Supplemental Document : BIG-IQ Centralized Management 8.0.0 :: Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.0.0

BIG-IQ CM Release Information

Version: 8.0.0
Build: 594.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Known Issues in BIG-IQ CM v8.0.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
901129-2 CVE-2020-5944 K57274211 DoS events and DNS Overview screens returns error message
795197-6 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
790469 CVE-2020-5873 K03585731 F5 secure shell vulnerability CVE-2020-5873
737574-7 CVE-2019-6621 K20541896 iControl REST input sanitization
737565-7 CVE-2019-6620 K20445457 iControl REST input sanitization
726327-4 CVE-2018-12120 K37111863 NodeJS debugger accepts connections from any host
670786 CVE-2017-1000364 K51931024 Linux kernel vulnerability CVE-2017-1000364
712649 CVE-2016-10708 K32485746 OpenSSH vulnerability CVE-2016-10708
682719 CVE-2017-3735 K21462542 CVE-2017-3735: OpenSSL Vulnerability
605900 CVE-2016-2775 K92991044 lwresd and bind vulnerability CVE-2016-2775
605579-6 CVE-2012-6702 K65460334 iControl-SOAP expat client library is subjected to entropy attack


Functional Change Fixes

ID Number Severity Solution Article(s) Description
799005 3-Major   A RADIUS user no longer automatically becomes a member of a previously created RADIUS user group
989949 4-Minor   The restjavad.properties.json file is not getting updated to the latest version following an upgrade


BIG-IQ Configuration - Local Traffic Fixes

ID Number Severity Solution Article(s) Description
859709 3-Major   Full name of the default pool does not display on the LTM virtual server properties screen
889049 4-Minor   Deployment and Configuration menus with long virtual server or pool names.


BIG-IQ Configuration - Security - Network Security Fixes

ID Number Severity Solution Article(s) Description
978405 3-Major   You might not be able to edit some Self-IP context objects after a BIG-IQ upgrade


BIG-IQ Configuration - Security - Shared Security Fixes

ID Number Severity Solution Article(s) Description
921025 3-Major   Network security log profile changes in 15.1 breaks BIG-IQ import


BIG-IQ Access Fixes

ID Number Severity Solution Article(s) Description
925301 3-Major   Unable to view Access reports when date/time filter is applied when your computer is set to a non-English language
922877 3-Major   Access Sessions Summary page shows duplicate data for a single session
922417 3-Major   Creating a CSV report for active sessions
914801 3-Major   Creating a local SAML SP service
912177 3-Major   Generating CSV report from Access User Summary
903121 3-Major   Evaluating and deploying Access Groups containing a remote desktop configuration
919093 4-Minor   BIG-IQ Access policy branch rule names don't allow '.'
918997 4-Minor   Custom expressions in the Visual Policy Editor will alter new line character for the Variable Assign agent
916881 4-Minor   Deploying an Access policy containing orphaned policy items fails


BIG-IQ Local Traffic & Management Fixes

ID Number Severity Solution Article(s) Description
923613 3-Major   Discovering a BIG-IP device and importing its services that contain 'bot-profiles'
921537 3-Major   BIG-IQ does not support BIG-IP tunnel objects binding with local-traffic
623822 3-Major   BIG-IQ unable to identify non-floating Virtual Servers when importing LTM config
906121 4-Minor   Adding Pool Members to Resource Groups


AppIQ Fixes

ID Number Severity Solution Article(s) Description
988621-5 3-Major   Upgrading BIG-IQ to 8.0.x with DCD might fail if the process times out
947325 3-Major   Configuring different retention for specific statistics groups
942849-1 3-Major K92678530 When appiqconfig loses connection to Elasticsearch (ES) it is unable to re-establish the connection
936081 3-Major   Improve Active Alerts Query response time when there is a large number of active alerts
908505-2 3-Major   Managing BIG-IP devices using a large number of virtual servers while running iApp analytics
872237-2 3-Major   CPU spikes on managed BIG-IP devices when using iApp analytics
978257-1 4-Minor   Monitoring graphs show incorrect start and end times
808133-2 4-Minor   Analytics iApp pushed from BIQ-IQ causes BIG-IP high availability (HA) peers to go out of sync


BIG-IQ Device Management Fixes

ID Number Severity Solution Article(s) Description
905737 2-Critical   Setting up BIG-IQ as a license manager only


BIG-IQ SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
963993 3-Major   Unsuccessful import of SSLO configurations if the BIG-IP device and the BIG-IQ both deployed topologies with the same name
899609 3-Major   Deployment of an imported Existing Application SSL Orchestrator topology may fail from BIG-IQ
900849 4-Minor   Editing is disabled for deployed SSLO configurations after upgrading your managed BIG-IP devices from version 14.x to 15.x
899601 4-Minor   The number of security services in the SSL Orchestrator topology list page shows 0 for imported topologies
892901 4-Minor   Deployment of topologies, security policies, or services fails after removing an SSLO configuration
809725 4-Minor   Security Policy deployed through an SSLO topology in BIG-IQ is not visible on managed BIG-IP
807389 4-Minor   Number of services in the SSL Orchestrator device list page shows 0 for services deployed on BIG-IP HA devices
807249 4-Minor   SSLO topology can be saved without selecting a security policy in the 'Use Existing' dropdown in the security policy page


REST Framework and TMOS Platform Fixes

ID Number Severity Solution Article(s) Description
955145-7 2-Critical   REST API not properly handling workers
930569 2-Critical   ERROR: unsupported Unicode escape sequence
925169 2-Critical   BIG-IQ hardware upgrade might fail
911445 2-Critical   When BIG-IQ is performing resource-intensive operations, user sessions might prematurely terminate
974593 3-Major   Rotate postgresql SSL certificate when or before it expires
931353 3-Major   Table bloat causes high availability (HA) to fail
916441 3-Major   Operations using route domains fail with 'invalid input syntax for type inet'
903229 3-Major   Pruning of expired backups fails due to a failed query.
860473 3-Major   Connection and read timeout settings for the TACACS+ authentication provider
726441 3-Major   Linux kernel vulnerabilities CVE-2017-9075,CVE-2017-9076,CVE-2017-9077
725047 3-Major   SNMP traps do not follow current best practices
718147 3-Major   Multiple Oracle Java Vulnerabilities
702236 3-Major   CVE-2017-5753 (Spectre Variant 1)
946141 4-Minor   Wrong calculation of percent_var_available for in tokumond
931349 4-Minor   Restjavad dies on high var usage in high availability (HA) pair due to tokumond not being stopped on secondary
931337 4-Minor   Large backups cause high availability (HA) setup to remove backup on secondary when pairing is unsuccessful
921989 4-Minor   Querying BIG-IP devices by IP addresses
846665 4-Minor   Authentication to BIG-IQ might fail when using an LDAP or Active Directory authentication provider using LDAPS that has Server Certificate Validation disabled.
713061 4-Minor   Linux kernel vulnerability CVE-2017-8824
680387 4-Minor   Multiple Bash Vulnerabilities
671934 4-Minor   CVE-2017-3143: BIND zone contents may be manipulated
671932 4-Minor   CVE-2017-3142: TSIG authentication bypass in AXFR requests


BIG-IQ Web Application Security (ASM) Fixes

ID Number Severity Solution Article(s) Description
976241 3-Major   Analytics processes got errors becuase of BK infinite and negative values
921521 3-Major   Policy signatures ready to be enforced are not reported
907973 4-Minor   Imported virtual servers with application protection are displayed as unprotected
901689-1 4-Minor   L7 Dashboard grid does not report number of DoS attacks correctly


BIG-IQ Application Management Fixes

ID Number Severity Solution Article(s) Description
952641 3-Major   AS3 deployments from BIG-IQ that define a GSLB_Domain using poolsCName instead of pools
914361 3-Major   Deploying AS3 application service to a managed device after upgrading or rebooting BIG-IQ

 

Cumulative fix details for BIG-IQ CM v8.0.0 that are included in this release

989949 : The restjavad.properties.json file is not getting updated to the latest version following an upgrade

Component: REST Framework and TMOS Platform

Symptoms:
When you upgrade the BIG-IQ system, the /var/config/rest/config/restjavad.properties.json file previously existing on the BIG-IQ is carried forward in the UCS archive and is preserved following the upgrade. The restjavad.properties.json file in the ISO is not deployed to the BIG-IQ.

The intended use of the restjavad.properties.json file was solely for users to optionally set customized values that overwrite some of the default application properties values. During some of the past releases prior to 8.0, some vendor (F5)-defined default property values were accidentally included in the restjavad.properties.json file in the ISO file. Any new property value that was added to the restjavad.properties.json file in a particular version will not exist on the BIG-IQ following an upgrade to that version.

Conditions:
Upgrade the BIG-IQ from a version begining with 5.1 to a version up to and including 7.1.0.3.

Impact:
Any new property value that was added to the restjavad.properties.json file in a particular version will not exist on the BIG-IQ following an upgrade to that version.

Note: This only affects upgrades, not new installs. The restjavad.properties.json file on a newly installed BIG-IQ will have the same content as the file in the ISO.

Workaround:
Following an upgrade:
1. Retrieve the restjavad.properties.json file from the ISO.
2. Apply (add or replace) to it any custom settings you previously configured.
3. Replace that file as the /var/config/rest/config/restjavad.properties.json file on the BIG-IQ.

See K02972920: The restjavad.properties.json file is not updated with a newer version after upgrading the BIG-IQ system: https://support.f5.com/csp/article/K02972920.

Fix:
This was fixed in BIG-IQ 8.0.0. The restjavad.properties.json file in the ISO no longer contains any default application properties values.

On upgrade to version 8.0.0 or newer, the BIG-IQ will just work correctly, using the property values in the file prior to the upgrade. F5 recommends to replace the restjavad.properties.json file from the earlier BIG-IQ version with the new, clean file from the ISO, and only add to the file the property values you want to be different from the defaults.

For more information, see K62981141: Overview on the BIG-IQ restjavad property file: https://support.f5.com/csp/article/K62981141.

Behavior Change:
The restjavad.properties.json file in the ISO no longer contains any default application properties values.


988621-5 : Upgrading BIG-IQ to 8.0.x with DCD might fail if the process times out

Component: AppIQ

Symptoms:
When upgrading BIG-IQ to version 8.0.x, the upgrade might fail on some DCDs if the upgrade of DCD takes longer than 90 min.

Conditions:
Upgrade a DCD with a large amount of data.
The following error appears in the BIG-IQ var/log/restjavad.0.log:

Unable to complete software installation for {device-name} due to timeout

or:

Failed to start device software install due to time out

Impact:
The BIG-IQ upgrade fails and there is no automatic roll-back process. All DCDs that were upgraded successfully (before the timeout) must be rolled back to the previous partition (previous version). The last DCD that failed on timeout will need a manual reboot to the previous version.

Workaround:
The timeout is hardcoded. To work around this timeout us one of the following solutions:

1.Perform an incremental upgrade to the following versions before upgrading to 8.0.x:
7.0.0.2 or 7.1.0.3 where this bug is fixed.

OR

2.
Complete the rollback procedure and increase disk space before upgrading to 8.0.x

Fix:
The timeout is now 3.5 hours, rather than 90 minutes.
In addition new external parameters were added if 3.5 hours is not enough:
IF ever 3.5 hours will not be enough time for the upgrade, you can increase the timeout at restjavad parameters:
    private static final int INSTALL_CHECK_RETRIES = ServerProperties.getPropertyAsInt("platform", "clusterUpgrade",
            "isoInstallCheckRetries", 2520);
    private static final int SYSTEM_UP_CHECK_RETRIES = ServerProperties.getPropertyAsInt("platform", "clusterUpgrade",
            "upgradeSystemUpCheckRetries", 120);


978405 : You might not be able to edit some Self-IP context objects after a BIG-IQ upgrade

Component: BIG-IQ Configuration - Security - Network Security

Symptoms:
After you upgrade BIG-IQ from version 5.4 to 7.1.0.2, you might not be able to edit some of the Network Security Context objects created in BIG-IQ version 5.4.

Conditions:
When you upgrade BIG-IQ from version 5.4 to BIG-IQ 7.1.0.2, and try to edit the Self-IP context objects created using BIG-IQ version 5.4 version through the BIG-IQ user interface.

Impact:
You cannot edit some Network Security Context objects.

Workaround:
N/A

Fix:
This issue is now fixed and you can now edit Network Security Context objects after upgrading BIG-IQ.


978257-1 : Monitoring graphs show incorrect start and end times

Component: AppIQ

Symptoms:
Under certain circumstances, the time period shown in monitoring graphs when selecting "Last Hour" or "Last 30m" is incorrect - it shows one hour of offset compared to the local time.

Conditions:
The way to reproduce this is to change the computer's timezone. Once the computer timezone is changed, browse to a dashboard (e.g. /monitoring/dashboards/device/health), select "Last Hour" and see the wrong X axis showing times from the future.

Impact:
Displays of unexpected time in graphs.

Fix:
The chart axes displayed are according to the operator's time-zone and not the time-zone of the BIG-IQ device location. This has always been the way BIG-IQ displays information.
 
When the operator requests statistics for a specific time period, e.g. last hour, the returned statistics are for the operator's last hour. This is to show real-time data regardless of the operator's location.


976241 : Analytics processes got errors becuase of BK infinite and negative values

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The Analytics processes appiqpostaggregator and appiqquery don't function correctly and might become OOM.

Conditions:
In rare instances, the BK may become corrupted. This may be temporal corruption of the ES cluster.

Impact:
The Analytics process receives exceptions, which affects its normal functionality.

Workaround:
N/A

Fix:
BIG-IQ now fixes itself when new BK is created for a particular module that becomes corrupted.


