Release Notes : F5 SSL Orchestrator Release Notes version

Applies To:

F5 SSL Orchestrator

  • 17.0.0
Release Notes
Software Release Date: 07/25/2022
Updated Date: 02/01/2024


This release note documents the version 10.1 release of F5® SSL Orchestrator™.

For SSL Orchestrator 10.0 Release Note, click F5 SSL Orchestrator Release Notes version 17.0.0-10.0.


Platform support

Important: The BIG-IP version number in the SSL Orchestrator RPM changed starting with RPM version 9.1. Uploading RPM version 9.1 or later through the SSL Orchestrator GUI while the BIG-IP is still running the 9.0 RPM causes an upload failure. If you are running the 9.0 RPM, install 9.1 or later using the iApps > Package Management LX menu. If you are running the 9.1 RPM or later, you can use either upgrade method. Refer to the article for more details.

To import the RPM package using the Package Management LX menu:

  1. Obtain the RPM upgrade file.
  2. Navigate to iApps > Package Management LX and click Import.
  3. Select the SSL Orchestrator 9.2 RPM package.
  4. Wait until the upload completes, then wait another 15 minutes for the reconciliation and upgrade processes to complete.
  5. Visit the SSL Orchestrator GUI to ensure the upgraded version is correctly reported.

SSL Orchestrator standalone base license is supported on the following platforms:

Platform name Platform ID
iSeries i2800 C120
iSeries i4800 C115
iSeries i5800 C121
iSeries i7800 C118
iSeries i10800 Discovery High C122
iSeries i11800 Discovery, i11800-DS Discovery Extreme C123, C124
iSeries i15800, i15820-DF Endeavour D116, D120
rSeries r2800 (supported only on BIG-IP 15.1.x / SSL Orchestrator 7.x) C130
rSeries r4800 (supported only on BIG-IP 15.1.x / SSL Orchestrator 7.x) C131
rSeries r5800, r5900 (supported only on BIG-IP 15.1.x / SSL Orchestrator 7.x) C129
rSeries r10800, r10900 (supported only on BIG-IP 15.1.x / SSL Orchestrator 7.x) C128


Chassis name Platform ID
VIPRION 4800 S101
VIPRION 4800 S100
VELOS CX410 F101
C2100 ---
VIPRION C2200 D114
C4400 J100
Note: SSL Orchestrator 10.1 requires BIG-IP version Refer to the Installing and Upgrading SSL Orchestrator section for installation and upgrade information.
Note: The supported platform information applies to the most recent release version.
Note: Search for supported Platform ID information that applies to Platform names.
High Performance F5 SSL Orchestrator Virtual Edition (VE) options:
  • 8 CPU
  • 12 CPU
  • 16 CPU
  • 20 CPU
  • 24 CPU
  • 16 GB RAM or greater
  • Large management provisioning
    Note: You must always set a large management provisioning.

If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:

  • URLF Filtering (subscription)
  • IPI (subscription)
  • Network HSM
  • Access Policy Manager (APM)
  • Advanced Firewall Manager (AFM)
  • Advanced Web Application Firewall (AWF)
  • Advanced Routing
  • Secure Web Gateway (SWG)

F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on:

  • Most Bourne series
  • Any iSeries
  • Any rSeries
  • Any VELOS
  • Any VE and HPVE

Guided Configuration browser support

The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:

  • Microsoft Internet Explorer 11.0, or later. Only 32-bit browsers are supported.
  • Mozilla Firefox 102.0, or later
  • Google Chrome 103.0.5060, or later

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.

New Features in SSL Orchestrator 10.1

F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.

Note: The Installing and Upgrading SSL Orchestrator section of this release note provides the details necessary for fulfilling any prerequisites and the required steps that streamline the process.

Enhanced Logging capabilities

The SSL Orchestrator connection summary logs now have enhanced capabilities to log new data such as Ingress/Egress VLAN, policy rule names, URL categories, TLS handshake status, reset causes, and connection failures. Previously, there was no way to identify which policy rule was taking effect and directing the traffic to the ending (allow or reject). Now, with the rule name logging in the summary logs, you can determine which rules reject, allow, abort, or bypass traffic making it easier to spot and troubleshoot problems.

iFILE Snapshot support

SSL Orchestrator now supports a Snapshots utility that lets you create a backup copy of your deployed configurations. You can preserve your existing configurations as an iFILE and provide yourself with a restore point. The Snapshot feature lets you freely experiment with configuration settings and restore your backed-up configurations quickly when required.

Office 365 Tenant Restrictions as a service

SSL Orchestrator 10.1 now offers Office 365 Tenant Restrictions within the SSL Orchestrator interface, specifically in the F5 tab as part of the Solutions Catalog. This update enables organizations to control their users' access only to the company Office 365 resources while blocking access to personal/non-company Office 365 resources. The SSL Orchestrator inserts Microsoft "Tenant-Restriction" HTTP headers into outbound HTTP flows and provides a mechanism to allow or deny access to O365 resources based on organizational requirements.

Office 365 URL categorization

SSL Orchestrator now allows you to create a schedule to fetch O365 URLs and add fetched data to custom URL categories/data groups according to their specifications. You can attach the URL category to an SSLO security policy to dictate which traffic will be inspected or bypassed and then deploy the policy to managed BIG-IP devices.

Security Policy enhancements

The SSL Orchestrator Security Policy step now has the following enhancements when creating a new rule:

  • A new drop-down list contains the "is" and "is not" operators to compare or negate your specified condition. Previously, you could configure rules having search/filter conditions with the "is/are" or "contains" operator. With this release, you can use the "is not" operator that can negate your selected conditions into "is not"/"are not" and "not contains."
  • A new condition, "IP Protocol," lets you match the SSL traffic based on Internet Protocols such as TCP and UDP.
  • With the new "Bypass (Client Hello)" setting in SSL Proxy Action, you can bypass traffic on certain conditions without triggering the TLS handshake. However, the SSL conditions such as "Server Certificate (Issuer DN, SANs, Subject DN)" and "Category Lookup (All)" do not have this setting enabled.


Note: The following bugs are applicable to the SSL Orchestrator iAppLX (UI and BIG-IP configuration automation) and not BIG-IP (SSL Orchestrator traffic processing). Refer to the corresponding BIG-IP release notes for further detail about your version.
ID number Description
1088489 When the Office365 configuration is deleted from the command line using the full uninstall feature of the Python script and created again, the URL Category IDs change. There was no help text to inform the user of the next steps if this happens. Now, a help text informs the user when they uninstall categories from the command line that they would need to redeploy the security policy if it uses any of those categories.
1101609 Previously, restarting restnoded after the upgrade restarted the upgrade process. This happened because the version number in the network block was not updated during the upgrade process triggering the upgrade process again. This issue is fixed, and the version number is now updated after the upgrade.

Workaround: After the upgrade is complete, inspect the blocks via the iControl REST endpoint /mgmt/shared/iapp/blocks. If any block is not updated with the correct version number, patch the block with the correct version number. The correct version number can be derived from the RPM name. For example, if the RPM name is f5-iappslx-ssl-orchestrator-17.0.0-10.0.144.noarch, then the version number is "10.0".

Known issues

ID number Description
738086 When a base configuration is reloaded, the box is reset, and VLANs are removed. To create network objects, at least one VLAN is required.

Workaround: Manually create a VLAN if no VLAN is present.

739549 When choosing to deploy L2 outbound and L2 inbound deployment modes, the user can configure a default gateway under System Settings.

Workaround: Gateway and SNAT settings are globally configured but ignored for L2 deployments.

755037 If there is an intermittent static state of any iAppLX application, it takes 2 minutes for REST storage to get replicated on the secondary blade. Therefore, the changes will be lost if you modify and deploy a config during this period.
759592 HTTP traffic cannot pass when SSL Orchestrator is configured in Inbound mode. For example, if you configure a virtual with any policy, the HTTPS traffic successfully passes, but the HTTP traffic fails. On the server side, the BIG-IP sends a client "Hello" on port 80 to the server, where it should instead send a plain text GET request. This causes the failure.
788477 Occasionally, on lower-end platforms, deployments of SSL Orchestrator may fail with the following error:

"Operation to the configProcessor timed out after waiting 30 seconds. Please increase the timeout or contact the iApp writer for further instructions."

This can occur with the default provisioning of the management module on low-end platforms (e.g., 2600, 2800, 4800).

Workaround: Change the provisioning of the system to 3G manually.

tmsh> modify sys db provision.extramb value 3000

814245 When you refresh the high availability (HA) status pages of both devices simultaneously, the 'Overall Status'/'Peer HA Verification response' may be displayed as bad even though it is good.

Workaround: Click the Refresh button after a while (around 10 seconds), and the status page will show "good" if everything else is working fine.

830781 When downgrading one device after an upgrade was performed, the High Availability (HA) status page may show the wrong BIG-IP version for that device. For example, after two HA devices upgrade to BIG-IP 15.1.0 and SSL Orchestrator 7.0, if the user downgrades one of the devices back to 14.x.x and SSL Orchestrator 5.x, the other device's HA status page (introduced in 7.0) may show the wrong BIG-IP version for the downgraded device. For the 15.1.0-7.0 device, the framework gives SSL Orchestrator the wrong BIG-IP version for its peer.

Workaround: Re-establish HA from scratch. In addition, upgrade the downgraded device to the same version as its peer.

833209 SSL Orchestrator non-L2 Wire VLAN is filtered out on the Interception Rule screen. For the L2 wire box for L2 topologies, all the VLANs that are not virtual wired enabled are filtered out. This occurs when the following conditions are met:
  1. The BIG-IP system is L2 virtual wire enabled.
  2. You are trying to deploy an L2 topology.
  3. The VLAN is not virtual wire enabled.
As a result, you cannot select the non-virtual wired enabled VLANs on Interception Rules for the L2 wire box.

Workaround: None. This is as-designed functionality. For L2 deployment, only virtual wire-enabled VLANs should be used, so other VLANs are getting filtered out.

835469 When you upgrade SSL Orchestrator from any 5.x and 6.0 version to 6.1 and higher, policy upgrade fails with the following error:

Operation to the configProcessor timed out after waiting 120 seconds. Please increase the timeout or contact the iApp writer for further instructions.

Workaround: Before installing the new ISO and before booting into the new partition, make sure there is no Orchestrator block (entry which contains sslo_ob text) in pending, deployed and error state. If there is any block then delete it using the iApps > Application Services > Applications LX menu.

852921 Certain Viprion chassis, combined with certain blade models with a minimal MAC address pool, do not support inline L2 devices. These particular chassis and blade combinations may result in duplicate source and destination MAC addresses and no traffic flowing to the configured inline L2 services. For example, the following chassis and blade combinations are impacted by this issue: B2250 blade on 2400 chassis; B4300 blade on 4800 chassis; B4450 blade on a 4480 chassis. For further information, review the details provided in the MAC address assignment for interfaces, trunks, and VLANs (11.x and later) article.
869677 When the SSL Orchestrator configuration upgrade is pending due to blade high availability (HA) state, and you reset the device trust, the upgrade process resumes and starts deploying the SSL Orchestrator configuration. If device trust is reset, the device becomes a standalone device and triggers the pending configuration upgrade.
872969 When a strictness-disabled configuration is modified, and the Preview Merge Config button is clicked, followed by the Cancel button, it takes you back to the main page. It shows the Strictness icon enabled, irrespective of the true status.

Workaround: You can either deploy or delete the pending configuration to see the actual state of the Strictness field.

873173 SSL Forward Proxy does not mirror the forged Online Certificate Status Protocol (OCSP) responses to the session database on the standby high availability (HA) device. As a result, the OCSP Responder on the BIG-IP system cannot respond to out-of-band OCSP requests right after a failover event occurs and before the SSL handshake is performed with the backend server.

Workaround: The OCSP responses succeed after the new active device performs an SSL handshake to the backend server, which would then re-forge and cache the server certificate and status.

876341 You cannot delete MCP objects inside an app service folder when the folder name has been deleted. For example, the ssloN_name has been removed, but the self IP under the ssloN_name app service folder was still there.

Workaround: Create the app service and delete it again.

876585 Modifying iRule on virtual in TMUI does not trigger the proper reconciliation for the SSL Orchestrator UI's Interception Rule page or potential topology page.

Workaround: Click the update button for the virtual server on TMUI, which will trigger a quick reconciliation.

889621 When you restore the SSL Orchestrator UCS on only one device in the high availability (HA) configuration and then try to sync the configuration, the operation does not complete successfully. This happens when an SSL Orchestrator HA configuration UCS is restored and synced on only one device. Configuration does not sync on the peer device.
Workaround: Restore the UCS on both units. Each unit should have its own UCS file.
Note: Do not use the same UCS file to restore on both units unless the UCS is generated using RMA steps.
892489 SSL Orchestrator deployed configuration ends up in an error state after deployment or after upgrade if restnoded or restjavad re-starts during the process.

Workaround: Redeploy the configuration.

892497 SSL Orchestrator deployment failure and timeout due to high CPU usage. SSL Orchestrator fails to deploy if a deployment is created when CPU usage is very high. Often this ends up in deployment timeout.

Workaround: Redeploy the configuration.

897109 During certain transitory conditions involving the REST framework (for example, UCS backup/restore), when the REST framework is being restarted, the BIG-IP SSL Orchestrator user interface may become temporarily unavailable or have limited functionality. For example, deploying an SSL Orchestrator topology may result in a "URI path not registered" error.

Workaround 1: Refresh the SSL Orchestrator configuration page in the BIG-IP user interface.

Workaround 2: Exit the SSL Orchestrator configuration page in the BIG-IP user interface, and then access the SSL Orchestrator configuration page again before attempting to deploy.

898993 When deploying the SSL Orchestrator after restarting restnoded, a 'RestOperation failed' message appears in the log.
903465 If there is an intermittent static state of any iAppLX application, it will take 2 minutes for REST storage to get replicated on the secondary blade. If you modify SSL Orchestrator or any iAppLX application during that time, the configuration changes are lost. You may also get an error: [OrchestratorConfigProcessor] Deployment failed for Error: Unable to PATCH block from BINDING to BINDING state. Saved configuration and failover events occur before REST can replicate the state to a secondary blade. You must make your changes again.
903885 The SSL Orchestrator configuration does not appear on the high availability (HA) standby device when the configuration is pushed from the active device. When the Active peer is forced to standby in a HA group, the alternate active HA peer will display an empty SSL Orchestrator configuration page. The new active device correctly processes the SSL Orchestrator traffic, but the related configuration is unavailable in the web user interface.
Workaround: Run the following commands in the active device's terminal to address the issue:
  1. Delete HA sync (gossip) group device references in the REST framework:

    restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices

  2. Force REST gossip/sync to update device references:

    restcurl -X POST -d '{}' tm/shared/bigip-failover-state

904141 SSL Orchestrator: On vCMP chassis Blade failover during upgrade or deployment may cause deployment or upgrade failure. On vCMP chassis, when blade failover occurs during an SSL Orchestrator RPM upgrade or SSL Orchestrator configuration deployment, the upgrade and deployment may end up in an error state.

Workaround: Re-deploying the non-upgraded configuration or configuration in error will resolve the problem.

905113 In a rare scenario, some configs are duplicated after the RPM upgrade in a high availability (HA) environment.

Workaround: Delete the SSL Orchestrator config and make sure it gets deleted from all the devices in the HA environment.

906017 SSL Orchestrator's high availability (HA) pair is in an incorrect state after license reactivation. When HA peers have both licenses expire and reactivate, the Active unit reports an error.

One or more SSL Orchestrator configurations are in an incorrect state. Look for errors in /var/log/restnoded/restnoded.log for corrective action to those configurations before making additional changes to avoid further errors.

Workaround: Run the following command:

restcurl -X POST -d '{"resetDevices": true}' /mgmt/shared/iapp/f5-iappslx-ssl-orchestrator/ha-remediation

If this does correct the issue, you must delete and rebuild the device group.

907605 Upgrading the non-strict SSL Orchestrator application to 8.0 does not trigger out-of-band change reconciliation. In v8.0, certain out-of-band changes that are reconcilable to the SSL Orchestrator GUI are reconciled, except for applications that are non-strict before the upgrade. Modifying such configurations using the SSL Orchestrator GUI might overwrite the out-of-band change.

Workaround: Click the Update button in the GUI for each non-strict application object with an out-of-band change. To ensure the change, review each object (primarily virtual servers, pools, and SSL profiles that have a greater impact).

913469 Creating a new Rule or editing the Client IP Subnet Match rule in Security Policy sometimes results in the "Rules are currently non-editable" error.

Workaround: Reload the Security Policy page.

947249 SSL Orchestrator configured for high availability (HA) with manual config sync goes to an error state when a reverse ConfigSync is done after a delete or deploy operation.
  • For delete operation: Trigger the delete on both devices.
  • For config deployment: Sync the latest changes to the peer device.
957577 SSL Orchestrator has a protect/un-protect mechanism that allows administrators to modify the APM per-request policy derived from the security policy. Modification and re-protecting the config can sometimes fail if agents have been added or removed from the policy.
966013 When you change the description of a virtual server created by an SSL Orchestrator deployment and then upgrade to the next version of RPM or ISO, the changed name does not get updated on the Interception Rules page.
Workaround: Perform the following steps:
  1. Navigate to SSL Orchestrator > Configuration and click on the Interception Rule tab.
  2. Change the description in the Interception Rule.
  3. Deploy the Interception Rule.
966361 When config sync is triggered after an operation in the SSL Orchestrator GUI, if you overwrite the configuration from the peer box, causing reverse sync, the configuration is lost.
Important: Always initiate ConfigSync from the device on which you deleted the configuration to the peer devices. Syncing the other way would result in undesired consequences.
969209 SSL Orchestrator configuration page shows the following warning message if the UCS files within a failover device group do not contain the same shared blocks. This prevents modifications of SSL Orchestrator configurations.

Loading SSL Orchestrator Configuration. Any configuration changes are not allowed till configuration is fully loaded.

Workaround: Ensure that UCS files are created on each device within the failover device group at the same time after both devices are in sync.

974945 The BIG-IP system upgrades the configuration to a newer version when you upgrade the SSL Orchestrator RPM. If this upgrade process is interrupted by a restnoded or restjavad restart, the upgrade fails with an error.

Workaround: Complete the following steps:

  1. Navigate to iApps > Application Services > Applications LX. Delete objects in error (red) state.
  2. Perform config sync if required.
  3. Navigate to SSL Orchestrator > Configuration and click Upgrade SSL Orchestrator on the top right.
If the above steps do not work, upgrade SSL Orchestrator again.

In the high availability (HA) manual sync mode, when the user deletes the configuration on one device and tries to sync the configuration on a peer device, the operation does not complete successfully. This is because the configuration does not get deleted on the peer device.

Workaround: After deleting the configuration from one device, wait for 30 seconds before trying config sync on a peer device. If you already triggered the config sync and the configuration did not sync, delete the configuration from the peer device manually and start config sync again.
995829 Clicking on the Fix Issue Manually link in the high availability (HA) screen of SSL Orchestrator fails to open the login screen of the affected device.

Workaround: Use the help text and help icons in the high availability (HA) screen to get assistance on fixing issues.


Upgrade fails with the following error when you create different topologies and redeploy them with cross-references of objects from other topologies:

Unable to complete the cleanup. You must resolve the error (if any), delete the iApp blocks in error state (if any) from the iApps menu on the left hand side and perform CMI sync. Then resume the upgrade process: click Upgrade.

Workaround 1: Complete the following steps:

  1. Remove the circular dependencies using the TMUI or TMSH commands.
  2. Navigate to SSL Orchestrator > Configuration and click Upgrade SSL Orchestrator on the top right.

Workaround 2: Complete the following steps:

  1. Boot back to the earlier partition.
  2. Remove the circular dependencies.
  3. Install a new ISO.
  4. Boot into the new partition.
  5. Navigate to the SSL Orchestrator menu.
1024417 Following the deployment of a topology, if an administrator modifies the associated Virtual Server under Local Traffic so that the source or destination is set to an address list in place of a host, traffic will continue to pass based on the addresses contained within the address list. As of 16.1.0, the SSL Orchestrator Guided Configuration allows changes to deployed objects without the administrator disabling strict updates. In some, within the Interception Rule of the Guided Configuration, the Source Address will show incorrectly as and Destination Address as %0/0, and the field will show the following error:

IP address with must CIDR prefix or optional Route Domain between 0 to 65534 Required.

Workaround: To clear the destination field error from the interception rule, the admin needs to set host addresses in place of address lists within the Virtual Server under Local Traffic. Once address lists have been replaced by host addresses within the virtual, any subsequent address changes can be made from the SSL Orchestrator Guided Configuration.

1025317 For the master key used for securing restricted attributes in SSL Orchestrator, if the BIG-IP system loses the master key or if the master key gets changed, the system cannot retrieve decrypted values. In addition, editing an old configuration might fail due to an incorrect key for already-decrypted values.

Workaround: Delete the deployed configuration and create it again.

1031745 For SSL Orchestrator running versions 8.0 through 8.3, attempting to upload the version 8.4 RPM using the SSL Orchestrator UI gives a validation error.
Workaround: Complete the following steps to upload the RPM:
  1. Navigate to iApps > Package Management LX.
  2. Click Import.
  3. Click Choose File and select the 8.4 RPM.
  4. Click Upload.
1033113 The SSL Orchestrator iApp does not support editing, deleting, or deployment of multiple items in a configuration.
1038373 In the security policy configuration page of SSL Orchestrator UI, editing a rule with the condition "ip subnet match" with a data group value does not show the correct input field.

Workaround: Delete and re-create the rule.


When you unbind SSL from the Interception Rules and attempt to delete that configuration, you get an error message that the SSL is used in the topology.


The topology is outbound/explicit.

Interception rules are updated via the Interception Rules mini workflow.

Workaround: In the Topology flow, unbind SSL from the Interception Rules step and then deploy. Use the delete button to delete this SSL from the SSL Configuration list.
1044685 The BIG-IP version number in the SSL Orchestrator RPM changed starting with RPM version 9.1. Uploading RPM version 9.1 or later through the SSL Orchestrator GUI while the BIG-IP is still running the 9.0 RPM causes an upload failure with the following error message:

Cannot install f5-iappslx-ssl-orchestrator-16.1.1-9.1.23.noarch.rpm, package version should be 16.1.0-x.x.x and higher than 16.1.0-9.0.24

Workaround: If you are running the 9.0 RPM, please install 9.1 or later versions using the iApps > Package Management LX menu. If you are running 9.1 RPM or above, you can use either upgrade method.
Perform the following steps to install using the Package Management LX menu:
  1. Navigate to iApps > Package Management LX and click Import.
  2. Select the SSLO 9.2 RPM package.
  3. Wait until the upload completes, then wait another 15 minutes for the reconciliation and upgrade processes to complete.
  4. Visit the SSL Orchestrator GUI to ensure the upgraded version is correctly reported.
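
The version rules in the workaround for ID 1101609 (block version derived from the RPM name) and in IDs 1031745 and 1044685 (which upgrades must go through Package Management LX) can be checked before an upgrade with a small script. This is an added example, not F5 code: the function names and return labels are illustrative, the 9.0 RPM file name is reconstructed from the version quoted in the error message above, and the 8.x file names are constructed.

```python
import re

# RPM naming as it appears in these release notes:
#   f5-iappslx-ssl-orchestrator-<BIG-IP version>-<major>.<minor>.<build>.noarch[.rpm]
RPM_RE = re.compile(
    r"^f5-iappslx-ssl-orchestrator-"
    r"(?P<bigip>\d+\.\d+\.\d+)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<build>\d+)"
    r"\.noarch(?:\.rpm)?$"
)


def parse_rpm_name(name):
    """Split an SSL Orchestrator RPM name into its version components."""
    m = RPM_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not an SSL Orchestrator RPM name: {name!r}")
    return {
        "bigip": m["bigip"],                         # e.g. "17.0.0"
        "sslo": (int(m["major"]), int(m["minor"])),  # e.g. (10, 0)
        "build": int(m["build"]),                    # e.g. 144
    }


def block_version(name):
    """Version string each iApp block should carry after upgrade (ID 1101609)."""
    major, minor = parse_rpm_name(name)["sslo"]
    return f"{major}.{minor}"


def upload_method(installed, target):
    """Return which upload path these release notes allow for an upgrade.

    'package-management-lx' : GUI upload is documented to fail
    'either'                : installed RPM is 9.1 or later
    'unspecified'           : the release notes do not cover this pair
    """
    cur = parse_rpm_name(installed)
    new = parse_rpm_name(target)
    if (new["sslo"], new["build"]) <= (cur["sslo"], cur["build"]):
        raise ValueError("target RPM is not newer than the installed RPM")
    # ID 1044685: running 9.0, uploading 9.1 or later through the GUI fails.
    if cur["sslo"] == (9, 0) and new["sslo"] >= (9, 1):
        return "package-management-lx"
    # ID 1031745: running 8.0 through 8.3, uploading 8.4 through the GUI fails.
    if (8, 0) <= cur["sslo"] <= (8, 3) and new["sslo"] == (8, 4):
        return "package-management-lx"
    if cur["sslo"] >= (9, 1):
        return "either"
    return "unspecified"


if __name__ == "__main__":
    # RPM names: the first two appear in these notes, the third is
    # reconstructed from "16.1.0-9.0.24" in the error message.
    rpm_10_0 = "f5-iappslx-ssl-orchestrator-17.0.0-10.0.144.noarch"
    rpm_9_1 = "f5-iappslx-ssl-orchestrator-16.1.1-9.1.23.noarch.rpm"
    rpm_9_0 = "f5-iappslx-ssl-orchestrator-16.1.0-9.0.24.noarch.rpm"

    print("expected block version:", block_version(rpm_10_0))
    print("9.0 -> 9.1 :", upload_method(rpm_9_0, rpm_9_1))
    print("9.1 -> 10.0:", upload_method(rpm_9_1, rpm_10_0))
```
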
1048393 After upgrading SSL Orchestrator to version 9.1, some temporarily created client and server SSL profiles are left behind on the device and are not deleted during the upgrade delete/cleanup process.

Workaround: Run the following TMSH commands to delete these profile copies:

tmsh delete ltm profile client-ssl copy-ssloT*

tmsh delete ltm profile server-ssl copy-ssloT*

1049753 The HTTP traffic for Inbound application topology fails after upgrading to version 9.1 when interception rules have attached SSL profile(s).

Workaround: Manually remove the SSL profile(s) from the interception rule and redeploy the inbound topology.

1050205 For an Inbound topology, when a service is port re-map enabled and attached to the server chain, re-deployment fails with an error when you remove the SSL profiles from the Interception Rule page. This happens because Port Remap requires the Client SSL profile to function.

Workaround 1: When removing the SSL profile from the Interception Rule page, remove the Port Remap along with it. This is a temporary solution.

Workaround 2: Turn off Port Remap on service or disengage it from the policy or service chain.

1055389 When SSL Orchestrator is deployed in a HA configuration where Virtual Wire is in use, and the associated Network Trunks have LACP enabled, the traffic fails to pass following an upgrade from 15.1.x to 16.1.x.

Workaround: Disable LACP on all Network Trunks used by Virtual Wire before upgrading from 15.1.x to 16.1.x.


For HA devices, sometimes manual sync fails, and the config-sync icon in the upper left of the configuration utility turns red, displaying the status "Changes Pending." In such scenarios, it is crucial to initiate ConfigSync from the device on which you performed the SSL Orchestrator operation to the peer device. Do NOT sync from the device that does not have the SSL Orchestrator operation running.

Important: Syncing the incorrect way would result in undesired consequences.
1062625 When using BIG-IP 16.1.1 and SSL Orchestrator 9.2, if the devices have the same RPM, any attempt to deploy a topology results in the following error in the restnoded.log: [RestOperationDispatcher] 'shared/iapp/f5-iappslx-ssl-orchestrator/sgc-status' not found.

Workaround: Restart restnoded using the following command:

bigstart restart restnoded restjavad
1063589 The iRule does not get attached to the virtual server created for L2 Outbound topology with Custom Interception Rule. The HTTPS traffic passes when an iRule is not attached, but HTTP traffic fails.

Workaround: Navigate to SSL Orchestrator configuration UI and attach the iRule manually.

1070245 With a Secure Web Gateway (SWG) subscription, you can configure Response Analytics and Request Analytics actions in the BIG-IP visual policy editor. Support for these agents is not available in SSL Orchestrator.

Workaround: You can use the F5 Secure Web Gateway service for this requirement. The SWG service was supported starting from SSL Orchestrator 9.0. To use the SWG service:

  1. Create a per-request policy for SWG that uses Request Analytics and Response Analytics agents in VPE.
  2. Create a topology and add the SWG service in the Service Properties page.
  3. Attach the per-request policy.
1079765 SSL Orchestrator upgrade to 9.x and above fails when the ASM policy is used in the virtual servers created by SSL Orchestrator.
Workaround: Perform the following steps:
  1. While still on the older software version, take a user configuration set (UCS) backup.
  2. Remove the attached ASM policy and logs for the SSL Orchestrator-created virtual server. This can be done by navigating to Local Traffic > Virtual Servers: Virtual Server List > ssloS_<Virtual Name> > Security tab and selecting Disabled for Application Security Policy and Log Profile.
  3. Click Update.
  4. Do this for all the SSL Orchestrator-created virtual servers with ASM policy and logs attached.
  5. If the BIG-IP system is configured for high availability (HA), perform a configuration sync to replicate the changes to all devices.
  6. Install the new ISO. Refer to the Update or Upgrade the F5 SSL Orchestrator chapter in the BIG-IP update and upgrade guide for upgrade steps.
1085805 The UCS restore process with SSL Orchestrator deployment fails due to multiple iFiles. This happens because the UCS restore process does not clean up the existing iFile belonging to the SSL Orchestrator. On restore, the BIG-IP system contains two iFiles, one created as a part of the UCS and the other existing iFile belonging to SSL Orchestrator. Additionally, the path in the rest storage referencing the iFile object does not get updated. In the bigip.conf, the iFile version does not point to the iFile restored as part of the UCS restore process. To check the reference in restDB use the following https://<<MGMT-IP>>/mgmt/tm/sys/file/ifile/ OrchestratoriFile?options=-hidden.

Workaround: Before restoring the UCS file, perform the following steps:

  1. Delete the iFile object using the following command:

    tmsh delete sys application service

    Do not create any configuration using SSL Orchestrator UI after deleting the iFile.

  2. Restore the UCS.
  3. If the system is in an error state after the UCS restore, use the following command to check for multiple iFiles:

    ls /config/filestore/files_d/Common_d/ifile_d/ | grep SSLO

  4. Use the following commands to delete the multiple iFiles:

    tmsh delete sys application service

    rm -fr /config/filestore/files_d/Common_d/ifile_d/\:Common\:SSLOiFile_*

  5. Restore the UCS.
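
The check in step 3 can be scripted so that it reports duplicates without deleting anything. The following is an added example, not part of F5's release note: the function names are hypothetical, and the directory and the `:Common:SSLOiFile_` prefix are taken from the commands above.

```shell
#!/bin/sh
# Added example (not F5 code): report how many SSL Orchestrator iFiles
# exist in the BIG-IP filestore. It only reads the directory; it never deletes.
# Assumption: SSLO iFiles are named ":Common:SSLOiFile_<suffix>", as in the
# rm command of the workaround.
IFILE_DIR_DEFAULT="/config/filestore/files_d/Common_d/ifile_d"

# list_sslo_ifiles [DIR]: print one matching file name per line.
list_sslo_ifiles() {
    dir="${1:-$IFILE_DIR_DEFAULT}"
    [ -d "$dir" ] || return 2
    for f in "$dir"/:Common:SSLOiFile_*; do
        [ -e "$f" ] || continue    # glob matched nothing
        basename "$f"
    done
}

# count_sslo_ifiles [DIR]: print the number of SSLO iFiles found.
count_sslo_ifiles() {
    list_sslo_ifiles "$1" | wc -l | tr -d ' '
}

# check_sslo_ifiles [DIR]
#   returns 0 when zero or one SSLO iFile exists,
#           1 when several exist (the state that breaks the UCS restore),
#           2 when the directory is missing.
check_sslo_ifiles() {
    dir="${1:-$IFILE_DIR_DEFAULT}"
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi
    n=$(count_sslo_ifiles "$dir")
    if [ "$n" -gt 1 ]; then
        echo "DUPLICATE: $n SSLO iFiles in $dir" >&2
        list_sslo_ifiles "$dir" >&2
        return 1
    fi
    echo "OK: $n SSLO iFile(s) in $dir"
}
```

Source the file and run `check_sslo_ifiles` before and after the restore; a return status of 1 means step 4 applies.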
1087793 You cannot exclude a single IP subnet from the group of IP subnets created by Office 365.

Workaround: In the Security Policy, since rules are evaluated top-down, create two different policy rules, with the more specific rule occurring first. For example, to intercept but bypass *.example.com, just using the *. rule would not separate the "app." To extract "app.", create two policy rules, the more specific app. rule first, and then the *. rule.

1099205 When an L3 Inbound topology is configured for application mode, the SSL configuration selected before deployment is not displayed in the Selected list on the Interception Rule step after deployment. This issue is UI-related and does not impact traffic. You can view the selected SSL configuration in the Interception Rules mini flow.

Install and upgrade SSL Orchestrator

To install the F5 SSL Orchestrator 10.1, if you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, download the image from See the BIG-IP Systems: Upgrading Software guide for complete step-by-step installation instructions.

Refer to the Update or Upgrade the F5 SSL Orchestrator chapter in the BIG-IP update and upgrade guide if you have an existing add-on license or want to upgrade to the newest version of SSL Orchestrator from a previous version prior to 5.0. This procedure walks you through the uninstallation and deletion of existing SSL Orchestrator applications and RPM before installing the new ISO image.

If your SSL Orchestrator experiences a failed upgrade and you need to recover your system, you must perform a series of manual steps to clean up the FDB nodes and the SSL Orchestrator application. For information about the manual steps, refer to the following documentation appropriate for your SSL Orchestrator version:

Note: If you are implementing a high availability (HA) environment for SSL Orchestrator, refer to the Update or Upgrade the F5 SSL Orchestrator chapter in the BIG-IP update and upgrade guide for more detailed information.
Note: If you are an SSL Orchestrator user with an HA setup, you may also use the F5 Guided Configuration for SSL Orchestrator: High Availability Diagnostics and Sync-Repair Tool guide to troubleshoot and fix HA setup issues.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register email with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.