Applies To:
BIG-IQ Centralized Management
- 7.1.0
Contents:
Version: 7.1.0.3
Build: 41.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Cumulative fixes from BIG-IQ CM v7.1.0.2 that are included in this release
Cumulative fixes from BIG-IQ CM v7.1.0.1 that are included in this release
Known Issues in BIG-IQ CM v7.1.x
Functional Change Fixes
None
BIG-IQ Configuration - Security - Network Security Fixes
ID Number | Severity | Solution Article(s) | Description |
978405-1 | 3-Major | | You may not be able to edit some Self-IP context objects after a BIG-IQ upgrade |
BIG-IQ Local Traffic & Management Fixes
ID Number | Severity | Solution Article(s) | Description |
816637-1 | 3-Major | | Discovering BIG-IP devices with VLAN failsafe-action option set to failover |
BIG-IQ SSL Orchestrator Fixes
ID Number | Severity | Solution Article(s) | Description |
963993-1 | 3-Major | | Unsuccessful import of SSLO configurations if the BIG-IP device and the BIG-IQ both deployed topologies with the same name |
900849-1 | 4-Minor | | Editing is disabled for deployed SSLO configurations after upgrading your managed BIG-IP devices from version 14.x to 15.x |
REST Framework and TMOS Platform Fixes
ID Number | Severity | Solution Article(s) | Description |
955145-9 | 2-Critical | | REST API not properly handling workers |
918577-1 | 3-Major | | Mcpd reports error message License is not operational |
BIG-IQ Web Application Security (ASM) Fixes
ID Number | Severity | Solution Article(s) | Description |
976241-2 | 3-Major | | Analytics processes got errors because of BK infinite and negative values |
974373-2 | 3-Major | | Failed to delete indices '[]' for index family 'statistics' and index level 'tl0' |
BIG-IQ Application Management Fixes
ID Number | Severity | Solution Article(s) | Description |
952641-1 | 3-Major | | AS3 deployments from BIG-IQ that define a GSLB_Domain using poolsCName instead of pools |
Cumulative fixes from BIG-IQ CM v7.1.0.2 that are included in this release
Functional Change Fixes
None
REST Framework and TMOS Platform Fixes
ID Number | Severity | Solution Article(s) | Description |
911445-3 | 2-Critical | | When BIG-IQ is performing resource-intensive operations, user sessions might prematurely terminate |
Cumulative fixes from BIG-IQ CM v7.1.0.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
901129-1 | CVE-2020-5944 | K57274211 | DoS events and DNS Overview screens returns error message |
Functional Change Fixes
None
BIG-IQ Configuration - Local Traffic Fixes
ID Number | Severity | Solution Article(s) | Description |
917577 | 3-Major | | Importing BIG-IP devices when first character of profile name is a number |
859709-2 | 3-Major | | Full name of the default pool does not display on the LTM virtual server properties screen |
889049-1 | 4-Minor | | Deployment and Configuration menus with long virtual server or pool names. |
843113 | 4-Minor | | Bulk importing more than 50 certificates and keys for BIG-IP devices |
BIG-IQ System User Interface Fixes
ID Number | Severity | Solution Article(s) | Description |
930665 | 3-Major | | Services connecting to postgresql |
776021-1 | 4-Minor | | Modifying a scheduled backup |
BIG-IQ Access Fixes
ID Number | Severity | Solution Article(s) | Description |
925301-2 | 3-Major | | Unable to view Access reports when date/time filter is applied when your computer is set to a non-English language |
922877-2 | 3-Major | | Access Sessions Summary page shows duplicate data for a single session |
922417-2 | 3-Major | | Creating a CSV report for active sessions |
914801-1 | 3-Major | | Creating a local SAML SP service |
912177-2 | 3-Major | | Generating CSV report from Access User Summary |
903121-2 | 3-Major | | Evaluating and deploying Access Groups containing a remote desktop configuration |
939869 | 4-Minor | | Sorting for Attribute Consuming Service menu for SAML Auth Agent |
919093-1 | 4-Minor | | BIG-IQ Access policy branch rule names don't allow '.' |
918997-1 | 4-Minor | | Custom expressions in the Visual Policy Editor will alter new line character for the Variable Assign agent |
916881-2 | 4-Minor | | Deploying an Access policy containing orphaned policy items fails |
BIG-IQ Local Traffic & Management Fixes
ID Number | Severity | Solution Article(s) | Description |
923613-3 | 3-Major | | Discovering a BIG-IP device and importing its services that contain 'bot-profiles' |
915865-1 | 3-Major | | Creating VE on VMWare fails and results in error message |
911765 | 3-Major | | Deploying to BIG-IP with proxyCaPassphrase client-ssl |
910069 | 3-Major | | BIG-IQ is unable to manage special BIG-IP with auto-generated certificates |
906121-1 | 4-Minor | | Adding Pool Members to Resource Groups |
AppIQ Fixes
ID Number | Severity | Solution Article(s) | Description |
943521-1 | 2-Critical | | Retrieving LTM pool data |
942861-1 | 2-Critical | | Retrieving LTM virtual server data |
910481-2 | 3-Major | | Viewing statistics for BIG-IP version 12.x devices |
908505-3 | 3-Major | | Managing BIG-IP devices using a large number of virtual servers while running iApp analytics |
901625-1 | 3-Major | | Analytics dashboards after upgrading to BIG-IQ version 7.1 |
872237-3 | 3-Major | | CPU spikes when using iApp analytics |
808133-3 | 4-Minor | | Analytics iApp pushed from BIG-IQ causes BIG-IP high availability (HA) peers to go out of sync |
BIG-IQ Configuration - Infrastructure Fixes
ID Number | Severity | Solution Article(s) | Description |
933889 | 3-Major | | Discovering and importing BIG-IP LTM with an IPv6 self IP that specifies both a VLAN tag (K15203) and a Route Domain |
927837 | 3-Major | | Renaming an SSL certificate in the Compare Silo page doesn't work |
BIG-IQ Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
905737-2 | 2-Critical | | Setting up BIG-IQ as a license manager only |
REST Framework and TMOS Platform Fixes
ID Number | Severity | Solution Article(s) | Description |
925169-2 | 2-Critical | | BIG-IQ hardware upgrade might fail★ |
911533 | 2-Critical | | Importing and deploying large configurations |
932433 | 3-Major | | Adding a standby BIG-IQ when creating a high availability configuration |
930833 | 3-Major | | Viewing objects as a custom-role user assigned to a custom group |
916441-1 | 3-Major | | Operations using route domains fail with 'invalid input syntax for type inet' |
925545 | 3-Major | | Tokumond hangs on initial indexing |
914757 | 3-Major | | Adding a secondary BIG-IQ to a high availability configuration |
912753 | 3-Major | | Tokumond service restarts due to request timeout |
860473-1 | 3-Major | | Connection and read timeout settings for the TACACS+ authentication provider |
927561 | 4-Minor | | Auto failover for a BIG-IQ high availability configuration |
921989 | 4-Minor | | Querying BIG-IP devices by IP addresses |
903677 | 4-Minor | | Related items for a virtual server aren't displayed when creating a resource group★ |
846665-1 | 4-Minor | | Authentication to BIG-IQ might fail when using an LDAP or Active Directory authentication provider using LDAPS that has Server Certificate Validation disabled. |
BIG-IQ Web Application Security (ASM) Fixes
ID Number | Severity | Solution Article(s) | Description |
937269-1 | 3-Major | | IP address exception configuration in Centralized Policy Builder |
921521-2 | 3-Major | | Policy signatures ready to be enforced are not reported |
872849-1 | 3-Major | | Signatures in the Web Application Security event logs might not show correct applied blocking masks |
907973-1 | 4-Minor | | Imported virtual servers with application protection are displayed as unprotected |
901689-2 | 4-Minor | | L7 Dashboard grid does not report number of DoS attacks correctly |
BIG-IQ Application Management Fixes
ID Number | Severity | Solution Article(s) | Description |
943645 | 3-Major | | Updated AS3 version support |
918493 | 3-Major | | Attempting to use allowVlans and rejectVlans from an AS3 template |
914361 | 3-Major | | Deploying AS3 application service to a managed device after upgrading or rebooting BIG-IQ★ |
899789 | 3-Major | | Viewing BIG-IQ application dashboard after changes to a legacy application service is redeployed to a BIG-IP cluster |
898641 | 4-Minor | | AS3 application deployment UI: persistence methods, iRule & Firewall Address List do not render values from template correctly |
Cumulative fix details for BIG-IQ CM v7.1.0.3 that are included in this release
978405-1 : You may not be able to edit some Self-IP context objects after a BIG-IQ upgrade
Component: BIG-IQ Configuration - Security - Network Security
Symptoms:
After you upgrade your BIG-IQ system from BIG-IQ 5.4 to BIG-IQ 7.1.0.2, you may not be able to edit some of the Self-IP context objects created using a 5.4 BIG-IQ.
Conditions:
This issue will occur when you upgrade your BIG-IQ from BIG-IQ 5.4 to BIG-IQ 7.1.0.2, and try to edit the Self-IP context objects created using the BIG-IQ 5.4 version. This will only occur if you are interacting with BIG-IQ using the UI.
Impact:
You will be unable to edit some Network Security Context objects.
Workaround:
N/A
Fix:
This issue is now fixed and you can now edit network security objects after upgrading BIG-IQ.
976241-2 : Analytics processes got errors because of BK infinite and negative values
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
The Analytics processes appiqpostaggregator and appiqquery don't function correctly and might run out of memory (OOM).
Conditions:
In rare instances, the BK may become corrupted. This may be temporal corruption of the ES cluster.
Impact:
The Analytics processes receive exceptions, which affects their normal functionality.
Fix:
The system now fixes itself when new BK is created for a particular module that becomes corrupted.
974373-2 : Failed to delete indices '[]' for index family 'statistics' and index level 'tl0'
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
In /var/log/appiq/configserver.log there are the following errors:
ERROR c.f.a.c.r.RetentionBySetting [scheduling-1] Failed to deleted indices '[]' for index family 'statistics' and index level 'tl0'
java.lang.ArithmeticException: The calculation caused an overflow: -9223372036854775808 + -3600000
Conditions:
This can occur during statistics collection during normal operation.
Impact:
The analytics processes can raise exceptions, which impacts their normal functionality.
Fix:
This issue is now resolved and the system no longer raises the exceptions that impact functionality.
963993-1 : Unsuccessful import of SSLO configurations if the BIG-IP device and the BIG-IQ both deployed topologies with the same name
Component: BIG-IQ SSL Orchestrator
Symptoms:
You will be unable to import BIG-IP device configurations to BIG-IQ if your BIG-IP devices and your BIG-IQ have any deployed SSLO configurations with the same name.
The import process for all BIG-IP devices with SSLO topology names duplicated in BIG-IQ will fail with the error message "Duplicate names 'sslo_XXXX' detected between the BIG-IP device and BIG-IQ, please delete them on either side, then discover again."
Conditions:
This issue will occur when the name of the SSLO configuration deployed onto the BIG-IP device you want to import is the same as the name of an SSLO configuration originating from a BIG-IP device already being managed by BIG-IQ.
Impact:
You will not be able to discover and import the configuration to the BIG-IQ, unless you delete or rename the SSLO configuration in BIG-IQ causing the issue and re-deploy the topology.
Workaround:
N/A
Fix:
Discovery and import of BIG-IP devices with SSLO provisioned is successful, even when you use the same name for SSLO configurations across multiple BIG-IP devices, provided all BIG-IP devices are running the same SSLO RPM version.
955145-9 : REST API not properly handling workers
Component: REST Framework and TMOS Platform
Symptoms:
Unspecified workers not being handled properly by REST API
Impact:
REST API not following best practice handling some workers
Workaround:
None
Fix:
REST API now following best practice handling workers
952641-1 : AS3 deployments from BIG-IQ that define a GSLB_Domain using poolsCName instead of pools
Component: BIG-IQ Application Management
Symptoms:
If you try to deploy an AS3 template from BIG-IQ that defines a GSLB_Domain using 'poolsCName' instead of 'pools', it fails with the following error: "Failed to execute step SET_TENANT: java.lang.NullPointerException"
Conditions:
Attempting to deploy AS3 deployments from BIG-IQ that define a GSLB_Domain using 'poolsCName' instead of 'pools'.
Impact:
Unable to deploy the Application Service.
Workaround:
Use 'pools' instead of 'poolsCName' for the GSLB_Domain.
Fix:
BIG-IQ now collects the pool value from either 'pools' or 'poolsCName'.
943645 : Updated AS3 version support
Component: BIG-IQ Application Management
Symptoms:
BIG-IQ now includes support for AS3 release 3.22.1.
For more information on BIG-IQ Centralized Management compatibility with AS3, see the following article:
https://support.f5.com/csp/article/K54909607
Conditions:
n/a
Impact:
n/a
Workaround:
n/a
Fix:
n/a
943521-1 : Retrieving LTM pool data
Component: AppIQ
Symptoms:
When querying LTM pools configuration data the service log displays the following error:
2020-09-09 15:09:29,660 ERROR c.f.a.q.c.BigIQConfigDataServiceImpl [XNIO-2 task-6] An Error has occurred reaching the API: /cm/adc-core/working-config/ltm/pool. Returning partial results. Error message: Error while extracting response for type [com.f5.analytics.queryservice.configdata.common.BigIqCollection<com.f5.analytics.queryservice.configdata.adc.pool.AdcPoolItem>] and content type [application/json;charset=UTF-8]; nested exception is org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Missing required creator property 'id' (index 0); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Missing required creator property 'id' (index 0)
Conditions:
This happens when a user without administrative privileges logs into BIG-IQ to view statistics-related data.
Impact:
Non-administrator users might have access to LTM statistics that they are not permitted to view.
Fix:
BIG-IQ now displays pool data only to users with administrative privileges.
942861-1 : Retrieving LTM virtual server data
Component: AppIQ
Symptoms:
When querying LTM virtual server configuration data the service log displays the following error:
ERROR c.f.a.q.c.BigIQConfigDataServiceImpl [XNIO-2 task-4] An Error have occurred reaching the API: /cm/adc-core/working-config/ltm/virtual. Returning partial results. Error message: Error while extracting response for type [com.f5.analytics.queryservice.configdata.common.BigIqCollection<com.f5.analytics.queryservice.configdata.adc.virtualserver.AdcVirtualServerItem>] and content type [application/json;charset=UTF-8]; nested exception is org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Missing required creator property 'deviceReference' (index 6); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Missing required creator property 'deviceReference' (index 6)
Conditions:
This happens when a user without administrative privileges logs into BIG-IQ to view statistics-related data.
Impact:
Non-administrator users might have access to LTM statistics that they are not permitted to view.
Fix:
BIG-IQ now displays virtual server data only to users with administrative privileges.
939869 : Sorting for Attribute Consuming Service menu for SAML Auth Agent
Component: BIG-IQ Access
Symptoms:
Values displayed in the Attribute Consuming Service menu within the SAML Auth Agent in VPE are not sorted, and no search bar is provided.
Conditions:
This occurs when you add a SAML Auth agent to the Visual Policy Editor in an Access policy. Under the properties screen for the agent, the Attribute Consuming Service dropdown is not sorted based on the values displayed.
Impact:
This can make searching for a specific value time consuming, if there are a large number of values in the Attribute Consuming Service menu.
Workaround:
N/A
Fix:
BIG-IQ now displays values sorted in ascending order in the Attribute Consuming Service menu for the SAML Auth agent in the Visual Policy Editor.
937269-1 : IP address exception configuration in Centralized Policy Builder
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
The Centralized Policy Builder does not behave in accordance with the IP Exception (IP Address List in configuration).
Whether an IP is set to be ignored (in learning suggestion) or trusted by the policy builder, it is treated like any IP address.
Conditions:
When you configure an IP address as ignored or trusted by the policy builder in IP Address List, and traffic that can be learned from is sent for that IP address.
Impact:
If the IP address was set to be 'Ignored In Learning Suggestion', it will not be ignored and would impact learning.
If the IP address was set as 'Policy Builder Trusted IP', it will not be considered trusted by the Centralized Policy Builder.
Fix:
Centralized Policy Builder now ignores or trusts IP Addresses correctly according to the Centralized Policy Builder's configuration.
933889 : Discovering and importing BIG-IP LTM with an IPv6 self IP that specifies both a VLAN tag (K15203) and a Route Domain
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
If you discover a BIG-IP device that has an IPv6 self IP that specifies both a VLAN tag (K15203) and a Route Domain, and import its LTM service, the import task fails with a message similar to the following:
"java.lang.IllegalArgumentException: Invalid address: fe80::4%vlan1246%3/64. Only one '%' character is allowed."
Conditions:
A BIG-IP device has a self IP configured with an IPv6 address that specifies both a VLAN tag and a Route Domain.
Impact:
BIG-IQ cannot discover and import the BIG-IP device's LTM service.
Workaround:
If possible, change the IPv6 self IP to use the VLAN tag for a VLAN that is part of the implicit default Route Domain (0). However, if your environment requires the Self IP to use a VLAN that is in an explicit, non-default Route Domain, then no workaround is available.
Fix:
BIG-IQ can now discover and import BIG-IP devices that include IPv6 self IPs specifying both a VLAN tag and a Route Domain.
932433 : Adding a standby BIG-IQ when creating a high availability configuration
Component: REST Framework and TMOS Platform
Symptoms:
When attempting to add a secondary BIG-IQ to create a high availability configuration, when communication fails BIG-IQ incorrectly logs the following message:
"Completed pg_basebackup successfully.".
Conditions:
This happens when you attempt to add a secondary BIG-IQ to the primary BIG-IQ to create a high availability configuration.
Impact:
The BIG-IQ high availability creation fails but appears to be successful from the log message.
Workaround:
N/A
Fix:
If the secondary BIG-IQ does not connect to the primary during the high availability configuration, BIG-IQ now properly logs a failure message.
930833 : Viewing objects as a custom-role user assigned to a custom group
Component: REST Framework and TMOS Platform
Symptoms:
Custom-role users assigned to a custom resource group are not able to view objects they should be able to.
Conditions:
When a user is assigned to a custom role and associated with a custom group, and tries to access objects they have privileges to.
Impact:
Users cannot view objects that they should be able to view.
Workaround:
N/A
Fix:
Users are now able to view the objects they have privileges to.
930665 : Services connecting to postgresql
Component: BIG-IQ System User Interface
Symptoms:
If postgresql is not properly configured to allow SSL connections, services (such as tokumond) fail to connect to postgresql and an error similar to the following is logged in
/var/log/tokumon/current:
2020-07-07_08:25:04.37666 [ERROR] postgresql: Failed connecting to dbConnectUrl:postgres://postgres_replication@[localhost]:<REDACTED>postgres://postgres_replication@[localhost]:5432/bigiq_db - Error: The server does not support SSL connections
Conditions:
This occurs when the postgresql config file at /var/lib/pgsql/data/postgresql.conf has the default SSL settings, instead of "ssl = on". This can happen if the postgresql configuration gets reset to defaults after being configured for SSL connections. Because the SSL certificate and key files exist under /var/lib/pgsql/config, the modifications to the configuration file are assumed to already be complete and are not re-applied.
Impact:
Services are not able to connect to postgres. Setup and bootstrap are unable to complete successfully.
Workaround:
Run the following command to force re-configuration of postgresql:
# ha_generate_certs --force <DISCOVERY_ADDRESS>
Replace <DISCOVERY_ADDRESS> with your BIG-IQ's discovery IP address.
Fix:
Reconfiguring postgresql for SSL mode no longer depends on the absence of the SSL certificate and key files. Instead, the configuration will be updated to SSL mode (if it isn't already in SSL mode) any time ha_generate_certs runs. Since ha_generate_certs runs on bootstrap (on default service startup or on completion of the setup wizard), a misconfiguration will be automatically repaired by running the setup wizard or by restarting services with "bigstart restart".
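The drift condition described for 930665 (certificate and key files present, but postgresql.conf back at its default SSL setting) can be checked with a small parser. This is an added example, not F5 code; the function names and the sample configuration text are constructed for illustration, and the boolean flag for certificate presence is an assumption the caller supplies.

```python
import re

# Boolean spellings PostgreSQL accepts for on/off settings (case-insensitive).
# PostgreSQL also accepts unambiguous prefixes such as "t"; this check reports
# anything outside these sets as unknown instead of guessing.
_TRUE = {"on", "true", "yes", "1"}
_FALSE = {"off", "false", "no", "0"}

# "name = value" or "name value"; value is a single-quoted string or bare token.
# Lines starting with '#' never match because a name must start with a letter.
_SETTING = re.compile(
    r"^\s*(?P<name>[A-Za-z_][\w.]*)\s*(?:=\s*|\s+)"
    r"(?P<value>'(?:[^']|'')*'|[^\s#']+)"
)


def effective_setting(conf_text, name):
    """Return the last uncommented value assigned to `name`, or None."""
    value = None
    for line in conf_text.splitlines():
        match = _SETTING.match(line)
        if match and match.group("name").lower() == name:
            raw = match.group("value")
            if raw.startswith("'"):
                raw = raw[1:-1].replace("''", "'")
            value = raw  # later assignments override earlier ones
    return value


def ssl_enabled(conf_text):
    """True/False for a recognised value, None for an unrecognised one."""
    value = effective_setting(conf_text, "ssl")
    if value is None:
        return False  # PostgreSQL's built-in default is ssl = off
    value = value.lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    return None


def classify(conf_text, cert_material_present):
    """'ok', 'drift' (certs exist but SSL is not on) or 'unconfigured'."""
    if ssl_enabled(conf_text) is True:
        return "ok"
    return "drift" if cert_material_present else "unconfigured"


# Constructed sample configurations (not taken from a real BIG-IQ system).
RESET_TO_DEFAULTS = "#ssl = off\n#ssl_cert_file = 'server.crt'\nmax_connections = 100\n"
SSL_CONFIGURED = "max_connections = 100\nssl = on   # enabled for replication\n"
LATER_OVERRIDE = "ssl = on\nssl = 'off'\n"

if __name__ == "__main__":
    for label, text in [("reset", RESET_TO_DEFAULTS),
                        ("configured", SSL_CONFIGURED),
                        ("override", LATER_OVERRIDE)]:
        print(label, classify(text, cert_material_present=True))
```

The check does not follow include directives, so a setting placed in an included file is not seen.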
927837 : Renaming an SSL certificate in the Compare Silo page doesn't work
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
Renaming a siloed SSL certificate using the Compare Silo page is presented as an option, but it fails with a Java error.
Conditions:
1. Discover a device with an SSL cert that creates a conflict.
2. Import the device to a silo to analyze/resolve conflicts.
3. Type in a New Name for the SSL cert and click Save.
The task fails.
Impact:
You can't use the rename option on the Compare Silo page, but you can achieve the same result using the clone option.
Workaround:
Clone the certificate object and give it a different name; then remove the original (siloed) object.
Fix:
This issue is fixed and available in the 7.1.0.1 release.
927561 : Auto failover for a BIG-IQ high availability configuration
Component: REST Framework and TMOS Platform
Symptoms:
Auto failover fails for BIG-IQ systems in a high availability (HA) configuration.
Conditions:
BIG-IQ configured in an HA auto failover configuration and Tokumond is down on the secondary BIG-IQ system.
Impact:
Auto failover does not happen.
Workaround:
N/A
Fix:
Auto failover now occurs even if Tokumond is down on the secondary BIG-IQ system in the HA configuration.
925301-2 : Unable to view Access reports when date/time filter is applied when your computer is set to a non-English language
Component: BIG-IQ Access
Symptoms:
For BIG-IQ Access dashboards, no data will display when you select the "Before/After/Between" to view reports for a specific date-time range.
Conditions:
This occurs if you set the language on your computer to anything other than US English.
Impact:
You will be unable to view data for all Access dashboards. The error message "No Data Available" displays.
Workaround:
N/A
Fix:
The Access dashboards now display properly when a date-time filter is applied.
925169-2 : BIG-IQ hardware upgrade might fail★
Component: REST Framework and TMOS Platform
Symptoms:
When upgrading BIG-IQ hardware, there is a race condition due to two different services trying to perform disk provisioning that might cause the hardware upgrade to fail.
Conditions:
Upgrading BIG-IQ hardware.
Impact:
The BIG-IQ upgrade fails.
Workaround:
Install BIG-IQ version 7.1.0.x in a new volume. Select the option to not automatically reboot to the new volume.
Mount the new volume using the command: volumeset -f mount {X}.
Edit /mnt/X/etc/bigstart/scripts/tokumx as follows:
- Add the following line after the existing 'setproperties ${service}' line: waitfor_disk_provisioning ${service}
- Replace the existing line 'if [ -f /bin/halid ]; then' with: if false; then
Unmount the new volume with the command: volumeset -f umount {X}.
Reboot to the new volume.
Fix:
BIG-IQ hardware upgrades no longer have two different services attempting to perform the disk provisioning.
923613-3 : Discovering a BIG-IP device and importing its services that contain 'bot-profiles'
Component: BIG-IQ Local Traffic & Management
Symptoms:
After discovering a BIG-IP device and importing its ASM service, BIG-IQ returns an error similar to the following:
-- Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: Invalid entry "bot-defense" in "controls" string, valid options are: [acceleration, asm, avr, caching, ce, classification, client-ssl, compression, forwarding, l7dos, persistence, request-adaptation, response-adaptation, server-ssl, ssl-intercept, websocket].
Conditions:
This happens when you are running BIG-IQ version 7.1.0.
This issue occurs when you import a BIG-IP with the following configuration:
a. BIG-IP contains a Bot Profile
b. BIG-IP contains an LTM Policy attached to this Bot Profile
Impact:
You cannot import the ASM services associated with the discovered BIG-IP device that contains bot-profiles.
BIG-IQ version 7.1.0 does support 'Anti-Bot Detection and Protection'.
Fix:
Discovering a BIG-IP device and importing its ASM services that contain 'bot-profiles' no longer reports an error message.
922877-2 : Access Sessions Summary page shows duplicate data for a single session
Component: BIG-IQ Access
Symptoms:
The Access Session Summary page displays more than one entry per Session ID.
Conditions:
This happens when you view the Access Summary Page at BIG-IQ >> MONITORING >> DASHBOARDS >> Access >> Sessions >> Session Summary page.
Impact:
Some session details distributed across various columns are missing. Session details are duplicated across duplicate rows in the report.
Fix:
Session data is no longer listed twice on the dashboard, and this issue no longer occurs.
922417-2 : Creating a CSV report for active sessions
Component: BIG-IQ Access
Symptoms:
When trying to create a CSV report for active sessions, BIG-IQ returns an error similar to the following: "Error: No handler found for uri.".
Conditions:
This happens if you attempt to generate an Active Sessions report with more than 1,000 records.
Impact:
You cannot generate the CSV reports for Access reporting screens if the report contains a large number of records.
Workaround:
N/A
Fix:
This issue is now resolved and the Active Sessions CSV report properly downloads.
921521-2 : Policy signatures ready to be enforced are not reported
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
Policy signatures that have passed the enforcement readiness period are not reported.
Conditions:
Create an ASM policy using Central Policy Builder and leave it active beyond 7 days (or the policy staging period). Check for signatures ready to be enforced.
Impact:
All signatures report readyToBeEnforced = false, even if there are signatures that passed the staging period.
Workaround:
N/A
Fix:
Policy signatures that have passed the necessary staging period are reported as ready to be enforced.
921989 : Querying BIG-IP devices by IP addresses
Component: REST Framework and TMOS Platform
Symptoms:
When searching for BIG-IP devices by IP addresses, BIG-IQ doesn't always include all results.
Conditions:
Searching for BIG-IP devices by IP addresses.
Impact:
Not all BIG-IP devices are displayed.
Workaround:
sed -i '/document._system_search_tags = row._system_search_tags;/a\ \ \ \ document._ranges = row._ranges;' /usr/share/rest/tokumon/src/transforms.js
bigstart kill tokumond
Fix:
The correct BIG-IP devices are displayed when searching by IP addresses.
919093-1 : BIG-IQ Access policy branch rule names don't allow '.'
Component: BIG-IQ Access
Symptoms:
When you create an Access policy branch rule, BIG-IQ does not allow you to input a branch rule name that contains the '.' punctuation mark.
Conditions:
This issue occurs when you create an Access policy branch rule name that contains the '.' punctuation mark.
Impact:
You won't be able to create an Access policy branch rule with the punctuation mark '.' in the name.
Workaround:
N/A
Fix:
You can now create an Access policy branch rule name with the '.' punctuation in the name. This issue no longer occurs.
918997-1 : Custom expressions in the Visual Policy Editor will alter new line character for the Variable Assign agent
Component: BIG-IQ Access
Symptoms:
A Variable Assign agent in the VPE with custom expressions and attached to an Access policy might change new line characters to "\n". This causes the custom expression to fail with an error.
Conditions:
This error might happen if the Variable Assign agent was created with custom expressions spanning multiple lines. When the policy is deployed to managed BIG-IP devices, the new line characters show up as "\n" instead of actual new lines.
Impact:
The APM custom expression fails to work.
Workaround:
N/A
Fix:
This issue no longer occurs. You can now deploy a Variable Assign agent with multi-line custom expressions, attach it to an Access policy, and deploy it to a BIG-IP device successfully.
918577-1 : Mcpd reports error message License is not operational
Component: REST Framework and TMOS Platform
Symptoms:
BIG-IQ is in Inoperative mode. Mcpd license error logs a message every ten minutes:
License is not operational (expired or digital signature does not match contents).
Conditions:
Installing the BIG-IQ License Manager with the skipLicense option set from GUI.
Impact:
Continuous error messages, and BIG-IQ in Inoperative mode.
Workaround:
None
Fix:
This issue is now fixed.
918493 : Attempting to use allowVlans and rejectVlans from an AS3 template
Component: BIG-IQ Application Management
Symptoms:
When you try to use allowVlans and rejectVlans from an AS3 template that was created from the BIG-IQ user interface, BIG-IQ returns a deployment failure message: "allowVlans: should be array" and deployment fails.
Conditions:
1. Create an AS3 template from BIG-IQ.
2. Select Editable for "VLAN list to allow" (below the Service_HTTP for example).
3. Deploy an AS3 Application Service using the template with a known VLAN entered into "VLAN list to allow".
4. Deployment fails with error: "allowVlans: should be array"
Impact:
You cannot deploy changes to the VLAN.
Workaround:
To work around this, deploy the VLAN from an API.
Fix:
This issue is fixed and you can successfully deploy an AS3 template with a VLAN change from the BIG-IQ user interface.
917577 : Importing BIG-IP devices when first character of profile name is a number
Component: BIG-IQ Configuration - Local Traffic
Symptoms:
The BIG-IQ discover/import process fails when the BIG-IP devices being discovered/imported have configurations with profile or rule names that begin with a number.
Conditions:
A policy rule name starts with a number, for example "8rule". When BIG-IQ sees this, it will fail validation and then fail the discovery/import process.
Impact:
BIG-IQ cannot manage these BIG-IP devices.
Workaround:
Fixed.
Fix:
BIG-IQ can manage BIG-IP devices that have a policy rule name that starts with a number.
916881-2 : Deploying an Access policy containing orphaned policy items fails
Component: BIG-IQ Access
Symptoms:
Deploying an Access policy containing orphaned policy items to a BIG-IP device might fail with the following error:
"Critical Error: The access policy ("access-policy") has an item ("orphaned-policy-item") which is not referenced by any policy rule."
Conditions:
This error can happen if you:
1) Create an Access policy with a branch rule such as "URL Branching".
2) Add another item to that branch.
3) Delete the branch rule in "URL Branching".
4) Deploy the Access policy to a BIG-IP device.
Impact:
You cannot deploy access policies with orphaned policy items.
Fix:
This issue is now fixed and you can now deploy Access policies with orphaned objects.
916441-1 : Operations using route domains fail with 'invalid input syntax for type inet'
Component: REST Framework and TMOS Platform
Symptoms:
The storage system might not recognize an address with a route domain (% followed by a number after the IP address) as a valid address. This could cause operations to fail or to hang. Logs under /var/log/postgres/ show an error similar to:
ERROR: invalid input syntax for type inet: "10.10.1.4%6"
Conditions:
This happens when route domains are used.
Impact:
Operations might fail or hang and errors are logged.
Workaround:
None
Fix:
Addresses containing route domains are now correctly recognized as valid.
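The failure in 916441-1 comes from handing an address%route-domain string to a field that accepts only a bare IP address. The following added example (not F5 code) splits the two parts and picks route-domain failures out of PostgreSQL error lines; the function names, the sample log lines other than the first, and the 0-65534 route domain range are assumptions.

```python
import ipaddress
import re

# Assumption: route domain IDs are decimal integers in the range 0..65534.
MAX_ROUTE_DOMAIN = 65534

# Matches the PostgreSQL error text quoted in the release note.
INET_ERROR = re.compile(r'invalid input syntax for type inet: "([^"]*)"')


def split_route_domain(value):
    """Split 'ADDRESS%ID' into (ip_address object, route domain or None).

    Raises ValueError when the address or the route domain is malformed,
    so a caller never stores a half-validated value.
    """
    addr_text, sep, rd_text = value.partition("%")
    address = ipaddress.ip_address(addr_text)  # ValueError on a bad address
    if not sep:
        return address, None
    if not (rd_text.isascii() and rd_text.isdigit()):
        raise ValueError(f"route domain is not a decimal number: {value!r}")
    route_domain = int(rd_text)
    if route_domain > MAX_ROUTE_DOMAIN:
        raise ValueError(f"route domain out of range: {value!r}")
    return address, route_domain


def route_domain_failures(log_lines):
    """Return (address, route_domain) for each inet error that was caused
    by a route-domain suffix rather than by a genuinely invalid address."""
    results = []
    for line in log_lines:
        match = INET_ERROR.search(line)
        if not match:
            continue
        try:
            address, route_domain = split_route_domain(match.group(1))
        except ValueError:
            continue  # rejected by inet for some other reason
        if route_domain is not None:
            results.append((str(address), route_domain))
    return results


# Constructed sample input: the first line is the error quoted in the
# release note, the remaining lines are made up for this example.
SAMPLE_LOG = [
    'ERROR: invalid input syntax for type inet: "10.10.1.4%6"',
    'ERROR: invalid input syntax for type inet: "2001:db8::10%12"',
    'ERROR: invalid input syntax for type inet: "pool-member-a"',
    'LOG: checkpoint complete',
]

if __name__ == "__main__":
    for address, route_domain in route_domain_failures(SAMPLE_LOG):
        print(f"{address} in route domain {route_domain}")
```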
915865-1 : Creating VE on VMWare fails and results in error message
Component: BIG-IQ Local Traffic & Management
Symptoms:
When deploying a new BIG-IP Virtual Edition from BIG-IQ, you might receive a message similar to the following:
Cannot create VE on vCenter: Could not find VM:<name>. Reason: Failed to create vm: <name> in VMware. Reason: MODULE FAILURE See stdout/stderr for the exact error
Conditions:
This error can happen if there is a mistake in the Cloud Environment configuration. For example, a misspelling, or specifying a VMWare path or object that does not exist.
Impact:
The creation fails and the error message is confusing because it does not specify the reason for the failure.
Workaround:
Check that the object values in the environment are correct.
Review the /var/log/gunicorn.out log for more information.
And check the vCenter Task Console for more details about the error.
Fix:
This issue has been fixed.
914801-1 : Creating a local SAML SP service
Component: BIG-IQ Access
Symptoms:
A local SAML SP service cannot be created with entity ID containing session variables, since host name is a mandatory field for local SP service.
Conditions:
When you create a local SAML SP service with session variables as entity ID and host name is not provided.
Impact:
You are unable to create the service until you specify a hostname.
Workaround:
N/A
Fix:
You are now able to create a local SAML SP service without a hostname.
914757 : Adding a secondary BIG-IQ to a high availability configuration
Component: REST Framework and TMOS Platform
Symptoms:
If you try to add a secondary BIG-IQ to a primary BIG-IQ to create a high availability (HA) configuration and TCP port 5432 between the BIG-IQ systems is not open, the HA configuration attempt fails.
Conditions:
Adding a secondary BIG-IQ to a primary BIG-IQ without the TCP port 5432 open between them. Secondary Postgres cannot be restarted.
Impact:
The HA configuration attempt fails and the first BIG-IQ system deletes the /var/lib/pgsql/data folder.
Workaround:
To fix this issue, open the TCP port 5432 between the BIG-IQ systems and if configured in an auto failover configuration, the BIG-IQ DCD Quorum as well.
Fix:
BIG-IQ now checks to see if the TCP port 5432 is open between the BIG-IQ systems. If it is not open, BIG-IQ returns an error and the high availability status displays as red. You can then remove the standby on the primary, open the connection for TCP port 5432, and re-add the secondary BIG-IQ.
914361 : Deploying AS3 application service to a managed device after upgrading or rebooting BIG-IQ★
Component: BIG-IQ Application Management
Symptoms:
After upgrading BIG-IQ, you are unable to deploy an AS3 application service from BIG-IQ.
Error message:
Failed to get cm-bigip-allBigIpDevices device for address 3.90.185.47 : java.lang.IllegalStateException: Device not found in device group: java.lang.IllegalStateException: Device not found in device group
Conditions:
This happens after you upgrade or reboot BIG-IQ.
Impact:
You cannot deploy an AS3 application service from BIG-IQ.
Workaround:
To work around this issue, from the command line type: bigstart restart restjavad
Fix:
This issue is now fixed.
912753 : Tokumond service restarts due to request timeout
Component: REST Framework and TMOS Platform
Symptoms:
Tokumond occasionally restarts due to searchd service load after 60 seconds on the request.
Conditions:
Large configurations during CPU-heavy operations (discovery/import).
Impact:
Tokumond restarts and needs to be reindexed
Workaround:
Increase the timeout for tokumon. To do this, change line 28 of /usr/share/rest/tokumon/lib/http.js from:
const DEFAULT_REQUEST_TIMEOUT = (1000 * 60);
to:
const DEFAULT_REQUEST_TIMEOUT = (1000 * 120);
Fix:
This issue no longer occurs.
912177-2 : Generating CSV report from Access User Summary
Component: BIG-IQ Access
Symptoms:
When you click the CSV Report button from the Access User Summary (Monitoring >> Dashboard >> Access >> User Summary screen), the following error displays: "Error: Not Authenticated."
Conditions:
This can happen when you click the CSV Report button on Access Reporting page.
Impact:
You can't export or generate the CSV reports for certain Access reporting screens.
Workaround:
N/A
Fix:
This issue no longer occurs and the CSV Report button now works as expected from the Access screen.
911765 : Deploying to BIG-IP with proxyCaPassphrase client-ssl
Component: BIG-IQ Local Traffic & Management
Symptoms:
Deployment from BIG-IQ fails for BIG-IP devices that use a client-ssl proxyCaPassphrase.
Conditions:
A client-SSL object is referenced by other objects like virtual server. The client-SSL object uses the property proxyCaPassphrase, but the property value was empty.
Impact:
Cannot deploy any changes to BIG-IP devices using this type of client-SSL object.
Workaround:
N/A
Fix:
BIG-IQ no longer sends the proxyCaPassphrase object to BIG-IP as part of the deployment process.
911533 : Importing and deploying large configurations
Component: REST Framework and TMOS Platform
Symptoms:
When you perform certain actions that use a lot of BIG-IQ resources (such as importing or deploying a large configuration), BIG-IQ might log you out.
Conditions:
The BIG-IQ is under heavy system strain due to operations related to large configurations.
Impact:
You are logged out of BIG-IQ.
Workaround:
N/A
Fix:
BIG-IQ no longer logs you out when you are importing or deploying a large configuration.
911445-3 : When BIG-IQ is performing resource-intensive operations, user sessions might prematurely terminate
Component: REST Framework and TMOS Platform
Symptoms:
When BIG-IQ is performing resource-intensive operations, API responses might be slowed, which can sometimes cause log-in sessions to time out, forcing users to log out of BIG-IQ.
Conditions:
BIG-IQ is performing resource-intensive operations, such as importing large device configurations.
Impact:
Users are forcibly logged out of the BIG-IQ user interface.
Workaround:
None
Fix:
This issue is now fixed and authorization is maintained even during periods of resource-intensive operations.
925545 : Tokumond hangs on initial indexing
Component: REST Framework and TMOS Platform
Symptoms:
Tokumond hangs during initial indexing and is not able to enter oplog mode.
You may see an error in /var/log/postgresql.log
ERROR: replication slot "ha_replication" does not exist
Conditions:
BIG-IQ with large amounts of configs
Impact:
Tokumond hangs, /var partition may fill up
Workaround:
Restart tokumond by running: bigstart kill tokumond
Fix:
Tokumond should be able to enter oplog mode
910481-2 : Viewing statistics for BIG-IP version 12.x devices
Component: AppIQ
Symptoms:
For managed BIG-IP v12.x devices, BIG-IQ might stop displaying statistics for the following:
http
pool-member
bigip-asm-violations
bigip-asm-transactions
Conditions:
BIG-IQ is managing a BIG-IP device running version 12.x
Impact:
You cannot view the statistics for:
http
pool-member
bigip-asm-violations
bigip-asm-transactions
Workaround:
For BIG-IQ version 7.0.x, run the following command:
curl -s -XPOST localhost:9200/dynamic_global_parameters/meta-data/use-dimensions-aggregation-dynamic-global-parameters/_update -d '{"script": "ctx._source.map.enabled.value=false"}'
For BIG-IQ version 7.1.X run the following command:
curl -s -XPOST localhost:9200/metadata_dynamic_global_parameters/meta-data/use-dimensions-aggregation-dynamic-global-parameters/_update -d '{"script": "ctx._source.map.enabled.value=false"}'
Fix:
BIG-IP v12.x statistics now display as expected.
908505-3 : Managing BIG-IP devices using a large number of virtual servers while running iApp analytics
Component: AppIQ
Symptoms:
Managed BIG-IP devices running iApp analytics log an error message similar to the following in /var/log/ltm:
err scriptd[8484]: 014f0013:3: Script (/Common/bigiq-analytics-send_stats) generated this Tcl error: (script did not successfully complete: (couldn't create pipe: too many open files while executing "exec /usr/bin/tmsh -c "list ltm virtual $virtual_name partition" | grep "partition " | tr -s " " | cut -d " " -f3- " ("foreach" body line 3) invoked from within "foreach virtual $virtual_list { set virtual_name "/[tmsh::get_name $virtual]" set partition_name [exec /usr/bi..." invoked from within "if { [file exists ${filename}0] != 1 || [ expr [clock seconds] - [file mtime ${filename}0] ] > 360 } { set infile [open "$filename$curr..." line:346))
Conditions:
When managing a BIG-IP device with a large number of virtual servers and running iApp analytics.
Impact:
iApp does not collect statistics for virtual server, pool, nodes, or statuses.
Workaround:
A workaround is available for BIG-IQ version 7.1. For more information see: https://support.f5.com/csp/article/K53001642
Fix:
iApp now collects data as expected.
808133-3 : Analytics iApp pushed from BIG-IQ causes BIG-IP high availability (HA) peers to go out of sync
Component: AppIQ
Symptoms:
BIG-IP high availability (HA) peers going out of sync.
Seeing recurring messages in the audit log that indicate the following:
01420002:5: AUDIT - pid=20880 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify security analytics settings collect-all-dos-statistic enabled
Conditions:
Analytics iApp pushed from BIG-IQ.
Impact:
BIG-IP high availability (HA) peers become out of sync.
Fix:
BIG-IQ HA peers no longer become out of sync when BIG-IQ pushes the iApp.
910069 : BIG-IQ is unable to manage special BIG-IP with auto-generated certificates
Component: BIG-IQ Local Traffic & Management
Symptoms:
BIG-IQ fails during the discovery and import process when attempting to discover and import BIG-IP devices with auto-generated certificates.
Conditions:
BIG-IP has a type of certificate that can change automatically and immediately without user input. This is a scenario that the BIG-IQ architecture does not support, causing the discovery and import process to fail for BIG-IP devices with these types of certificates.
Impact:
BIG-IQ cannot manage BIG-IP devices with auto-generated, dynamic certificates.
Workaround:
This issue has been fixed in 7.1.0.1, or customers can simply use a stable certificate for managed BIG-IP devices.
Fix:
BIG-IQ is now able to manage BIG-IP devices where certificates are automatically generated and changed on BIG-IP.
907973-1 : Imported virtual servers with application protection are displayed as unprotected
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
Protected virtual servers with a monitoring/blocking application protection policy do not display enforcement mode following import from BIG-IP.
Conditions:
1. On BIG-IQ discover a BIG-IP device with a protected virtual server.
2. Check the virtual server's enforcement mode in the L7 security grid (Monitoring > DASHBOARDS > L7 Security).
Impact:
The virtual server will display 'Not Protected' enforcement status.
Workaround:
PATCH the VS (or update it via UI), wait a minute and it will get the protection mode.
For batch mode, restart restjavad, which marks all vips as dirty and protection mode will be recalculated for all of them.
Fix:
Protected virtual servers imported from a managed BIG-IP device now display the correct enforcement mode.
906121-1 : Adding Pool Members to Resource Groups
Component: BIG-IQ Local Traffic & Management
Symptoms:
When adding a Pool or Virtual Server to a Resource Group, the related Pool Members appear individually instead of all Pool Members.
Conditions:
When adding a Pool or Virtual Server to Resource Group.
Impact:
You must add Pool Members individually to Resource Groups after they are created or they will not be visible to the user with the associated role.
Workaround:
You can use an API call to create a Resource Group (RG) with the pools as you want them and use that Resource Group in a Role.
Here are the steps:
1. Find the pool (or pools) that you want in the role and capture its membersCollectionReference:
GET cm/adc-core/working-config/ltm/pool
2. Modify the JSON body below to match the retrieved pool members URI path:
- Change the name, description, and expression (note the /* at the end of the membersCollectionReference URI path).
- You need only the pool members expression (the pool that owns it is automatically added to the RG).
- You can have more than one expression in the referenceExpressions array.
{
  "resourceGroupName": "workaroundRGSample",
  "resourceGroupDisplayName": "workaroundRGSample",
  "resourceGroupDescription": "",
  "referenceExpressionsPatches": [
    {
      "targetKind": "cm:adc-core:working-config:ltm:pool:members:adcpoolmemberstate",
      "referenceExpressions": [
        {
          "name": "All Pool Members for newPool",
          "description": "All existing and future Pool Members for newPool.",
          "expression": "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*"
        }
      ]
    }
  ]
}
3. POST that body to: /shared/authorization/patch-resource-groups
- Note that this is a declarative API. If you want to change the RG, you need to include ALL expressions that you want in the RG and POST to the same endpoint again. For example, if you wanted to add a pool/members, the body above would contain two referenceExpressions.
4. You'll get a response like this:
{
  "id": "cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b",
  "kind": "shared:authorization:resource-groups:resourcegroupstate",
  "name": "workaroundRGSampleXX",
  "isPublic": true,
  "selfLink": "https://localhost/mgmt/shared/authorization/resource-groups/cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b",
  "isBuiltIn": false,
  "generation": 1,
  "description": "",
  "displayName": "workaroundRGSampleXX",
  "isSystemManaged": false,
  "lastUpdateMicros": 1588021146636422,
  "referenceExpressionCollectionReference": {
    "link": "https://localhost/mgmt/shared/authorization/resource-groups/cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b/reference-expressions",
    "isSubcollection": true
  },
  "differences": {
    "added": [
      "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members",
      "/cm/adc-core/working-config/ltm/pool",
      "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*",
      "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631"
    ],
    "removed": []
  }
}
5. Now create a second Resource Group in the UI that does NOT include the Pool and Pool Members for the VIP.
6. Create a role that includes the RG you manually created above and the second RG (without the Pool and Pool Member) that you created in the UI.
Fix:
This issue is fixed.
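Because the patch-resource-groups call in the 906121-1 workaround is declarative, the body has to carry every pool's members expression each time, and each wildcard should stay scoped to one pool. The following added example (not F5 code) builds that body from pool records; the function names, the second pool, and the assumption that each pool record exposes name and membersCollectionReference.link (mirroring the link objects in the response above) are not from the original page.

```python
import json
import re
from urllib.parse import urlparse

# Value taken from the workaround body in the release note.
TARGET_KIND = "cm:adc-core:working-config:ltm:pool:members:adcpoolmemberstate"

# Only a members collection that belongs to exactly one pool ID is accepted,
# so the trailing /* can never widen the role to every pool on the system.
MEMBERS_PATH = re.compile(
    r"^/cm/adc-core/working-config/ltm/pool/[0-9a-f-]{36}/members$"
)


def members_expression(pool):
    """Turn a pool's membersCollectionReference link into an RG expression."""
    # Assumption: the reference is an object with a "link" URL.
    path = urlparse(pool["membersCollectionReference"]["link"]).path
    if path.startswith("/mgmt/"):
        path = path[len("/mgmt"):]  # expressions omit the /mgmt prefix
    path = path.rstrip("/")
    if not MEMBERS_PATH.match(path):
        raise ValueError(f"not a single pool's members collection: {path!r}")
    return path + "/*"


def build_resource_group_patch(group_name, pools, description=""):
    """Build the complete declarative body for all pools in the group."""
    expressions = []
    seen = set()
    for pool in pools:
        expression = members_expression(pool)
        if expression in seen:
            continue  # the same pool listed twice adds nothing
        seen.add(expression)
        expressions.append({
            "name": f"All Pool Members for {pool['name']}",
            "description": (
                f"All existing and future Pool Members for {pool['name']}."
            ),
            "expression": expression,
        })
    if not expressions:
        raise ValueError("a resource group needs at least one expression")
    return {
        "resourceGroupName": group_name,
        "resourceGroupDisplayName": group_name,
        "resourceGroupDescription": description,
        "referenceExpressionsPatches": [
            {"targetKind": TARGET_KIND, "referenceExpressions": expressions}
        ],
    }


# Constructed sample input: the first pool ID is the one shown in the
# release note, the second pool is made up for this example.
_BASE = "https://localhost/mgmt/cm/adc-core/working-config/ltm/pool"
CONSTRUCTED_POOLS = [
    {"name": "newPool", "membersCollectionReference": {
        "link": f"{_BASE}/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members"}},
    {"name": "secondPool", "membersCollectionReference": {
        "link": f"{_BASE}/11111111-2222-3333-4444-555555555555/members"}},
]

if __name__ == "__main__":
    body = build_resource_group_patch("workaroundRGSample", CONSTRUCTED_POOLS)
    print(json.dumps(body, indent=2))
```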
905737-2 : Setting up BIG-IQ as a license manager only
Component: BIG-IQ Device Management
Symptoms:
If you are configuring BIG-IQ as a BIG-IP license manager only, selecting the option to skip licensing during setup, setup fails.
Conditions:
Selecting the skip license option when setting up a BIG-IQ to manage licenses for BIG-IP devices.
Impact:
Setup will fail to license a BIG-IP.
Workaround:
When setting up BIG-IQ to only manage licenses for BIG-IP devices, make sure to enter a license manager base registration key during setup.
Fix:
This issue is fixed.
903677 : Related items for a virtual server aren't displayed when creating a resource group★
Component: REST Framework and TMOS Platform
Symptoms:
While trying to create resource groups, selecting a Virtual Server returns an empty list of "related items".
Conditions:
Creating a resource group and selecting a virtual server.
Impact:
Apps are unable to query data correctly and may not be seen correctly.
Workaround:
After setup, run the following commands:
sed -i '/document._system_search_tags = row._system_search_tags;/a\ \ \ \ document._searchmeta = row._searchmeta;' /usr/share/rest/tokumon/src/transforms.js
If done after upgrade, execute the following command to reindex:
bigstart kill tokumond
Fix:
This issue no longer occurs.
903121-2 : Evaluating and deploying Access Groups containing a remote desktop configuration
Component: BIG-IQ Access
Symptoms:
When evaluating and deploying Access Groups containing a Remote Desktop configuration to a BIG-IP device, it might fail with the following error:
"Critical error: Error getting aclOrder value on object."
Conditions:
This error can happen if a Remote Desktop object was created on a managed BIG-IP running version 15.1 or later and then discovered and services imported.
Impact:
You might not be able to deploy configurations containing Remote Desktop objects to managed BIG-IP devices.
Workaround:
To resolve this issue, you can define aclOrder for a Remote Desktop object using the following API calls:
For Remote Desktop - Citrix
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/citrix
For Remote Desktop - RDP
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/rdp
For Remote Desktop - VMWare
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/vmware-view
After defining the aclOrder for the Remote Desktop objects, you should be able to successfully evaluate and deploy this configuration to managed BIG-IP devices.
Fix:
This issue no longer occurs. You should be able to import configurations containing Remote Desktop objects and edit and save it on BIG-IQ. You should also be able to deploy configurations containing Remote Desktop objects to target BIG-IP devices from BIG-IQ.
901689-2 : L7 Dashboard grid does not report number of DoS attacks correctly
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
The grid for the L7 Security Dashboard does not report attack data, even when objects are under attack.
Conditions:
Go to Monitoring > DASHBOARDS > L7 Security Dashboard
Run a DoS L7 attack
View the attacks in the summary bar (confirming attacks)
View the DoS attacks column in the grid, all report "No Data"
Impact:
No DoS attack count data for column in object grid.
Workaround:
N/A
Fix:
DoS attack information is now displayed correctly in the L7 dashboard.
901625-1 : Analytics dashboards after upgrading to BIG-IQ version 7.1
Component: AppIQ
Symptoms:
In rare instances, statistics data previously gathered might not display in the Applications > Monitoring > DASHBOARDS (excluding Access reports) Application Service dashboards after upgrading to BIG-IQ version 7.1.
Conditions:
1. Upgrade any supported version of BIG-IQ with DCDs to version 7.1.
2. From the user interface, analytics do not include data prior to the upgrade.
3. Two to four days after a successful upgrade, the BIG-IQ logs and the /var/log/restjavad.0.log (or /var/log/restjavad.1.log if the log was rotated) must contain the following:
"Analytics script /var/config/appiq/upgrade/upgrade_analytics_reindex_tmstat_statistics_7_0_to_7_1.py finish successfully"
4. You see (3.) but the upgrade scripts are still unable to complete processing data because the maximum number of retries was reached.
When this happens, BIG-IQ logs it in /var/log/upgrade_analytics_data.log.
In this case, the log must contain an ERROR entry (not WARN) with the following text:
"ES Post failed for url"
5. From the BIG-IQ command line, run the following command to see if there is some old analytics data that was not converted:
curl localhost:9200/_cat/indices/statistics* | grep -v '\-group'
If this command returns some indexes after the post-upgrade process finishes, it means that not all of the old analytics data was upgraded, and that data does not appear after the upgrade.
Impact:
Statistics data gathered before upgrading to BIG-IQ v7.1 might not display.
Workaround:
After you have verified that all 5 conditions are met the workaround is as follows:
1. Copy the pre-upgrade script to a file /tmp/script.sh
For pre-upgrade procedures, see https://techdocs.f5.com/en-us/bigiq-7-1-0/upgrading-big-iq-5-4-7-0-dcd-cluster-latest/upgrading-bigiq-version-5-4-7-0_overview.html
2. Run the file with the added script:
source /tmp/script.sh
3. Run:
python2.7 /var/config/appiq/upgrade/upgrade_analytics_reindex_tmstat_statistics_7_0_to_7_1.py
4. The script processes unfinished old analytics data. You can monitor the progress in:
/var/log/upgrade_analytics_data.log
At the end of the process, you should see the following in the log:
REINDEX statistics completed successfully
The script might run from a couple of hours to a couple of days, depending on the size of the remaining data.
Fix:
Statistics gathered prior to the upgrade now appear in the dashboards as expected after upgrading.
901129-1 : DoS events and DNS Overview screens returns error message
Solution Article: K57274211
900849-1 : Editing is disabled for deployed SSLO configurations after upgrading your managed BIG-IP devices from version 14.x to 15.x
Component: BIG-IQ SSL Orchestrator
Symptoms:
After you upgrade your managed BIG-IP devices from any 14.x version to 15.x and try to edit a deployed SSL Orchestrator topology running RPM 5.4, BIG-IQ returns an error. As a result, you are unable to save the SSLO configuration and proceed to the next step.
Conditions:
This issue can happen in BIG-IQ after upgrading your managed BIG-IP devices from 14.x to 15.x.
Impact:
You cannot edit a deployed topology after upgrading a BIG-IP image from 14.X to 15.X.
Workaround:
To resolve this issue follow the steps in the order shown:
1. Re-deploy the security policy used by the topology before editing the topology. Remove all devices from the device page, add the devices back, then re-deploy the policy.
2. Edit the SSLO topology in a topology workflow. Click the topology icon in the first step of the wizard. Do not click Save & Next, and instead click the interception rule icon in the wizard. Update the Access profile in the interception rule page, click Save, and deploy the topology.
Fix:
You can now edit and re-deploy all deployed SSLO configurations after upgrading the managed BIG-IP devices from version 14.x to 15.x.
899789 : Viewing BIG-IQ application dashboard after changes to a legacy application service is redeployed to a BIG-IP cluster
Component: BIG-IQ Application Management
Symptoms:
After you make a change to a legacy application service and redeploy it to a BIG-IP cluster, the user assigned to the custom application manager role doesn't see those changes on the BIG-IQ application dashboard.
Conditions:
Update pool members or virtual servers that belong to a legacy application service and redeploy to a BIG-IP cluster.
Impact:
Users assigned to the custom application manager role associated with the legacy application service can't see updates to legacy applications that have had virtual server and pools modified and won't be able to perform operations such as enable/disable/force offline.
The UI displays the error message: "Please add at least one pool first".
Workaround:
1. Log in as admin and delete the legacy application service.
2. Re-create the application and re-assign the custom application manager role to the user.
Fix:
This issue is fixed.
898641 : AS3 application deployment UI: persistence methods, iRule & Firewall Address List do not render values from template correctly
Component: BIG-IQ Application Management
Symptoms:
If you use the Basic Schema type, AS3 Deployment incorrectly renders:
-- Persistence methods and iRule fields for Service_HTTP/HTTPS AS3 classes.
-- Addresses field for Firewall_Address_List AS3 class.
Conditions:
This happens when you create an AS3 template Basic Schema type with persistent methods, iRule fields for Service_HTTP/HTTPS classes, and address field for Firewall_Address_List AS3 class and allow the Address property to be editable.
Impact:
BIG-IQ splits out the string in the template into multiple fields.
Workaround:
Use Advanced Schema Type option instead of Basic Schema type.
Fix:
This issue is now fixed.
889049-1 : Deployment and Configuration menus with long virtual server or pool names.
Component: BIG-IQ Configuration - Local Traffic
Symptoms:
The Deployment and Configuration menus are currently not wide enough to display long virtual server and pool names.
Conditions:
This happens if the combined length of the partition and object names exceeds 21 characters.
Impact:
You cannot read the full name of the virtual server or the pool configured for the virtual server.
Workaround:
None.
Fix:
This issue is now fixed.
872849-1 : Signatures in the Web Application Security event logs might not show correct applied blocking masks
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
Violation details of Attack Signature Detected, for a Web Application Security policy, report Applied Blocking Masks that are inconsistent with information reported on the host BIG-IP device.
Conditions:
1. Generate a Web Application Security signature violation
2. Select the events and view the Application Blocking Masks in the violation details in the Web Application Security Event Logs (Monitoring > EVENTS > Web Application Security > Event Logs > Events).
3. View the Applied Blocking Settings violation details on the host BIG-IP device.
Impact:
The Applied Blocking Masks found in the Web Application Security event logs display the incorrect blocking masks for the signature violation of a Web Application Security policy.
Fix:
Detected signatures in the Attack Signature Detected violation now show the correct blocking masks in the BIG-IQ Web Application Security event logs.
872237-3 : CPU spikes when using iApp analytics
Component: AppIQ
Symptoms:
BIG-IQ regularly queries the status of virtual servers and pools on BIG-IP devices running iApp, which can cause CPU spikes when the number of servers and pools are high.
Conditions:
When collecting statistics with iApp on BIG-IP devices that have more than 600 virtual servers and/or 400 pools.
Impact:
CPU cores on BIG-IP device regularly reach maximum usage when statistics collection is enabled.
Workaround:
For BIG-IQ version 7.1, see the following article for a workaround: https://support.f5.com/csp/article/K53001642
Fix:
CPU spikes no longer occur as a result of status queries to BIG-IP devices.
860473-1 : Connection and read timeout settings for the TACACS+ authentication provider
Component: REST Framework and TMOS Platform
Symptoms:
The TACACS+ authentication provider uses a fixed, hard-coded value (5 seconds) for the timeout to get a response from the TACACS+ server. If a request to the TACACS+ server to authenticate a user or to retrieve the user properties does not complete within 5 seconds, the request fails. This causes the BIG-IQ authentication of a remote TACACS+ user to fail as well.
Conditions:
When you use a TACACS+ authentication provider to authenticate to BIG-IQ and the TACACS+ server is too slow, it will probably time out before you get authenticated.
Impact:
TACACS+ user authentication to BIG-IQ fails.
Workaround:
N/A
Fix:
You can now configure the connection timeout and read timeout settings.
859709-2 : Full name of the default pool does not display on the LTM virtual server properties screen
Component: BIG-IQ Configuration - Local Traffic
Symptoms:
LTM Virtual Server properties screen shows only the first 32 to 40 characters of the default pool's full name.
Conditions:
1. Log in with read-only permissions.
2. Navigate to Configuration>LOCAL TRAFFIC>Virtual Servers.
3. Click the name of a virtual server and scroll down to the Default Pool drop-down box.
Impact:
If the default pool has a long name, read-only users cannot see the full name of the default pool.
Workaround:
Keep the pool name shorter than 32 characters.
Fix:
The issue is now fixed.
846665-1 : Authentication to BIG-IQ might fail when using an LDAP or Active Directory authentication provider using LDAPS that has Server Certificate Validation disabled.
Component: REST Framework and TMOS Platform
Symptoms:
When you set up an LDAP or Active Directory authentication provider that uses the LDAPS protocol on TCP port 636 with Server Certificate Validation enabled, and then disable Server Certificate Validation in the authentication provider settings you get an unexpected result.
When the user tries to authenticate to the BIG-IQ, the authentication fails with the error:
Unable to connect to the authentication server. java.security.cert.CertificateException: No subject alternative names present.
Conditions:
LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then disabled.
Impact:
User authentication to BIG-IQ fails.
Workaround:
There are 3 potential workarounds:
1. Set up the LDAP or Active Directory authentication provider to use StartTLS on TCP port 389 instead of LDAPS on TCP port 636. Ideally, enable 'Server Certificate Validation'.
This is the most secure option.
2. If your LDAP/Active Directory server does not support StartTLS and you need to use LDAPS, set up the authentication provider with 'Server Certificate Validation' enabled.
This option is more secure than the next option.
3. If you need to use LDAPS and for some reason the authentication provider cannot validate the server certificate, then disable certificate validation from the very beginning. If you have first set it up with 'Server Certificate Validation' enabled:
a. Delete the authentication provider.
b. Restart restjavad.
c. Re-create the authentication provider with 'Server Certificate Validation' disabled.
This last option is not recommended, because it is less secure.
Fix:
This has been fixed. User authentication to BIG-IQ does work correctly when you create an LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then you disable it.
843113 : Bulk importing more than 50 certificates and keys for BIG-IP devices
Component: BIG-IQ Configuration - Local Traffic
Symptoms:
After a bulk import of more than 50 BIG-IP certificates and keys, only the first 50 certificates and keys display.
Conditions:
Conduct a bulk import of more than 50 certificates and keys.
Impact:
BIG-IQ displays only the first 50 certificates and keys.
Workaround:
N/A
Fix:
All certificates and keys now properly display.
816637-1 : Discovering BIG-IP devices with VLAN failsafe-action option set to failover
Component: BIG-IQ Local Traffic & Management
Symptoms:
After upgrading BIG-IQ from v6.1.0 to v7.0.0 and then discovering BIG-IP devices with the VLAN failsafe action option set to failover, BIG-IQ returns the following error:
Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: failsafeAction failover Invalid state - 'failover'. Valid values are [reboot, restart-all, failover-restart-tm]
Error in Restjavad Logs:
Validation failure: java.lang.IllegalArgumentException: failsafeAction failover Invalid state - 'failover'. Valid values are [reboot, restart-all, failover-restart-tm]
Conditions:
This happens after upgrading from BIG-IQ v6.1. to v7.0.0 and you attempt to discover BIG-IP devices that have the LTM service's VLAN failsafe action option set to failover.
Impact:
Fails to discover the device
Workaround:
No viable workaround, EHF required.
Fix:
The values failover and failover-restart-tm have been added to VLAN failsafe action options so that import validation no longer fails.
776021-1 : Modifying a scheduled backup
Component: BIG-IQ System User Interface
Symptoms:
backupLifeTime is gone after the user sets backupCounter.
Conditions:
Create a backup with the retention policy backupLifeTime, then update it with backupCounter.
Impact:
No functional impact, but it is confusing.
Workaround:
Don't provide the conflicting parameters backupLifeTime and backupCounter at the same time.
Fix:
backupLifeTime and backupCounter cannot coexist. They are two different types of retention policies. You can select only one from BIG-IQ.
Known Issues in BIG-IQ CM v7.1.x
BIG-IQ Configuration - Local Traffic Issues
ID Number | Severity | Solution Article(s) | Description |
873917-2 | 4-Minor | iRules with extremely long names |
BIG-IQ Configuration - Security - Shared Security Issues
ID Number | Severity | Solution Article(s) | Description |
921025-1 | 3-Major | Network security log profile changes in 15.1 breaks BIG-IQ import |
BIG-IQ Device User Interface Issues
ID Number | Severity | Solution Article(s) | Description |
976285 | 3-Major | Creating a BIG-IP VE on VMware |
BIG-IQ Access Issues
ID Number | Severity | Solution Article(s) | Description |
807385 | 4-Minor | Egress gateway pool unselect empty the dropdown |
BIG-IQ Local Traffic & Management Issues
ID Number | Severity | Solution Article(s) | Description |
977109-1 | 3-Major | BIG-IQ may report errors when deploying changes to BIG-IP devices |
AppIQ Issues
ID Number | Severity | Solution Article(s) | Description |
832801 | 2-Critical | BIG-IP with FIPS and BIG-IQ analytics iApp may become inaccessible | |
804213 | 2-Critical | BIG-IQ cannot handle same AVR profile for BIG-IP V13.x and V14.x | |
967725 | 3-Major | Data Collection restore task failed with error ES Restore failed to complete★ | |
942849 | 3-Major | When appiqconfig loses connection to Elasticsearch (ES) it is unable to re-establish the connection | |
907321-1 | 3-Major | Elasticsearch instance on the BIG-IQ CM generates an OutOfMemory error | |
898341 | 3-Major | BIG-IP may stop sending statistics following a DCD reboot | |
876565-1 | 3-Major | Log files in /var/log/appiq not removed after 10 days | |
838265 | 3-Major | Agentmanager should not depend on elasticsearch cluster status to start | |
812065 | 3-Major | Pools & pool-member stats are not collected after upgrade | |
978257 | 4-Minor | Monitoring graphs show incorrect start and end times |
BIG-IQ Configuration - Infrastructure Issues
ID Number | Severity | Solution Article(s) | Description |
837541-4 | 4-Minor | BIG-IQ backup/snapshot retention count is not honored |
BIG-IQ Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
771397-1 | 3-Major | License Manager cannot license different devices with the same MAC address (public and private clouds) |
BIG-IQ System Issues
ID Number | Severity | Solution Article(s) | Description |
940265 | 4-Minor | New Resource group appears to give access to only one, un-named pool. |
BIG-IQ Application Management Issues
ID Number | Severity | Solution Article(s) | Description |
969541 | 2-Critical | AS3 Address_Discovery class does not render correctly in BIG-IQ UI | |
969793 | 3-Major | Force-deleting an AS3 application fails. | |
957117 | 3-Major | Deploying AS3 Application Services after upgrading BIG-IQ from version 7.1.0.1 to 7.1.0.2 | |
920461 | 3-Major | Big-IQ AS3 deployment shows as successful but is not present on the target device |
Known Issue details for BIG-IQ CM v7.1.x
978257 : Monitoring graphs show incorrect start and end times
Component: AppIQ
Symptoms:
Under certain circumstances, the time period shown in monitoring graphs when selecting "Last Hour" or "Last 30m" is incorrect - it shows one hour of offset compared to the local time.
Conditions:
The way to reproduce this is to change the computer's timezone. Once the computer timezone is changed, browse to a dashboard (e.g. /monitoring/dashboards/device/health), select "Last Hour" and see the wrong X axis showing times from the future.
Impact:
Graphs display unexpected times.
977109-1 : BIG-IQ may report errors when deploying changes to BIG-IP devices
Component: BIG-IQ Local Traffic & Management
Symptoms:
You see the following error while deploying changes from BIG-IQ to BIG-IP: 'Exception in verifyConfig: java.lang.NullPointerException'
Conditions:
This occurs when BIG-IQ has been managing BIG-IP devices of varying versions. It can also occur with a single BIG-IP device that has been upgraded multiple times.
Impact:
You will be unable to manage the BIG-IP device from BIG-IQ.
Workaround:
If you manage a BIG-IP device of a single version and there are no changes pending on BIG-IQ, you can run 'clear-rest-storage' on BIG-IQ to clear the bad state on BIG-IQ.
If you manage several BIG-IP devices of varying versions, you will be unable to work around this issue.
976285 : Creating a BIG-IP VE on VMware
Component: BIG-IQ Device User Interface
Symptoms:
Unable to assign management IP from IP pool and create a BIG-IP VE in VMware from BIG-IQ. DHCP does work.
Error message: Could not assign mgmt IP address y.y.y.y to xxx. Reason: Unknown.
Conditions:
Use BIG-IP VE Creation feature to create a BIG-IP VE in VMware using an IP Pool on BIG-IQ.
Impact:
The VE created using VMware does not receive a Management IP.
Workaround:
Navigate in BIG-IQ -> Applications -> APPLICATIONS -> Cloud Environments -> <env_name>. Ensure the IP Pool Alias Mapping: IP Pool is set to "None".
969793 : Force-deleting an AS3 application fails.
Component: BIG-IQ Application Management
Symptoms:
When you send a POST request to the force-delete endpoint to delete an AS3 application, the delete fails with an error.
Error message includes: <certificate_key> is pinned to device <device>
Conditions:
This issue happens when a certificate is defined in the AS3 declaration and the device is reimported/rediscovered.
Impact:
You cannot use the force-delete API to delete the application if the certificate and key(s) are already pinned to a device.
Workaround:
Manual workaround:
1) In the UI, navigate to Configuration -> LOCAL TRAFFIC -> Pinning Policies.
2) From Resource Type "SSL Certificates", select the certificate and keys (the ones included in the error message) and remove both of them.
3) Run force-delete.
969541 : AS3 Address_Discovery class does not render correctly in BIG-IQ UI
Component: BIG-IQ Application Management
Symptoms:
A custom AS3 template with an Address_Discovery class can be created in the BIG-IQ UI but when trying to use the template to create Application Services the form does not render correctly.
Conditions:
AS3 Address_Discovery class does not render correctly in BIG-IQ Application Service creation UI.
Impact:
Independent Address_Discovery classes cannot be used in AS3 App Service creation UI.
Workaround:
No Workaround at this time.
967725 : Data Collection restore task failed with error ES Restore failed to complete★
Component: AppIQ
Symptoms:
Regular upgrade fails and the following error message is displayed:
"Failed. Post install task https://localhost/mgmt/cm/shared/esmgmt/post-upgrade/[uuid] failed due to 'Data Collection restore task failed with error ES Restore failed to complete..'"
Conditions:
Upgrading BIG-IQ with data collection devices from version 7.0 or below to version 7.1.
Impact:
Upgrade failure
Workaround:
1. Re-run the regular upgrade.
2. If the failure recurs during post-upgrade, stop all agent managers to avoid new indexing (there is a chance that it won't reproduce, since it depends on whether a new events index was created during the restore).
3. Delete the events index:
curl -X DELETE localhost:9200/events_tl0*
4. Re-run the post-upgrade worker:
curl -X POST localhost:8100/cm/shared/esmgmt/post-upgrade -d '{currentStep: "GET_PRE_UPGRADE_ACCOUNTING"}'
957117 : Deploying AS3 Application Services after upgrading BIG-IQ from version 7.1.0.1 to 7.1.0.2
Component: BIG-IQ Application Management
Symptoms:
After upgrading BIG-IQ from version 7.1.0.1 to 7.1.0.2, deploying AS3 Application Services fails with a 404 error.
Conditions:
BIG-IQ returns a 404 error for "/shared/appsvcs/info" if you attempt to deploy an AS3 Application Service or run the following command from the BIG-IQ command line:
curl -s http://localhost:8105/shared/appsvcs/info
Steps to reproduce:
1. Upgrade BIG-IQ from version 7.1.0.1 to 7.1.0.2.
2. Try to create an AS3 Application Service using a template.
3. Try curl on the AS3 info endpoint: curl -s http://localhost:8105/shared/appsvcs/info
Impact:
AS3 Application Services cannot be deployed.
Workaround:
In some instances, restarting the restnoded service will fix the problem.
1. ssh into BIG-IQ
2. Run the following command:
bigstart restart restnoded
If the problem persists, reinstall AS3 from the RPM:
1. ssh into BIG-IQ.
2. Verify the current AS3 RPM by typing the following command: ls /usr/lib/dco/packages/f5-appsvcs
3. Update AS3 using the version that is present. For example:
rpm -Uvh --force /usr/lib/dco/packages/f5-appsvcs/f5-appsvcs-3.22.1-1.noarch.rpm
942849 : When appiqconfig loses connection to Elasticsearch (ES) it is unable to re-establish the connection
Component: AppIQ
Symptoms:
The ES is filled with hundreds of statistics in _tl0_* indexes because ES on CM fails to reconnect.
Conditions:
The retention of indexes stops working because ES on CM fails to reconnect, which is why the tl0 indexes accumulate.
Impact:
The ES begins to work slowly, is unresponsive, and some indexes are corrupted. Retention stops working.
Workaround:
This workaround applies to version 7.1.x or earlier.
The only workaround is to delete all the statistic_tl0* indexes, and all the red indexes if any.
Workaround to fix the ES connectivity issue on CM:
1. In the CM, edit the file /var/config/appiq/configserver/bin/run_configserver_bigiq.sh
2. After line 71, add the following:
jvm_opts="${jvm_opts} -DES_DATA_SERVICE_HOST=${ES_HOST}"
3. Restart configserver with "bigstart restart appiqconfig"
940265 : New Resource group appears to give access to only one, un-named pool.
Component: BIG-IQ System
Symptoms:
Overview:
If you edit the group properties incorrectly, it's possible to make it appear as if a pool has only one, un-named pool member, even though the pool contains multiple pool members.
Conditions:
Steps to Reproduce:
1. Create a new resource group that has access to all pool members for all virtual servers:
a. System>ROLE MANAGEMENT>Resource Groups>Add.
b. Type a Name for the group.
c. On the bottom half of the screen, for Select Service, choose Local Traffic (LTM).
d. For Select Object Type, choose Virtual Servers Local Traffic.
e. For Source, click Any Instance.
f. On the right, clear the RELATED OBJECT TYPES check box, and then scroll down and select the Pool Members check box.
g. Click Add Selected.
h. Click Save and Close.
2. Edit the group so that it has access only to specific pool members:
a. Click on the name of the newly created resource group to edit it.
b. On the bottom half of the screen, for Select Service, choose Local Traffic (LTM).
d. For Select Object Type, choose Virtual Servers Local Traffic.
e. For Source, click Selected Instances, and then select a virtual server that has pool members.
f. On the right, clear the RELATED OBJECT TYPES check box, and then scroll down and select the Pool Members check box.
g. Click Add Selected.
h. Under Selected Resources, expand Pools, and note the presence of just one, un-named pool.
Impact:
The resource group is now unusable. It is trying to do two conflicting things at the same time:
* Grant access to all pool members for all virtual servers.
* Restrict access to only some pool members on some virtual servers.
Workaround:
Delete the mis-formed resource group and create two new ones.
One group grants access to all pool members for all virtual servers.
The second group restricts access to only some pool members on some virtual servers.
921025-1 : Network security log profile changes in 15.1 breaks BIG-IQ import
Component: BIG-IQ Configuration - Security - Shared Security
Symptoms:
New storage fields included in BIG-IP 15.1.x are not validated in BIG-IQ, which causes import failures.
Conditions:
Import Network Security logs from BIG-IP v15.1.x that include storage values.
Impact:
Importing a Network Security log with storage fields results in the following error messages:
restjavad.4.log:[ERROR][19 Jun 2020 09:18:34 CEST][/cm/security-shared/working-config/log-profiles/232543a8-6e3e-3e3a-a42c-d2c592d223d4/network WorkingProfileNetworkCollectionWorker] Validation failure: java.lang.IllegalArgumentException: Invalid format field value : dest_ipint_categories
restjavad.4.log:[ERROR][19 Jun 2020 09:18:34 CEST][/cm/security-shared/tasks/config-copy/b16532b8-fd5d-431a-87cf-486ac566b9ad/worker SharedConfigCopyTaskWorker] Failed POST to target https://localhost/mgmt/cm/security-shared/working-config/log-profiles/232543a8-6e3e-3e3a-a42c-d2c592d223d4/network: java.lang.IllegalArgumentException: Invalid format field value : dest_ipint_categorie
920461 : Big-IQ AS3 deployment shows as successful but is not present on the target device
Component: BIG-IQ Application Management
Symptoms:
An AS3 deployment performed via BIG-IQ fails on the target device, but BIG-IQ marks the deployment as successful.
Conditions:
Target device software version is 12.x.
Impact:
The AS3 application shows as successfully deployed in BIG-IQ, but it's not present in the target device.
Workaround:
Upgrade BIG-IP to v14 to work around the error.
907321-1 : Elasticsearch instance on the BIG-IQ CM generates an OutOfMemory error
Component: AppIQ
Symptoms:
Under certain conditions, the Elasticsearch instance on the BIG-IQ CM might run out of memory, and the following error is observed in the Elasticsearch log:
org.elasticsearch.ElasticsearchException: java.lang.OutOfMemoryError: GC overhead limit exceeded
Conditions:
In order for this issue to occur there must be a very large volume of traffic throughput to your BIG-IP systems.
1. Set up a large-scale BIG-IQ system with 3 DCDs monitoring dozens of BIG-IP devices.
2. Generate a large amount of statistical data collection by sending a high volume of traffic throughput to the BIG-IP devices in your system.
Impact:
The Elasticsearch cluster is not stable and prone to multiple restarts.
Workaround:
If your configuration includes an active/standby pair for your BIG-IQ CM setup, you must perform this procedure on both the active and standby devices.
1. On the BIG-IQ CM node, open the following file for editing:
vi /etc/biq_daemon_provision.json
2. Edit the restjavad memory to include:
"big_iq": {
    "restjavad": {
        "active": true,
        "memory_allocation": {
            "SYS_4GB": "800m",
            "SYS_8GB": "3500m",
            "SYS_16GB": "6000m",
            "SYS_32GB": "12700m", -->>> change this to "10300m"
            "SYS_64GB": "20000m",
            "SYS_128GB": "20000m"
        },
        "new_ratio": {
            "SYS_32GB": "1"
        }
    },
3. Edit the elasticsearch memory (under "big_iq"):
    },
    "elasticsearch": {
        "active": true,
        "memory_allocation": {
            "SYS_4GB": "100m",
            "SYS_8GB": "200m",
            "SYS_16GB": "500m",
            "SYS_32GB": "1600m", -->>> increase this to "4000m"
            "SYS_64GB": "3200m",
            "SYS_128GB": "6400m"
        }
    },
4. Run bigstart restart restjavad
5. Run bigstart restart elasticsearch
6. Reduce the number of shards in the Elasticsearch cluster by running the following API calls one by one on the BIG-IQ CM console:
curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl0\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"PT10H\",\"indexLevel\":\"tl0\",\"aggregationPeriod\":\"PT30S\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"PT1H\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"
curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl1\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P7D\",\"indexLevel\":\"tl1\",\"aggregationPeriod\":\"PT1H\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P1D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"
curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl2\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P180D\",\"indexLevel\":\"tl2\",\"aggregationPeriod\":\"P1D\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P30D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"
curl localhost:8898/mgmt/ap/v1/platform-config/resources/ap:es:time_based_index/es-index -H "Content-Type: application/json;charset=UTF-8" -X PATCH -d \
"{\"indexFamily\":\"statistics\",\"deploymentTarget\":\"any\",\"id\":\"es-index-statistics-tl3\",\"ownerGroup\":\"appiq\",\"kind\":\"ap:es:time_based_index\",\"retentionTime\":\"P365D\",\"indexLevel\":\"tl3\",\"aggregationPeriod\":\"P30D\",\"dateTimeFormat\":\"YYYY-DDD-HH\",\"rotationPeriod\":\"P180D\",\"settings\":{\"index.number_of_replicas\": 1 , \"index.number_of_shards\": 3 }}"
898341 : BIG-IP may stop sending statistics following a DCD reboot
Component: AppIQ
Symptoms:
After rebooting a data collection device, the monitored BIG-IPs might not send statistics to the rebooted DCD.
Conditions:
BIG-IQ CM and DCDs are rebooted.
Impact:
Affected BIG-IPs aren't sending statistics.
Workaround:
Re-enable stats (from BIG-IQ) to the disconnected BIG-IP.
876565-1 : Log files in /var/log/appiq not removed after 10 days
Component: AppIQ
Symptoms:
There are limits on the number and size of log files generated per day, but no control over the number of days the log files are kept. Because of this, log files accumulate. This creates a problem for the /var partition and the functionality of certain features.
Conditions:
Frequent logging
Impact:
Space on the /var partition is consumed, and manual cleanup is required.
Workaround:
1. Manually clean up the log files in the /var/log/appiq subfolders.
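One way to script the manual cleanup in this workaround, as an added example that is not F5 code. The function names are hypothetical, and it assumes every regular file under the chosen directory is a disposable log; the directory and the 10-day age come from the issue title.

```shell
#!/bin/sh
# Added example (not F5 code): list or remove regular files older than N days
# under a log directory such as /var/log/appiq.
# Assumption: every regular file under the directory is a disposable log.

# prune_old_logs DIR DAYS [delete]
#   Prints one matching path per line. Files are removed only when the third
#   argument is "delete"; otherwise this is a dry run. Returns 2 on bad input.
prune_old_logs() {
    dir=$1
    days=$2
    mode=${3:-list}

    case $days in
        ''|*[!0-9]*) echo "DAYS must be a non-negative integer" >&2; return 2 ;;
    esac
    case $dir in
        ''|/) echo "refusing to operate on '$dir'" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 2; }

    # -xdev    : stay on the filesystem that holds DIR
    # -type f  : regular files only, so directories and symlinks are skipped
    # -mtime +N: last modified more than N whole days ago, so a log that is
    #            still being written is never matched
    if [ "$mode" = delete ]; then
        find "$dir" -xdev -type f -mtime +"$days" -print -exec rm -f -- {} +
    else
        find "$dir" -xdev -type f -mtime +"$days" -print
    fi
}

# count_old_logs DIR DAYS: number of files a prune would remove.
count_old_logs() {
    prune_old_logs "$1" "$2" list | wc -l | tr -d ' '
}
```

Run `prune_old_logs /var/log/appiq 10` first to review the list, then repeat with `delete` as the third argument.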
873917-2 : iRules with extremely long names
Component: BIG-IQ Configuration - Local Traffic
Symptoms:
BIG-IQ cannot display iRules with very long names.
Conditions:
An iRule with an extremely long name.
Impact:
An iRule with an extremely long name is not displayed.
Workaround:
N/A.
838265 : Agentmanager should not depend on elasticsearch cluster status to start
Component: AppIQ
Symptoms:
The cluster state is red, but the relevant indices for the agentmanager are all fully available.
Conditions:
System has a DCD in its configuration.
Impact:
Customers with functional clusters might stop receiving statistics because the agentmanager will not start.
837541-4 : BIG-IQ backup/snapshot retention count is not honored
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
Backup snapshot schedule retention parameters are not honored.
Conditions:
You have created a backup schedule with a maximum of snapshots and the count of snapshots exceeds a specified amount, but the older snapshots are not deleted.
Impact:
This can cause /var to run out of disk space.
832801 : BIG-IP with FIPS and BIG-IQ analytics iApp may become inaccessible
Component: AppIQ
Symptoms:
On a BIG-IP with FIPS, installing the BIG-IQ analytics iApp causes FIPS to fail the integrity check, and the system halts at reboot and becomes inaccessible.
The ltm log will show:
crit root: BIG-IP Integrity Check: [ FAIL ] -- Contact F5 Networks technical support.
The BIG-IP script /usr/libexec/sys-eicheck.py (Integrity Test) will fail due to at least one "critical file(s) missing", namely /etc/avr/tmstat_tables.xml
Conditions:
- FIPS system
- Discover BIG-IP using BIG-IQ device and enable statistics.
- The BIG-IQ analytics iApp will install on BIG-IP.
Impact:
The system is halted or otherwise unusable.
Workaround:
Change permissions on file:
# chmod -x /etc/avr/tmstat_tables.xml
Confirm executable flag set on file:
# ls -la /usr/libexec/sys-eicheck.py
812065 : Pools & pool-member stats are not collected after upgrade
Component: AppIQ
Symptoms:
In some rare instances after upgrading to BIG-IQ version 7.0, BIG-IQ might not collect pool & pool-member statistics information.
Conditions:
When you upgrade from BIG-IQ version 6.x to 7.0.
To identify the presence of the issue, go to: Monitoring -> Dashboards -> Local Traffic -> Pools & Pool Members.
If stats are displayed, then the upgrade process was completed properly.
Impact:
Statistical information about pool and pool-member activities is not being collected and this information is not displayed in the corresponding dashboards.
Workaround:
The root cause of this problem is in ElasticSearch index mapping. To work around this issue, update the mapping manually:
1. Unzip the attachment and place it under /tmp on the CM.
2. Run ./fix_es_mapping.sh
New mapping definitions take effect after the index is switched, so it can take up to 1 hour before BIG-IQ can collect statistics.
807385 : Egress gateway pool unselect empty the dropdown
Component: BIG-IQ Access
Symptoms:
If you select an existing pool in egress, then deselect it, the pool menu becomes empty.
Conditions:
When you select a pool with an egress, and then deselect it.
Impact:
The pool menu becomes empty.
Workaround:
Switch the gateway pool ratio to default and change back to use existing.
804213 : BIG-IQ cannot handle same AVR profile for BIG-IP V13.x and V14.x
Component: AppIQ
Symptoms:
Due to differences between BIG-IP versions 13.x and 14.x in the AVR Profile, using one AVR profile in BIG-IQ for both fails.
Conditions:
Having mix of BIG-IPs in versions 14.x and previous versions (12.1 or 13.x), or upgrading to 14.x.
Impact:
On discovery: When discovering a 14.x device that was upgraded from 13.x or a prior version, a conflict is raised and the user has to choose which version of the profile to keep.
On deployment: Depending on how a profile was discovered, when it is deployed back to a different BIG-IP version, the deployment will fail.
Workaround:
Keep different profiles for the v14.x versions and for the previous versions.
771397-1 : License Manager cannot license different devices with the same MAC address (public and private clouds)
Component: BIG-IQ Device Management
Symptoms:
BIG-IQ does not issue licenses to different devices with the same MAC address.
Conditions:
Different devices with the same MAC address (common in public and private clouds).
Impact:
License Manager cannot issue licenses.
Workaround:
N/A
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade.
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/