974593 : Rotate postgresql SSL certificate when or before it expires

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ creates an alert on the Monitoring > Alerts screen with an SSL certificate expires.

Conditions:
Always

Impact:
High

Workaround:
If BIG-IQ isn't in a high availability configuration, regenerate a new certificate by typing the following command: run ha_generate_certs -f <discovery_ip>.

If BIG-IQ is currently in high availability configuration, create a certificate and install it on its peer by running the following script on the BIG-IQ on which the certificate is expired/expiring:

ha_rotate_certs -i <discovery_ip> -p <peer_discovery_ip>

Fix:
When an SSL certificate expires run the following command.

For BIG-IQ that is not part of a high availability configuration: run ha_generate_certs -f <discovery_ip>

For BIG-IQ that is in a high availability configuration: ha_rotate_certs -i <discovery_ip> -p <peer_discovery_ip>


963993 : Unsuccessful import of SSLO configurations if the BIG-IP device and the BIG-IQ both deployed topologies with the same name

Component: BIG-IQ SSL Orchestrator

Symptoms:
You cannot import BIG-IP device configurations to BIG-IQ if the BIG-IP devices and your BIG-IQ have any deployed SSLO configurations with the same name.

The import process for all BIG-IP devices with duplicate SSLO topology names fails with the error message "Duplicate names 'sslo_XXXX' detected between the BIG-IP device and BIG-IQ, please delete them on either side, then discover again."

Conditions:
This issue occurs when the name of the SSLO configuration deployed onto the BIG-IP device you want to import is the same as the name of an SSLO configuration originating from a BIG-IP device already being managed by BIG-IQ.

Impact:
You will not be able to discover and import the configuration to the BIG-IQ, unless you delete or rename the SSLO configuration in BIG-IQ causing the issue and re-deploy the topology.

Workaround:
N/A

Fix:
Discovery and import of BIG-IP devices with SSLO provisioned is successful, even when you use the same name for SSLO configurations across multiple BIG-IP devices, provided all BIG-IP devices are running the same SSLO RPM version.


955145-7 : REST API not properly handling workers

Component: REST Framework and TMOS Platform

Symptoms:
Unspecified workers not being handled properly by REST API

Impact:
REST API not following best practice handling some workers

Workaround:
None

Fix:
REST API now following best practice handling workers


952641 : AS3 deployments from BIG-IQ that define a GSLB_Domain using poolsCName instead of pools

Component: BIG-IQ Application Management

Symptoms:
If you try to deploy an AS3 template from BIG-IQ that defines a GSLB_Domain using 'poolsCName' instead of 'pools', it fails with the following error: "Failed to execute step SET_TENANT: java.lang.NullPointerException""

Conditions:
Attempting to deploy AS3 deployments from BIG-IQ that defines a GSLB_Domain using 'poolsCName' instead of 'pools'.

Impact:
Unable to deploy the Application Service.

Workaround:
Use 'pools' instead of 'poolsCName' for the GSLB_Domain.

Fix:
BIG-IQ now collect the pool value from either 'pools' or 'poolsCName'.


947325 : Configuring different retention for specific statistics groups

Component: AppIQ

Symptoms:
Adjust the retention configuration for specific statistics groups (such as HTTP or ASM).

Conditions:
User wants configure a different retention for each statistics index group, rather than using the same global retention for all statistic groups.

Impact:
No system impact

Fix:
For BIG-IQ 8.0 it is possible to configure a different retention for each index type.
Generally all the statistics have the same retention that configured at:
https://{BIG-IQ-IP}/ui/system/bigiq-data-collection/cluster/settings/statistics-collection/configure

The retention can be configure for raw, hourly, daily, or monthly indexes or as we call them tl0,tl1,tl2,tl3 at elasticsearch db.

the default is [tl0,tl1,tl2,tl3] = [PT10H, P7D, P31D, P365D]

Lets say we want to configure a different retention for 2 statistics modules: http and asm.

We first need to find out what is the group names of those modules (each group contains number of modules and the retention is configured per some group and not for some individual module).

We first got to BIG-IQ CM console and send the following rest call:

# curl -X GET localhost:8898/mgmt/ap/v1/platform-config/resources/dynamic_global_parameter/modules-group-retention-global-parameters | jq . | less

{
  "kind": "dynamic_global_parameter",
  "ownerGroup": "appiq",
  "id": "modules-group-retention-global-parameters",
  "dependsOn": [],
  "state": "ACTIVE",
  "deploymentTarget": "any",
  "parameters": {
    "dos-detailed-group": {
      "name": "dos-detailed-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },
    "afm-group": {
      "name": "afm-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },
    "tcp-group": {
      "name": "tcp-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },
    "asm-group": {
      "name": "asm-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },

.
.
.

    },
    "dns-detailed-group": {
      "name": "dns-detailed-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },
    "http-group": {
      "name": "http-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    }
  },
  "selfLink": "https://localhost/mgmt/ap/v1/platform-config/resources/dynamic_global_parameter/modules-group-retention-global-parameters"
}


We can see here the 2 group names that we would like to configure: "http-group" and "asm-group".

We can see that each group has an array of size 4 - this is for the [tl0,tl1,tl2,tl3] different configuration - if it has empty string than the value is taken from the default configuration that configured at the UI (as explained above).

Let's say we would like the configure for the http-group different retention for tl0 and tl1 and for asm-group a different retention for tl1 and tl2 - then we will send the following rest:

curl -X PATCH localhost:8898/mgmt/ap/v1/platform-config/resources/dynamic_global_parameter/modules-group-retention-global-parameters -H 'Content-Type: application/json' -d '
{
"kind": "dynamic_global_parameter",
"ownerGroup": "appiq",
"id": "modules-group-retention-global-parameters",
"deploymentTarget": "any",
"parameters":
{
"http-group":
{
"name": "http-group",
"value": [
"PT24H",
"P12D",
"",
""
]
},
"dos-group":
{
"name": "dos-group",
"value": [
"",
"P5D",
"P62D",
""
]
}
}
}
'

Please note that the name of the group must appear twice - as the parameter name with the "name" inside.


946141 : Wrong calculation of percent_var_available for in tokumond

Component: REST Framework and TMOS Platform

Symptoms:
Tokumond logs show incorrect values for the amount of available storage

2020-08-18_06:40:01.087121086 [INFO] 67% storage available. Exiting...
2020-08-18_06:50:01.924146033 [INFO] 67% storage available. Exiting...
2020-08-18_07:00:01.899879226 [INFO] 67% storage available. Exiting...
2020-08-18_07:10:01.932731808 [INFO] 61% storage available. Exiting...
2020-08-18_07:20:01.382651783 [INFO] 33% storage available. Exiting...
2020-08-18_07:30:01.338448881 [INFO] 15% storage available. Exiting...
2020-08-18_07:40:01.458523897 [INFO] 100% storage available. Exiting..

Conditions:
When /var gets up to 100% used, the returned value is "00%" and the available space shows as 100%.

Impact:
Incorrect and confusing messages may appear in the log files.

Workaround:
N/A

Fix:
Tokumond logs now show the correct calculation of amount of space available for /var.


942849-1 : When appiqconfig loses connection to Elasticsearch (ES) it is unable to re-establish the connection

Solution Article: K92678530

Component: AppIQ

Symptoms:
Elasticsearch is filled with hundreds of statistics in _t10_* indexes because the postaggregator stops working.

Conditions:
The retention of indexes stops working because the aggregation of indexes from tl0 to tl1 stops working, causing the tl0 indexes to accumulate and not aggregate.

Impact:
Elasticsearch begins to work slowly, become unresponsive, and some indexes might become corrupted. Retention stops working.

Workaround:
For BIG-IQ version version 7.1.x or earlier, refer to the solution article for workaround procedures.

Fix:
Issue fixed for version 8.0

To resolve ElasticSearch indexes that caused the ES be unresponsive then we have added index overflow protection in BIG-IQ v8.0.

If for some reason the ES indexes will start to accumulate data, then the agent manger will stop receiving new traffic from the index type that can cause the ES to become unresponsive.


When the indexes overflow protection mechanism kicks in, an empty graph appears for statistics in the affected monitoring screens - this is because the agentmanager temporarily stops receiving new statistics for this index type, until the affected index issue is resolved.

Also the appiqagent log (/var/log/appiq/agentmanager.log) for each DCD will throw the following error (for example if the http group index been accumulated beyond the threshold):

2021-01-01 01:34:29,748 ERROR c.f.a.a.r.s.StatisticsIndexesOverflowDetector [scheduling-1] The number of 'statistics_tl0_http-group*' indexes , 19, is above [retention(10) + high_watermark(8)]. ***** Any of those new Statistics will not be written to ElasticSearch - Please Check if the appiqconfigserver or appiqpostaggregator are OK and running at the BIG-IQ CM or check what is the root cause for this accumulation of the indexes *****

And if the number of the affected indexes are back to normal, the following log entry is shown:

2021-01-01 13:34:30,093 INFO c.f.a.a.r.s.StatisticsIndexesOverflowDetector [scheduling-1] The number of 'statistics_tl0_default-group*' indexes, 1, got back to normal ***** Those new Statistics writes will be resumed *****


936081 : Improve Active Alerts Query response time when there is a large number of active alerts

Component: AppIQ

Symptoms:
The UI takes a long time to render pages that show active alerts related information.

Conditions:
The system is configured with a large number (thousands) of alerts

Impact:
Slowness of the UI in pages with active alert related information

Workaround:
Configure the query service to get alerts from in-memory storage (used by the health calculator process) instead of from elastic-search.

- In /var/config/appiq/queryservice/bin/run_queryservice_bigiq.sh, add "eventstore-alarms" to the "spring_profile" list.
- restart the query service using "bigstart restart appiquery" command.

Impact of workaround: There is a risk that a large amount of alerts will fill up the memory of appiqquery, hence it is important to increase its JVM memory, by editing the "/etc/biq_daemon_provision.json" file.
- If the alerts count on the UI is greater than 10k - the recommendation for 64GB systems is to increase the appiqquery JVM memory allocation from 800MB to 1.2GB while reducing the restjavad JVM memory allocation from 20000MB to 19600MB.
- If the alerts count on the UI is greater then 25k - the recommendation for 64GB system's is to increase the appiqquery JVM memory from 800MB to 2GB

For 32GB systems, the same values should apply. The only potential issue here is that it would not be safe to reduce the allocated JVM memory of restjavad in case the system has a large number of ASM devices with many ASM entities since, during import/discovery of these devices high memory consumption is expected by restjavad. Internal testing showed high memory consumption by restjavad with ~160 ASM devices and overall of 1000 policies. If this is not the case for your environment then you can safely modify the restjavad memory.

Once memory changes are done, query service and restjavad must be restarted, in order for the JVM memory changes to take effect, by running the command "bigstart restart restjavad appiqquery".

Fix:
Query service is configured by default to get alerts from in-memory storage (used by the health calculator process) instead of from elastic-search.

Data transfer between the health calculator service and query service has been improved to reduce the memory usage of the query service, which enables the query service to handle a much larger number of alerts without the need for increasing its JVM memory allocation.


931353 : Table bloat causes high availability (HA) to fail

Component: REST Framework and TMOS Platform

Symptoms:
Failover does not complete fully. You see an error in /var/log/restjavad.0.log:

Failed query '$skip=0&$top=150&$filter=name+eq+'*'&$orderby=name+asc&kind=cm:adc-core:working-config:ltm:pool:adcpoolstate&parentContext=https://localhost/mgmt/cm/adc-core/working-config/ltm/pool&modules=adc-core' - org.postgresql.util.PSQLException: ERROR: could not write to tuplestore temporary file: No space left on device

You also see diskmonitor errors:
err diskmonitor: 011d0004:3: Disk partition /var has only 7% free

Conditions:
This can occur if /var reaches 90% full, which can be caused by excessive table bloat in the Postgres database.

Impact:
HA configuration is removed, failover does complete.

Workaround:
Performing VACUUM FULL manually on DB will clean up bloat but can be disruptive to system. For more information on this procedure, see K18484011: BIG-IQ Reclaim unused disk space from postgres database, available at https://support.f5.com/csp/article/K18484011

Fix:
A weekly cron job has been scheduled that calls vacuum-digiq-db which will perform vacuum full on the 10 largest(memory) tables in bigiq_db


931349 : Restjavad dies on high var usage in high availability (HA) pair due to tokumond not being stopped on secondary

Component: REST Framework and TMOS Platform

Symptoms:
While in high availability (HA) pair, high /var usage will cause tokumond to stop on the primary but does not stop on the secondary, causing continued /var usage.

Conditions:
During high availability (HA) pair with high /var usage

Impact:
/var will eventually fill due to secondary tokumond not being filled


931337 : Large backups cause high availability (HA) setup to remove backup on secondary when pairing is unsuccessful

Component: REST Framework and TMOS Platform

Symptoms:
When a BIG-IQ has a large setup(database size), joining a device trust group may fail. If this occurs, the secondary's backup database may be removed.

Conditions:
-- Large database on BIG-IQ
-- You add the BIG-IQ to a device trust group

Impact:
Secondary device does not have a backup database after pairing fails

Fix:
Failed high availability (HA) backup does not remove secondary backup DB file anymore


930569 : ERROR: unsupported Unicode escape sequence

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IP may generate unsupported unicode error when policy workflows are triggered related to events:

ERROR: unsupported Unicode escape sequence
  Detail: \u0000 cannot be converted to text.
  Where: JSON data, line 1:

Conditions:
-- Policy workflows are created and triggered

Impact:
Unabled to see triggered workflows

Fix:
No longer see errors in restjavad logs


925301 : Unable to view Access reports when date/time filter is applied when your computer is set to a non-English language

Component: BIG-IQ Access

Symptoms:
For BIG-IQ Access dashboards, no data will display when you select the "Before/After/Between" to view reports for a specific date-time range.

