails and the error message is confusing because it does not specify the reason for the failure.

Workaround:
Check that the object values in the environment are correct.

Review the /var/log/gunicorn.out log for more information.

And check the vCenter Task Console for more details about the error.

Fix:
This issue has been fixed.


914801 : Creating a local SAML SP service

Component: BIG-IQ Access

Symptoms:
A local SAML SP service cannot be created with entity ID containing session variables, since host name is a mandatory field for local SP service.

Conditions:
When you create a local SAML SP service with session variables as entity ID and host name is not provided.

Impact:
You are unable to create the service until you specify a hostname.

Workaround:
N/A

Fix:
You are now able to create a local SAML SP service without a hostname.


914757 : Adding a secondary BIG-IQ to a high availability configuration

Component: REST Framework and TMOS Platform

Symptoms:
If you try to add a secondary BIG-IQ to a primary BIG-IQ to create a high availability (HA) configuration and the TCP port 5432 between the BIG-IQ systems is not open, the HA configuration attempt fails.

Conditions:
Adding a secondary BIG-IQ to a primary BIG-IQ without the TCP port 5432 open between them. Secondary Postgres cannot be restarted.

Impact:
The HA configuration attempt fails and the first BIG-IQ system deletes the /var/lib/pgsql/data folder.

Workaround:
To fix this issue, open the TCP port 5432 between the BIG-IQ systems.

Fix:
BIG-IQ now checks to see if the TCP port 5432 is open between the BIG-IQ systems. If it is not open, BIG-IQ returns an error and the high availability status displays as red. You can then remove the standby on the primary, open the connection for TCP port 5432, and re-add the secondary BIG-IQ.


914361 : Deploying AS3 application service to a managed device after upgrading or rebooting BIG-IQ

Component: BIG-IQ Application Management

Symptoms:
After upgrading BIG-IQ, you are unable to deploy an AS3 application service from BIG-IQ.

Error message:
Failed to get cm-bigip-allBigIpDevices device for address 3.90.185.47 : java.lang.IllegalStateException: Device not found in device group: java.lang.IllegalStateException: Device not found in device group

Conditions:
This happens after you upgrade or reboot BIG-IQ.

Impact:
You cannot deploy an AS3 application service from BIG-IQ.

Workaround:
To work around this issue, from the command line type: bigstart restart restjavad

Fix:
This issue is now fixed.


912753 : Tokumond service restarts due to request timeout

Component: REST Framework and TMOS Platform

Symptoms:
Tokumond occasionally restarts when a request times out after 60 seconds because of searchd service load.

Conditions:
Large configurations during CPU-heavy operations (discovery/import).

Impact:
Tokumond restarts and needs to be reindexed.

Workaround:
Increase the timeout for tokumon. To do this, change line 28 of /usr/share/rest/tokumon/lib/http.js from:

const DEFAULT_REQUEST_TIMEOUT = (1000 * 60);

to:

const DEFAULT_REQUEST_TIMEOUT = (1000 * 120);

Fix:
This issue no longer occurs.


912177-2 : Generating CSV report from Access User Summary

Component: BIG-IQ Access

Symptoms:
When you click the CSV Report button from the Access User Summary > Monitoring -> Dashboard -> Access screen, the following error displays: "Error: Not Authenticated".

Conditions:
This can happen when you click the CSV Report button on the Access Reporting page.

Impact:
You can't export or generate the CSV reports for certain Access reporting screens.

Workaround:
N/A

Fix:
The CSV Report button now works as expected from the Access screen.


911765 : Deploying to BIG-IP with proxyCaPassphrase client-ssl

Component: BIG-IQ Local Traffic & Management

Symptoms:
Deployment from BIG-IQ fails for BIG-IP devices that use a client-ssl proxyCaPassphrase.

Conditions:
A client-SSL object is referenced by other objects like virtual server. The client-SSL object uses the property proxyCaPassphrase, but the property value was empty.

Impact:
Cannot deploy any changes to BIG-IP devices using this type of client-SSL object.

Workaround:
N/A

Fix:
BIG-IQ no longer sends the proxyCaPassphrase object to BIG-IP as part of the deployment process.


911533 : Importing and deploying large configurations

Component: REST Framework and TMOS Platform

Symptoms:
When you perform certain actions that use a lot of BIG-IQ resources (such as importing or deploying a large configuration), BIG-IQ might log you out.

Conditions:
The BIG-IQ is under heavy system strain due to operations related to large configurations.

Impact:
You are logged out of BIG-IQ.

Workaround:
N/A

Fix:
BIG-IQ no longer logs you out when you are importing or deploying a large configuration.


910481-2 : Viewing statistics for BIG-IP version 12.x devices

Component: AppIQ

Symptoms:
For managed BIG-IP v12.x devices, BIG-IQ might stop displaying statistics for the following:
http
pool-member
bigip-asm-violations
bigip-asm-transactions

Conditions:
BIG-IQ is managing a BIG-IP device running version 12.x

Impact:
You cannot view the statistics for:
http
pool-member
bigip-asm-violations
bigip-asm-transactions

Workaround:
For BIG-IQ version 7.0.x, run the following command:
curl -s -XPOST localhost:9200/dynamic_global_parameters/meta-data/use-dimensions-aggregation-dynamic-global-parameters/_update -d '{"script": "ctx._source.map.enabled.value=false"}'

For BIG-IQ version 7.1.X run the following command:
curl -s -XPOST localhost:9200/metadata_dynamic_global_parameters/meta-data/use-dimensions-aggregation-dynamic-global-parameters/_update -d '{"script": "ctx._source.map.enabled.value=false"}'

Fix:
BIG-IP v12.x statistics now display as expected.


910069 : BIG-IQ is unable to manage special BIG-IP with auto-generated certificates

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ fails during the discovery and import process when attempting to discover and import BIG-IP devices with auto-generated certificates.

Conditions:
BIG-IP has a type of certificate that can change automatically and immediately without user input. This is a scenario that the BIG-IQ architecture does not support, causing the discovery and import process to fail for BIG-IP devices with this type of certificate.

Impact:
BIG-IQ cannot manage BIG-IP devices with auto-generated, dynamic certificates.

Workaround:
This issue has been fixed in 7.1.0.1, or customers can simply use a stable certificate for managed BIG-IP devices.

Fix:
BIG-IQ is now able to manage BIG-IP devices whose certificates are automatically generated and changed on BIG-IP.


908505-3 : Managing BIG-IP devices using a large number of virtual servers while running iApp analytics

Component: AppIQ

Symptoms:
Managed BIG-IP devices running iApp analytics log an error message similar to the following in /var/log/ltm:

err scriptd[8484]: 014f0013:3: Script (/Common/bigiq-analytics-send_stats) generated this Tcl error: (script did not successfully complete: (couldn't create pipe: too many open files while executing "exec /usr/bin/tmsh -c "list ltm virtual $virtual_name partition" | grep "partition " | tr -s " " | cut -d " " -f3- " ("foreach" body line 3) invoked from within "foreach virtual $virtual_list { set virtual_name "/[tmsh::get_name $virtual]" set partition_name [exec /usr/bi..." invoked from within "if { [file exists ${filename}0] != 1 || [ expr [clock seconds] - [file mtime ${filename}0] ] > 360 } { set infile [open "$filename$curr..." line:346))

Conditions:
When managing a BIG-IP device with a large number of virtual servers and running iApp analytics.

Impact:
iApp does not collect statistics for virtual server, pool, nodes, or statuses.

Workaround:
A workaround is available for BIG-IQ version 7.1. For more information see: https://support.f5.com/csp/article/K53001642

Fix:
iApp now collects data as expected.


907973-1 : Imported virtual servers with application protection are displayed as unprotected

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Protected virtual servers with a monitoring/blocking application protection policy do not display enforcement mode following import from BIG-IP.

Conditions:
1. On BIG-IQ discover a BIG-IP device with a protected virtual server.

2. Check the virtual server's enforcement mode in the L7 security grid (Monitoring > DASHBOARDS > L7 Security).

Impact:
The virtual server will display 'Not Protected' enforcement status.

Workaround:
PATCH the VS (or update it via UI), wait a minute and it will get the protection mode.

For batch mode, restart restjavad, which marks all vips as dirty and protection mode will be recalculated for all of them.

Fix:
Protected virtual servers imported from a managed BIG-IP device now display the correct enforcement mode.


906121-1 : Adding Pool Members to Resource Groups

Component: BIG-IQ Local Traffic & Management

Symptoms:
When adding a Pool or Virtual Server to a Resource Group, the related Pool Members appear individually instead of all Pool Members.

Conditions:
When adding a Pool or Virtual Server to Resource Group.

Impact:
You must add Pool Members individually to Resource Groups after they are created or they will not be visible to the user with the associated role.

Workaround:
You can use an API call to create a Resource Group (RG) with the pools as you want them and use that Resource Group in a Role.
Here are the steps:

1. Find the pool (or pools) that you want in the role and capture its membersCollectionReference:
GET cm/adc-core/working-config/ltm/pool

2. Modify the JSON body below to match the retrieved pool members URI path
 - change the name, description, and expression (note the /* at the end of the membersCollectionReference URI path)
 - you just need the pool members expression (the pool that owns it will be automatically added to the RG.)
 - you can have more than one expression in the referenceExpressions array.
{
  "resourceGroupName": "workaroundRGSample",
  "resourceGroupDisplayName": "workaroundRGSample",
  "resourceGroupDescription": "",
  "referenceExpressionsPatches": [
    {
      "targetKind": "cm:adc-core:working-config:ltm:pool:members:adcpoolmemberstate",
      "referenceExpressions": [
        {
          "name": "All Pool Members for newPool",
          "description": "All existing and future Pool Members for newPool.",
          "expression": "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*"
        }
      ]
    }
  ]
}

3. POST that to here: /shared/authorization/patch-resource-groups
- Note that this is a declarative API. If you want to change the RG, you need to include ALL expressions that you want in the RG and POST to the same endpoint again. For example, if you wanted to add a pool/members, the body above would contain two referenceExpressions.

4. You'll get a response like this:
{
    "id": "cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b",
    "kind": "shared:authorization:resource-groups:resourcegroupstate",
    "name": "workaroundRGSampleXX",
    "isPublic": true,
    "selfLink": "https://localhost/mgmt/shared/authorization/resource-groups/cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b",
    "isBuiltIn": false,
    "generation": 1,
    "description": "",
    "displayName": "workaroundRGSampleXX",
    "isSystemManaged": false,
    "lastUpdateMicros": 1588021146636422,
    "referenceExpressionCollectionReference": {
        "link": "https://localhost/mgmt/shared/authorization/resource-groups/cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b/reference-expressions",
        "isSubcollection": true
    },
    "differences": {
        "added": [
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members",
            "/cm/adc-core/working-config/ltm/pool",
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*",
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631"
        ],
        "removed": []
    }
}

5. Now create a second Resource Group in the UI that does NOT include the Pool and Pool Members for the VIP.

6. Create a role that includes the RG you manually created above and the second RG (without the Pool and Pool Member) that you created in the UI.
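The body-building part of this workaround, written out as an added example (not F5's code): it derives each `members/*` expression from a pool's membersCollectionReference, builds the complete declarative body, and checks the `differences.added` list in the response for paths outside the intended pools. The pool list is a constructed sample, and the `name` and `link` fields of the pool objects and the second pool's UUID are assumptions.

```python
import json
import re
from urllib.parse import urlparse

POOL_COLLECTION = "/cm/adc-core/working-config/ltm/pool"
MEMBER_KIND = "cm:adc-core:working-config:ltm:pool:members:adcpoolmemberstate"
MEMBERS_PATH = re.compile(re.escape(POOL_COLLECTION) + r"/[0-9a-f-]{36}/members")

# Constructed sample of a GET cm/adc-core/working-config/ltm/pool response.
# Field names other than membersCollectionReference are assumptions.
SAMPLE_POOLS = {"items": [
    {"name": "newPool", "membersCollectionReference": {
        "link": "https://localhost/mgmt" + POOL_COLLECTION
                + "/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members"}},
    {"name": "otherPool", "membersCollectionReference": {
        "link": "https://localhost/mgmt" + POOL_COLLECTION
                + "/00000000-0000-0000-0000-000000000002/members"}},
]}

# The "differences" object from the response shown in step 4.
RESPONSE_FROM_PAGE = {"differences": {"added": [
    POOL_COLLECTION + "/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members",
    POOL_COLLECTION,
    POOL_COLLECTION + "/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*",
    POOL_COLLECTION + "/4c6ad591-26e5-3e5a-bc72-d0eb41dab631",
], "removed": []}}


def members_expression(pool):
    """Turn a pool's membersCollectionReference link into a '/members/*' expression."""
    link = (pool.get("membersCollectionReference") or {}).get("link", "")
    path = urlparse(link).path.rstrip("/")
    if path.startswith("/mgmt/"):
        path = path[len("/mgmt"):]  # expressions are relative to /mgmt
    if not MEMBERS_PATH.fullmatch(path):
        # Refuse anything that is not exactly one pool's members collection,
        # so a malformed link can never widen the grant.
        raise ValueError(f"not a pool members collection: {link!r}")
    return path + "/*"


def build_resource_group_body(group_name, pools_response, pool_names):
    """Build the full declarative body: every pool the RG should cover, every time."""
    by_name = {}
    for pool in pools_response.get("items", []):
        by_name.setdefault(pool.get("name"), []).append(pool)
    expressions = []
    for name in pool_names:
        matches = by_name.get(name, [])
        if len(matches) != 1:
            raise LookupError(f"expected one pool named {name!r}, found {len(matches)}")
        expressions.append({
            "name": f"All Pool Members for {name}",
            "description": f"All existing and future Pool Members for {name}.",
            "expression": members_expression(matches[0]),
        })
    return {
        "resourceGroupName": group_name,
        "resourceGroupDisplayName": group_name,
        "resourceGroupDescription": "",
        "referenceExpressionsPatches": [
            {"targetKind": MEMBER_KIND, "referenceExpressions": expressions}
        ],
    }


def unexpected_grants(body, response):
    """Return paths in differences.added that fall outside the pools in the body."""
    roots = set()
    for patch in body["referenceExpressionsPatches"]:
        for expr in patch["referenceExpressions"]:
            # ".../pool/<id>/members/*" -> ".../pool/<id>"
            roots.add(expr["expression"].rsplit("/members/*", 1)[0])
    extra = []
    for path in response.get("differences", {}).get("added", []):
        if path == POOL_COLLECTION:
            continue  # the collection itself is added automatically (see step 4)
        if any(path == r or path.startswith(r + "/") for r in roots):
            continue
        extra.append(path)
    return extra


if __name__ == "__main__":
    body = build_resource_group_body("workaroundRGSample", SAMPLE_POOLS, ["newPool"])
    print(json.dumps(body, indent=2))  # POST this to /shared/authorization/patch-resource-groups
    print("unexpected grants:", unexpected_grants(body, RESPONSE_FROM_PAGE))
```

Because the endpoint is declarative, rebuild the body with the complete list of pool names on every change rather than posting only the new expression.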

Fix:
This issue is fixed.


905737-2 : Setting up BIG-IQ as a license manager only

Component: BIG-IQ Device Management

Symptoms:
If you are configuring BIG-IQ as a BIG-IP license manager only, selecting the option to skip licensing during setup, setup fails.

Conditions:
Selecting the skip license option when setting up a BIG-IQ to manage licenses for BIG-IP devices.

Impact:
Setup will fail to license a BIG-IP.

Workaround:
When setting up BIG-IQ to only manage licenses for BIG-IP devices, make sure to enter a license manager base registration key during setup.

Fix:
This issue is fixed.


903677 : Related items for a virtual server aren't displayed when creating a resource group

Component: REST Framework and TMOS Platform

Symptoms:
While trying to create resource groups, selecting a Virtual Server returns an empty list of "related items".

Conditions:
Creating a resource group and selecting a virtual server.

Impact:
Apps are unable to query data correctly and may not be seen correctly.

Workaround:
After setup, run the following commands:

sed -i '/document._system_search_tags = row._system_search_tags;/a\ \ \ \ document._searchmeta = row._searchmeta;' /usr/share/rest/tokumon/src/transforms.js

If done after upgrade, execute the following command to reindex:
bigstart kill tokumond

Fix:
This issue no longer occurs.


903121-2 : Evaluating and deploying Access Groups containing a remote desktop configuration

Component: BIG-IQ Access

Symptoms:
When evaluating and deploying Access Groups containing a Remote Desktop configuration to a BIG-IP device, it might fail with the following error: Critical error: Error getting aclOrder value on object.

Conditions:
This error can happen if a Remote Desktop object was created on a managed BIG-IP running version 15.1 or later and then discovered and services imported.

Impact:
You might not be able to deploy configurations containing Remote Desktop objects to managed BIG-IP devices.

Workaround:
To resolve this issue, you can define aclOrder for a Remote Desktop object using the following API calls:

For Remote Desktop - Citrix
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/citrix

For Remote Desktop - RDP
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/rdp

For Remote Desktop - VMWare
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/vmware-view

After defining the aclOrder for the Remote Desktop objects, you should be able to successfully evaluate and deploy this configuration to managed BIG-IP devices.

Fix:
You should be able to import configurations containing Remote Desktop objects and edit and save it on BIG-IQ. You should also be able to deploy configurations containing Remote Desktop objects to target BIG-IP devices from BIG-IQ.


901689-2 : L7 Dashboard grid does not report number of DoS attacks correctly

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The grid for the L7 Security Dashboard does not report attack data, even when objects are under attack.

Conditions:
Go to Monitoring > DASHBOARDS > L7 Security Dashboard
Run a DoS L7 attack
View the attacks in the summary bar (confirming attacks)
View the DoS attacks column in the grid, all report "No Data"

Impact:
No DoS attack count data for column in object grid.

Workaround:
N/A

Fix:
DoS attack information is now displayed correctly in the L7 dashboard.


901625-1 : Analytics dashboards after upgrading to BIG-IQ version 7.1

Component: AppIQ

Symptoms:
In rare instances, statistics data previously gathered might not display in the Applications > Monitoring > DASHBOARDS (excluding Access reports) Application Service dashboards after upgrading to BIG-IQ version 7.1.

Conditions:
1. Upgrade any supported version of BIG-IQ with DCDs to version 7.1.
2. From the user interface, analytics do not include data prior to the upgrade.
3. Two to four days after a successful upgrade, the BIG-IQ logs and /var/log/restjavad.0.log (or /var/log/restjavad.1.log if the log was rotated) must contain the following:
"Analytics script /var/config/appiq/upgrade/upgrade_analytics_reindex_tmstat_statistics_7_0_to_7_1.py finish successfully"

4. You see the message in step 3, but the upgrade scripts are still unable to complete processing data because the maximum number of retries was reached.
When this happens, BIG-IQ logs it in /var/log/upgrade_analytics_data.log. In this case, the log must contain an ERROR entry (not WARN) with the following text:
"ES Post failed for url"
5. From the BIG-IQ command line, run the following command to see if there is some old analytics data that was not converted:
 curl localhost:9200/_cat/indices/statistics* | grep -v '\-group'

If this command returns some indexes after the post-upgrade process finishes, it means that not all old analytics data was upgraded, and that data does not appear after the upgrade.

Impact:
Statistics data gathered before upgrading to BIG-IQ v7.1 might not display.

Workaround:
After you have verified that all 5 conditions are met the workaround is as follows:

1. Copy the pre-upgrade script to a file /tmp/script.sh
For pre-upgrade procedures, see https://techdocs.f5.com/en-us/bigiq-7-1-0/upgrading-big-iq-5-4-7-0-dcd-cluster-latest/upgrading-bigiq-version-5-4-7-0_overview.html
2. Run the file with the added script:
            source /tmp/script.sh
3. Run:
            python2.7 /var/config/appiq/upgrade/upgrade_analytics_reindex_tmstat_statistics_7_0_to_7_1.py
4. The script processes unfinished old analytics data. You can monitor the progress in
/var/log/upgrade_analytics_data.log
At the end of the process you should see the following in the log:
REINDEX statistics completed successfully

The script might run from a couple of hours to a couple of days, depending on the size of the remaining data.

Fix:
Statistics gathered prior to the upgrade now appear in the dashboards as expected after upgrading.


901129-1 : DoS events and DNS Overview screens returns error message

Component: BIG-IQ Configuration - Security - Shared Security

Symptoms:
The DoS Summary events and DNS Overview screens return an error message.

Conditions:
1. Ensure that you have logging configured for DoS Protection.
2. Go to Monitoring > EVENTS > DoS > DoS Summary OR Monitoring > DASHBOARDS > DDoS > DNS Overview.
3. A login window appears, prompting a credential sign-in. You will only need to complete this step once.
5. View the DoS Summary events screen or DNS Overview screen

Impact:
The selected screen returns an error message instead of the expected graphs and system data.

The following is an example of the error message that appears in place of data:

{"code":404,"message":"URI path not registered. Please verify URI is supported and wait for /available suffix to be responsive.","referer":"https://00.00.00/ui/monitoring/dashboards/ddos/dns","restOperationId":32070180,"kind":":resterrorresponse"}

Workaround:
This workaround may expose a system vulnerability. Contact F5 Support, https://support.f5.com/, before attempting to complete this workaround.

1. With user admin credentials, sign into BIG-IQ command line.
2. From /etc/webd/webd.conf remove the comments from the grafana lines
3. Restart your BIG-IQ system

Fix:
DoS Summary events and DNS Overview screens now work as expected for BIG-IQ versions 7.1.0.1 and later.


899789-1 : Viewing BIG-IQ application dashboard after changes to a legacy application service is redeployed to a BIG-IP cluster

Component: BIG-IQ Application Management

Symptoms:
After you make a change to a legacy application service and redeploy it to a BIG-IP cluster, the user assigned to the custom application manager role doesn't see those changes on the BIG-IQ application dashboard.

Conditions:
Update pool members or virtual servers that belong to a legacy application service and redeploy to a BIG-IP cluster.

Impact:
Users assigned to the custom application manager role associated with the legacy application service can't see updates to legacy applications that have had virtual server and pools modified and won't be able to perform operations such as enable/disable/force offline.

The UI displays the error message: "Please add at least one pool first".

Workaround:
1. Log in as admin and delete the legacy application service.
2. Re-create the application and re-assign the custom application manager role to the user.

Fix:
This issue is fixed.


898641-1 : AS3 application deployment UI: persistence methods, iRule & Firewall Address List do not render values from template correctly

Component: BIG-IQ Application Management

Symptoms:
If you use the Basic Schema type, AS3 Deployment incorrectly renders:

-- Persistence methods and iRule fields for Service_HTTP/HTTPS AS3 classes.
-- Addresses field for Firewall_Address_List AS3 class.

Conditions:
This happens when you create an AS3 template Basic Schema type with persistent methods, iRule fields for Service_HTTP/HTTPS classes, and address field for Firewall_Address_List AS3 class and allow the Address property to be editable.

Impact:
BIG-IQ splits out the string in the template into multiple fields.

Workaround:
Use Advanced Schema Type option instead of Basic Schema type.

Fix:
This issue is now fixed.


889049-1 : Deployment and Configuration menus with long virtual server or pool names.

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
The Deployment and Configuration menus are currently not wide enough to display long virtual server and pool names.

Conditions:
This happens if the combination of partition and object names combined exceeds 21 characters.

Impact:
You cannot read the full name of the virtual server or the pool configured for the virtual server.

Fix:
This issue is now fixed.


872849-1 : Signatures in the Web Application Security event logs might not show correct applied blocking masks

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Violation details of Attack Signature Detected, for a Web Application Security policy, report Applied Blocking Masks that are inconsistent with information reported on the host BIG-IP device.

Conditions:
1. Generate a Web Application Security signature violation
2. Select the events and view the Application Blocking Masks in the violation details in the Web Application Security Event Logs (Monitoring > EVENTS > Web Application Security > Event Logs > Events).
3. View the Applied Blocking Settings violation details on the host BIG-IP device.

Impact:
The Applied Blocking Masks found in the Web Application Security event logs display the incorrect blocking masks for the signature violation of a Web Application Security policy.

Workaround:
N/A

Fix:
Detected signatures in the Attack Signature Detected violation now show the correct blocking masks in the BIG-IQ Web Application Security event logs.


872237-3 : CPU spikes when using iApp analytics

Component: AppIQ

Symptoms:
BIG-IQ regularly queries the status of virtual servers and pools on BIG-IP devices running iApp, which can cause CPU spikes when the number of servers and pools is high.

Conditions:
When collecting statistics with iApp on BIG-IP devices that have more than 600 virtual servers and/or 400 pools.

Impact:
CPU cores on BIG-IP device regularly reach maximum usage when statistics collection is enabled.

Workaround:
For BIG-IQ version 7.1, see the following article for a workaround: https://support.f5.com/csp/article/K53001642

Fix:
CPU spikes no longer occur as a result of status queries to BIG-IP devices.


860473-1 : Connection and read timeout settings for the TACACS+ authentication provider

Component: REST Framework and TMOS Platform

Symptoms:
The TACACS+ authentication provider uses a fixed, hard-coded value (5 seconds) for the timeout to get a response from the TACACS+ server. If a request to the TACACS+ server to authenticate a user or to retrieve the user properties does not complete within 5 seconds, the request fails. This causes the BIG-IQ authentication of a remote TACACS+ user to fail as well.

Conditions:
When you use a TACACS+ authentication provider to authenticate to BIG-IQ and the TACACS+ server is too slow, it will probably time out before you get authenticated.

Impact:
TACACS+ user authentication to BIG-IQ fails.

Workaround:
N/A

Fix:
You can now configure the connection timeout and read timeout settings.


859709-2 : Full name of the default pool does not display on the LTM virtual server properties screen

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
LTM Virtual Server properties screen shows only the first 32 to 40 characters of the default pool's full name.

Conditions:
1. Log in with read-only permissions.
2. Navigate to Configuration>LOCAL TRAFFIC>Virtual Servers.
3. Click the name of a virtual server and scroll down to the Default Pool drop-down box.

Impact:
If the default pool has a long name, read-only users cannot see the full name of the default pool.

Workaround:
Keep the pool name shorter than 32 characters.

Fix:
The issue is now fixed.


846665-1 : Authentication to BIG-IQ might fail when using an LDAP or Active Directory authentication provider using LDAPS that has Server Certificate Validation disabled.

Component: REST Framework and TMOS Platform

Symptoms:
When you set up an LDAP or Active Directory authentication provider that uses the LDAPS protocol on TCP port 636 with Server Certificate Validation enabled, and then disable Server Certificate Validation in the authentication provider settings you get an unexpected result.

When the user tries to authenticate to the BIG-IQ, the authentication fails with the error:
 Unable to connect to the authentication server. java.security.cert.CertificateException: No subject alternative names present.

Conditions:
LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then disabled.

Impact:
User authentication to BIG-IQ fails.

Workaround:
There are 3 potential workarounds:

1. Set up the LDAP or Active Directory authentication provider to use StartTLS on TCP port 389 instead of LDAPS on TCP port 636. Ideally, enable 'Server Certificate Validation'.
This is the most secure option.

2. If your LDAP/Active Directory server does not support StartTLS and you need to use LDAPS, set up the authentication provider with 'Server Certificate Validation' enabled.
This option is more secure than the next option.

3. If you need to use LDAPS and for some reason the authentication provider cannot validate the server certificate, then disable certificate validation from the very beginning. If you have first set it up with 'Server Certificate Validation' enabled:
  a. Delete the authentication provider.
  b. Restart restjavad.
  c. Re-create the authentication provider with 'Server Certificate Validation' disabled.

This last option is not recommended, because it is less secure.

Fix:
This has been fixed. User authentication to BIG-IQ does work correctly when you create an LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then you disable it.


843113 : Bulk importing more than 50 certificates and keys for BIG-IP devices

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
After a bulk import of more than 50 BIG-IP certificates and keys, only the first 50 certificates and keys display.

Conditions:
Conduct a bulk import of more than 50 certificates and keys.

Impact:
BIG-IQ displays only the first 50 certificates and keys.

Workaround:
N/A

Fix:
All certificates and keys now properly display.


808133-3 : Analytics iApp pushed from BIG-IQ causes BIG-IP high availability (HA) peers to go out of sync

Component: AppIQ

Symptoms:
BIG-IP high availability (HA) peers going out of sync.

Seeing recurring messages in the audit log that indicate the following:
01420002:5: AUDIT - pid=20880 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify security analytics settings collect-all-dos-statistic enabled

Conditions:
Analytics iApp pushed from BIG-IQ.

Impact:
BIG-IP high availability (HA) peers become out of sync.

Fix:
BIG-IQ HA peers no longer become out of sync when BIG-IQ pushes the iApp.


776021-1 : Modifying a scheduled backup

Component: BIG-IQ System User Interface

Symptoms:
BackupLifeTime is gone after user sets backupCounter

Conditions:
Create a backup with retention policy backupLifeTime, then update it with backupCounter

Impact:
No functional impact but it is confusing.

Workaround:
Don't provide the conflicting parameters backupLifeTime and backupCounter at the same time.

Fix:
backupLifeTime and backupCounter do not coexist. They are two different types of retention policy. You can also see this in the UI, where you can pick only one of them.



Known Issues in BIG-IQ CM v7.1.x


BIG-IQ Configuration - Local Traffic Issues

ID Number Severity Solution Article(s) Description
873917-2 4-Minor   iRules with extremely long names


BIG-IQ Access Issues

ID Number Severity Solution Article(s) Description
807385 4-Minor   Egress gateway pool unselect empty the dropdown


AppIQ Issues

ID Number Severity Solution Article(s) Description
832801 2-Critical   BIG-IP with FIPS and BIG-IQ analytics iApp may become inaccessible
804213 2-Critical   BIG-IQ cannot handle same AVR profile for BIG-IP V13.x and V14.x
907321-1 3-Major   Elasticsearch instance on the BIG-IQ CM generates an OutOfMemory error
898341 3-Major   BIG-IP may stop sending statistics following a DCD reboot
876565-1 3-Major   Log files in /var/log/appiq not removed after 10 days
838265 3-Major   Agentmanager should not depend on elasticsearch cluster status to start
812065 3-Major   Pools & pool-member stats are not collected after upgrade


REST Framework and TMOS Platform Issues

ID Number Severity Solution Article(s) Description
911445-1 2-Critical   When BIG-IQ is performing resource-intensive operations, user sessions might prematurely terminate


BIG-IQ System Issues

ID Number Severity Solution Article(s) Description
940265 4-Minor   New Resource group appears to give access to only one, un-named pool.


BIG-IQ Application Management Issues

ID Number Severity Solution Article(s) Description
945545 3-Major   Permissions for Service Catalog Application roles after upgrading from BIG-IQ 7.1.0 to 7.1.0.1
920461 3-Major   Big-IQ AS3 deployment shows as successful but is not present on the target device

 

Known Issue details for BIG-IQ CM v7.1.x

945545 : Permissions for Service Catalog Application roles after upgrading from BIG-IQ 7.1.0 to 7.1.0.1

Component: BIG-IQ Application Management

Symptoms:
After upgrading from BIG-IQ version 7.1.0 to 7.1.0.1, users assigned to the Service Catalog Application role might lose their permissions to applications.

Conditions:
Users assigned to the Service Catalog Application role attempting to view a service application after upgrading from BIG-IQ version 7.1.0 to 7.1.0.1 get an error message similar to the following: You are not authorized for Virtual Server (or Pool, and so forth) as a none-admin user.

Impact:
The user assigned to the Service Catalog Application role is unable to view application details and BIG-IQ displays an error.

Workaround:
To work around this issue, the BIG-IQ administrator can create an AS3 or Legacy Application Service and add the user to its Manager or Viewer role.


940265 : New Resource group appears to give access to only one, un-named pool.

Component: BIG-IQ System

Symptoms:
Overview:
If you edit the group properties incorrectly, it's possible to make it appear as if a pool has only one, un-named pool member, even though the pool contains multiple pool members.

Conditions:
Steps to Reproduce:
1. Create a new resource group that has access to all pool
  members for all virtual servers:
a. System>ROLE MANAGEMENT>Resource Groups>Add.
b. Type a Name for the group.
c. On the bottom half of the screen, for Select Service,
   choose Local Traffic (LTM).
d. For Select Object Type, choose Virtual Servers Local
   Traffic.
e. For Source, click Any Instance.
f. On the right, clear the RELATED OBJECT TYPES check box,
   and then scroll down and select the Pool Members check
   box.
g. Click Add Selected.
h. Click Save and Close.

2. Edit the group so that it has access only to specific pool
   members:
a. Click on the name of the newly created resource group to
   edit it.
b. On the bottom half of the screen, for Select Service,
   choose Local Traffic (LTM).
d. For Select Object Type, choose Virtual Servers Local
   Traffic.
e. For Source, click Selected Instances, and then select
   a virtual server that has pool members.
f. On the right, clear the RELATED OBJECT TYPES check box,
   and then scroll down and select the Pool Members check
   box.
g. Click Add Selected.

h. Under Selected Resources, expand Pools, and note the
   presence of just one, un-named pool.

Impact:
The resource group is now unusable. It is trying to do two conflicting things at the same time:
 * Grant access to all pool members for all virtual servers.
 * Restrict access to only some pool members on some virtual
   servers.

Workaround:
Delete the mis-formed resource group and create two new ones.

One group grants access to all pool members for all virtual servers.

The second group restricts access to only some pool members on some virtual servers.


920461 : Big-IQ AS3 deployment shows as successful but is not present on the target device

Component: BIG-IQ Application Management

Symptoms:
An AS3 deployment performed via BIG-IQ fails on the target device, but BIG-IQ marks the deployment as successful.

Conditions:
Target device software version is 12.x.

Impact:
The AS3 application shows as successfully deployed in BIG-IQ, but it's not present in the target device.

Workaround:
Upgrade BIG-IP to v14 to work around the error.


911445-1 : When BIG-IQ is performing resource-intensive operations, user sessions might prematurely terminate

Component: REST Framework and TMOS Platform

Symptoms:
When BIG-IQ is performing resource-intensive operations, API responses might be slowed, which can sometimes cause log-in sessions to time out, forcing users to log out of BIG-IQ.

Conditions:
BIG-IQ is performing resource-intensive operations, such as importing large device configurations.

Impact:
Users are forcibly logged out of the BIG-IQ user interface.

Workaround:
None


907321-1 : Elasticsearch instance on the BIG-IQ CM generates an OutOfMemory error

Component: AppIQ

Symptoms:
Under certain conditions the Elasticsearch instance on the BIG-IQ CM might run out of memory, and the following error is observed in the Elasticsearch log:

org.elasticsearch.ElasticsearchException: java.lang.OutOfMemoryError: GC overhead limit exceeded

Conditions:
In order for this issue to occur there must be a very large volume of traffic throughput to your BIG-IP systems.
1. Set up a large-scale BIG-IQ system with 3 DCDs monitoring dozens of BIG-IP devices.

2. Generate a large amount of statistical data collection by sending a high volume of traffic throughput to the BIG-IP devices in your system.

Impact:
The Elasticsearch cluster is not stable and prone to multiple restarts.

Workaround:
If your configuration includes an active/standby pair for your BIG-IQ CM setup, you must perform this procedure on both the active and standby devices.
1. On the BIG-IQ CM node go to:

vi /etc/biq_daemon_provision.json

2. Edit the restjavad memory to include:

"big_iq": {
    "restjavad": {
      "active": true,
      "memory_allocation": {
        "SYS_4GB": "800m",
        "SYS_8GB": "3500m",
        "SYS_16GB": "6000m",
        "SYS_32GB": "12700m", -->>> change this to "10300m"
        "SYS_64GB": "20000m",
        "SYS_128GB": "20000m"
      },
      "new_ratio": {
        "SYS_32GB": "1"
      }
    },

3. Edit the elasticsearch memory ( under "big_iq")

 },
    "elasticsearch": {
      "active": true,
      "memory_allocation": {
        "SYS_4GB": "100m",
        "SYS_8GB": "200m",
        "SYS_16GB": "500m",
        "SYS_32GB": "1600m", -->>> increase this to "4000m"
        "SYS_64GB": "3200m",
        "SYS_128GB": "6400m"
      }
    },

4. Run bigstart restart restjavad

5. Run bigstart restart elasticsearch

6. Reduce the number of shards in the Elasticsearch cluster by running the following API calls one by one on the BIG-IQ CM console:


curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl0\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"PT10H\",\"indexLevel\":\"tl0\",\"aggregationPeriod\":\"PT30S\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"PT1H\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"


curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl1\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P7D\",\"indexLevel\":\"tl1\",\"aggregationPeriod\":\"PT1H\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P1D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"


curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl2\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P180D\",\"indexLevel\":\"tl2\",\"aggregationPeriod\":\"P1D\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P30D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"


curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl3\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P365D\",\"indexLevel\":\"tl3\",\"aggregationPeriod\":\"P30D\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P180D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"


898341 : BIG-IP may stop sending statistics following a DCD reboot

Component: AppIQ

Symptoms:
After rebooting a data collection device, the monitored BIG-IPs might not send statistics to the rebooted DCD.

Conditions:
BIG-IQ CM and DCDs are rebooted.

Impact:
Affected BIG-IPs aren't sending statistics.

Workaround:
Re-enable stats (from BIG-IQ) to the disconnected BIG-IP.


876565-1 : Log files in /var/log/appiq not removed after 10 days

Component: AppIQ

Symptoms:
There are limits on the number and size of log files generated per day, but no control over the number of days the log files are kept. As a result, log files accumulate. This creates a problem for the /var partition and the functionality of certain features.

Conditions:
Frequent logging.

Impact:
Space on the /var partition is consumed, and manual cleanup is required.

Workaround:
1. Manually clean up the log files in the /var/log/appiq subfolders.
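
One way to do the manual cleanup with a review step first, as an added example that is not F5-supplied tooling: the helper name prune_old_logs is hypothetical, and the 10-day cutoff is taken from the issue title.

```shell
#!/bin/sh
# Added example (not F5-supplied tooling). prune_old_logs is a hypothetical helper.
# Usage: prune_old_logs DIR [DAYS] [list|delete]
#   list   (default) prints regular files older than DAYS days, changes nothing
#   delete prints and removes the same set of files
prune_old_logs() {
    dir=$1
    days=${2:-10}      # 10 days: the retention period named in the issue title
    mode=${3:-list}

    # Refuse anything that is not an existing directory, so a typo or an
    # empty variable can never widen the search.
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "prune_old_logs: not a directory: $dir" >&2
        return 2
    fi
    # DAYS must be a plain non-negative integer before it reaches find.
    case $days in
        ''|*[!0-9]*) echo "prune_old_logs: bad day count: $days" >&2; return 2 ;;
    esac

    # -xdev stays on one filesystem; -type f skips directories and symlinks,
    # so the subfolder layout is left intact; -mtime +N selects by last write.
    case $mode in
        list)   find "$dir" -xdev -type f -mtime +"$days" -print ;;
        delete) find "$dir" -xdev -type f -mtime +"$days" -print -exec rm -f -- {} + ;;
        *)      echo "prune_old_logs: mode must be list or delete" >&2; return 2 ;;
    esac
}

# Review first, then delete:
#   prune_old_logs /var/log/appiq 10 list
#   prune_old_logs /var/log/appiq 10 delete
```

Comparing df -h /var before and after the delete pass confirms how much space the old files were holding.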


873917-2 : iRules with extremely long names

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
BIG-IQ cannot display iRules with very long names.

Conditions:
An iRule with an extremely long name.

Impact:
An iRule with an extremely long name is not displayed.


838265 : Agentmanager should not depend on elasticsearch cluster status to start

Component: AppIQ

Symptoms:
The cluster state is red, but the relevant indices for the agentmanager are all fully available.

Conditions:
System has a DCD in its configuration.

Impact:
Customers with functional clusters might stop receiving statistics because the agentmanager will not start.


832801 : BIG-IP with FIPS and BIG-IQ analytics iApp may become inaccessible

Component: AppIQ

Symptoms:
On a BIG-IP with FIPS, having the BIG-IQ analytics iApp installed causes the FIPS integrity check to fail, and the system halts at reboot and becomes inaccessible.

The ltm log will show:

crit root: BIG-IP Integrity Check: [ FAIL ] -- Contact F5 Networks technical support.

The BIG-IP script /usr/libexec/sys-eicheck.py (Integrity Test) will fail due to at least one "critical file(s) missing", namely /etc/avr/tmstat_tables.xml

Conditions:
- FIPS system
- Discover BIG-IP using BIG-IQ device and enable statistics.
- The BIG-IQ analytics iApp will install on BIG-IP.

Impact:
The system is halted or otherwise unusable.

Workaround:
Change permissions on file:

# chmod -x /etc/avr/tmstat_tables.xml

Confirm that the executable flag is set on the file:

# ls -la /usr/libexec/sys-eicheck.py


812065 : Pools & pool-member stats are not collected after upgrade

Component: AppIQ

Symptoms:
In some rare instances after upgrading to BIG-IQ version 7.0, BIG-IQ might not collect pool & pool-member statistics information.

Conditions:
When you upgrade from BIG-IQ version 6.x to 7.0.
To identify the presence of the issue, go to: Monitoring -> Dashboards -> Local Traffic -> Pools & Pool Members.
If stats are displayed - then the upgrade process was completed properly.

Impact:
Statistical information about pool and pool-member activities is not being collected and this information is not displayed in the corresponding dashboards.

Workaround:
The root cause of this problem is in ElasticSearch index mapping. To work around this issue, update the mapping manually:
1. Unzip the attachment and place it under /tmp on the CM.
2. Run ./fix_es_mapping.sh


New mapping definitions take effect after the index is switched, so it can take up to 1 hour before BIG-IQ can collect statistics.


807385 : Egress gateway pool unselect empty the dropdown

Component: BIG-IQ Access

Symptoms:
If you select an existing pool in egress, then deselect it, the pool menu becomes empty.

Conditions:
When you select a pool with an egress, and then deselect it.

Impact:
The pool menu becomes empty.

Workaround:
Switch the gateway pool ratio to default and change back to use existing.


804213 : BIG-IQ cannot handle same AVR profile for BIG-IP V13.x and V14.x

Component: AppIQ

Symptoms:
Due to differences between BIG-IP versions 13.x and 14.x in the AVR Profile, using one AVR profile in BIG-IQ for both fails.

Conditions:
Having a mix of BIG-IPs on version 14.x and previous versions (12.1 or 13.x), or upgrading to 14.x.

Impact:
On discovery: When discovering a 14.x device that was upgraded from 13.x or a prior version, a conflict is raised and the user has to choose which version of the profile to keep.

On deployment: Depending on how a profile was discovered, the deployment will fail when the profile is deployed back to a different BIG-IP version.

Workaround:
Keep different profiles for the v14.x versions and for the previous versions.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************

