Applies To:
BIG-IQ Centralized Management
- 8.0.0
BIG-IQ CM Release Information
Version: 8.0.0.1
Build: 41.0
Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Known Issues in BIG-IQ CM v8.0.x
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
989929-4 | 3-Major | | Sorting lists by description field |
1011877 | 3-Major | | Resizing partitions after upgrading |
BIG-IQ Configuration - Security - Network Security Fixes
ID Number | Severity | Solution Article(s) | Description |
998805-3 | 3-Major | | Duplicated entries display when viewing Related Items for a particular object |
BIG-IQ Local Traffic & Management Fixes
ID Number | Severity | Solution Article(s) | Description |
977109-4 | 3-Major | | BIG-IQ might report errors when deploying changes to BIG-IP devices |
AppIQ Fixes
ID Number | Severity | Solution Article(s) | Description |
996601-5 | 2-Critical | | Virtual Server, Pool, Pool Member and Node status might not display properly for BIG-IP versions 15.x or 16.x |
1000061-1 | 2-Critical | | Elasticsearch process in DCDs restarts every few hours |
996829-2 | 3-Major | | User configured statistics retention might not work correctly for BIG-IQ v7.1.0 or v8.0.0 |
909205-1 | 3-Major | | BIG-IQ statistics reports are missing the latest event data |
1005049-1 | 3-Major | | DCD cluster stops working after adding a DCD or a standby BIG-IQ to a high availability configuration |
BIG-IQ Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
998877-3 | 4-Minor | | Purging User Script execution logs |
BIG-IQ DNS Management Fixes
ID Number | Severity | Solution Article(s) | Description |
1011941-4 | 3-Major | | Admin users can run arbitrary commands on the BIG-IQ configuration utility |
REST Framework and TMOS Platform Fixes
ID Number | Severity | Solution Article(s) | Description |
995837-2 | 3-Major | K07869171 | BIG-IQ displays the message "Waiting for BIG-IQ services to become available..." after upgrading to version 8.0.0★ |
823565-1 | 3-Major | | BIG-IQ REST framework JVM process fails intermittently |
BIG-IQ Web Application Security (ASM) Fixes
ID Number | Severity | Solution Article(s) | Description |
1004421-2 | 3-Major | | ASM policy is removed after LTM virtual server deployment |
Cumulative fix details for BIG-IQ CM v8.0.0.1 that are included in this release
998877-3 : Purging User Script execution logs
Component: BIG-IQ Device Management
Symptoms:
BIG-IQ purges User Script execution logs after 14 days.
Conditions:
After 14 days, BIG-IQ purges User Script execution logs.
Impact:
You cannot change the 14-day purge setting from the user interface.
Workaround:
See Fix Text
Fix:
You can now configure the User Script execution log purge interval from the command line by setting a value for: platform.miscellaneous.userScriptTaskPurgeDays in /var/config/rest/config/restjavad.properties.json
998805-3 : Duplicated entries display when viewing Related Items for a particular object
Component: BIG-IQ Configuration - Security - Network Security
Symptoms:
If more than three items of a particular type (for example, Address List, Port List, Rules, Rule List) are attached to a Firewall policy on a managed BIG-IP device, BIG-IQ might display duplicate entries in a list when you click Show Related Items.
Conditions:
-- Attach more than 3 items of a particular kind to a Firewall Policy.
-- Select the Firewall Policy from the list and click Show Related Items.
Impact:
BIG-IQ displays duplicate objects.
Workaround:
This issue has no impact on BIG-IQ management functionality.
Fix:
This issue is fixed and you now see the correct number of objects when you click on Show Related Items for a policy.
996829-2 : User configured statistics retention might not work correctly for BIG-IQ v7.1.0 or v8.0.0
Component: AppIQ
Symptoms:
User configured analytics statistics retention (real-time, hourly, daily, monthly) might not work as expected in BIG-IQ v7.1.0 after upgrading from 7.0.X, or for BIG-IQ v8.0.0 after upgrading from BIG-IQ 7.1.0. This setting is configured from BIG-IQ by navigating to System -> BIG-IQ DATA COLLECTION -> BIG-IQ Data Collection Cluster -> Configuration -> Statistics Data Collection -> Configure Retention.
Conditions:
For the issue to occur, the following conditions must be met:
1. Upgrade BIG-IQ v7.0.x to v7.1.0 or upgrade BIG-IQ v7.0.X to v7.1.0 and then to v8.0.0. NOTE: If there was an incremental upgrade from v7.0.x to v7.1.0.1, 7.1.0.2 or 7.1.0.3 this issue will not occur.
2. After upgrading, change the retention under System -> BIG-IQ DATA COLLECTION -> BIG-IQ Data Collection Cluster -> Configuration -> Statistics Data Collection -> Configure Retention. For example, adjust "real-time" to another value.
3. During the upgrade process, restart appiqconfig from BIG-IQ using the command: "bigstart restart appiqconfig"
4. View data in System -> BIG-IQ DATA COLLECTION -> BIG-IQ Data Collection Cluster -> Configuration -> Statistics Data Collection -> Configure Retention and see that the value is not what was previously configured.
Impact:
If default retention values were changed, and the config server was restarted, BIG-IQ reloads the previous retention value or might remove the user-configured retention data.
For example, if the retention for raw-data was 10 hours and then was adjusted to 13 hours, then after the appiqconfig restart, the retention will be 10 hours again and the 3 oldest indexes of raw data are deleted.
Workaround:
If this issue is recognized according to conditions above then the workaround is as follows:
For BIG-IQ v7.1.0:
1. From the BIG-IQ command line, run the following command:
curl -XPOST -s localhost:9200/metadata_indices_management/meta-data/_delete_by_query -H 'Content-Type: application/json' -d '
{"query":{"bool":{"must":{"match":{"indexFamily":"statistics"}},"must_not":{"term":{"_id":"statistics"}}}}}'
2. Restart the appiqconfig by running the following command:
bigstart restart appiqconfig
For BIG-IQ v8.0.0:
1. From the BIG-IQ command line, run the following command:
curl -XPOST -ks https://localhost:9200/metadata_indices_management/meta-data/_delete_by_query -H 'Content-Type: application/json' -d '
{"query":{"bool":{"must":{"match":{"indexFamily":"statistics"}},"must_not":{"term":{"_id":"statistics"}}}}}'
2. Restart the appiqconfig by running the following command:
bigstart restart appiqconfig
Fix:
Statistics data retained as expected following an upgrade.
996601-5 : Virtual Server, Pool, Pool Member and Node status might not display properly for BIG-IP versions 15.x or 16.x
Component: AppIQ
Symptoms:
BIG-IQ might not properly display the status of Virtual Servers, Pools, Pools Members and Nodes configured on managed BIG-IP devices running versions 15.x and 16.x that have DNS configured.
When this happens, BIG-IQ logs the following in /var/log/appiq/agentmanager.log:
java.lang.ArrayIndexOutOfBoundsException: 1
Conditions:
Managing BIG-IP devices running v15.X and 16.x that have one or more Wide-IPs configured in the DNS (GTM) configuration, with LTM status updates from DCDs enabled on BIG-IQ.
restcurl -X PUT /cm/adc-core/current-config/stats-refresh -d '
{ "isMonitorRunning": true,
"useAppIqDcd": true,
"pollingIntervalSeconds": 300 }'
Impact:
BIG-IQ doesn't properly display the status of LTM objects on the application dashboards for DNS application services on the Applications > APPLICATIONS screen.
Workaround:
Use one of the following workarounds to fix this issue.
1. Disable the LTM status collection from the DCD and allow status to be collected directly by BIG-IQ. This option might increase the CPU usage, see article K91114310 titled: Reducing the performance impact of BIG-IQ statistics gathering on managed BIG-IP systems at support.f5.com/csp/article/K91114310.
2. Update the analytics iApp RPM. For more information, see article K53001642 titled: Updating the BIG-IQ iApp to prevent BIG-IP performance issues on managed BIG-IP systems and improve DNS statistics collection at https://support.f5.com/csp/article/K53001642
Fix:
The iApp script installed by the BIG-IQ on managed BIG-IP devices now allows the system to display objects as expected.
995837-2 : BIG-IQ displays the message "Waiting for BIG-IQ services to become available..." after upgrading to version 8.0.0★
Solution Article: K07869171
Component: REST Framework and TMOS Platform
Symptoms:
If you attempt to upgrade BIG-IQ to version 8.0.0 and there are more than 100,000 records for a single task in the BIG-IQ database, the upgrade does not complete successfully.
Conditions:
Upgrading BIG-IQ to version 8.0.0 when its database has more than 100,000 records.
Impact:
BIG-IQ displays a spinner with a message: Waiting for BIG-IQ services to become available...
Workaround:
To work around this issue, see: https://support.f5.com/csp/article/K07869171
Fix:
N/A
989929-4 : Sorting lists by description field
Component: REST Framework and TMOS Platform
Symptoms:
Due to limitations, we disabled the option to sort lists on the description field in BIG-IQ version 6.0.0.
Conditions:
Attempting to sort on description field for a list.
Impact:
Users can't sort lists on the description field.
Workaround:
There is no workaround.
Fix:
Sorting lists by description field is re-enabled.
Behavior Change:
You can now sort on the description field for lists.
977109-4 : BIG-IQ might report errors when deploying changes to BIG-IP devices
Component: BIG-IQ Local Traffic & Management
Symptoms:
BIG-IQ can sometimes display errors similar to the following when deploying changes to BIG-IP devices: 'Exception in verifyConfig: java.lang.NullPointerException'
Conditions:
This happens when BIG-IQ is managing BIG-IP devices with varying versions. It can also occur when a BIG-IP device has been upgraded multiple times.
Impact:
You cannot manage the BIG-IP device from BIG-IQ when that error occurs.
Workaround:
If you manage BIG-IP devices running the same version and you have no changes pending on BIG-IQ, run the following command from BIG-IQ to clear the error status: clear-rest-storage
If you manage several BIG-IP devices of varying versions then you will be unable to work around this issue.
Fix:
This issue is fixed. BIG-IQ no longer displays error messages when deploying BIG-IP changes.
909205-1 : BIG-IQ statistics reports are missing the latest event data
Component: AppIQ
Symptoms:
BIG-IQ statistics reports are missing the latest event data.
Conditions:
This occurs when the default system-generated Elasticsearch indices are manually deleted by administrators.
This can also happen when the disk becomes full and BIG-IQ runs out of disk space due to accumulating events/logs.
Impact:
This issue results in a loss of statistics data.
Workaround:
The workaround involves repairing the elasticsearch indices storing statistics data.
To identify the statistics that are impacted
- list all index names & index aliases
# curl -s localhost:9200/_cat/indices?v
# curl -s localhost:9200/_cat/aliases?v
- run below command (or create a periodic task) to detect affected/corrupted elasticsearch cluster indices
# curl -s localhost:9200/_cat/indices?h=index | grep _writer
- every index output in above command requires a repair procedure outlined in the remainder of article as the name of index is not expected to have '_writer' suffix (only names of index aliases will have the '_writer' suffix)
let's say it reports youraffectedindex1_writer/youraffectedindex2_writer
- for every index reported above you can see the size of statistics data that have been accumulated under it (this is the amount of data not getting reported in BIG-IQ GUI)
# curl -s localhost:9200/_cat/indices | grep youraffectedindex1_writer
# curl -s localhost:9200/_cat/indices | grep youraffectedindex2_writer
If statistics data for impacted/corrupt indices is non-critical (and permanent deletion is acceptable), then please follow procedure A. If you need to preserve the corrupt data proceed to procedure B. However, both procedures repair the impacted elasticsearch indices.
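The detection step above, written as a check that could run as the periodic task the workaround mentions. This is an added example, not F5's code: the function names, the ES_URL variable and the sample listings are assumptions or constructed data, and only the afmlogindex names follow the page's own example.

```shell
#!/bin/sh
# Added example: flag Elasticsearch *indices* that carry the '_writer' suffix.
# Per the workaround text, only index *aliases* are expected to end in
# '_writer'; a real index with that name needs Procedure A or B.

# Constructed sample of:
#   curl -s 'localhost:9200/_cat/indices?h=index,docs.count,store.size'
SAMPLE_INDICES='afmlogindex_2020-02-01t10-10-10-0100 120 1.2mb
afmlogindex_writer 48211 35.4mb
asmindex_2020-02-01t10-10-10-0100 990 8.1mb'

# Constructed sample of:
#   curl -s 'localhost:9200/_cat/aliases?h=alias,index'
SAMPLE_ALIASES='asmindex_writer asmindex_2020-02-01t10-10-10-0100
asmindex asmindex_2020-02-01t10-10-10-0100'

# affected_indices INDICES_TEXT
# Prints "name docs size" for every real index whose name ends in _writer.
affected_indices() {
    printf '%s\n' "$1" | awk '$1 ~ /_writer$/ { print $1, $2, $3 }'
}

# report INDICES_TEXT ALIASES_TEXT
# Prints one CORRUPT line per affected index (with the amount of data that is
# not being reported in the GUI) and one OK line per healthy *_writer alias.
# Returns 1 when at least one index needs repair, so a scheduler can alert.
report() {
    r_indices=$1
    r_aliases=$2
    r_status=0
    r_bad=$(affected_indices "$r_indices")
    if [ -n "$r_bad" ]; then
        printf '%s\n' "$r_bad" |
            awk '{ printf "CORRUPT %s docs=%s size=%s\n", $1, $2, $3 }'
        r_status=1
    fi
    printf '%s\n' "$r_aliases" |
        awk '$1 ~ /_writer$/ { printf "OK %s -> %s\n", $1, $2 }'
    return $r_status
}

# scan_live: same check against a running node. ES_URL is an assumption of
# this example; it defaults to the localhost:9200 address used on this page.
scan_live() {
    es=${ES_URL:-localhost:9200}
    report "$(curl -ks "$es/_cat/indices?h=index,docs.count,store.size")" \
           "$(curl -ks "$es/_cat/aliases?h=alias,index")"
}

if [ "${1:-}" = "--live" ]; then
    scan_live
else
    # Offline demonstration on the constructed samples above.
    report "$SAMPLE_INDICES" "$SAMPLE_ALIASES" ||
        echo "repair needed: follow Procedure A or Procedure B"
fi
```

After either repair procedure, the same check should print only OK lines and return 0.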
------------
Procedure A
------------
Use this procedure to permanently delete the corrupt data and repair the impacted indices
1. Deactivate the impacted service.
- on BIG-IQ CM, navigate to System -> BIG-IQ DATA COLLECTION -> BIG-IQ Data Collection Devices
- deactivate the impacted service (based on the reported indices earlier) for all DCDs
Ex: Access / DOS Protection / Fraud Protection Service / IPSec / Network Security / Web Application Security
- wait for 5 minutes to allow existing connections to close
- on BIG-IQ DCD verify all external connections to special ports are closed:
# netstat -an | grep -E "9997|8018|8514|8020|8008"
2. Delete the impacted elasticsearch index.
- on CM (or DCD) remove the incorrect index from elasticsearch, ex:
# curl -sX DELETE localhost:9200/youraffectedindex1_writer
Note: above command should return {"acknowledged":true}
- confirm the index is no longer reported by below command
# curl -s localhost:9200/_cat/indices | grep _writer
3. Reactivate the service.
- on BIG-IQ CM, navigate to System -> BIG-IQ DATA COLLECTION -> BIG-IQ Data Collection Devices and activate the impacted services again
------------
Procedure B
------------
Use this procedure to recover the corrupt data and repair the impacted indices
1. Deactivate the impacted service.
see step #1 from Procedure A
2. Create a temporary elasticsearch index.
- identify naming convention (including a date suffix) by observing output of below command
# curl -s localhost:9200/_cat/indices?h=index
ex: youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx
- create a temporary index using name identified in above step
# curl localhost:9200/youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx -X PUT -d {}
ex: # curl localhost:9200/afmlogindex_2020-02-01t10-10-10-0100 -X PUT -d {}
3. Reindex data from corrupt index to the temporary elasticsearch index.
- this may take time depending on size of data in affected index
- begin the indexing process
# curl -s localhost:9200/_reindex?wait_for_completion=false -d '{"source":{"index":"youraffectedindex1_writer"},"dest":{"index":"youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx"}}' | jq .
ex: # curl -s localhost:9200/_reindex?wait_for_completion=false -d '{"source":{"index":"afmlogindex_writer"},"dest":{"index":"afmlogindex_2020-02-01t10-10-10-0100"}}' | jq .
- above command will print a task-identifier
ex: "task": "rur5BcBNTGqdtydEDjHMAA:22687961"
- use above reported unique task-identifier and repeatedly query the progress of the task until it completes
# curl -s localhost:9200/_tasks/rur5BcBNTGqdtydEDjHMAA:22687961 | jq .completed
true
- verify the index status
# curl -s localhost:9200/_cat/indices?v
# curl -s localhost:9200/_cat/aliases?v
4. Remove the corrupted elasticsearch index.
- see step #2 in Procedure A.
5. Create a new *_writer alias for the temporary elasticsearch index.
- run below command to create an alias (for your newly created index) named as the index you just deleted
# curl localhost:9200/_aliases -X POST -d '{"actions" : [ {"add" : { "index" : "youraffectedindex1_2020-xx-xxtxx-xx-xx-xxxx" , "alias" : "youraffectedindex1_writer" }} ] }'
ex: # curl localhost:9200/_aliases -X POST -d '{"actions" : [ {"add" : { "index" : "afmlogindex_2020-02-01t10-10-10-0100" , "alias" : "afmlogindex_writer" }} ] }'
- verify the index status
# curl -s localhost:9200/_cat/indices?v
# curl -s localhost:9200/_cat/aliases?v
6. Reactivate the impacted service.
see step #3 in Procedure A.
7. Confirm newly initialized elasticsearch indices.
- verify the index status
# curl -s localhost:9200/_cat/indices?v
# curl -s localhost:9200/_cat/aliases?v
- confirm that you see a new index named yourimpactedindex1_YYYY_MM_DD and that yourimpactedindex1_writer points to this latest index instance
- this happens because indices are eventually rotated and removed (this also depends on the retention policy)
Fix:
Statistics and event data displays as expected.
823565-1 : BIG-IQ REST framework JVM process fails intermittently
Component: REST Framework and TMOS Platform
Symptoms:
The BIG-IQ REST framework JVM process (restjavad) fails intermittently when RAM memory is low or during highly intensive memory operations.
Conditions:
This happens when there is not enough RAM available for the normal operation of the BIG-IQ REST framework, especially in environments with a relatively large number of managed BIG-IP devices and related configuration objects, and a high volume of collected statistical data.
Impact:
BIG-IQ management interface and device management workflows are temporarily unavailable while restjavad restarts.
Workaround:
Increase the physical memory (RAM) that is available for BIG-IQ (hardware or virtual).
Fix:
This issue is fixed and restjavad no longer fails under these conditions.
1011941-4 : Admin users can run arbitrary commands on the BIG-IQ configuration utility
Component: BIG-IQ DNS Management
Symptoms:
Admin users can run arbitrary commands in the BIG-IQ configuration utility using unspecified methods.
Conditions:
Admin users can run arbitrary commands in the BIG-IQ configuration utility using unspecified methods.
Impact:
Admin users can run arbitrary commands in the BIG-IQ configuration utility using unspecified methods.
Workaround:
None
Fix:
Admin users are now limited in which commands they are allowed to use.
1011877 : Resizing partitions after upgrading
Component: REST Framework and TMOS Platform
Symptoms:
Unable to increase the /var partitions after upgrading to BIG-IQ version 8.0.0.
Conditions:
1) Create a virtual server of BIG-IQ 7.1.x
2) Increase the /var partition size
3) Upgrade BIG-IQ to 8.0.0
4) Try running the resizevol script as resizevol /var 272218920
Impact:
Unable to resize the /var partition with resizevol tool.
Workaround:
If you have already upgraded, you can resize the /var partition after the upgrade completes and BIG-IQ reboots using the command similar to: lvresize -rL 10G /dev/vg-db-sda/set.2._var
Fix:
The resizevol tool script is now included starting in BIG-IQ version 8.0.0.1.
Behavior Change:
You can now resize the /var partitions with the resizevol tool using a command similar to lvresize -rL 10G /dev/vg-db-sda/set.2._var. When you run this command, BIG-IQ resizes the partition as specified.
1005049-1 : DCD cluster stops working after adding a DCD or a standby BIG-IQ to a high availability configuration
Component: AppIQ
Symptoms:
After adding a standby BIG-IQ to a high availability (HA) configuration or while (less likely) adding a DCD, the DCD cluster no longer functions and the restjavad.0.logs shows a message similar to the following:
[HTTP/1.1 503 Service Unavailable]
Open Distro not initialized
Conditions:
Adding a standby BIG-IQ in a high availability (HA) configuration, or (less likely) when adding a DCD.
Impact:
BIG-IQ is unable to receive new analytics statistics and events and cannot display existing events.
Workaround:
After adding the standby BIG-IQ for a high availability (HA) configuration, or a DCD, run the following command on the active BIG-IQ:
export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk.x86_64 ; /bin/bash -c "/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -h `netstat -nap | grep ':9300 ' | grep LISTEN | awk '{print $4}' | rev | cut -c 6- | rev` --accept-red-cluster -cd /var/config/appiq/elasticsearch/utils/ -icl -nhnv -cacert /var/config/rest/elasticsearch/config/es_root-ca.pem -cert /var/config/rest/elasticsearch/config/es_admin.pem -key /var/config/rest/elasticsearch/config/es_admin-key.pem"
Fix:
This issue is fixed and DCD clusters work as expected after adding a standby BIG-IQ or a DCD.
1004421-2 : ASM policy is removed after LTM virtual server deployment
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
BIG-IQ removes any configured ASM policies related to a BIG-IP virtual server when you deploy a full LTM configuration or deploy a change for LTM on that virtual server with the ASM policies.
Conditions:
LTM and ASM services are provisioned and discovered by BIG-IQ while adding a BIG-IP device.
Impact:
Web application security is disabled on the affected virtual servers.
Workaround:
Redeploy BIG-IP virtual servers licensed for ASM and re-import LTM with the auto-generated ASM policy for the virtual server.
Fix:
BIG-IQ no longer removes ASM policies after you deploy an LTM virtual server.
1000061-1 : Elasticsearch process in DCDs restarts every few hours
Component: AppIQ
Symptoms:
Attempting to aggregate statistics data from BIG-IQ can cause the Elasticsearch (ES) process in the data collection devices (DCDs) to restart every few hours. When this happens, the following exception appears in the elasticsearch/esnode.log file for affected DCDs:
java.lang.NoClassDefFoundError: org/elasticsearch/client/RestClient
Conditions:
Many statistic dimension combinations are defined for a specific module, which might create more unique ES documents than the allowed document limit per BIG-IP (50000 / DCDs num).
For example, a managed BIG-IP device configured with an HTTP module might have traffic from multiple client IPs, with each client IP having multiple destination URLs.
Impact:
When BIG-IQ attempts to aggregate the statistics data under these conditions, the ES process fails and then restarts, resulting in the loss of that aggregated statistics data and pending module events.
Workaround:
Upgrade F5 Elasticsearch plugins.
Fix:
This issue is fixed and the Elasticsearch process no longer restarts every few hours.
Known Issues in BIG-IQ CM v8.0.x
BIG-IQ Local Traffic & Management Issues
ID Number | Severity | Solution Article(s) | Description |
970041-1 | 3-Major | | Deploying tunnel objects to BIG-IP devices using a Tunnel Profile |
990605 | 4-Minor | | Tunnels created on BIG-IQ are not added to the default route domain of the other devices in the Device Service Cluster |
AppIQ Issues
ID Number | Severity | Solution Article(s) | Description |
984877-1 | 3-Major | | User with SSM custom role is not authorised to see DoS attack summary bar for Network and DNS attacks |
979205-1 | 4-Minor | | Applications Page displays statistics for applications the user does not have permissions to view |
BIG-IQ Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
1010521 | 3-Major | | FirewallPortList class in DO doesn't render properly using BIG-IQ 8.0 and DO 1.20+ |
BIG-IQ DNS Management Issues
ID Number | Severity | Solution Article(s) | Description |
986121 | 3-Major | | Cannot delete a GSLB server when there are prober pools on BIG-IQ but not BIG-IP |
988117 | 4-Minor | | State (on BIG-IP) field is visible when you create a new DNS Listener object |
REST Framework and TMOS Platform Issues
ID Number | Severity | Solution Article(s) | Description |
583930-2 | 4-Minor | | VE supports only 2 NUMA domains |
BIG-IQ Web Application Security (ASM) Issues
ID Number | Severity | Solution Article(s) | Description |
991657 | 3-Major | | ASM deployment evaluation with large scale might get stuck and eventually fail with OutOfMemory error |
985305 | 4-Minor | | ASM Policy comparison is not available for fine grained RBAC user |
985301 | 4-Minor | | Policy analyzer not authorized for a user with fine grained RBAC on policies |
977701 | 4-Minor | | Web Application Security/Bot Traffic Dashboards 500 Server Error following upgrade to 8.0★ |
BIG-IQ Application Management Issues
ID Number | Severity | Solution Article(s) | Description |
986353 | 3-Major | | creating AS3 application with internal virtual service in declaration fails |
985077 | 3-Major | | Data Transfer Service (DTS) docker service compressed logs may get deleted out of order after rotation |
987205 | 4-Minor | | Multiple DTS services running with same preferred Beacon account delete applications in Beacon |
985781 | 4-Minor | | No scroll bar for the Application - ENVIRONMENT Configuration view |
985113 | 4-Minor | | "DNS Virtual Server Name" is not displayed correctly when AS3 application is created with "template": "generic" |
Known Issue details for BIG-IQ CM v8.0.x
991657 : ASM deployment evaluation with large scale might get stuck and eventually fail with OutOfMemory error
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
When running an evaluate and deploy for 10 devices, the system might stop responding, causing the UI to become non-functional. This is caused by too many objects being loaded into memory during the evaluation process.
Conditions:
Running an evaluate and deploy process for 10 devices. Each has
- 60 large ASM policies
- 250 virtual-servers
- 32GB RAM management console node.
Impact:
This might cause failure during verify-config stage of the evaluation. The overall impact affects large and full (not partial) deployments.
Workaround:
1. Conduct a partial deploy of the objects (ASM policies) you want to deploy to as many devices as you wish, so long as the object count is less than 200.
2. Do a full deployment to a maximum of 5 devices with similar configurations.
3. Using the REST API, there's an option to skip the verify-config stage when starting an evaluation task. This will work if skipVerifyConfig:true is sent in the task body. This option is less recommended, because the verify-config stage is important for verifying that features are deployable on the target devices.
990605 : Tunnels created on BIG-IQ are not added to the default route domain of the other devices in the Device Service Cluster
Component: BIG-IQ Local Traffic & Management
Symptoms:
When BIG-IQ creates a tunnel on a managed device that belongs to a Device Service Cluster (DSC), it also adds the tunnel to that device's default route domain.
But when BIG-IQ replicates the tunnel to the other devices within a DSC, it does not add the tunnel to the route domain for those devices.
Conditions:
Use BIG-IQ to add a tunnel to a BIG-IP device that is a member of a DSC.
Impact:
If no further steps are taken, the next deployment to the cluster will fail.
Workaround:
Manually add the tunnel to the route domain of the other devices in the DSC.
988117 : State (on BIG-IP) field is visible when you create a new DNS Listener object
Component: BIG-IQ DNS Management
Symptoms:
The State (on BIG-IP) field displays on the New Listener screen. Because the object does not exist on the BIG-IP yet, there is no state yet.
Conditions:
1. Click Configuration>DNS>Delivery>Create.
2. Note the State (on BIG-IP) field.
This field displays, even though there is no state on the BIG-IP because the object doesn't exist yet.
Impact:
Users could be confused by the appearance of this field, because it doesn't make sense to display it until the Listener has been deployed.
Workaround:
N/A
987205 : Multiple DTS services running with same preferred Beacon account delete applications in Beacon
Component: BIG-IQ Application Management
Symptoms:
Multiple DTS services running with same preferred Beacon account delete applications in Beacon.
Conditions:
Multiple DTS services are running with the same preferred Beacon account, each sending a different selectedApplicationNames list.
Impact:
Conflicting SelectedApplicationNames lists that are being sent to the same preferred beacon account will result in applications being removed from Beacon.
Beacon icons on application services may show as red, with instructions to check the logs. The Data transfer service logs indicate that applications have been removed from Beacon.
Workaround:
This functions as designed. Applications that are no longer present on BIG-IQ or that are not in a DTS's SelectedApplicationNames list will be deleted from Beacon. If you want to send application metrics for more than one set of applications you need to use a preferred Beacon account for each set of applications and specify it in the respective DTS's config file. To set up a preferred Beacon account: https://clouddocs.f5.com/cloud-services/latest/f5-cloud-services-Beacon-API.html#specify-preferred-account-header-in-a-multiple-accounts-divisions-scenario
986353 : creating AS3 application with internal virtual service in declaration fails
Component: BIG-IQ Application Management
Symptoms:
Creating an AS3 application with an internal virtual service ("virtualType": "internal") fails.
Conditions:
Application creation fails if the declaration contains:
"virtualType": "internal",
Impact:
The AS3 application can't be created.
986121 : Cannot delete a GSLB server when there are prober pools on BIG-IQ but not BIG-IP
Component: BIG-IQ DNS Management
Symptoms:
Cannot delete GSLB servers successfully.
Conditions:
A prober pool has been created on the BIG-IQ but not deployed to the BIG-IP.
Impact:
If there is a prober pool on the BIG-IQ that is not deployed to the BIG-IP, you cannot delete the GSLB server.
Workaround:
You can either create the prober pools on the BIG-IP or deploy them to the BIG-IP. You will then be able to delete a GSLB server.
985781 : No scroll bar for the Application - ENVIRONMENT Configuration view
Component: BIG-IQ Application Management
Symptoms:
There is no scroll bar in the Application -> ENVIRONMENT Configuration view.
Conditions:
For Service Catalog and Legacy Application Services, there is no scroll bar in the Application -> ENVIRONMENT, Configuration view
Impact:
Users cannot scroll in these screens.
Workaround:
N/A
985305 : ASM Policy comparison is not available for fine grained RBAC user
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
Users with fine grained authorization on specific policies will not be able to access the policy comparison feature.
Conditions:
Steps to Reproduce:
1. Create a resource group with 2 policies
2. Create role of "web application security manager" + the resource group
3. Create a user with this role
4. Login with the user and go to Configuration > Security > Web Application Security > Policies.
5. Select two policies and click More.
Impact:
The Compare Policies option is not available.
985301 : Policy analyzer not authorized for a user with fine grained RBAC on policies
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
Users with fine grained authorization on specific policies will not be able to access the Policy Analyzer feature.
Conditions:
1. Create a resource group with 2 policies
2. Create role of "web application security manager" + the resource group
3. Create a user with this role
4. Login with the user and go to Configuration > Security > Web Application Security > Policies.
5. Select a policy and then More. Select the Policy Analyzer option.
Impact:
The policy analyzer screen does not successfully load.
985113 : "DNS Virtual Server Name" is not displayed correctly when AS3 application is created with "template": "generic"
Component: BIG-IQ Application Management
Symptoms:
When an AS3 application is created from API with "template": "generic" in the AS3 declaration, the value of "DNS Virtual Server Name" under the Application Configuration tab appears in the following format: /<tenant_name>/<app_name>/ServiceMain, instead of the expected format: <app_name>
Conditions:
AS3 application is created from API with "template": "generic" and app_name instead of ServiceMain
Sample declaration is as follows:
"t_104197": {
"class": "Tenant",
"defaultRouteDomain": 0,
"dev1_dapi_fis_tp_dev_ally_com_443": {
"class": "Application",
"template": "generic",
"dev1_dapi_fis_tp_dev_ally_com_443_vs": {
"class": "Service_HTTPS",
"virtualAddresses": [
"10.47.67.78"
],
"virtualPort": 443,
Impact:
The DNS Virtual Server name in the Application Configuration tab is displayed in an unexpected format.
985077 : Data Transfer Service (DTS) docker service compressed logs may get deleted out of order after rotation
Component: BIG-IQ Application Management
Symptoms:
After the Data Transfer Service (DTS) runs for a few days, the logs go through rotation and compression. During rotation and compression a file(s) may get deleted out of order.
Conditions:
The docker Data Transfer Service has run for a few days, generating a large number of logs.
Impact:
Compressed rotated log file(s) may get deleted out of order.
Workaround:
Retrieve the missing data by checking the em* logs beneath the /var/log directory.
984877-1 : User with SSM custom role is not authorised to see DoS attack summary bar for Network and DNS attacks
Component: AppIQ
Symptoms:
A user with an SSM custom role that contains a virtual server under DoS attack, of Network or DNS type, can't see the attack information in the per attack page under "Monitoring->DASHBOARDS->DDOS->Protection Summary".
Conditions:
A user assigned an SSM custom role with permissions to view a specific attacked SSM virtual server tries to view information for the virtual server's DoS attack page from "Monitoring->DASHBOARDS->DDOS->Protection Summary".
Impact:
The user won't be able to view the summary information of the virtual server's DoS attack.
Workaround:
View the DoS attack information from an admin user login.
979205-1 : Applications Page displays statistics for applications the user does not have permissions to view
Component: AppIQ
Symptoms:
Since application and application service permissions are assigned separately to the user, using separate roles, it is possible to give a user permissions to view/manage application services but not to the application they are contained in.
In such a scenario, the user would not be able to view the application and application aggregated statistics in the application page grid/tile view section. This is by design.
However, the user would be able to see, in the applications page summary bar, aggregated statistics for applications that contain application services which the user has permissions to see.
Conditions:
A user is assigned view/manage permissions for application services but is not assigned view/manage permissions for the application which contains those application services.
Impact:
The user can view statistics for permitted application services from an application (application name) that the user is not permitted to view.
977701 : Web Application Security/Bot Traffic Dashboards 500 Server Error following upgrade to 8.0★
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
In rare cases, following an upgrade from a BIG-IQ version 7.1 to 8.0, the Web Application Security Dashboard or Bot Traffic Dashboard might display a 500 error.
Conditions:
Following a period of time that a system is powered down (several days, or more), upgrade a BIG-IQ to version 8.0.
Go to the Web Application Security Dashboard (Monitoring : DASHBOARDS : Web Application Security).
Impact:
The system returns an unexpected error (500 Server Error):
status:500, body:{"error":{"httpStatus":"INTERNAL_SERVER_ERROR","code":1002,"message":"INTERNAL_SERVER_ERROR: ElasticsearchStatusException[Elasticsearch exception [type=too_long_frame_exception, reason=An HTTP line is larger than 4096 bytes.]]","errorStack":[],"restOperationId":"0615d70c-8d06-444a-b5bb-e0d7ffe0ca55"}}
Workaround:
Add the 'http.max_initial_line_length: 10mb' parameter to /var/config/rest/elasticsearch/config/elasticsearch.yml on all nodes (CMs and DCDs), and then restart Elasticsearch on each node:
bigstart restart elasticsearch
970041-1 : Deploying tunnel objects to BIG-IP devices using a Tunnel Profile
Component: BIG-IQ Local Traffic & Management
Symptoms:
If you attempt to deploy a tunnel object to a managed BIG-IP device using a Tunnel Profile, deployment fails with an error similar to the following:
"profile" is a required property and may not be set to "none" or an empty value'
Conditions:
This happens in either of the following cases:
*) An imported Tunnel object has been modified on BIG-IQ.
*) The tunnel object hasn't been modified, but one or more imported Tunnel objects has ended up with an incorrect "ifIndex" value on BIG-IQ.
Impact:
You cannot deploy the tunnel object to the BIG-IP device(s).
Workaround:
You can try to resolve the issue by performing one of the following options.
Option 1)
1. From BIG-IQ, rediscover and re-import the device, selecting the "Use BIG-IP" to clear any changes from tunnel objects on BIG-IQ.
2. Create a new Evaluation / Deployment and redeploy to the BIG-IP device.
Option 2)
If option 1 is not successful, manually copy the current BIG-IP configuration into the working configuration by logging into BIG-IQ through SSH and performing the following steps:
1. Write all tunnel objects to a file by typing the following commands:
# restcurl /cm/adc-core/working-config/net/tunnels/tunnel | jq -c '.items[]' > /var/tmp/wc
# restcurl /cm/adc-core/current-config/net/tunnels/tunnel | jq -c '.items[]' > /var/tmp/cc
2. Perform a diff on the content for ifIndex by typing the following commands:
# cat /var/tmp/cc | jq .id -r | sort | while read uuid ; do grep $uuid /var/tmp/cc | jq .ifIndex > /var/tmp/mycc ; grep $uuid /var/tmp/wc | jq .ifIndex > /var/tmp/mywc ; diff /var/tmp/mywc /var/tmp/mycc >/dev/null ; if [ $? -eq "1" ] ; then echo $uuid ; fi ; done > /var/tmp/diffout
3. Verify that /var/tmp/diffout contains only UUIDs, and check one of them to confirm the difference by typing commands similar to the following:
# test=$(head -n1 /var/tmp/diffout) ; grep $test /var/tmp/cc | jq .ifIndex
384
# test=$(head -n1 /var/tmp/diffout) ; grep $test /var/tmp/wc | jq .ifIndex
400
4. Create the fixTunnel.sh script by typing the following:
#!/bin/bash
# Copy the tunnel object given as $1 from current-config into working-config.
TUNNELID=$1
restcurl "/cm/adc-core/current-config/net/tunnels/tunnel/$TUNNELID" | sed -e 's/current/working/g' | jq 'del(.generation,.lastUpdateMicros)' > workfinal
curl "localhost:8100/cm/adc-core/working-config/net/tunnels/tunnel/$TUNNELID" -X PUT -d @workfinal | jq .
5. Provide execution permissions to fixTunnel.sh by typing the following:
# chmod +x fixTunnel.sh
6. Use the fixTunnel.sh script to correct the ifIndex by typing the following:
# cat /var/tmp/diffout | while read UUID ; do echo $UUID ; ./fixTunnel.sh $UUID ; done
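The ifIndex comparison from steps 2 and 3 of Option 2, written as an added Python example (not part of the F5 workaround): it keys each object on its exact id instead of using grep, and also lists tunnels that exist in current-config but are absent from working-config. It assumes Python 3 is available wherever /var/tmp/cc and /var/tmp/wc are examined; the sample UUIDs and names are constructed, and only the id and ifIndex fields come from the commands above.

```python
import json
import sys


def load_tunnels(lines):
    """Index tunnel objects (one JSON object per line, as written in step 1) by id."""
    tunnels = {}
    for line in lines:
        line = line.strip()
        if line:
            obj = json.loads(line)
            tunnels[obj["id"]] = obj
    return tunnels


def compare_ifindex(current_lines, working_lines):
    """Return (mismatched, missing).

    mismatched: (id, current ifIndex, working ifIndex) where the values differ.
    missing:    ids present in current-config but absent from working-config.
    """
    current = load_tunnels(current_lines)
    working = load_tunnels(working_lines)
    mismatched, missing = [], []
    for uuid in sorted(current):
        if uuid not in working:
            missing.append(uuid)
            continue
        cur, work = current[uuid].get("ifIndex"), working[uuid].get("ifIndex")
        if cur != work:
            mismatched.append((uuid, cur, work))
    return mismatched, missing


# Constructed sample data standing in for /var/tmp/cc and /var/tmp/wc.
SAMPLE_CC = [
    '{"id": "00000000-0000-0000-0000-000000000001", "name": "tunnel-a", "ifIndex": 384}',
    '{"id": "00000000-0000-0000-0000-000000000002", "name": "tunnel-b", "ifIndex": 112}',
    '{"id": "00000000-0000-0000-0000-000000000003", "name": "tunnel-c", "ifIndex": 208}',
]
SAMPLE_WC = [
    '{"id": "00000000-0000-0000-0000-000000000001", "name": "tunnel-a", "ifIndex": 400}',
    '{"id": "00000000-0000-0000-0000-000000000002", "name": "tunnel-b", "ifIndex": 112}',
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py /var/tmp/cc /var/tmp/wc
        with open(sys.argv[1]) as cc, open(sys.argv[2]) as wc:
            mismatched, missing = compare_ifindex(cc, wc)
    else:
        mismatched, missing = compare_ifindex(SAMPLE_CC, SAMPLE_WC)
    for uuid, cur, work in mismatched:
        print(f"{uuid} current={cur} working={work}")
    for uuid in missing:
        print(f"{uuid} not present in working-config")
```

Reviewing the mismatched and missing lists before step 6 shows exactly which working-config objects the PUT in fixTunnel.sh will overwrite.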
583930-2 : VE supports only 2 NUMA domains
Component: REST Framework and TMOS Platform
Symptoms:
VMware ESX version 5.5 and greater can expose NUMA topology to guests, sometimes exposing more NUMA nodes than the two that Virtual Edition (VE) supports. This causes a TMM core, with the following error message in /var/log/tmm:
sys_get_numa_info: <N> exceeds max nodes of 2
Conditions:
-- VE running on VMware ESX 5.5 or greater.
-- 16 vCPUs configured.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
In VMware ESX, modify the guest hardware configuration to present a maximum of two sockets to the VE guest.
For example, if you configure an 8 CPU VM, set Cores per Socket to 4.
1010521 : FirewallPortList class in DO doesn't render properly using BIG-IQ 8.0 and DO 1.20+
Component: BIG-IQ Device Management
Symptoms:
1. Log in to a BIG-IQ running version 8.0 and DO version 1.20 or later.
2. On the BIG-IQ Device tab, click BIG-IP ONBOARDING, and then click Onboard.
3. Select the FirewallPortList class. BIG-IQ does not render the field correctly.
Conditions:
Attempt to onboard a BIG-IP device using BIG-IQ 8.0 and DO 1.20 or later.
Impact:
You cannot set a port or port list in the DO class FirewallPortList.
Workaround:
Use DO API to onboard the device.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/