Conditions:
This occurs if you set the language on your computer to anything other than US English.

Impact:
You will be unable to view data for all Access dashboards. The error message "No Data Available" displays.

Workaround:
N/A

Fix:
The Access dashboards now display properly when a date-time filter is applied.


925169 : BIG-IQ hardware upgrade might fail

Component: REST Framework and TMOS Platform

Symptoms:
When upgrading BIG-IQ hardware, there is a race condition due to two different services trying to perform disk provisioning that might cause the hardware upgrade to fail.

Conditions:
Upgrading BIG-IQ hardware.

Impact:
The BIG-IQ upgrade fails.

Workaround:
Install BIG-IQ version 7.1.0.x in a new volume. Select the option to not automatically reboot to the new volume.
Mount the new volume using the command: volumeset -f mount {X}.
Edit /mnt/X/etc/bigstart/scripts/tokumx as follows:
- Add the following line after the existing 'setproperties ${service}' line: waitfor_disk_provisioning ${service}
- Replace the existing line 'if [ -f /bin/halid ]; then' with: if false; then
Unmount the new volume with the command: volumeset -f umount {X}.
Reboot to the new volume.

Fix:
BIG-IQ hardware upgrades no longer have two different services attempting to perform the disk provisioning.


923613 : Discovering a BIG-IP device and importing its services that contain 'bot-profiles'

Component: BIG-IQ Local Traffic & Management

Symptoms:
After discovering a BIG-IP device and importing its ASM service, BIG-IQ returns an error similar to the following:

-- Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: Invalid entry "bot-defense" in "controls" string, valid options are: [acceleration, asm, avr, caching, ce, classification, client-ssl, compression, forwarding, l7dos, persistence, request-adaptation, response-adaptation, server-ssl, ssl-intercept, websocket].

Conditions:
This happens when you are running BIG-IQ version 7.1.0

This issue occurs when you import a BIG-IP with the following configuration:
a. BIG-IP contains a Bot Profile
b. BIG-IP contains an LTM Policy attached to this Bot Profile

Impact:
You cannot import the ASM services associated with the discovered BIG-IP device that contains bot-profiles.

BIG-IQ version 7.1.0 does support 'Anti-Bot Detection and Protection.

Fix:
Discovering a BIG-IP device and importing its ASM services that contain 'bot-profiles' no longer reports an error message.


922877 : Access Sessions Summary page shows duplicate data for a single session

Component: BIG-IQ Access

Symptoms:
The Access Session Summary page displays more than one entry per Session ID.

Conditions:
This happens when you view the Access Summary Page at BIG-IQ >> MONITORING >> DASHBOARDS >> Access >> Sessions >> Session Summary page.

Impact:
Some session details distributed across various columns are missing. Session details are duplicated across duplicate rows in the report.

Fix:
Session data is no longer listed twice on the dashboard, and this issue no longer occurs.


922417 : Creating a CSV report for active sessions

Component: BIG-IQ Access

Symptoms:
When trying to create a CSV report for active sessions, BIG-IQ returns an error similar to the following: "Error: No handler found for uri.".

Conditions:
This happens if you attempt to generate an Active Sessions report with more than 1,000 records.

Impact:
You cannot generate the CSV reports for Access reporting screens if the report contains a large number of records.

Workaround:
N/A

Fix:
This issue is now resolved and the Active Sessions CSV report properly downloads.


921989 : Querying BIG-IP devices by IP addresses

Component: REST Framework and TMOS Platform

Symptoms:
When searching for BIG-IP devices by IP addresses, BIG-IQ doesn't always include all results.

Conditions:
Searchnig for BIG-IP devices by IP addresses.

Impact:
Not all BIG-IP devices are displayed.

Workaround:
sed -i '/document._system_search_tags = row._system_search_tags;/a\ \ \ \ document._ranges = row._ranges;' /usr/share/rest/tokumon/src/transforms.js

bigstart kill tokumond

Fix:
The correct BIG-IP devices are displayed when searching by IP devices.


921537 : BIG-IQ does not support BIG-IP tunnel objects binding with local-traffic

Component: BIG-IQ Local Traffic & Management

Symptoms:
Config sync fails and tunnel objects are configured incorrectly across devices in a device group.

Conditions:
All of the following:
 
1) BIG-IP is using a tunnel object
2) The tunnel is assigned to traffic-group-local-only
3) BIG-IP is configured with Device Services Clustering with config sync enabled.

Impact:
An incorrect tunnel object might be synced from one device to another device

Workaround:
A potential workaround is to have all tunnels on cluster reside on one BIG-IP device and import it last.

Fix:
Fixed an issue with config sync of tunnels that are assigned to traffic-group-local-only.


921521 : Policy signatures ready to be enforced are not reported

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Policy signatures that have passed the enforcement readiness period are not reported.

Conditions:
Create an ASM policy using Central Policy Builder and leave it active beyond 7 days (or the policy staging period). Check for signatures ready to be enforced.

Impact:
All signatures report readyToBeEnforced = false, even if there are signatures that passed the staging period.

Workaround:
N/A

Fix:
Policy signatures that have passed the necessary staging period are reported as ready to be enforced.


921025 : Network security log profile changes in 15.1 breaks BIG-IQ import

Component: BIG-IQ Configuration - Security - Shared Security

Symptoms:
New storage fields included in BIG-IP 15.1.x are not validated in BIG-IQ, which is causing import failures

Conditions:
Import Network Security logs from BIG-IP v15.1.x that include storage values.

Impact:
Importing Network Security log with storage fields results in error message:

restjavad.4.log:[ERROR][19 Jun 2020 09:18:34 CEST][/cm/security-shared/working-config/log-profiles/232543a8-6e3e-3e3a-a42c-d2c592d223d4/network WorkingProfileNetworkCollectionWorker] Validation failure: java.lang.IllegalArgumentException: Invalid format field value : dest_ipint_categories
restjavad.4.log:[ERROR][19 Jun 2020 09:18:34 CEST][/cm/security-shared/tasks/config-copy/b16532b8-fd5d-431a-87cf-486ac566b9ad/worker SharedConfigCopyTaskWorker] Failed POST to target https://localhost/mgmt/cm/security-shared/working-config/log-profiles/232543a8-6e3e-3e3a-a42c-d2c592d223d4/network: java.lang.IllegalArgumentException: Invalid format field value : dest_ipint_categorie

Fix:
This issue is resolved for BIG-IQ version 8.x or later.


919093 : BIG-IQ Access policy branch rule names don't allow '.'

Component: BIG-IQ Access

Symptoms:
When you create an Access policy branch rule, BIG-IQ does not allow you to input a branch rule name that contains the '.' punctuation mark.

Conditions:
This issue occurs when you create an Access policy branch rule name that contains the '.' punctuation mark.

Impact:
You won't be able to create an Access policy branch rule with the punctuation mark '.' in the name.

Workaround:
N/A

Fix:
You can now create an Access policy branch rule name with the '.' punctuation in the name. This issue no longer occurs.


918997 : Custom expressions in the Visual Policy Editor will alter new line character for the Variable Assign agent

Component: BIG-IQ Access

Symptoms:
A Variable Assign agent in the VPE with custom expressions and attached to an Access policy might change new line characters to "\n". This causes the custom expression to fail with an error.

Conditions:
This error might happen if the Variable Assign agent was created with custom expressions spanning multiple lines. When the policy is deployed to managed BIG-IP devices, the new line characters show up as "\n" instead of actual new lines.

Impact:
The APM custom expression fails to work.

Workaround:
N/A

Fix:
This issue no longer occurs. You can now deploy a Variable Assign agent with multi-line custom expressions and attach it to an Access policy and deploy it to a BIG-IP device sucessfully.


916881 : Deploying an Access policy containing orphaned policy items fails

Component: BIG-IQ Access

Symptoms:
Deploying an Access policy containing orphaned policy items to a BIG-IP device might fail with the following error:

"Critical Error: The access policy ("access-policy") has an item ("orphaned-policy-item") which is not referenced by any policy rule."

Conditions:
This error can happen if you:

1) Create an Access policy with a branch rule such as "URL Branching".
2) Add another item to that branch.
3) Delete the branch rule in "URL Branching".
4) Deploy the Access policy to a BIG-IP device.

Impact:
You cannot deploy access policies with orphaned policy items.

Fix:
This issue is now fixed and you can now deploy Access policies with orphaned objects.


916441 : Operations using route domains fail with 'invalid input syntax for type inet'

Component: REST Framework and TMOS Platform

Symptoms:
The storage system might not recognize an address with a route domain (% followed by a number after the IP address) as a valid address. This could cause operations to fail or to hang. Logs under /var/log/postgres/ shows an error similar to:

ERROR: invalid input syntax for type inet: "10.10.1.4%6"

Conditions:
This happen when route domains are used.

Impact:
Operations might fail or hang and errors are logged.

Workaround:
None

Fix:
Addresses containing route domains are now correctly recognized as valid.


914801 : Creating a local SAML SP service

Component: BIG-IQ Access

Symptoms:
A local SAML SP service cannot be created with entity ID containing session variables, since host name is a mandatory field for local SP service.

Conditions:
When you create a local SAML SP service with session variables as entity ID and host name is not provided.

Impact:
You are unable to create the service until you specify a hostname.

Workaround:
N/A

Fix:
You are now able to create a local SAML SP service without a hostname.


914361 : Deploying AS3 application service to a managed device after upgrading or rebooting BIG-IQ

Component: BIG-IQ Application Management

Symptoms:
After upgrading BIG-IQ, you are unable to deploy an AS3 application service from BIG-IQ.

Error message:
Failed to get cm-bigip-allBigIpDevices device for address 3.90.185.47 : java.lang.IllegalStateException: Device not found in device group: java.lang.IllegalStateException: Device not found in device group

Conditions:
This happens after you upgrade or reboot BIG-IQ.

Impact:
You cannot deploy an AS3 application service from BIG-IQ.

Workaround:
To work around this issues, from the command line type: bigstart restart restjavad

Fix:
This issue is now fixed.


912177 : Generating CSV report from Access User Summary

Component: BIG-IQ Access

Symptoms:
When you click the CSV Report button from the Access User Summary by navigating to Monitoring >> Dashboard >> Access >> User Summary screen and the following error displays "Error: Not Authenticated."

Conditions:
This can happen when you click the CSV Report button on Access Reporting page.

Impact:
You can't export or generate the CSV reports for certain Access reporting screen.

Workaround:
N/A

Fix:
This issue no longer occurs and the CSV Report button now works as expected from the Access screen.


911445 : When BIG-IQ is performing resource-intensive operations, user sessions might prematurely terminate

Component: REST Framework and TMOS Platform

Symptoms:
When BIG-IQ is performing resource-intensive operations, API responses might be slowed which can lead sometimes cause log-in sessions to time out, forcing users to log out of BIG-IQ.

Conditions:
BIG-IQ is performing resource-intensive operations, such as importing large device configurations.

Impact:
Users are forcibly logged out of the BIG-IQ user interface.

Workaround:
None

Fix:
This issue is now fixed and authorization is maintained even during periods of resource-intensive operations.


908505-2 : Managing BIG-IP devices using a large number of virtual servers while running iApp analytics

Component: AppIQ

Symptoms:
Managed BIG-IP devices running iApp analytics logs an error message similar to the following error /var/log/ltm:

err scriptd[8484]: 014f0013:3: Script (/Common/bigiq-analytics-send_stats) generated this Tcl error: (script did not successfully complete: (couldn't create pipe: too many open files while executing "exec /usr/bin/tmsh -c "list ltm virtual $virtual_name partition" | grep "partition " | tr -s " " | cut -d " " -f3- " ("foreach" body line 3) invoked from within "foreach virtual $virtual_list { set virtual_name "/[tmsh::get_name $virtual]" set partition_name [exec /usr/bi..." invoked from within "if { [file exists ${filename}0] != 1 || [ expr [clock seconds] - [file mtime ${filename}0] ] > 360 } { set infile [open "$filename$curr..." line:346))

Conditions:
When managing a BIG-IP device with a large number of virtual servers and running iApp analytics.

Impact:
iApp does not collect statistics for virtual server, pool, nodes, or statuses.

Workaround:
A workaround is available for BIG-IQ version 7.1. For more information see: https://support.f5.com/csp/article/K53001642

Fix:
iApp now collects data as expected.


907973 : Imported virtual servers with application protection are displayed as unprotected

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Protected virtual servers with a monitoring/blocking application protection policy do not display enforcement mode following import from BIG-IP.

Conditions:
1. On BIG-IQ discover a BIG-IP device with a protected virtual server.

2. Check the virtual server's enforcement mode in the L7 security grid (Monitoring > DASHBOARDS > L7 Security).

Impact:
The virtual server will display 'Not Protected' enforcement status.

Workaround:
PATCH the VS (or update it via UI), wait a minute and it will get the protection mode.

For batch mode, restart restjavad, which marks all vips as dirty and protection mode will be recalculated for all of them.

Fix:
Protected virtual servers imported from a managed BIG-IP device now display the correct enforcement mode.


906121 : Adding Pool Members to Resource Groups

Component: BIG-IQ Local Traffic & Management

Symptoms:
When adding a Pool or Virtual Server to a Resource Group, the related Pool Members appear individually instead of all Pool Members.

Conditions:
When adding a Pool or Virtual Server to Resource Group.

Impact:
You must add Pool Members individually to Resource Groups after they are created or they will not be visible to the user with the associated role.

Workaround:
You can use an API call to create a Resource Group (RG) with the pools as you want them and use that Resource Group in a Role.
Here are the steps for that,

1. Find the pool (or pools that you want in the role and capture it's membersCollectionReference:
GET cm/adc-core/working-config/ltm/pool

2. modify the json body below to match the retrieved pool members URI path
 - change the name, description, and expression (note the /* at the end of the membersCollectionReference URI path)
 - you just need the pool members expression (the pool that owns it will be automatically added to the RG.)
 - you can have more than one expression in the referenceExpressions array.
{
  "resourceGroupName": "workaroundRGSample",
  "resourceGroupDisplayName": "workaroundRGSample",
  "resourceGroupDescription": "",
  "referenceExpressionsPatches": [
    {
      "targetKind": "cm:adc-core:working-config:ltm:pool:members:adcpoolmemberstate",
      "referenceExpressions": [
        {
          "name": "All Pool Members for newPool",
          "description": "All existing and future Pool Members for newPool.",
          "expression": "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*"
        }
      ]
    }
  ]
}

3. POST that to here: /shared/authorization/patch-resource-groups
- note this is a declarative API. If you want to change the RG you need to include ALL expressions that you want in the RG and POST to the same endpoint again. Like if you wnted to add a pool/members then the body above would contain two referenceExpressions.

4. You'll get a response like this:
{
    "id": "cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b",
    "kind": "shared:authorization:resource-groups:resourcegroupstate",
    "name": "workaroundRGSampleXX",
    "isPublic": true,
    "selfLink": "https://localhost/mgmt/shared/authorization/resource-groups/cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b",
    "isBuiltIn": false,
    "generation": 1,
    "description": "",
    "displayName": "workaroundRGSampleXX",
    "isSystemManaged": false,
    "lastUpdateMicros": 1588021146636422,
    "referenceExpressionCollectionReference": {
        "link": "https://localhost/mgmt/shared/authorization/resource-groups/cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b/reference-expressions",
        "isSubcollection": true
    },
    "differences": {
        "added": [
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members",
            "/cm/adc-core/working-config/ltm/pool",
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*",
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631"
        ],
        "removed": []
    }
}

5. Now create a second Resource Group in the UI that does NOT include the Pool and Pool Members for the VIP.

6. Create a role that includes the RG you manually created above and the second RG (without the Pool and Pool Member) that you created in the UI.

Fix:
This issue is fixed.


905737 : Setting up BIG-IQ as a license manager only

Component: BIG-IQ Device Management

Symptoms:
If you are configuring BIG-IQ as a BIG-IP license manager only, selecting the option to skip licensing during setup, setup fails.

Conditions:
Selecting the skip license option when setting up a BIG-IQ to manage licenses for BIG-IP devices.

Impact:
Setup will fail to license a BIG-IP.

Workaround:
When setting up BIG-IQ to only manage licenses for BIG-IP devices, make sure to enter a license manager base registration key during setup.

Fix:
This issue is fixed.


903229 : Pruning of expired backups fails due to a failed query.

Component: REST Framework and TMOS Platform

Symptoms:
When a backup expires, BIG-IQ is supposed to delete it according to its global pruning schedule (GPS). The GPS runs at around 1AM on every BIG-IQ device. However, this pruning of expired backups fails due to an invalid query.

Conditions:
BIG-IQ is configured and is running.

Impact:
Expired BIG-IQ backups are not pruned and a warning is logged.

Workaround:
Manually select and delete the expired backups.

Fix:
Fixed the datetime to be always stored in UTC and corrected the way timestamps are queried.
These two issues were the root cause that was preventing the BIG-IQ from successfully pruning expired backups.


903121 : Evaluating and deploying Access Groups containing a remote desktop configuration

Component: BIG-IQ Access

Symptoms:
When evaluating and deploying Access Groups containing a Remote Desktop configuration to a BIG-IP device, it might fail with the following following error:

"Critical error: Error getting aclOrder value on object."

Conditions:
This error can happen if a Remote Desktop object was created on a managed BIG-IP running version 15.1 or later and then discovered and services imported.

Impact:
You might not be able to deploy configurations containing Remote Desktop objects to a managed BIG-IP devices.

Workaround:
To resolve this issue, you can define aclOrder for a Remote Desktop object using the following API calls:

For Remote Desktop - Citrix
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/citrix

For Remote Desktop - RDP
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/rdp

For Remote Desktop - VMWare
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/vmware-view

After defining the aclOrder for the Remote Desktop objects, you should be able to successfully evaluate and deploy this configuration to managed BIG-IP devices.

Fix:
This issue no longer occurs. You should be able to import configurations containing Remote Desktop objects and edit and save it on BIG-IQ. You should also be able to deploy configurations containing Remote Desktop objects to target BIG-IP devices from BIG-IQ.


901689-1 : L7 Dashboard grid does not report number of DoS attacks correctly

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The grid for the L7 Security Dashboard does not report attack data, even when objects are under attack.

Conditions:
Go to Monitoring > DASHBOARDS > L7 Security Dashboard
Run a DoS L7 attack
View the attacks in the summary bar (confirming attacks)
View the DoS attacks column in the grid, all report "No Data"

Impact:
No DoS attack count data for column in object grid.

Workaround:
N/A

Fix:
DoS attack information is now displayed correctly in the L7 dashboard.


901129-2 : DoS events and DNS Overview screens returns error message

Solution Article: K57274211


900849 : Editing is disabled for deployed SSLO configurations after upgrading your managed BIG-IP devices from version 14.x to 15.x

Component: BIG-IQ SSL Orchestrator

Symptoms:
After upgrading your managed BIG-IP devices from any 14.x version to 15.x and you try to edit a deployed SSL Orchestrator topology running RPM 5.4, BIG-IQ returns an error. As a result, you are unable to save the SSLO configuration and proceed to the next step.

Conditions:
This issue can happen in BIG-IQ after upgrading your managed BIG-IP devices from 14.x to 15.x.

Impact:
You cannot edit a deployed topology after upgrading a BIG-IP image from 14.X to 15.X.

Workaround:
To resolve this issue follow the steps in the order shown:
1. Re-deploy the security policy used by the topology before editing the topology. Remove all devices from the device page, add the devices back, then re-deploy the policy.
2. Edit the SSLO topology in a topology workflow. Click the topology icon in the first step of the wizard. Do not click Save & Next, and instead click the interception rule icon in the wizard. Update the Access profile in the interception rule page, click Save, and deploy the topology.

Fix:
You can now edit and and re-deploy all deployed SSLO configurations after upgrading the managed BIG-IP devices from version 14.x to 15.x.


899609 : Deployment of an imported Existing Application SSL Orchestrator topology may fail from BIG-IQ

Component: BIG-IQ SSL Orchestrator

Symptoms:
A deployment of an SSL Orchestrator topology can fail if that topology is an Existing Application type topology, and if the configuration was imported from a managed BIG-IP to the BIG-IQ.

Conditions:
For this condition to occur, an Existing Application topology must be deployed in BIG-IP and then imported back to BIG-IQ. After this, any redeployment of this imported topology which uses the Existing Application configuration type may fail.

Impact:
You cannot deploy an imported 'Existing Application' SSL Orchestrator topology from BIG-IQ.

Workaround:
Currently, there is no direct workaround to redeploy the imported topology without a deployment failure. Instead, you can delete the topology that is failing and deploy a new Existing Application topology with the same configuration.

Fix:
Deployment of an Existing Application SSLO topology is successful, even when you have imported that topology from the managed BIG-IP device to the BIG-IQ.


899601 : The number of security services in the SSL Orchestrator topology list page shows 0 for imported topologies

Component: BIG-IQ SSL Orchestrator

Symptoms:
In the SSL Orchestrator topology list page under the Configuration tab, the number of security services in the imported topology always shows 0, even if there are services that exist in this configuration.

Conditions:
This occurs whenever you try to view the number of services deployed in the topology list page.

Impact:
You might not be able to see how many services are being used by an imported topology.

Workaround:
To find the number of services attached to a particular topology, go to the service chain attached to the topology and check the number of services there.

Fix:
The topology list page now shows the exact number of security services associated with each topology.


892901 : Deployment of topologies, security policies, or services fails after removing an SSLO configuration

Component: BIG-IQ SSL Orchestrator

Symptoms:
After selecting the button to remove an SSL Orchestrator (SSLO) configuration for any topologies running all 5.X SSLO RPM versions, the topology deployment will fail.

Conditions:
This issue occurs only when removing configurations from topologies running any 5.X SSLO RPM version.

Impact:
You are unable to deploy any SSLO topology, security policy, or inspection services to managed BIG-IP devices after using the Remove SSLO Configuration button in BIG-IQ unless you employ the workaround.

Workaround:
To effectively deploy a configuration after using the Remove SSLO Configuration button and clearing your device of all SSL Orchestrator configurations, you must reset your Device Settings and deploy them before attempting additional configurations on the device. Follow the steps in this order to get a successful deployment:

1) In BIG-IQ under Configuration >> SSL Orchestrator >> Devices, click on each managed device for which you did a full clean-up.
2) On each managed device page, modify the General Settings to your specifications. If you have nothing to change, change a field and then revert it to re-activate the Deploy button.
3) Click Deploy.
4) Make other configurations within a topology on this managed BIG-IP device and deploy them successfully.

Fix:
This issue is now fixed and the SSLO topology deployments will succeed after removing all SSLO configurations.


889049 : Deployment and Configuration menus with long virtual server or pool names.

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
The Deployment and Configuration menus are currently not wide enough to display long virtual server and pool names.

Conditions:
This happens if the combination of partition and object names combined exceeds 21 characters.

Impact:
You cannot to read the full name of the virtual server or the pool configured for the virtual server.

Workaround:
None.

Fix:
This issue is now fixed.


872237-2 : CPU spikes on managed BIG-IP devices when using iApp analytics

Component: AppIQ

Symptoms:
BIG-IQ regularly queries the status of virtual servers and pools on BIG-IP devices running iApp, which can cause CPU spikes when the number of servers and pools are high.

Conditions:
When collecting statistics with iApp on BIG-IP devices that have more than 600 virtual servers and/or 400 pools.

Impact:
CPU usage spikes on managed BIG-IP devices when they reach maximum usage when statistics collection is enabled.

Workaround:
For BIG-IQ version 7.1, see the following article for a workaround: https://support.f5.com/csp/article/K53001642

Fix:
CPU spikes no longer occur as a result of status queries to BIG-IP devices.


860473 : Connection and read timeout settings for the TACACS+ authentication provider

Component: REST Framework and TMOS Platform

Symptoms:
The TACACS+ authentication provider uses a fixed, hard-coded value (5 seconds) for the timeout to get a response from the TACACS+ server. If a request to the TACACS+ server to authenticate a user or to retrieve the user properties does not complete within 5 seconds, the request fails. This causes the BIG-IQ authentication of a remote TACACS+ user to fail as well.

Conditions:
When you use a TACACS+ authentication provider to authenticate to BIG-IQ and the TACACS+ server is too slow, it will probably time out before you get authenticated.

Impact:
TACACS+ user authentication to BIG-IQ fails.

Workaround:
N/A

Fix:
You can now configure the connection timeout and read timeout settings.


859709 : Full name of the default pool does not display on the LTM virtual server properties screen

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
LTM Virtual Server properties screen shows only the first 32 to 40 characters of the default pool's full name.

Conditions:
1. Log in with read-only permissions.
2. Navigate to Configuration>LOCAL TRAFFIC>Virtual Servers.
3. Click the name of a virtual server and scroll down to the Default Pool drop-down box.

Impact:
If the default pool has a long name, read-only users cannot see the full name of the default pool.

Workaround:
Keep the pool name shorter than 32 characters.

Fix:
The issue is now fixed.


846665 : Authentication to BIG-IQ might fail when using an LDAP or Active Directory authentication provider using LDAPS that has Server Certificate Validation disabled.

Component: REST Framework and TMOS Platform

Symptoms:
When you set up an LDAP or Active Directory authentication provider that uses the LDAPS protocol on TCP port 636 with Server Certificate Validation enabled, and then disable Server Certificate Validation in the authentication provider settings you get an unexpected result.

When the user tries to authenticate to the BIG-IQ, the authentication fails with the error:
 Unable to connect to the authentication server. java.security.cert.CertificateException: No subject alternative names present.

Conditions:
LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then disabled.

Impact:
User authentication to BIG-IQ fails.

Workaround:
There are 3 potential workarounds:

1. Set up the LDAP or Active Directory authentication provider to use StartTLS on TCP port 389 instead of LDAPS on TCP port 636. Ideally, enable 'Server Certificate Validation'.
This is the most secure option.

2. If your LDAP/Active Directory server does not support StartTLS and you need to use LDAPS, set up the authentication provider with 'Server Certificate Validation' enabled.
This option is more secure than the next option.

3. If you need to use LDAPS and for some reason the authentication provider cannot validate the server certificate, then disable certificate validation from the very beginning. If you have first set it up with 'Server Certificate Validation' enabled:
  a. Delete the authentication provider.
  b. Restart restjavad.
  c. Re-create the authentication provider with 'Server Certificate Validation' disabled.

This last option is not recommended, because it is less secure.

Fix:
This has been fixed. User authentication to BIG-IQ does work correctly when you create an LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then you disable it.


809725 : Security Policy deployed through an SSLO topology in BIG-IQ is not visible on managed BIG-IP

Component: BIG-IQ SSL Orchestrator

Symptoms:
If you deploy a security policy through a topology from BIG-IQ, it does not display on BIG-IP.

Conditions:
1) Create a Security Policy with Proxy Connect enabled and with a BIG-IP device pool selected.
2) Create an Outbound SSLO topology, and in the 'Security Policy' section, use an existing security policy that was just created with the proxy connect enabled.
3) Deploy the topology.

Impact:
The security policy does not display on the managed BIG-IP device.

Workaround:
Deploy the same topology to BIG-IP from BIG-IQ with a security policy that does not have Proxy Connect enabled. Alternatively, disable the Proxy Connect option on the same topology and re-deploy.

Fix:
The issue is fixed. You now will be unable to select a security policy in the 'Use-Existing' security policy options when the following is true:

1) You are using an outbound topology
2) You enable Proxy Connect for the security policy

As a result, you will not be able to deploy a topology with an invalid security policy.


808133-2 : Analytics iApp pushed from BIQ-IQ causes BIG-IP high availability (HA) peers to go out of sync

Component: AppIQ

Symptoms:
BIG-IP high availability (HA) peers become out of sync and log audit messages similar to the following.

01420002:5: AUDIT - pid=20880 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify security analytics settings collect-all-dos-statistic enabled

Conditions:
When analytics iApp is pushed from BIG-IQ.

Impact:
BIG-IP high availability (HA) peers become out of sync.

Fix:
Peer BIG-IP devices in an HA configuration no longer become out of sync when BIG-IQ pushes the iApp.


807389 : Number of services in the SSL Orchestrator device list page shows 0 for services deployed on BIG-IP HA devices

Component: BIG-IQ SSL Orchestrator

Symptoms:
In the page Configuration >> SSL Orchestrator >> Services, the number of devices of the service always shows 0, when some of the devices are configured as BIG-IP HA.

Conditions:
This occurs whenever you try to view the number of devices are being used by a particular service in the page Configuration >> SSL Orchestrator >> Services.

Impact:
You might not be able to see how many devices are being used by a particular service when some of the devices are configured as BIG-IP HA.

Workaround:
To find the number of devices on which a particular service is deployed, in service list page find the location of the service, then go to page Configuration >> SSL Orchestrator >> Devices, check the number of devices attached to the location.

Fix:
The device list page shows the exact number of security services deployed to each device or cluster.


807249 : SSLO topology can be saved without selecting a security policy in the 'Use Existing' dropdown in the security policy page

Component: BIG-IQ SSL Orchestrator

Symptoms:
When creating a new SSLO topology, you can still save your security policy configuration if you select the option to use an existing security policy, but do not select a security policy to add to your topology.

Conditions:
This will occur if you try to create a new topology, choose the 'Use Existing' option in the security policy configuration page, and save the configuration without selecting any security policy in the dropdown.

Impact:
You may deploy an invalid SSLO topology without a security policy attached.

Workaround:
When you create a new topology, and want to use an existing security policy, select the 'Use Existing' option from the security policy page and then select an existing security policy in the dropdown. You may also choose create a new security policy or not attach a security policy in order to avoid deploying an invalid topology.

Fix:
The issue is fixed. The security policy step in the topology wizard will require you to select a security policy when you opt to use an existing security policy.


799005 : A RADIUS user no longer automatically becomes a member of a previously created RADIUS user group

Component: REST Framework and TMOS Platform

Symptoms:
Prior to BIG-IQ version 8.0.0, all RADIUS users were automatically members of a BIG-IQ RADIUS user group with no authorization attributes.

Conditions:
Create a RADIUS authentication provider and a RADIUS user group with no authorization attributes.

Impact:
Beginning with BIG-IQ version 8.0.0, a newly created RADIUS user group must have at least one authorization attribute. Only users having all the group's authorization attributes will be members of the group.

After you upgrade to BIG-IQ 8.0.0 or later, any existing RADIUS user groups without any authorization attributes will contain no members. They will therefore serve no purpose. All existing RADIUS users will have no authorization to access BIG-IQ functionality through the default membership in a group.

Workaround:
Create a user group with the necessary authorization attributes to provide users with permissions granted by the roles the group is in. A user associated with the Administrator role can make these changes to the RADIUS authentication provider (user groups).

Fix:
N/A

Behavior Change:
Prior to BIG-IQ version 8.0.0, all RADIUS users were automatically members of a RADIUS user group with no authorization attributes.

Beginning with BIG-IQ version 8.0.0, a newly created RADIUS user group must have at least one authorization attribute. Only users having all the group's authorization attributes will be members of the group. After you upgrade to BIG-IQ 8.0.0 or later, any existing RADIUS user groups without any authorization attributes will contain no members. They will therefore serve no purpose. All existing RADIUS users will have no authorization to access BIG-IQ functionality through the default membership in a group.


795197-6 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Solution Article: K26618426


790469 : F5 secure shell vulnerability CVE-2020-5873

Solution Article: K03585731


737574-7 : iControl REST input sanitization

Solution Article: K20541896


737565-7 : iControl REST input sanitization

Solution Article: K20445457


726441 : Linux kernel vulnerabilities CVE-2017-9075,CVE-2017-9076,CVE-2017-9077

Component: REST Framework and TMOS Platform

Symptoms:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Conditions:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Impact:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Workaround:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Fix:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540


726327-4 : NodeJS debugger accepts connections from any host

Solution Article: K37111863


725047 : SNMP traps do not follow current best practices

Component: REST Framework and TMOS Platform

Symptoms:
SNMP traps do not follow current best practices

Impact:
SNMP traps do not follow current best practices

Fix:
SNMP traps now follow current best practices


718147 : Multiple Oracle Java Vulnerabilities

Component: REST Framework and TMOS Platform

Symptoms:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Conditions:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Impact:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Workaround:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Fix:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013


713061 : Linux kernel vulnerability CVE-2017-8824

Component: REST Framework and TMOS Platform

Symptoms:
For more information, pleaser see:
https://support.f5.com/csp/article/K15526101

Conditions:
For more information, pleaser see:
https://support.f5.com/csp/article/K15526101

Impact:
For more information, pleaser see:
https://support.f5.com/csp/article/K15526101

Workaround:
None

Fix:
For more information, pleaser see:
https://support.f5.com/csp/article/K15526101


712649 : OpenSSH vulnerability CVE-2016-10708

Solution Article: K32485746


702236 : CVE-2017-5753 (Spectre Variant 1)

Component: REST Framework and TMOS Platform

Symptoms:
For more information see: https://support.f5.com/csp/article/K91229003

Impact:
For more information see: https://support.f5.com/csp/article/K91229003

Fix:
For more information see: https://support.f5.com/csp/article/K91229003


682719 : CVE-2017-3735: OpenSSL Vulnerability

Solution Article: K21462542


680387 : Multiple Bash Vulnerabilities

Component: REST Framework and TMOS Platform

Symptoms:
* An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.
(CVE-2016-0634)

* An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543)

* A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)

Impact:
* An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.
(CVE-2016-0634)

* An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543)

* A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)

Fix:
This has been fixed in BIG-IQ 8.0, which uses bash v. 4.2.46-29, which is not vulnerable.

This fix resolves CVE-2016-0634, CVE-2016-7543, and CVE-2016-9401.


671934 : CVE-2017-3143: BIND zone contents may be manipulated

Component: REST Framework and TMOS Platform

Symptoms:
Please see the KB article for details:
https://support.f5.com/csp/article/K02230327

Conditions:
BIG-IQ system was NOT VULNERABLE in default, standard and recommended configuration. To be considered vulnerable, it must have allowed remote update with TSIG authentication configured in BIND. This configuration combination is not a default configuration.

Impact:
Zone contents may be manipulated

Workaround:
To mitigate this vulnerability, you can use BIND's access control lists (ACLs) that require both address range validation and use of TSIG authentication in parallel. For information about configuring this type of compound authentication control, refer to the Using Access Control Lists (ACLs) with both addresses and keys Internet Systems Consortium (ISC) article.

Fix:
This has been fixed in BIG-IQ 8.0, which uses BIND v. 9.11.8, which is not vulnerable.


671932 : CVE-2017-3142: TSIG authentication bypass in AXFR requests

Component: REST Framework and TMOS Platform

Symptoms:
See KB for details:
https://support.f5.com/csp/article/K59448931

An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name might be able to circumvent TSIG authentication of AXFR requests through a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into providing an AXFR of a zone to an unauthorized recipient accepting bogus NOTIFY packets.

Conditions:
BIG-IQ is not vulnerable in default, standard, and recommended configuration. To be vulnerable, BIG-IQ would have to be specifically configured bind for zones and allow zone transfers and TSIG security.

Impact:
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name might be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into providing an AXFR of a zone to an unauthorized recipient.
accepting bogus NOTIFY packets.

Workaround:
To mitigate this vulnerability, you can use BIND's access control lists (ACLs) that require both address range validation and use of TSIG authentication in parallel. For information about configuring this type of compound authentication control, refer to the Using Access Control Lists (ACLs) with both addresses and keys Internet Systems Consortium (ISC) article.

Fix:
This has been fixed in BIG-IQ 8.0.0, which uses BIND version 9.11.8, which is not vulnerable.


670786 : Linux kernel vulnerability CVE-2017-1000364

Solution Article: K51931024


623822 : BIG-IQ unable to identify non-floating Virtual Servers when importing LTM config

Component: BIG-IQ Local Traffic & Management

Symptoms:
When the configuration gets imported from the BIG-IP into the working config, non-floating Virtual Servers are converted into floating Virtual Servers.

Conditions:
-- Virtual Servers are assigned to non-floating traffic-
groups on BIG-IP.
-- BIG-IP configuration is imported into BIG-IQ

Impact:
Potential errors when deploying configurations with Change Management, given that there's a discrepancy between the working-config in BigIQ and the running-config of the devices.


605900 : lwresd and bind vulnerability CVE-2016-2775

Solution Article: K92991044


605579-6 : iControl-SOAP expat client library is subjected to entropy attack

Solution Article: K65460334



Known Issues in BIG-IQ CM v8.0.x


BIG-IQ Configuration - Local Traffic Issues

ID Number Severity Solution Article(s) Description
873917 4-Minor   iRules with extremely long names


BIG-IQ Device User Interface Issues

ID Number Severity Solution Article(s) Description
982301 3-Major   Bulk re-import fails to start, no error displayed
981649 4-Minor   Adding DCD on the primary BIG-IQ after auto failover succeeds, but generates an error in the UI


BIG-IQ Monitoring - Dashboards & Reports Issues

ID Number Severity Solution Article(s) Description
981225 3-Major   The SWG Summary dashboard does not load data when you have multiple BIG-IP devices selected
979377 4-Minor   Data may not display for OAuth reports in BIG-IQ
868577 5-Cosmetic   Phishing alerts with URI containing 'extended' ASCII chars are encoded incorrectly while forwarding to WebSafe


BIG-IQ Monitoring - Logs Issues

ID Number Severity Solution Article(s) Description
945389-2 3-Major   BIG-IQ doesn't not automatically send audit logs to remote syslog server


BIG-IQ Search Issues

ID Number Severity Solution Article(s) Description
827009 4-Minor   Sorting lists on a description column


BIG-IQ Access Issues

ID Number Severity Solution Article(s) Description
925161 2-Critical   Errors with Access Remote Logging configuration on BIG-IQ


BIG-IQ Local Traffic & Management Issues

ID Number Severity Solution Article(s) Description
990605 4-Minor   Tunnels created on BIG-IQ are not added to the default route domain of the other devices in the Device Service Cluster
966301 4-Minor   Issues when re-importing LTM service for BIG-IP devices in a cluster
918797 4-Minor   Sorting or filtering virtual servers objects on the Virtual Servers page


AppIQ Issues

ID Number Severity Solution Article(s) Description
996601-4 2-Critical   Virtual, Pool, Member and Node status might not show properly for Big-IP versions 15.x or 16.x
986761 3-Major   If DCD addition to CM fails then rollback may also fail
984877-1 3-Major   User with SSM custom role is not authorised to see DoS attack summary bar for Network and DNS attacks
984869-1 3-Major   User with RBAC permissions to a virtual server cannot see its TCP statistics
913329 3-Major   BIG-IQ analytics data retention policy and data aggregation may not work as expected
979205-1 4-Minor   Applications Page displays statistics for applications the user does not have permissions to view


BIG-IQ Configuration - Infrastructure Issues

ID Number Severity Solution Article(s) Description
973089 3-Major   Adding BIG-IP version 11.6 devices to BIG-IQ for management


BIG-IQ Device Management Issues

ID Number Severity Solution Article(s) Description
771397-2 3-Major   License Manager cannot license different devices with the same MAC address (public and private clouds)


BIG-IQ DNS Management Issues

ID Number Severity Solution Article(s) Description
990589 3-Major   DNS Sync Group shows "Waiting for initial data collection"
986121 3-Major   Cannot delete a GSLB server when there are prober pools on BIG-IQ but not BIG-IP
988117 4-Minor   State (on BIG-IP) field is visible when you create a new DNS Listener object


BIG-IQ SSL Orchestrator Issues

ID Number Severity Solution Article(s) Description
995641 4-Minor   Network traffic diagram does not display for ICAP services in BIG-IQ SSLO
809421 4-Minor   BIG-IQ unable to save layer 2 security service when you select the same source and destination VLAN
807253 4-Minor   The security policy devices overrides option is not visible when using an existing security policy to configure an SSLO topology


REST Framework and TMOS Platform Issues

ID Number Severity Solution Article(s) Description
991357 3-Major   Upgrades to BIG-IQ version 8.0.0 can sometimes fail and display: 500 INTERNAL SERVER ERROR
978817 3-Major   BIG-IQ DCD cluster upgrade from version before 6.0.1 to 8.0.0
942441 3-Major   A data collection device (not the quorum one) is removed from active after autofailover happened
924885 3-Major   Task failure with Error "Failed calculating configuration differences; reason: Difference operation failed" reported
893653 3-Major   Hierarchical privileges to unlock Security Objects are missing
985029 4-Minor   "/var partition information not found" during BIG-IQ upgrade from pre-8.0 to 8.0 or later
978809 4-Minor   Log entries in setupd.out have incorrect timezone offset.★
995837 3-Major   BIG-IQ displays the message "Waiting for BIG-IQ services to become available..." after upgrading to version 8.0.0★

 


BIG-IQ Web Application Security (ASM) Issues

ID Number Severity Solution Article(s) Description
991657 3-Major   ASM deployment evaluation with large scale might get stuck and eventually fail with OutOfMemory error
985305 4-Minor   ASM Policy comparison is not available for fine grained RBAC user
985301 4-Minor   Policy analyzer not authorized for a user with fine grained RBAC on policies
977701 4-Minor   Web Application Security Dashboard 500 Server Error following upgrade to 8.0


BIG-IQ Application Management Issues

ID Number Severity Solution Article(s) Description
986353 3-Major   creating AS3 application with internal virtual service in declaration fails
985077 3-Major   Data Transfer Service (DTS) docker service compressed logs may get deleted out of order after rotation
945545-1 3-Major   Permissions for Service Catalog Application roles after upgrading BIG-IQ
941357 3-Major   BIG-IQ AS3 application deployments fail with an invalid RPM error
987205 4-Minor   Multiple DTS services running with same preferred Beacon account delete applications in Beacon
985781 4-Minor   No scroll bar for the Application - ENVIRONMENT Configuration view
985113 4-Minor   DNS Virtual Server Name" is not displayed correctly when AS3 application is created with "template": "generic
955501 4-Minor   'L7 DDOS ATTACKS' not updating for Legacy applications

 

Known Issue details for BIG-IQ CM v8.0.x

996601-4 : Virtual, Pool, Member and Node status might not show properly for Big-IP versions 15.x or 16.x

Component: AppIQ

Symptoms:
The statuses of Virtual Servers, Pools, Pools Members and Nodes at the BIG-IQ LTM configuration tables might not show properly if there is BIG-IP version 15.X or 16.X, with DNS configured, discovered to this BIG-IQ.
There will be exception like this at the /var/log/appiq/agentmanager.log:
WARN c.f.a.a.e.B.BigIPEventNormalizer [lightning-pipeline-8] Unexpected exception (events: [Message{, timestamp=1611671524000, sourceMessage=SourceMessage:{time=1611671524, host=eolbva-devsvc01.example.com, source=bigip.tmsh.wideip_status, sourcetype=f5:bigip:status:iapp:json, wideip_name=/dev_airwatch/airmobiledev.gslb.example.com, dscName=eolbva-devsvc-DSC, ssgName=, dnsSyncGroupName=dev_dns_sync, availability_state=available, enabled_state=enabled, status_reason=Available, dscClusterName=, dnsSyncGroup=}, aggregationInterval=0}])
java.lang.ArrayIndexOutOfBoundsException: 1

Conditions:
For the bug to reproduced there must be number of conditions:
1. BIG-IP v15.X or 16.x discovered on BIG-IQ.
2. Managed BIG-IP has one or more Wide-IP configured to the DNS(GTM) configuration.
3. The user has enabled the the LTM status updates via DCD:
restcurl -X PUT /cm/adc-core/current-config/stats-refresh -d '
{ "isMonitorRunning": true,
"useAppIqDcd": true,
"pollingIntervalSeconds": 300 }'

Impact:
The user will not see the correct statuses of the LTM objects in the BIG-IQ LTM configuration tables and wide-ip statuses at in application dashboards for DNS application services (see Applications > APPLICATIONS).

Workaround:
There are 2 options to fix the statuses in BIG-IQ:
1. Switch the LTM status collection via DCD to off. The status will be collected by BIG-IQ directly. Note: this option may increase the CPU, see article K91114310 at support.f5.com.

2.Replace the analytics iApp RPM to fixed iApp.
Refer to the article about how to download a fixed RPM and install it on BIG-IQ.


995641 : Network traffic diagram does not display for ICAP services in BIG-IQ SSLO

Component: BIG-IQ SSL Orchestrator

Symptoms:
BIG-IQ SSLO users may be unable to view network traffic diagrams after deploying ICAP services to managed BIG-IP devices.

Conditions:
This issue occurs when BIG-IQ SSLO users deploy a ICAP service from BIG-IQ and click the Service Analytic Data button in the ICAP service configuration wizard.

Impact:
You will not be able to view network traffic information for a deployed ICAP service.

Workaround:
To see traffic information, go to the managed BIG-IP device that the ICAP service is deployed to. Navigate to SSL Orchestrator >> Configuration >> Services, and click 'Pool member status' for the ICAP service. Select the tab 'Statistics', and you will be able to see all traffic information for the ICAP service deployed to this managed BIG-IP device.


991657 : ASM deployment evaluation with large scale might get stuck and eventually fail with OutOfMemory error

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When running an evaluate and deploy for 10 devices, the system might stop responding causing the UI becomes non-functional. This is caused by too many objects loaded onto memory during the evaluation process.

Conditions:
Running an evaluate and deploy process for 10 devices. Each has
- 60 large ASM policies
- 250 virtual-servers
- 32GB RAM management console node.

Impact:
This might cause failure during verify-config stage of the evaluation. The overall impact affects large and full (not partial) deployments.

Workaround:
1. Conduct a partial deploy of the objects (ASM policies) you want to deploy to as many devices you wish, so long as the object count is less than 200.
2. Do a full deployment to maximum of 5 devices with similar configurations.
3. Using REST API, there's an option to skip the verify-config stage when starting an evaluation task. This will work if skipVerifyConfig:true is sent in the task body. This option is less recommended at the verify-config stage, but is important to verify features are deployable on the target devices.


991357 : Upgrades to BIG-IQ version 8.0.0 can sometimes fail and display: 500 INTERNAL SERVER ERROR

Component: REST Framework and TMOS Platform

Symptoms:
On rare occasions, during an upgrade, after the device (BIG-IQ console or DCD) is rebooted, when the user logs in to the device, the UI shows the error message "The system returned an unexpected error (500 INTERNAL SERVER ERROR)".

To further diagnose this problem, run:
tmsh list sys global-settings

The command will most likely return the error message:
"Unexpected Error: ltcfg error, can't load class, class:"system" error: can't load class definition from mcpd. This is most likely the result of a failure to load the base system configuration. To determine the root cause enter "tmsh load sys config" and include the output when the issue is reported."

If the 'ltcfg error' message displays, then this error most likely results from a failure to load the base system configuration.

Conditions:
Upgrade from to 8.0.0 leads to 500 INTERNAL SERVER ERROR

Impact:
The device/cluster upgrade can occasionally fail, which necessitates a workaround.

Workaround:
1. Log out of the BIG-IQ that you were using to perform the upgrade.
2. Use SSH to log in (as root) to the device that failed to upgrade (either CM or DCD).
2. Type "tmsh load sys config".
3. Type "bigstart restart setupd".
4. Log back into the device that failed and complete the upgrade.
5. If the upgrade failure happened during a DCD cluster upgrade, then after the failed device upgrades successfully, manually upgrade any DCDs in the cluster that have not been upgraded yet.


990605 : Tunnels created on BIG-IQ are not added to the default route domain of the other devices in the Device Service Cluster

Component: BIG-IQ Local Traffic & Management

Symptoms:
When BIG-IQ creates a tunnel on a managed device that belongs to a Device Service Cluster (DSC), it also adds the tunnel to that device's default route domain.
But when BIG-IQ replicates the tunnel to the other devices within a DSC, it does not add the tunnel to the route domain for those devices.

Conditions:
Use BIG-IQ to add a tunnel to a BIG-IP device that is a member of a DSC.

Impact:
If no further steps are taken, the next deployment to the cluster will fail.

Workaround:
Manually add the tunnel to the route domain of the other devices in the DSC.


990589 : DNS Sync Group shows "Waiting for initial data collection"

Component: BIG-IQ DNS Management

Symptoms:
BIG-IQ checks 7 pieces of information to determine if a DNS sync group is healthy or not. One of the pieces of information is broken due to a BIG-IP known issue.

In the Devices -> BIG-IP Clusters -> DNS Sync Groups UI, the sync group status is shown as "Waiting for initial data collection"

Conditions:
BIG-IQ manages BIG-IP devices running version 14.x.x or 16.x.x.

Impact:
This may give the user false positive status information.

Workaround:
Use the following three steps to double check if the DNS_Sync_Group is healthy or not.

1: Use the Rest API to check and find out what is not healthy:
GET https://{big-IQ}/mgmt/cm/dns/current-config/sync-group-health/{ID}

Due to this bug, you will notice the information below in the response.
{
   ...
  "code": "DEVICE_SERVICE",
  "color": "BLUE",
  "message": "Waiting for initial data collection"
   ...
}

2. Go to the BIG-IP device and check if the following 4 services are running:
          "mcpd", "gtmd", "big3d", "tmm"

For example, using the following Linux shell command shows the mcpd is running:
  # bigstart status |grep mcpd
  mcpd run (pid 7077) 233 days

3. If all 4 services are running on BIG-IP, it suggests that the issue reported is a false positive, and no action needs to be taken.


988117 : State (on BIG-IP) field is visible when you create a new DNS Listener object

Component: BIG-IQ DNS Management

Symptoms:
The State(on BIG-IP) field displays on the New Listener screen. Because the object does not exist on the BIG-IP yet, there is no state yet.

Conditions:
1. Click Configuration>DNS>Delivery>Create.
2. Note the State (on BIG-IP) field.

This field displays, even though there is no state on the BIG-IP because the object doesn't exist yet.

Impact:
Users could be confused by the appearance of this field, because it doesn't make sense to display it until the Listener has been deployed.

Workaround:
N/A


987205 : Multiple DTS services running with same preferred Beacon account delete applications in Beacon

Component: BIG-IQ Application Management

Symptoms:
Multiple DTS services running with same preferred Beacon account delete applications in Beacon.

Conditions:
Multiple DTS services are running with the same preferred Beacon account, each sending a different selectedApplicationNames list.

Impact:
Conflicting SelectedApplicationNames lists that are being sent to the same preferred beacon account will result in applications being removed from Beacon.

Beacon icons on application services may show as red, with instructions to check the logs. The Data transfer service logs indicate that applications have been removed from Beacon.

Workaround:
This functions as designed. Applications that are no longer present on BIG-IQ or that are not in a DTS's SelectedApplicationNames list will be deleted from Beacon. If you want to send application metrics for more than one set of applications you need to use a preferred Beacon account for each set of applications and specify it in the respective DTS's config file. To set up a preferred Beacon account: https://clouddocs.f5.com/cloud-services/latest/f5-cloud-services-Beacon-API.html#specify-preferred-account-header-in-a-multiple-accounts-divisions-scenario


986761 : If DCD addition to CM fails then rollback may also fail

Component: AppIQ

Symptoms:
DCD rollback is not reflected in the UI following an unsuccessful addition of a DCD.

Conditions:
In some cases when a new DCD is added and an error occurred, DCD rollback may fail and DCD and will still appear in the UI. Attempting to remove the added DCD from the UI fails.

This can occur when a DCD is added unsuccessfully. This may be an impact of system health issues,such as Elasticsearch connectivity problems, or Network health issues.

Impact:
Zombie DCD will appear in the UI although the added DCD failed.

Workaround:
1. Get f5-rest-id of the managed dcd, run from dcd:
# cat /config/f5-rest-device-id

2. Run from CM to manually to remove dcd from logging group:
# curl -XPOST localhost:8100/shared/resolver/device-group-remover -d '{"deviceReference": {"link": "https://localhost/mgmt/shared/resolver/device-groups/cm-esmgmt-logging-group/devices/{f5-rest-deive-id}"}, "command":"DELETE_DEVICE_FROM_GROUP"}'

3. Run log to troubleshoot root cause of DCD add failure.

4. Add DCD after troubleshooting root cause is solved.


986353 : creating AS3 application with internal virtual service in declaration fails

Component: BIG-IQ Application Management

Symptoms:
creating AS3 application with internal virtual service ("virtualType": "internal") fails.

Conditions:
app creation fails if declaration contains

"virtualType": "internal",

Impact:
The AS3 application can't be created.


986121 : Cannot delete a GSLB server when there are prober pools on BIG-IQ but not BIG-IP

Component: BIG-IQ DNS Management

Symptoms:
Cannot delete GSLB servers successfully.

Conditions:
A prober pool has been created on the BIG-IQ but not deployed to the BIG-IP.

Impact:
If there is a prober pool on the BIG-IQ that is not deployed to the BIG-IP, you cannot delete the GSLB server.

Workaround:
You can either create the prober pools on the BIG-IP or deploy them to the BIG-IP. You will then be able to delete a GSLB server.


985781 : No scroll bar for the Application - ENVIRONMENT Configuration view

Component: BIG-IQ Application Management

Symptoms:
There is no scroll bar in the Application -> ENVIRONMENT Configuration view.

Conditions:
For Service Catalog and Legacy Application Services, there is no scroll bar in the Application -> ENVIRONMENT, Configuration view

Impact:
User can not scroll in these screens.

Workaround:
N/A


985305 : ASM Policy comparison is not available for fine grained RBAC user

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Users with fine grained authorization on specific policies will not be able to access the policy comparison feature.

Conditions:
Steps to Reproduce:
1. Create a resource group with 2 policies
2. Create role of "web application security manager" + the resource group
3. Create a user with this role
4. Login with the user and go to Configuration > Security > Web Application Security > Policies.
5. Select two policies and click More.

Impact:
The Compare Policies option is not available.


985301 : Policy analyzer not authorized for a user with fine grained RBAC on policies

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Users with fine grained authorization on specific policies will not be able to access the Policy Analyzer feature.

Conditions:
1. create a resource group with 2 policies
2. create role of "web application security manager" + the resource group
3. create a user with this role
4. login with the user and go to Configuration > Security > Web Application Security > Policies.
5. Select a policy and then More. Select the Policy Analyzer option.

Impact:
The policy analyzer screen does not successfully load.


985113 : DNS Virtual Server Name" is not displayed correctly when AS3 application is created with "template": "generic

Component: BIG-IQ Application Management

Symptoms:
When an AS3 application is created from API with "template": "generic" in the AS3 declaration, the value of "DNS Virtual Server Name" under the Application Configuration tab appears in the following format: /<tenant_name>/<app_name>/ServiceMain, instead of the expected format: <app_name>

Conditions:
AS3 application is created from API with "template": "generic" and app_name instead of ServiceMain
Sample declaration is as follows:
"t_104197": {
"class": "Tenant",
"defaultRouteDomain": 0,
"dev1_dapi_fis_tp_dev_ally_com_443": {
"class": "Application",
"template": "generic",
"dev1_dapi_fis_tp_dev_ally_com_443_vs": {
"class": "Service_HTTPS",
"virtualAddresses": [
"10.47.67.78"
],
"virtualPort": 443,

Impact:
The DNS Virtual Server name in the Application Configuration tab is displayed in an unexpected format.


985077 : Data Transfer Service (DTS) docker service compressed logs may get deleted out of order after rotation

Component: BIG-IQ Application Management

Symptoms:
After the Data Transfer Service (DTS) runs for a few days, the logs go through rotation and compression. During rotation and compression a file(s) may get deleted out of order.

Conditions:
The docker Data Transfer Service has run for a few days, generating a large number of logs.

Impact:
Compressed rotated log file(s) may get deleted out of order.

Workaround:
Retrieve the missing data by checking the em* logs beneath /var/log directory.


985029 : "/var partition information not found" during BIG-IQ upgrade from pre-8.0 to 8.0 or later

Component: REST Framework and TMOS Platform

Symptoms:
When upgrading Data Collection Devices, an error "/var partition information not found" may be encountered.

Conditions:
This occurs when the Data Collection Device has partitions formatted using the ext4 file system. Typically ext4 is not used on BIG-IQ versions prior to 8.0, but if a BIG-IQ has upgraded to 8.0 or later, then downgraded to a pre-8.0 version, the partitions created during the downgrade will be ext4.

Impact:
Upgrading the BIG-IQ cluster using the UI will not work.

Workaround:
Installing an earlier version from a later version is not recommended. If you are in this situation, you may have to remove the Data Collection Devices, upgrade them individually, and then add them again.


984877-1 : User with SSM custom role is not authorised to see DoS attack summary bar for Network and DNS attacks

Component: AppIQ

Symptoms:
A user with an SSM custom role that contains a virtual server under DoS attack, of Network or DNS type, can't see the attack information in the per attack page under "Monitoring->DASHBOARDS->DDOS->Protection Summary".

Conditions:
A user assigned an SSM custom role with permissions to view a specific attacked SSM virtual server tries to view information for the virtual servers' DOS attack page from "Monitoring->DASHBOARDS->DDOS->Protection Summary".

Impact:
The user won't be able to view the summary information of the virtual server's DoS attack.

Workaround:
View the DoS attack information from an admin user login.


984869-1 : User with RBAC permissions to a virtual server cannot see its TCP statistics

Component: AppIQ

Symptoms:
A user with a strict custom role with LTM permissions for a specific virtual server, cannot see the virtual server TCP statistics
under Monitoring->DASHBOARDS->Local Traffic->TCP.

Conditions:
A user assigned a strict custom role with permissions to view a specific virtual server tries to view the virtual servers' TCP statistics under Monitoring->DASHBOARDS->Local Traffic->TCP.

Impact:
The user won't be able to view the TCP statistics for the virtual servers he is permitted to view.

Workaround:
View the virtual server TCP statistics from an admin user role.


982301 : Bulk re-import fails to start, no error displayed

Component: BIG-IQ Device User Interface

Symptoms:
When attempting to start a bulk re-import and re-discovery, the process does not start. No progress indicator or error dialog is shown.

Conditions:
This occurs when one or more of the BIG-IP devices selected for re-import has had its machineId changed in the past, often due to being RMAed or rebuilt.

Impact:
A Bulk Re-import and Re-discovery that includes affected BIG-IP devices will not work, but will silently fail to start.

Workaround:
The affected BIG-IP devices cannot be re-imported using the Bulk Re-Import and Re-Discover feature, but can be re-imported individually. Affected BIG-IP devices can be identified by querying the device state and looking at the fields "uuid" and "machineId". Affected devices have different values in these fields, while unaffected devices have identical values for the two fields.


981649 : Adding DCD on the primary BIG-IQ after auto failover succeeds, but generates an error in the UI

Component: BIG-IQ Device User Interface

Symptoms:
After the primary BIG-IQ in an auto failover HA configuration goes down and is recovered (but is still standalone), attempting to add a DCD on that primary BIG-IQ succeeds, but the following error appears:

"An error occurred while adding the Device.
Error: Failed to poll elasticsearch cluster health."

Conditions:
1. A BIG-IQ auto failover HA configuration fails over, and then the primary BIG-IQ is recovered, but is still standalone.

2. A DCD is added on the primary BIG-IQ.

Impact:
Unexpected and misleading error generated in the UI.

Workaround:
Running the clear-rest-storage command will enable adding the DCD without generating an error.


981225 : The SWG Summary dashboard does not load data when you have multiple BIG-IP devices selected

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Navigate to Monitoring >> Dashboards >> Access >> Secure Web Gateway >> Secure Web Gateway Summary. Select multiple BIG-IP devices from the device dropdown menu. The page does not load SWG statistics.

Conditions:
This issue will occur when you select multiple managed BIG-IP devices or all managed devices from the "ACCESS GROUP/DEVICE" dropdown on the SWG Summary dashboard.

Impact:
You will be unable to view SWG Summary data for multiple managed BIG-IP devices.

Workaround:
Enter the URL https://{YOUR_BIG_IQ_IP_Address}/ui/monitoring/dashboards/access/access-dashboard in your browser.

While you will be unable to generate a report of data from multiple BIG-IP devices, you can view data for BIG-IP devices one at a time. Select just one BIG-IP device in the "ACCESS GROUP/DEVICE" dropdown. You should be able to view SWG summary reports for multiple BIG-IP devices.


979377 : Data may not display for OAuth reports in BIG-IQ

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Navigate to Monitoring >> DASHBOARDS >> Access >> Federation >> OAuth and then select any of the OAuth reports.
Click on any widget in the dashboard with data.

Change the grant type to ROPC, and then change the grant type back to all grant types.

Navigate back to the parent dashboard. Select the widget again. No data displays on the drill-down dashboard.

Conditions:
When you change the grant type in the second level dashboards after you drill-down, you will see a message that says "No data available."

Impact:
You will be unable to view statistics for OAuth.

Workaround:
Select the values in the other dropdown such as "AUTHORIZATION SERVER" or "Client" to view the reports. Alternately, you can try reloading the page by clicking the reload button on the browser to fix the issue.


979205-1 : Applications Page displays statistics for applications the user does not have permissions to view

Component: AppIQ

Symptoms:
Since application and application service permissions are assigned separately to the user, using separate roles, it is possible to give a user permissions to view/manage application services but not to the application they are contained in.

In such a scenario, the user would not be able to see view the application and application aggregated statistics in the application page grid/tile view section. This is by design.
However, the user would be able to see, in the applications page summary bar, aggregated statistics for applications that contain application services which the user has permissions to see.

Conditions:
A user is assigned view/manage permissions for application services but is not assigned view/manage permissions for the application which contains those application services.

Impact:
The ability to view statistics for permitted application services from an application (application name) the user is not permitted to view.


978817 : BIG-IQ DCD cluster upgrade from version before 6.0.1 to 8.0.0

Component: REST Framework and TMOS Platform

Symptoms:
In BIG-IQ versions prior to 6.0.1, the device reboot timeout is set to 15 minutes, which may be insufficient for a DCD to reboot successfully. As a result, upgrading a BIG-IQ with DCD cluster from a version before 6.0.1 to version 8.0.0 might fail due to the DCD not coming up within the timeout.

Conditions:
Upgrading a BIG-IQ with a DCD cluster from a version prior to 6.0.1 to version 8.0.0.

Impact:
Upgrading a BIG-IQ with DCD cluster from a version before 6.0.1 to version 8.0.0 might fail.

Workaround:
Upgrade the BIG-IQ DCD cluster first to version 6.0.1, then upgraded to version 8.0.0.


978809 : Log entries in setupd.out have incorrect timezone offset.

Component: REST Framework and TMOS Platform

Symptoms:
The timestamps of the logs entries in setupd.out are expressed in local machine timezone, yet the offset is incorrectly set to "+0000", i.e., UTC.

Conditions:
Log entries written in setupd.out during setup.

Impact:
Timestamps in the setupd.out logs are misleading.

Workaround:
Interpret the timestamps of logs entries in setupd.out as expressed in local machine timezone.


995837 : BIG-IQ displays the message "Waiting for BIG-IQ services to become available..." after upgrading to version 8.0.0

Component: REST Framework and TMOS Platform

Symptoms:

When upgrading to version 8.0.0, BIG-IQ displays a spinner with a message, "Waiting for BIG-IQ services to become available..." and logs the following message in /var/log/bootstrap/bootstrap.out: "Database upgrade succeeded." The var/log/postgres/postgresql-.log displays the following:

ERROR: query string argument of EXECUTE is null
CONTEXT: PL/pgSQL function rbac_add_pattern(text,text,text,text[],boolean) line 108 at EXECUTE
STATEMENT: call rbac_add_pattern($1,$2,$3,$4,$5)



Conditions:
If the number of records for a single task in the BIG-IQ database grows past 100,000 and you attempt to upgrade to BIG-IQ version 8.0.0.

Impact:
BIG-IQ displays a spinner with a message: Waiting for BIG-IQ services to become available.

Workaround:
Examine all large tables and delete them before upgrading using the preUpgradeCheck script. The pre-upgrade script reports details about tables that need to be reduced in the "Checking large tasks record accumulations" section. For more information refer to https://support.f5.com/csp/article/K07869171


977701 : Web Application Security Dashboard 500 Server Error following upgrade to 8.0

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
In rare cases, following an upgrade from a BIG-IQ version 7.1 to 8.0 (latest build), the Web Application Security Dashboard might displays a 500 error.

Conditions:
Following a period of time that a system is shut off (several days), upgrade a UDF 7.1 (https://udf.f5.com/b/6c4de222-0225-4d18-a79a-eeceb09fbdcd#documentation) to version 8.0.

Go to the Web Application Security Dashboard (Monitoring > DASHBOARDS > Web Application Security).

Impact:
The system returns an unexpected error (500 Server Error). status:500, body:{"error":{"httpStatus":"INTERNAL_SERVER_ERROR","code":1002,"message":"INTERNAL_SERVER_ERROR: ElasticsearchStatusException[Elasticsearch exception [type=too_long_frame_exception, reason=An HTTP line is larger than 4096 bytes.]]","errorStack":[],"restOperationId":"0615d70c-8d06-444a-b5bb-e0d7ffe0ca55"}}

Workaround:
The workaround is to add this parameter to elasticsearch.yml on all devices - 'http.max_initial_line_length: 10mb' and then restart elastic search 'bigstart restart elasticsearch' on each device.


973089 : Adding BIG-IP version 11.6 devices to BIG-IQ for management

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
Attempting to add BIG-IP version 11.6 to BIG-IQ fails without an error.

Conditions:
Adding BIG-IP version 11.6 devices to BIG-IQ for management.

Impact:
BIG-IQ does not support BIG-IP versions 11.6 or earlier.

Workaround:
Upgrade the BIG-IP to version 12.1 or later and then add it to BIG-IQ.


966301 : Issues when re-importing LTM service for BIG-IP devices in a cluster

Component: BIG-IQ Local Traffic & Management

Symptoms:
When re-importing the LTM service for a BIG-IP device configured in a cluster, the re-import process does not succeed for all the devices in the cluster.

Conditions:
BIG-IQ is re-importing LTM configurations from a BIG-IP cluster that contains one or more LTM virtual servers that use an address list for the source or destination addresses.

Impact:
BIG-IQ reports import failure for some BIG-IP devices in the cluster. Consequently the configuration details for those devices on the BIG-IQ can be out of date.

Workaround:
1. On the Devices tab, click on the name of the BIG-IP device that failed to import.
2. Click the Services tab, and then try the re-import again.
   BIG-IQ should successfully import the service this time.


955501 : 'L7 DDOS ATTACKS' not updating for Legacy applications

Component: BIG-IQ Application Management

Symptoms:
In L7 security dashboard, 'L7 DDOS ATTACKS' under 'BLOCKED ATTACKS' counter will not be updated for virtual servers attached to a Legacy application service.

Conditions:
Have one or more virtual servers attached to a Legacy application service. Have an active blocked DDoS attack on one of these virtual servers.

Impact:
Lost information for Legacy virtual servers.

Workaround:
Detach virtual server from Legacy application.


945545-1 : Permissions for Service Catalog Application roles after upgrading BIG-IQ

Component: BIG-IQ Application Management

Symptoms:
After upgrading the BIG-IQ version, users assigned to the Service Catalog Application role might lose their permissions to applications.

Conditions:
Users assigned to the Service Catalog Application role, attempting to view a service application after upgrading BIG-IQ. The user gets an error message similar to the following: You are not authorized for Virtual Server (or Pool, and so forth) as a none-admin user.

Impact:
The user assigned to the Service Catalog Application role is unable to view application details and BIG-IQ displays an error.

Workaround:
To work around this issue, the BIG-IQ administrator can create an AS3 or Legacy Application Service and add the user to its Manager or Viewer role.


945389-2 : BIG-IQ doesn't not automatically send audit logs to remote syslog server

Component: BIG-IQ Monitoring - Logs

Symptoms:
After successfully installing or upgrading BIG-IQ, audit logs aren't successfully sent to the remote syslog server.

Conditions:
BIG-IQ is freshly installed or upgraded, and the remote syslog server is configured with the TCP or UDP option.

Impact:
Frequent messages like these appear in /var/log/restjavad.0.log:
{[cm/access/audit-logger AccessAuditLoggerCollectionWorker] Did not find own device , continue...
[/cm/global/audit-logger GlobalAuditLoggerCollectionWorker] Did not find own device , continue... }

Workaround:
After installing or upgrading BIG-IQ, restart the restjavad process with the following command:
bigstart restart restjavad
BIG-IQ will then successfully send audit logs to the remote syslog server.


942441 : A data collection device (not the quorum one) is removed from active after autofailover happened

Component: REST Framework and TMOS Platform

Symptoms:
After failover, the active device still has a monitor running on it. The data collection device goes offline and actively fences itself from the world. All data collection devices are removed.

Conditions:
This can occur when auto failover is enabled. The Active device has a data collection device (other than quorum) and it fails.

Impact:
All data collection devices are removed and they need to be manually added.


941357 : BIG-IQ AS3 application deployments fail with an invalid RPM error

Component: BIG-IQ Application Management

Symptoms:
After an upgrade, AS3 deployments from BIG-IQ produce an error similar to this: Invalid RPM: /usr/lib/dco/packages/f5-appsvcs/f5-appsvcs-3.19.1-1.noarch.rpm; validate global.appSvcs.rpmFilePath in /var/config/rest/config/restjavad.properties.json.

Conditions:
There is an rpmFilePath set in the /var/config/rest/config/restjavad.properties.json file that is no longer valid.

Impact:
AS3 Application deployment attempts fail.

Workaround:
Unless your BIG-IQ system requires a specific AS3 RPM version, the workaround is to simply remove the entire rpmFilePath entry from the /var/config/rest/config/restjavad.properties.json.

Removing this entry forces BIG-IQ to use the most recent version of the RPM in /usr/lib/dco/packages/f5-appsvcs.

If your BIG-IQ system requires a specific AS3 RPM version, you also need to copy the correct version of the RPM to /usr/lib/dco/packages/f5-appsvcs before BIG-IQ can use it to correctly deploy AS3 applications.


925161 : Errors with Access Remote Logging configuration on BIG-IQ

Component: BIG-IQ Access

Symptoms:
After you click the 'Configure' button on the Monitoring > DASHBOARDS >> Access >> Remote Logging Configuration page, you see the following text displayed under the 'Status' column:

"Failed - Failed to create Access-Remote-Syslog-Node-x.x.x.x"

Conditions:
This happens when a managed BIG-IP device is configured for ASM Remote Logging, and you attempt to configure Access Remote Logging on BIG-IQ using the following steps:

1. Navigate to the Monitoring >> DASHBOARDS >> Access >> Remote Logging Configuration.
2. Select the check box next to a managed BIG-IP device to enable remote logging on that device.
2. Click the 'Configure' button.

Impact:
Access Remote Logging remains in an error state.

As a result, Access Policy Manager (APM) logs will not aggregate in the BIG-IQ. APM logs are the primary source of data for Access dashboards and are used to record and monitor Access statistics.

The Access dashboards in BIG-IQ will fail to display data. For example,
Monitoring >> DASHBOARDS >> Access >> Access Summary displays "No Data Available" under the chart "Access Sessions Over Time."

Workaround:
You will need to reconfigure Access Remote Logging directly on the managed BIG-IP device.

For more information, follow the steps for configuring APM Remote Logging in the BIG-IP guide of the relevant version. For example, for BIG-IP version 15.1.0 devices, see

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-portal-access/logging-and-reporting.html

You might also need to enable two additional settings from the managed BIG-IP device using the below API calls.

1. Policy Tracing

    BIG-IP API : /mgmt/tm/sys/db/tmm.access.policytrace
    PATCH with { "value" : "enabled" }

Policy trace is a dB variable which, when enabled, logs policy trace messages on the managed BIG-IP device. This log message is used to generate Denied Reasons and Authentication Failure reports.

2. VPN Statistics

    BIG-IP API: /mgmt/tm/sys/db/vpn.logstats
    PATCH with { "value" : "enabled" }

VPN stats is a dB variable that needs to be enabled to received Bytes Transferred log message for VPN Sessions. These log messages are generated periodically.


924885 : Task failure with Error "Failed calculating configuration differences; reason: Difference operation failed" reported

Component: REST Framework and TMOS Platform

Symptoms:
When TokuMX database records are duplicated, any tasks involving those records may fail, resulting in error messages similar to "Error "Failed calculating configuration differences; reason: Difference operation failed". Depending on what records are duplicated, the error message may contain additional data or be slightly different.

Conditions:
The trigger for this condition is currently unknown. If a BIG-IQ is suspected to have duplicate records, two mongo queries should be run to search for duplicates in the working-config and current-config collections using the following procedure:

1. SSH to BIG-IQ
2. mongo
3. use bigiqDb
4. Search working-config
db.bigiqWorkingConfig.aggregate([{$match:{"_module":{$ne:"blablathisisnotamodule"}}}, {$group: { _id: {"_id": "$_id"},count: {$sum: 1}}}, {$match: {count: {"$gt": 1}}}])
5. Search current-config
db.bigiqCurrentConfig.aggregate([{$match:{"_module":{$ne:"blablathisisnotamodule"}}}, {$group: { _id: {"_id": "$_id"},count: {$sum: 1}}}, {$match: {count: {"$gt": 1}}}])

If a result of "{ "result" : [ ], "ok" : 1 }" is returned, the collection does not have any duplicate records.

If the result contains items like:
{
  "_id" : {
    "_id" : BinData(4,"Qqf2sdVLMACmniH6VXDeEw==")
  },
  "count" : 2
}
then the collection has duplicate records.

Impact:
Tasks involving the duplicate record are likely to fail with error messages similar to "Failed calculating configuration differences; reason: Difference operation failed". These tasks will likely fail in the CREATE_DIFFERENCE subtask.

Workaround:
If the affected BIG-IQ is in an high availability (HA) pair, run the queries to check for duplicates on the other BIG-IQ and if none are found, promote the unaffected BIG-IQ to primary (if not already) and overwrite the affected BIG-IQ's database with the unaffected BIG-IQ's version.

If the affected BIG-IQ is not in high availability (HA) or both high availability (HA) members are affected, either delete all database configuration and Discover/Import it or contact F5 Support to attempt targeted record deletion and re-import.


918797 : Sorting or filtering virtual servers objects on the Virtual Servers page

Component: BIG-IQ Local Traffic & Management

Symptoms:
When you sort the Virtual Servers on two columns ( 'Destination Port List' or 'Silo') BIG-IQ returns an error message similar to the following:

"The system returned an unexpected error (400 Bad Request). A pipeline processing error has occurred: ProtocolException (status:400, body:{"error":{"root_cause":[{"type":"query_shard_exception","reason":"No mapping found for [_value.destinationPortList] in order to sort on"

Conditions:
This happens when you navigate to the Configuration > LocalTraffic > Virtual Servers page and perform the following actions:

* Click a column to sort by a specific object.

* In the "Filter" search bar type the text you want to search for and press enter.

Impact:
You are unable to filter or find the objects as expected.


913329 : BIG-IQ analytics data retention policy and data aggregation may not work as expected

Component: AppIQ

Symptoms:
AppIQ/postaggregator logs are filled with memory exceptions (java.lang.OutOfMemoryError)

Location of log: var/log/appiq/postaggregator.log

Sample trace in log:

2020-05-07 00:10:15,010 ERROR c.f.a.a.TimeRangeAggregator [scheduling-1] Exception thrown while attempting to perform index aggregations java.lang.OutOfMemoryError: Java heap space

Conditions:
BIG-IQ configured to collect data.

Impact:
- The BIG-IQ disk space might fill up quickly, resulting in overall instability

Workaround:
Please follow below steps to expand JVM memory allocated to both post-aggregator service and the Elasticsearch instance on the CM.

For Elasticsearch instance on the CM:

1. vi /etc/biq_daemon_provision.json

2. edit the restjavad memory setting:

"big_iq": {
    "restjavad": {
      "active": true,
      "memory_allocation": {
        "SYS_4GB": "800m",
        "SYS_8GB": "3500m",
        "SYS_16GB": "6000m",
        "SYS_32GB": "12700m", -->>> change this to "9800m"
        "SYS_64GB": "20000m",
        "SYS_128GB": "20000m"
      },
      "new_ratio": {
        "SYS_32GB": "1"
      }
    },

3. edit the elasticsearch memory (the one under "big_iq")

 },
    "elasticsearch": {
      "active": true,
      "memory_allocation": {
        "SYS_4GB": "100m",
        "SYS_8GB": "200m",
        "SYS_16GB": "500m",
        "SYS_32GB": "1600m", -->>> increase this to "4000m"
        "SYS_64GB": "3200m",
        "SYS_128GB": "6400m"
      }
    },

4. bigstart restart restjavad

5. bigstart restart elasticsearch



For post aggregator service:

1. On the CM console start a SSH session

2. Edit the post-aggregator service config file
       /etc/bigstart/scripts/appiqpostaggregator

3. Change below line
       Old: MAX_JVM_HEAP=200m
       New: MAX_JVM_HEAP=1000m

4. Save the config file

5. Restart post-aggregator service
       bigstart restart appiqpostaggregator


893653 : Hierarchical privileges to unlock Security Objects are missing

Component: REST Framework and TMOS Platform

Symptoms:
Hierarchical privileges previously available to Security Manager and Network Security Manager to unlock UI objects in their areas are no longer present.

Conditions:
BIG-IQ user who is not an Administrator using the BIG-IQ administration console as follows:

-- Notices a 'lock' icon next to a configuration object (e.g., object1).
-- Browses to System :: Locked Objects
-- Expects to see the object1 listed with an option to 'Unlock' it.

Impact:
There is no object1 listed on the page.

Only users with Administrator roles are able to unlock objects locked by other users.

-- Security Manager is no longer able to unlock objects locked by Network Security Manager, Network Security Editor, or Network Security Deployer.

-- Network Security Manager is no longer able to unlock objects locked by Network Security Editor or Network Security Deployer.

Workaround:
None.


873917 : iRules with extremely long names

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
BIG-IQ cannot display iRules with very long names.

Conditions:
An iRule with an extremely long name.

Impact:
An iRule with an extremely long name is not displayed.

Workaround:
N/A.


868577 : Phishing alerts with URI containing 'extended' ASCII chars are encoded incorrectly while forwarding to WebSafe

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Alerts for phishing attempts, that contain a URI with extended ASCII characters, may not display properly in the BIG-IQ alert details.

Conditions:
- Configure a local BIG-IQ to forward alerts to the SOC dashboard.
- Generate alert with Greek letters in the URL field to be inserted to the BIG-IQ.
- Alert should arrive at SOC dashboard.

Impact:
The URL field displays at the SOC forwarded alert, contains incorrect characters.

Workaround:
None.


827009 : Sorting lists on a description column

Component: BIG-IQ Search

Symptoms:
When you sort on a description column on BIG-IQ screens that contain a list, BIG-IQ returns an error.

Conditions:
Sorting on a description column.

Impact:
You cannot sort on the description column.

Workaround:
None


809421 : BIG-IQ unable to save layer 2 security service when you select the same source and destination VLAN

Component: BIG-IQ SSL Orchestrator

Symptoms:
When you create a layer 2 security service in an SSLO topology, you will be unable to save the service if you select the same VLAN under the 'From BIG-IP' and 'To BIG-IP' in the 'Network Configuration' section.

Conditions:
This happens when you select the same VLAN under the section 'Default Properties - Network Configurations' when the VLAN field shows only one VLAN available to add to the security service.

Impact:
You cannot save the layer 2 service configuration or deploy it to a managed BIG-IP device.

Workaround:
If there is only one VLAN available for the l2 service configuration, do not select the same VLAN under both 'From BIG-IP VLAN' and 'To BIG-IP VLAN.' Log in to the managed BIG-IP device, and fill out the device-specific overrides under the 'Network Configuration' section, and create a new VLAN for the L2 service.


807253 : The security policy devices overrides option is not visible when using an existing security policy to configure an SSLO topology

Component: BIG-IQ SSL Orchestrator

Symptoms:
When you create a new SSLO topology, the 'Device Overrides' section is not visible in the security policy page when using an existing security policy.

Conditions:
This occurs whenever you try to create a new SSLO topology, choose the 'Using Existing' option in the security policy configuration page, and select a security policy which is already deployed to managed BIG-IP devices.

Impact:
You may not be able to view and modify device-specific security policy configurations when creating a new SSLO topology.

Workaround:
To view or edit device specific security policy configurations, you will need to configure device overrides outside of the SSLO topology wizard. From the 'Configuration' tab in BIG-IQ, navigate to 'SSL Orchestrator' >> 'Security Policies.' Select a security policy or create a new one and update the target BIG-IP devices or clusters if needed under the 'Target Members' section. View or edit device-specific configurations in the 'Device Overrides' section, save the security policy, and deploy the configuration to your managed BIG-IP devices.

When creating a new SSLO topology in the topology wizard, choose the 'Use Existing' to use the security policy you just configured.


771397-2 : License Manager cannot license different devices with the same MAC address (public and private clouds)

Component: BIG-IQ Device Management

Symptoms:
BIG-IQ does not issue licenses to different devices with the same MAC address

Conditions:
Different devices with the same MAC address (common in public and private clouds).

Impact:
License Manager cannot issue licenses.

Workaround:
N/A




This issue might cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************