Supplemental Document : BIG-IP 11.6.1 Fixes and Known Issues

Applies To:

BIG-IP LTM

  • 11.6.1
Original Publication Date: 03/18/2018 Updated Date: 04/18/2019

Release Information

Version: BIGIP-11.6.1
Build: 317.0

Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.6.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
565169 CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 SOL05200155 Multiple Java Vulnerabilities
542314-5 CVE-2015-8099 SOL35358312 TCP vulnerability - CVE-2015-8099
529509-6 CVE-2015-4620 SOL16912 BIND Vulnerability CVE-2015-4620
570535 CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE   Multiple Kernel Vulnerabilities
567475-5 CVE-2015-8704 SOL53445000 BIND vulnerability CVE-2015-8704
560180-2 CVE-2015-8000 SOL34250741 BIND Vulnerability CVE-2015-8000
553902-2 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196   Multiple NTP Vulnerabilities
545786-4 CVE-2015-7393 SOL75136237 Privilege escalation vulnerability CVE-2015-7393
540849-7 CVE-2015-5986 SOL17227 BIND vulnerability CVE-2015-5986
540846-7 CVE-2015-5722 SOL17181 BIND vulnerability CVE-2015-5722
540767-2 CVE-2015-5621 SOL17378 SNMP vulnerability CVE-2015-5621
534090-2 CVE-2015-5380 SOL17238 Node.js vulnerability CVE-2015-5380
508057-1 CVE-2015-0411 SOL16355 MySQL Vulnerability CVE-2015-0411
488015-1 CVE-2014-3669 CVE-2014-3670 CVE-2014-3668 SOL15866 Multiple PHP vulnerabilities
556383-1 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 SOL31372672 Multiple NSS Vulnerabilities
534633-3 CVE-2015-5600 SOL17113 OpenSSH vulnerability CVE-2015-5600
525232-1 CVE-2015-4024 SOL16826 PHP vulnerability CVE-2015-4024
472696-1 CVE-2014-1544 SOL16716 Multiple Mozilla Network Security Services vulnerabilities
470842-1 CVE-2012-5784 SOL14371 Apache Axis vulnerability CVE-2012-5784
560962-2 CVE-2015-3196 SOL55540723 OpenSSL Vulnerability CVE-2015-3196
560948-2 CVE-2015-3195 SOL12824341 OpenSSL vulnerability CVE-2015-3195
567484-5 CVE-2015-8705 SOL86533083 BIND Vulnerability CVE-2015-8705


Functional Change Fixes

ID Number Severity Description
470715-5 2-Critical Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long
570716-3 3-Major Default net ipsec ike-peer anonymous state disable
539130-6 3-Major bigd may crash due to a heartbeat timeout
530133-3 3-Major Support for New Platform: BIG-IP 10350 FIPS
382157-3 3-Major Stats presented by the MIB sysVlanStatTable do not match sflow vlan stats


TMOS Fixes

ID Number Severity Description
492460-3 1-Blocking Virtual deletion failure possible when using sFlow
572086 2-Critical Unable to boot v11.6.0 on 7250 or 10250 platforms
564427-3 2-Critical Use of iControl call get_certificate_list_v2() causes a memory leak.
562959-2 2-Critical In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.
562122-5 2-Critical Adding a trunk might disable vCMP guest
557680-1 2-Critical Fast successive MTU changes to IPsec tunnel interface crashes TMM
556380-2 2-Critical mcpd can assert on active connection deletion
555686-5 2-Critical Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
554609-4 2-Critical Kernel panics during boot when RAM spans multiple NUMA nodes.
552481 2-Critical Disk provisioning error after restarting ASM service.
551661-2 2-Critical Monitor with send/receive string containing double-quote may fail to load.
544913-6 2-Critical tmm core while logging from TMM during failover
544481-5 2-Critical IPSEC Tunnel fails for more than one minute randomly.
543924 2-Critical Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6
520380-6 2-Critical save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
511527-2 2-Critical snmpd segmentation fault at get_bigip_profile_user_stat()
510559-6 2-Critical Add logging to indicate that compression engine is stalled.
505071-5 2-Critical Delete and create of the same object can cause secondary blades' mcpd processes to restart.
504508-5 2-Critical IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
503600-6 2-Critical TMM core logging from TMM while attempting to connect to remote logging server
502841-2 2-Critical REST API hangs due to icrd startup issues
490801-2 2-Critical mod_ssl: missing support for TLSv1.1 and TLSv1.2
484453-6 2-Critical Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)
365219-2 2-Critical Trust upgrade fails when upgrading from version 10.x to version 11.x.
563475-3 3-Major ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
562928 3-Major Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
560423-2 3-Major VxLAN tunnel IP address modification is not supported
560220-1 3-Major Missing partition and subPath fields for some objects in iControl REST
559584-2 3-Major tmsh list/save configuration takes a long time when config contains nested objects.
558573-2 3-Major MCPD restart on secondary blade after updating Pool via GUI
556284-5 3-Major iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
554563-3 3-Major Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
554340-4 3-Major IPsec tunnels fail when connection.vlankeyed db variable is disabled
553649-3 3-Major The SNMP daemon might lock up and fail to respond to SNMP requests.
553576-3 3-Major Intermittent 'zero millivolt' reading from FND-850 PSU
552585-3 3-Major AAA pool member creation sets the port to 0.
551927-2 3-Major ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
551742-2 3-Major Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
550694-3 3-Major LCD display stops updating and Status LED turns/blinks Amber
550536-3 3-Major Incorrect information/text (in French) is displayed when the Edge Client is launched
549543-3 3-Major DSR rejects return traffic for monitoring the server
548239-3 3-Major BGP routing using route-maps cannot match route tags
547532-2 3-Major Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
541569-3 3-Major IPsec NAT-T (IKEv1) not working properly
540996-2 3-Major Monitors with a send attribute set to 'none' are lost on save
540871-1 3-Major Update/deletion of SNMPv3 user does not work correctly
539822-4 3-Major tmm may leak connflow and memory on vCMP guest.
539784-4 3-Major HA daemon_heartbeat mcpd fails on load sys config
538663-3 3-Major SSO token login does not work due to remote role update failures.
538024-3 3-Major Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load
534582-4 3-Major HA configuration may fail over when standby has only base configuration loaded.
534076-2 3-Major SNMP configured trap-source might not be used in v1 snmp traps.
533826-5 3-Major SNMP Memory Leak on a VIPRION system.
531986-3 3-Major Hourly AWS VE license breaks after reboot with default tmm route/gateway.
531705-2 3-Major List commands on non-existent iRules incorrectly succeed.
530242-3 3-Major SPDAG on VIPRION B2250 and B2250F blades might cause traffic imbalance among TMMs
529977-1 3-Major OSPF may not process updates to redistributed routes
529484-4 3-Major Virtual Edition Kernel Panic under load
528987-3 3-Major Benign warning during formatting installation
528276-7 3-Major The device management daemon can crash with a malloc error
526817-4 3-Major snmpd core due to mcpd message timer thread not exiting
526031-2 3-Major OSPFv3 may not completely recover from "clear ipv6 ospf process"
524300-2 3-Major The MOS boot process appears to hang.
523867-3 3-Major 'warning: Failed to find EUDs' message during formatting installation
522871-1 3-Major [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
522837-1 3-Major MCPD can core as a result of another component shutting down prematurely
522332-1 3-Major Configuration upgrade of httpclass which has the 'hosts' attribute done incorrectly
521144-5 3-Major Network failover packets on the management interface sometimes have an incorrect source-IP
517388-7 3-Major Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
517209-7 3-Major tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
517020-5 3-Major SNMP requests fail and subsnmpd reports that it has been terminated.
516322-7 3-Major iApp association removed from virtual server
513974-7 3-Major Transaction validation errors on object references
513659-3 3-Major AAM Policy: not all regex characters can be used via the GUI
512130-4 3-Major Remote role group authentication fails with a space in LDAP attribute group name
510381-3 3-Major bcm56xxd on A108 (B4300 blade) might core when restarting due to bundling config change.
503246-4 3-Major TMM crashes when unable to allocate large amount of provisioned memory
496679-5 3-Major After renaming /cm device, load fails with 'foreign key index (default_device_fk)'.
495865-2 3-Major iApps/tmsh cannot reconfigure pools that have monitors associated with them.
491727-2 3-Major Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).
490537-6 3-Major Persistence Records display in GUI might cause system crash with large number of records
482373-3 3-Major Cannot delete and re-create a new virtual server that uses the same virtual address in the same transaction
480246-4 3-Major Message: Data publisher not found or not implemented when processing request
473415-1 3-Major ASM Standalone license has to include URL and HTML Rewrite
449453-5 3-Major Loading the default configuration may cause the mcpd process to restart and produce a core file.
442871-2 3-Major BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor
439559-2 3-Major APM policy sync resulting in failover device group sync may make the failover sync fail
433466-4 3-Major Disabling bundled interfaces affects first member of associated unbundled interfaces
421012-3 3-Major scriptd incorrectly reports that it is running on a secondary blade
405635-2 3-Major Using the restart cm trust-domain command to recreate certificates required by device trust.
553174-4 4-Minor Unable to query admin IP via SNMP on VCMP guest
533790-4 4-Minor Creating multiple address entries in data-group might result in records being incorrectly deleted
519216-4 4-Minor Abnormally high CPU utilization from external SSL/OpenSSL monitors
480071-2 4-Minor Backslashes in policy rule added/duplicated when modified in GUI.
401893-3 4-Minor Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
223884 4-Minor Module not licensed message appears when APM is provisioned and APML is licensed.
572133-2 5-Cosmetic tmsh save /sys ucs command sends status messages to stderr
413708-5 5-Cosmetic BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.
388274-3 5-Cosmetic LTM pool member link in non-Common partition is wrong in Network Map.
291469-2 5-Cosmetic SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.


Local Traffic Manager Fixes

ID Number Severity Description
536690-4 1-Blocking Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)
476386-2 1-Blocking DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for tls1.2
565810-2 2-Critical OneConnect profile with an idle or strict limit-type might lead to tmm core.
554967-3 2-Critical Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
552151-2 2-Critical Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
549782-1 2-Critical XFV driver can leak memory
545810-1 2-Critical ASSERT in CSP in packet_reuse
544375-1 2-Critical Unable to load certificate/key pair
542564-3 2-Critical bigd detection and logging of load and overload
540568-2 2-Critical TMM core due to SIGSEGV
540473-6 2-Critical peer/clientside/serverside script with parking command may cause tmm to core.
537988-5 2-Critical Buffer overflow for large session messages
534804-2 2-Critical TMM may core with rate limiting enabled and service-down-action reselect on poolmembers
534052-3 2-Critical VLAN failsafe triggering on standby leaks memory
530505-4 2-Critical IP fragments can cause TMM to crash when packet filtering is enabled
529920-7 2-Critical Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
528739-1 2-Critical DNS Cache could use cached data from ADDITIONAL sections in ANSWER responses.
527011-6 2-Critical Intermittent lost connections with no errors on external interfaces
525882-2 2-Critical SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate.
524605-2 2-Critical Requests/responses may not be fully delivered to plugin in some circumstances
523995-2 2-Critical IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes
521336-6 2-Critical pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
520105-3 2-Critical Possible segfault during hardware accelerated compression.
518275-2 2-Critical The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file
517465-4 2-Critical tmm crash with ssl
509284-2 2-Critical Improved reliability of a module interfacing with HSM
507611-4 2-Critical On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
489451-3 2-Critical TMM might panic due to OpenSSL failure during handshake generation
489329-6 2-Critical Memory corruption can occur with SPDY/HTTP2 profile(s)
483719-2 2-Critical vlan-groups configured with a single member VLAN result in a memory leak
341928-4 2-Critical CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.
570617-4 3-Major HTTP parses fragmented response versions incorrectly
564371-2 3-Major FQDN node availability not reset after removing monitoring
562308-2 3-Major FQDN pool members do not support manual-resume
562292-1 3-Major Nesting periodic after with parking command could crash tmm
560685 3-Major TMM may crash with 'tmsh show sys conn'.
559933-2 3-Major tmm might leak memory on vCMP guest in SSL forward proxy
558517-3 3-Major Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.
557783-2 3-Major TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
557645-3 3-Major On VIPRION 2200 and 2400 platforms, internal HA communication between devices will occasionally fail.
557519 3-Major TMM may core when disabling HTTP in an iRule on a virtual server with HTTP and FastL4 profiles
556568-2 3-Major TMM can crash with ssl persistence and fragmented ssl records
556560-2 3-Major DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
556103-3 3-Major Abnormally high CPU utilization for external monitors
554769-4 3-Major CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.
554761-5 3-Major Negotiated TCP timestamps not maintained on syncookie flows
553688-4 3-Major TMM can core due to memory corruption when using SPDY profile.
553613-3 3-Major FQDN nodes do not support session user-disable
552931-4 3-Major Configuration fails to load if DNS Express Zone name contains an underscore
552865-4 3-Major SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
550689-2 3-Major Resolver H.ROOT-SERVERS.NET Address Change
549800-2 3-Major Renaming a virtual server with an attached plugin can cause buffer overflow
549406-5 3-Major Destination route-domain specified in the SOCKS profile
548680-2 3-Major TMM may core when reconfiguring iApps that make use of iRules with procedures.
548678-2 3-Major ASM blocking page does not display when using SPDY profile
548563-2 3-Major Transparent Cache Messages Only Updated with DO-bit True
547732-1 3-Major TMM may core on using SSL::disable on an already established serverside connection
544028-5 3-Major Verified Accept counter 'verified_accept_connections' might underflow.
543220-1 3-Major Global traffic statistics do not include PVA statistics
542724-1 3-Major If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash
542640-2 3-Major bigd intentionally cores when it should shutdown cleanly
541571-3 3-Major FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses
538639-3 3-Major P-256 ECDH performance improvements
538603-2 3-Major TMM core file on pool member down with rate limit configured
537964-4 3-Major Monitor instances may not get deleted during configuration merge load
535759-3 3-Major SMTP monitor marks a server down if the server does not close connections after a quit command is received
534457-2 3-Major Dynamically discovered routes might fail to remirror connections.
533820-5 3-Major DNS Cache response missing additional section
532911-2 3-Major Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.
532107-2 3-Major [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
530761-1 3-Major TMM crash in DNS processing on a TCP virtual
529899-1 3-Major Installation may fail with the error "(Storage modification process conflict.)".
528407-4 3-Major TMM may core with invalid lasthop pool configuration
528007-6 3-Major Memory leak in ssl
527149-3 3-Major FQDN template node transitions to 'unknown' after configuration reload
527027-4 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
527024-3 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
525989-2 3-Major A disabled blade is spontaneously re-enabled
525958-11 3-Major TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
525672-2 3-Major tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.
525322-7 3-Major Executing tmsh clientssl-proxy cached-certs crashes tmm
524960-2 3-Major 'forward' command does not work if virtual server has attached pool
524641-1 3-Major Wildcard NAPTR record after deleting the NAPTR records
523471-2 3-Major pkcs11d core when connecting to SafeNet HSM
519217-4 3-Major tmm crash: valid proxy
517282-7 3-Major The DNS monitor may delay marking an object down or never mark it down
517053-2 3-Major bigd detection and logging of load and overload
516816-4 3-Major RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
515759-3 3-Major Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
513213-5 3-Major FastL4 connection may get RSTs in case of hardware syncookie enabled.
513142-3 3-Major FQDN nodes with a default monitor may cause configuration load failure
512119-2 3-Major Improved UDP DNS packet truncation
511057-5 3-Major Config sync fails after changing monitor in iApp
510264-1 3-Major TMM core associated with smtps profile.
509641-3 3-Major Ephemeral pool members may not inherit attributes from FQDN parent
507410-2 3-Major Possible TMM crash when handling certain types of traffic with SSL persistence enabled
507109-4 3-Major inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade
505089-4 3-Major Spurious ACKs result in SYN cookie rejected stat increment.
504545-2 3-Major FQDN: node without service checking reported as 'service checking enabled, no results yet'
502480-1 3-Major Mirrored connections on standby device do not get closed when Verified Accept is enabled
500786-6 3-Major Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
499430-2 3-Major Standby unit might bridge network ingress packets when bridge_in_standby is disabled
488921-2 3-Major BIG-IP system sends unnecessary gratuitous ARPs
476567-5 3-Major fastL4: acceleration state is incorrectly reported on show sys conn
476564-5 3-Major ePVA FIX: no RST for an unaccelerated flow targeting a network virtual
475701-2 3-Major FastL4 with FIX late-bind enabled may not honor client-timeout
472532-4 3-Major Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list
460946-2 3-Major NetHSM key is displayed as normal in GUI
458348-2 3-Major RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
455762-1 3-Major DNS cache statistics incorrect
452443-2 3-Major DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured
452439-5 3-Major TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads
446526-7 3-Major TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.
441058 3-Major TMM can crash when a large number of SSL objects are created
424831-6 3-Major State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
418890-2 3-Major OpenSSL bug can prevent RSA keys from rolling forward
406001-3 3-Major Host-originated traffic cannot use a nexthop in a different route domain
372473-2 3-Major mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
554774-2 4-Minor Persist lookup across services might fail to return a matching record when multiple records exist.
551614-2 4-Minor MTU Updates should erase all congestion metrics entries
546747-2 4-Minor Occasional SSL connection handshake failure when one ClientHello is sent in multiple packets
534458-6 4-Minor SIP monitor marks down member if response has different whitespace in header fields.
452482-7 4-Minor HTTP virtual servers with cookie persistence might reset incoming connections
558053-2 5-Cosmetic Pool's 'active_member_cnt' attribute may not be updated as expected.
529897-1 5-Cosmetic Diameter monitor logging displays hex when the monitor is failing, instead of the AVP on which the monitor is failing.


Performance Fixes

ID Number Severity Description
489816-1 1-Blocking F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero
548796-2 2-Critical avrd CPU usage is at 100%


Global Traffic Manager Fixes

ID Number Severity Description
533658-5 2-Critical DNS decision logging can trigger TMM crash
471467 2-Critical gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
469033 2-Critical Large big3d memory footprint.
551767-3 3-Major GTM server 'Virtual Server Score' not showing correctly in TMSH stats
546640 3-Major tmsh show gtm persist <filter option> does not filter correctly
529460-7 3-Major Short HTTP monitor responses can incorrectly mark virtual servers down.
526699-6 3-Major TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
481328-2 3-Major Many 'tmsh save sys config gtm-only partitions all' invocations cause a stack memory issue.
552352-2 4-Minor tmsh list displays default values of gtm listener translate-address/translate-port incorrectly
494796 4-Minor Unable to create GTM Listener with non-default protocol profile.
494070-2 4-Minor BIG-IP DNS cannot use a loopback address with fallback IP load balancing


Application Security Manager Fixes

ID Number Severity Description
565463-2 1-Blocking ASM-config consumes 1.3GB RAM after repeated Policy Import via REST
566758-2 2-Critical Manual changes to policy imported as XML may introduce corruption for Login Pages
555057-3 2-Critical ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
555006-3 2-Critical ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
552139-2 2-Critical ASM limitation in the pattern matching matrix build-up
478351-1 2-Critical Changing management IP can lead to bd crash
474252-1 2-Critical Applying ASM security policy repeatedly fills disk partition on a chassis
574451-2 3-Major ASM chassis sync occasionally fails to load on secondary slot
563237 3-Major ASM REST: name for ipIntelligenceReference is incorrect
562775-2 3-Major Memory leak in iprepd
558642-1 3-Major Cannot create the same navigation parameter in two different policies
554367-1 3-Major BIG-IQ ASM remote logger: Requests are not logged.
553146-2 3-Major BD memory leak
547000-4 3-Major Enforcer application might crash on XML traffic when out of memory
542511-2 3-Major 'Unhandled keyword ()' error message in GUI and/or various ASM logs
541852-1 3-Major ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails
541406-1 3-Major ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request
540390-2 3-Major ASM REST: Attack Signature Update cannot roll back to older attack signatures
538195-1 3-Major Incremental Manual sync does not allow overwrite of 'newer' ASM config
535188-3 3-Major Response Pages custom content with \n instead of \r\n on policy import.
534246-2 3-Major rest_uuid should be calculated from the actual values inserted to the entity
531809-2 3-Major FTP/SMTP traffic related bd crash
530598-1 3-Major Some Session Tracking data points are lost on TMM restart
529610-1 3-Major On HA setups the ASM session tracking page displays an empty list when there are in fact ASM entries in the session db
529535-4 3-Major MCP validation error while deactivating a policy that is assigned to a virtual server
526162-7 3-Major TMM crashes with SIGABRT
520732-3 3-Major XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty
514313-1 3-Major Logging profile configuration is updated unnecessarily
514061-4 3-Major False positive scenario causes SMTP transactions to hang and eventually reset.
503696-1 3-Major BD enforcer updates may be stuck after BD restart
491371-1 3-Major CMI: Manual sync does not allow overwrite of 'newer' ASM config
491352-3 3-Major Added ASM internal parameter to add more XML memory
481530-1 3-Major Signature reporting details for sensitive data violation
538837-1 4-Minor REST: Filtering login pages or parameters by their associated URL does not work


Application Visibility and Reporting Fixes

ID Number Severity Description
529900-1 2-Critical AVR missing some configuration changes in multiblade system
519257-2 2-Critical cspm script isn't injected in text/html chunked response
470559 2-Critical TMM crash after traffic stress with rapid changes to Traffic capturing profiles
552488-1 3-Major Missing upgrade support for AFM Network DoS reports.
549393-3 3-Major SWG URL categorization may cause the /var file system to fill.
535246-6 3-Major Table values are not correctly cleaned and can occupy entire disk space.
530952-1 3-Major MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
529903-1 3-Major Incorrect reports on multi-bladed systems
528031-3 3-Major AVR not reporting the activity of standby systems.
491185-1 3-Major URL Latencies page: pagination limited to 180 pages
490999-2 3-Major Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start
537435-1 4-Minor Monpd might core if asking for export report by email while monpd is terminating
495744-1 4-Minor Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards


Access Policy Manager Fixes

ID Number Severity Description
553330-3 1-Blocking Unable to create a new document with SharePoint 2010
579559-2 2-Critical DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration
572563-3 2-Critical ---
569306-3 2-Critical Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
555507-2 2-Critical Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
551764-3 2-Critical [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
530622-1 2-Critical EAM plugin uses high memory when serving very high concurrent user load
522997-3 2-Critical Websso cores when it tries to shut down
491080-5 2-Critical Memory leak in access framework
571003-1 3-Major TMM Restarts After Failover
570563-2 3-Major CRL is not being imported/exported properly
569255-3 3-Major Network Access incorrectly manipulates routing table when second adapter is being connected if "Allow Local subnet access" is set to ON
566908-5 3-Major Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
565527-3 3-Major Static proxy settings are not applied if NA configuration
564496-3 3-Major Applying APM Add-on License Does Not Change Effective License Limit
564493 3-Major Copying an access profile appends an _1 to the name.
564262-4 3-Major Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
564253-5 3-Major Firefox signed plugin for VPN, Endpoint Check, etc.
563474-2 3-Major SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile
561976 3-Major Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely.
558870-3 3-Major Protected workspace does not work correctly with third party products
558631-2 3-Major APM Network Access VPN feature may leak memory
555457-5 3-Major Reboot is required, but not prompted after F5 Networks components have been uninstalled
555435-2 3-Major AD Query fails if cross-domain option is enabled and administrator's credentials are not specified
554993-2 3-Major Profile Stats Not Updated After Standby Upgrade Followed By Failover
554899-2 3-Major MCPD core with access policy macro during config sync in HA configuration
554626-1 3-Major Database logging truncates log values greater than 1024
554228-5 3-Major OneConnect does not work when WEBSSO is enabled/configured.
554041-5 3-Major No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
553734-1 3-Major Issue with assignment of non-string value to Form.action in JavaScript.
553063-1 3-Major Epsec version rolls back to previous version on a reboot
552498-1 3-Major APMD basic authentication cookie domains are not processed correctly
549588-2 3-Major EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
549108-1 3-Major RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value
548361 3-Major Performance degradation when adding VDI profile to virtual server
543222-3 3-Major apd may crash if an un-encoded session variable contains "0x"
539270-6 3-Major A specific NTLM client fails to authenticate with BIG-IP
539229-7 3-Major EAM core while using Oracle Access Manager
531983-5 3-Major [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
528808-3 3-Major Source NAT translation doesn't work when APM is disabled using iRule
526637-4 3-Major tmm crash with APM clientless mode
522791-2 3-Major HTML rewriting on client might leave 'style' attribute unrewritten.
520088-2 3-Major Citrix HTML5 Receiver does not properly display initial tour and icons
518550-3 3-Major Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
517846-2 3-Major View Client cannot change AD password in Cross Domain mode
511893-5 3-Major Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
492122-5 3-Major Now Windows Logon Integration does not recreate temporary user for logon execution each time
488811-5 3-Major F5-prelogon user profile folders are not fully cleaned up
482177-4 3-Major Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO
472446-2 3-Major Customization Group Template File Might Cause Mcpd to Restart
471318-1 3-Major AD/LDAP group name matching should be case-insensitive
467256-2 3-Major Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat
462598-4 3-Major Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
462258-8 3-Major AD/LDAP server connection failures might cause apd to stop processing requests when service is restored
461084-3 3-Major Kerberos Auth might fail if client request contains Authorization header
389328-7 3-Major RSA SecurID node secret is not synced to the standby node


WebAccelerator Fixes

ID Number Severity Description
551010-7 3-Major Crash on unexpected WAM storage queue state
525478-2 3-Major Requests for deflate encoding of gzip documents may crash TMM


Wan Optimization Manager Fixes

ID Number Severity Description
552198-5 3-Major APM App Tunnel/AM iSession Connection Memory Leak
547537-3 3-Major TMM core due to iSession tunnel assertion failure


Service Provider Fixes

ID Number Severity Description
538784-3 3-Major ICAP implementation incorrect when HTTP request or response is missing a payload
523854-1 3-Major TCP reset with RTSP Too Big error when streaming interleaved data
545985-3 4-Minor ICAP 2xx response (except 200, 204) is treated as error
489957-9 4-Minor RADIUS::avp command fails when AVP contains multiple attribute (VSA).


Advanced Firewall Manager Fixes

ID Number Severity Description
477769-2 2-Critical TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules.
561433-3 3-Major TMM Packets can be dropped indiscriminately while under DOS attack
489379-1 3-Major Bot signature is not matched
469512-3 3-Major TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies.


Policy Enforcement Manager Fixes

ID Number Severity Description
529634-2 2-Critical Crash observed with HSL logging
512069-2 2-Critical TMM restart while relicensing the BIG-IP using the base license.
510923-2 2-Critical TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.
565765-3 3-Major Flow reporting does not occur for unclassified flows.
564263-3 3-Major PEM: TMM asserts when Using Debug Image when Gy is being used
560607-3 3-Major Resource Limitation error when removing predefined policy which has multiple rules
559382-1 3-Major Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
557675-3 3-Major Failover from PEM to PCRF can cause session lookup inconsistency
549283-3 3-Major Add a log message to indicate transition in the state of Gx and Gy sessions.


Carrier-Grade NAT Fixes

ID Number Severity Description
555369-3 2-Critical CGNAT memory leak when non-TCP/UDP traffic directed at public addresses
545783-3 2-Critical TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool
540571-2 2-Critical TMM cores when multicast address is set as destination IP via iRules and LSN is configured
540484-2 2-Critical "show sys pptp-call-info" command can cause tmm crash
535101-1 2-Critical Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.


Centralized Management Fixes

ID Number Severity Description
538722-3 3-Major Configurable maximum message size limit for restjavad


iApp Technology Fixes

ID Number Severity Description
546082-5 2-Critical Special characters might change input.

 

Cumulative fix details for BIG-IP v11.6.1 that are included in this release

579559-2 : DTLS Network Access may not work with some hardware platforms with Nitrox hardware acceleration

Component: Access Policy Manager

Symptoms:
Network Access always falls back to a TLS connection, even if DTLS is configured, when connecting to some hardware platforms.

Conditions:
Network Access is configured to use DTLS, and the BIG-IP system is a hardware platform that uses Nitrox acceleration for DTLS.

Impact:
The Network Access connection always falls back to TLS.

Workaround:
N/A

Fix:
Nitrox hardware acceleration support for DTLS Network Access has been fixed.


574451-2 : ASM chassis sync occasionally fails to load on secondary slot

Component: Application Security Manager

Symptoms:
ASM chassis sync occasionally fails to load on secondary slot when a new policy is created after a series of other configuration changes in quick succession.

Conditions:
A new policy is created after a series of other configuration changes in quick succession

Impact:
ASM chassis sync fails to load on secondary slot.

Workaround:
Make another system-wide configuration change, such as creating a user-defined signature, or wait until the hourly sync occurs.

Fix:
ASM chassis blades are now synchronized correctly after every policy creation.


572563-3 : ---

Component: Access Policy Manager

Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).

Conditions:
One of our DLLs, vdeskctrl.dll, provides COM services. Internet Explorer (IE) consumes the COM services. The DLL is loaded by IE during upgrade of PWS components. For some reason (especially on slow systems), IE does not unload the old DLL promptly after upgrading PWS. When COM services are invoked to initialize PWS after upgrade, the old DLL provides the service. Due to the recent renewal of our signing certificate, the old DLL cannot certify the integrity of the new PWS components. We have researched the issue, but we have not found a way to instruct IE to unload the old DLL after upgrade.

Impact:
PWS session does not launch.

Workaround:
After upgrade, if Internet Explorer (IE) does not enter PWS within 60 seconds, close IE and start a new session. This is a one-time event.


572133-2 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This is visible if you are watching stderr for error messages.

Conditions:
There are no conditions, every time the command is run, it will send some status type messages to stderr.

Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command will send the status messages to stdout.
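The failure mode above is a script that equates "anything on stderr" with "the save failed". The following is an added example (not F5 code) of the safer pattern: decide success from the exit status, and only filter the known informational stderr line so it does not pollute error reporting. Because tmsh is not available offline, the two commands are constructed stand-ins built with sys.executable that mimic the pre-fix behaviour (status text on stderr with exit 0) and a genuine failure (exit 1); the error text in the failing stand-in is invented for illustration.

```python
"""Treat a BIG-IP backup command as failed only when its exit status says so.

Added example, not F5 code. The tmsh invocations below are constructed
stand-ins so the script runs offline; real tmsh output may differ.
"""
import subprocess
import sys

# Status text that 11.6.0 tmsh writes to stderr although it is not an error.
INFORMATIONAL = ("Saving active configuration...",)


def fake_tmsh(stdout_text, stderr_text, exit_code):
    """Constructed stand-in for 'tmsh save /sys ucs <file>' (assumption)."""
    code = (
        "import sys\n"
        f"sys.stdout.write({stdout_text!r})\n"
        f"sys.stderr.write({stderr_text!r})\n"
        f"sys.exit({exit_code})\n"
    )
    return [sys.executable, "-c", code]


def run_checked(argv):
    """Run argv and return (ok, stdout, errors).

    ok is derived from the exit status alone. stderr lines that match
    INFORMATIONAL are dropped from 'errors' so a caller that logs stderr
    does not mistake them for failures; an unexpected stderr line is kept
    for the log but still does not flip ok on its own.
    """
    proc = subprocess.run(argv, capture_output=True, text=True)
    errors = [
        line for line in proc.stderr.splitlines()
        if line.strip() and not line.strip().startswith(INFORMATIONAL)
    ]
    return proc.returncode == 0, proc.stdout, errors


# Pre-fix behaviour: status on stderr, exit 0. Must count as success.
UCS_OK = fake_tmsh("", "Saving active configuration...\n", 0)
# A genuine failure: non-zero exit with a real error (text is constructed).
UCS_FAIL = fake_tmsh("", "error: could not write backup.ucs\n", 1)


def backup_status(argv):
    """Return a one-line verdict suitable for a cron mail or SIEM event."""
    ok, _, errors = run_checked(argv)
    if ok:
        return "ucs save succeeded"
    return "ucs save FAILED: " + ("; ".join(errors) or "no error text")


if __name__ == "__main__":
    print(backup_status(UCS_OK))
    print(backup_status(UCS_FAIL))
```

The point of the split return value is that a backup job should alert on a non-zero exit status (the UCS may be missing or truncated) and never silently pass because stderr happened to be empty, or silently fail because it was not.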


572086 : Unable to boot v11.6.0 on 7250 or 10250 platforms

Component: TMOS

Symptoms:
Unable to boot or system constantly rebooting.

Conditions:
Booting into v11.6.0 on 7250 or 10250 platform with RAID disk layout.

Impact:
Unable to boot.

Workaround:
None.

Fix:
This version of the software boots correctly on 7250 or 10250 platforms with a RAID disk layout.


571003-1 : TMM Restarts After Failover

Component: Access Policy Manager

Symptoms:
TMM generates core file and restarts.

Conditions:
1. In an HA pair running a release earlier than 11.5.3-HF2 or 11.6.0-HF6, the standby is upgraded to 11.6.0-HF6 EHF 186, 241, 243, or 247.
2. Force failover.
3. A new session is established or an existing session is terminated.

Impact:
Service is disrupted. All existing sessions are terminated.

Workaround:
None.

Fix:
TMM no longer generates core file and restarts upon upgrade.


570716-3 : Default net ipsec ike-peer anonymous state disable

Component: TMOS

Symptoms:
The default of 'net ipsec ike-peer anonymous state' has been changed from enabled to disabled.

Conditions:
This applies to the 'net ipsec ike-peer anonymous state' setting.

Impact:
In order to use ike-peer anonymous, it must be explicitly enabled.

Workaround:
Set 'net ipsec ike-peer anonymous state' to enable if that is what is desired.

Fix:
The default 'net ipsec ike-peer anonymous state' is now disabled.

Behavior Change:
The default of 'net ipsec ike-peer anonymous state' has been changed from enabled to disabled.


570617-4 : HTTP parses fragmented response versions incorrectly

Component: Local Traffic Manager

Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP itself correctly determines the version of the response; however, other filters that re-scan the version field might see a truncated value and then misparse the HTTP version.

Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.

Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as an HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.

Workaround:
None.

Fix:
HTTP correctly bounds the response version for other filters to parse.
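The bug class here is a field boundary computed from a partial buffer. The following added example (not BIG-IP or TMM code) contrasts a naive version scan that looks only at the bytes received so far, which reports HTTP/0.9 when the status line is split across packets, with a parser that buffers until the end of the status line before bounding the version field. The fragments are constructed; the naive function is an illustration of the mis-bounding described above, not the actual TMM logic.

```python
"""Bound the HTTP version field only once the whole status line has arrived.

Added example, not BIG-IP code. The fragments below are constructed to split
the version field across two packets, as in the fixed issue.
"""
import re

# HTTP/1.x status line: version, SP, 3-digit status, optional reason phrase.
STATUS_LINE = re.compile(rb"^(HTTP/\d\.\d) (\d{3})(?: .*)?$")


def version_naive(first_fragment):
    """Buggy: scans only the bytes received so far.

    'HTTP/1' alone does not match a status line, so the response is
    reported as 0.9. This models a filter re-scanning a truncated field.
    """
    line = first_fragment.split(b"\r\n", 1)[0]
    m = STATUS_LINE.match(line)
    return m.group(1).decode() if m else "HTTP/0.9"


class StatusLineParser:
    """Correct: buffer until CRLF, then bound and parse the version field."""

    MAX_LINE = 8192  # cap on buffered bytes before CRLF (assumed limit)

    def __init__(self):
        self.buf = b""
        self.version = None
        self.status = None

    def feed(self, chunk):
        """Consume one fragment; return True once the status line is parsed."""
        if self.version is not None:
            return True
        self.buf += chunk
        end = self.buf.find(b"\r\n")
        if end < 0:
            if len(self.buf) > self.MAX_LINE:
                raise ValueError("status line too long")
            return False  # still incomplete: do not guess the version yet
        line = self.buf[:end]
        m = STATUS_LINE.match(line)
        if m:
            self.version = m.group(1).decode()
            self.status = int(m.group(2))
        elif line.startswith(b"HTTP/"):
            raise ValueError(f"malformed status line: {line!r}")
        else:
            # A real HTTP/0.9 response has no status line at all.
            self.version = "HTTP/0.9"
        return True


def version_buffered(fragments):
    """Return the parsed version, or None if the status line never completed."""
    parser = StatusLineParser()
    for frag in fragments:
        if parser.feed(frag):
            return parser.version
    return None


# Constructed: version field split across two packets.
FRAGMENTS = [b"HTTP/1", b".1 200 OK\r\nContent-Length: 0\r\n\r\n"]

if __name__ == "__main__":
    print("naive:", version_naive(FRAGMENTS[0]))      # HTTP/0.9 (wrong)
    print("buffered:", version_buffered(FRAGMENTS))   # HTTP/1.1
```

A filter that acts on the wrong version (for example, skipping header processing because it believes the response is 0.9) can be driven into that state by any peer that controls segmentation, so the fix belongs in the parser that publishes the field boundary, not in each consumer.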


570563-2 : CRL is not being imported/exported properly

Component: Access Policy Manager

Symptoms:
CRL assigned as part of Machine Cert Auth is not being imported/exported properly.

Conditions:
This occurs when importing SSL certificates and keys using the CRL type, or when an access profile containing a Machine Cert Check agent is imported, or when creating a new Certificate Authority Profile.

Impact:
Prevents CRL from being exported. Might also impact the import/export of Certificate Authority Profiles.

Workaround:
1. Copy and install the CRL to the other BIG-IP system separately.
2. Modify the exported configuration to use the CRL from step 1.

Fix:
Import and export of CRL is fully supported.


570535 : Multiple Kernel Vulnerabilities

Component: TMOS

Symptoms:
CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104

Conditions:
RHSA: https://rhn.redhat.com/errata/RHSA-2015-2636.html
RHSA: https://rhn.redhat.com/errata/RHSA-2016-0004.html
RHSA: https://rhn.redhat.com/errata/RHSA-2015-2645.html
Vulnerabilities Fixed: CVE-2015-5307 CVE-2015-8104
* It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important)

RHSA: https://rhn.redhat.com/errata/RHSA-2015-2636.html
RHSA: https://rhn.redhat.com/errata/RHSA-2015-1081.html
RHSA: https://rhn.redhat.com/errata/RHSA-2015-0864.html
RHSA: https://rhn.redhat.com/errata/RHSA-2014-1167.html
Vulnerabilities Fixed: CVE-2015-7872 CVE-2014-9529
* It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important)
* A race condition flaw was found in the way the Linux kernel keys management subsystem performed key garbage collection. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash. (CVE-2014-9529, Moderate)

RHSA: https://rhn.redhat.com/errata/RHSA-2015-2636.html
RHSA: https://rhn.redhat.com/errata/RHSA-2015-0284.html
Vulnerabilities Fixed: CVE-2015-7613 CVE-2013-4483
* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important)
* A flaw was found in the way the ipc_rcu_putref() function in the Linux kernel's IPC implementation handled reference counter decrementing. A local, unprivileged user could use this flaw to trigger an Out of Memory (OOM) condition and, potentially, crash the system. (CVE-2013-4483, Moderate)

RHSA: https://rhn.redhat.com/errata/RHSA-2015-1623.html
Vulnerabilities Fixed: CVE-2015-5364 CVE-2015-5366
* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

RHSA: https://rhn.redhat.com/errata/RHSA-2015-1272.html
Vulnerabilities Fixed: CVE-2014-3940 CVE-2014-3184
* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. (CVE-2014-3940, Moderate)
* Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled HID reports with an invalid report descriptor size. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer. (CVE-2014-3184, Low)

RHSA: https://rhn.redhat.com/errata/RHSA-2015-1221.html
Vulnerabilities Fixed: CVE-2015-1593 CVE-2011-5321
* An integer overflow flaw was found in the way the Linux kernel randomized the stack for processes on certain 64-bit architecture systems, such as x86-64, causing the stack entropy to be reduced by four. (CVE-2015-1593, Low)
* A NULL pointer dereference flaw was found in the way the Linux kernel's virtual console implementation handled reference counting when accessing pseudo-terminal device files (/dev/pts/*). A local, unprivileged attacker could use this flaw to crash the system. (CVE-2011-5321, Moderate)

RHSA: https://rhn.redhat.com/errata/RHSA-2015-1221.html
RHSA: https://rhn.redhat.com/errata/RHSA-2015-1643.html
Vulnerabilities Fixed: CVE-2015-3636
* It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate)

RHSA: https://rhn.redhat.com/errata/RHSA-2015-1081.html
RHSA: https://rhn.redhat.com/errata/RHSA-2015-0864.html
RHSA: https://rhn.redhat.com/errata/RHSA-2014-1997.html
Vulnerabilities Fixed: CVE-2015-1805 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2014-6410 CVE-2012-6657
* It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-1805, Important)
* It was found that the Linux kernel's ISO file system implementation did not correctly limit the traversal of Rock Ridge extension Continuation Entries (CE). An attacker with physical access to the system could use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service. (CVE-2014-9420, Low)
* A race condition flaw was found in the way the Linux kernel keys management subsystem performed key garbage collection. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash. (CVE-2014-9529, Moderate)
* An information leak flaw was found in the way the Linux kernel's ISO9660 file system implementation accessed data on an ISO9660 image with RockRidge Extension Reference (ER) records. An attacker with physical access to the system could use this flaw to disclose up to 255 bytes of kernel memory. (CVE-2014-9584, Low)
* A stack overflow flaw caused by infinite recursion was found in the way the Linux kernel's UDF file system implementation processed indirect ICBs. An attacker with physical access to the system could use a specially crafted UDF image to crash the system. (CVE-2014-6410, Low)
* It was found that the Linux kernel's networking implementation did not correctly handle the setting of the keepalive socket option on raw sockets. A local user able to create a raw socket could use this flaw to crash the system. (CVE-2012-6657, Low)

RHSA: https://rhn.redhat.com/errata/RHSA-2015-0284.html
Vulnerabilities Fixed: CVE-2014-3611 CVE-2014-3185 CVE-2014-8160
* A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important)
* A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3185, Moderate)
* A flaw was found in the way the Linux kernel's netfilter subsystem handled generic protocol tracking. As demonstrated in the Stream Control Transmission Protocol (SCTP) case, a remote attacker could use this flaw to bypass intended iptables rule restrictions when the associated connection tracking module was not loaded on the system. (CVE-2014-8160, Moderate)

Impact:
Various. See CVE descriptions.

Workaround:
Various. See CVE descriptions.

Fix:
CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104


569306-3 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected

Component: Access Policy Manager

Symptoms:
The user is shown the logon page to connect to the VPN after logging on to Windows. The Windows logon credentials are not used for the VPN automatically.

Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected

Impact:
The user has to retype their credentials to connect to the VPN.

Workaround:
Enter the credentials again to connect to VPN

Fix:
Now logged on credentials are used automatically to connect to VPN


569255-3 : Network Access incorrectly manipulates routing table when a second adapter is connected if 'Allow Local subnet access' is set to ON

Component: Access Policy Manager

Symptoms:
When Network Access is already established and a second network interface is being connected to client system, VPN quickly reconnects, which breaks existing TCP connections. Because reconnect occurs very quickly, it might appear to the user that nothing happened.

Conditions:
-- 'Allow Local subnet access' is enabled.
-- A second network interface is connected to the client system.

Impact:
Long-standing TCP connections may break, for example, a VPN running over Network Access.

Workaround:
Disable 'Allow Local subnet access'.

Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.


567484-5 : BIND Vulnerability CVE-2015-8705

Component: TMOS

Symptoms:
In some versions of BIND, an error can occur when data that has been received in a resource record is formatted to text during debug logging. Depending on the version of BIND in which it is encountered, this error can cause either a REQUIRE assertion failure in buffer.c or an unpredictable crash (e.g. segmentation fault or other termination). (CVE-2015-8705)

Conditions:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/86/sol86533083.html

Impact:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/86/sol86533083.html

Workaround:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/86/sol86533083.html

Fix:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/86/sol86533083.html


567475-5 : BIND vulnerability CVE-2015-8704

Component: TMOS

Symptoms:
A buffer size check used to guard against overflow could cause named to exit with an INSIST failure in apl_42.c. (CVE-2015-8704)

Conditions:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/53/sol53445000.html

Impact:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/53/sol53445000.html

Workaround:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/53/sol53445000.html

Fix:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/53/sol53445000.html


566908-5 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file

Component: Access Policy Manager

Symptoms:
Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN if proxy.pac is defined in a way that forwards all web traffic over VPN.

Conditions:
A proxy.pac file is configured for Network Access, and the client is an OS X system.

Impact:
Local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over VPN to corporate proxy server.

Workaround:
None.

Fix:
Webserver listening on local Wifi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over VPN to corporate proxy server.


566758-2 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.

Conditions:
Expiration period is omitted in hand-crafted XML policy file.

Impact:
The Login Page created as a result is inaccessible in GUI and REST.

Workaround:
Ensure that expiration period exists in XML policy file before import.

Fix:
A policy file, with a missing expiration field, imported as XML is now handled correctly.


565810-2 : OneConnect profile with an idle or strict limit-type might lead to tmm core.

Component: Local Traffic Manager

Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.

Conditions:
OneConnect profile with a limit-type value of idle or strict.

Impact:
tmm core.

Workaround:
Use a limit-type of 'none'.

Fix:
A OneConnect profile using an idle or strict limit-type no longer causes the tmm to core when attempting to shutdown idle connections.


565765-3 : Flow reporting does not occur for unclassified flows.

Component: Policy Enforcement Manager

Symptoms:
Flow reports are missing for some of the flows.

Conditions:
Flow reporting action has been configured with no classification filter. This was observed for flows that remained unclassified until the very end.

Impact:
If you are using flow reports to track the data usage of the subscriber, the usage will not be accurate.

Workaround:
None.

Fix:
For flows that do not get classified at all, the system now sends out flow reports at the end of the flow. The FLOW_INIT and FLOW_END reports are sent out in this case (that is, there are no FLOW_INTERIM reports). This is correct behavior.


565527-3 : Static proxy settings are not applied in NA configuration

Component: Access Policy Manager

Symptoms:
Applications that cannot evaluate a PAC file cannot make use of the static proxy configuration either.

Conditions:
- The Network Access (NA) settings include a static proxy configuration.
- An application on the user's system does not support proxy auto-configuration (PAC), but does support static proxy configuration.

Impact:
The application cannot make connections when the proxy is required to reach the destination, resulting in failed connections from that application.

Workaround:
None.

Fix:
Static proxy settings are now applied in Network Access configurations. This allows applications that do not support PAC files to work inside the VPN.


565463-2 : ASM-config consumes 1.3GB RAM after repeated Policy Import via REST

Component: Application Security Manager

Symptoms:
Multiple ASM-config processes are running (more than 10) and consuming more than a GB.

Conditions:
ASM provisioned. Repeated policy import via REST.

Impact:
The BIG-IP system might run low on memory and post the following message in /var/log/kern.log: Out of memory: Kill process 22699.

Workaround:
Restart asm (disruptive), or restart asm_config_server.pl (non-disruptive).

Fix:
We modified an operation to limit the number of ASM configuration processes. The operation now reuses processes instead of creating new ones, so the system no longer runs out of memory.


565169 : Multiple Java Vulnerabilities

Component: Centralized Management

Symptoms:
CVE-2015-4734 Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
CVE-2015-4805 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.
CVE-2015-4806 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.
CVE-2015-4810 Unspecified vulnerability in Oracle Java SE 7u85 and 8u60 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
CVE-2015-4835 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881.
CVE-2015-4840 Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via unknown vectors related to 2D.
CVE-2015-4842 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JAXP.
CVE-2015-4843 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
CVE-2015-4844 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
CVE-2015-4860 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883.
CVE-2015-4871 Unspecified vulnerability in Oracle Java SE 7u85 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.
CVE-2015-4881 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835.
CVE-2015-4882 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect availability via vectors related to CORBA.
CVE-2015-4883 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860.
CVE-2015-4901 Unspecified vulnerability in Oracle Java SE 8u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.
CVE-2015-4902 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment.
CVE-2015-4903 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to RMI.
CVE-2015-4906 Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors related to JavaFX, a different vulnerability than CVE-2015-4908 and CVE-2015-4916.
CVE-2015-4908 Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors, a different vulnerability than CVE-2015-4906 and CVE-2015-4916.
CVE-2015-4916 Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors, a different vulnerability than CVE-2015-4906 and CVE-2015-4908.
CVE-2015-4868 Unspecified vulnerability in Oracle Java SE 8u60 and Java SE Embedded 8u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
CVE-2015-4911 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893.

Conditions:
Java.

Impact:
There is no impact; F5 products are not affected by this vulnerability.

Workaround:
None needed.

Fix:
CVE-2015-4734 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4901 CVE-2015-4902 CVE-2015-4903 CVE-2015-4906 CVE-2015-4908 CVE-2015-4916 CVE-2015-4868 CVE-2015-4911


564496-3 : Applying APM Add-on License Does Not Change Effective License Limit

Component: Access Policy Manager

Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated, even though telnet output shows that it is.

Conditions:
1. Set up a high availability (HA) configuration with a base APM license.
2. Apply an APM add-on license to increase Access and CCU license limits.

Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.

Workaround:
To make the add-on license effective, run the command: bigstart restart tmm.

Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.


564493 : Copying an access profile appends an _1 to the name.

Component: Access Policy Manager

Symptoms:
Copying an access profile appends an _1 to the name.

Conditions:
This occurs on every copy operation on an access profile.

Impact:
This is a cosmetic issue that does not impact system functionality.

Workaround:
To work around this:
1. Copy the profile.
2. Edit bigip.conf to remove the _1 from the profile name.
3. Issue the command: tmsh load sys config.

Fix:
Copying an access profile no longer appends an _1 to the name unless it is needed, for example, when copying a profile whose name already exists.


564427-3 : Use of iControl call get_certificate_list_v2() causes a memory leak.

Component: TMOS

Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.

Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.

Impact:
Memory leak in httpd.

Workaround:
Restarting httpd helps reduce memory, but it must be restarted periodically to clear up the memory issues.

Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.


564371-2 : FQDN node availability not reset after removing monitoring

Component: Local Traffic Manager

Symptoms:
If you are using FQDN nodes that are being monitored, the node status will remain set to whatever it was before the monitor was removed.

Conditions:
This occurs when removing monitoring from FQDN nodes.

Impact:
The expected behavior is that the node status becomes 'unknown'. This could make it so FQDN nodes are permanently marked down or up.

Workaround:
None

Fix:
FQDN node status will now change to Unknown if monitoring is removed.


564263-3 : PEM: TMM asserts when Using Debug Image when Gy is being used

Component: Policy Enforcement Manager

Symptoms:
TMM assert leading to restart.

Conditions:
A policy P1 is installed over Gx with a reference to rating group R1. Later, an update is received over Gx that removes P1 and adds a policy P2 that also refers to the same rating group R1. TMM then cores when policy P2 is removed.

Impact:
TMM restart and disruption of service.

Workaround:
The PCRF should ensure that policy additions and removals are not sent in a single update.

Fix:
This issue has been fixed.


564262-4 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code

Component: Access Policy Manager

Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.

Conditions:
- DNS names cannot be resolved on the client system.
- The PAC file used to determine the proxy server uses a JavaScript DNS resolution function.

Impact:
Tunnel server crashes and user cannot establish VPN.

Workaround:
Enable DNS resolution on the client, or do not use JavaScript DNS resolution functions in the PAC file.

Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.


564253-5 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins that are not signed by Firefox.

Conditions:
Using APM with Firefox v44.0 and later.

Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.

Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.

Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.


563475-3 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Component: TMOS

Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.

Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.

Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.

Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.

Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.


563474-2 : SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile

Component: Access Policy Manager

Symptoms:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns a zero value for an APM access profile that has been edited but not yet applied, which should instead return a non-zero value. For example:
config # snmpwalk -v2c 127.0.0.1 -c public F5-BIGIP-APM-MIB::apmPmStatConfigSyncState
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState."/Common/my-test-access" = Counter64: 0

Conditions:
The access profile has been edited but not yet applied.

Impact:
SNMP users cannot discriminate the status of an APM access profile: applied or not applied.

Workaround:
None available.

Fix:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState now returns the correct non-zero value.


563237 : ASM REST: name for ipIntelligenceReference is incorrect

Component: Application Security Manager

Symptoms:
The reference name for a Security Policy's ip-intelligence configuration is not consistent with F5 REST standards, which dictate that a reference name starts with a lower case letter. In the return for a policy resource the following is seen:
... 'IpIntelligenceReference': { 'link': 'https://localhost/mgmt/tm/asm/policies/<POLICY ID>/ip-intelligence' ...
This should be 'ipIntelligenceReference'. This has already been corrected in versions 12.0.0 and later.

Conditions:
ASM REST is used to access IP Intelligence for Security Policies.

Impact:
Reference names are inconsistent and confusing.

Workaround:
If an API client wants to $expand the resource in a way that works against all versions, the pre-expanded name can be used: ?$expand=ip-intelligence

Fix:
We corrected an inconsistent reference name. 'IpIntelligenceReference' is now 'ipIntelligenceReference'.


562959-2 : In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.

Component: TMOS

Symptoms:
In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.

Conditions:
This occurs when there is an error processing a packet going through the IPsec tunnel.

Impact:
TMM restarts without a core due to an internal connection timeout.

Workaround:
None.

Fix:
IPsec now only sends packets intended for IPsec over the tunnel.


562928 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
Certain curl connections with the 'local-port' option sometimes fail over IPsec tunnels when the connection.vlankeyed db variable is disabled, with the error 'curl: (7) couldn't connect to host'.

Conditions:
Using the curl command with the '--local-port' option causes the connections to fail on the BIG-IP system.

Impact:
TCP connections do not complete the three way handshake and traffic does not pass.

Workaround:
Disabling the 'cmp' option on the virtual server allows the traffic to pass over IPsec tunnels.

Fix:
Using the curl command with the '--local-port' option no longer causes the connections to fail on the BIG-IP system.


562775-2 : Memory leak in iprepd

Component: Application Security Manager

Symptoms:
The IP reputation daemon (iprepd) has a small leak of approximately 8 to 16 bytes every 5 minutes.

Conditions:
This occurs when the BIG-IP box is licensed with IPI Subscription, and iprepd is running.

Impact:
Memory usage increases slowly until the kernel out-of-memory killer terminates the iprepd process.

Workaround:
None.

Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).


562308-2 : FQDN pool members do not support manual-resume

Component: Local Traffic Manager

Symptoms:
FQDN pool members do not support manual-resume, but allow its configuration.

Conditions:
Attempting to use manual-resume for FQDN pool members.

Impact:
FQDN pool members do not honor manual-resume setting.

Workaround:
Do not configure manual-resume on FQDN pool members.

Fix:
FQDN pool members do not support manual-resume, and BIG-IP no longer allows its configuration.


562292-1 : Nesting periodic after with parking command could crash tmm

Component: Local Traffic Manager

Symptoms:
If an iRule contains a periodic after command, and within this there is another periodic after command whose contents park, it can lead to tmm crashes.

Conditions:
A periodic after command is used, and within this there is another periodic after command whose contents park.

Impact:
tmm crashes.

Workaround:
Do not nest periodic after commands whose contents include a parking command.

Fix:
TMM no longer crashes with iRules that contain a periodic after command, which itself contains a periodic after command whose contents park. These iRules now complete as expected.


562122-5 : Adding a trunk might disable vCMP guest

Component: TMOS

Symptoms:
If a vCMP guest is running when a trunk is added, the guest might fail until vCMP is restarted.

Conditions:
-- vCMP guest running.
-- Trunk added.

Impact:
Guest failure. vCMP restart required.

Workaround:
Restart vCMP.

Fix:
Adding a trunk no longer disables vCMP guests.


561976 : Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely.

Component: Access Policy Manager

Symptoms:
Under a heavy authentication request load from tmm with a slow or down back-end authentication server, the apd accept connection queue can fill up, resulting in apd log messages such as:
AD module: authentication with '1439805563539620 failed: Too many open files

Conditions:
- The incoming authentication request rate to apd (from tmm) is very high.
- The back-end authentication server is slow or down.

Impact:
Authentication failures; might bring authentication rate down to zero.

Workaround:
Adjust the connlwm, connhwm, and somaxconn values using the following commands:
- To set somaxconn to 1024, use the following command: sysctl -w net.core.somaxconn=1024
- Change the low water mark first using the following command: tmsh modify sys db apm.apd.connlwm value 480
- Change the high water mark next using the following command: tmsh modify sys db apm.apd.connhwm value 512

Fix:
Values of high-water and low-water mark for the 'apd' pending request queue now handle requests as expected.


561433-3 : TMM packets can be dropped indiscriminately while under DoS attack

Component: Advanced Firewall Manager

Symptoms:
When tmm is loaded and cannot consume packets fast enough, packets can be dropped while being DMAed from the hardware.

Conditions:
This can happen for a variety of reasons that cause tmm to be heavily loaded.

Impact:
Packets will be dropped indiscriminately.

Workaround:
None.

Fix:
A sys db tunable (sys db dos.scrubtime) has been added, which can be set to drop DoS attack packets in hardware more aggressively. This prevents non-attack packets from being dropped indiscriminately.


560962-2 : OpenSSL Vulnerability CVE-2015-3196

Component: TMOS

Symptoms:
ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message. (CVE-2015-3196)

Conditions:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html

Impact:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html

Workaround:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html

Fix:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html


560948-2 : OpenSSL vulnerability CVE-2015-3195

Component: TMOS

Symptoms:
OpenSSL mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Conditions:
Use of the OpenSSL command line tool by users with advanced shell access.

Impact:
The BIG-IP / BIG-IQ / Enterprise Manager system does not accept untrusted input that would match the type required to exploit this vulnerability. This vulnerability is exposed on the BIG-IP / BIG-IQ / Enterprise Manager only when the OpenSSL utility is used from the BIG-IP / BIG-IQ / Enterprise Manager command line to process PKCS or CMS applications.

Workaround:
To mitigate this vulnerability, you should limit command line access to only trusted users.

Fix:
Resolved OpenSSL vulnerability CVE-2015-3195.


560685 : TMM may crash with 'tmsh show sys conn'.

Component: Local Traffic Manager

Symptoms:
Although unlikely, the 'tmsh show sys conn' command may cause the tmm process to crash when displaying connections.

Conditions:
Although the conditions under which this occurs are not well understood, this is a rarely occurring issue.

Impact:
The tmm restarts.

Workaround:
The only workaround is to not issue the command: tmsh show sys conn.

Fix:
Running the command 'tmsh show sys conn' no longer causes TMM to crash when displaying connections.


560607-3 : Resource Limitation error when removing predefined policy which has multiple rules

Component: Policy Enforcement Manager

Symptoms:
Resource Limitation error when removing a predefined policy which has multiple rules referring to the same rating group.

Conditions:
- Gx and Gy are configured for the session.
- All rules refer to the same rating group.

Impact:
Unable to remove an existing policy.

Workaround:
None.

Fix:
Policies can be removed and updated regardless of rules or rating group limitations.


560423-2 : VxLAN tunnel IP address modification is not supported

Component: TMOS

Symptoms:
VxLAN tunnel local and remote tunnel IP address change is not supported.

Conditions:
If a user tries to change the local and/or remote tunnel IP address, the configuration handler rejects the configuration change.

Impact:
The user must delete and recreate the VxLAN tunnel in order to change the tunnel local and/or remote address. Tunnel deletion also requires removing references to the tunnel, for example the tunnel self IP address and routes pointing to the tunnel, before the tunnel can be deleted. Those self IP addresses and routes must be re-added after recreating the tunnel with changed IP address parameters. This can be error-prone, especially if the number of tunnels is extremely large.

Workaround:
Delete existing VxLAN tunnel, and add a new tunnel with the modified tunnel IP address parameters.

Fix:
Modifying VxLAN tunnel IP addresses now works. Only tunnels that have been created with a multicast flooding type and have a multicast remote IP address are supported.


560220-1 : Missing partition and subPath fields for some objects in iControl REST

Component: TMOS

Symptoms:
When using iControl REST, the returned output for some objects does not include the partition and subPath properties. Also, the name property contains the full path instead of only the object name.

Conditions:
This occurs when running BIG-IP systems with 11.6.0 HF6 installed.

Impact:
This breaks custom scripts that rely on those properties.

Workaround:
Do not use custom scripts to gather the partition and subPath properties of objects on BIG-IP systems with 11.6.0 HF6 installed.
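As an added example (not code from the release notes or from F5), the following Python shows one way a custom script can tolerate the output described above: when an object arrives without partition and subPath and with a full path in its name property, the missing properties are derived from that path. The response objects are constructed, and the path layout /partition[/folder/...]/name is an assumption about how iControl REST full paths are formed.

```python
def split_full_path(full_path):
    """Split '/partition[/sub/path]/name' into (partition, subPath or None, name).

    Assumed layout: leading slash, partition, zero or more folders, object name.
    """
    parts = full_path.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError("not a partitioned full path: %r" % full_path)
    partition, name = parts[0], parts[-1]
    sub_path = "/".join(parts[1:-1]) or None
    return partition, sub_path, name


def normalize_object(obj):
    """Return a copy of an iControl REST object in the normal shape.

    Objects affected by the issue carry the full path in 'name' and lack
    'partition' and 'subPath'; objects already in the normal shape pass through.
    """
    fixed = dict(obj)                      # never mutate the caller's response
    name = fixed.get("name", "")
    if "partition" in fixed or not name.startswith("/"):
        return fixed
    partition, sub_path, bare_name = split_full_path(name)
    fixed["partition"] = partition
    if sub_path is not None:
        fixed["subPath"] = sub_path
    fixed["name"] = bare_name
    fixed.setdefault("fullPath", name)     # keep fullPath if the response had one
    return fixed


def normalize_collection(items):
    """Apply normalize_object to every item of a collection's 'items' list."""
    return [normalize_object(item) for item in items]


# Constructed sample responses: one in the affected shape, one in the normal shape.
AFFECTED_OBJECT = {"name": "/Common/app1/vs_web", "fullPath": "/Common/app1/vs_web"}
NORMAL_OBJECT = {"name": "vs_api", "partition": "Common", "fullPath": "/Common/vs_api"}


if __name__ == "__main__":
    for item in normalize_collection([AFFECTED_OBJECT, NORMAL_OBJECT]):
        print(item["partition"], item.get("subPath"), item["name"])
```

The normalizer leaves the original dictionaries untouched so the raw response can still be logged or compared against the normalized copy when verifying script behaviour across software versions.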


560180-2 : BIND Vulnerability CVE-2015-8000

Component: TMOS

Symptoms:
An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries. (CVE-2015-8000)

Conditions:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/34/sol34250741.html

Impact:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/34/sol34250741.html

Workaround:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/34/sol34250741.html

Fix:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/34/sol34250741.html


559933-2 : tmm might leak memory on vCMP guest in SSL forward proxy

Component: Local Traffic Manager

Symptoms:
In an SSL forward proxy configuration on a vCMP guest, tmm might slowly leak memory when it receives SSL Hello messages containing a server name extension (SNI) that is not configured on the virtual server.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configuration.
-- SSL Hello with SNI extension.

Impact:
tmm might leak memory.

Workaround:
None.

Fix:
tmm no longer leaks memory on the vCMP guest in SSL forward proxy configurations.


559584-2 : tmsh list/save configuration takes a long time when config contains nested objects.

Component: TMOS

Symptoms:
A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds.

Conditions:
Following is an example of nested objects in a config. If the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either of the following commands:
-- tmsh list ltm virtual
-- tmsh save config
ltm virtual vs {
    destination 10.10.10.10:http
    ip-protocol tcp
    mask 255.255.255.255
    profiles {    ::: nested object
        http { }
        http_security { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 26
}

Impact:
When commands take longer than 30 seconds to complete, iControl REST times out.

Workaround:
None.

Fix:
A configuration containing a number of nested objects no longer takes a long time to list or save, so iControl REST no longer times out. Note: You might still encounter this issue in configurations that have more than ~6000 nested objects, which is the largest number tested.


559382-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
In CCR-I requests from PEM to the PCRF, the subscriber ID type is set to 6 (UNKNOWN) for DHCP subscribers instead of NAI.

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP that uses a PCRF for policy determination.

Impact:
May impact the way policies are provided from the PCRF.

Workaround:
None.

Fix:
Subscriber ID type is now marked as NAI for DHCP discovered subscribers.


558870-3 : Protected workspace does not work correctly with third party products

Component: Access Policy Manager

Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on the user's machine.
2) Microsoft OneDrive does not work correctly inside protected workspace.

Conditions:
Norton Internet Security 22.x is installed on the user's desktop, and protected workspace is used.

Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace. Files cannot be synced to OneDrive.

Workaround:
There is no workaround.

Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.


558642-1 : Cannot create the same navigation parameter in two different policies

Component: Application Security Manager

Symptoms:
Cannot create the same navigation parameter in two different policies. A validation issue blocks the user from adding a navigation parameter that is already defined in a different security policy.

Conditions:
This occurs after adding navigation parameter X to one policy, and then attempting to add the same parameter to another policy.

Impact:
Cannot add navigation parameter X to another policy after adding it to the first policy.

Workaround:
None.

Fix:
The system now supports adding the same navigation parameter to different security policies.


558631-2 : APM Network Access VPN feature may leak memory

Component: Access Policy Manager

Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.

Conditions:
The APM Network Access feature is configured and VPN connections are being established.

Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.

Workaround:
No workaround short of not using the APM Network Access feature.

Fix:
The APM Network Access VPN feature no longer leaks memory.


558573-2 : MCPD restart on secondary blade after updating Pool via GUI

Component: TMOS

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster. When this occurs, errors similar to the following are logged on the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Impact:
Daemon restarts, disruption of traffic passing on secondary blades.

Workaround:
Perform pool updates via the tmsh command-line utility.

Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.


558517-3 : Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.

Component: Local Traffic Manager

Symptoms:
Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf. After upgrading, bigip.conf still has the old #TMSH-VERSION header. This is intended behavior in 12.1.0, so it is not a bug; the configuration is still loaded into memory properly. The TMSH-VERSION string is updated the next time a save sys config command is issued.

Conditions:
This occurs only when upgrading BIG-IP software in the following situations:
-- From 11.6.0 base version, or from 11.6.0 HF1 through 11.6.0 HF5 (or any engHF built on these versions), to final 11.6.0 HF6.
-- From 11.5.3 base version, or from 11.5.3 HF1 or 11.5.3 HF2 (or any engHF for these versions), to 11.5.3 HF2 engHF2 or 11.5.3 HF2 engHF45.

Impact:
Monitor send/recv strings contain extra escape characters (for example, \\r and \\n). After the upgrade, monitors containing the escaped characters fail.

Workaround:
Remove the additional escaping within the send/recv strings, either manually or by script.

Fix:
The system no longer appends extra escape characters to monitor send/receive strings after upgrading.
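As an added example of the scripted workaround (not code from the release notes or from F5), the following Python collapses each doubled backslash in the send, recv, and recv-disable values of monitor stanzas and reports which lines it changed, so the result can be reviewed before the file is loaded. The sample bigip.conf fragment is constructed, and the assumption is that the affected upgrade doubled every backslash inside those string values and touched nothing else.

```python
import re

# Constructed sample: monitors as they might appear in /config/bigip.conf after an
# affected upgrade, with every backslash in the send/recv strings doubled (assumed format).
SAMPLE_BIGIP_CONF = r'''ltm monitor http http_escaped {
    defaults-from http
    interval 5
    recv "HTTP/1.[01] 200"
    send "GET / HTTP/1.0\\r\\n\\r\\n"
    timeout 16
}
ltm monitor tcp tcp_escaped {
    defaults-from tcp
    recv "+OK\\r\\n"
    send "QUIT\\r\\n"
}
'''

# Only the quoted values of these monitor attributes are rewritten; every other line,
# including object names and numeric attributes, passes through untouched.
_STRING_ATTR = re.compile(r'^(\s*(?:send|recv|recv-disable)\s+")(.*)("\s*)$')


def unescape_line(line):
    """Collapse doubled backslashes inside a send/recv value; other lines are returned as-is."""
    match = _STRING_ATTR.match(line)
    if not match:
        return line
    prefix, value, suffix = match.groups()
    return prefix + value.replace("\\\\", "\\") + suffix


def unescape_conf(text):
    """Return (repaired text, 1-based numbers of the lines that changed)."""
    repaired, changed = [], []
    for number, line in enumerate(text.split("\n"), start=1):
        fixed = unescape_line(line)
        if fixed != line:
            changed.append(number)
        repaired.append(fixed)
    return "\n".join(repaired), changed


if __name__ == "__main__":
    text, lines = unescape_conf(SAMPLE_BIGIP_CONF)
    print("changed lines:", lines)
    print(text)
```

Running it a second time over its own output changes nothing, which is the property to check before applying the result to a real configuration: a value that already holds single backslashes is left alone.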


558053-2 : Pool's 'active_member_cnt' attribute may not be updated as expected.

Component: Local Traffic Manager

Symptoms:
If a pool has no associated monitors, new pool members added to the pool do not increment the active_member_cnt even if traffic will be passed to it. In other cases, for FQDN pool members, the active_member_cnt does not update in user-down scenarios, or other state transitions.

Conditions:
1) Configure a pool without a monitor, and use an iRule that attempts to use the 'active_member_cnt' attribute.
2) Configure a pool with FQDN nodes, change the state to user-down, and check the active_member_cnt via an iRule or GUIshell.

Impact:
Although this does not impact load balancing and is not visible in the GUI or tmsh, it is exposed as a consumable attribute in iRules, which can impact your scripts.

Workaround:
The member_count attribute returns the total number of members, with no status information.

Fix:
Pool's 'active_member_cnt' attribute is now updated as expected, even for pools that have no assigned monitors.


557783-2 : TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr

Component: Local Traffic Manager

Symptoms:
TMM might use a link-local IPv6 address when attempting to reach an external global address for traffic generated from TMM (for example, dns resolver, sideband connections, etc.).

Conditions:
- ECMP IPv6 routes to a remote destination where the next hop is a link-local address. Typically this occurs with dynamic routing.
- A virtual server is configured that generates traffic from TMM (for example, DNS resolver, sideband connections, etc.).

Impact:
Traffic might fail as it egresses from a link-local address instead of a global address.

Workaround:
It might be possible to work around this issue if the dynamic routing peer can announce the route from a global address instead of a link-local address. Using static routes might also work around the issue.

Fix:
TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.


557680-1 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
The issue occurs when the IPsec tunnel interface's attributes are modified quickly and repeatedly.

Impact:
TMM cores. This might result in site unavailability.

Workaround:
Change IPsec tunnel interface attributes at a rate that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).


557675-3 : Failover from PEM to PCRF can cause session lookup inconsistency

Component: Policy Enforcement Manager

Symptoms:
A small number of PEM sessions can be looked up only by their session-ip, but not by their subscriber-id.

Conditions:
Using PEM, with failover to the PCRF.

Impact:
The system fails to find sessions needed for traffic processing.

Workaround:
None.

Fix:
The code change provides an internal fixup for incorrect sessions.


557645-3 : On VIPRION 2200 and 2400 platforms, internal HA communication between devices will occasionally fail.

Component: Local Traffic Manager

Symptoms:
Internal device-to-device communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
Using VIPRION 2200 and 2400 platforms with more than one blade, when there is a mismatch between how the software and the hardware select the IP addresses, hosts, VLANs, etc., used to communicate with local host processes. Some selections of IP addresses and config sync VLANs have not exhibited issues; in others the issue is more pervasive.

Impact:
Periodic reported failures in host-to-host communication. This could affect representation in the GUI, config sync, and other HA related communication. Depending on configurations, some percentage of these might fail on VIPRION 2200 and 2400 platforms with more than one blade.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms now behaves the same as host communication on other platforms, as expected.


557519 : TMM may core when disabling HTTP in an iRule on a virtual server with HTTP and FastL4 profiles

Component: Local Traffic Manager

Symptoms:
In certain scenarios TMM may core if disabling HTTP in CLIENT_ACCEPTED on a virtual server that is configured with FastL4 and HTTP profiles.

Conditions:
-- Virtual server configured with HTTP and Fast L4 profiles.
-- iRule attached to the VIP that disables HTTP in the CLIENT_ACCEPTED event.
-- Traffic is reset abruptly while passing through this VIP.

Impact:
TMM may core and the systems may failover.

Workaround:
Several options exist:
- Use TCP and HTTP profiles instead of Fast L4.
- Do not disable the HTTP profile via iRules.

Fix:
TMM no longer cores when handling traffic on FastL4/HTTP virtual servers that disable HTTP via iRules.


556568-2 : TMM can crash with ssl persistence and fragmented ssl records

Component: Local Traffic Manager

Symptoms:
Unusual fragmented SSL records may be handled incorrectly, resulting in a tmm crash.

Conditions:
SSL persistence and fragmented SSL records.

Impact:
TMM crash, leading to possible network outage.

Workaround:
Possibly switch to a different persistence type.

Fix:
The error in parsing fragmented SSL records has been resolved.


556560-2 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.

Component: Local Traffic Manager

Symptoms:
DNS messages which contain an OPT record followed by more than one record in the additional section will become malformed when they pass through a virtual with an assigned DNS profile.

Conditions:
A DNS message contains an OPT record in the Additional section, the message is compressed, and more than one record follows the OPT record.

Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message. The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last. The RFCs do not restrict a query from containing records in the additional record section of the message. When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.

Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).

Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted. The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers. The subsequent code paths which depend on the OPT record's position now work as expected.
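As an added example (not code from the release notes or from F5), the following Python shows the position check and the reordering the fix describes: it parses a DNS message, reports whether an OPT record in the Additional section is followed by anything other than a single trailing TSIG record, and normalizes the section by moving the OPT record to the last position (or second-to-last when a TSIG record is present). Instead of rewriting compression pointers in place as the fix does, it re-serializes the message with uncompressed names, which removes the pointers that made the original rewrite unsafe; that is a simplification chosen for this example. The sample query is constructed so that the second record after the OPT record points into the first, the trigger described above, and only record types whose RDATA carries no domain names are handled (others are rejected rather than emitted incorrectly).

```python
import struct

OPT, TSIG = 41, 250
# Record types whose RDATA holds domain names (possibly compressed); re-serializing them
# uncompressed would require rewriting RDATA, so this example refuses them instead.
NAME_IN_RDATA = {2, 5, 6, 12, 15, 33}


def _read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (labels, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                            # name ends after the first pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("latin-1"))
        off += length
    return labels, (off if end is None else end)


def _read_rr(msg, off):
    name, off = _read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": msg[off:off + rdlen]}, off + rdlen


def parse_message(msg):
    """Return (header fields, questions, [answer, authority, additional])."""
    hdr = struct.unpack("!HHHHHH", msg[:12])
    off, questions, sections = 12, [], []
    for _ in range(hdr[2]):
        qname, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for count in hdr[3:6]:
        rrs = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            rrs.append(rr)
        sections.append(rrs)
    return hdr, questions, sections


def opt_is_misplaced(additional):
    """True when an OPT record is followed by anything other than a single trailing TSIG."""
    for i, rr in enumerate(additional):
        if rr["type"] == OPT:
            rest = additional[i + 1:]
            return not (len(rest) == 0 or (len(rest) == 1 and rest[0]["type"] == TSIG))
    return False


def normalize_additional(additional):
    """Place OPT last, or second-to-last when a TSIG record is present (TSIG stays last)."""
    opt = [rr for rr in additional if rr["type"] == OPT]
    tsig = [rr for rr in additional if rr["type"] == TSIG]
    others = [rr for rr in additional if rr["type"] not in (OPT, TSIG)]
    return others + opt + tsig


def _write_name(labels):
    return b"".join(bytes([len(lab)]) + lab.encode("latin-1") for lab in labels) + b"\x00"


def build_message(hdr, questions, sections):
    """Serialize without name compression, so no pointer has to be rewritten."""
    out = struct.pack("!HHHHHH", hdr[0], hdr[1], len(questions), *[len(s) for s in sections])
    for qname, qtype, qclass in questions:
        out += _write_name(qname) + struct.pack("!HH", qtype, qclass)
    for rrs in sections:
        for rr in rrs:
            if rr["type"] in NAME_IN_RDATA:
                raise ValueError("type %d carries names in RDATA; not handled here" % rr["type"])
            out += _write_name(rr["name"]) + struct.pack(
                "!HHIH", rr["type"], rr["class"], rr["ttl"], len(rr["rdata"])) + rr["rdata"]
    return out


def repair_message(msg):
    """Return (changed, message) with a misplaced OPT record moved into the expected position."""
    hdr, questions, sections = parse_message(msg)
    if not opt_is_misplaced(sections[2]):
        return False, msg
    sections[2] = normalize_additional(sections[2])
    return True, build_message(hdr, questions, sections)


def sample_query():
    """Constructed query: OPT first in Additional, then two A records; the second record's
    name points (compression) into the first record's name, which in turn points into the question."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 3)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)        # name at offset 12
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)                    # offset 29
    www = b"\x03www\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])   # offset 40
    ftp = b"\x03ftp\xc0\x28" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 11])   # points to 40
    return hdr + question + opt + www + ftp


if __name__ == "__main__":
    changed, fixed = repair_message(sample_query())
    print("rewritten" if changed else "unchanged", [rr["type"] for rr in parse_message(fixed)[2][2]])
```

Because the rebuilt message carries no pointers, a later parse of it yields the same names and RDATA as the original; the assertion that a second repair pass reports no change is the simplest way to confirm the record order now matches what the handler expects.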


556383-1 : Multiple NSS Vulnerabilities

Component: TMOS

Symptoms:
Mozilla Network Security Services vulnerabilities CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183.

Conditions:
-- CVE-2015-7181: The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue.
-- CVE-2015-7182: Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.
-- CVE-2015-7183: Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

Impact:
When these vulnerabilities are exploited, an attacker may be able to cause a denial-of-service (DoS) attack or execute arbitrary code. While this vulnerable code exists in BIG-IP, BIG-IQ, and Enterprise Manager products, the use case is limited for affected NSS libraries. There are no known remote access vectors, and local exposure is limited. To trigger an attack using a custom binary, an attacker would need to have directly logged in to the BIG-IP, BIG-IQ, or Enterprise Manager system using a shell.

Workaround:
Only permit management access to F5 products over a secure network, and limit shell access to trusted users.

Fix:
Applied Mozilla Network Security Services vulnerabilities patches for CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183.


556380-2 : mcpd can assert on active connection deletion

Component: TMOS

Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.

Conditions:
Removal of all peers while a connection is handling a transaction.

Impact:
MCPD asserts and restarts.

Workaround:
No workaround is necessary. MCPD restarts.

Fix:
Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.


556284-5 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found

Component: TMOS

Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following: Monitor /Common/my_http_monitor parent not found

Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.

Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.

Workaround:
None.

Fix:
GTM/LC sync now completes successfully even when the configuration being sync'd contains a custom GTM/LC monitor definition.


556103-3 : Abnormally high CPU utilization for external monitors

Component: Local Traffic Manager

Symptoms:
High CPU utilization for external monitors that use SSL.

Conditions:
External monitor using SSL.

Impact:
Abnormally high CPU utilization.

Workaround:
None.

Fix:
This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.


555686-5 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers

Component: TMOS

Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceivers might cause an internal bus to hang.

Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.

Workaround:
None.

Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.


555507-2 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.

Component: Access Policy Manager

Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.

Conditions:
This occurs when the following conditions are met:
1. The BIG-IP system is configured and used as SAML Identity Provider.
2. Single Logout (SLO) protocol is configured on an attached SP connector.
3. At least one user executed SAML WebSSO profile.

Impact:
Symptoms might differ based on the owner of overrun memory. Potentially, tmm could restart as a result of this issue.

Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.

Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues:
1. The BIG-IP system is configured and used as a SAML Identity Provider.
2. Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector.
3. At least one user executed SAML WebSSO profile.


555457-5 : Reboot is required, but not prompted after F5 Networks components have been uninstalled

Component: Access Policy Manager

Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted. Typically this issue can be identified by these log records:
<snip>
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
<snip>
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)

Conditions:
Windows desktop. Existing F5 components uninstalled. Reboot was not performed after uninstall.

Impact:
End users cannot establish a VPN connection from Windows-based clients.

Workaround:
Reboot the affected Windows desktop.

Fix:
After F5 Networks components have been uninstalled, the system no longer requires a reboot, and uses the most recently installed software device for VPN, as expected.


555435-2 : AD Query fails if cross-domain option is enabled and administrator's credentials are not specified

Component: Access Policy Manager

Symptoms:
AD Query fails in a cross-domain environment when the AAA AD Server has no administrator credentials configured and the user's logon name is different from the pre-win2k name.

Conditions:
- AD Query is configured in an Access Policy.
- The administrator's credentials are not specified at the AAA AD Server configuration page (that is in use by AD Query).
- The domain logon name is different from the pre-win2k name.

Impact:
AD Query fails.

Workaround:
The administrator should provide AD administrator credentials at AAA AD Server configuration page.

Fix:
AD Query now completes as expected if cross-domain option is enabled and administrator's credentials are not specified.


555369-3 : CGNAT memory leak when non-TCP/UDP traffic directed at public addresses

Component: Carrier-Grade NAT

Symptoms:
When rejecting non-TCP/UDP inbound traffic a small amount of memory is leaked with each packet. Depending on the volume of such traffic this may be a slow or fast leak.

Conditions:
-- CGNAT configured with inbound connections enabled or hairpinning enabled.
-- Non-TCP/UDP traffic with a destination in the LSN Pool address space.

Impact:
TMM might eventually run out of available memory. The aggressive mode sweeper might be triggered, causing connections to be killed. Eventually TMM restarts.

Workaround:
None.

Fix:
This release fixes a memory leak that occurred when rejecting non-TCP/UDP inbound traffic.


555057-3 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.

Component: Application Security Manager

Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.

Conditions:
ASM REST is used to remove a signature set association from a policy. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>

Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.

Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets. Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'

Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.


555006-3 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature

Component: Application Security Manager

Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.

Conditions:
A REST client is used to look at or filter the signatures collection (/mgmt/tm/asm/signatures).

Impact:
Checking for updated signatures does not return the expected result.

Workaround:
None.

Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.


554993-2 : Profile Stats Not Updated After Standby Upgrade Followed By Failover

Component: Access Policy Manager

Symptoms:
1. The current active sessions, current pending sessions, and current established sessions counts shown in the commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover.
2. The system posts an error message to /var/log/apm: 01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND).

Conditions:
This issue happens when the following conditions are met:
1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
2. A standby unit is upgraded to version 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
3. Failover is triggered.

Impact:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats remain zero after failover.

Workaround:
Upgrade all devices in the HA configuration to the same release and reboot them simultaneously.

Fix:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.


554967-3 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets

Component: Local Traffic Manager

Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut or missing, leading some resolvers to consider the packet malformed.

Conditions:
Primarily via dynamic settings such as iRules on DNS_RESPONSE events adding new records, or DNSSEC record signing with responses over UDP.

Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.

Workaround:
none

Fix:
Truncated DNSSEC or iRule DNS packets are now RFC-compliant.
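Both DNS entries above (the OPT-record ordering bug that opens this section and 554967) hinge on where the OPT record sits in the additional section; the following Python is an added example, not F5 code, that parses a wire-format message, applies the ordering rule from the Impact text (TSIG last, OPT anywhere before it), flags a non-TSIG record after OPT, moves OPT to its safe position, and detects a TC-flagged reply that has lost its OPT record. Unlike the product fix, it re-serialises owner names uncompressed instead of updating compression pointers in place, and it refuses RDATA types that may carry pointers of their own; the sample message is constructed for this example.

```python
import struct

TYPE_OPT, TYPE_TSIG = 41, 250
RDATA_WITH_NAMES = {2, 5, 6, 12, 15}   # NS, CNAME, SOA, PTR, MX: RDATA may hold pointers

def read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, end, seen = [], None, set()
    while True:
        if off in seen:
            raise ValueError("compression pointer loop at offset %d" % off)
        seen.add(off)
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # two-byte pointer
            if end is None:
                end = off + 2                            # resume here after the first jump
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (end if end is not None else off)

def parse(msg):
    """Return (flags, [(name, type, class)], [answer, authority, additional])."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    sections = []
    for count in (an, ns, ar):
        records = []                                     # (name, type, class, ttl, rdata)
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections.append(records)
    return flags, questions, sections

def check_additional(records):
    """Findings for the additional section; an empty list means nothing to move."""
    types = [r[1] for r in records]
    findings = []
    if types.count(TYPE_OPT) > 1:
        findings.append("more than one OPT record")
    if TYPE_TSIG in types and types.index(TYPE_TSIG) != len(types) - 1:
        findings.append("TSIG record is not last")
    if TYPE_OPT in types:
        trailing = [t for t in types[types.index(TYPE_OPT) + 1:] if t != TYPE_TSIG]
        if trailing:                                     # the case the handler did not expect
            findings.append("%d non-TSIG record(s) follow the OPT record" % len(trailing))
    return findings

def reorder_additional(records):
    """Move OPT to the last slot, or just before a trailing TSIG."""
    opt = [r for r in records if r[1] == TYPE_OPT]
    rest = [r for r in records if r[1] != TYPE_OPT]
    if rest and rest[-1][1] == TYPE_TSIG:
        return rest[:-1] + opt + rest[-1:]
    return rest + opt

def encode_name(name):
    labels = [l for l in name.split(".") if l]           # "." yields no labels
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rewrite_uncompressed(msg):
    """Re-serialise with OPT in its safe position; owner names go out uncompressed,
    so no pointers need fixing up. RDATA is copied verbatim, hence the type guard."""
    flags, questions, sections = parse(msg)
    sections[2] = reorder_additional(sections[2])
    out = msg[:2] + struct.pack("!5H", flags, len(questions), *map(len, sections))
    for name, qtype, qclass in questions:
        out += encode_name(name) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in sum(sections, []):
        if rtype in RDATA_WITH_NAMES:
            raise NotImplementedError("type %d RDATA may contain compression pointers" % rtype)
        out += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out

def tc_without_opt(msg):
    """True for the 554967 symptom: TC bit (0x0200) set but no OPT record left."""
    flags, _, sections = parse(msg)
    return bool(flags & 0x0200) and all(r[1] != TYPE_OPT for r in sections[2])

# Constructed sample: OPT first in the additional section, then two A records with
# compressed owner names; the second points at the first, which itself follows OPT.
SAMPLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x00\x00\x00\x00\x03"  # header: QR RD RA, qd=1, ar=3
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question example.com A IN (name at 12)
    b"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00"      # OPT: root name, type 41, UDP size 4096
    b"\x03ns1\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"  # ns1 + ptr to 12; A 192.0.2.1 (at 40)
    b"\xc0\x28\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x02"         # ptr to 40 = ns1.example.com; A 192.0.2.2
)
```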


554899-2 : MCPD core with access policy macro during config sync in HA configuration

Component: Access Policy Manager

Symptoms:
In high availability config sync, the destination mcpd might crash if the user does the following steps:
1. Manually edit the bigip.conf file at the source to move an access policy item (my-ap-1_mac_mymac1) that calls a macro from the original access policy (my-ap-1) to another access policy (my-ap-2);
2. Load the modified config into the running config;
3. Delete the original access policy (my-ap-1) before manually starting the config sync.
The modified source configuration is sent to the destination during the manual incremental config sync, resulting in the destination mcpd logging an error message:
err mcpd[5441]: 01020036:3: The requested access_policy_name (/Common/my-ap-1) was not found.
Immediately following the error message, the destination mcpd crashes and generates a core file.

Conditions:
Config sync is manual incremental, and the user manually edits /config/bigip.conf to modify the source configuration such that an access policy item with a macro call is moved from the original access policy to another access policy, and then the original access policy is deleted, all before the manual config sync is started.

Impact:
During config sync, the destination BIG-IP system's mcpd crashes and restarts.

Workaround:
After moving the access policy item with a macro call from the original access policy to another access policy and loading it into the source's running configuration, do not delete the original access policy. Instead, start the config sync right away. After this first config sync succeeds, delete the original access policy at the source, and then start a second config sync to finish the operation.

Fix:
MCPD no longer cores with access policy macro during config sync in high availability configuration.


554774-2 : Persist lookup across services might fail to return a matching record when multiple records exist.

Component: Local Traffic Manager

Symptoms:
Persist lookup across services might fail to return a matching record when multiple records exist.

Conditions:
Persistence profile with 'match-across-services' enabled, and the configuration contains multiple records that correspond to the same pool.

Impact:
Connection routed to unexpected pool member.

Workaround:
None.

Fix:
The operation now continues searching persistence records when 'match-across-services' is enabled until the operation finds a record that corresponds to the same pool.


554769-4 : CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.

Component: Local Traffic Manager

Symptoms:
TMM might crash if CONNFLOW_FLAG_L7_POLICY is not set in the connection flow flags, but the system still tries to call Centralized Policy Matching (CPM).

Conditions:
This occurs when TCLRULE_HTTP_RESPONSE is triggered from the server-side, if the server-side does not process the policy, and the connection flow flags do not have CONNFLOW_FLAG_L7_POLICY set.

Impact:
TMM (CPM module) might crash.

Workaround:
None.

Fix:
The system now adds the flag check of CONNFLOW_FLAG_L7_POLICY if it is not already set, so there is no crash in TMM or Centralized Policy Matching (CPM).


554761-5 : Negotiated TCP timestamps not maintained on syncookie flows

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, the BIG-IP system does not maintain TCP timestamps on a connection, even though timestamps have been negotiated, when syncookie mode is activated.

Conditions:
-- L7 virtual server with a TCP profile with Timestamps enabled.
-- syncookie mode has been activated.

Impact:
Connection might be reset by a client TCP stack, e.g., netbsd/freebsd, that requires timestamps to be maintained when negotiated.

Workaround:
Choose or create a TCP profile that has timestamps disabled, which prevents the connection from being reset.

Fix:
TCP Timestamps are now maintained on all negotiated flows.


554626-1 : Database logging truncates log values greater than 1024

Component: Access Policy Manager

Symptoms:
The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null.

Conditions:
Logging to the local database with log values (such as session variables) greater than 1024. If this size is too high (greater than 4060), the field displays as empty or null in reports.

Impact:
The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable.

Workaround:
No workaround.

Fix:
This release handles large single log values.


554609-4 : Kernel panics during boot when RAM spans multiple NUMA nodes.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) crashes in the kernel during early boot.

Conditions:
This occurs when the following conditions are met:
* VE is running on Hyper-V.
* VE RAM is configured in such a way that it spans multiple NUMA nodes.

Impact:
Kernel panic during boot.

Workaround:
No workaround.

Fix:
The kernel now properly aligns memory on multiple NUMA nodes, so there is no kernel panic during boot.


554563-3 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.

Component: TMOS

Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.

Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.

Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.

Workaround:
None.

Fix:
The Drops In interface statistics no longer include Class of Service Queues (cosq) egress drop counts, which is the correct behavior.


554367-1 : BIG-IQ ASM remote logger: Requests are not logged.

Component: Application Security Manager

Symptoms:
BIG-IQ ASM does not log requests for the first remote logger configured on the system.

Conditions:
No remote logger has been previously configured for ASM.

Impact:
No requests are sent to the remote logger that was just configured.

Workaround:
This issue resolves itself after a few seconds when the remote destination is responsive.

Fix:
An issue with requests not being logged after configuring a new remote logger for BIG-IQ ASM has been fixed.


554340-4 : IPsec tunnels fail when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
When the connection.vlankeyed db variable is disabled, data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels is dropped if it lands on a TMM other than tmm0. The system establishes the IKEv2 tunnel, but the data traffic is not secured.

Conditions:
This issue is seen when the interesting data traffic lands on a TMM other than tmm0. The cause is that a flow is incorrectly created on another TMM that is the owner of the outbound SA (IKEv2 tunnel).

Impact:
The system drops the data traffic to be secured using IPsec and connections fail.

Workaround:
Disable CMP in the virtual server configuration.

Fix:
Flow creation at the TMM that owns the outbound SA for the IKEv2 tunnel is now handled properly. TMM can handle the inner traffic from the IKEv1 tunnel and secure it over another IKEv2 tunnel.


554228-5 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.

Conditions:
WEBSSO and OneConnect.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to a build-up of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.


554041-5 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.

Conditions:
All of the following conditions must apply.
1) Edge Client is installed in "Always Connected" mode.
2) The Connectivity profile on the server has location DNS list entries.
3) One of the DNS locations matches the DNS suffix set on the local network adapter.

Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN. All traffic to and from the user's machine is blocked.

Workaround:
This issue has no workaround at this time.

Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.


553902-2 : Multiple NTP Vulnerabilities

Component: TMOS

Symptoms:
CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196

Conditions:
CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG)
CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA)
CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS)
CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS)
CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS)
CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS)
CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat)
CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University)
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable)

Impact:
Exploitation of some of these vulnerabilities may allow an attacker to cause a denial-of-service (DoS) condition.

Workaround:
See Bugs/Links below for Mitigation: http://support.ntp.org/bin/view/Main/NtpBug<number>
Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG)
Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA)
Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS)
Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS)
Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS)
Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS)
Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
Bug 2902 CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat)
Bug 2901 CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University)
Bug 2899 CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable)

Fix:
Applied patches for CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196


553734-1 : Issue with assignment of non-string value to Form.action in javascript.

Component: Access Policy Manager

Symptoms:
Exception in javascript code.

Conditions:
Attempt to assign non-string value to a Form.action in javascript code.

Impact:
Web application malfunction.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed for non-string value types.


553688-4 : TMM can core due to memory corruption when using SPDY profile.

Component: Local Traffic Manager

Symptoms:
TMM corefiles containing memory corruption within 112-byte memory cache.

Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.

Impact:
Possible outage and tmm restart.

Workaround:
None.

Fix:
This release contains a fix that prevents a double free on error within the SPDY component.


553649-3 : The SNMP daemon might lock up and fail to respond to SNMP requests.

Component: TMOS

Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.

Conditions:
The SNMP configuration on the BIG-IP system changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.

Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.

Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd

Fix:
The SNMP daemon no longer locks up and becomes unresponsive when it is restarted.


553613-3 : FQDN nodes do not support session user-disable

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support session user-disable.

Conditions:
Configure a monitor with recv-disable string, and set node to session user-disabled. Monitor does not mark the node down for draining persistent connections.

Impact:
Unable to use session drain.

Workaround:
None.

Fix:
FQDN nodes now support session user-disable.


553576-3 : Intermittent 'zero millivolt' reading from FND-850 PSU

Component: TMOS

Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage. Specific symptoms include:
- SNMP alert 'bigipSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged:
emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low.
[where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
Note that this condition may affect either PSU 1 or PSU 2.

Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.

Impact:
There is no impact; these error messages are benign.

Workaround:
None.

Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.


553330-3 : Unable to create a new document with SharePoint 2010

Component: Access Policy Manager

Symptoms:
VPN users are unable to create a new document with SharePoint 2010. An error is given: "The Internet address https://ip:port/shared documents/forms/template.dotx is not valid"

Conditions:
Create a new document using the "New Document" button.

Impact:
User cannot create a new document with SharePoint 2010.

Workaround:
none

Fix:
You can create a new document with Microsoft SharePoint 2010.


553174-4 : Unable to query admin IP via SNMP on VCMP guest

Component: TMOS

Symptoms:
The admin IP address is not returned via ipAdEntAddr.

Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.

Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.

Workaround:
none

Fix:
ipAdEntAddr will now return the admin IP address on a VCMP guest.


553146-2 : BD memory leak

Component: Application Security Manager

Symptoms:
BD memory increases, and may reach a kernel OOM killer scenario.

Conditions:
Usually a policy with a missing content profile on a POST request, which causes the POST to be parsed wrongly and issues many parameter violations.

Impact:
Excessive memory consumption, swap memory usage, and crashes.

Workaround:
Apply the correct content profiles (XML, etc.), as valid requests should not usually have that many parameters in them. Otherwise, apply the "apply value signature" option on big POSTs.

Fix:
We fixed a memory leak in the Enforcer.


553063-1 : Epsec version rolls back to previous version on a reboot

Component: Access Policy Manager

Symptoms:
If an administrator has installed multiple EPSEC packages, after a reboot the EPSEC version rolls back to the previously installed version.

Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.

Impact:
OPSWAT version rolls back without prompting or logging. This might open up the end-point security issues that are supposed to be fixed by the latest installed OPSWAT package.

Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.
After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.

Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.


552931-4 : Configuration fails to load if DNS Express Zone name contains an underscore

Component: Local Traffic Manager

Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.

Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
-- DNS Express Zone exists with an underscore in the name.

Impact:
Cannot load the LTM configuration when restarting the BIG-IP system if DNS Express Zones have an underscore character in the name.

Workaround:
Force the GTM configuration to load by running the following commands in sequence: tmsh load sys config gtm-only, then tmsh load sys config

Fix:
All FQDNs may now contain an underscore character. The BIG-IP system now correctly loads configurations that contain DNS Express Zones with underscores in the name.


552865-4 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, handshake might fail if the client sends an invalid signed Certificate Verify message.

Conditions:
When SSL client certificate mode is request, and the client sends an invalid signed Certificate Verify message to the BIG-IP system.

Impact:
The handshake does not ignore the invalid signed certificate verify message, and handshake might fail. SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. Regardless of whether the Certificate and Certificate Verify message is valid, the handshake should ignore the Certificate Verify signature error and let the handshake continue.

Workaround:
None.

Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior.


552585-3 : AAA pool member creation sets the port to 0.

Component: TMOS

Symptoms:
When the AAA server pool member is created (for RADIUS mode BOTH and for AD), the port is set to 0 (Any), because more than one port applies to that pool member.

Conditions:
Create an AAA pool member while creating an AAA RADIUS server or Active Directory server. The created pool member does not support multiple port numbers, and for that reason is updated with 0 (Any) as its port number. If the user continues to modify the object using the Admin UI, any port changes made using tmsh are overwritten again to 0.

Impact:
The AAA pool member port is set to 0 (Any) rather than the port specified in the GUI. This is expected, because the pool member does not support more than one port number.

Workaround:


552498-1 : APMD basic authentication cookie domains are not processed correctly

Component: Access Policy Manager

Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.

Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.

Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.

Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.

Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.


552488-1 : Missing upgrade support for AFM Network DoS reports.

Component: Application Visibility and Reporting

Symptoms:
When upgrading, the statistics of AFM Network DoS reports are not migrated correctly to the new version, leading to loss of data about the Client-IP addresses.

Conditions:
Upgrade from versions 11.4.x or 11.5.x to versions 11.6.x or 12.0.x.

Impact:
The IP address information of AFM Network DoS reports is lost. However, new activity is collected correctly.

Workaround:
There is no workaround for this issue.

Fix:
This release provides upgrade support for AFM Network DoS reports.


552481 : Disk provisioning error after restarting ASM service.

Component: TMOS

Symptoms:
Disk provisioning error after restarting the ASM service. Newer BIG-IP software versions use a different application volume name for ASM. Older BIG-IP software versions identify that application volume as being owned by ASM, and allow ASM to be provisioned and started. However, the older version also creates its own application volume, so there are two ASM application volumes. If ASM is restarted with bigstart or tmsh, or if the BIG-IP system is rebooted, provisioning does not allow ASM to start.

Conditions:
ASM provisioned on both pre-v12.0.0 and post-v12.0.0 versions.

Impact:
ASM does not start, and bigstart status asm indicates a disk provisioning error.

Workaround:
Follow these steps:
1. Boot into the most recent version of BIG-IP software.
2. Run the command: tmsh modify sys provision asm level none
3. Wait for unprovisioning to complete (monitor /var/log/asm).
4. Run the command: tmsh delete sys disk application-volume asmdata1
5. Run the command: tmsh modify sys provision asm level nominal

Fix:
ASM starts successfully with no disk provisioning error after restarting ASM service using newer BIG-IP software.


552352-2 : tmsh list displays incorrectly for default values of gtm listener translate-address/translate-port

Component: Global Traffic Manager

Symptoms:
tmsh list displays incorrectly for default values of GTM listener translate-address/translate-port settings.

Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.

Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when the output is used with the tmsh merge command, where the value gets set to the LTM virtual server default instead of being maintained as the GTM Listener default. This might eventually result in failing traffic.

Workaround:
Use tmsh list with 'all-properties' instead.

Fix:
The GTM Listener's translate-address and translate-port fields are now always displayed in tmsh commands, because GTM Listeners have different defaults than LTM virtual servers. When used with the tmsh merge command, the value would otherwise get set to the LTM virtual server default instead of being maintained as the GTM Listener default. By always displaying this attribute, no matter what the value is, the merge is always handled appropriately.


552198-5 : APM App Tunnel/AM iSession Connection Memory Leak

Component: Wan Optimization Manager

Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.

Conditions:
The iSession profile reuse-connection attribute is true. A large number of iSession connections are aborted while waiting to be reused.

Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.

Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.

Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.


552151-2 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected

Component: Local Traffic Manager

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log:
crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.

Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.

Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.

Workaround:
Disable compression if CPU usage is too high.

Fix:
Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).


552139-2 : ASM limitation in the pattern matching matrix builtup

Component: Application Security Manager

Symptoms:
The signature configuration is not built up upon adding new signatures. This can appear as a configuration change that never finishes, or, if it does finish, as crashes when the Enforcer starts up, resulting in constant restarts.

Conditions:
Too many signatures are configured, including custom signatures. The exact number varies (depending on the signatures), but hundreds of signatures may be enough to trigger it.

Impact:
The configuration change does not finish, or ASM crashes at startup (which results in constant restarts of the system).

Workaround:
Workarounds are possible only in a custom signature scenario: use fewer signatures, or remove unused signatures.

Fix:
Fixed a limitation in the attack signature engine.


551927-2 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition

Component: TMOS

Symptoms:
On an ePVA-capable platform with a fastl4 profile and asymmetric routing on the client side, LTM sends packets to the client with the wrong VLAN and the correct MAC address (or the correct VLAN and the wrong MAC address), and with an undecremented TTL.

Conditions:
A fastl4 profile and asymmetric routing on the client side.

Impact:
Return traffic might use the wrong VLAN.

Workaround:
None.

Fix:
The system now uses the next-hop VLAN for the ePVA transformation of an offloaded flow when available, instead of the incoming VLAN.


551767-3 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats

Component: Global Traffic Manager

Symptoms:
GTM server 'Virtual Server Score' does not show correct values in TMSH stats. Instead, the stats show a zero value.

Conditions:
You have a virtual server configured with a non-zero score.

Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.

Workaround:
None.

Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.


551764-3 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform

Component: Access Policy Manager

Symptoms:
Successful execution of an Access Policy will result in the client receiving a HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression condition that occurs when the fix for bug 374067 is included.

Conditions:
-- The system has the fix for bug 374067.
-- Clientless mode is enabled.
-- The BIG-IP platform is a chassis platform.
-- The administrator does not override the Access Policy response with an iRule command.

Impact:
Client receives an invalid response.

Workaround:
None.

Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.


551742-2 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades

Component: TMOS

Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors from an unknown source. This fix mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated by the following message in the ltm log:
Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)

Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.

Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.

Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.

Fix:
A hardware parity error issue has been fixed.


551661-2 : Monitor with send/receive string containing double-quote may fail to load.

Component: TMOS

Symptoms:
When a monitor string contains backslash double-quote but does not contain a character which requires quoting, one level of escaping is lost each save/load.

Conditions:
If the string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.

Workaround:
You can use either of the following workarounds:
-- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary.
-- Use an external monitor instead.

Fix:
If the monitor send/receive strings contain a double-quote (") character, the system now adds quotes to the input.


551614-2 : MTU Updates should erase all congestion metrics entries

Component: Local Traffic Manager

Symptoms:
MTU updates erase cwnd cache entries, but not ssthresh or RTT, while an MTU update generally indicates a path change, meaning that these values might be invalid.

Conditions:
TCP has cached congestion metrics from a previous connection and subsequently receives an ICMP PMTU message.

Impact:
Connection might use invalid congestion metrics.

Workaround:
Disable cmetrics-cache, accept the suboptimal cached values, or write an iRule to purge the entry after path change.

Fix:
MTU updates now erase all congestion metrics entries, which is correct behavior.


551010-7 : Crash on unexpected WAM storage queue state

Component: WebAccelerator

Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.

Conditions:
WAM is configured on a virtual server with request queuing enabled.

Impact:
Crash.

Workaround:
None.

Fix:
The system now gracefully recovers from an unexpected WAM storage queue state.


550694-3 : LCD display stops updating and Status LED turns/blinks Amber

Component: TMOS

Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.

Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer. This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus becomes stalled. Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition is greatly reduced, but may still occur under rare conditions.

Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.

Workaround:
This condition can be cleared by either of the following actions:
1. Press one of the buttons on the LCD display to navigate the LCD menus.
2. Issue the following command at the BIG-IP host console: /sbin/lsusb -v -d 0451:3410
Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.

Fix:
Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.


550689-2 : Resolver H.ROOT-SERVERS.NET Address Change

Component: Local Traffic Manager

Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will be good for 6 months after the change, and then the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. For more details, see http://h.root-servers.org/renumber.html

Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.

Impact:
Incorrect address for a root-server means no response to that query.

Workaround:
There are 12 other root-servers that also provide answers to TLD queries, so this is cosmetic, but the addresses still need to be updated to respond to the change.

Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.


550536-3 : Incorrect information/text (in French) is displayed when the Edge Client is launched

Component: TMOS

Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.

Conditions:
Edge client is used in French locale.

Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.

Workaround:
None.

Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.


549800-2 : Renaming a virtual server with an attached plugin can cause buffer overflow

Component: Local Traffic Manager

Symptoms:
Renaming a virtual server (essentially, moving one virtual server to a new location, which effectively renames it) might cause buffer overflow and potentially result in Failover.

Conditions:
The database variable 'mcpd.mvenabled' must be set to 'true'. Also, when moving a virtual server, the new name must be longer than the original name.

Impact:
Buffer overflow and potentially failover.

Workaround:
Do not use the move command. Instead, issue a delete followed by a create command in a transaction.

Fix:
Renaming a virtual server now works as expected, and does not result in buffer overflow or failover.


549782-1 : XFV driver can leak memory

Component: Local Traffic Manager

Symptoms:
When the interface goes down, memory is not correctly freed.

Conditions:
The leak happens when the interface goes down.

Impact:
Over a long enough period of time, the BIG-IP system can run out of memory, and TMM must be restarted.

Workaround:
None.

Fix:
The driver was corrected so that when the interface is brought down, all the xfrags currently in the ring buffer are freed.


549588-2 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Component: Access Policy Manager

Symptoms:
EAM memory grows, and the OOM killer terminates the EAM process under memory pressure.

Conditions:
This occurs when using access management such as Oracle Access Manager: when an authentication request is redirected to the IdP (a redirect URL is present) with cookies present, memory can grow unbounded.

Impact:
EAM memory usage increases, and the OOM killer terminates the EAM process if the system is under memory pressure.

Workaround:
None.

Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.


549543-3 : DSR rejects return traffic for monitoring the server

Component: TMOS

Symptoms:
System DB variable 'tm.monitorencap' controls whether the server monitor traffic is encapsulated inside DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, and return traffic is without the tunnel encapsulation. In such a case, the return traffic is not mapped to the original monitor flow, and gets rejected/lost.

Conditions:
System DB variable 'tm.monitorencap' is set to 'enable', and DSR server pool is monitored.

Impact:
Monitor traffic gets lost, and server pool is marked down.

Workaround:
None.

Fix:
The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.


549406-5 : Destination route-domain specified in the SOCKS profile

Component: Local Traffic Manager

Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.

Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).

Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.

Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.

Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.


549393-3 : SWG URL categorization may cause the /var file system to fill.

Component: Application Visibility and Reporting

Symptoms:
Secure Web Gateway (SWG) URL categorization may cause the /var file system to fill. This might manifest in the following ways.
1. The /var file system is full or approaching 100% utilization, as shown in the following example:
# df -h /var
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg--db--vda-app.ASWADB.set.1.mysqldb 12G 11G 576M 95% /var/lib/mysql
2. The database and index files for SWG URL categorization have grown very large, as shown in the following example:
-- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYD: 8.1G <--- Database!
-- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYI: 765M <--- Index!

Conditions:
SWG is provisioned and configured to perform URL classification, and a large amount of web traffic is being proxied by the SWG system.

Impact:
This results in the following impacts:
- SWG-related operations dependent on MySQL may fail.
- Once the /var file system reaches 100% utilization, other BIG-IP system functions that are dependent on the MySQL system may also experience issues.

Workaround:
The issue can be worked around by resetting the AVR statistics. You can find information on how to reset AVR statistics in SOL14956: Resetting BIG-IP AVR statistics, available at https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14956.html. Impact of procedure: The procedure removes all Analytics data and resets the MySQL database.

Fix:
Secure Web Gateway (SWG) URL categorization no longer causes the /var file system to fill.


549283-3 : Add a log message to indicate transition in the state of Gx and Gy sessions.

Component: Policy Enforcement Manager

Symptoms:
Without a state transition indicator, it is difficult to determine if the Gx and Gy session is active and UP on the BIG-IP device.

Conditions:
Gx or Gy state transitions need to occur.

Impact:
Difficult to identify and debug issues related to Gx and Gy state transitions.

Workaround:
None needed. This is an improvement.

Fix:
Added a log message to indicate the state transitions for Gx and Gy sessions.


549108-1 : RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value

Component: Access Policy Manager

Symptoms:
Some RDP parameters may contain whitespace or a colon in the value, for example:
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.RDSFarm
The configuration utility throws a validation error: "01070734:3: Configuration error: apm resource remote-desktop rdp: Parse error on line 0: <parameter>"

Conditions:
This occurs when using RDP parameters containing spaces or a colon in the value.

Impact:
Administrator is unable to configure the RDP resource as desired.

Workaround:
None.

Fix:
RDP parameter parsing has been refined to support values containing colons or whitespace.


548796-2 : Avrd is at 100% CPU

Component: Performance

Symptoms:
When the Application Visibility and Reporting (AVR) module is being used, the avrd daemon can consume all CPU. The avrd log contains error messages similar to the following:
Semaphore DB_Publisher_ready is not set, for xxxx seconds

Conditions:
This can occur when using the AVR module.

Impact:
Avrd gets to 100% CPU and stays there even when no traffic is being passed, which impacts system performance.

Workaround:
Restarting tmm temporarily mitigates this problem.

Fix:
Avrd is no longer susceptible to consuming all CPU indefinitely even when traffic is not being passed.


548680-2 : TMM may core when reconfiguring iApps that make use of iRules with procedures.

Component: Local Traffic Manager

Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.

Conditions:
More than one iApp is reconfigured by switching templates, and the prior and new templates contain iRules with procedures of the same name. After the second or later reconfiguration, TMM may core.

Impact:
TMM may core.

Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.

Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.


548678-2 : ASM blocking page does not display when using SPDY profile

Component: Local Traffic Manager

Symptoms:
The ASM blocking page will not be displayed when using the SPDY profile.

Conditions:
A virtual server is configured with ASM and a SPDY profile, and a request is blocked by ASM.

Impact:
Request blocked page is not displayed.

Workaround:
If possible, disable the SPDY profile on virtual servers configured to use ASM.

Fix:
ASM will now correctly display its blocking page when the SPDY profile is enabled and an ASM blocking rule is triggered.


548563-2 : Transparent Cache Messages Only Updated with DO-bit True

Component: Local Traffic Manager

Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
When the TTL of the cached DO-bit TRUE message expires, DO-bit FALSE queries are proxied until the message cache is updated with a DO-bit TRUE message.

Workaround:
None.

Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.


548361 : Performance degradation when adding VDI profile to virtual server

Component: Access Policy Manager

Symptoms:
Performance degradation when adding a VDI profile to a virtual server.

Conditions:
This occurs when using the VDI profile.

Impact:
A 0.3s latency increase compared with the previous result.

Workaround:
None.

Fix:
Fixed the 0.3s latency between the client and server SSL hello when a VDI profile is added to the virtual server.


548239-3 : BGP routing using route-maps cannot match route tags

Component: TMOS

Symptoms:
When a route-map is used to redistribute routes into BGP, matching on the route tag fails.

Conditions:
Dynamic routing using BGP, redistribution into BGP using a route-map, route-map matches route tag.

Impact:
BGP may not get all prefixes from other routing protocols.

Workaround:
None.

Fix:
Route-maps used with BGP now correctly match route tags.


547732-1 : TMM may core on using SSL::disable on an already established serverside connection

Component: Local Traffic Manager

Symptoms:
The TMM process may crash if the SSL::disable iRule command is used on a serverside connection that is already established.

Conditions:
Use of SSL::disable on an already established serverside SSL connection.

Impact:
TMM cores.

Workaround:
Do not use SSL::disable on an event where the serverside connection is already established.

Fix:
TMM no longer cores on using SSL::disable on an already established serverside connection; instead, it logs a warning: Connection error: hud_ssl_handler:605: disable profile (80)


547537-3 : TMM core due to iSession tunnel assertion failure

Component: Wan Optimization Manager

Symptoms:
TMM core due to "valid isession pcb" assertion failure in isession_dedup_admin.c.

Conditions:
Deduplication endpoint recovery occurs on a BIG-IP system that has deduplication enabled.

Impact:
TMM generates a core file and restarts.

Workaround:
None.

Fix:
An iSession tunnel initialization defect has been corrected.


547532-2 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades

Component: TMOS

Symptoms:
Error messages similar to the following are present in the ltm log:
-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.

Conditions:
A chassis-based system with multiple blades. A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).

Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.

Workaround:
Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.

Fix:
Ensured that the complete state for addresses in the default route domain is propagated to secondary blades.


547000-4 : Enforcer application might crash on XML traffic when out of memory

Component: Application Security Manager

Symptoms:
Enforcer application might crash on XML traffic when out of memory.

Conditions:
This occurs when the system is out of memory.

Impact:
The BIG-IP system might temporarily fail to process traffic.

Workaround:
None.

Fix:
This release fixes a scenario where the system might crash when the XML parser ran out of memory.


546747-2 : Occasional SSL connection handshake failure when one ClientHello is sent in multiple packets

Component: Local Traffic Manager

Symptoms:
Sometimes the BIG-IP system responds with a fatal handshake alert and closes the SSL session for a new connection when a ClientHello record is split between two or more packets.

Conditions:
This occurs when an SSL ClientHello record gets split between two or more packets.

Impact:
A new SSL connection cannot be established.

Workaround:
No workaround.

Fix:
The SSL connection can now be successfully brought up regardless of how many packets are used to send one ClientHello record.


546640 : tmsh show gtm persist <filter option> does not filter correctly

Component: Global Traffic Manager

Symptoms:
The following commands fail to return results even if there are matching records:
# tmsh show gtm persist level wideip
# tmsh show gtm persist target-type pool-member

Conditions:
This only happens when running the tmsh commands listed in the Symptoms.

Impact:
It is not possible to get granular detail for persist stats.

Workaround:
Use the GUI.

Fix:
Filters for the tmsh show gtm persist command now apply the filters correctly.


546082-5 : Special characters might change input.

Component: iApp Technology

Symptoms:
Special characters entered by users might change the intended data.

Conditions:
Use of special characters.

Impact:
Incorrect or unwanted response.

Workaround:
None.

Fix:
Updated data handling to properly account for special characters.


545985-3 : ICAP 2xx response (except 200, 204) is treated as error

Component: Service Provider

Symptoms:
An ICAP status code from the ICAP server of 2xx (other than 200 or 204) is treated as an error, causing the reset of the ICAP connection and the service-down-action to be performed on the parent virtual server (as configured in the requestadapt or responseadapt profile). RFC 3507 requires the ICAP client (the BIG-IP system) to handle the response normally (that is, like a 200).

Conditions:
The ICAP server returns a 2xx status code that is not defined explicitly for ICAP.

Impact:
Transactions involving an ICAP server that returns a non-ICAP 2xx response do not work, and the service-down action is performed.

Workaround:
If possible, have the ICAP server return status code 200.

Fix:
An ICAP status code from the ICAP server of 2xx (other than 200 or 204) is now treated as a normal 200 status code, so the encapsulated HTTP request or response is returned to the HTTP client or server.


545810-1 : ASSERT in CSP in packet_reuse

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
This happens with the CSP module when it is configured on the local loopback.

Impact:
Crash and restart of TMM.

Workaround:
None

Fix:
Fixed the logic for determining whether the connection is an L7 loopback connection, so that CSP receives only packets that it owns and that can be reused.


545786-4 : Privilege escalation vulnerability CVE-2015-7393

Component: Centralized Management

Symptoms:
The SUID root dcoep application (/shared/mgmt/ep/dcoep) allows local, authenticated users with access to an advanced shell the capability to elevate privileges to root.

Conditions:
Local, authenticated user with advanced shell access and capability to execute shell commands.

Impact:
Local, authenticated user with advanced shell access may be able to elevate privileges to root.

Workaround:
The vulnerable dcoep application (/shared/mgmt/ep/dcoep) is replaced by an empty file which cannot be executed.

Fix:
The vulnerable dcoep application (/shared/mgmt/ep/dcoep) is replaced by an empty file which cannot be executed.


545783-3 : TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when forwarding an inbound connection and the flow sweeper tries to update the flow before the forwarding operation completes.

Conditions:
A small or over-utilized LSN pool that creates inbound entries that require forwarding.

Impact:
TMM crashes

Workaround:
Add more IP addresses to the LSN pool.

Fix:
TMM no longer crashes when forwarding inbound connections configured with an LSN pool.


544913-6 : tmm core while logging from TMM during failover

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server when an HA failover occurs.

Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over.
The crash occurs on the HA member which was the Primary member prior to the failover.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards such messages or directs them to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.


544481-5 : IPSEC Tunnel fails for more than one minute randomly.

Component: TMOS

Symptoms:
IPsec IKEv1: a DPD ACK may be dropped during excessive DPD message exchange. This causes the IPsec tunnel to fail.

Conditions:
Excessive DPD message exchange.

Impact:
Connection resets.

Workaround:
None.

Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.


544375-1 : Unable to load certificate/key pair

Component: Local Traffic Manager

Symptoms:
After creating an SSL profile, 'could not load key/certificate file' appears in /var/log/ltm together with the profile name. Unable to connect to a virtual server that uses the SSL profile.

Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.

Impact:
Unable to load certificate.

Workaround:
None.

Fix:
Can now load certificates with sha1WithRSA or dsaWithSHA1_2 signature algorithm.


544028-5 : Verified Accept counter 'verified_accept_connections' might underflow.

Component: Local Traffic Manager

Symptoms:
Verified Accept counter 'verified_accept_connections' might underflow.

Conditions:
When the verified accept setting on a TCP profile is changed for an active virtual server.

Impact:
When the counter underflows, new connections on any verified-accept enabled virtual server are dropped. The counter will never recover.

Workaround:
Avoid changing the verified accept setting on a TCP profile for an active virtual server.

Fix:
This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.


543924 : Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6

Component: TMOS

Symptoms:
This is a major update from the RHEL6.4 2.6.32-358.23.2 kernel used in 11.6.0 releases (including all 11.6.0 hotfixes). It includes many critical bugfixes and vulnerability fixes as of the last published kernel Red Hat Security Advisory: https://rhn.redhat.com/errata/RHSA-2015-1030.html
Note that there are some additional vulnerability fixes beyond RHSA-2015-1030 which have been backported from upstream RHEL6 kernels: 6.5, 6.6 and 6.7. This does not include later 6.4 kernel updates from Red Hat which are only available for Red Hat AUS customers:
https://rhn.redhat.com/errata/RHSA-2015-1211.html
https://rhn.redhat.com/errata/RHSA-2015-1643.html
https://rhn.redhat.com/errata/RHBA-2015-1843.html
https://rhn.redhat.com/errata/RHBA-2015-2005.html
https://rhn.redhat.com/errata/RHSA-2016-0004.html

Conditions:
This is a kernel-related update.

Impact:
Addresses many critical bugfixes and vulnerability fixes.

Workaround:
None needed.

Fix:
Updated kernel to 2.6.32-358.61.1.el6 [RHEL6.4].


543222-3 : apd may crash if an un-encoded session variable contains "0x"

Component: Access Policy Manager

Symptoms:
When a session variable value contains "0x" (for example 'value0x not encoded'), the apd process treats the value as hex-encoded and tries to decode it. Decoding the non-encoded string causes apd to crash.

Conditions:
A session variable value contains the substring "0x".

Impact:
apd crashes.

Workaround:
None

Fix:
With this release:
1. Only values starting with 0x are treated as hex-encoded.
2. If hex decoding fails, apd does not crash.
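As an added illustration of the two fix items (example code written for this note, not F5's apd implementation), the pre-fix and post-fix decoding rules side by side; the sample values are constructed:

```python
import binascii
from typing import List

# Constructed session variable values (not from the original page); the third
# is the shape of value that triggered the original crash.
SAMPLE_VALUES = [
    "0x48656c6c6f",          # hex-encoded "Hello"
    "plain text",            # not encoded, no "0x" anywhere
    "value0x not encoded",   # not encoded, but contains "0x"
    "0xZZ",                  # claims to be hex, but is not valid hex
]


def looks_hex_encoded(value: str, pre_fix: bool = False) -> bool:
    """Heuristic deciding whether a value is hex-encoded.

    pre_fix=True is the broken rule (any value *containing* "0x");
    the default is fix item 1: only values *starting* with "0x".
    """
    return "0x" in value if pre_fix else value.startswith("0x")


def decode_session_value(value: str, pre_fix: bool = False) -> str:
    """Return the decoded form of one session variable value.

    With pre_fix=True a decode failure propagates (binascii.Error is a
    ValueError), which is the unhandled error that took the process down.
    By default (fix item 2) a failed decode leaves the raw value unchanged.
    """
    if not looks_hex_encoded(value, pre_fix):
        return value
    hex_digits = value[2:] if value.startswith("0x") else value
    try:
        return binascii.unhexlify(hex_digits).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        if pre_fix:
            raise
        return value


def decode_all(values: List[str]) -> List[str]:
    """Decode a batch of values with the fixed rules; never raises."""
    return [decode_session_value(v) for v in values]


if __name__ == "__main__":
    for raw, decoded in zip(SAMPLE_VALUES, decode_all(SAMPLE_VALUES)):
        print(f"{raw!r:28} -> {decoded!r}")
```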


543220-1 : Global traffic statistics do not include PVA statistics

Component: Local Traffic Manager

Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.

Conditions:
Hardware acceleration enabled.

Impact:
Statistics discrepancy in global traffic statistics.

Workaround:
None.

Fix:
Global traffic statistics now include the correct PVA statistics in the GUI and in TMSH.


542724-1 : If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash

Component: Local Traffic Manager

Symptoms:
If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash.

Conditions:
This occurs when the following conditions are met:
- There is an OCSP request in progress.
- There is a configuration change.
- The handshake is aborted.
- The HTTP response for the OCSP request indicates a status code that is not 200.

Impact:
TMM might crash.

Workaround:
None.

Fix:
TMM no longer crashes if there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions.


542640-2 : bigd intentionally cores when it should shutdown cleanly

Component: Local Traffic Manager

Symptoms:
Bigd can core instead of graceful shutdown under certain error conditions where a core is not needed.

Conditions:
Anything that causes bigd to shut down under abnormal conditions.

Impact:
Bigd crash, core file created. Note that the shutdown scenario was already under error conditions, so this is not a sign that something has broken or failed outside that condition that caused the shutdown.

Workaround:

Fix:
Made bigd more selective about the situations where it self-cores on abnormal shutdown.


542564-3 : bigd detection and logging of load and overload

Component: Local Traffic Manager

Symptoms:
The bigd process cannot detect overload, and does not log its load status. This makes it difficult to determine whether bigd is close to its limits.

Conditions:
The bigd process might reach limits when there is very high load with high probe rate (monitor instances per second).

Impact:
bigd might fail to service monitors in a timely fashion, when under extreme load, which might result in 'flapping' nodes/pool members (where the node/pool member goes down and back up even though the server itself has not gone down).

Workaround:
-- Increase the probe interval for monitors so they probe less often.
-- Switch from more 'expensive' monitors (e.g., https) to simpler monitors (e.g., http, tcp, tcp half-open, icmp).

Fix:
This release provides modifications to peak performance to significantly reduce the chance of node flapping. In addition, the ability to monitor bigd load has been added. Because bigd is not integrated with tmstats, the system logs load stats to the debug log file, /var/log/bigdlog. When debug logging is turned on, stats are mixed with the debug output. Load stats can be emitted independently with the following sys db variable:
modify sys db bigd.debug.timingstats value enable
With this db variable enabled, the system emits bigd load data to the debug log periodically (every 15 seconds per bigd process). The columns correspond to these stats:
- load (0-100%), 1-minute mean.
- load (0-100%), 5-minute mean.
- number of monitor instances active for this bigd process.
- number of active file descriptors, 30-second average, this process.
- peak number of active file descriptors in the past 30 seconds, this process.
In addition, the system logs warning messages to /var/log/ltm when bigd reaches 80%, 90%, and 95% load levels. The system logs an overload error to /var/log/ltm when bigd detects it is overloaded. The load level indicating overload is in the bigd.overload.latency sys db variable, which is set to 98% load by default.


542511-2 : 'Unhandled keyword ()' error message in GUI and/or various ASM logs

Component: Application Security Manager

Symptoms:
The 'Unhandled keyword ()' error message may appear in the 'Session Awareness Tracking' GUI page and/or in various ASM logs, such as the learning manager log, the asm config server log and the main asm log. In the case of the learning manager, it causes the learning manager to crash; the learning manager process is then restarted about 15 seconds later.

Conditions:
ASM provisioned. Session Awareness Tracking is enabled.

Impact:
Uninformative errors in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log. Learning manager process restart.

Fix:
ASM REST: The system correctly recognizes that the validationFiles field has not changed in value and does not fail the call.


ditions.

Impact:
See https://support.f5.com/kb/en-us/solutions/public/k/35/sol35358312.html

Workaround:
None.

Fix:
Rare HSB lockup on a 3900, 6900, 8900, 8950, 11000, 11050, PB100 or PB200 platform no longer occurs.


541852-1 : ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails

Component: Application Security Manager

Symptoms:
The "validationFiles" field cannot be modified via a PATCH call and fails validation. Even if validationFiles is passed back unmodified, the call still fails.

Conditions:
An ASM REST client attempts to PATCH the mgmt/tm/asm/policies/<ID>/xml-profiles/<ID> endpoint using "validationFiles".

Impact:
The XML Profile cannot be modified

Workaround:
The user can PATCH the object without supplying this field. However, if there were Validation Files before, then Bug 541406 will affect them, removing the existing Validation Files. The XML validation file association task would then need to be run again.

Fix:
ASM REST: The system correctly recognizes that the validationFiles field has not changed in value and does not fail the call.


541571-3 : FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force-deleted may not repopulate as expected.

Conditions:
Sync group, multiple FQDNs resolving to different IP addresses. FQDNs deleted and re-created, with IP addresses swapped from deleted nodes to re-created ones.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:
None.

Fix:
FQDN ephemeral nodes are now repopulated after being force-deleted and re-created with different IP addresses.


541569-3 : IPsec NAT-T (IKEv1) not working properly

Component: TMOS

Symptoms:
The incorrect source port is chosen for the IPsec/IKE NAT-T UDP-encapsulated traffic. When IKE floats the port after a NAT device is detected, it should use port 4500 as both its source port and its destination port.

Conditions:
NAT traversal is enabled on the IKE Peer configuration object and a NAT device is detected during IKE negotiation.

Impact:
When NAT-T is enabled, the IPsec tunnel cannot be established.

Workaround:
None.

Fix:
Now, when NAT-T is enabled, the IPsec tunnel can be established as expected.


541406-1 : ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request

Component: Application Security Manager

Symptoms:
Updating an XML Profile via ASM REST with a partial body (e.g., just an updated description) removes all attached WSDL validation files as if it had also received: "validationFiles": []

Conditions:
XML Profiles that utilize validation files are updated via REST

Impact:
If the full validation files structure is not re-iterated in the body, then the entire list of WSDL validation files will be emptied. This will cause the XML Schema to not be validated properly during enforcement.

Workaround:
Run the validation file association task again after updating the XML Profile

Fix:
ASM REST now correctly updates only specified fields on a PATCH request.


540996-2 : Monitors with a send attribute set to 'none' are lost on save

Component: TMOS

Symptoms:
Monitors that have a send, recv, or recv-disable attribute set to 'none' are lost on configuration save.

Conditions:
Saving a configuration containing a monitor configured with a send, recv, or recv-disable attribute set to 'none'.

Impact:
Monitor may send unexpected string.

Workaround:
None.

Fix:
Monitor send, recv, and recv-disable attributes now retain a 'none' value on configuration save.


540871-1 : Update/deletion of SNMPv3 user does not work correctly

Component: TMOS

Symptoms:
After creation of an SNMPv3 user via the GUI, SNMP operations for that user do not work if the admin subsequently modifies the user. Deletion of the SNMPv3 user also does not work correctly.

Conditions:
Save (even without modification) an SNMPv3 user after creation, or delete an SNMPv3 user.

Impact:
SNMP operations for that user do not work if the admin subsequently modifies the user. TMSH reports a deleted user as gone, but net-snmp does not process the deletion.

Workaround:
None.

Fix:
Using the GUI to update/delete SNMPv3 users now works as expected.


540849-7 : BIND vulnerability CVE-2015-5986

Component: TMOS

Symptoms:
An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure. This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query. (CVE-2015-5986)

Conditions:
BIND vulnerability CVE-2015-5986

Impact:
A remote attacker may be able to cause a denial-of-service (DoS) attack on the BIG-IP system's local instance of BIND by using a specially crafted DNS request in configurations that expose BIND to requests from untrusted users. If the BIND process (named) terminates or stops responding, the bigstart process will automatically restart the impacted daemon.

Workaround:
To mitigate this issue, if DNS recursion is not required, you can disable recursion in the BIND configuration. Additionally, when DNS recursion is required, you can limit exposure to the vulnerability by configuring an ACL to restrict DNS recursion to trusted users. For additional information, refer to SOL7055: Enabling DNS recursion in the named configuration on a BIG-IP GTM system.

Fix:
Resolved BIND vulnerability CVE-2015-5986. See AskF5 Solution Article SOL17227: BIND vulnerability CVE-2015-5986, available here https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17227.html.


540846-7 : BIND vulnerability CVE-2015-5722

Component: TMOS

Symptoms:
Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key. (CVE-2015-5722)

Conditions:
BIND vulnerability CVE-2015-5722

Impact:
A remote attacker may be able to cause a denial-of-service (DoS) attack on the BIG-IP system's local instance of BIND by using a specially crafted DNS request in configurations that expose BIND to requests from untrusted users. If the BIND process (named) terminates or stops responding, the bigstart process will automatically restart the impacted daemon. Note: Recursive servers are at greatest risk from this defect, but some circumstances may exist in which the attack can be successfully exploited against an authoritative server.

Workaround:
If you require DNSSEC validation, there is no mitigation for this issue. However, if you have manually enabled the DNSSEC validation feature in the BIND configuration but do not require DNSSEC validation, you can mitigate this vulnerability by disabling/removing this feature in/from the BIND configuration. For more information about BIND's DNSSEC validation, refer to the official documentation BIND DNSSEC Guide from Internet Systems Consortium (ISC). Note: The previous link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.

Fix:
Resolved BIND vulnerability CVE-2015-5722. See AskF5 solution article SOL17181: BIND vulnerability CVE-2015-5722, available here https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17181.html.


540767-2 : SNMP vulnerability CVE-2015-5621

Component: TMOS

Symptoms:
It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables.

Conditions:
See SOL17378: https://support.f5.com/kb/en-us/solutions/public/17000/300/sol17378.html

Impact:
A remote, unauthenticated attacker could use this flaw to crash snmpd or, potentially, execute arbitrary code on the system with the privileges of the user running snmpd. (CVE-2015-5621)

Workaround:
This exposure can be mitigated by following the guidelines at SOL17378: https://support.f5.com/kb/en-us/solutions/public/17000/300/sol17378.html

Fix:
SNMP has been updated to net-snmp-5.5-54.el6_7.1 per RHSA-2015:1636-01 (Moderate: net-snmp security update).


540571-2 : TMM cores when multicast address is set as destination IP via iRules and LSN is configured

Component: Carrier-Grade NAT

Symptoms:
TMM may core when an iRule changes the destination address of a connection to use a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route with no interface designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface.

Conditions:
- CGNAT enabled and LSN pools configured on an active virtual server that accepts traffic.
- On the same virtual server, an iRule is configured that changes the destination IP to a multicast address in the 224.0.0.0/24 network.

Impact:
TMM crashes, interrupting traffic flow.

Workaround:
There are two workarounds:
-- Remove the offending iRule that is sending traffic to the 224.0.0.0/24 network.
-- Prevent traffic from using that destination in the iRule.

Fix:
TMM no longer cores when multicast address is set as destination IP via iRules and LSN is configured. Now, the system fails connections when the route's IFC is null, which is correct behavior.


540568-2 : TMM core due to SIGSEGV

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown. See related Bug 540571.

Impact:
TMM crashes, interrupting traffic flow.

Workaround:
None.

Fix:
Fixed an intermittent tmm core related to Bug 540571.


540484-2 : "show sys pptp-call-info" command can cause tmm crash

Component: Carrier-Grade NAT

Symptoms:
Core when "show sys pptp-call-info" is called.

Conditions:
On a BIG-IP system with a FastL4 virtual server forwarding PPTP GRE traffic, the TMSH "show sys pptp-call-info" command can cause a crash in TMM.

Impact:
TMM crashes when the TMSH "show sys pptp-call-info" command is run.

Workaround:
Do not issue the "show sys pptp-call-info" command on a BIG-IP system forwarding PPTP GRE traffic.

Fix:
Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server.


540473-6 : peer/clientside/serverside script with parking command may cause tmm to core.

Component: Local Traffic Manager

Symptoms:
When the peer/clientside/serverside iRule contains parking commands, tmm might core upon connection reuse.

Conditions:
1. The iRule used in peer/clientside/serverside contains a parking command.
2. The connection is reused. This might occur in OneConnect configurations, for example.

Impact:
tmm might core.

Workaround:
Do not use parking commands in cases where the system might reuse the connection.

Fix:
When the peer/clientside/serverside iRule contains parking commands, tmm no longer cores upon connection reuse.


540390-2 : ASM REST: Attack Signature Update cannot roll back to older attack signatures

Component: Application Security Manager

Symptoms:
There is no way to roll back to an older attack signature update using the REST interface.

Conditions:
REST is used to manage Attack Signature Updates on a BIG-IP device, and a version older than the currently installed file needs to be installed.

Impact:
REST clients have no way to fully manage Attack Signature Updates for the BIG-IP.

Workaround:
The GUI can be used to roll back to an earlier version.

Fix:
The REST API now includes support for the "allowOlderTimestamp" field on the update-signatures task, which allows rolling back to an older attack signature update using the REST interface:
POST https://<host>/mgmt/tm/asm/tasks/update-signatures/
{ "allowOlderTimestamp": true, <Rest of body as usual> }


539822-4 : tmm may leak connflow and memory on vCMP guest.

Component: TMOS

Symptoms:
tmm may leak connflow and memory on vCMP guests.

Conditions:
This occurs on a vCMP guest when only one tmm is provisioned on the blade.

Impact:
tmm leaks memory and might eventually crash from an out-of-memory condition.

Workaround:
Provision more than one tmm.

Fix:
tmm no longer leaks connflows and memory on vCMP guests when only one tmm is provisioned.


539784-4 : HA daemon_heartbeat mcpd fails on load sys config

Component: TMOS

Symptoms:
A particular stage of validation can take longer than the ha-daemon heartbeat interval, and while nothing is actually wrong, the system responds as if there is an unresponsive daemon, so the system restarts it.

Conditions:
iRules must be present in the configuration that the system is loading.

Impact:
MCPd restarts.

Workaround:
On the BIG-IP system, run the command: tmsh mod sys daemon-ha mcpd heartbeat disabled.

Fix:
Added additional heartbeats during validation, so HA daemon_heartbeat mcpd no longer fails on load sys config.


539270-6 : A specific NTLM client fails to authenticate with BIG-IP

Component: Access Policy Manager

Symptoms:
A specific NTLM client (such as Android Lync 2013) fails to authenticate with BIG-IP because it sends a particular NTLMSSP_NEGOTIATE message that BIG-IP is not able to parse properly, so BIG-IP throws an error. This effectively stops the authentication process, and this particular client never completes authentication.

Conditions:
Specific NTLM client. It is not clear whether this issue affects a particular version of Android Lync 2013 or a particular Android version.

Impact:
The client cannot complete authentication and is therefore not allowed to access protected resources.

Workaround:
No workaround exists for the affected clients.

Fix:
The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate.


539229-7 : EAM core while using Oracle Access Manager

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
This event can be triggered while using the Oracle Access Manager.

Impact:
An unhandled exception will cause EAM to core, with a possible access outage.

Workaround:
No workaround

Fix:
EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used.


539130-6 : bigd may crash due to a heartbeat timeout

Component: Local Traffic Manager

Symptoms:
bigd crashes and generates a core file. The system logs entries in /var/log/ltm that are similar to the following:
sod[5853]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.
This issue is more likely to occur if /var/log/ltm contains entries similar to the following:
info bigd[5947]: reap_child: child process PID = 9198 exited with signal = 9.

Conditions:
External monitors that run for a long time and are killed by the next iteration of the monitor. For example, the LTM external monitor 'sample_monitor' contains logic to kill a running monitor if it runs too long.

Impact:
bigd crashes and generates a core file. Monitoring is interrupted.

Workaround:
None.

Fix:
External monitors that run for a long time and are killed by the next iteration of the monitor now recover without bigd crashing and generating a core file.

Behavior Change:
bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled) rather than in /var/log/ltm. This makes the logging controllable. Successful command exits are also logged for completeness, since these log messages only appear when debugging is enabled.


538837-1 : REST: Filtering login pages or parameters by their associated URL does not work

Component: Application Security Manager

Symptoms:
When attempting to filter the collection of configured login pages by their URL, the full list is returned instead of the desired results. The same problem exists for URL level Parameters.

Conditions:
The login-pages or parameters collection endpoints are queried with the following $filter:
$filter=url/name eq '<URL NAME>'

Impact:
Incorrect results are returned to the REST client

Workaround:
None.

Fix:
REST $filter for associated URLs on login-pages and parameters endpoints now works correctly.


538784-3 : ICAP implementation incorrect when HTTP request or response is missing a payload

Component: Service Provider

Symptoms:
The ICAP request sent to the ICAP server always contains a payload even if the HTTP request or response to be modified does not contain one.

Conditions:
HTTP request or response does not contain a payload.

Impact:
If an HTTP request or response to be modified does not contain a payload, the ICAP client sends a zero-byte HTTP payload instead.

Workaround:
None.

Fix:
The system now correctly identifies an empty HTTP payload and sends the appropriate ICAP header, identifying that there is no HTTP payload included.
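An added example (written for this note, not F5's ICAP client code) covering the two ICAP fixes in these notes, 545985-3 and 538784-3: a REQMOD builder that advertises null-body when the HTTP request has no payload, with a legacy flag reproducing the zero-byte payload, and a status-line handler that treats unreserved 2xx codes like 200. The server name and HTTP request are constructed.

```python
import re

# Constructed sample inputs (not from the original page).
ICAP_SERVER = "icap.example.test"
ICAP_URI = f"icap://{ICAP_SERVER}/reqmod"
SAMPLE_HEAD = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SAMPLE_BODY = b"user=alice"

ICAP_STATUS = re.compile(rb"^ICAP/1\.0 (\d{3})")


def build_reqmod(http_head: bytes, http_body: bytes, legacy: bool = False) -> bytes:
    """Encapsulate an HTTP request in an ICAP REQMOD request (RFC 3507 sect. 4.4).

    http_head is the complete HTTP request head, ending in CRLFCRLF.
    When http_body is empty the fixed behaviour advertises `null-body`, telling
    the ICAP server that no HTTP payload follows. legacy=True reproduces the
    pre-fix behaviour: a `req-body` section is always announced, and an empty
    body is sent as a zero-length chunked payload.
    """
    if not http_head.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP head must end with CRLFCRLF")
    body_offset = len(http_head)  # byte offset of the section after req-hdr
    if http_body or legacy:
        # Chunked transfer encoding: hex size, CRLF, data, CRLF, then last-chunk.
        chunks = b""
        if http_body:
            chunks = f"{len(http_body):x}\r\n".encode() + http_body + b"\r\n"
        payload = http_head + chunks + b"0\r\n\r\n"
        encapsulated = f"req-hdr=0, req-body={body_offset}"
    else:
        payload = http_head
        encapsulated = f"req-hdr=0, null-body={body_offset}"
    icap_head = (
        f"REQMOD {ICAP_URI} ICAP/1.0\r\n"
        f"Host: {ICAP_SERVER}\r\n"
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode("ascii")
    return icap_head + payload


def icap_status_action(status_line: bytes, pre_fix: bool = False) -> str:
    """Decide what the ICAP client does with a response, from its status line.

    Returns one of:
      "continue"      100 Continue: keep sending the request.
      "use-modified"  200 (and, after the fix, any other 2xx not reserved by
                      ICAP): use the adapted HTTP message the server returned.
      "use-original"  204 No Content: forward the original HTTP message as-is.
      "error"         anything else: reset the ICAP connection and run the
                      profile's service-down action.
    pre_fix=True reproduces the old behaviour in which a 2xx other than
    200/204 was treated as an error.
    """
    match = ICAP_STATUS.match(status_line)
    if not match:
        return "error"
    code = int(match.group(1))
    if code == 100:
        return "continue"
    if code == 200:
        return "use-modified"
    if code == 204:
        return "use-original"
    if 200 <= code < 300:
        return "error" if pre_fix else "use-modified"
    return "error"


if __name__ == "__main__":
    print(build_reqmod(SAMPLE_HEAD, b"").decode())           # null-body form
    print(build_reqmod(SAMPLE_HEAD, SAMPLE_BODY).decode())   # req-body form
    print(icap_status_action(b"ICAP/1.0 201 Created\r\n"))  # use-modified
```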


538722-3 : Configurable maximum message size limit for restjavad

Component: Centralized Management

Symptoms:
If the client issues a request to iControl REST that results in a large amount of data (approx. 200 MB), restjavad goes into an out-of-memory condition when attempting to serialize the response prior to returning it to the client.

Conditions:
A message is received by restjavad that is larger than the total free heap space. The most common cause is that the system sends a broad query to icrd, which returns a very large response (approx. 200 MB).

Impact:
restjavad becomes unresponsive until it is rebooted.

Workaround:
This fix exposes the maximum message size limit and allows a network operator to change it by posting to a new configuration worker. An example is included below. The actual value varies by installation (load, average message size, etc.). Set it too low and clients will receive 5xx errors even though there is sufficient memory. Set it too high and dangerously large messages do not get dropped and might cause an out-of-memory exception. 5 MB is a recommended starting value.
An example of setting the maximum message body size to 5kB (5000 bytes) on a machine called 'green' (the password needs to be changed appropriately):
curl -s -k -u admin:PASSWORD -H "Content-Type: application/json" -H 'Connection: keep-alive' -X PUT "https://green/mgmt/shared/server/messaging/settings/8100" -d '{"maxMessageBodySize": "5000" }'

Fix:
There is now a configurable maximum message size limit for restjavad. Restjavad still reaches an out-of-memory condition if it receives very large messages (approx 200 MB), but there is now an option of setting a 'hard cap' that causes restjavad to discard these large messages, preventing the out-of-memory condition.


538663-3 : SSO token login does not work due to remote role update failures.

Component: TMOS

Symptoms:
SSO token login does not work due to remote role update failures.

Conditions:
SSO between Enterprise Manager (EM) and a BIG-IP system using a third party authentication system, such as LDAP.

Impact:
Incorrect role assignment causing SSO login to not work. The system posts messages similar to the following:
-- notice mcpd[6165]: 01070829:5: Input error: Remote user message dropped (adm184789 in [All]) because duplicate partition.
-- err mcpd[6165]: 01070827:3: User login disallowed: User (adm184789) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.

Workaround:
Login using remote user credentials on the BIG-IP system. This properly updates the role for the remote user.

Fix:
SSO token login now works with the correct role assignments to a remote user.


538639-3 : P-256 ECDH performance improvements

Component: Local Traffic Manager

Symptoms:
Recent changes in the TLS clients to only use perfect forward secrecy (PFS) ciphersuites in default configuration may degrade TLS handshake rate on BIG-IP, may cause higher CPU utilization on the BIG-IP, or both. An example of a recent change is Apple iOS's App Transport Security changes to only enable ECDH ephemeral ciphersuites (the ciphersuites with the ECDHE suffix).

Conditions:
A large portion of TLS clients offer only *ECDHE* ciphersuites in their TLS ClientHello, the average size of a TLS session is small (e.g., kilobytes), and TLS session resumption is not used. In other words, the conditions are such that the TLS handshakes are likely to negotiate ECDHE ciphersuites with short sessions.

Impact:
With this improvement, the TLS handshake rate with a ciphersuite ECDHE-RSA-AES128-GCM-SHA256 is expected to be ~50% higher on hardware platforms without Intel Cave Creek acceleration (released in 2015 and earlier). Internal testing has shown variations in the improvement between 20% and 80% with this enhancement. The comparison is against the current 12.0.x (or 11.6.x) release. The performance of ECDSA with P-256 was also improved. Conversely, previous versions of the BIG-IP will have correspondingly lower performance, or worse for older releases.

Workaround:
Order ciphersuite selection so that ECDH ciphersuites are least preferred. One method to accomplish this is to ensure that the clientssl profile's cipherstring contains 'ecdhe:ecdhe_ecdsa' at the end of the list. This only matters when non-PFS ciphersuites are allowed in the profile and are offered by the client.

Fix:
Performance improvements for P-256 ECDH and ECDSA algorithms.


538603-2 : TMM core file on pool member down with rate limit configured

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.

Conditions:
This occurs when the following conditions are met:
- service-down-action reselect.
- rate limit specified.
- traffic load balanced to pool members.
- traffic is over the rate for all pool members.
- all pool members go down.

Impact:
TMM cores.

Workaround:
Remove rate-limit configuration.

Fix:
TMM no longer produces a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.


538195-1 : Incremental Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration. This precluded the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in an Incremental Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older configuration and then push the changes to the peer.

Fix:
Older ASM configurations can now be pushed to a peer in an incremental sync manual device group.


538024-3 : Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load

Component: TMOS

Symptoms:
Configuration fails to load with an error similar to the following: A port number or service name is missing for '/Common/any6%2.0'. Please specify a port number or service name using the syntax '/Common/any6%2.0:<port>'.

Conditions:
Configuration contains a virtual with destination address in the form of: any6%<route domain>.<port>.

Impact:
Configuration load failure.

Workaround:
None.

Fix:
The BIG-IP system now uses the correct port delimiter when parsing destination addresses containing a named wildcard service and non-default route domain.
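The delimiter rule behind this error, shown as an added Python example rather than F5's parser: BIG-IP writes IPv4 destinations as address%rd:port and IPv6 destinations as address%rd.port, and the named wildcards 'any' and 'any6' follow the family they stand for. The function below splits a destination string into address, route domain and port. Its recognise_named_wildcards=False mode is a model of the symptom only (deciding the family from the literal alone, so 'any6' is treated as IPv4 and ':' is demanded) and does not claim to reproduce the original code. The destination strings in the usage are constructed.

```python
import ipaddress
import re

# Named wildcard destinations and the address each stands for.
NAMED_WILDCARDS = {"any": "0.0.0.0", "any6": "::"}


def _ipv6_form(name, recognise_named_wildcards=True):
    """True when the destination uses the IPv6 form (port after '.'), else the IPv4 form (port after ':').

    With recognise_named_wildcards=False the family is decided from the literal alone, so
    'any6' (which contains no ':') is mistaken for IPv4. This models the symptom, not F5's code.
    """
    first_token = re.split(r"[%.:]", name, maxsplit=1)[0]
    if recognise_named_wildcards and first_token == "any6":
        return True
    return name.count(":") > 1          # an IPv6 literal has at least two ':'


def parse_destination(dest, recognise_named_wildcards=True):
    """Split a BIG-IP virtual server destination into (address, route_domain, port)."""
    name = dest.rsplit("/", 1)[-1]                      # drop a /Partition/ prefix
    delim = "." if _ipv6_form(name, recognise_named_wildcards) else ":"
    if delim not in name:
        raise ValueError(
            f"A port number or service name is missing for '{dest}'. "
            f"Please specify a port number or service name using the syntax '{dest}{delim}<port>'."
        )
    host, port_text = name.rsplit(delim, 1)
    host, _, rd_text = host.partition("%")
    route_domain = int(rd_text) if rd_text else 0       # %0 is the default route domain
    address = NAMED_WILDCARDS.get(host) or str(ipaddress.ip_address(host))
    port = int(port_text) if port_text.isdigit() else port_text   # service names stay as text
    return address, route_domain, port


if __name__ == "__main__":
    for dest in ("/Common/any6%2.0", "/Common/10.0.0.1%2:80", "2001:db8::1%2.443", "any:http"):
        print(dest, "->", parse_destination(dest))
    try:
        parse_destination("/Common/any6%2.0", recognise_named_wildcards=False)
    except ValueError as err:
        print("legacy delimiter choice:", err)
```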


537988-5 : Buffer overflow for large session messages

Component: Local Traffic Manager

Symptoms:
A system with multiple blades may crash when configured with functionality that uses SessionDB.

Conditions:
On a multi-blade machine, send an MPI message larger than 64K between blades (typically a session message).

Impact:
Core or potential data corruption.

Workaround:
None.

Fix:
There is no longer a buffer overflow for large session messages.


537964-4 : Monitor instances may not get deleted during configuration merge load

Component: Local Traffic Manager

Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted. This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following: err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.

Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.

Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved as follows:
1. Save and re-load the configuration to correct the incorrect information in mcpd:
   tmsh save sys config partitions all && tmsh load sys config partitions all
2. Restart bigd. On an appliance: bigstart restart bigd. On a chassis: clsh bigstart restart bigd

Fix:
Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.


537435-1 : Monpd might core if asking for export report by email while monpd is terminating

Component: Application Visibility and Reporting

Symptoms:
Core file is created by monpd if you try to export a report by email while monpd is terminating.

Conditions:
Very rare case: a user asks to export a report by email in the middle of monpd's graceful termination (due to a restart or other reason), which causes a core dump instead of a graceful termination.

Impact:
None

Workaround:
Fixed the code to avoid this behavior.

Fix:
Exporting a report by email in the middle of monpd's graceful termination (due to restart or other reason) will no longer cause a core dump.


536690-4 : Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)

Component: Local Traffic Manager

Symptoms:
When using features that require a process on the host to connect to a specific tmm within a chassis, those connections sometimes fail. This can result in improper behavior of the feature, such as failure to create sessions in APM.

Conditions:
Using a module and feature that requires host-tmm communication within a chassis. Requires that the fix to ID 499430 be present.

Impact:
Possible service failure, such as disallowing entry to APM.

Workaround:
none

Fix:
Host-to-tmm connections within a chassis no longer fail.


535759-3 : SMTP monitor marks a server down if the server does not close connections after a quit command is received

Component: Local Traffic Manager

Symptoms:
The SMTP monitor marks a server down even when the server responds with a 250 message to the HELO command. Monitor debug output might show the following error messages:
-- ERROR: failed to complete the transfer, error code: 28 error message: Time-out.
-- ERROR: failed to complete the transfer, error code: 56 error message: Recv failure: Connection reset by peer.

Conditions:
The monitored server does not close the TCP connection (does not send a FIN) after receiving a QUIT command from the client.

Impact:
The monitored server is always marked down.

Workaround:
None.

Fix:
SMTP monitor now closes the TCP connection (sends a FIN) after receiving a QUIT command from the client, so an SMTP monitor does not mark a server down when it is available.
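An added Python example (not F5's monitor code) of the exchange involved: a constructed loopback SMTP server that answers HELO with 250 but, optionally, never closes the connection after QUIT, probed by a check that either closes its own side after QUIT (the fixed behaviour) or waits for the server's FIN (the pre-fix behaviour, which times out). The host names, timeout and response strings are made up for the example.

```python
import socket
import threading

SERVER_GREETING = b"220 mail.example.test ESMTP\r\n"


def fake_smtp_server(listener, close_after_quit):
    """Constructed test server: answers HELO with 250 and, when close_after_quit is False,
    keeps the TCP connection open after QUIT instead of sending a FIN (the server in this issue)."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(SERVER_GREETING)
        reader = conn.makefile("rb")
        for line in reader:
            command = line.strip().upper()
            if command.startswith((b"HELO", b"EHLO")):
                conn.sendall(b"250 mail.example.test\r\n")
            elif command.startswith(b"QUIT"):
                conn.sendall(b"221 Bye\r\n")
                if close_after_quit:
                    break               # well-behaved server: close (FIN) after QUIT
                # otherwise keep reading until the client closes its side
            else:
                conn.sendall(b"500 Unknown command\r\n")


def smtp_probe(host, port, timeout=2.0, wait_for_server_close=False):
    """Health-check an SMTP server. Returns True when HELO is answered with 250.

    wait_for_server_close=False models the fixed monitor: send QUIT, then close our own side.
    wait_for_server_close=True models the pre-fix behaviour of waiting for the server's FIN,
    which times out (the 'error code: 28' case) against a server that keeps the connection open.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            reader = sock.makefile("rb")
            if not reader.readline().startswith(b"220"):
                return False
            sock.sendall(b"HELO monitor.example.test\r\n")
            healthy = reader.readline().startswith(b"250")
            sock.sendall(b"QUIT\r\n")
            reader.readline()                       # 221, best effort
            if wait_for_server_close:
                reader.readline()                   # returns b"" on FIN, or raises on timeout
            return healthy                          # leaving the 'with' closes our side (FIN)
    except OSError:                                 # includes timeout and connection reset
        return False


def run_probe(close_after_quit, wait_for_server_close):
    """Run one probe against the constructed server on an ephemeral loopback port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=fake_smtp_server, args=(listener, close_after_quit), daemon=True)
    server.start()
    try:
        return smtp_probe("127.0.0.1", port, timeout=1.0, wait_for_server_close=wait_for_server_close)
    finally:
        server.join(timeout=3)
        listener.close()


if __name__ == "__main__":
    print("server closes after QUIT, monitor waits for FIN:", run_probe(True, True))
    print("server keeps connection, fixed monitor closes itself:", run_probe(False, False))
    print("server keeps connection, old monitor waits for FIN:", run_probe(False, True))
```

Only the third run marks the server down, and only because the check made its verdict depend on the server's FIN rather than on the 250 response it had already received.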


535246-6 : Table values are not correctly cleaned and can occupy entire disk space.

Component: Application Visibility and Reporting

Symptoms:
AVR data in MySQL might grow to fill all disk space.

Conditions:
This might occur when DNS table receives a large number of entries that are not being evicted when they are no longer needed.

Impact:
MySQL stops responding. Site might experience down time due to full disk.

Workaround:
If you are monitoring disk space and AVR data takes more than 70% of the space, reset the AVR data by running the following commands in sequence:
-- touch /var/avr/init_avrdb
-- bigstart restart monpd

Fix:
In this release, the system handles AVR data in MySQL so that database size no longer grows beyond a certain point.


535188-3 : Response Pages custom content with \n instead of \r\n on policy import.

Component: Application Security Manager

Symptoms:
After importing a policy with custom content on the Default Response Page, new lines are changed from \r\n to \n, which is incorrect.

Conditions:
1. Create a new policy.
2. Go to Security : Application Security : Policy : Response Pages.
3. On the Default Response Page, change Response Type to 'Custom Response'.
4. Add line breaks ('Enters') to the 'Response Body' and save it (for example: <html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%></body></html>).
5. View the REST state of the response page and see that the new lines are represented by '\r\n'.
6. Export the policy to XML.
7. Import the policy back (replacing the old policy).
8. The new lines in the content of the response page are now represented by '\n' instead of '\r\n'.

Impact:
After importing a policy with custom content on the Default Response Page, new lines are changed from \r\n to \n, which is incorrect.

Workaround:
In GUI, Go to Security : Application Security : Policy : Response Pages, remove and add the 'Enters' and click on 'Save' for the default response page.

Fix:
After importing a policy with custom content on the Default Response Page, new lines are no longer changed from \r\n.


535101-1 : Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.

Component: Carrier-Grade NAT

Symptoms:
LSN configured in PBA mode can cause tmm to core if a connection needs to obtain resources from a remote tmm process. This occurs most frequently during heavy load or when there is a small translation space (a low number of translation addresses) configured on the PBA lsnpool.

Conditions:
- LSN with PBA mode configured.
- udp_gtm_dns profile configured on the virtual server handling traffic.
- Heavy traffic or small translation space.

Impact:
tmm cores and the BIG-IP can no longer handle traffic. Connections are interrupted.

Workaround:
Remove udp_gtm_dns profile from the virtual server, and replace it with fast L4.

Fix:
LSN pool configured with PBA mode no longer crashes with heavy load and udp_gtm_dns profile configured.


534804-2 : TMM may core with rate limiting enabled and service-down-action reselect on poolmembers

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when calculating the rate limit in certain circumstances.

Conditions:
VIP/pool configuration contains:
- Pool configured with Action On Service Down set to Reselect.
- Pool members configured with a Connection Rate Limit.
If all pool members go down, this can trigger the core.

Impact:
TMM will core.

Workaround:
Remove rate limit configuration.

Fix:
TMM no longer cores in certain conditions with rate limiting and service-down-action reselect on poolmembers


534633-3 : OpenSSH vulnerability CVE-2015-5600

Component: TMOS

Symptoms:
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.

Conditions:
SSH access is enabled.

Impact:
Remote attackers may be able to conduct brute-force attacks or cause a denial-of-service (DoS) by way of the ssh -oKbdInteractiveDevices option.

Workaround:
To mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to trusted users.

Fix:
In this release, the system queries each keyboard-interactive device only once per authentication request regardless of how many times it is listed. This is correct behavior. (CVE-2015-5600)


534582-4 : HA configuration may fail over when standby has only base configuration loaded.

Component: TMOS

Symptoms:
The active unit may fail over when only the base configuration is loaded on the standby system and HA communication in the HA configuration is interrupted.

Conditions:
Only base configuration loaded on standby and HA communications are disrupted.

Impact:
Potential site outage.

Workaround:
Configure HA to use multiple network interfaces. Avoid loading only the base configuration on HA configurations.

Fix:
HA configuration no longer fails over when a standby system has only the base configuration loaded.


534458-6 : SIP monitor marks down member if response has different whitespace in header fields.

Component: Local Traffic Manager

Symptoms:
In certain circumstances the SIP monitor may incorrectly mark a SIP pool member down. This is due to the comparison the monitor makes of the standard header fields in the SIP monitor request to the response.

Conditions:
SIP monitor and response differ in the use of whitespace in the header fields, for example, 'field:value' and 'field: value'.

Impact:
Unable to monitor the SIP pool member accurately using the standard SIP monitor because the pool member will be marked down.

Workaround:
Use other types of monitors, e.g., UDP.

Fix:
The SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differs.


534457-2 : Dynamically discovered routes might fail to remirror connections.

Component: Local Traffic Manager

Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.

Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.

Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.

Workaround:
Provide a static route instead of dynamic routes.

Fix:
Remirroring L4 connections using dynamic routes works correctly. (Note that when using dynamic routes there is no guarantee that the active and standby systems will use the same routes; if the routes differ when the active system fails over, some connections might be dropped.)


534246-2 : rest_uuid should be calculated from the actual values inserted to the entity

Component: Application Security Manager

Symptoms:
BIG-IP computes the case-sensitive rest_uuid values for HTTP headers but stores the headers as case-insensitive.

Conditions:
This is an example:
1. Go to Security >> Application Security >> Headers >> HTTP Headers.
2. Choose 'Custom...' for the name of the header.
3. Create a custom header named 'Abc' (with a capital letter).
4. Note the ID generated in the JSON element.
5. Delete the header.
6. Create a new custom header named 'abc'.
Actual results: The ID of 'abc' and the ID of 'Abc' are different.

Impact:
Two identical normalized values may have different rest_uuid.

Workaround:
N/A

Fix:
The REST "id" field is now calculated from the actual values inserted to the entity, and not on the user-input values.


534090-2 : Node.js vulnerability CVE-2015-5380

Component: Local Traffic Manager

Symptoms:
The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence. (CVE-2015-5380)

Conditions:
Running one of the vulnerable versions. For more information, see SOL17238: Node.js vulnerability CVE-2015-5380, available here: https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17238.html.

Impact:
For the f5-rest-node package on both the BIG-IP and BIG-IQ systems: A locally authenticated attacker with access to the command line may be able to cause a partial denial-of-service (DoS) to the system through exploitation of this issue. For the BIG-IQ UI node package: A remote attacker may be able to cause a denial of service (DoS) to the system through exploitation of this issue.

Workaround:
There is no mitigation for this vulnerability. However, F5 recommends that you permit management access to affected F5 products only over a secure network, and limit shell access to trusted users. For more information about securing access to BIG-IP systems, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x) and SOL13092: Overview of securing access to the BIG-IP system.

Fix:
This release addresses Node.js vulnerability CVE-2015-5380.


534076-2 : SNMP configured trap-source might not be used in v1 snmp traps.

Component: TMOS

Symptoms:
As a result of a known issue, SNMP v1 traps with configured trap-source might fail to use the configured address, and will use the default management port IP address instead.

Conditions:
- SNMP v1 traps and destination configured. - trap-source configured.

Impact:
Traps will have the incorrect agent-addr set, and SNMP configured trap-source might not be used.

Workaround:
None.

Fix:
SNMP v1 traps now correctly use the configured trap-source.
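A check for this issue, as an added Python example rather than anything from F5: decode the agent-addr field of a received SNMPv1 trap and compare it with the configured trap-source. The script builds its own trap datagrams with a minimal BER encoder and parses them back; the constructed input (F5's enterprise arc 1.3.6.1.4.1.3375, the community 'public', the sysName.0 varbind, and the addresses 10.1.1.5 for the trap-source and 192.0.2.10 for the management IP) is assumed for illustration. Against real traffic you would feed trap_agent_addr the UDP payload captured on the trap receiver.

```python
import ipaddress

# BER tags used in an SNMPv1 message (RFC 1155 / RFC 1157)
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_IPADDRESS, TAG_TIMETICKS, TAG_TRAP_PDU = 0x40, 0x43, 0xA4


def _tlv(tag, body):
    """Encode one BER element with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        long_form = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(long_form)]) + long_form
    return bytes([tag]) + length + body


def _int_body(value):
    """Two's-complement big-endian contents of an INTEGER (non-negative values here)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def _oid(dotted):
    """Encode a dotted OID: first two arcs combined, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_v1_trap(community, enterprise, agent_addr, generic=6, specific=1, uptime=0, varbinds=()):
    """Build an SNMPv1 Trap-PDU datagram (constructed test input, not captured traffic)."""
    pdu = _oid(enterprise)
    pdu += _tlv(TAG_IPADDRESS, ipaddress.IPv4Address(agent_addr).packed)   # the agent-addr field
    pdu += _tlv(TAG_INTEGER, _int_body(generic)) + _tlv(TAG_INTEGER, _int_body(specific))
    pdu += _tlv(TAG_TIMETICKS, _int_body(uptime))
    pdu += _tlv(TAG_SEQUENCE, b"".join(
        _tlv(TAG_SEQUENCE, _oid(oid) + _tlv(TAG_OCTET_STRING, text.encode()))
        for oid, text in varbinds))
    message = _tlv(TAG_INTEGER, _int_body(0)) + _tlv(TAG_OCTET_STRING, community.encode())
    return _tlv(TAG_SEQUENCE, message + _tlv(TAG_TRAP_PDU, pdu))


def _read_tlv(buf, pos):
    """Decode one BER element at buf[pos]; return (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def trap_agent_addr(datagram):
    """Return (community, agent-addr) from an SNMPv1 trap datagram; reject anything else."""
    tag, message, _ = _read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(message, 0)
    if tag != TAG_INTEGER or int.from_bytes(version, "big", signed=True) != 0:
        raise ValueError("not SNMPv1")
    tag, community, pos = _read_tlv(message, pos)
    tag, pdu, _ = _read_tlv(message, pos)
    if tag != TAG_TRAP_PDU:
        raise ValueError("not a v1 Trap-PDU")
    _, _enterprise, pos = _read_tlv(pdu, 0)
    tag, addr, _ = _read_tlv(pdu, pos)
    if tag != TAG_IPADDRESS or len(addr) != 4:
        raise ValueError("agent-addr is not an IpAddress")
    return community.decode(), str(ipaddress.IPv4Address(bytes(addr)))


def trap_source_matches(datagram, expected_source):
    """The check for this issue: does the trap carry the configured trap-source as agent-addr?"""
    return trap_agent_addr(datagram)[1] == expected_source


if __name__ == "__main__":
    good = encode_v1_trap("public", "1.3.6.1.4.1.3375", "10.1.1.5",
                          varbinds=(("1.3.6.1.2.1.1.5.0", "bigip1.example.test"),))
    bad = encode_v1_trap("public", "1.3.6.1.4.1.3375", "192.0.2.10")
    for name, dgram in (("configured trap-source", good), ("management address", bad)):
        print(name, trap_agent_addr(dgram), "ok" if trap_source_matches(dgram, "10.1.1.5") else "MISMATCH")
```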


534052-3 : VLAN failsafe triggering on standby leaks memory

Component: Local Traffic Manager

Symptoms:
Memory is leaked when VLAN failsafe is active and sending ICMP probes.

Conditions:
VLAN failsafe active and sending ICMP probes on standby and configured with failsafe-action failover.

Impact:
Memory leak causing aggressive sweeper and eventually TMM crash on standby.

Workaround:
None.

Fix:
Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes.


533826-5 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system.


533820-5 : DNS Cache response missing additional section

Component: Local Traffic Manager

Symptoms:
Resolver cache lookups are missing authority and additional sections.

Conditions:
Resolver cache lookups could be missing the authority and additional sections for A and AAAA queries when the DO bit is not set.

Impact:
If the requesting client needs the information that would normally be included in the authority or additional sections, it would have to make additional queries to acquire that data.

Workaround:
none

Fix:
The resolver cache now includes the authority and additional sections when that information is available.


533790-4 : Creating multiple address entries in data-group might result in records being incorrectly deleted

Component: TMOS

Symptoms:
Using the GUI to create multiple address entries in data-group might result in records being incorrectly deleted

Conditions:
Creating multiple address entries in data-group

Impact:
Cannot add/remove IP addresses from existing data groups without affecting existing IP addresses through GUI.

Workaround:
Use TMSH to add/remove IP addresses from existing data groups.

Fix:
You can now use the GUI to add/remove IP addresses from a data-group IP address list without affecting other IP addresses.


533658-5 : DNS decision logging can trigger TMM crash

Component: Global Traffic Manager

Symptoms:
Applying load balance decision logging to the DNS profile can cause TMM to crash when a query is load balanced to a last resort pool that is unavailable.

Conditions:
-- DNS load balance decision logging is enabled on the DNS profile.
-- A Wide IP is configured with a last resort pool.
-- The last resort pool is unavailable.
-- A query is load balanced to the last resort pool.

Impact:
TMM crashes and restarts.

Workaround:
Disable decision logging for the DNS profile, or discontinue use of the last resort pool feature.

Fix:
DNS decision logging no longer causes TMM to crash when a last resort pool is configured for a Wide IP, that last resort pool is unavailable, and a query is load balanced to that last resort pool.


532911-2 : Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.

Component: Local Traffic Manager

Symptoms:
Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.

Conditions:
In server SSL profiles with 'Untrusted Certificate Response Control' set to ignore. When backend server sends self-signed untrusted certificate.

Impact:
The ltm log displays this error: Peer cert verify error: unable to verify the first certificate.

Workaround:
None.

Fix:
Ignore X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE certificate validation error message when serverssl profile sets 'Untrusted Certificate Response Control' to ignore.


532107-2 : [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted

Component: Local Traffic Manager

Symptoms:
If the RTT value for the nameserver cache reaches the maximum value of 120000, the BIG-IP system keeps that maximum RTT value even after 'delete ltm dns cache nameserver' is executed.

Conditions:
The RTT for the nameserver cache reached the maximum value of 120000.

Impact:
This can cause dns response failure.

Workaround:
Change size for nameserver-cache-count to reset the nameserver cache. # tmsh modify /ltm dns cache resolver my_dns_cache nameserver-cache-count 16536

Fix:
Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior.


531986-3 : Hourly AWS VE license breaks after reboot with default tmm route/gateway.

Component: TMOS

Symptoms:
In AWS Hourly instances, if a default gateway is added, the hourly license may fail, causing BIG-IP to fail to come up to a running state. Error messages will resemble the following: Jul 6 19:26:14 ip-10-0-0-104 err mcpd[22186]: 01070734:3: Configuration error: MCPProcessor::check_initialization: Jul 6 19:26:17 ip-10-0-0-104 err mcpd[22186]: 010717ff:3: [Licensing]: Failure in establishing instance identity.

Conditions:
Hourly instance in AWS with default tmm route added.

Impact:
BIG-IP VE will fail to fully start, rendering the instance unusable.

Workaround:
Temporary removal of default tmm route resolves this problem. The tmm route can be added back once MCPD is in the running state.

Fix:
The problem with default tmm route breaking Hourly licenses has been resolved. The default tmm route no longer affects the license check on Hourly billing Virtual Edition.


531983-5 : [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added

Component: Access Policy Manager

Symptoms:
Routing table is not updated correctly in connected state when new adapter is added to the system.

Conditions:
SSL VPN tunnel is established and new adapter is added to the system. For example, Wi-Fi connected when tunnel is established already over Ethernet adapter.

Impact:
Routing table might be corrupted.

Workaround:
Restart OS X.

Fix:
The routing table now updates correctly when a new adapter is added to the system while an SSL VPN tunnel is already established over a network adapter.


531809-2 : FTP/SMTP traffic related bd crash

Component: Application Security Manager

Symptoms:
Protocol Security: The Enforcer may crash upon FTP or SMTP traffic using remote logging.

Conditions:
FTP/SMTP traffic and remote logging assigned. Crash happens on a rare occasion.

Impact:
bd crash, traffic disturbance.

Workaround:
Remove the remote logging from FTP/SMTP.

Fix:
Protocol Security: The Enforcer no longer crashes upon FTP or SMTP traffic using remote logging.


531705-2 : List commands on non-existent iRules incorrectly succeeds.

Component: TMOS

Symptoms:
In certain cases, issuing an iControl REST or tmsh list rule command on a non-existent iRule can return successfully with an empty list. Instead it should return an error that the specified iRule does not exist.

Conditions:
If any iRule happens to exist in a different folder than the current folder context.

Impact:
The user is unable to rely on receiving an error from tmsh or iControl REST if they query for iRules that do not exist.

Workaround:
There is no workaround.

Fix:
Issuing a list command for a non-existent iRule now returns an error.


530952-1 : MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'

Component: Application Visibility and Reporting

Symptoms:
MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'. Errors in monpd.log similar to the following: [DB::mysql_query_safe, query failed] Error (error number 1615) executing SQL string ...

Conditions:
This is due to a MySql bug. For information, see 'Prepared-Statement fails when MySQL-Server under load', available here: http://bugs.mysql.com/bug.php?id=42041

Impact:
Monpd loses functionality

Workaround:
Restart monpd.

Fix:
Error number 1615, 'Prepared statement needs to be re-prepared', no longer occurs in the monpd.log.


530761-1 : TMM crash in DNS processing on a TCP virtual

Component: Local Traffic Manager

Symptoms:
TMM can crash while processing DNS requests on a TCP virtual server.

Conditions:
A TCP DNS virtual server combined with a DNS iRule that suspends and a client that closes its connection before receiving a response to its DNS request.

Impact:
TMM restarts.

Workaround:
While no true workaround exists, the situation can be avoided by removing any one of the conditions above.

Fix:
TMM now properly handles DNS requests through a TCP virtual where the client closes the connection during iRule processing.


530622-1 : EAM plugin uses high memory when serving very high concurrent user load

Component: Access Policy Manager

Symptoms:
EAM plugin cannot sustain high concurrent user load and will be killed by memory monitors. EAM is cored and restarted. Any requests coming during restart will not be served.

Conditions:
This issue was found in stress testing and reported by customers during high concurrent user load.

Impact:
As a result, EAM cored and restarted; users cannot authenticate during process restart.

Workaround:
No workaround.

Fix:
There was a memory usage issue in the EAM plugin that was caused by a huge object allocation for each connection. This issue is fixed by reducing the default size of client cert and payload arrays.


530598-1 : Some Session Tracking data points are lost on TMM restart

Component: Application Security Manager

Symptoms:
Session Tracking data points, that are added by ASM upon traffic, based on Session Tracking thresholds configuration, are lost when TMM restarts.

Conditions:
ASM Provisioned. Session Tracking feature is ON.

Impact:
Session Tracking data points may be added by ASM upon traffic. These are data points with action 'Block-All'. These data points are lost when TMM restarts.

Workaround:
None.

Fix:
This release fixes the Session Tracking data points persistence, so that the 'Block-All' Session Tracking data points, which are added by ASM upon traffic, are not lost when TMM restarts.


530505-4 : IP fragments can cause TMM to crash when packet filtering is enabled

Component: Local Traffic Manager

Symptoms:
TMM can crash when an IP fragment is received and packet filtering is enabled.

Conditions:
This issue can occur when packet filtering is enabled and an IP fragment is received on the non-owning TMM. To determine whether packet filtering is enabled, query the packetfilter setting with the 'tmsh list sys db packetfilter' command.

Impact:
TMM crashes when it attempts to forward the fragment to the owning TMM. Traffic interruption while TMM restarts.

Workaround:
Disable packet filtering.

Fix:
When packet filtering is enabled and an IP fragment is received on the non-owning TMM, TMM forwards the IP fragment without issue.


530242-3 : SPDAG on VIPRION B2250 and B2250F blades might cause traffic imbalance among TMMs

Component: TMOS

Symptoms:
When SPDAG is turned on for VIPRION B2250 and B2250F blades, traffic imbalance among TMMs might be observed.

Conditions:
Enable SPDAG on VIPRION B2250 and B2250F blades.

Impact:
The traffic imbalance can lower the throughput of VIPRION B2250 and B2250F blades.

Workaround:
Adding or removing an A112 blade might mitigate the imbalance.

Fix:
A new DAG hash is added for SPDAG on VIPRION B2250 and B2250F blades, which can resolve the SPDAG traffic imbalance. The new DAG hash can be turned on by setting tmm tcl variable, dag::use_p8_sp_hash, to yes. Add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes.


530133-3 : Support for New Platform: BIG-IP 10350 FIPS

Component: TMOS

Symptoms:
Support for New Platform: BIG-IP 10350 FIPS, effective in 11.5.4 HF1

Conditions:
This details the new platform name.

Impact:
This is an added platform. There is no impact to the product.

Workaround:
None needed.

Fix:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.

Behavior Change:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.


529977-1 : OSPF may not process updates to redistributed routes

Component: TMOS

Symptoms:
When routes redistributed into OSPF are rapidly added and removed, OSPF may not reflect all of the updates in its LSA database.

Conditions:
External routes, such as kernel or static routes, redistributed into OSPF are rapidly added and removed. This may happen when using Route Health Injection and enabling/disabling a virtual address.

Impact:
OSPF may have stale or missing LSAs for redistributed routes.

Workaround:
Identify the OSPF process ID for the affected route domain using "ps | grep ospfd" and terminate it using the kill command. This disrupts dynamic routing using OSPF.

Fix:
The OSPF LSA database correctly reflects the state of redistributed routes after rapid updates.


529920-7 : Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit.

Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.

Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.

Workaround:
None.

Fix:
Connection mirroring on a OneConnect virtual server now successfully recovers from a TMM crash during connection establishment, so no mirrored connection flows are lost.


529903-1 : Incorrect reports on multi-bladed systems

Component: Application Visibility and Reporting

Symptoms:
Reports on multi-bladed systems might contain incorrect data, if the blades are active at different times, and do not share the same level of history. A report appears on a different time range than expected.

Conditions:
Example: A setup with 3 blades, and 2 are down while the active 1 receives traffic for a full day. Later the 2 down blades go up. The resulting report for 'last day' contains data only for the previous hour, even though traffic has been passing through it for the last day.

Impact:
Report not as expected.

Workaround:
None.

Fix:
Reports on multi-bladed systems are now displayed correctly even when the blades are active at different times, and do not share the same level of history.


529900-1 : AVR missing some configuration changes in multiblade system

Component: Application Visibility and Reporting

Symptoms:
Some DB variables affect the behavior of AVR, but if they are modified in a multiblade system, then not all blades will be aware of the change, which later leads to errors in functionality.

Conditions:
Multiblade system, having one of the following changes: 1. New primary blade is selected. 2. Change to AVR max number of entities in the DB.

Impact:
Data might not be loaded into the DB, or not be queried correctly.

Workaround:
Restart of monpd solves the problem.

Fix:
Configuration changes in multiblade systems are now treated correctly.


529899-1 : Installation may fail with the error "(Storage modification process conflict.)".

Component: Local Traffic Manager

Symptoms:
On chassis, installation may fail with the error "(Storage modification process conflict.)".

Conditions:
This happens when deleting a boot location and then quickly installing new software to that boot location.

Impact:
Minimal; the installation can be restarted.

Workaround:
Delete the failed volume and restart the installation.

Fix:
On chassis, there was one possible case where the installation would occasionally fail with the error "(Storage modification process conflict.)". This case has been fixed.


529897-1 : Diameter monitor logging displays hex when the monitor is failing, instead of the AVP on which the monitor is failing.

Component: Local Traffic Manager

Symptoms:
Failed diameter monitor logging displays hex instead of the AVP on which the monitor failed.

Conditions:
Logging is enabled on a pool member which is being checked by a diameter monitor, and the monitor is failing.

Impact:
Difficult to determine the reason for the diameter monitor failure.

Workaround:
None.


529634-2 : Crash observed with HSL logging

Component: Policy Enforcement Manager

Symptoms:
In some cases, we see a crash with HSL logging.

Conditions:
Configure an HSL endpoint with session reporting. This crash is observed when multiple sessions are configured with HSL session reporting.

Impact:
TMM cores.

Workaround:

Fix:
The crash was caused by variables shared across threads. These have been changed to per-thread variables.


529610-1 : On HA setups, the ASM session tracking page displays an empty list when in fact there are ASM entries in the session DB

Component: Application Security Manager

Symptoms:
When session tracking actions are enabled in an ASM policy, an HTTP request may be blocked based on the HTTP session or username because illegal traffic has been sent from this session. The blocked request is reported in the security events log, but there is no option to release the username using the Configuration utility.

Conditions:
High availability (HA) setup, and ASM with Session tracking actions enabled.

Impact:
Usernames and HTTP sessions are blocked by ASM without an option to release them from the Configuration utility.

Workaround:
Stop and start tmm on all devices in the HA group by running the following commands:
-- bigstart stop tmm
-- bigstart start tmm

Fix:
Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done on the Session Tracking Status screen.


529535-4 : MCP validation error while deactivating a policy that is assigned to a virtual server

Component: Application Security Manager

Symptoms:
When deactivating a security policy via REST, and the policy is assigned to a virtual server, the BIG-IP system reports the following error:
----------------------------
"MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/<VS_name>'. It is in use by ltm policy '/Common/<L7_policy_name>'.",
----------------------------
However, the security policy becomes inactive and remains assigned to the virtual server. This causes the virtual server to stop processing network traffic, and the following errors appear in 'bd.log':
----------------------------
BD_MISC|ERR |Jun 24 12:53:35.698|17566|src/acc_reject_policy.c:0165|Account id 10 has no reject policy configured. Cannot get data
----------------------------

Conditions:
ASM provisioned, with a security policy assigned to a virtual server, and the security policy is then deactivated via the REST API.

Impact:
An inactive security policy remains assigned to a virtual server.

Workaround:
Deactivate the security policy via the GUI at 'Security :: Application Security : Security Policies : Active Policies'.

Fix:
The deactivation of a security policy using the REST API now removes the association of the deactivated policy from the virtual server, resulting in no errors and consistent configuration state.


529509-6 : BIND Vulnerability CVE-2015-4620

Component: TMOS

Symptoms:
A flaw was found in the way BIND performed DNSSEC validation.

Conditions:
Red Hat Product Security has rated this update as having Important security impact. Due to F5 architecture and design this has restricted impact and only impacts GTM and only in a non-default configuration.

Impact:
An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure. (CVE-2015-4620)

Workaround:

Fix:
A flaw in DNSSEC validation has been fixed.


529484-4 : Virtual Edition Kernel Panic under load

Component: TMOS

Symptoms:
Virtual Edition instances may crash with a kernel panic under heavy traffic load.

Conditions:
Virtual Edition instances passing 10 Gbps of traffic on interfaces that support LRO.

Impact:
When the issue occurs the Virtual Edition instance will reboot.

Workaround:
Disable LRO on the underlying hypervisor, if possible.

Fix:
Virtual Edition instances now stay active when passing 10 Gbps of traffic on interfaces that support LRO.


529460-7 : Short HTTP monitor responses can incorrectly mark virtual servers down.

Component: Global Traffic Manager

Symptoms:
Despite successful probe response, BIG-IP DNS marks virtual server down.

Conditions:
HTTP server sends HTTP response that is shorter than 64 bytes.

Impact:
Virtual servers are incorrectly marked down.

Workaround:
Modify server response or use a TCP monitor.

Fix:
The BIG-IP DNS HTTP/1.x monitor probe now requires 17, rather than 64, bytes of response payload, so HTTP monitor responses shorter than 64 bytes no longer incorrectly mark virtual servers down.


528987-3 : Benign warning during formatting installation

Component: TMOS

Symptoms:
The system posts a benign warning during formatting installation: 'warning: array conf_write could not find data disk'.

Conditions:
This occurs during formatting installation.

Impact:
This is a benign error message that does not indicate an issue with the system. You can safely ignore it.

Workaround:
None needed. This is a cosmetic message.

Fix:
This benign warning during formatting installation has been eliminated: 'warning: array conf_write could not find data disk'.


528808-3 : Source NAT translation doesn't work when APM is disabled using iRule

Component: Access Policy Manager

Symptoms:
Source NAT translation does not happen and server-side connection fails.

Conditions:
ACCESS::disable iRule is added to the virtual server.

Impact:
Proxy's server-side connection fails.

Workaround:
Do not use the ACCESS::disable iRule command.

Fix:
Source address translation is now restored correctly even if an iRule has disabled APM.


528739-1 : DNS Cache could use cached data from ADDITIONAL sections in ANSWER responses.

Component: Local Traffic Manager

Symptoms:
DNS Caching could use cached data from ADDITIONAL sections of previous lookups in the ANSWER section of responses.

Conditions:
This occurs when using DNS Caching.

Impact:
The data from the ADDITIONAL section should not be used in the ANSWER section of DNS responses. The data could be stale or incorrect.

Workaround:
None

Fix:
The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.


528407-4 : TMM may core with invalid lasthop pool configuration

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool.

Conditions:
1) BIG-IP system with a VIP and a lasthop pool with a non-local pool member.
2) Sys db tm.lhpnomemberaction set to 2.

Impact:
TMM cores and fails over.

Workaround:
Configure lasthop pool to use local members/addresses.

Fix:
TMM no longer cores with an invalid lasthop pool configuration.


528276-7 : The device management daemon can crash with a malloc error

Component: TMOS

Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.

Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.

Impact:
The daemon crashes and recovers.

Workaround:
This issue has no workaround at this time.

Fix:
The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.


528031-3 : AVR not reporting the activity of standby systems.

Component: Application Visibility and Reporting

Symptoms:
When working in Active/Standby configurations, the standby system is completely ignored when generating an AVR report. The standby system might have been an active system in the past, so its statistics should also be counted.

Conditions:
Configuration with Active and Standby systems.

Impact:
Some historical activity might not be reported by AVR.

Workaround:
None.

Fix:
We added device group support, and the user can now choose the device group to query from.


528007-6 : Memory leak in ssl

Component: Local Traffic Manager

Symptoms:
An intermittent memory leak was encountered in SSL.

Conditions:
This can occur under certain conditions when using Client SSL profiles.

Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.

Workaround:
none

Fix:
An intermittent memory leak in SSL was fixed.


527149-3 : FQDN template node transitions to 'unknown' after configuration reload

Component: Local Traffic Manager

Symptoms:
An FQDN node that was available becomes 'unknown' after configuration load or reload.

Conditions:
This occurs in configurations containing FQDN nodes.

Impact:
An FQDN node template stays 'unknown' after configuration load or reload. This does not affect resolution or generation of ephemeral nodes.

Workaround:
None needed. This is cosmetic only.

Fix:
An FQDN node that was available now stays available after configuration load or reload.


527027-4 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP system are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and when attaching and/or responding with DNSSEC resource records.


527024-3 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP system are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and when attaching and/or responding with DNSSEC resource records.


527011-6 : Intermittent lost connections with no errors on external interfaces

Component: Local Traffic Manager

Symptoms:
Intermittent lost connections to virtual servers or pool nodes with no observable errors on external interfaces. Errors are observed on internal interfaces using 'tmos show net interface -hidden'.

Conditions:
Normal operation. This can occur on BIG-IP 8950, 11000, and 11050 platforms.

Impact:
Lost connections

Workaround:
None.

Fix:
An issue with intermittent lost connections with no errors on the external interface has been corrected.


526817-4 : snmpd core due to mcpd message timer thread not exiting

Component: TMOS

Symptoms:
snmpd might occasionally experience a thread deadlock condition and be restarted (with a core dump) by sod.

Conditions:
This can occur during a SNMP configuration change.

Impact:
snmpd occasionally becomes unresponsive for the duration of the configured snmpd heartbeat timeout.

Workaround:
After an SNMP configuration change on the BIG-IP system, the deadlock timing issue can be avoided by manually restarting snmpd.

Fix:
snmpd no longer becomes unresponsive for the duration of the configured snmpd heartbeat timeout during configuration changes.


526699-6 : TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.

Component: Global Traffic Manager

Symptoms:
A BIG-IP DNS system configured with an iRule that makes use of the command nodes_up in its ip_address :: port version might lead to a crash.

Conditions:
- BIG-IP DNS iRule processing traffic with the nodes_up IP/Port command.
- IP/Port references an invalid LTM virtual server.
- Client sends requests to the BIG-IP DNS wide IP.

Impact:
TMM might crash.

Workaround:
Specify the correct IP/Port in the nodes_up iRule command.

Fix:
TMM no longer crashes when using an incorrect IP/Port in a nodes_up BIG-IP DNS iRule.


526637-4 : tmm crash with APM clientless mode

Component: Access Policy Manager

Symptoms:
A condition that occurs when using APM in clientless mode can cause a rare tmm crash.

Conditions:
Only occurs on 11.5 and later, and while using clientless mode 3. This crash has been very difficult to reproduce.

Impact:
Causes a crash, but it is very rare.

Workaround:
none

Fix:
tmm will no longer crash in APM clientless mode; it now sends a reset.


526162-7 : TMM crashes with SIGABRT

Component: Application Security Manager

Symptoms:
TMM crashes with SIGABRT (sod crashes the tmm). This error appears in the LTM logs: 'HA daemon_heartbeat tmm fails action is go offline down links and restart'.

Conditions:
IP reputation is turned on, and the IP reputation database is reloaded.

Impact:
TMM crash, traffic dropped.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed a rare scenario where TMM was halted when the IP reputation daemon was loading a new IP reputation database.


526031-2 : OSPFv3 may not completely recover from "clear ipv6 ospf process"

Component: TMOS

Symptoms:
Open Shortest Path First version 3 (OSPFv3) Link link-state advertisements (Link LSAs) may not be re-originated from the BIG-IP system if a neighboring router sends the LSA back to the BIG-IP system.

Conditions:
Blade failover occurs on a chassis, 'clear ipv6 ospf process' is run, or ospf6d crashes.

Impact:
Routes from Link LSAs generated by the BIG-IP may be missing in the OSPFv3 network.

Workaround:
Disable OSPFv3 on the BIG-IP system until the Link LSA has been purged from the network. To do so, remove OSPFv3 from the route domain for approximately 10 seconds and then add it back.

Fix:
Link LSAs are correctly re-originated by the BIG-IP system when the LSAs are sent to the BIG-IP by a neighbor router.


525989-2 : A disabled blade is spontaneously re-enabled

Component: Local Traffic Manager

Symptoms:
If a secondary blade in a 'ready' state becomes primary and then is quickly disabled, it does not send a cluster packet for ten seconds. A new primary, therefore, is not elected for ten seconds (the heartbeat timeout), instead of immediately, as expected. The other blades, including the new primary, never receive the message that the blade was set to disabled, so the blade is re-enabled without the user requesting it.

Conditions:
This occurs only if the blade disable operations occur very shortly after the primary blade is moved.

Impact:
A blade that the user expects to be disabled is spuriously re-enabled. User interfaces to access configuration, such as tmsh and the GUI, might hang for the ten-second interval. The system posts an error message similar to the following:
load_config_files: '/usr/bin/tmsh -n -g load sys config partitions all base' - failed. -- Unexpected Error: Saving and loading configuration is only allowed on the primary slot.

Workaround:
Wait ten seconds after disabling a blade before disabling another blade.

Fix:
A previously disabled blade is no longer spuriously re-enabled if the primary blade is moved around quickly.


525958-11 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.

Component: Local Traffic Manager

Symptoms:
In a specific combination of events TMM may core.

Conditions:
This occurs when the following conditions are met:
- Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
- That address is not directly connected.
- The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
System may failover.

Workaround:
Ensure correct routing to all destinations with reachable next hops.

Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.


525882-2 : SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate.

Component: Local Traffic Manager

Symptoms:
SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate causing TMM memory leakage over time.

Conditions:
clientssl in use with the client presenting a certificate for verification.

Impact:
TMM memory leak.

Workaround:
None.

Fix:
Client certificate verification now releases all references and the memory leak no longer occurs.


525672-2 : tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.

Component: Local Traffic Manager

Symptoms:
tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.

Conditions:
- Virtual server (vs1) configured with SSL forward proxy.
- vs1 is attached to an iRule with the following events and actions: CLIENT_ACCEPTED does TCP::collect, CLIENT_DATA does TCP::release, CLIENTSSL_CLIENTHELLO does an SNI lookup.

Impact:
Double SNI lookup happens instead of single lookup. tmm memory leak and eventual out-of-memory.

Workaround:
None.

Fix:
SSL with forward proxy no longer leaks memory.


525478-2 : Requests for deflate encoding of gzip documents may crash TMM

Component: WebAccelerator

Symptoms:
When searching for documents in the gzip cache, if a document has been cached with gzip encoding but a non-deflate compression method (i.e., CM != 0x08) and the client has requested deflate compression, TMM may crash.

Conditions:
-- WAM/AAM enabled on VIP.
-- HTTP compression enabled on VIP.
-- Document served with gzip encoding and non-deflate compression.
-- Document has entered the gzip cache.
-- Client HTTP request specifies deflate encoding.

Impact:
TMM crash.

Workaround:
Ensure that only the deflate method is used in gzip-compressed documents that will be cached by WAM/AAM. With most web servers this is the default behavior and cannot be changed. Alternatively, remove the 'Accept-Encoding: deflate' header using an iRule so that no clients can request deflate encoding.

Fix:
TMM now correctly handles requests for deflate compression of cached gzip documents with non-deflate compression methods.


525322-7 : Executing tmsh clientssl-proxy cached-certs crashes tmm

Component: Local Traffic Manager

Symptoms:
tmm crashes while executing the "tmsh clientssl-proxy cached-certs" command.

Conditions:
SSL forward proxy virtual server with a clientssl profile name longer than 32 characters, including the partition name (that is, /Common/<profilename> is more than 32 characters long).

Impact:
tmm crash

Workaround:
Keep the profile name lengths less than 32 chars, or do not run the command until fixed.

Fix:
The "tmsh clientssl-proxy cached-certs" command will now run successfully with profile name lengths longer than 32 characters.


525232-1 : PHP vulnerability CVE-2015-4024

Component: TMOS

Symptoms:
PHP vulnerability CVE-2015-4024.

Conditions:
Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome. (CVE-2015-4024)

Impact:
This vulnerability may allow attackers to cause a denial-of-service (DoS) using crafted form data that triggers an improper order-of-growth outcome. Note: This vulnerability is exploitable only through the BIG-IP control plane (non-Traffic Management Microkernel (TMM) related tasks).

Workaround:
To mitigate this vulnerability, F5 recommends that you expose management access only on trusted networks.

Fix:
Fixed PHP vulnerability CVE-2015-4024.


524960-2 : 'forward' command does not work if virtual server has attached pool

Component: Local Traffic Manager

Symptoms:
The iRule 'forward' command does not result in connections being routed to the proper destination if the virtual server has an attached pool.

Conditions:
Virtual server with:
- Pool.
- iRule that issues 'forward' commands.

Impact:
Connections are routed to pool member instead of destination determined by network routes.

Workaround:
Remove pool assigned to virtual server and select the pool using an iRule with a 'pool' command when 'forward' command is not issued.

Fix:
The 'forward' command now releases the previously selected pool member, enabling the connection to be routed based on the packet destination, as expected.


524641-1 : Wildcard NAPTR record after deleting the NAPTR records

Component: Local Traffic Manager

Symptoms:
There is a DNS query issue when adding/deleting a NAPTR record through ZoneRunner.

Conditions:
After deleting a specific NAPTR record, the previously added wildcard NAPTR record will fail for wildcard dig queries and the system does not show the correct subdomains.

Impact:
Wildcard NAPTR record call fails after deleting the NAPTR records.

Workaround:
None.

Fix:
Wildcard NAPTR record call now completes successfully after deleting the NAPTR records.


524605-2 : Requests/responses may not be fully delivered to plugin in some circumstances

Component: Local Traffic Manager

Symptoms:
If a plugin disables itself when encountering a request or response it is not interested in, subsequent requests or responses on the same connection may not be fully delivered to the plugin, causing the plugin and/or user application to function incorrectly.

Conditions:
The one known case where this occurs is when the WebSafe module is deployed and user applications being processed on WebSafe connections make use of POST requests.

Impact:
WebSafe connections may not function correctly. The problem is intermittent and depends on both the application and browser behaviors.

Workaround:
None.

Fix:
Plugins now receive subsequent requests/responses on the same connection in full, even after encountering a request/response they are not interested in.


524300-2 : The MOS boot process appears to hang.

Component: TMOS

Symptoms:
When a BIG-IP 2000 series or BIG-IP 4000 series device is booted into MOS (either manually or as a result of a user running the image2disk utility), the MOS boot process appears to hang. In reality, MOS boots successfully, but loses its connection to the BIG-IP system's serial console.

Conditions:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 is booted from MOS.

Impact:
If you booted into MOS manually, you cannot carry out the tasks that you had set out to do. You must reset the device (either physically or via the AOM menu) to recover it. If the system booted into MOS automatically (as a result of a user running the image2disk utility to perform a clean installation), the installation completes successfully and the system reboots correctly at the end of the installation. However, you cannot see and follow the re-imaging process because of this issue. In this case, you can watch the (seemingly hung) serial console until the system reboots by itself.

Workaround:
You can work around this issue by performing a temporary installation of BIG-IP version 12.0.0 to a new boot slot. No further action is required. This temporary installation of BIG-IP version 12.0.0 can be deleted once completed. This temporary installation of version 12.0.0 has the effect of upgrading MOS to a version which resolves this issue.

Fix:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 that is booted into MOS now retains its connection to the serial console.


523995-2 : IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes

Component: Local Traffic Manager

Symptoms:
TMM can crash and ECMP routes via IPv4 link-local addresses may not work correctly.

Conditions:
This happens only for specific IP range with dynamic routing and multiple next hops.

Impact:
TMM crash

Workaround:
Avoid using the 169.254 prefix.

Fix:
ECMP routes are working correctly and TMM does not crash.


523867-3 : 'warning: Failed to find EUDs' message during formatting installation

Component: TMOS

Symptoms:
The following messages may appear on the console:
warning: Failed to find EUDs
warning: Failed to get volume id for EUD

Conditions:
This warning occurs during a formatting installation.

Impact:
No impact. The message was intended to be logged at the 'info' level.

Workaround:
N/A

Fix:
The 'warning: Failed to find EUDs' diagnostic message during installation has been changed from a warning to info.


523854-1 : TCP reset with RTSP Too Big error when streaming interleaved data

Component: Service Provider

Symptoms:
An RTSP connection containing interleaved streams is aborted mid-stream, causing loss of data. This occurs when there is packet loss and retransmission due to an unreliable connection. A RST is sent by the BIG-IP system with cause "Too big". The RTSP profile has a Maximum Header Size parameter; when the RTSP filter receives a burst of reassembled stream data that exceeds this size, it aborts with that RST cause. When this parameter is raised above the value of the Maximum Queued Data parameter, that parameter is exceeded instead and the RST cause is "Hudfilter abort". When both parameters are raised much higher, an abort is less likely, but can still occur with cause "Out of memory" (which is a false report, as the system is not out of memory).

Conditions:
RTSP profile configured. Interleaved stream. Packet retransmissions due to an unreliable connection.

Impact:
RTSP traffic is interrupted or dropped; the TCP session is reset with a cause of "Too Big" or "Hudfilter abort".

Workaround:
Set both the Maximum Header Size and Maximum Queued Data values to a value greater than 64K. This reduces the likelihood of failure, but is only a partial workaround.

Fix:
RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission.


523471-2 : pkcs11d core when connecting to SafeNet HSM

Component: Local Traffic Manager

Symptoms:
Very occasionally, using the SafeNet hardware security module (HSM) results in a pkcs11d core.

Conditions:
This occurs when the SafeNet HSM is used. Because of the rare and intermittent nature of the issue, other required conditions are not known.

Impact:
pkcs11d cores, and HSM-based SSL traffic fails. This occurs as a result of the SafeNet library. It is not a BIG-IP system-specific issue.

Workaround:
None.

Fix:
The SafeNet library has been updated, and pkcs11d no longer cores intermittently.


522997-3 : Websso cores when it tries to shut down

Component: Access Policy Manager

Symptoms:
Websso core file is generated when it is in the process of shutting down.

Conditions:
Websso can be shut down and restarted for many reasons, for example, when provisioning happens or when an mcpd or tmm process restarts.

Impact:
The impact is minimal because Websso cores during shutdown and will be restarted correctly.

Workaround:
No workaround

Fix:
Websso now handles shutdown events gracefully, and no core file is generated.


522871-1 : [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)

Component: TMOS

Symptoms:
Nested wildcard deletion deletes all of the objects (matched or not matched).

Conditions:
Use deletion in a nested TMSH command. For example:
tmsh modify gtm server GTM1 virtual-servers delete {f*}
This deletes all virtual servers even if none of the servers match. The same issue applies to pool members.

Impact:
All objects are deleted, instead of those targeted for delete.

Workaround:
None.

Fix:
Nested wildcard deletion now deletes matched objects only.


522837-1 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:
None.

Fix:
Ensured that connections are not deleted twice when shutting down, so mcpd no longer cores.


522791-2 : HTML rewriting on client might leave 'style' attribute unrewritten.

Component: Access Policy Manager

Symptoms:
In some cases, the 'style' attribute of an HTML tag containing CSS styles is not rewritten.

Conditions:
This happens when HTML is added to a page using document.write or assignment to innerHTML.

Impact:
Images added with inline CSS styles are not displayed. Direct requests to the backend are sent from the browser.

Workaround:
Use an iRule to rewrite the 'style' attribute before adding HTML to the page.

Fix:
The HTML 'style' attribute is correctly rewritten for any tag.


522332-1 : Configuration upgrade of httpclass which has the 'hosts' attribute done incorrectly

Component: TMOS

Symptoms:
A configuration containing the deprecated 'httpclass' with the 'hosts' attribute, on upgrade to a later version, gets converted to an LTM policy with the attributes 'http-host host values <value>'.

Conditions:
Requires a configuration containing an 'httpclass' that has the hosts attribute. F5 has replaced the HTTP Class profile with the introduction of the Local Traffic Policies feature in BIG-IP 11.4.0. During an upgrade to BIG-IP 11.4.0, if your configuration contains an HTTP Class profile, the BIG-IP system attempts to migrate the HTTP Class profile to an equivalent local traffic policy. You can find more information in SOL14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later, available here: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14409.html.

Impact:
The policy tries to match only the 'host' part of the HTTP Host header. The policy should be trying to match 'all' (that is, 'host' and 'port') instead. Note: F5 has replaced the HTTP Class profile with the introduction of the Local Traffic Policies feature in BIG-IP 11.4.0. During an upgrade to BIG-IP 11.4.0, if your configuration contains an HTTP Class profile, the BIG-IP system attempts to migrate the HTTP Class profile to an equivalent local traffic policy.

Workaround:
Manually edit the configuration after upgrade to convert 'http-host host' to 'http-host all', for example:
http-host host <====== values { tempbus.ladpc.net.il:3433 } }
to
http-host all <====== values { tempbus.ladpc.net.il:3433 } }

Fix:
Fixed the upgrade script to convert using the attribute 'all' instead of 'host'.


521336-6 : pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core

Component: Local Traffic Manager

Symptoms:
The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core.

Conditions:
When pkcs11d retries while waiting for other services such as tmm or mcpd.

Impact:
After the system reboots, /var/log/ltm shows initialize errors and /var/log/daemon.log shows pkcs11_initialize messages:
-- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying).
-- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0.

Workaround:
Retry pkcs11d restart when tmm and mcpd are both ready.

Fix:
The retry of pkcs11d initialization no longer posts misleading error messages when pkcs11d retries to wait for other services such as tmm or mcpd.


521144-5 : Network failover packets on the management interface sometimes have an incorrect source-IP

Component: TMOS

Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.

Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.

Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.

Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example:
# tmsh delete sys management-route 10.208.101.0/24
# tmsh save sys config
# echo "10.208.101.0/24 via 10.208.102.254 dev eth0" > /etc/sysconfig/network-scripts/route-eth0
# reboot

Fix:
Network failover packets on the management interface now have the correct source IP when the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.


520732-3 : XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty

Component: Application Security Manager

Symptoms:
Default entities (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) are added to the policy upon XML policy import.

Conditions:
ASM policy with entities of some type (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) deleted (all entities of that type). Export it to XML and then import that XML back - the default entities are added.

Impact:
XML policy import adds default entities if the relevant element list (in policy XML doc) is specified and empty.

Workaround:
The relevant element list (in the policy XML doc), that is specified and empty, should be completely removed (from the policy XML doc).

Fix:
ASM no longer adds default entities if the relevant element list (in the policy XML document) is specified and empty.


520380-6 : save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory

Component: TMOS

Symptoms:
Unit demonstrates behaviors consistent with out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run.

Conditions:
Enable auto-sync and save-on-auto-sync.

Impact:
Low memory condition may result in system instability.

Workaround:
None.

Fix:
Enabling auto-sync and save-on-auto-sync no longer causes an out-of-memory condition.


520105-3 : Possible segfault during hardware accelerated compression.

Component: Local Traffic Manager

Symptoms:
Segfault and core-dump of tmm when using gzip, deflate, or zlib hardware accelerated compression compress or decompress operations.

Conditions:
Requests for compression on the hardware accelerator can cause a segfault.

Impact:
Tmm restarts when issue is encountered.

Workaround:
Disable hardware accelerated compression.

Fix:
Cancelled flow contexts involving a compression context no longer segfault when the in-flight operation completes.


520088-2 : Citrix HTML5 Receiver does not properly display initial tour and icons

Component: Access Policy Manager

Symptoms:
When trying to connect with Citrix HTML5 Receiver, the initial tour screen does not display properly.

Conditions:
APM is configured for Citrix replacement mode and Citrix HTML5 Receiver client 1.4-1.6 is used.

Impact:
Issues with GUI user experience. User is presented with an improperly formatted page without icons.

Workaround:
1. Open /config/bigip.conf for editing.
2. Replace 'content-type text/plain' with 'content-type text/css' in HTML5Client(.*).css sections.
3. Replace 'content-type text/plain' with 'content-type text/javascript' in HTML5Client(.*).js sections.
4. Save the file.
5. From the console, type the following command: tmsh load sys config.

Fix:
Now APM correctly sets content type of CSS and JavaScript files when configuring Citrix HTML5 client bundle.


519257-2 : cspm script isn't injected in text/html chunked response

Component: Application Visibility and Reporting

Symptoms:
The BIG-IP Client Side Performance Monitoring (CSPM) script does not get injected in chunked response causing the "Page load time" feature to not work properly.

Conditions:
This happens for chunked (large) web pages.

Impact:
The "Page load time" feature does not work properly and page load time stats do not exist for these responses.

Workaround:
None known

Fix:
Page load time is displayed correctly even for chunked responses.


519217-4 : tmm crash: valid proxy

Component: Local Traffic Manager

Symptoms:
tmm might crash in extremely rare circumstances when a virtual server is used during an update. Standard process is for virtual servers to be unavailable until the configuration update is complete; there are extremely rare circumstances when it is possible for a connection to use a virtual server before it is ready.

Conditions:
This requires that traffic is running during a configuration update, including a config sync from an HA peer. There must be a virtual server or configuration that uses a second virtual server while traffic is running: these include vip-on-vip using iRules and WAM prefetch, but might include other internal conditions.

Impact:
Traffic disruption, possible failover to another device if HA is configured. If using keepalive or other means to keep the connection alive, then a long amount of time might pass between the creation of the invalid flow and any impact from the error.

Workaround:
None.

Fix:
If a virtual server is used during an update (that is, before the virtual server is ready), an error message is now posted to tmm log files, and a small amount of memory is used each time this message is logged.


519216-4 : Abnormally high CPU utilization from external SSL/OpenSSL monitors

Component: TMOS

Symptoms:
The BIG-IP system may experience high CPU utilization when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.

Conditions:
External SSL monitors using OpenSSL. This includes but is not limited to EAV, ldap, sip, soap, firepass, snmpdca, real-server, wmi, virtual-location. Builtin monitors are not affected, e.g., https, inband.

Impact:
High CPU utilization reported with potential performance degradation.

Workaround:
To work around this issue, you can use a different type of monitor to obtain pool member availability status. Impact of workaround: Performing the recommended workaround should not have a negative impact on your system.

Fix:
The CPU utilization is reduced when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.


518550-3 : Incorrect value of form action attribute inside 'onsubmit' event handler in some cases

Component: Access Policy Manager

Symptoms:
Incorrect value of 'action' form attribute may be used inside 'onsubmit' event handlers if original 'action' is an absolute path.

Conditions:
HTML form with absolute path in 'action' attribute; 'onsubmit' event handler for this form.

Impact:
Web application may work incorrectly.

Workaround:
There is no general workaround. However, if the 'action' value can be converted to a relative path or to a full URL (with host), this can be done using an iRule.

Fix:
The value of the form 'action' attribute is now correct inside event handlers.


518275-2 : The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file

Component: Local Traffic Manager

Symptoms:
During the handshake, an SSL alert is sent. The same alert is then sent repeatedly leading to resource-related issues such as increased memory usage and TMM cores. With db variable log.ssl.level set to Debug, the log might then fill with the alert message.

Conditions:
An SSL alert is sent during the handshake.

Impact:
Resource-depletion leading to TMM core and interruption of service.

Workaround:
None.

Fix:
During the handshake, an SSL alert is sent. In this release, the same alert is sent only once, so there are no resource-related issues such as increased memory usage and TMM cores.


517846-2 : View Client cannot change AD password in Cross Domain mode

Component: Access Policy Manager

Symptoms:
View Client cannot change Active Directory password in Cross Domain mode.

Conditions:
1. Access policy for View Client uses Cross Domain authentication.
2. View Client user trying to log into APM belongs to a different AD domain than the one configured in AD Auth agent (cross-domain auth).
3. User's password is expired.

Impact:
User cannot change expired password, so cannot use VMware View.

Workaround:
None.

Fix:
View Client can now change AD password in Cross Domain mode, as expected.


517465-4 : tmm crash with ssl

Component: Local Traffic Manager

Symptoms:
Under some rare conditions, a problem with SSL might cause TMM to crash.

Conditions:
An SSL alert is sent during the SSL handshake.

Impact:
Service interrupted.

Workaround:
None known

Fix:
A tmm crash related to alerts during an SSL handshake failure has been fixed.


517388-7 : Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.

Component: TMOS

Symptoms:
The system recognizes and displays to the user a few relative distinguished names (RDNs): division name, state name, locality name, organization name, country name, and common name.

Conditions:
RDNs in the subject/issuer other than those listed above are not parsed correctly.

Impact:
Parsing the DN (for subject or issuer) might combine fields that result in RDN values that are longer than allowed. This causes issues when trying to store these in Enterprise Manager (EM) database.

Workaround:
None.

Fix:
All relative distinguished names (RDNs) are now parsed as expected. Previously, the system correctly parsed RDNs for division name, state name, locality name, organization name, country name, and common name. Now, the system correctly parses all RDNs.


517282-7 : The DNS monitor may delay marking an object down or never mark it down

Component: Local Traffic Manager

Symptoms:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Conditions:
A DNS monitor with no configured recv string and the monitor receives an ICMP error other than port unreachable.

Impact:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Workaround:
Supply an appropriate recv string to the monitor definition:
tmsh modify ltm monitor dns mydns recv 10.1.1.1
Or add another monitor to the object:
tmsh modify ltm pool dnspool monitor min 2 of { mydns gateway_icmp }

Fix:
The DNS monitor now marks the server down when it receives an ICMP administratively prohibited error, which is the correct behavior.


517209-7 : tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable

Component: TMOS

Symptoms:
The tmsh save sys config file /var/tmp or /shared/tmp or a relative path to these directories (for example, /config/../shared/tmp) saves the scf with the specified real path. However, since the /var/tmp directory is used internally by BIG-IP daemons, some functionality may be rendered unusable until the /var/tmp symlink to /shared/tmp is restored.

Conditions:
Saving the sys config file /var/tmp or /shared/tmp (or a relative path to one of these directories).

Impact:
Some system functionality may be rendered unusable.

Workaround:
Use the following commands to delete the scf and restore the symlink:
-- rm -f /var/tmp
-- ln -s /shared/tmp /var/
-- bigstart restart

Fix:
/var/tmp and /shared/tmp are now rejected as invalid paths for the tmsh save sys config file command.


517053-2 : bigd detection and logging of load and overload

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with a very large number of monitor instances (multiple thousands) probing at relatively fast intervals, BIG-IP may not be able to keep up with its servicing load. This can be indicated by pool members being marked down/up (flapping) that were not actually having connectivity problems.

Conditions:
Heavy monitor instance probe rate (monitor instance probes per second).

Impact:
When overloaded, bigd is unable to probe consistently which may result in odd or unpredictable pool member up/down behavior.

Workaround:
The main ways to mitigate overload issues are to reduce the number of monitor instances, to increase the probe interval so that probes occur less often, and/or to switch monitored pool members/nodes to simpler, lower-overhead monitors (for example, ICMP instead of HTTP, or HTTP instead of HTTPS).

Fix:
This particular fix does not change the problem or mitigation steps. Rather, it helps detect when overloading has occurred. When it has been determined that overloading has occurred, a message will be logged to /var/log/ltm to indicate this. By default, the overload message will be triggered if the main 1/10 second (100 ms) loop takes, on average, more than 150 ms to service. This overload threshold value can be adjusted with the new Bigd.Overload.Latency sys db variable. The variable indicates the number of ms of latency at which servicing the 100 ms main loop is considered overload.

In addition, main loop latency logging has been added to /var/log/bigdlog. The latency information will be logged every 15 seconds. The main loop latency information will be logged whenever Bigd.Debug is enabled, or if the new sys db variable Bigd.Debug.TimingStats is enabled. The new Bigd.Debug.TimingStats variable allows the main loop latency stats to be emitted even if other debug information, which can be quite verbose, is suppressed.

The main loop latency information has the following layout:
insts, avg-5m mean-5m stddev5, avg-1m mean-1m stddev1
-- insts: number of active monitor instances being monitored
-- avg-5m: weighted decaying average loop latency over 5 minutes
-- mean-5m: mean average loop latency over 5 minutes
-- stddev5: standard deviation of loop latency over 5 minutes
-- avg-1m: weighted decaying average loop latency over 1 minute
-- mean-1m: mean average loop latency over 1 minute
-- stddev1: standard deviation of loop latency over 1 minute

Once again, these average/mean values are measuring the 100 ms service loop, which under normal circumstances should always complete in close to 100 ms. When the value rises above 100 ms, that means the system is not able to service all of its monitor instances in a timely fashion.
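The following is an added example, not F5 code, that models the latency statistics and overload test described in this fix so the seven bigdlog fields and the Bigd.Overload.Latency threshold can be reasoned about concretely. It assumes one sample per 100 ms loop iteration, an exponential moving average with a span equal to the window as the "weighted decaying average", the 1-minute decaying average as the value compared against the threshold, and constructed latency samples; none of these details are confirmed by the page.

```python
"""Added example (not F5 code): bigd-style main-loop latency statistics
and overload detection, modelled on the fields described in the fix.

Assumptions (not confirmed by the release note): one sample per 100 ms loop
iteration; the weighted decaying average is an EMA whose span equals the
window; overload is judged on the 1-minute decaying average; the log line
formatting is assumed; the sample latencies below are constructed.
"""
from collections import deque
from statistics import mean, pstdev

LOOP_MS = 100.0                       # period of the main service loop
DEFAULT_OVERLOAD_LATENCY_MS = 150.0   # Bigd.Overload.Latency default
SAMPLES_PER_MIN = 600                 # 60 s / 100 ms, one sample per iteration


def should_emit_timing_stats(bigd_debug, timing_stats):
    """Stats are logged when Bigd.Debug is on, or when Bigd.Debug.TimingStats
    is on even though the verbose debug output is suppressed."""
    return bool(bigd_debug) or bool(timing_stats)


class LoopLatencyStats:
    """Tracks loop latency over rolling 1-minute and 5-minute windows."""

    def __init__(self, overload_ms=DEFAULT_OVERLOAD_LATENCY_MS):
        self.overload_ms = overload_ms
        self.win_1m = deque(maxlen=SAMPLES_PER_MIN)
        self.win_5m = deque(maxlen=5 * SAMPLES_PER_MIN)
        # Assumed EMA smoothing factors: span equal to the window length.
        self.alpha_1m = 2.0 / (SAMPLES_PER_MIN + 1)
        self.alpha_5m = 2.0 / (5 * SAMPLES_PER_MIN + 1)
        self.avg_1m = None
        self.avg_5m = None

    def record(self, latency_ms):
        """Record how long one iteration of the 100 ms loop actually took."""
        self.win_1m.append(latency_ms)
        self.win_5m.append(latency_ms)
        if self.avg_1m is None:
            self.avg_1m = self.avg_5m = float(latency_ms)
        else:
            self.avg_1m += self.alpha_1m * (latency_ms - self.avg_1m)
            self.avg_5m += self.alpha_5m * (latency_ms - self.avg_5m)

    def overloaded(self):
        """True when the loop is, on average, slower than the threshold
        (assumption: judged on the 1-minute decaying average)."""
        return self.avg_1m is not None and self.avg_1m > self.overload_ms

    def snapshot(self, insts):
        """The seven fields the fix says are written to /var/log/bigdlog."""
        if not self.win_1m:
            return None
        return {
            "insts": insts,
            "avg-5m": self.avg_5m,
            "mean-5m": mean(self.win_5m),
            "stddev5": pstdev(self.win_5m),
            "avg-1m": self.avg_1m,
            "mean-1m": mean(self.win_1m),
            "stddev1": pstdev(self.win_1m),
        }

    def format_line(self, insts):
        """Render the stats in the described layout (number formatting assumed):
        insts, avg-5m mean-5m stddev5, avg-1m mean-1m stddev1"""
        s = self.snapshot(insts)
        if s is None:
            return ""
        return (f"{s['insts']}, {s['avg-5m']:.1f} {s['mean-5m']:.1f} {s['stddev5']:.1f}, "
                f"{s['avg-1m']:.1f} {s['mean-1m']:.1f} {s['stddev1']:.1f}")


if __name__ == "__main__":
    stats = LoopLatencyStats()
    # Constructed scenario: one healthy minute at 100 ms, then a minute at 180 ms.
    for _ in range(SAMPLES_PER_MIN):
        stats.record(100.0)
    print(stats.format_line(insts=2400), "overloaded:", stats.overloaded())
    for _ in range(SAMPLES_PER_MIN):
        stats.record(180.0)
    print(stats.format_line(insts=2400), "overloaded:", stats.overloaded())
```

In the constructed scenario the 1-minute mean jumps straight to 180 ms while the 5-minute mean sits at 140 ms, which is why the decaying average, not the longer mean, is the useful trigger for a threshold of 150 ms.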


517020-5 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days and continue to fail until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command: tmsh show sys services. Here is an example of the status when the system is in this state:
subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log contains numerous messages similar to the following:
Received broken packet. Closing session.
The /var/log/sflow_agent.log contains numerous messages similar to the following:
AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.

Fix:
SNMP requests handling has been improved to ensure that requests no longer fail after a number of days.


516816-4 : RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Component: Local Traffic Manager

Symptoms:
RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Conditions:
The key cert pair type matches one of the following combinations:
1. RSA key/DSA-signed cert.
2. RSA key/ECDSA-signed cert.

Impact:
When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.

Workaround:
Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use the combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.

Fix:
An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.


516322-7 : iApp association removed from virtual server

Component: TMOS

Symptoms:
Merging a configuration via tmsh load sys config merge or iControl Management.ChangeControl.put_config, where the merge updates partition /Common and modifies an LTM persistence profile (source_addr) associated with an iApp, disassociates the iApp from a virtual server.

Conditions:
iApp, virtual server, and persistence profile are configured and associated prior to merge.

Impact:
This removes iApp association with the virtual server.

Workaround:
Modify any associated virtual server as well.

Fix:
Modifying a persistence profile while updating partition /Common during a merge config no longer disassociates the iApp from the virtual server.


515759-3 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time

Component: Local Traffic Manager

Symptoms:
tmm memory growth over time.

Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANs in a vlan allow or vlan deny list.

Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.

Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configurations changes to Self-IPs, virtual servers, NATs, SNATs and LSNs.

Fix:
Configuration objects with more than four VLANs in the vlan list no longer cause memory utilization to increase over time.


514313-1 : Logging profile configuration is updated unnecessarily

Component: Application Security Manager

Symptoms:
Logging profile configuration is updated in the ASM data plane unnecessarily, due to changes in pool member state.

Conditions:
Pool member state changes frequently.

Impact:
Unnecessary logging profile configuration updates are sent to ASM data plane.

Workaround:

Fix:
Logging profile configuration is updated in the ASM data plane only when it is modified, and not unnecessarily.


514061-4 : False positive scenario causes SMTP transactions to hang and eventually reset.

Component: Application Security Manager

Symptoms:
Upon specific SMTP traffic, connection hangs and eventually resets.

Conditions:
SMTP profile with 'protocol security' turned on is attached to the virtual server, and the response is processed in bulk.

Impact:
Connection hangs and eventually resets.

Workaround:
None.

Fix:
This release fixes a scenario in which SMTP transactions were hanging and blocked upon specific traffic.


513974-7 : Transaction validation errors on object references

Component: TMOS

Symptoms:
MCP validation error when adding/removing reference and adding/deleting an object in the same transaction.

Conditions:
During device group config sync, iControl transactions, and tmsh operations. For example, delete and create the same virtual server and specify a profile/VLAN, or remove a profile from a virtual server and then delete the profile in the same transaction.

Impact:
Validation error. The system posts an error similar to the following: transaction failed: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/http1) already exists in partition Common. When deleting, the message is: 01020036:3: The requested virtual server profile (/Common/vs1 http1) was not found.

Workaround:
The removal of the object reference must be done in a separate transaction. For example, if you want to delete a profile that is being used, create one transaction removing it from virtual servers, then a second transaction deleting the profile.

Fix:
The system now supports adding/removing a reference and the object in a single transaction.


513659-3 : AAM Policy not all regex characters can be used via the GUI

Component: TMOS

Symptoms:
Cannot specify certain regex syntax when configuring Client IP for 'Matching' or 'Validation' rules in an AAM Policy.

Conditions:
Adding regex characters such as \, [, ], ^, $ to an existing policy. Parentheses appear to be allowed, but do not save the information correctly.

Impact:
Cannot use the GUI to configure the policy with certain regex strings. The system posts the following error message: The field Value has invalid characters.

Workaround:
Use tmsh, and escape special wild-card characters with '\'. For example, to add 10.[0-9]$:
modify wam policy Drafts/test_policy nodes modify { t1 { matching modify { client-ip { values replace-all-with { 10.\[0-9\]$ } } } } }


513213-5 : FastL4 connection may get RSTs in case of hardware syncookie enabled.

Component: Local Traffic Manager

Symptoms:
Occasionally, an ACK is sent to the server without a SYN, and the connection gets an RST.

Conditions:
1) FastL4 virtual server.
2) Hardware syncookie enabled.
3) Might more commonly occur with forwarding virtual servers.
4) Often happens when egress router has ARP timeout.

Impact:
Some connections will be dropped.

Workaround:
Configure a static ARP to all neighbors (routers) to avoid most issues.

Fix:
An issue with hardware syncookies and FastL4 connections has been resolved.


513142-3 : FQDN nodes with a default monitor may cause configuration load failure

Component: Local Traffic Manager

Symptoms:
Attempting to load a configuration containing FQDN nodes, a default-node-monitor and non-Common partitions can fail due to invalid partition reference.

Conditions:
Node in a non-Common partition and a default-node-monitor configured.

Impact:
Configuration fails to load. The system posts an error message similar to the following: 01070726:3: Node /Common/name.of.fqdn.node in partition Common cannot reference monitored object /Common/name.of.fqdn.node /Common/partition1 in partition another_partition.

Workaround:
If possible, use FQDN nodes only in the Common partition.

Fix:
FQDN nodes with a default monitor no longer cause configuration load failure.


512130-4 : Remote role group authentication fails with a space in LDAP attribute group name

Component: TMOS

Symptoms:
Remote role group authentication fails if there is a space in attribute name of remote-role role-info.

Conditions:
This occurs when the auth remote-role role-info attribute name contains a space character.

Impact:
LDAP authentication fails.

Workaround:
Remove space characters from LDAP attribute group name. Another option is to use '\20' in place of spaces in the remote-role's role-info member-of attribute, for example:
memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM
becomes:
memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM

Fix:
Remote role group authentication now succeeds as expected with a space in LDAP attribute group name.


512119-2 : Improved UDP DNS packet truncation

Component: Local Traffic Manager

Symptoms:
UDP responses from the DNS cache were not truncated properly. This is primarily seen in DNS tools, such as dig or Wireshark, which mark the response as malformed. Regular resolver clients handled the responses correctly, noting the tc bit in the response header.

Conditions:
UDP DNS responses larger than the size requested by the client, typically 512 bytes.

Impact:
Packets may be flagged as malformed by DNS packet analyzers. There are no known issues with regular DNS client resolvers.

Workaround:
None

Fix:
The DNS Cache now properly fills in response data and handles truncation as expected.


512069-2 : TMM restart while relicensing the BIG-IP using the base license.

Component: Policy Enforcement Manager

Symptoms:
TMM restart while relicensing the BIG-IP on base license expiration.

Conditions:
- Provisioning the following modules: LTM, AFM, PEM, CGNAT, ASM, FPS, APM, AVR, GTM
- Base license should have expired

Impact:
Results in a TMM restart

Workaround:

Fix:
The TMM restart during relicensing has been resolved. Relicensing on base license expiration no longer restarts TMM.


511893-5 : Client connection timeout after clicking Log In to Access Policy Manager on a Chassis

Component: Access Policy Manager

Symptoms:
Clients connecting via Edge Client or Network Access to Access Policy Manager running on a chassis will experience a connection timeout after clicking Log In.

Conditions:
1. A chassis with two or more blades and APM provisioned.
2. Create Portal Access/NA: start > logon page > portal resource (portal webtop, resource) > Allow.
3. Create an access session using a browser.

Impact:
Access session never finishes and browser does not render portal.

Workaround:
None

Fix:
BIG-IP Access Policy Manager running on a chassis will correctly process the client's Log In command.


511527-2 : snmpd segmentation fault at get_bigip_profile_user_stat()

Component: TMOS

Symptoms:
snmpd can core dump due to segmentation fault with the error snmpd[<pid>]: segfault at 0 ip <ip> sp 00000000ff8bec50 error 4 in bigipTrafficMgmt.so

Conditions:
An uncommon race condition.

Impact:
None. snmpd is automatically restarted.

Workaround:

Fix:
A check was added to gracefully handle the race condition and prevent core dump.


511057-5 : Config sync fails after changing monitor in iApp

Component: Local Traffic Manager

Symptoms:
Unable to modify a pool monitor and delete it in the same transaction.

Conditions:
A pool must have the monitor associated with it before the tmsh transaction, and must be the same as the monitor being deleted in the transaction.

Impact:
Unable to submit multiple changes in a single transaction.

Workaround:
Modify the pool monitor and delete it in separate transactions.

Fix:
Monitor modification and deletion can now happen in the same transaction.


510923-2 : TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.

Conditions:
The secondary blade is disabled.

Impact:
TMM crashes and reboot is triggered.

Workaround:
None.

Fix:
TMM no longer crashes after the secondary blade is disabled.


510559-6 : Add logging to indicate that compression engine is stalled.

Component: TMOS

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3. If the compression engine stalls, there is no logging-trail to indicate there is a problem.

Conditions:
This occurs when the system encounters errors during hardware compression handling and the compression engine stalls.

Impact:
Compression completely stalls, or CPU can be driven up by software-based compression. No indication of what the issue is.

Workaround:
Disable compression, or select 'software only' compression.

Fix:
Previously, if the compression engine stalled, there would be no logging-trail to indicate there was a problem. This release adds logging and stats for detecting a compression engine stall.


510381-3 : bcm56xxd on A108 (B4300 blade) might core when restarting due to bundling config change.

Component: TMOS

Symptoms:
A race condition exists where bcm56xxd might core while restarting due to a bundling configuration change if it is still processing other config messages from MCP.

Conditions:
Interface bundling change requiring a restart while still processing configuration messages.

Impact:
Unnecessary core file produced since the daemon is restarting anyway.

Workaround:
None.

Fix:
Fixed possible race condition which resulted in a bcm56xxd core.


510264-1 : TMM core associated with smtps profile.

Component: Local Traffic Manager

Symptoms:
tmm can core when the smtps profile is enabled.

Conditions:
This is an intermittent core seen when the smtps profile is enabled.

Impact:
Traffic disruption from TMM core.

Workaround:
n/a

Fix:
tmm will no longer core from using the smtps profile.


509641-3 : Ephemeral pool members may not inherit attributes from FQDN parent

Component: Local Traffic Manager

Symptoms:
Newly resolved pool members do not have the appropriate attributes (priority, connlimit, etc.).

Conditions:
Parent FQDN has non-default attributes and a new ephemeral member is resolved.

Impact:
Ephemeral pool members have unexpected attributes.

Workaround:

Fix:
Ephemeral pool member now correctly inherits attributes from parent node upon resolution.


509284-2 : Improved reliability of a module interfacing with HSM

Component: Local Traffic Manager

Symptoms:
After tmm has crashed and auto-restarted, traffic may stop for profiles with HSM keys.

Conditions:
This can occur when using HSM keys, and TMM crashes.

Impact:
Encrypted traffic will not be processed, even after daemons restart.

Workaround:
Restart TMM, e.g. with 'bigstart restart tmm pkcs11d'

Fix:
Fixed a race condition that may prevent proper initialization of an inter-process communication between TMM and pkcs11d.


508057-1 : MySQL Vulnerability CVE-2015-0411

Component: TMOS

Symptoms:
CVE-2015-0411 Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption.

Conditions:
Running one of the vulnerable versions. For more information, see SOL16355: Multiple MySQL vulnerabilities, available here: https://support.f5.com/kb/en-us/solutions/public/16000/300/sol16355.html.

Impact:
The CVE numbers included in this advisory are reported to allow (through undisclosed mechanisms) a remote unauthorized attacker to perform read and write MySQL access, receive privilege escalation, or cause a denial-of-service (DoS) of the MySQL service and potentially stop critical data plane services. However, the BIG-IP and Enterprise Manager systems have default mitigations in place through local user authentication requirements and tcp_wrappers (BIG-IP 10.x / EM 2.x) and iptables (BIG-IP 11.x / EM 3.x) that downgrade the access vector for these vulnerabilities limited to local and authenticated users.

Important: Enabling the Remote Access feature on Enterprise Manager will modify the tcp_wrappers (2.x) and iptables (3.x) rules to allow database access. As a result, the vulnerable access vector for these vulnerabilities is upgraded back to remote and unauthenticated. The Enterprise Manager Remote Access feature is disabled by default. If you have enabled the Remote Access feature, refer to the Disabling the Remote Access feature procedure in the Recommended Actions section.

Workaround:
Disabling the Remote Access feature
Impact of recommended action: You will no longer be allowed to remotely access the MySQL statistical database.
1. Log in to the Enterprise Manager Configuration utility.
2. Click Enterprise Management.
3. Navigate to Options : Statistics : Remote Access.
4. Clear the Allow Remote Access check box.
5. Click Save Changes.

Fix:
CVE-2015-0411


507611-4 : On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Component: Local Traffic Manager

Symptoms:
BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Conditions:
BGP, TCP-MD5 on BIG-IP 2000- and 4000-series platforms.

Impact:
BGP session is not established.

Workaround:
Disable TCP-MD5 for neighbor.

Fix:
BGP sessions with TCP MD5 enabled now establish connection to neighbors as expected on BIG-IP 2000- and 4000-series platforms.


507410-2 : Possible TMM crash when handling certain types of traffic with SSL persistence enabled

Component: Local Traffic Manager

Symptoms:
When SSL persistence is used on a virtual, if the SSL session contains unexpected traffic the TMM might crash.

Conditions:
SSL persistence is enabled on a virtual server, and the SSL session contains unexpected traffic.

Impact:
TMM crash

Workaround:
Do not use SSL persistence.

Fix:
SSL persistence will not crash regardless of the SSL traffic seen.


507109-4 : inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade

Component: Local Traffic Manager

Symptoms:
The inherit-certkeychain attribute of a child Client SSL profile can unexpectedly change after upgrade.

Conditions:
This issue occurs when all of the following conditions are met:
-- You create a Client SSL profile that does not inherit the certificate, key, and chain certificate settings from the parent profile.
-- You upgrade to BIG-IP 11.5.1 (HF6 or later), 11.5.2, 11.5.3, or 11.6.0.

Impact:
An incorrect cert key chain is used in the profile.

Workaround:
Manually fix the Client SSL profile.

Fix:
The certificate, key, and chain certificate settings in a Client SSL profile no longer change after an upgrade.


505089-4 : Spurious ACKs result in SYN cookie rejected stat increment.

Component: Local Traffic Manager

Symptoms:
Sending an unsolicited ACK to a virtual server increments the 'Total Software Rejected' counter shown by tmsh show ltm virtual 'name_of_virtual_server', even when SYN cookie status is not activated.

Conditions:
This has been observed under the following conditions:
1. The client sends a SYN, the LTM sends a SYN/ACK, and then the client sends a bad ACK.
2. A client sends an ACK for a connection that does not exist in the connection table (either it never existed or it has been closed).

Impact:
Potentially inaccurate statistics in tmsh show ltm virtual.

Workaround:
None.

Fix:
In this release, the system increments the syncookie reject stat only if a bad ACK could correspond to a syncookie the system issued.


505071-5 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.

Component: TMOS

Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.

Conditions:
This has been seen to occur when an APM policy agent logon page is modified, and the error reports that its customization group cannot be found. In BIG-IP v11.6.0 HF6 and BIG-IP v11.5.4 and BIG-IP v11.5.4 HF1, this can also occur when an iApp creates a virtual server.

Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.

Workaround:
None.

Fix:
For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.


504545-2 : FQDN: node without service checking reported as 'service checking enabled, no results yet'

Component: Local Traffic Manager

Symptoms:
When an FQDN Node has no Node Default or Node Specific monitor associated, the ephemeral nodes' status is 'Unknown (enabled)- Node address service checking is enabled but result is not available yet.' A standard node configured without a monitor has the correct status: 'Unknown (enabled) - Node address does not have service checking enabled.'

Conditions:
FQDN node created with one or more valid records returned for the FQDN, and no node default or node-specific health monitor configured.

Impact:
Cannot determine actual state of pool member.

Workaround:
None.

Fix:
FQDN node without service checking has the correct status: 'Unknown (enabled) - Node address does not have service checking enabled.'


504508-5 : IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled

Component: TMOS

Symptoms:
When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.

Conditions:
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled.

Impact:
IPsec tunnel goes down, traffic stops.

Workaround:
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.

Fix:
IPsec Tunnel between the BIG-IP system and CISCO devices with older Dead Peer Detection (DPD) are no longer brought down because of mismatched Cookie Field in the DPD messages.


503696-1 : BD enforcer updates may be stuck after BD restart

Component: Application Security Manager

Symptoms:
If BD enforcer restarts during an update, the current configuration update will get stuck and no further updates will be performed.

Conditions:
BD enforcer restarts during an update.

Impact:
The current configuration update will get stuck and no further updates will be performed.

Workaround:
bigstart restart asm

Fix:
BD enforcer updates continue to process correctly even after BD restart.


503600-6 : TMM core logging from TMM while attempting to connect to remote logging server

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server.

Conditions:
The problem might occur when a log message is created as the result of errors that can occur during log-connection establishment. The crash specifically occurs when an error occurs while attempting to connect to the remote logging server.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards such messages or directs them to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
TMM no longer crashes and coredumps while logging to remote logging server.


503246-4 : TMM crashes when unable to allocate large amount of provisioned memory

Component: TMOS

Symptoms:
TMM panics and core dumps when unable to allocate the full amount of provisioned memory for each TMM instance.

Conditions:
The situation may occur when TMM starts (or restarts) while another process is still holding onto large amounts of memory, so TMM is unable to allocate the provisioned memory.

Impact:
crash and core dump.

Workaround:
none

Fix:
The fix is a change in the TMM startup process.


502841-2 : REST API hangs due to icrd startup issues

Component: TMOS

Symptoms:
iControl REST requests can go unanswered or come back with bad responses.

Conditions:
icrd starts well before restjavad.

Impact:
Unusable REST API.

Workaround:
The workaround is to restart the icrd service after ascertaining that restjavad is running - 'bigstart status restjavad' followed by 'bigstart restart icrd'.

Fix:
Now the icrd service will wait until the restjavad service is completely up and responding.


502480-1 : Mirrored connections on standby device do not get closed when Verified Accept is enabled

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, the BIG-IP may cause mirrored connections on the standby device to persist.

Conditions:
- Mirror enabled on the virtual server
- Verified accept enabled on the TCP profile

Impact:
Resource leak on the standby device which could cause an outage

Workaround:
Do not enable verified accept on mirrored flows.

Fix:
Mirrored connections to the standby device will now be properly closed on the standby.


500786-6 : Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile

Component: Local Traffic Manager

Symptoms:
When a FastL4/BIGTCP virtual with HTTP profile is used, certain kinds of traffic may cause huge memory growth and result in out-of-memory situation.

Conditions:
If the FastL4 virtual with HTTP profile handles HTTP cloaking traffic, that is, traffic that starts as HTTP and then switches over to non-HTTP data, memory use could grow unbounded due to lack of flow control. This may eventually lead to out-of-memory conditions.

Impact:
Out of memory conditions affecting the availability/stability of the BIG-IP system.

Workaround:
1.) Avoid using FastL4 with an HTTP profile unnecessarily.
2.) If it cannot be avoided, use the FastL4 + HTTP-Transparent profile combination instead AND set the http-transparent profile attribute enforcement.pipeline to "pass-through". This allows the HTTP filter to run in "passthrough" mode and so avoids the excessive memory consumption.

Fix:
Use the FastL4 + HTTP-Transparent profile combination AND set http-transparent.enforcement.pipeline to "pass-through". This enables the HTTP filter to run in "passthrough" mode and so avoids the excessive memory consumption.


499430-2 : Standby unit might bridge network ingress packets when bridge_in_standby is disabled

Component: Local Traffic Manager

Symptoms:
On a standby unit with a vlangroup configured with multiple VLAN members and the bridge_in_standby attribute set to false, the unit might still bridge network ingress packets across the vlangroup if those packets happen to match the host monitor traffic flows.

Conditions:
This occurs when the following conditions are met: Configure a vlangroup with multiple VLAN members in HA configuration and set vlangroup's bridge_in_standby attribute to false. Configure monitors to use non-default monitor rules (ICMP, etc.).

Impact:
This results in a traffic bridging loop between the active and standby units. Excessive traffic load might take down monitors on the BIG-IP system.

Workaround:
None.

Fix:
Standby unit no longer bridges network ingress packets when bridge_in_standby is disabled. This is correct behavior.


496679-5 : After renaming /cm device, load fail 'foreign key index (default_device_fk)'.

Component: TMOS

Symptoms:
After renaming a CM device object, subsequent configuration loads may fail because the 'default-device' on traffic-group objects is not automatically updated.

Conditions:
Renaming a device object.

Impact:
Although the configuration can be saved, it fails when being loaded (for example, in response to a ConfigSync operation, during software upgrade, or when running the command: tmsh load sys config).

Workaround:
Modify any traffic-group default-device attributes that refer to the old device name.

Fix:
Renaming a device also renames the associated traffic-group's default device, so configuration load now completes successfully.


495865-2 : iApps/tmsh cannot reconfigure pools that have monitors associated with them.

Component: TMOS

Symptoms:
iApps are unable to reconfigure pools that have monitors associated with them.

Conditions:
Using tmsh or iApps in the GUI to re-configure the pool monitor (for example, changing the monitor from 'http' to 'none').

Impact:
Monitor change does not occur. GUI or tmsh might post an error similar to the following: Monitor rule not found.

Workaround:
None.

Fix:
Users can now remove a monitor from a pool / set it to 'none' through tmsh or a GUI iApp transaction.


495744-1 : Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards

Component: Application Visibility and Reporting

Symptoms:
Some fields of user defined filters from older versions cannot be loaded in the new version, after an upgrade.

Conditions:
Custom user filter is defined. Most common when Source Client IP field is set.

Impact:
Filters cannot be applied correctly due to values not being recognized.

Workaround:
Before upgrade, the filters should be manually saved, and later on re-created on the new version.

Fix:
A better value upgrade has been implemented, and a warning message is displayed to the user about the situation.


494796 : Unable to create GTM Listener with non-default protocol profile.

Component: Global Traffic Manager

Symptoms:
Attempting to create a GTM Listener with anything besides a default protocol profile causes a duplicate profile error.

Conditions:
Create a GTM Listener with a protocol profile other than udp_gtm_dns or tcp.

Impact:
GTM listener creation does not complete.

Workaround:
Create a GTM Listener using a default protocol profile, and then modify the protocol profile settings.

Fix:
You can now create GTM Listener with non-default protocol profile.


494070-2 : BIG-IP DNS cannot use a loopback address with fallback IP load balancing

Component: Global Traffic Manager

Symptoms:
BIG-IP DNS cannot use a loopback address with fallback IP load balancing.

Conditions:
BIG-IP DNS pool using fallback IP load balancing.

Impact:
Cannot configure a loopback address using fallback IP load balancing.

Workaround:
None.

Fix:
Now, a BIG-IP DNS Pool fallback IP address can be localhost.


492460-3 : Virtual deletion failure possible when using sFlow

Component: TMOS

Symptoms:
This error message might occur intermittently when trying to delete a virtual server: 01070265:3: The Virtual Server (vs_name) cannot be deleted because it is in use by a sflow http data source (ds_name).

Conditions:
sFlow is in use.

Impact:
Virtual may fail to be deleted.

Workaround:
None.

Fix:
This error message used to occur intermittently when trying to delete a virtual and using sFlow: 01070265:3: The Virtual Server (vs_name) cannot be deleted because it is in use by a sflow http data source (ds_name). This no longer occurs.


492122-5 : Now Windows Logon Integration does not recreate temporary user for logon execution each time

Component: Access Policy Manager

Symptoms:
Temporary user 'f5 Pre-Logon User' is created and deleted each time it is used which prevents the performance of domain operations like adding that user to specific domain group or setting properties because the SSID changes every time.

Conditions:
This happens when both of these conditions exist:
1. Windows Logon Integration is used.
2. The Enforce access policy execution option is selected.

Impact:
As a result, it is impossible to manage the temporary user 'f5 Pre-Logon User'.

Workaround:

Fix:
Now the 'f5 Pre-Logon User' is created only once, which allows a Domain or System Administrator to manage it, because the SSID does not change. When the user is no longer required (that is, when the logon process is complete), 'f5 Pre-Logon User' is disabled and remains disabled until the next usage.


491727-2 : Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).

Component: TMOS

Symptoms:
Upgrade to v11.6.0 can fail with the following error message: 01070712:3: The value (-1) is outside the acceptable value set [value equal to or less than 600000] for time_wait_timeout in type TCP Profile for item <tcp_profile_name> Unexpected Error: Loading configuration process failed.

Conditions:
A tcp profile exists with tcp_long_timeout equal to 4294967295 (indefinite).

Impact:
Upgrade to v11.6.0 fails and leaves device in INOPERATIVE state.

Workaround:
Change tcp_long_timeout prior to upgrade to a value in the range from 0 to 600000 inclusive OR, if already upgraded, edit bigip.conf to set tcp_long_timeout to a value in the range from 0 to 600000 inclusive and run "tmsh load sys config".

Fix:
BIG-IP configurations now load successfully after an upgrade if the TCP profile's Time Wait value is set to 4294967295


491371-1 : CMI: Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration. This precludes the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in a Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older config and then push the changes to the peer.

Fix:
An older ASM configuration can now be manually pushed to a peer in a device group.


491352-3 : Added ASM internal parameter to add more XML memory

Component: Application Security Manager

Symptoms:
It is not possible to add more than 1.2 GB of memory to the XML parser.

Conditions:
More than 1.2 GB of XML memory is needed.

Impact:
XML out of memory messages, traffic dropped.

Workaround:

Fix:
We added the internal parameter additional_xml_memory_in_mb that enables an additional amount of XML memory (in MB).


491185-1 : URL Latencies page: pagination limited to 180 pages

Component: Application Visibility and Reporting

Symptoms:
When there is a lot of information in URL Latencies, with paging available for more than 180 pages, no data is displayed when switching to any page above 180.

Conditions:
URL count exceeds 1800.

Impact:
Not all URLs will be visible.

Workaround:
Filtering can be used to limit the number of results below 1800.

Fix:
Number of reported URLs is now limited to 1000 (100 pages), consistent with other reporting pages.


491080-5 : Memory leak in access framework

Component: Access Policy Manager

Symptoms:
When multiple concurrent attempts are made to access a resource protected by APM, one of these attempts proceeds to policy execution and the rest get a message stating that session evaluation is in progress. The page that delivers this message has a unique identifier in the URL that causes the caching of this page to be ineffective. Multiple cache entries are created and these entries present themselves as a leak.

Conditions:
Use of APM. Multiple concurrent accesses to a resource protected by a virtual server with an APM profile attached. Note that no prior established sessions must exist for that client for this to happen.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
The APM page caching now omits the unique identifier in the key. As a result, a single page, or a small fixed number of pages, can serve a multitude of clients without an increase in memory usage.


490999-2 : Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start

Component: Application Visibility and Reporting

Symptoms:
Subscriber-level AVR statistics display subscriber-type as "Unknown" instead of "Dynamic" for subscribers created using a RADIUS Accounting-Start message.

Conditions:
Subscriber should be created using a Radius Acct-Start message.

Impact:
Incorrect subscriber-type in subscriber-level AVR statistics.

Workaround:
none

Fix:
Populate the correct subscriber-type in subscriber-level AVR statistics.


490801-2 : mod_ssl: missing support for TLSv1.1 and TLSv1.2

Component: TMOS

Symptoms:
This is due to using older versions of httpd (which include mod_ssl). Newer versions of httpd, as of 2.2.15-39, include the necessary support for TLSv1.1 and TLSv1.2.

Conditions:
Any older versions of httpd which are not upgraded to 2.2.15-39 or selectively patched for the mod_ssl component will not be able to provide support for TLSv1.1 and TLSv1.2. Note that in older releases, there is a dependency on openssl 1.0.1 for a backport of the mod_ssl changes to actually support TLSv1.1 and TLSv1.2.

Impact:
No support is provided for TLSv1.1 and TLSv1.2.

Workaround:
Upgrade to one of the following:
-- 12.0.0-hf1 - includes changes to mod_ssl
-- 12.1.0 - includes update to httpd 2.2.15-39

Fix:
Upgrade to httpd 2.2.15-39 (from el6.6) provides the needed changes to mod_ssl to support TLSv1.1 and TLSv1.2.


490537-6 : Persistence Records display in GUI might cause system crash with large number of records

Component: TMOS

Symptoms:
Using the GUI to view Persistence Records statistics in GUI when there are a large number of records might crash the system. (Persistence Records are available for LTM and GTM by navigating to Statistics :: Module Statistics, clicking on Local Traffic, DNS Delivery, or DNS GSLB and then selecting 'Persistence Records' for Statistics Type.)

Conditions:
This occurs when viewing statistics in the GUI for a large number of Persistence Records (approximately 1 million, but the number might be lower depending on network configuration and capacity).

Impact:
The system runs out of memory and fails over.

Workaround:
Use TMSH to see Persistence Records and associated statistics: tmsh show sys conn.
-- For LTM and GTM Delivery: tmsh show ltm persistence persist-records
-- For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type

Fix:
Persistence Records are no longer visible by default in the GUI. You can turn on visibility of Persistence Records using a db variable. When you enable the db variable, the GUI-specific out-of-memory condition might occur if you have a large number of records. In that case, you should use TMSH to see Persistence Records and associated statistics using the command tmsh show ltm persistence persist-records. To set the db variable:
-- for LTM Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.localtraffic.persistencerecords value true
-- for DNS Delivery Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsdelivery.persistencerecords value true
-- for DNS GSLB Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsgslb.persistencerecords value true


489957-9 : RADIUS::avp command fails when AVP contains multiple attribute (VSA).

Component: Service Provider

Symptoms:
The RADIUS::avp command fails when AVP contains multiple attributes (VSA) within an AVP.

Conditions:
One AVP contains multiple attributes (VSA).

Impact:
RADIUS::avp command fails.

Workaround:
None.

Fix:
The RADIUS::avp command now completes successfully when an AVP contains multiple attributes (VSA).


489816-1 : F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero

Component: Performance

Symptoms:
An SNMP query for the F5 Enterprise MIB attribute sysTmmStatMemoryTotal, and several others, returns zero values after upgrading to v11.6.0 HF6 or higher.

Conditions:
Always

Impact:
These values are incorrect.

Workaround:
Similar queries can be made to equivalent MIB attributes provided in units of kilobytes using SNMP type Gauge. In the case of sysTmmStatMemoryTotal, sysTmmStatMemoryTotalKb can be queried.

Fix:
For the affected MIB attributes in 11.6.0 HF6 and higher, zero values are no longer returned. Units of measurements continue to be in bytes using SNMP attribute type Counter64.


489451-3 : TMM might panic due to OpenSSL failure during handshake generation

Component: Local Traffic Manager

Symptoms:
TMM might panic due to OpenSSL failure during handshake generation.

Conditions:
Low memory. Software-based SSL handshake generation.

Impact:
TMM outage.

Workaround:

Fix:
The system now checks for OpenSSL failures during SSL handshake generation, so TMM no longer panics.


489379-1 : Bot signature is not matched

Component: Advanced Firewall Manager

Symptoms:
Bot signature is not matched although its content appears in request.

Conditions:
Configure several bot signatures and send requests that contain the signature. Some signatures may not be matched.

Impact:
Signature that should be matched and blocked may reach the application.

Workaround:
This issue has no workaround at this time.

Fix:
All configured signatures are now matched.


489329-6 : Memory corruption can occur with SPDY/HTTP2 profile(s)

Component: Local Traffic Manager

Symptoms:
A virtual server using either the SPDY or HTTP2 profiles can experience random memory corruption due to a double free of memory.

Conditions:
SPDY/HTTP2 filter is configured on the virtual.

Impact:
This results in a TMM crash in random components due to memory corruption.

Workaround:
Do not use SPDY2/HTTP2 profiles.

Fix:
A memory corruption in the SPDY/HTTP2 profiles has been fixed.


488921-2 : BIG-IP system sends unnecessary gratuitous ARPs

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends unnecessary gratuitous ARPs for its virtual IP addresses and self IP addresses.

Conditions:
When the virtual server status transitions from online to offline status or vice versa.

Impact:
The BIG-IP system sends out a large number of unwanted gratuitous ARPs if the virtual server changes its status rapidly. If devices connected to the BIG-IP system have rate limits configured, the devices might start ignoring the ARPs sent by the BIG-IP system, which might cause the devices to miss the critical gratuitous ARPs sent on HA failover. This might affect HA functionality.

Workaround:

Fix:
The system no longer sends unnecessary gratuitous ARPs when pool member state changes cause virtual server status changes.


488811-5 : F5-prelogon user profile folder are not fully cleaned-up

Component: Access Policy Manager

Symptoms:
When a user logs on using Network Logon in Windows, it triggers access policy execution, and the policy creates a temporary user, f5 Pre-Logon User. This causes the operating system to create a profile folder on the computer. After several executions, these folders start to accumulate because they are not removed properly after policy execution is complete. Each time the access policy runs, it creates a user folder of the form f5 Pre-Logon User.<HOSTNAME>.xyz in the C:\Users folder.

Conditions:
A user logs on to the computer using Network Logon in Windows. (Windows Logon Integration)

Impact:
Disk runs out of space and user is confused.

Workaround:
To work around the problem, delete folders manually.


488015-1 : Multiple PHP vulnerabilities

Component: TMOS

Symptoms:
CVE-2014-3668: Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation.
CVE-2014-3669: Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.
CVE-2014-3670: The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function.
The vulnerabilities described in this article have been resolved, or do not affect any F5 products. There will be no further updates, unless new information is discovered.

Conditions:
Running one of the vulnerable versions. For more information, see SOL15866: Multiple PHP vulnerabilities CVE-2014-3668, CVE-2014-3669, and CVE-2014-3670, available here: https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15866.html

Impact:
None. No F5 products are affected by this vulnerability.

Workaround:
None needed.

Fix:
Multiple PHP vulnerabilities CVE-2014-3668, CVE-2014-3669, and CVE-2014-3670.


484453-6 : Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)

Component: TMOS

Symptoms:
When the log filter is configured to filter at the 'Informational' log level, the logs can get filled with 'client /var/run/lopd.chmand.lopuns already registered' messages when registering with either the Lights Out Processor daemon (lopd) or the CAN daemon (cand). These messages appear in the log every two seconds on systems with lopd, or every 20 seconds on systems with cand.

Conditions:
This occurs when using a remote syslog logging filter with the 'Severity' field set to 'Informational'.

Impact:
Logs fill with messages. These messages are related to communication with the Lights Out Processor daemon (lopd) or with the CAN daemon (cand), and are completely benign, so you can safely ignore them.

Workaround:
Change the remote syslog logging level to 'Notice'.

Fix:
Reduced the log level for registering with the LOP (lights out processor) and CAN daemon (cand) to the debug level.


483719-2 : vlan-groups configured with a single member VLAN result in memory leak

Component: Local Traffic Manager

Symptoms:
If a vlan-group contains only a single member VLAN, tmm begins to leak memory as observed in 'tmctl memory_usage_stat'.

Conditions:
Configure a vlan-group with a single member VLAN.

Impact:
Continuous memory leaks might eventually result in traffic disruptions.

Workaround:
Remove vlan-groups containing a single member VLAN, or configure at least two member VLANs per vlan-group.

Fix:
Single-member vlan-groups no longer leak memory.


482373-3 : Can not delete and re-create a new virtual server that uses the same virtual address in the same transaction

Component: TMOS

Symptoms:
A create followed by a delete of a virtual server in a transaction fails.

Conditions:
A virtual server must be deleted in the same transaction as another virtual server being created where both share the same destination address. This applies to operations performed via iControl REST and tmsh.

Impact:
Transaction may fail.

Workaround:
Use create and delete in separate transactions.

Fix:
Transactions where virtual servers are deleted and re-created with the same virtual IP address will now complete successfully.


482177-4 : Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO

Component: Access Policy Manager

Symptoms:
Accessing the SharePoint web application portal with SSO configured for path /* (as part of the portal access resource item) first will break IdP-initiated Security Assertion Markup Language (SAML) single sign-on (SSO).

Conditions:
Having SharePoint Portal Access resource as well as SAML resource on full webtop. Access SharePoint application by clicking first on SharePoint icon on full webtop and then SAML resource causes SAML SSO to break.

Impact:
End user will see 404 NotFound page.

Workaround:
Disable SSO to Portal Access application SharePoint.

Fix:
Accessing a SAML resource on the webtop after a SharePoint resource no longer causes SSO to break.


481530-1 : Signature reporting details for sensitive data violation

Component: Application Security Manager

Symptoms:
ASM blocks some requests that match signatures of the 'XPath Injection' attack type, but specific details regarding the violations are not visible for the affected requests as the signatures match sensitive parameters.

Conditions:
Request with sensitive data, a signature match inside the sensitive data.

Impact:
You cannot view or learn about violations in the GUI for signatures that match on sensitive parameters.

Workaround:
Suggestions for how to acquire the signature ID:
1. Attach a custom remote logger that includes the violation details field and the support ID. Note: You can configure only these two.
2. Turn on the ATTACK_SIG logger module for bd.log and grep for 'Matched SIGID:' messages.
3. Remove the sensitive configuration. Note: This might not work for your environment.

Fix:
Signature names that are matched inside sensitive data are now shown in the violation details in the Configuration utility.


481328-2 : Many 'tmsh save sys config gtm-only partitions all' stack memory issue.

Component: Global Traffic Manager

Symptoms:
Suitably large GTM configurations can take longer to save to the bigip_gtm.conf file than the configured timeout.

Conditions:
This occurs when GSLB automatic configuration save is enabled, many changes are made that require configuration save, and the gtm.global-settings.general.automatic-configuration-save-timeout is less than the length of time it takes to save the configuration to file.

Impact:
Making numerous changes might lead to multiple instances of the save operation running simultaneously. Large memory consumption, potentially leading to a crash.

Workaround:
Set gtm.global-settings.general.automatic-configuration-save-timeout to a larger value or disable automatic configuration saving for GTM / GSLB.

Fix:
Simultaneous GTM configuration saves no longer occur, so memory is not consumed for them.


480246-4 : Message: Data publisher not found or not implemented when processing request

Component: TMOS

Symptoms:
The system posts messages in ltm log similar to the following: err mcpd[7172]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (20594).

Conditions:
This occurs on a bladed system from an SNMP query against blade_voltage_stat.

Impact:
For bladed systems, the system does not report the blade voltage. For non-bladed systems, there is no publisher for this query; the message is cosmetic, and you can safely ignore it.

Workaround:
None.

Fix:
The main query processing file was not included during build-time. The file has been added and the stats should now show as expected.


480071-2 : Backslashes in policy rule added/duplicated when modified in GUI.

Component: TMOS

Symptoms:
Policy no longer matches rule after modification via the GUI.

Conditions:
This occurs when the policy rule contains literal backslash.

Impact:
The policy does not match the expected condition.

Workaround:
Use tmsh to make policy changes.

Fix:
Backslashes in a policy rule are now correctly escaped when the rule is modified in the GUI.


478351-1 : Changing management IP can lead to bd crash

Component: Application Security Manager

Symptoms:
A bd crashes after a management IP change.

Conditions:
A remote logger is configured, traffic volume is high, and the management IP configuration is changed.

Impact:
The impact of this issue is a system outage as the bd restarts.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed a crash that could happen when management IP configuration was changed.


477769-2 : TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules.

Component: Advanced Firewall Manager

Symptoms:
TMM will crash (panic) in AFM pktclass code with following signature: Assertion 'classifier ref non-zero' failed.

Conditions:
For this to happen, the following conditions must be met:
- AFM is enabled.
- The virtual server has AFM rules (policy).
- Either a SPDY profile or HTTP prefetching is enabled.
- The AFM rule (policy) on this virtual server is then modified.

Impact:
TMM will restart causing traffic disruption.

Workaround:
None.

Fix:
TMM crash (panic) is fixed now and TMM no longer panics in scenarios with SPDY or HTTP Prefetching enabled.


476567-5 : fastL4: acceleration state is incorrectly reported on show sys conn

Component: Local Traffic Manager

Symptoms:
The output of the command 'show sys conn' shows both sides of two connections as accelerated, which means there should be four accelerated flows. However, the ePVA accelerated flow count shows only three accelerated flows, which is what is expected with this combination of IP addresses and ports.

Conditions:
This occurs when using FastL4 and acceleration.

Impact:
The system reports incorrect status.

Workaround:

Fix:
The system now updates accelerated status after the flow has been successfully inserted into the ePVA, so the correct state is reported.


476564-5 : ePVA FIX: no RST for an unaccelerated flow targeting a network virtual

Component: Local Traffic Manager

Symptoms:
A network virtual server configured with guaranteed acceleration fails to receive a RST for a flow that is not accelerated; a RST is seen when targeting a host virtual server. This results in the client retransmitting packets continuously, since it has no indication that the connection was closed.

Conditions:
This occurs with guaranteed latency.

Impact:
The system drops flows.

Workaround:

Fix:
The system now sends RST in guaranteed mode for an ePVA flow when the packet is received in software.


476386-2 : DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for tls1.2

Component: Local Traffic Manager

Symptoms:
DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 are visible for other protocols, but are only supported for TLS1.2.

Conditions:
These should only show up under TLS1.2 but they are visible for other protocols.

Impact:
Selecting these might have unexpected results.

Workaround:
None.

Fix:
Resolved the issue to ensure that DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 are supported only for TLS1.2.


475701-2 : FastL4 with FIX late-bind enabled may not honor client-timeout

Component: Local Traffic Manager

Symptoms:
When insufficient initial data is received, the FastL4 fix late-bind timeout recovery action is not taken (no RST sent with disconnection and no default pool use with fallback).

Conditions:
FastL4 profile with FIX late-bind enabled and insufficient data is received.

Impact:
The client-timeout feature does not work. Client connections seem to hang, and RST is not sent (when timeout-recovery disconnect) or the connection does not continue with standard FastL4 behavior (when timeout-recovery fallback) if enough initial data does not arrive within the client-timeout.

Workaround:
Setting tcp-handshake-timeout to a value that is greater than client-timeout might allow this to work.

Fix:
FastL4 with FIX late-bind enabled now honors client-timeout.


474252-1 : Applying ASM security policy repeatedly fills disk partition on a chassis

Component: Application Security Manager

Symptoms:
Applying ASM security policy repeatedly on a chassis will cause /var disk partition to fill.

Conditions:
ASM security policy is applied repeatedly on a chassis.

Impact:
/var disk partition is filled.

Workaround:
Delete the contents of /var/ts/var/cluster/send.

Fix:
An ASM security policy can be repeatedly applied on a chassis without filling the disk partition.


473415-1 : ASM Standalone license has to include URL and HTML Rewrite

Component: TMOS

Symptoms:
After an upgrade to 11.6.0, the system now reports 'URI Translation (Not Licensed)', yet the license package has not changed. There was no issue when running 11.4.1 with an ASM Standalone license and using the URL Rewrite functionality with URI Translation (under Local Traffic :: Profiles :: Services :: Rewrite).

Conditions:
This occurs when the following conditions are met:
-- Running 11.6.0.
-- ASM Standalone license.
-- URL Rewrite functionality with URI Translation.

Impact:
An ASM Standalone license generated for 11.6.0 does not include ltm_rewrite_uri. Therefore, regardless of what is configured in a rewrite profile, the profile is inoperative when assigned to a virtual server.

Workaround:
None available.

Fix:
In this release, ltm_rewrite_html and ltm_rewrite_url are enabled when mod_asm is enabled, so the system functions as expected for URL Rewrite functionality with URI Translation operations.


472696-1 : Multiple Mozilla Network Security Services vulnerabilities

Component: TMOS

Symptoms:
CVE-2014-1544 Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.

Conditions:
Running one of the vulnerable versions. For more information, see SOL16716: Multiple Mozilla Network Security Services vulnerabilities, available here: https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16716.html.

Impact:
The vulnerable code exists on the system; however, it is not used in a way that exposes the vulnerability.

Workaround:
To mitigate this vulnerability, you should only permit management access to F5 products over a secure network and restrict command line access for affected systems to the trusted users. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x) and SOL13092: Overview of securing access to the BIG-IP system.

Fix:
Multiple Mozilla Network Security Services vulnerabilities


472532-4 : Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list

Component: Local Traffic Manager

Symptoms:
Cipher dhe-rsa-aes256-sha256 is missing from the ssl cipher list.

Conditions:
This issue occurs under all conditions.

Impact:
The impact of this issue is that the user will be unable to connect with the specified cipher.

Workaround:
N/A

Fix:
Cipher id 0x006b (dhe-rsa-aes256-sha256) has been added.


472446-2 : Customization Group Template File Might Cause Mcpd to Restart

Component: Access Policy Manager

Symptoms:
A config sync or tmsh transaction might fail and make mcpd restart if the config sync or tmsh transaction includes a misconfigured object and simultaneously includes a customization group template file.

Conditions:
The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file.

Impact:
The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction when that transaction might contain an object configured with an invalid value. This results in a configuration error. Here is one example of the types of messages you might see when this occurs:
-- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete.
-- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file logon.inc customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty.
-- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting...
-- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd.

Workaround:
None.

Fix:
A configuration error in config sync or tmsh transaction is now handled correctly.


471467 : gtmparse segfaults when loading wideip.conf because of duplicate virtual server names

Component: Global Traffic Manager

Symptoms:
gtmparse segfaults when loading wideip.conf with duplicate virtual server names, or whose names differ only by spaces.

Conditions:
wideip.conf contains duplicate virtual server name definitions, or the virtual server names are unique only because of leading or trailing spaces.

Impact:
gtmparse segfaults during a wideip.conf load, causing GTM configuration load to fail.

Workaround:
Change virtual server definitions so that there are no duplicate named virtual servers. Note that adding only leading or trailing spaces does not result in a unique virtual server name.

Fix:
gtmparse now throws descriptive errors when encountering duplicate virtual server names in wideip.conf, for example:
./gtm/wideip.conf:61: "opt_vs_long_def: vs set name vs_1 on vs 10.221.43.28:1545 failed, duplicate name exists" at character '1545' in line: name "vs_1" address 10.221.43.28:1545


471318-1 : AD/LDAP group name matching should be case-insensitive

Component: Access Policy Manager

Symptoms:
AD/LDAP Group Name mapping fails due to case-sensitive matching. It should be case-insensitive.

Conditions:
This occurs when using AD/LDAP Group name mapping.

Impact:
Cannot find the intended group.

Workaround:
None.

Fix:
AD/LDAP Group Name mapping now uses a case-insensitive comparison. This is the correct behavior.


470842-1 : Apache Axis vulnerability CVE-2012-5784

Component: TMOS

Symptoms:
Apache Axis 1.4 and earlier does not verify that the server host name matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. The Apache axis.jar file included with iControl Assembly 11.2 and earlier is vulnerable to CVE-2012-5784.

Conditions:
Running one of the vulnerable versions. For more information, see SOL14371: Apache Axis vulnerability CVE-2012-5784, available here: https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14371.html.

Impact:
Affected systems may be vulnerable to a man-in-the-middle attack where attackers spoof SSL servers through an arbitrary valid certificate.

Workaround:
If you are using iControl Assembly 11.2 and earlier, the Apache axis.jar file is vulnerable to CVE-2012-5784. To eliminate this vulnerability, upgrade to iControl Assembly 11.3. To do so, download the latest version of the iControl Assembly package at https://devcentral.f5.com/community/group/aft/1172123/asg/2. Note: A separate DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).

Fix:
Apache Axis vulnerability CVE-2012-5784


470715-5 : Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long

Component: Local Traffic Manager

Symptoms:
When a VLAN name is 16 characters or longer, including the /Common/ folder name prefix, the internal packet size exceeds the configured MTU size of 1582 on the MPI channel. This causes excessive IP fragmentation on the tmm_bp VLAN and high CPU usage. In some cases it can also cause packet loss.

Conditions:
VLAN names of 16 characters or longer are in use. This length also counts the name of the partition.

Impact:
This can cause excessive IP fragmentation on the tmm_bp VLAN and high CPU usage. In some cases it can also cause packet loss.

Workaround:
Use shorter VLAN names.

Fix:
A new db variable, vlan.backplane.mtu, has been added to configure the tmm_bp VLAN MTU size, and the new default backplane MTU is set to 1640.

Behavior Change:
A new db variable, vlan.backplane.mtu, has been added to configure the tmm_bp VLAN MTU size, and the new default backplane MTU is set to 1640.


470559 : TMM crash after traffic stress with rapid changes to Traffic capturing profiles

Component: Application Visibility and Reporting

Symptoms:
Rare condition of TMM crash due to traffic stress with rapid changes made to Traffic capturing profiles.

Conditions:
1. The traffic capturing feature is on, under heavy traffic.
2. Modifications are being made to the traffic capturing configuration.

Impact:
This can occasionally cause TMM to crash.

Workaround:
Turn off traffic capturing feature, or minimize making changes to the Traffic capturing profile while under heavy load.

Fix:
A rare condition was fixed where TMM crashed due to traffic stress with rapid changes made to Traffic capturing profiles.


469512-3 : TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies.

Component: Advanced Firewall Manager

Symptoms:
TMM gets terminated by SOD daemon due to heartbeat failure.

Conditions:
This might occur intermittently when trying to load huge firewall policies.

Impact:
This might (intermittently) trigger a TMM abort by sod due to heartbeat failure.

Workaround:
Disable TMM heartbeat.

Fix:
TMM is no longer terminated by SOD due to heartbeat failure (when trying to load huge firewall policies).


469033 : Large big3d memory footprint.

Component: Global Traffic Manager

Symptoms:
The big3d process might take up a large amount of memory.

Conditions:
Using GTM in various configurations.

Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.

Workaround:
None.

Fix:
Reduced big3d memory footprint.


467256-2 : Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat

Component: Access Policy Manager

Symptoms:
If there were multiple EPSEC packages installed on a BIG-IP system and if a UCS backup is taken subsequently, that UCS backup will contain all the files causing the UCS to become huge. Installing this UCS may fail due to disk space limitations.

Conditions:
For this issue, multiple EPSEC packages have to be installed in the system and the UCS of this system is created.

Impact:
UCS fails to install due to its large size.

Workaround:
One can do the following:
1. Delete the EPSEC package from the GUI.
2. Then go to /config/filestore/files_d/Common_d/epsec_package_d/ and find the extra files for which there is no corresponding entry in /config/bigip.conf.
3. Delete those extraneous files manually using rm.

Fix:
When you delete EPSEC packages using the GUI, APM now correctly deletes the corresponding EPSEC ISO file from the filestore (/config/filestore/files_d/Common_d/epsec_package_d/). Before creating archives, administrators are now required to delete non-active EPSEC packages using the GUI to make sure that non-active EPSEC ISO files are not included in the archives. Although this issue has been resolved for newly downloaded EPSEC ISO files, you might still need to perform some cleanup:
1. You must remove previous leftover EPSEC ISO files as follows:
a. Delete the EPSEC package from the GUI: Select System > Software Management > Antivirus Check Updates; select an existing EPSEC package from the list and click Delete.
b. Go to /config/filestore/files_d/Common_d/epsec_package_d/ and find files for which there is no corresponding entry in /config/bigip.conf.
c. Delete those extraneous files manually using the rm command.
2. You cannot import huge previously created UCS archives. Instead, you should delete non-active EPSEC packages prior to creating a UCS.
3. If you want to include only one (active) EPSEC ISO in a UCS archive, you must first delete non-active EPSEC packages using the GUI.


462598-4 : Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.

Component: Access Policy Manager

Symptoms:
When the APM Access renderer or renderer pool (used for serving internal pages) goes down for an unknown reason, tmm goes into a retry loop and sod kills tmm.

Conditions:
For the problem to occur, at the very least, APM must be in use. The problem showed up in the past with a mangled iRule in place.

Impact:
This condition causes a crash due to an unresponsive TMM and will trigger a failover.

Workaround:
This has only been observed with an incorrectly formed iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this occurs without an associated iRule, there is no workaround.

Fix:
Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client.


462258-8 : AD/LDAP server connection failures might cause apd to stop processing requests when service is restored

Component: Access Policy Manager

Symptoms:
AD/LDAP server connection failures might cause APM apd to stop processing requests when service is restored. These symptoms accompany the problem:
- Too many file descriptors open by apd.
- 'Too many open files' error messages in the log file.
- Running qkview to gather diagnostic data reveals information similar to the following in 'netstat -pano' from qkview:
tcp 270 0 127.0.0.1:10001 10.10.225.85:53212 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 269 0 127.0.0.1:10001 10.10.225.4:56305 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 272 0 127.0.0.1:10001 10.10.57.10:57508 CLOSE_WAIT 12191/apd off (0.00/0/0)
tcp 0 0 127.1.1.1:56230 127.7.0.1:389 ESTABLISHED 12191/apd keepalive (1909.72/0/0)
The last line, with timer 'keepalive (1909.72/0/0)', indicates that apd has been waiting for a response for too long. The other lines, with Recv-Q '272', indicate that apd is not reading incoming requests as expected (specifically, that the internal worker queue is overloaded because all threads are waiting for the one hanging thread to be processed).

Conditions:
This occurs between the connect and search phases of the AD/LDAP server connection operation, most likely when an AAA server is configured to use a pool as a backend. In this case, apd can always connect locally to the layered virtual server, but the pool monitor has a server availability check interval, so a lag in the request to an unavailable server might cause apd to hang.

Impact:
Potential connection failures to the backend server.

Workaround:

Fix:
Active Directory and LDAP server connection operations time out in 3 minutes, so a thread does not block any other, and service can recover as soon as the connection to the backend is restored.


461084-3 : Kerberos Auth might fail if client request contains Authorization header

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header prior to the "HTTP 401" challenge, authentication fails.

Conditions:
An auth request to the BIG-IP system contains an Authorization header, and Kerberos Auth is configured.

Impact:
Authentication can fail and the client might see a login prompt again when the IP address changes.

Workaround:
None

Fix:
The client's Kerberos authentication now succeeds.


460946-2 : NetHSM key is displayed as normal in GUI

Component: Local Traffic Manager

Symptoms:
A NetHSM key's type is displayed as 'normal' in the GUI when it should be displayed as 'nethsm'.

Conditions:
When a key is created using NetHSM.

Impact:
The 'Security Type' field of the key's property appears to be 'Normal,' when it should be NetHSM.

Workaround:

Fix:
A NetHSM key is now displayed in the GUI as NetHSM, as expected.


458348-2 : RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.

Component: Local Traffic Manager

Symptoms:
Packets originating from the RESOLV:: iRule commands and sFlow are not routed correctly when using non-default CMP hashing on external and internal VLANs.

Conditions:
External and internal VLANs have, respectively, src-ip and dst-ip cmp hashing configured.

Impact:
Packets are dropped.

Workaround:

Fix:
RESOLV:: iRule commands and sFlow now function correctly when using non-default CMP hashing.


455762-1 : DNS cache statistics incorrect

Component: Local Traffic Manager

Symptoms:
DNS Cache statistics might skew high due to shared information between TMMs incrementing the same statistic multiple times.

Conditions:
Any DNS Cache might see this issue.

Impact:
DNS Cache Statistics are listed as higher than they should have been.

Workaround:
This issue has no workaround.

Fix:
DNS Cache Statistics are no longer being incremented multiple times for the same action.


452482-7 : HTTP virtual servers with cookie persistence might reset incoming connections

Component: Local Traffic Manager

Symptoms:
An incoming TCP connection to an HTTP virtual server receives a RST during the 3-way handshake.

Conditions:
Incoming connection matches existing cookie persistence record and would be persisted to a pool member whose connection limit has been reached.

Impact:
TCP connection fails.

Workaround:

Fix:
Cookie persistence records are ignored when the connection limit of the persisted pool member has been reached. This results in incoming connections being offloaded to another pool member (if available).


452443-2 : DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured

Component: Local Traffic Manager

Symptoms:
DNS cache resolver or validating resolver does not function properly and fails to resolve DNS requests.

Conditions:
BIG-IP system is using non-default cmp hashes configured on its egress VLANs.

Impact:
It is difficult to both use non-default cmp hashes on system VLANs and use a DNS cache resolver on the same BIG-IP system.

Workaround:
Configure a separate VLAN for the cache resolver's use that uses the default cmp hash. Set the system's default route to direct resolver traffic to this VLAN. This VLAN can be placed in a new route domain, if other features require route domain zero's default route pointing elsewhere.

Fix:
DNS cache resolver or validating resolver now functions properly, successfully resolving DNS requests when using non-default cmp hashes configured on its egress VLANs.


452439-5 : TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads

Component: Local Traffic Manager

Symptoms:
There is a bug caused by a race condition in the library used by the AFM sweep/flood feature. When the sweep/flood feature is enabled and one TMM process has multiple threads, one thread may at some point attempt to access memory released by another thread. In this situation, TMM may crash due to accessing an invalid memory segment.

Conditions:
(1) AFM sweep/flood is enabled. (2) A single TMM process has multiple threads. (3) The race condition occurs.

Impact:
TMM crash, site at risk.

Workaround:
Disable threading or disable sweep/flood.

Fix:
TMM will not crash when enabling DOS sweep/flood detection feature regardless of threading.


449453-5 : Loading the default configuration may cause the mcpd process to restart and produce a core file.

Component: TMOS

Symptoms:
Loading the default configuration may cause the mcpd process to restart and produce a core file.

Conditions:
This issue occurs when the following condition is met: After you successfully load a UCS file that was created on a different system, you attempt to restore the system to factory defaults by loading the default configuration. When you load the default configuration, if the mcpd process is unable to decrypt the master-key, or attributes exist that were encrypted with a key other than the current master-key, the mcpd process restarts and produces a core file. These situations may occur if an RMA has occurred and you install a UCS from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.

Impact:
The BIG-IP system may temporarily fail to process traffic and fail over if configured as part of a high-availability system.

Workaround:
None.

Fix:
Fixed crashes in mcpd and other daemons when the master-key cannot be decrypted, or when attributes exist that were encrypted with a key other than the current master-key. These situations may occur when an RMA occurs, when moving a UCS from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.


446526-7 : TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
When a TCP virtual server, or a UDP virtual server without datagram-LB mode enabled, runs an iRule which suspends itself, and the traffic that virtual server is handling is destined for the DNS cache, subsequent responses attempting to execute an iRule crash TMM because the first response is suspended. Those subsequent responses should be queued before attempting to execute the iRule.

Conditions:
Configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.

Impact:
TMM restarts.

Workaround:
Enable datagram-LB mode on the UDP profile. There is no workaround in the case of TCP.

Fix:
TMM no longer restarts when configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.


442871-2 : BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances created using OpenStack interfaces may fail to detect the Kernel-based Virtual Machine (KVM) hypervisor.

Conditions:
This issue occurs when all of the following conditions are met:
-- You are deploying a BIG-IP VE instance on a KVM hypervisor.
-- You are using the OpenStack interface tool set to perform the deployment.

Impact:
As a result of this issue, you may encounter one or more of the following symptoms:
-- The BIG-IP VE instance fails to start.
-- When starting the BIG-IP VE instance, diagnostic messages may indicate that the hypervisor is not recognized.

Workaround:
To work around this issue, you can modify your OpenStack compute nodes to run all instances as KVM. To do so, perform the following procedure:
Note: The workaround assumes that your compute nodes use KVM as the default hypervisor.
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the OpenStack compute node as the root user.
2. Using an editor, create a file in the /etc/nova directory named release.
3. Add the following content to the new file:
[Nova]
vendor = Red Hat
product = Bochs
package = RHEL 6.3.0 PC
4. Restart all services or reboot the compute node.
5. Redeploy a new BIG-IP VE instance using the OpenStack interface tool set.

Fix:
BIG-IP VE instances created using OpenStack interfaces now detect the KVM hypervisor. Important: If you performed the steps to work around this issue (as described in the known issue for this bug), removing the workaround might require a license change.


441058 : TMM can crash when a large number of SSL objects are created

Component: Local Traffic Manager

Symptoms:
Administrative operations that trigger a full reload of SSL cert, key, or CRL files can cause TMM to abort. TMM misses its heartbeat, at which time it is killed by the sod daemon via SIGABRT.

Conditions:
Configuration contains a large number of SSL certs, keys and/or CRLs.

Impact:
TMM crash, leading to possible network outage.

Workaround:
Remove any unused SSL objects from configuration.

Fix:
The system now loads the virtual IP addresses and associated SSL Certs/Keys in batches, so that TMM config load no longer exceeds its allowed CPU time.


439559-2 : APM policy sync resulting in failover device group sync may make the failover sync fail

Component: TMOS

Symptoms:
If an APM policy sync puts the new policy on a member of a sync-failover device group then the sync of the sync-failover group may fail.

Conditions:
* At least three devices in trust.
* Two devices in a sync-failover device group.
* Two devices in a sync-only device group suitable for APM policy sync.
* The policy is synchronized from a device that is not in the sync-failover device group.

Impact:
Sync will fail, but full load sync will then succeed.

Workaround:
Using a full load sync (the force option on the GUI sync page) will work.

Fix:
If an APM policy sync puts the new policy on a member of a sync-failover device group then the sync of the sync-failover group used to fail. This now succeeds.


433466-4 : Disabling bundled interfaces affects first member of associated unbundled interfaces

Component: TMOS

Symptoms:
When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1).

Conditions:
Disabling bundled interfaces affects first member of associated unbundled interfaces.

Impact:
Traffic cannot pass because the affected ports are in 'Down' status.

Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). The same applies to the other bundle/unbundle interface relationships (2.2/1.5, 2.3/1.9, and so on), and vice versa.

Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.


424831-6 : State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover

Component: Local Traffic Manager

Symptoms:
Failovers between devices in an HA pair might result in an unexpected disruption of traffic (for instance, if virtual servers are configured for mirroring). Persistence and session table information would similarly be missing on the newly active system.

Conditions:
- Platform that supports hardwired failover, configured for hardwired failover. (Note: this excludes chassis-based platforms, as well as vCMP guests and VEs.)
- Network failover disabled.

Impact:
- Failovers may result in unexpected disruption of traffic that failed to be mirrored.
- The session database (SessionDB entries, iRule session table, persistence table, etc.) will not be mirrored as expected, which may result in unexpected traffic failures.

Workaround:
Enable network failover, then restart all TMMs. Note: This workaround will temporarily disrupt traffic.

Fix:
State Mirroring now works for HA configurations that use only hardwired (serial) failover, without network failover.


421012-3 : scriptd incorrectly reports that it is running on a secondary blade

Component: TMOS

Symptoms:
scriptd might indicate that it is running on a secondary blade, even when the process is running on a primary blade or an appliance. The error condition generates this log message:
014f000f:7: Becoming secondary cluster member

Conditions:
The conditions under which this occurs are not well understood, but it is a rare occurrence.

Impact:
Perpetual iCall handlers do not run, so scripts running under the control of a daemon do not run.

Workaround:
Issue the command 'bigstart restart scriptd' on an affected blade or device.

Fix:
scriptd no longer incorrectly reports that it is running on a secondary blade when it is not.


418890-2 : OpenSSL bug can prevent RSA keys from rolling forward

Component: Local Traffic Manager

Symptoms:
When trying to upgrade from version 10.x to version 11.x, SSL keys can fail to roll forward. The roll-forward process does not handle what appears to be an OpenSSL bug (tested through OpenSSL 1.0.1c).

Conditions:
This occurs when rolling forward RSA keys from version 10.x to 11.x.

Impact:
Rather than the expected decrypt failure ('unable to load Private Key' with 'bad decrypt'), approximately 0.3% of keys respond differently: the return code is non-zero but the output does not contain 'bad decrypt'. In this case, the system considers the key bad even though it is fine.

Workaround:
None.

Fix:
All SSL keys from version 10.x can be loaded correctly using the UCS file.


413708-5 : BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.

Component: TMOS

Symptoms:
When SNMP IPv6 UDP queries are directed from a client to a self IP, the response from the BIG-IP system does not preserve the source port: an ephemeral source port is used instead of source port 161.

Conditions:
SNMP IPv6 UDP query only.

Impact:
SNMP query fails.

Workaround:

Fix:
The BIG-IP system now sends SNMP IPv6 UDP responses from source port 161 rather than from an ephemeral source port.


406001-3 : Host-originated traffic cannot use a nexthop in a different route domain

Component: Local Traffic Manager

Symptoms:
If a route uses a nexthop in a different route domain, traffic originating from the host will not be forwarded to that nexthop.

Conditions:
Multiple route domains, gateway route that matches traffic using a nexthop in a different route domain.

Impact:
Nodes reached by the route cannot be monitored.

Workaround:
None.

Fix:
Host-originated traffic can now use a nexthop in a different route domain.


405635-2 : Using the restart cm trust-domain command to recreate certificates required by device trust.

Component: TMOS

Symptoms:
Device trust manages the certificates and keys required for the SSL connections between devices used for configuration synchronization. These certificates and keys must always be present; if they are not, device trust fails.

Conditions:
This might occur after manually removing the 'cm' stanzas from the config file, and reloading the configuration.

Impact:
No certificates and keys exist. If there are no certificates and keys, device trust cannot be set up, and the system cannot complete the SSL connections necessary for config synchronization.

Workaround:
To recreate the certs and keys, run the command: restart cm trust-domain.

Fix:
This release contains a new tmsh command, 'restart cm trust-domain', to restart device trust in these circumstances.


401893-3 : Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies

Component: TMOS

Symptoms:
You cannot use the tilde (~) character in the Response Headers Allowed and Encrypt Cookies fields of an HTTP profile when using the GUI.

Conditions:
Attempting to use the tilde character in HTTP Profile fields Response Headers Allowed and Encrypt Cookies in HTTP Profiles.

Impact:
The GUI errors out with the following error: "Bad Characters. Only the following special characters are allowed: period, dash and underscore (.-_). Multiple arguments should be separated by spaces."

Workaround:
Use tmsh to create/update HTTP Profile fields Response Headers Allowed and Encrypt Cookies that need a tilde character.

Fix:
The tilde character can now be used in HTTP Profile fields Response Headers Allowed and Encrypt Cookies.


389328-7 : RSA SecurID node secret is not synced to the standby node

Component: Access Policy Manager

Symptoms:
When RSA SecurID node secret files are created on the active node, the files are not synced to the standby node. As a result, users are unable to log on after a switchover.

Conditions:
RSA node secret files are created on the active node after the first successful authentication.

Impact:
Service will be inaccessible after switchover.

Workaround:
1. Copy the node secret files /config/aaa/ace/Common/<rsa_securid_aaa_server>/sdstatus.12 and /config/aaa/ace/Common/<rsa_securid_aaa_server>/securid from the active node to the same directory on the standby node.
2. Wait for at least 30 seconds.
3. Execute the command "tmsh save sys config" to commit the changes to disk.

Fix:
The SecurID node secret file monitoring algorithm was updated so that a new node secret file can be detected. Also, aced now authenticates with mcpd so that any node secret file object changes are accepted by mcpd.


388274-3 : LTM pool member link in non-Common partition is wrong in Network Map.

Component: TMOS

Symptoms:
Pool member link in the non-Common partition in Network Map is broken.

Conditions:
This occurs for pool members that exist in a partition other than Common.

Impact:
Pool member name contains unusual characters.

Workaround:
None.

Fix:
The LTM pool member link for a non-Common partition now points to the correct location in the Network Map.


382157-3 : Stats presented by the MIB sysVlanStatTable do not match sFlow VLAN stats

Component: TMOS

Symptoms:
Stats presented by the MIB sysVlanStatTable do not match sFlow VLAN stats.

Conditions:
Running the following command returns data inconsistent with sFlow statistics: snmpwalk -v2c -c public localhost F5-BIGIP-SYSTEM-MIB::sysVlanStatTable

Impact:
Incorrect interpretation of VLAN stats. As a result of fixing this issue, F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsolete; use IF-MIB::ifXTable instead.

Workaround:
None.

Fix:
IF-MIB::ifXTable was implemented to use the same stats as sFlow. F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsolete.

Behavior Change:
F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsolete; use IF-MIB::ifXTable instead.


372473-2 : mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes

Component: Local Traffic Manager

Symptoms:
A message beginning with 'mcp error: 0x1020003' may be logged to /var/log/tmm when TMM crashes.

Conditions:
TMM crashes.

Impact:
This is an MCP error that is logged erroneously upon TMM shutdown, and does not indicate an issue with MCP.

Workaround:
None.

Fix:
The message is no longer logged when TMM crashes.


365219-2 : Trust upgrade fails when upgrading from version 10.x to version 11.x.

Component: TMOS

Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but one of the two following error messages appears in the /var/log/ltm log:
-- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}.
-- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.

Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.

Impact:
Trust upgrade for version 10.x high availability configuration fails.

Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.

Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.


341928-4 : CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.

Component: Local Traffic Manager

Symptoms:
The TMM daemon crashes with the accompanying log message:
Assertion 'cmp dest set on incorrect listener type' failed.

Conditions:
A CMP-enabled virtual server targets a CMP-disabled virtual server (e.g., via the 'virtual' iRule command).

Impact:
Failover or network outage.

Workaround:
Avoid the use of CMP-disabled virtual servers.

Fix:
A CMP-redirected looped virtual server (i.e., a VIP targeting a VIP on a different cluster node) no longer crashes TMM.


291469-2 : SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.

Component: TMOS

Symptoms:
The SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.

Conditions:
The following error message is reported in the /var/log/messages file:
snmpd[1748]: Error allocating more space for arpcache. Cache will continue to be limited to 2048 entries.

Impact:
ARP entries up to the boundary are returned. ARP entries beyond the boundary are not returned.

Workaround:
None.

Fix:
Memory validation now allows arpcache to expand, so the SNMP query no longer fails to return ARP entries when the ARP table exceeds 2,048 entries.


223884 : Module not licensed message appears when APM is provisioned and APML is licensed.

Component: TMOS

Symptoms:
Module not licensed message appears when APM is provisioned and APML is licensed.

Conditions:
APM is provisioned and APML is licensed.

Impact:
It appears as if APML isn't licensed when it is.

Workaround:
Ignore the message.

Fix:
The "Module not licensed" message no longer appears when APM is provisioned and APML is licensed.


Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release

Note: F5 has recently changed the bug numbering scheme in our bug tracking database. Now all bugs have a single version assigned to them, and so bugs can have sub-bugs denoted by a '-' followed by the sub-bug number, e.g., 404716-4, with 404716 being the parent bug. The release notes for previous rollups will also reflect this change, so some bugs may now contain a sub-bug suffix.

TMOS Fixes

ID Number Severity Description
473033-5 1-Blocking Datastor Now Uses Syslog-ng
507312-1 1-Blocking icrd segmentation fault
544980-3 1-Blocking Small /var when deploying from OVF for BETTER and BEST
520466-2 1-Blocking Ability to edit iCall scripts is removed from resource administrator role
527630-1 1-Blocking CVE-2015-1788 : OpenSSL Vulnerability
477218-5 1-Blocking Simultaneous stats query and pool configuration change results in process exit on secondary.
506034-3 1-Blocking NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)
535806-2 1-Blocking Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
473105 2-Critical FastL4 connections reset with pva-acceleration set to guaranteed
523434 2-Critical mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
534630-5 2-Critical Upgrade BIND to address CVE 2015-5477
507602-1 2-Critical Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
470813-1 2-Critical Memory corruption in f5::rest::CRestServer::g_portToServerMap
540846-5 2-Critical Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
420107-2 2-Critical TMM could crash when modifying HTML profile configuration
471860-3 2-Critical Disabling interface keeps DISABLED state even after enabling
540849-5 2-Critical An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c
513454-3 2-Critical An snmpwalk with a large configuration can take too long
506199-4 2-Critical VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
513382-1 2-Critical Resolution of multiple OpenSSL vulnerabilities
468473-2 2-Critical Monitors with domain username do not save/load correctly
509503-4 2-Critical tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration
479460-5 2-Critical SessionDb may be trapped in wrong HA state during initialization
429018-2 2-Critical tmipsecd cores when deleting a non-existing traffic selector
493791-2 2-Critical iApps do not support FQDN nodes
529509-5 2-Critical CVE 2015-4620 BIND vulnerability
516618-5 2-Critical CVE-2013-7424
364978-1 2-Critical Active/standby system configured with unit 2 failover objects
497078-1 2-Critical Modifying an existing ipsec policy configuration object might cause tmm to crash
438674-5 2-Critical When log filters include tamd, tamd process may leak descriptors
504496-3 2-Critical AAA Local User Database may sync across failover groups
510979-1 2-Critical Password-less SSH access after tmsh load of UCS may require password after install.
529510-2 2-Critical Multiple Session ha state changes may cause TMM to core
464870-7 2-Critical Datastor cores and restarts.
513916-5 3-Major String iStat rollup not consistent with multiple blades
524326-4 3-Major Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips
514726-4 3-Major Server-side DSR tunnel flow never expires
497564-2 3-Major Improve High Speed Bridge diagnostic logging on transmit/receive failures
518039-1 3-Major BIG-IQ iApp statistics corrected for partition use cases
507853-1 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
520640-2 3-Major The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
493246-2 3-Major SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
473348-6 3-Major hbInterval value not set to 300 sec after upgrade.
491716-2 3-Major snmp_similint_test_15370.py failed because of bug fix 483508
518283 3-Major Cookie rewrite mangles 'Set-Cookie' headers
470756-6 3-Major snmpd cores or crashes with no logging when restarted by sod
509504-5 3-Major Excessive time to save/list a firewall rule-list configuration
442871-1 3-Major BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor
523125 3-Major Disabling/enabling blades in cluster can result in inconsistent failover state
441297-3 3-Major LACP trunk remains down after restarting mcpd on 2000/4000 series platforms
509782-3 3-Major TSO packets can be dropped with low MTU
416388-1 3-Major vCMPD will not reattach to guest
534251-1 3-Major Live update with moving config breaks password-less ssh access
509037-1 3-Major BIG-IP systems allows creating wild-card IPIP tunnels with the same local-address and tunnel-type
458104-3 3-Major LTM UCS load merge trunk config issue
359774-6 3-Major Pools in HA groups other than Common
517580-3 3-Major OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
483104-3 3-Major vCMP guests report platform type as 'unknown'
493213-1 3-Major RBA eam and websso daemons segfaulting while provisioning
489084-1 3-Major Validation error in MCPD for FQDN nodes
506041-2 3-Major Folders belonging to a device group can show up on devices not in the group
468837-5 3-Major SNAT translation traffic group inheritance does not sync across devices
524753-1 3-Major IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip
523922-4 3-Major Session entries may timeout prematurely on some TMMs
383784-5 3-Major Remote Auth user names containing blank space cannot login through TMSH.
481648-8 3-Major mib-2 ipAddrTable interface index does not correlate to ifTable
491556-7 3-Major tmsh show sys connection output is corrected
513294-8 3-Major LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
519510-3 3-Major Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
524490-4 3-Major Excessive output for tmsh show running-config
499260-3 3-Major Deleting trust-domain fails when standby IP is in ha-order
533458-4 3-Major Generate core file on HSB lockup
528310 3-Major Upgrade failure when CertKeyChain exists in non-Common partition
528881 3-Major NAT names with spaces in them do not upgrade properly
527021-1 3-Major BIG-IQ iApp statistics corrected for empty pool use cases
498992-6 3-Major Troubleshooting enhancement: improve logging details for AWS failover failure.
484706-2 3-Major Incremental sync of iApp changes may fail
410398-3 3-Major sys db tmrouted.rhifailoverdelay does not seem to work
504494-2 3-Major Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.
516669-1 3-Major Rarely occurring SOD core causes failover.
533257-2 3-Major tmsh config file merge may fail when AFM security log profile is present in merged file
527537 3-Major CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled
473088-4 3-Major Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
495526-1 3-Major IPsec tunnel interface causes TMM core at times
510159-1 3-Major Outgoing MAP tunnel statistics not updated
517178-2 3-Major BIG-IP as SAML Service Provider cannot process some messages from simplesamlphp under certain conditions
515667-4 3-Major Unique truncated SNMP OIDs.
510119-4 3-Major HSB performance can be suboptimal when transmitting TSO packets.
464252-2 3-Major Possible tmm crash when modifying html pages with HTML profile.
355661-3 3-Major sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
501437-3 3-Major rsync daemon does not stop listening after configsync-ip set to none
455264-3 3-Major Error messages are not clear when adding member to device trust fails
480679-1 3-Major The big3d daemon does not receive config updates from mcpd
500234-4 3-Major TMM may core during failover due to invalid memory access in IPsec components
530773 3-Major per-request policy logs frequently in apm logs
527145-4 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
524791-3 3-Major non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0
519068-3 3-Major device trust setup can require restart of devmgmtd
505045-1 3-Major MAP implementation not working with EA bits length set to 0.
544888-5 3-Major Idle timeout changes to five seconds when using PVA full acceleration.
526419-1 3-Major Deleting an iApp service may fail
224903-5 3-Major CounterBaseGauge64 MIB values will not work with Network Management Systems
529640 3-Major Improvements in building Cloud images
362267-3 3-Major Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
514724-1 3-Major crypto-failsafe fail condition not cleared when crypto device restored
507575-1 3-Major An incorrectly formatted NAPTR creation via iControl can cause an error.
497304-1 3-Major Unable to delete reconfigured HTTP iApp when auto-sync is enabled
519372 3-Major vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.
502238-3 3-Major Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
464024-4 3-Major File descriptor leak when running some TMSH commands through scriptd
527094-1 3-Major iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.
522282-1 3-Major iApp templates are visible with only vCMP provisioned.
405752-1 3-Major Monitors sourced from specific source ports can fail
443298-2 4-Minor FW Release: Incorporate Victoria2 LOP firmware v1.20
473163-2 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap
465317-1 4-Minor Failure notice from "/usr/bin/set-rsync-mgmt-fw close" seen on each boot
492163-3 4-Minor Applying a monitor to pool and pool member may cause an issue.
515345-1 4-Minor NTP Vulnerability
524185 4-Minor Unable to run lvreduce
464043-3 4-Minor Integration of Firmware for the 2000 Series Blades
475647-2 4-Minor VIPRION Host PIC firmware version 7.02 update
523863-2 4-Minor istats help not clear for negative increment
356658-2 5-Cosmetic Message logged when remote authenticated users do not have local account login


Local Traffic Manager Fixes

ID Number Severity Description
522784-2 1-Blocking After restart, system remains in the INOPERATIVE state
420341-6 1-Blocking Connection Rate Limit Mode when limit is exceeded by one client also throttles others
505222-2 2-Critical DTLS drops egress packets when traffic is large
530963-4 2-Critical BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
474601-5 2-Critical FTP connections are being offloaded to ePVA
503343-7 2-Critical TMM crashes when cloned packet incorrectly marked for TSO
497299-5 2-Critical Thales install fails if the BIG-IP system is also configured as the RFS
514108-1 2-Critical TSO packet initialization failure due to out-of-memory condition.
431283-7 2-Critical iRule binary scan may core TMM when the offset is large
552937-1 2-Critical HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
533388-1 2-Critical tmm crash with assert "resume on different script"
536984 2-Critical Ensure min_path_mtu is functioning as designed.
426328-8 2-Critical Updating iRule procs while in use can cause a core
492352-3 2-Critical Mismatch ckcName between GUI and TMSH can cause upgrade failure
499422-1 2-Critical An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm.
402412-8 2-Critical FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
523079-2 2-Critical Merged may crash when file descriptors exhausted
528432-2 2-Critical Control plane CPU usage reported too high
502443-4 2-Critical After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
510837-2 2-Critical Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. bigip sends bad client key exchange.
505331-1 2-Critical SASP Monitor may core
538255 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
539344-1 2-Critical SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list
527477-4 2-Critical Slot 2 is inactive after reboot
450814-10 2-Critical Early HTTP response might cause rare 'server drained' assertion
531576-1 2-Critical tmm memory leak in traffic handling
506304-2 2-Critical UDP connections may stall if initialization fails
481677-2 2-Critical A possible TMM crash in some circumstances.
481162-2 2-Critical vs-index is set differently on each blade in a chassis
478257-7 3-Major Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
496758-5 3-Major Monitor Parameters saved to config in a certain order may not construct parameters correctly
521522-3 3-Major Traceroute through BIG-IP may display destination IP address at BIG-IP hop
517556-3 3-Major DNSSEC unsigned referral response is improperly formatted
497742-3 3-Major Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
447043-3 3-Major Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
479674-1 3-Major bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.
495557-1 3-Major Ephemeral node health status may report as 'unknown' rather than the expected 'offline'
226892-13 3-Major Packet filter enabled, default action discard/reject and IP fragment drop
503384-1 3-Major SMTP monitor fails on multi line greeting banner in SMTP server
352925-2 3-Major Updating a suspended iRule and TMM process restart
476097-1 3-Major TCP Server MSS option is ignored in verified accept mode
510638-1 3-Major [DNS] Config change in dns cache resolver does not take effect until tmm restart
503979-1 3-Major High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
474356-1 3-Major Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain
422107-8 3-Major Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
515322-1 3-Major Limit the number of extra callbacks scheduled from inside the cache resolver
460627-3 3-Major SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
495836-2 3-Major SSL verification error occurs when using server side certificate.
512148-1 3-Major Self IP address cannot be deleted when its VLAN is associated with static route
514246-3 3-Major connflow_precise_check_begin does not check for NULL
515817-2 3-Major TMM may not reset connection when receiving an ICMP error
551612 3-Major BIGIP SSL does not support sending multiple certificate verification requests to cavium at the same time in 11.6.0.
348000-1 3-Major HTTP response status 408 request timeout results in error being logged.
490429-2 3-Major The dynamic routes for the default route might be flushed during operations on non-default route domains.
522147-2 3-Major 'tmsh load sys config' fails after key conversion to FIPS using web GUI
501516-5 3-Major If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
375887-4 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
515072-4 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
512383-3 3-Major Hardware flow stats are not consistently cleared during fastl4 flow teardown.
525557 3-Major FQDN ephemeral nodes not repopulated after deleted and re-created
504105-4 3-Major RRDAG enabled UDP ports may be used as source ports for locally originated traffic
465052-6 3-Major Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing
521408-3 3-Major Incorrect configuration in BigTCP Virtual servers can lead to TMM core
530829 3-Major UDP traffic sent to the host may leak memory under certain conditions.
485472-3 3-Major iRule virtual command allows for protocol mismatch, resulting in crash
488600-2 3-Major iRule compilation fails
465607-7 3-Major TMM cores with TMM log error 'Assertion "flow in use" failed.' when using FastHTTP.
478439-6 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
510720-1 3-Major iRule table command resumption can clear the header buffer before the HTTP command completes.
490713-3 3-Major FTP port might occasionally be reused faster than expected
510921-1 3-Major Database monitors do not support IPv6 nodes
465590-9 3-Major Mirrored persistence information is not retained while flows are active
521774-3 3-Major Traceroute and ICMP errors may be blocked by AFM policy
516598-1 3-Major Multiple TCP keepalive timers for same Fast L4 flow
506282-1 3-Major GTM DNSSEC key generation is not synchronized upon key creation
512062-2 3-Major A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
530431 3-Major FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts
488581 3-Major 'SSL::disable clientside' inside HTTP_REQUEST causes tmm core if crypto is in progress
520540-1 3-Major HTTP Basic authentication may cause the TMM to crash if the header is too large
507529-1 3-Major Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
521538-2 3-Major Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
447874-5 3-Major TCP zero window suspends data transfer
504306-2 3-Major https monitors might fail to re-use SSL sessions.
462714-2 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
478617-6 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
504899-2 3-Major Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
374339-4 3-Major HTTP::respond/redirect might crash TMM under low-memory conditions
342013-6 3-Major TCP filter doesn't send keepalives in FIN_WAIT_2
422087-5 3-Major Low memory condition caused by Ram Cache may result in TMM core
517790-1 3-Major When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
516320-2 3-Major TMM may have a CPU spike if match cross persist is used.
524666-3 3-Major DNS licensed rate limits might be unintentionally activated.
518020-11 3-Major Improved handling of certain HTTP types.
471059-4 3-Major Malformed cookies can break persistence
487696-3 3-Major Number of CPU allocated for ASM guests
505059-1 3-Major Some special characters are not properly handled for username and password fields in TCL monitors
364994-7 3-Major Disabling OneConnect must be done on Client and Server sides
454692-4 4-Minor Assigning 'after' object to a variable causes memory leaks
442647-5 5-Cosmetic IP::stats iRule command reports incorrect information past 2**31 bits


Global Traffic Manager Fixes

ID Number Severity Description
515797-1 2-Critical Using qos_score command in RULE_INIT event causes TMM crash
513464-1 2-Critical Some autodiscovered virtuals may be removed from pools.
471819-2 2-Critical The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
517083-1 3-Major Some autodiscovered virtuals may be removed from pools.
516680-2 3-Major ZoneRunner might fail when loading valid zone files.
465951-2 3-Major If net self description size =65K, gtmd restarts continuously
516685-2 3-Major ZoneRunner might fail to load valid zone files.
515033 3-Major [ZRD] A memory leak in zrd
496775-3 3-Major [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor
479142-1 3-Major Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
515030-1 3-Major [ZRD] A memory leak in Zrd
353556-4 4-Minor big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed
479084-1 4-Minor ZoneRunner can fail to respond to commands after a VE resume.


Application Security Manager Fixes

ID Number Severity Description
524004-1 2-Critical Adding multiple signatures concurrently via REST
513822-1 2-Critical ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page
511196-1 2-Critical UMU memory is not released when remote logger can't reach its destination
524428-1 2-Critical Adding multiple signature sets concurrently via REST
520280-1 2-Critical Perl Core After Apply Policy Action
532030-3 3-Major ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
519053-1 3-Major Request is forwarded truncated to the server after answering challenge on a big request
526856-1 3-Major "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
516522-1 3-Major After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty
520585-2 3-Major Changing Security Policy Application Language Is Not Validated or Propagated Properly
486829-1 3-Major HTTP Protocol Compliance options should not be modified during import/upgrade
523201-2 3-Major Expired files are not cleaned up after receiving an ASM Manual Synchronization
531539-1 3-Major A brute force attack is not detected in NTLM under some conditions
523260-1 3-Major Apply Policy finishes with coapi_query failure displayed
527861 3-Major When Many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.
467930-1 3-Major Searching ASM Request Log for requests with specific violations
518201-1 3-Major ASM policy creation fails with "ASMConfig exception ... Policy ... already exists" after upgrade
523261-1 3-Major ASM REST: MCP Persistence is not triggered via REST actions
514117-1 4-Minor Store source port higher than 32767 in Request Log record


Application Visibility and Reporting Fixes

ID Number Severity Description
518663-1 3-Major Client waits seconds before page finishes load
519022-2 3-Major Upgrade process fails to convert ASM predefined scheduled-reports
499315-1 3-Major Added "Collect full URL" functionality.
531526-2 3-Major Missing entry in SQL table leads to misleading ASM reports
485251-1 3-Major AVR core which includes tmstat backtrace
525708-1 3-Major AVR reports of last year are missing the last month data
472117-2 3-Major Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive
479334-5 3-Major monpd/ltm log errors after Hotfix is applied
530356-2 3-Major Some AVR tables that hold ASM statistics are not being backed up in upgrade process.


Access Policy Manager Fixes

ID Number Severity Description
482266-3 1-Blocking Network Access can't be established for Windows 10
488736-5 1-Blocking Fixed problem with iNotes 9 Instant Messaging
439880-2 1-Blocking NTLM authentication does not work due to incorrect NetBIOS name
482241-1 1-Blocking Windows 10 cannot be properly detected
492149-3 1-Blocking Inline JavaScript with HTML entities may be handled incorrectly
405769-3 1-Blocking APM Logout page is not protected against CSRF attack.
532340-1 2-Critical When FormBased SSO or SAML SSO are configured, tmm may restart at startup
514220-1 2-Critical New iOS-based VPN client may fail to create IPv6 VPN tunnels
525562-1 2-Critical Debug TMM Crashes During Initialization
509490-2 2-Critical [IE10]: attachEvent does not work
518260-1 2-Critical Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988-2 2-Critical TMM may crash if access profile is updated while connections are active
526754-2 2-Critical F5unistaller.exe crashes during uninstall
520145-3 2-Critical [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
520298-2 2-Critical Java applet does not work
519864-3 2-Critical Memory leak on L7 Dynamic ACL
506223-2 2-Critical A URI in request to cab-archive in iNotes is rewritten incorrectly
507681-5 2-Critical Window.postMessage() does not send objects in IE11
493993-6 2-Critical TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module
523313-1 2-Critical aced daemon might crash on exit
492287-1 2-Critical Support Android RDP client 8.1.3 with APM remote desktop gateway
480272-6 2-Critical During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
527799-9 2-Critical OpenSSL library in APM clients updated to resolve multiple vulnerabilities
531483-2 3-Major Copy profile might end up with error
500938-3 3-Major Network Access can be interrupted if second NIC is disconnected
540778-3 3-Major Multiple SIGSEGV with core and failover with no logged indicator
475403-2 3-Major Tunnel reconnect with v2.02 does not occur
492305-1 3-Major Recurring file checker doesn't interrupt session if client machine has missing file
471117-4 3-Major iframe with JavaScript in 'src' attribute not handled correctly in IE11
533566-1 3-Major Support for View HTML5 client v3.5 shipped with VCS 6.2
526578-1 3-Major Network Access client proxy settings are not applied on German Windows
532761 3-Major APM fails to handle compressed ICA file in integration mode
452010-3 3-Major RADIUS Authentication fails when username or password contain non-ASCII characters
531883-2 3-Major Windows 10 App Store VPN Client must be detected by BIG-IP APM
462514-1 3-Major Support for XMLHttpRequest is extended
494637-2 3-Major localdbmgr process in constant restart/core loop
531529-1 3-Major Support for StoreFront proxy
525429-4 3-Major DTLS renegotiation sequence number compatibility
526514-1 3-Major Open redirect via SSO_ORIG_URI parameter in multi-domain SSO
518981-2 3-Major RADIUS accounting STOP message may not include long class attributes
523431-2 3-Major Windows Cache and Session Control cannot support a period in the access profile name
494565-4 3-Major CSS patcher crashes when a quoted value consists of spaces only
483286-3 3-Major APM MySQL database full as log_session_details table keeps growing
501494-1 3-Major if window.onload is assigned null, then null should be retrieved
526084-3 3-Major Windows 10 platform detection for BIG-IP EDGE Client
521506-2 3-Major Network Access doesn't restore loopback route on multi-homed machine
525384-2 3-Major Network Access PAC file can now be located on an SMB share
513969-3 3-Major UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513098-1 3-Major localdb_mysql_restore.sh failed with exit code
483501-1 3-Major Access policy v2 memory leak during object deletion in tmm.
531541-1 3-Major Support Citrix Receiver 4.3 for Windows in PNAgent mode
509677-1 3-Major Edge-client crashes after switching to network with Captive Portal auth
532096-2 3-Major Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
519966-2 3-Major APM "Session Variables" report shows user passwords in plain text
521773-2 3-Major Memory leak in Portal Access
482269-8 3-Major APM support for Windows 10 out-of-the-box detection
516839-3 3-Major Add client type detection for Microsoft Edge browser
526492-2 3-Major DNS resolution fails for Static and Optimized Tunnels on Windows 10
520205-3 3-Major Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
530800-1 3-Major Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.
474779-1 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
492701-3 3-Major Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
512245-7 3-Major Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
483792-5 3-Major when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
473488-6 3-Major In AD Query agent, resolving of nested groups may cause apd to spin
426209-2 3-Major exporting to a CSV file may fail and the Admin UI is inaccessible
522878-1 3-Major Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.
520390-1 3-Major Reuse existing option is ignored for smtp servers
488105-3 3-Major TMM may generate core during certain config change.
340406-10 3-Major Localization of BIG-IP Edge Client™ for Macintosh
534755-1 3-Major Deleting APM virtual server produces ERR_NOT_FOUND error
512345-2 3-Major Dynamic user record removed from memcache but remains in MySQL
523327-2 3-Major In very rare cases Machine Certificate service may fail to find private key
528727-1 3-Major In some cases HTML body.onload event handler is not executed via portal access.
446860-4 3-Major APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
523305-1 3-Major Authentication fails with StoreFront protocol
526617-1 3-Major TMM crash when logging a matched ACL entry with IP protocol set to 255
515943-2 3-Major "Session variables" report may show empty if session variable value contains non-English characters
520705-5 3-Major Edge client contains multiple duplicate entries in server list
423282-8 3-Major BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
473255-3 3-Major JavaScript submit() method could be rewritten incorrectly inside of 'with' statement.
517441-5 3-Major apd may crash when RADIUS accounting message is greater than 2K
524909-2 3-Major Windows info agent could not be passed from Windows 10
490830-4 3-Major Protected Workspace is not supported on Windows 10
442698-10 3-Major APD Active Directory module memory leak in exception
472256-3 3-Major tmsh and tmctl report unusually high counter values
468137-6 3-Major Network Access logs missing session ID
466745-3 3-Major Cannot set the value of a session variable with a leading hyphen.
523222-6 3-Major Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521835-2 3-Major [Policy Sync] Connectivity profile with a customized logo fails
539013-6 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
482251-3 3-Major Portal Access. Location.href(url) support is added
431467-1 3-Major Mac OS X support for nslookup and dig utilities to use VPN DNS
528726-3 3-Major AD/LDAP cache size reduced
475735-4 3-Major Failed to load config after removing peer from sync-only group
500450-1 3-Major ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.
513283-1 3-Major Mac Edge Client doesn't send client data if access policy expired
481663-5 3-Major Disable isession control channel on demand.
478751-6 3-Major OAM10g form based AuthN is not working for a single/multiple domain.
510709-1 3-Major Websso start URI match fails if there are more than 2 start URI's in SSO configuration.
513545-1 3-Major '-decode' option produces an incorrect value when it decodes a single value
457760-5 3-Major EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
537000-2 3-Major Installation of Edge Client can cause Windows 10 crash in some cases
520118-2 3-Major Duplicate server entries in Server List.
529392-2 3-Major Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script
513953-1 3-Major RADIUS Auth/Acct might fail if server response size is more than 2K
511854-4 3-Major Rewriting URLs at client side does not rewrite multi-line URLs
513706-2 3-Major Incorrect metric restoration on Network Access on disconnect (Windows)
402793-12 3-Major APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
530697-2 3-Major Windows Phone 10 platform detection
509722-1 3-Major BWC traffic blocked
519198-3 3-Major [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
408851-7 3-Major Some Java applications do not work through BIG-IP server
532522-3 3-Major CVE-2015-1793
528768-1 3-Major Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication
531910-1 3-Major apmd, apd, localmgr random crash
518432 3-Major [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation
537614-1 3-Major Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
517564-1 3-Major APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
528675-2 3-Major BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired
482699-4 3-Major VPE displaying "Uncaught TypeError"
461189-5 3-Major Generated assertion contains HEX-encoded attributes
472062-3 3-Major Unmangled requests when form.submit with arguments is called in the page
523390-2 3-Major Minor memory leak on IdP when SLO is configured on bound SP connectors.
458450-2 3-Major Memory allocation metadata corruption when debugging log is enabled on ECA
504031-1 3-Major document.write()/document.writeln() redefinition does not work
481987-6 3-Major Allow NTLM feature to be enabled with APM Limited license
518573 3-Major The -decode option should be added to expressions in AD and LDAP group mapping.
519415-3 3-Major apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )
495336-1 3-Major Logon page is not displayed correctly when "force password change" is on for local users
520642-3 3-Major Rewrite plugin should check length of Flash files and tags
516462-2 3-Major Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
526677-1 3-Major VMware Horizon HTML5 View access client cannot connect when using View Connection Server running version 6.1.1
526275-1 3-Major VMware View RSA/RADIUS two factor authentication fails
514912-3 3-Major Portal Access scripts had not been inserted into HTML page in some cases
483020-1 3-Major [SWG] Policy execution hang when using iRule event in VPE
480761-1 3-Major Fixed issue causing TunnelServer to crash during reconnect
478492-7 3-Major Incorrect handling of HTML entities in attribute values
533723-4 4-Minor [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
507321-3 4-Minor JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
486661-3 4-Minor Network Access should provide client IP address on reconnect log records
478261-2 4-Minor WinInet handle leak in Edge Client on Windows
510459-1 4-Minor In some cases Access does not redirect client requests
517872-1 4-Minor Include proxy hostname in logs in case of name resolution failure
513201-6 4-Minor Edge client is missing localization of some English text in Japanese locale
478658-6 4-Minor Window.postMessage() does not send objects
473685-1 4-Minor Websso truncates cookie domain value
523158-2 4-Minor In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails
524756 4-Minor APM Log is filled with errors about failing to add/delete session entry
497627-3 4-Minor Tmm cores while using APM network Access and no leasepool is created on bigip.
482145-3 4-Minor Text in buttons not centered correctly for higher DPI settings


WebAccelerator Fixes

ID Number Severity Description
522231-3 3-Major TMM may crash when a client resets a connection
521455-2 3-Major Images transcoded to WebP format delivered to Edge browser


Wan Optimization Manager Fixes

ID Number Severity Description
480910 3-Major A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled fails to successfully establish a connection.
497389-1 3-Major Extraneous dedup_admin core
442884-1 3-Major TMM assert "spdy pcb initialized" in spdy_process()
485182-2 3-Major wom_verify_config does not recognize iSession profile in /Common sub-partition


Service Provider Fixes

ID Number Severity Description
516057-3 2-Critical Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
503652-4 2-Critical Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
521556-1 2-Critical Assertion "valid pcb" in TCP4 with ICAP adaptation
480311-1 3-Major ADAPT should be able to work with OneConnect
478920 4-Minor SIP::discard is not invoked for all request messages
489957-5 4-Minor RADIUS::avp command fails when AVP contains multiple attribute (VSA).


Advanced Firewall Manager Fixes

ID Number Severity Description
506286-1 2-Critical TMSH reset of DOS stats
524748-1 2-Critical PCCD optimization for IP address range
534886-1 3-Major AFM Security checks were not being done for DNS over TCP
531761-1 3-Major Web navigation flow may be reset when main page responds with non-HTML content
509600-1 3-Major Global rule association to converted policy is lost on one device in HA configuration.
509934-1 3-Major Blob activation fails due to counter revision
525522 3-Major Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains
510224-2 3-Major All descriptions for address-list members are flushed after the address-list was updated
532022-1 3-Major tmm can crash when the reply pkt to a service flow request is a DoS pkt
481706-2 3-Major AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP
530865-2 3-Major AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
526774 3-Major Search in FW policy disconnects GUI users
523465-2 3-Major Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
515112-1 3-Major Delayed ehash initialization causes crash when memory is fragmented.
526277-1 3-Major AFM attack may never end on AVR dos overview page in a chassis based BIGIP
509919-2 3-Major Customer may experience incorrect counter update for SelfIP traffic on cluster
521763-1 3-Major Attack stopped and start messages should not have source/dst ip addresses in log messages
491165-1 4-Minor Legal IP addresses sometimes logged in Attack Started/Stopped message.
533808-1 4-Minor Unable to create new rule for virtual server if order is set to "before"/"after"
528499 4-Minor AFM address lists are not sorted while trying to create a new rule.
510226-2 4-Minor All descriptions for ports-list's members are flushed after the port-list was updated
533336-2 4-Minor Display 'description' for port list members
495432-2 5-Cosmetic Add new log messages for AFM rule blob load/activation in datapath.


Policy Enforcement Manager Fixes

ID Number Severity Description
524780-1 1-Blocking TMM crash when querying the session information
525175-1 1-Blocking Fix a crash issue when querying SSP with multi-ip.
533929 1-Blocking PEM::subscriber info irule command can cause tmm core
522933-1 1-Blocking diam_app_process_async_lookup may cause TMM crash
491771-2 2-Critical Using catch to suppress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic
527016-1 2-Critical CLASSIFICATION_DETECTED irule event results in tmm core
534018-1 2-Critical Memory leak while running some of PEM::session and PEM::subscriber commands.
519506-1 2-Critical Flows dropped with initiate data from server on virtual servers with HTTP
533203 2-Critical TMM may core on resuming iRule if the underlying flow has been deleted.
534490 2-Critical Fixed TMM crash when IRULE configuration is modified.
528715-1 2-Critical rare tmm crash when ipother irule parks
524374-1 2-Critical TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule
533734-1 2-Critical DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION
523296-1 2-Critical TMM may core when using iRule custom actions in PEM policies
528787-1 3-Major PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.
541592-1 3-Major PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions
521655-2 3-Major Session hangs when trying to switch state to provisioned
499778-1 3-Major A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs
522141-1 3-Major Tmm cores while changing properties of PEM policies and rules.
529414-1 3-Major PEM: After Diameter Fatal-Grace time expiry, Some subscriber sessions might be deleted very soon
504627-1 3-Major Valid sessions won't be deleted any more due to session inactivity.
524198-1 3-Major PEM: Invalid HSL log generated when session with static subscriber deleted.
522579-1 3-Major TMM memory leak when RAR messages received from PCRF to delete for a non-existing sessions in PEM
527725-1 3-Major BigIP crash caused by PSC::ip_address iRule is fixed
526368-1 3-Major The number of IPv4 addresses per Gx session exceeds the limit of 1
525860-2 3-Major PEM: Duplicate sessions formed with same IP
527289-1 3-Major TMM crashes with core when PSC::ip_address iRule is used to list IPs
521683-1 3-Major PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs
524409-1 3-Major Fix TMSH show and reset-stats commands for multi-ip sessions defect.
471926-1 3-Major Static subscriber sessions lost after bigstart restart
528247-1 3-Major PEM: New Requested units empty for when used units matches granted service units
522934 3-Major Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy
527292-1 3-Major BigIP crash caused by PSC::user_name iRule is fixed
525633-1 3-Major Configurable behavior if PCRF returns unknown session ID in middle of session.
534323-1 3-Major Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.
528238-1 3-Major Quota Policy Added multiple times will lead to reset of Subscriber flows
526786-1 3-Major Session lookup fails
537034 3-Major PEM: CPU spike seen when irule is used to update non existent sessions
527076-1 3-Major TMM crashes with core when PSC::policy iRule is used to set more than 32 policies
533513-1 3-Major Data plane Listener summary does not show LSN translation correctly
525416-1 3-Major List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed.
522140-1 3-Major Multiple IP is not added through iRule after setting the state of a session to provision by iRule
526295-3 3-Major BigIP crashes in debug mode when using PEM irule to create session with calling-station-id and called-station-id
539677-1 4-Minor The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file


Carrier-Grade NAT Fixes

ID Number Severity Description
533562-1 2-Critical Memory leak in CGNAT can result in crash
490893-4 2-Critical Deterministic NAT State information incomplete for HSL log format
515646-1 2-Critical TMM core when multiple PPTP calls from the same client
509108-1 2-Critical CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber
494743-1 2-Critical Deterministic NAT translation cannot reverse-map after blade failure on p8
494122-2 2-Critical Deterministic NAT state information from HSL is not usable on p8
480119-2 3-Major Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.
500424-2 3-Major dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
505097-1 3-Major lsn-pool backup-member not propagated to route table after tmrouted restart
504021-1 3-Major lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled
486762-1 3-Major lsn-pool connection limits may be invalid when mirroring is enabled
455020-1 3-Major RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout


Manufacturing Fixes

ID Number Severity Description


Fraud Protection Services Fixes

ID Number Severity Description
520090-1 2-Critical FPS plugin
526124 2-Critical Parameter matching inconsistency
531994-1 2-Critical Case-sensitivity on upgrade
532002 3-Major False-Positive Phishing alert in Safari on iPad
527476 3-Major Some FPS alerts logged without User GUID
529573 3-Major CSS attribute name
503461-1 3-Major Intermittent Javascript failure on Safari on Mac
530867-1 3-Major New Dyre Signature added to Generic Malware Detection
524032-1 3-Major Control sending alerts during the source integrity learning process
513860-1 3-Major Incomplete support for special characters in input field names
525283-1 3-Major Add obfuscator tuning tools
527075 3-Major Update domain availability default settings
529587 4-Minor Erroneous JS injections
527085 4-Minor User-agent in alerts


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514236-1 3-Major [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses


Centralized Management Fixes

ID Number Severity Description
525595 1-Blocking Fix memory leak of inbound sockets in restjavad
509273 2-Critical hostagentd consumes memory over time
521272 3-Major Fixed memory leak in restjavad's Authentication Token worker
533307 3-Major Increasing memory usage due to continual creation of authentication tokens


iApplications Fixes

ID Number Severity Description
495525-1 4-Minor iApps fail when using FQDN nodes in pools


Cumulative fix details for BIG-IP v11.6.0 Hotfix 6 that are included in this release

552937-1 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.

Component: Local Traffic Manager

Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.

Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.

Impact:
TMM core.

Workaround:
Add the close header to the HTTP::respond response, and the connection will be closed automatically.

Fix:
TMM no longer cores when handling the next pipelined request after HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.


551612 : BIGIP SSL does not support sending multiple certificate verification requests to cavium at the same time in 11.6.0.

Component: Local Traffic Manager

Symptoms:
In 11.6.0, when SSL sends multiple certificate verification requests to cavium at the same time, the handshake is disconnected with "bad certificate".

Conditions:
SSL sends multiple certificate verification requests at the same time.

Impact:
SSL does not support this case and the SSL handshake is disconnected with "bad certificate".

Workaround:

Fix:
Fixes the certificate signature verification problem. In 11.6.0, SSL can send only one certificate signature verification request to the crypto hardware at a time, so the code now checks the hs->crypto value: if it is FALSE (no pending request), SSL sends the request; otherwise it waits for the pending request to finish.


544980-3 : Small /var when deploying from OVF for BETTER and BEST

Component: TMOS

Symptoms:
The size of /var volume is 500MB instead of 3GB for BETTER and BEST offerings.

Conditions:
BIGIP VE BETTER and BEST vm_bundle images.

Impact:
Not enough space in /var.

Workaround:
/var can be resized to 3GB. From tmsh, run: modify /sys disk directory /var new-size 3145728, and then reboot.

Fix:
Fixed the build process to generate BETTER and BEST images with /var of 3GB.


544888-5 : Idle timeout changes to five seconds when using PVA full acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.

Fix:
Once the TCP connection reaches established state, the idle timeout is now set to the value found in the associated profile. By default the profile timeout value is 300 seconds.


541592-1 : PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions

Component: Policy Enforcement Manager

Symptoms:
RADIUS Start and Stop messages do not trigger any Diameter traffic except DWR/DWA.

Conditions:
Diameter virtual reconfiguration and possibly any virtual configuration change might trigger this behavior.

Impact:
Subscriber sessions created by RADIUS are not provisioned by the PCRF. Deleted sessions are also not reported to the PCRF, and usage reports are not sent.

Workaround:
Restarting TMM is the only workaround for now.

Fix:
This issue has been fixed. Changing the Diameter configuration no longer stops CCR-I/U/T messages from being sent.


540849-5 : An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c

Component: TMOS

Symptoms:
An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure

Conditions:
BIND Versions affected: 9.9.7 -> 9.9.7-P2, 9.10.2 -> 9.10.2-P3

Impact:
A server which encounters this error will terminate due to a REQUIRE assertion failure, resulting in denial of service to clients

Workaround:
N/A

Fix:
Upgrade BIND to latest: 9.9.7-P3


540846-5 : Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c

Component: TMOS

Symptoms:
Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c

Conditions:
BIND Versions affected: 9.9.0->9.9.7-P2, 9.10.0->9.10.2-P3

Impact:
It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key

Workaround:
N/A

Fix:
Upgrade BIND to latest: 9.9.7-P3


540778-3 : Multiple SIGSEGV with core and failover with no logged indicator

Component: Access Policy Manager

Symptoms:
A multimodule HA pair under high load experiences 3 failover events.

Conditions:
Configure HA pair for GBB multimodule testing (AFM, ASM, APM, GTM, LTM) and apply high concurrent load.

Impact:
Instability in HA. The current HA config under test has not had a unit remain active for more than ~12 hours.

Workaround:
None.

Fix:
The fix frees memory using the same length that was used for the allocation with umem_alloc.


539677-1 : The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file

Component: Policy Enforcement Manager

Symptoms:
/etc/wr_urldbd/bcsdk.cfg is not included in the .ucs file when saving the configuration.

Conditions:
Using tmsh to run save sys ucs <file_name>. The /etc/wr_urldbd/bcsdk.cfg file is not saved in the resulting .ucs file.

Impact:
URLcat webroot configuration is not included in the .ucs file.

Workaround:
No workaround.

Fix:
After the fix, the tmsh save sys ucs command saves /etc/wr_urldbd/bcsdk.cfg in the .ucs file.


539344-1 : SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list

Component: Local Traffic Manager

Symptoms:
If a SPDY child flow is aborted while stalled, the SPDY stream cleanup does not remove the stream from the SPDY PCB's stalled list, thus leaving the freed stream in the list.

Conditions:
SPDY child flow is aborted while stalled

Impact:
Aborted flow is not removed from the SPDY PCB's stalled list

Workaround:
N/A

Fix:
Do not keep a reference to a freed stream


539013-6 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.0.167-HF1.
- Running Windows 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.

Fix:
After the VPN connection has been established, DNS resolution now works on a Windows 10 desktop with multiple NICs where one of them is in a disconnected state and has a statically assigned IPv4 configuration.


538255 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a 4200/2200 can experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware.

Impact:
TMM cores.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


537614-1 : Machine certificate checker fails to use Machine cert check service if Windows has certain display languages

Component: Access Policy Manager

Symptoms:
The Machine certificate checker agent fails to use the machine certificate checker service for Windows if it has a certain display language, for example Polish. In the failing case, the logs contain:
2015-08-04,18:37:59:042, 924,756,, 1, , 330, CCertCheckCtrl::CheckPrivateKey, EXCEPTION caught: CCertCheckCtrl::CheckPrivateKey - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 85, UCredMgrService::RpcConnect, EXCEPTION - Failed to set binding handle's authentication, authorization and security QOS info (RPC_STATUS: 1332)
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 88, RPCConnector::Connect, EXCEPTION caught: UCredMgrService::RpcConnect - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \MCClient.h, 86, MCClient::Verify, Failed to perform PRC-call:error=1702

Conditions:
Windows with a non-English display language. The Machine certificate checker is supposed to use the Machine Certificate Checker service.

Impact:
The Machine certificate checker check cannot be passed using the Machine cert service.

Workaround:
Switch display language to English.

Fix:
Machine certificate checker service works now with a display language other than English.


537034 : PEM: CPU spike seen when irule is used to update non existent sessions

Component: Policy Enforcement Manager

Symptoms:
CPU usage spikes and remains high, which eventually leads to a TMM core.

Conditions:
An iRule is used to update a non-existent session with policies.

Impact:
CPU spike; TMM going down causes service downtime.

Workaround:
Make sure iRules are not used to update sessions that do not exist.

Fix:
The issue is fixed. No CPU spike is seen even if an iRule updates non-existent sessions.


537000-2 : Installation of Edge Client can cause Windows 10 crash in some cases

Component: Access Policy Manager

Symptoms:
Connecting to an APM box which has support for Windows 10 can cause the OS to crash. After reboot, the next attempt will be successful.

Conditions:
- Windows 10
- APM box supporting Windows 10
- User installed the F5 VPN driver from an APM box not supporting Windows 10

Impact:
User can lose some data.

Workaround:
Before connecting, old VPN driver instances must be manually removed using Device Manager.

Fix:
Installation of Edge Client on Windows 10 no longer causes a system crash.


536984 : Ensure min_path_mtu is functioning as designed.

Component: Local Traffic Manager

Symptoms:
A route metric MTU value lower than min_path_mtu could be set.

Conditions:
An MTU lower than min_path_mtu.

Impact:
The db variable min_path_mtu was not correctly enforced, with unexpected results in certain conditions.

Workaround:

Fix:
Resolved the error so that min_path_mtu is enforced as the lowest MTU value, as designed.


535806-2 : Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE

Component: TMOS

Symptoms:
Not enough free disk space for live install of 12.0.0.

Conditions:
Initial install of BIG-IP VE GOOD 11.5.3. Upgrade to 12.0.0.

Impact:
Unable to install 12.0.0 on 2nd slot.

Workaround:
Grow the virtual disk before installing 12.0.0.

Fix:
Increased the size of the virtual disk for 11.5.3.


534886-1 : AFM Security checks were not being done for DNS over TCP

Component: Advanced Firewall Manager

Symptoms:
We had disabled DNS Query Filtering and DNS DoS checks for DNS over TCP.

Conditions:
DNS over TCP and either DNS DoS configured or DNS Query filtering configured.

Impact:
The DNS Query Filtering and DNS DoS features were not applied to DNS over TCP.

Workaround:
Use DNS over UDP.

Fix:
We have now enabled DNS Query filtering and DNS DoS checks regardless of the L4 protocol.


534755-1 : Deleting APM virtual server produces ERR_NOT_FOUND error

Component: Access Policy Manager

Symptoms:
When an APM virtual server is deleted on the active unit, the following error message is seen in the APM log on the standby: "Failed to delete profile stats namespaces".

Conditions:
This issue happens when an APM virtual server is deleted on the active unit and the change is subsequently synced to the standby.

Impact:
There is no functional impact.

Workaround:

Fix:
Access Filter now ignores the ERR_NOT_FOUND error when deleting the profile stats namespace.


534630-5 : Upgrade BIND to address CVE 2015-5477

Component: TMOS

Symptoms:
See SOL https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html for complete information. BIND will issue a REQUIRE assert and exit under certain conditions. It will automatically be restarted by bigstart.

Conditions:
A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.

Impact:
DNS resolutions that are answered by the on-box BIND server may be interrupted.

Workaround:
Please see F5 Solution SOL16909.

Fix:
BIND was upgraded, which addresses this vulnerability. F5 is less vulnerable than the industry rating due to system design.


534490 : Fixed TMM crash when IRULE configuration is modified.

Component: Policy Enforcement Manager

Symptoms:
IRULE configuration modification may result in TMM crash.

Conditions:
When IRULE configuration is modified.

Impact:
TMM may crash.

Workaround:
N/A

Fix:
Fixed TMM crash when IRULE configuration is modified.


534323-1 : Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.

Component: Policy Enforcement Manager

Symptoms:
The session is deleted and re-created when a new IP address is added alongside the original IP address in the session.

Conditions:
It happens when a new IP address is added alongside the existing IP address for an existing session.

Impact:
The session is replaced when a new IP address is added alongside the existing IP address.

Workaround:

Fix:
The session is now replaced rather than re-created when a new IP address is added alongside the existing IP address.


534251-1 : Live update with moving config breaks password-less ssh access

Component: TMOS

Symptoms:
The authorized_keys file is changed to a link to /var/ssh/admin/authorized_keys, but the file in /var/ssh/... is not created.

Conditions:
Use a clean tmos-bugs-staging based VM. Do a live install. Change the boot location via the GUI with 'Install Configuration' = 'Yes'.

Impact:
Breaks password-less SSH access.

Workaround:
If you save and load sys ucs before the live install, the file is created in /var/.. and successfully moved to the new volume.


534018-1 : Memory leak while running some of PEM::session and PEM::subscriber commands.

Component: Policy Enforcement Manager

Symptoms:
When running an iRule that has PEM::session info commands, it was observed that the memory consumption of the PEM module kept going up until the system eventually ran out of memory.

Conditions:
Create an iRule that has PEM::session info commands that run asynchronously and attach it to one of the virtual servers in use.

Impact:
System runs out of memory.

Workaround:

Fix:
The memory leak while executing the commands PEM::session info, PEM::subscriber info, PEM::session config policy, and PEM::subscriber config policy has been fixed. The leak only occurs when these commands run asynchronously.


533929 : PEM::subscriber info irule command can cause tmm core

Component: Policy Enforcement Manager

Symptoms:
Running an iRule script that contains the PEM::subscriber info command can result in a tmm core. If the command runs synchronously, the core is not observed.

Conditions:
The core occurs only if the PEM::subscriber info command runs asynchronously.

Impact:
tmm always cores when this iRule command is executed.

Workaround:

Fix:
PEM::subscriber info commands no longer cause tmm to core.


533808-1 : Unable to create new rule for virtual server if order is set to "before"/"after"

Component: Advanced Firewall Manager

Symptoms:
Not able to create a new rule for virtual server when the order is set to "before"/"after".

Conditions:
Happens only when the order is set to "before"/"after".

Impact:
Unable to create a new rule from the virtual server page.

Workaround:


533734-1 : DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION

Component: Policy Enforcement Manager

Symptoms:
Packet traces show that DHCPv6 packets arriving via an IPv6/IPv4 tunnel are forwarded to the VIP, but the packets are not forwarded to the backend server on VIPRION.

Conditions:
DHCPv6 packets arriving via an IPv6/IPv4 tunnel interface on a multi-blade VIPRION system.

Impact:
The DHCP packet is not forwarded to the backend server.

Workaround:
Use a single-blade system.

Fix:
The fix processes DHCP packets on the local blade when they arrive from a tunnel interface, instead of dropping them.


533723-4 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.

Component: Access Policy Manager

Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.

Conditions:
The web application dynamically creates HTML content on the client side that contains the textarea tag.

Impact:
Web application malfunction is possible.

Workaround:
There is no workaround at this time.

Fix:
Content rewriting is suppressed on the client side for the textarea tag.


533566-1 : Support for View HTML5 client v3.5 shipped with VCS 6.2

Component: Access Policy Manager

Symptoms:
The upcoming release of VMware Horizon View Connection Server 6.2 introduces a few changes to the View HTML5 client. This fix catches up with those changes to provide seamless support at APM side.

Conditions:
BIG-IP APM configured as PCoIP proxy and set up against VMware VCS 6.2 with HTML5 client installed.

Impact:
Launching View HTML5 client from APM webtop may not work properly.

Workaround:

Fix:
Support for the View HTML5 client v3.5 shipped with VCS 6.2 has been added.


533562-1 : Memory leak in CGNAT can result in crash

Component: Carrier-Grade NAT

Symptoms:
tmm leaks "cmp" memory, resulting in crash. "tmctl memory_usage_stat" will show very high "cmp" memory utilization.

Conditions:
Configure "hairpin mode" or "inbound connection handling" set to "automatic".

Impact:
BIG-IP will run out of memory and crash.

Workaround:
Avoid "hairpin mode" or "inbound connection handling" set to "automatic".

Fix:
Memory leak has been fixed.


533513-1 : Data plane Listener summary does not show LSN translation correctly

Component: Policy Enforcement Manager

Symptoms:
When configuring a new data plane virtual server group, and CGNAT is licensed, you have the ability to select an address translation value of LSN, and then select an LSN pool. This is accepted and configured correctly, but when viewing the data plane group after this point, the address translation type shows as "{{renderSnatValue(listenerVs}}" when it should show as "LSN".

Conditions:
Create a CGNAT LSN pool. Create a new PEM data plane listener, set the address translation to LSN, select the pool, save, then view the resulting group summary.

Impact:
Data plane Listener summary does not show LSN translation correctly.

Workaround:
none

Fix:
Correct the UI so that it handles the LSN address translation type correctly.


533458-4 : Generate core file on HSB lockup

Component: TMOS

Symptoms:
When an HSB lockup occurs, limited data is available for root cause analysis.

Conditions:
An HSB lockup.

Impact:
Generate core file on an HSB lockup.

Workaround:
none


533388-1 : tmm crash with assert "resume on different script"

Component: Local Traffic Manager

Symptoms:
In a rare race condition involving stalled server-side TCP connections on which a RST is received, and an asynchronously executing client-side iRule for the event CLIENT_CLOSED, tmm can crash with the assert "resume on different script".

Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.

Impact:
tmm crashes and restarts. Traffic stops flowing while tmm is restarting.

Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g. those that use 'after' or 'table' or 'session' commands - this is not an exhaustive list).

Fix:
tmm no longer crashes with the assert "resume on different script".


533336-2 : Display 'description' for port list members

Component: Advanced Firewall Manager

Symptoms:
Descriptions for a port list's members are not displayed in the GUI.

Conditions:
Create a port list with 'description' set for its members (using tmsh). When the port list page is accessed from the GUI, the description set for the members (in tmsh) is not displayed.

Impact:
Users will not be able to see the description.

Workaround:
Use tmsh to view the description for port list members.

Fix:
Descriptions for port list members are now displayed in the GUI.


533307 : Increasing memory usage due to continual creation of authentication tokens

Component: Centralized Management

Symptoms:
The AuthTokenWorker creates new indexed state objects. Some are unable to be deleted because they are shared between instances. Generations of tokens build up, however the generational scavenger only runs when disk space is tight. Restjavad can run out of memory before the scavenger ever gets to run.

Conditions:
Tokens shared between instances.

Impact:
Generations of tokens build up.

Workaround:
N/A

Fix:
Add another trigger to the generational scavenger such that it also triggers when memory is tight as well as when disk space is tight.


533257-2 : tmsh config file merge may fail when AFM security log profile is present in merged file

Component: TMOS

Symptoms:
A config file merge into an existing config may fail with an "unknown-property" message.

Conditions:
The customers who have default configuration parameters may be affected.

Impact:
All releases and modules are affected.

Workaround:
The offending parameter may be deleted from the merge file, however this may result in the value for the deleted parameter not set correctly in the existing config.

Fix:
Fixed a problem with tmsh config file merge failing when an AFM security log profile is present in the merged file.


533203 : TMM may core on resuming iRule if the underlying flow has been deleted.

Component: Policy Enforcement Manager

Symptoms:
TMM may core.

Conditions:
A flow is deleted (RST from the other end is one way) while an iRule operating on that flow is parked. On resumption, the iRule accesses freed memory.

Impact:
Datapath resets.

Workaround:
Do not use iRules that may cause parking.

Fix:
Don't forward any messages if the connflow is aborted while the iRule is parked. Also set the PEM pcb to NULL after it is freed.


532761 : APM fails to handle compressed ICA file in integration mode

Component: Access Policy Manager

Symptoms:
Citrix application or desktop cannot be started in integration mode with Citrix StoreFront 3.0.

Conditions:
APM is configured for StoreFront 3.0 proxy and HTTP compression is enabled on the StoreFront server.

Impact:
Citrix application or desktop cannot be started.

Workaround:

Fix:
Now APM supports Citrix StoreFront 3.0 in integration mode with HTTP compression enabled on the StoreFront server.


532522-3 : CVE-2015-1793

Component: Access Policy Manager

Symptoms:
Resolved vulnerabilities in OpenSSL (CVE-2015-1793).

Conditions:
CVE-2015-1793

Impact:
CVE-2015-1793

Workaround:

Fix:
The OpenSSL library in APM clients has been updated to resolve vulnerabilities in OpenSSL (CVE-2015-1793).


532340-1 : When FormBased SSO or SAML SSO are configured, tmm may restart at startup

Component: Access Policy Manager

Symptoms:
Under unlikely circumstances, tmm threads may run into a synchronization issue during startup initialization, causing a BIG-IP failover.

Conditions:
- SAML SSO or Form Based SSO are configured.
- TMM is in the process of starting (during reboot or for any other reason).

Impact:
BIG-IP fails over at start time. If tmm has successfully started, no further impact is observed.

Workaround:
Remove Form Based SSO, and SAML objects from configuration.

Fix:
A thread synchronization issue that caused tmm startup issues has been fixed.


532096-2 : Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used

Component: Access Policy Manager

Symptoms:
Machine Certificate Checker (client side) is not backward compatible with BIG-IP 11.4.1 and earlier when the MatchFQDN rule is used.

Conditions:
The Machine Certificate checker agent uses the MatchFQDN rule in an Access Policy of BIG-IP version 11.4.1 or earlier. A new BIG-IP Edge Client (version greater than 11.4.1) is used against the old BIG-IP.

Impact:
The Machine Certificate checker agent may fail. The policy goes the wrong way.

Workaround:

Fix:
Fixed the issue causing the Machine Certificate checker agent backward incompatibility.


532030-3 : ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI

Component: Application Security Manager

Symptoms:
When importing a policy that utilizes a custom signature set, ASM checks whether that signature set already exists on the system. If it does not exist, it creates a new set. When a set is created via REST, it does not correctly set an internal field that does get set when created via the GUI or XML import. This causes unexpected behavior and extra signatures being created when a REST client, such as BIG-IQ, attempts to coordinate changes across devices using import via XML and REST calls.

Conditions:
A custom filter-based signature set is created by the GUI and then attached to a security policy. The security policy is exported in XML format. On a different device, an identical signature set is created via REST. The security policy is then imported on that device.

Impact:
Extraneous signature sets are created, and false differences appear with regards to which signature sets are attached to which policies across multiple devices.

Workaround:
As a workaround, custom filter-based signature sets should be created only via REST or only via GUI across multiple devices.

Fix:
Custom filter-based signature sets created using REST or the Configuration utility now have the same internal settings and match for XML security policy export/import.


532022-1 : tmm can crash when the reply pkt to a service flow request is a DoS pkt

Component: Advanced Firewall Manager

Symptoms:
tmm can crash.

Conditions:
If a service flow (or any flow which does not have a listener) sends a request out and we get back a packet which needs to be counted towards a network DoS vector, it can cause the tmm to crash.

Impact:
tmm might crash.

Workaround:
Don't configure AFM DoS vectors.

Fix:
A crash bug in DoS protection has been fixed.


532002 : False-Positive Phishing alert in Safari on iPad

Component: Fraud Protection Services

Symptoms:
Very intermittent issue of false positive phishing alerts seen in the alerts dashboard, all coming from iPads.

Conditions:
An iPad accesses a page with Websafe phishing protection.

Impact:
False positive phishing alert.

Workaround:
None

Fix:
Obfuscator updated to work around a bug in Apple's Safari JavaScript engine.


531994-1 : Case-sensitivity on upgrade

Component: Fraud Protection Services

Symptoms:
The case-sensitive setting of the default profile is saved in bigip.conf.

Conditions:
The Save button was pressed in the GUI before upgrade.

Impact:
Upgrade failure.

Workaround:
Remove the case-sensitive setting from bigip.conf manually.

Fix:
We fixed a Save issue in the GUI that caused the upgrade failure of the default profile.


531910-1 : apmd, apd, localmgr random crash

Component: Access Policy Manager

Symptoms:
APMD, APD, and localmgr crash upon invalid mcpd request with certain DB variables.

Conditions:
This problem rarely happens: mcpd sends a null value for the conncrtl db variable.

Impact:
APMD, APD, and localmgr will crash.

Workaround:
There is no workaround.

Fix:
The problem was fixed by variable protection in related modules.


531883-2 : Windows 10 App Store VPN Client must be detected by BIG-IP APM

Component: Access Policy Manager

Symptoms:
The Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via the client type agent.

Conditions:
Windows 10 App Store VPN Client, BIG-IP APM, client type agent.

Impact:
The Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box.

Workaround:

Fix:
The Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box via the client type agent.


531761-1 : Web navigation flow may be reset when main page responds with non-HTML content

Component: Advanced Firewall Manager

Symptoms:
In some web applications, the navigation flow may break (connection reset) if a main URL (the login page, for example) responds with content that is not HTML, or if the response is dynamic and occasionally not HTML.

Conditions:
Proactive Bot Defense is enabled on a DoS profile that is attached to a virtual server, and one of the main URLs of the web application (login page, home page, etc.) occasionally responds with non-HTML content, blank content, or a redirect response with no body.

Impact:
Users may experience a connection reset while navigating through the website, usually after several minutes.

Workaround:

Fix:
Connection resets are no longer experienced on normal web navigation of a site that is protected by the Proactive Bot Defense mechanism when one of the main pages of the web application occasionally responds with non-HTML content.


531576-1 : tmm memory leak in traffic handling

Component: Local Traffic Manager

Symptoms:
In certain scenarios, TMM may suffer from a memory leak while handling certain types of TCP traffic.

Conditions:
Undisclosed conditions for packet processing.

Impact:
TMM will leak memory.

Workaround:

Fix:
TMM no longer leaks memory while processing certain types of TCP traffic.


531541-1 : Support Citrix Receiver 4.3 for Windows in PNAgent mode

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Windows 4.3 fails to authenticate in PNAgent mode in both integration and replacement configurations.

Conditions:
APM is configured for Citrix integration or replacement and Citrix Receiver for Windows 4.3 is used in PNAgent mode.

Impact:
Citrix Receiver for Windows 4.3 fails to authenticate.

Workaround:
Use Citrix Receiver for Windows 4.1 or 4.2. Launch applications from Web.

Fix:
Now APM supports Citrix Receiver 4.3 for Windows in PNAgent mode.


531539-1 : A brute force attack is not detected in NTLM under some conditions

Component: Application Security Manager

Symptoms:
An NTLM-configured login page. The username arrives in UTF-16 (as curl sends it) or in another encoding that can't be converted. The login fails.

Conditions:
The NTLM login is not recognized as a failed login.

Impact:
The brute force mitigation will not work in this case.

Workaround:

Fix:
We fixed an issue regarding login pages with the NTLM authentication type.


531529-1 : Support for StoreFront proxy

Component: Access Policy Manager

Symptoms:
Citrix Receivers fail to authenticate when APM is configured in integration mode against Citrix StoreFront 3.0 in ICA patching mode.

Conditions:
APM configured in integration mode.

Impact:
StoreFront responds with an "error-bad-request" error to the ExplicitForms request from APM.

Workaround:
N/A

Fix:
APM now supports Citrix StoreFront 3.0 in ICA patching proxy mode.


531526-2 : Missing entry in SQL table leads to misleading ASM reports

Component: Application Visibility and Reporting

Symptoms:
Some reports of ASM violations were generated with missing activity.

Conditions:
When there are many entities to report and some are aggregated, the aggregated activity was not reported.

Impact:
Misleading reports of ASM activity.

Workaround:
The workaround is to manually insert the missing entry into MySQL. The exact values that need to be inserted vary from one customer to another and require a MySQL dump to be created and inspected by the PD team in order to decide which values should be inserted. It is better for customers to upgrade to a fixed version rather than trying to work around it.

Fix:
Aggregated activity is now reported even when there are many entities to report and some are aggregated.


531483-2 : Copy profile might end up with error

Component: Access Policy Manager

Symptoms:
Copying a profile might end with an error that two items share the same agent.

Conditions:
Very rare: long policy names with similar name parts.

Impact:
Minor: the customer needs to choose a different name for the new policy.

Workaround:

Fix:
Issue resolved.


530963-4 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms

Component: Local Traffic Manager

Symptoms:
The BIG-IP does not verify every byte in the Finished message of a TLS handshake, but it does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card but the affected TLS connection is not accelerated by the Cavium SSL accelerator card. The following lists some examples of when a TLS connection is not accelerated by the Cavium card:
  * The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x)
* The BIG-IP platform does not contain a Cavium SSL accelerator card. The following lists the BIG-IP platforms that do not contain a Cavium SSL accelerator card:
  * BIG-IP 2000 platforms
  * BIG-IP 4000 platforms
  * BIG-IP Virtual Edition

Impact:
F5 believes the reported behavior does not have security implications at this time.

Workaround:


530867-1 : New Dyre Signature added to Generic Malware Detection

Component: Fraud Protection Services

Symptoms:
Some variants of Dyre were not detected.

Conditions:
Some variants of Dyre were not detected.

Impact:
Some variants of Dyre were not detected.

Workaround:
Receive updated bait signatures from F5 Websafe representative.

Fix:
New Dyre Signature added.


530865-2 : AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)

Component: Advanced Firewall Manager

Symptoms:
Due to a related change in AFM ACL handling, global and route domain rules were being logged (incorrectly) by the virtual server's AFM log profile (if it exists). This is incorrect, since the behavior has always been that Global and Route Domain AFM rule logging is controlled by the global-network log profile only.

Conditions:
Global or Route Domain AFM ACL rule matches and logging is enabled. Also, the matched virtual server has a logging profile attached to it.

Impact:
This causes a regression (and inadvertent change in behavior) for Global and Route Domain AFM rule logging.

Workaround:
None

Fix:
With the fix, global and route domain AFM rule logging is controlled by the global-network log profile (as has been the case since inception).


530829 : UDP traffic sent to the host may leak memory under certain conditions.

Component: Local Traffic Manager

Symptoms:
Possible memory leak with UDP traffic.

Conditions:
When UDP traffic is sent to the host.

Impact:
If the memory leak becomes large enough over time, there could be a reboot.

Workaround:
Block UDP traffic to the host.

Fix:
Memory no longer leaks when UDP traffic is sent to the host.


530800-1 : Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.

Component: Access Policy Manager

Symptoms:
OWA displays an error message when trying to send a new email. The POST request size is more than 300Kb and the POST data contains a large "SCRIPT id=F5_helperDataStringsId" tag. Due to this issue, the request data becomes large enough to be affected by Bug 502269 in SSOv2. Therefore, if SSOv2 is enabled in this Access Policy, the request content is corrupted and the OWA server responds with a '400 Bad Request' code instead of sending the email.

Conditions:

Impact:
Users can't send messages in some versions of OWA.

Workaround:

Fix:
Fixed an issue where extra data was added to some OWA2010 requests, making it impossible to send messages in a configuration with Form-based SSOv2.


530773 : per-request policy logs frequently in apm logs

Component: TMOS

Symptoms:
Many logs from the per-request policy execution framework are seen in the APM logs.

Conditions:
SWG is licensed and provisioned, and a response analytics agent is part of the per-request policy.

Impact:
Many logs in APM; the excessive logging might also impact performance.

Workaround:
Remove /Common/All-Images from the Response analytics agent in the per-request policy.

Fix:
Fixed the handling of excluded content in the response analytics agent, so these logs are no longer written frequently to the APM logs.


530697-2 : Windows Phone 10 platform detection

Component: Access Policy Manager

Symptoms:
The Windows Phone 10 platform is not currently detected.

Conditions:
Windows Phone 10 platform, BIG-IP APM system.

Impact:
The Windows Phone 10 platform is not detected correctly by BIG-IP.

Workaround:

Fix:
The Windows Phone 10 platform is now detected correctly.


530431 : FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts

Component: Local Traffic Manager

Symptoms:
After upgrading to HF5, the ephemeral FQDN node lists are no longer auto-populating.

Conditions:
Use the FQDN nodes feature with correctly configured DNS name servers.

Impact:
The FQDN nodes feature is unusable, and upgrades may need to be rolled back.

Workaround:
This issue has no workaround at this time.

Fix:
FQDN node lists now correctly auto-populate.


530356-2 : Some AVR tables that hold ASM statistics are not being backed up in upgrade process.

Component: Application Visibility and Reporting

Symptoms:
Some AVR tables that hold ASM statistics are not being backed up in the upgrade process when upgrading to a new version with ASM data present in AVR stat tables.

Conditions:
Upgrading to new version.

Impact:
Some ASM data is lost after upgrade.

Workaround:

Fix:
We now correctly back up AVR tables that hold ASM statistics that were previously not backed up when upgrading to a new version.


529640 : Improvements in building Cloud images

Component: TMOS

Symptoms:
Improvements in building Cloud images.

Conditions:
Building Cloud images.

Impact:
Internal.

Workaround:
N/A

Fix:
Improvements in building Cloud images.


529587 : Erroneous JS injections

Component: Fraud Protection Services

Symptoms:
JavaScript was injected into responses regardless of their Content-Type, which broke the functionality of some pages.

Conditions:
The response Content-Type is not text/html.

Impact:
Page functionality may be broken.

Workaround:

Fix:
The FPS plugin now injects JavaScript only into responses whose Content-Type header value starts with "text/html".
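
As an added example (not F5 code), the following Python models the Content-Type gate this fix describes and shows why the pre-fix behaviour broke non-HTML responses: a script tag appended to a JSON body makes that body unparseable. The header dictionaries, the injected marker and the sample responses are constructed for illustration.

```python
"""Content-Type gate for response-body JavaScript injection (ID 529587).

Added example, not F5 code. It models the fix described on this page: inject
the script only when the response's Content-Type identifies an HTML
document, and shows why the pre-fix behaviour (inject into every response)
broke pages that served JSON or binary content. The injected marker, the
header dictionaries and the sample responses are constructed.
"""
import json

# Stand-in for the FPS script tag; the real tag's contents are irrelevant here.
INJECTED_MARKER = b"<script>/* constructed probe */</script>"


def media_type(content_type):
    """Lowercase media type from a Content-Type value, parameters stripped.

    'text/html; charset=utf-8' -> 'text/html'; None for an absent/empty header.
    """
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def should_inject(headers):
    """Fixed behaviour: inject only when the media type is text/html.

    Header names are matched case-insensitively. The page says the value must
    start with text/html; comparing the parsed media type is the same test
    for well-formed values and also tolerates leading whitespace, uppercase
    and a trailing charset parameter.
    """
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    return media_type(ct) == "text/html"


def inject_before_fix(headers, body):
    """Pre-fix behaviour: the marker is appended regardless of Content-Type."""
    return body + INJECTED_MARKER


def inject_after_fix(headers, body):
    """Post-fix behaviour: the marker is appended only to HTML responses."""
    return body + INJECTED_MARKER if should_inject(headers) else body


# Constructed sample responses: name -> (headers, body).
SAMPLES = {
    "html": ({"Content-Type": "text/html; charset=utf-8"}, b"<html><body>ok</body></html>"),
    "html_upper": ({"CONTENT-TYPE": " TEXT/HTML"}, b"<html></html>"),
    "json": ({"Content-Type": "application/json"}, b'{"balance": 42}'),
    "png": ({"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n"),
    "no_header": ({}, b"raw"),
}


def injected(injector):
    """name -> whether injector put the marker into that sample's body."""
    return {n: INJECTED_MARKER in injector(h, b) for n, (h, b) in SAMPLES.items()}


def json_survives(injector):
    """Does the JSON sample still parse after the injector has run?"""
    headers, body = SAMPLES["json"]
    try:
        json.loads(injector(headers, body))
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False


if __name__ == "__main__":
    print("before fix:", injected(inject_before_fix), "json ok:", json_survives(inject_before_fix))
    print("after fix: ", injected(inject_after_fix), "json ok:", json_survives(inject_after_fix))
```

The same gate applies to any proxy-side content rewriting: decide on the parsed media type, not on the raw header string, and treat a missing Content-Type as "not HTML" rather than as a wildcard.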


529573 : CSS attribute name

Component: Fraud Protection Services

Symptoms:
The CSS attribute name configured in the profile was not passed to the JavaScript, which used the hard-coded default value instead.

Conditions:
Default value of CSS attribute name is changed in the profile.

Impact:
False positive CSS alerts.

Workaround:
Do not change default value of CSS attribute name.


529510-2 : Multiple session HA state changes may cause TMM to core

Component: TMOS

Symptoms:
The crash is caused by multiple session HA state changes in session_ha_peer_status within a very short period of time. On the active unit, when the peer comes back up, the session HA state changes to SESSION_HA_RESEND_NEEDED. This state change requires a call to session_ha_marker_reset to prevent the session sweeper from queueing the session HA marker when it is already in the session HA marker queue. Queueing the marker when it is already queued corrupts the queue, which is caught by the QUEUEDEBUG_TAILQ_INSERT_TAIL macro.

Conditions:
Multiple session HA state changes

Impact:
TMM cores.

Workaround:
N/A

Fix:
The session HA marker is now removed when the peer comes back up.


529509-5 : CVE-2015-4620 BIND vulnerability

Component: TMOS

Symptoms:
A flaw was found in the way BIND performed DNSSEC validation.

Conditions:
Red Hat Product Security has rated this update as having Important security impact. Due to F5 architecture and design, the impact is restricted: only GTM is affected, and only in a non-default configuration.

Impact:
An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure. (CVE-2015-4620)

Workaround:

Fix:
Upgrade to the latest version.


529414-1 : PEM: After Diameter Fatal-Grace time expiry, some subscriber sessions might be deleted soon after creation

Component: Policy Enforcement Manager

Symptoms:
Some subscriber sessions are deleted as soon as they are created, even though nothing triggered their deletion.

Conditions:
The Fatal-Grace time is set too low, and the PCRF connection goes down for a long period of time and then comes back up.

Impact:
Subscriber traffic is not policed, because the corresponding sessions are deleted as soon as they are created.

Workaround:
Disable the Fatal-Grace timer.

Fix:
Fatal-Grace time expiry no longer causes sessions to be deleted as soon as they are created.


529392-2 : Windows 10 and IE11 are not detected when a DIRECT rule in a proxy autoconfig script is used

Component: Access Policy Manager

Symptoms:
Windows 10 and Internet Explorer 11 are not detected when a DIRECT rule in a locally configured proxy autoconfig script is used to connect to the BIG-IP system.

Conditions:
A local proxy autoconfig script with a DIRECT rule for the BIG-IP virtual server, and Internet Explorer 11.

Impact:
Internet Explorer 11 is not detected properly.

Workaround:

Fix:
Internet Explorer 11 on Microsoft Windows 10 is now detected correctly when a local proxy autoconfig script is configured with a DIRECT rule for the BIG-IP system.


528881 : NAT names with spaces in them do not upgrade properly

Component: TMOS

Symptoms:
When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load.

Conditions:
The BIG-IP system must be configured with NATs that have spaces in their names.

Impact:
The configuration does not load on the upgraded system.

Workaround:
Remove spaces from NAT names before upgrading. Specifically: the initial character must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).


528787-1 : PEM: RAR for a session deleted via RADIUS/tmsh while the connection was down returns RAA with a success code

Component: Policy Enforcement Manager

Symptoms:
PEM responds with an RAA carrying the DIAMETER_SUCCESS result code even though the session has been deleted.

Conditions:
A session delete is initiated through tmsh or RADIUS while the Diameter connection is down, so the delete does not complete; when the connection comes back up, an RAR with an empty policy is sent immediately.

Impact:
The PCRF might be misled into believing the session still exists.

Workaround:
Ensure the PCRF sends the RAR with at least one policy; PEM then responds with an RAA carrying the UNABLE_TO_COMPLY result code.

Fix:
PEM now sends an RAA with the UNABLE_TO_COMPLY result code if the session is marked for deletion.


528768-1 : Validation of the "_" character relaxed for the Active Directory server FQDN used in NTLM authentication

Component: Access Policy Manager

Symptoms:
The BIG-IP system applies standard fully qualified domain name (FQDN) validation to the Active Directory server FQDN. However, Microsoft also allows non-standard FQDNs (https://technet.microsoft.com/en-us/library/cc959336.aspx): at the Non RFC strictness level, Active Directory allows the "_" character anywhere in the DNS name. An AD server whose DNS name contains "_" cannot be used for the domain join operation that creates the machine account, or as the authentication AD server for NTLM authentication. The Multibyte and Any Character strictness levels can predictably cause problems for the internal code and are not supported.

Conditions:
AD server DNS name contains "_".

Impact:
The AD server cannot be used for domain join (machine account creation) or as the target authentication server for NTLM authentication.

Workaround:
To work around the problem, you can rename the Active Directory server.

Fix:
Now an Active Directory server DNS name that contains an underscore (_) can be used for a machine account and NTLM authentication.
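
Both naming rules on this page, the NAT object name rule from ID 528881 and the Active Directory server FQDN rule described here, as a single pre-upgrade check. This is an added example and not F5 code: the NAT rule is taken from the 528881 workaround text, the RFC 1123 hostname label rule is used as the strict baseline, and the Non RFC level is modelled as "underscore allowed anywhere in a label" per the description above. The sample names are constructed and there is no BIG-IP API behind these functions.

```python
"""Pre-upgrade name checks for two rules described on this page.

Added example, not F5 code. (1) NAT object names per ID 528881; (2) Active
Directory server FQDNs per ID 528768-1, where RFC 1123 labels are the strict
baseline and Microsoft's "Non RFC" strictness additionally permits "_".
Sample inputs are constructed; function names are this example's own.
"""
import re

# ID 528881: first character a letter, "_" or "/"; then letters, digits,
# ".", "-", "_" or "/". Spaces are never allowed.
NAT_NAME_RE = re.compile(r"^[A-Za-z_/][A-Za-z0-9._/-]*$")

# RFC 1123 label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 octets.
RFC_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# "Non RFC" strictness (assumption from the page's description): "_" may
# appear anywhere in a label. Multibyte / Any Character are not modelled,
# since the page states BIG-IP does not support them.
NONRFC_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


def nat_name_ok(name):
    """True if the NAT name loads on the upgraded system."""
    return bool(NAT_NAME_RE.match(name))


def suggest_nat_name(name):
    """Propose a compliant rename: runs of whitespace become "_", other
    disallowed characters are dropped, and a disallowed first character
    (for example a digit) is prefixed with "_"."""
    candidate = re.sub(r"\s+", "_", name.strip())
    candidate = re.sub(r"[^A-Za-z0-9._/-]", "", candidate)
    if not candidate or not re.match(r"[A-Za-z_/]", candidate[0]):
        candidate = "_" + candidate
    return candidate


def audit_nat_names(names):
    """[(name, suggestion)] for every NAT name that would fail to load after
    upgrade; rename these in the running configuration before upgrading."""
    return [(n, suggest_nat_name(n)) for n in names if not nat_name_ok(n)]


def ad_fqdn_ok(fqdn, strictness="rfc"):
    """Validate an AD server FQDN at 'rfc' or 'nonrfc' strictness."""
    if strictness not in ("rfc", "nonrfc"):
        raise ValueError("unsupported strictness level: %s" % strictness)
    name = fqdn.rstrip(".")
    if not name or len(name) > 253:
        return False
    pattern = RFC_LABEL_RE if strictness == "rfc" else NONRFC_LABEL_RE
    return all(pattern.match(label) for label in name.split("."))


# Constructed sample inputs.
SAMPLE_NAT_NAMES = ["web nat 1", "/Common/nat_ok", "2ndnat", "nat-ok.v6"]
SAMPLE_AD_SERVERS = ["dc01.corp.example.com", "dc_01.corp.example.com", "-bad.example.com"]

if __name__ == "__main__":
    for name, fix in audit_nat_names(SAMPLE_NAT_NAMES):
        print("NAT %r will not load after upgrade; rename to %r" % (name, fix))
    for host in SAMPLE_AD_SERVERS:
        print("%-26s rfc=%-5s nonrfc=%s" % (host, ad_fqdn_ok(host), ad_fqdn_ok(host, "nonrfc")))
```

Feed audit_nat_names the NAT names from the running configuration before the upgrade; a name such as "dc_01.corp.example.com" passes only at the Non RFC level, which is exactly the case this fix makes usable.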


528727-1 : In some cases HTML body.onload event handler is not executed via portal access.

Component: Access Policy Manager

Symptoms:
Internet Explorer 7 (and any newer version in compatibility mode) ignores inline body.onload event handler if it is already assigned in previously executed script. This may prevent execution of user-defined body.onload event handler in some cases if the page is accessed using Portal Access.

Conditions:
The problem occurs under these conditions: Internet Explorer version 7, or a newer version in compatibility mode, and an HTML page with an inline body.onload event handler and <script> or <meta> tags before the <body> tag.

Impact:
Web application may work incorrectly.

Workaround:
The HTML page can be modified in an iRule to convert the inline body.onload event handler into an explicit JavaScript function assigned to the body.onload event using the attachEvent() call.

Fix:
Now HTML inline body.onload event handler is executed correctly in all cases if the page is accessed through Portal Access.


528726-3 : AD/LDAP cache size reduced

Component: Access Policy Manager

Symptoms:
When AD or LDAP Query module built a group cache, that cache contained an unnecessary attribute that was never used.

Conditions:
AD/LDAP Query module is configured with option that requires building of a local group cache.

Impact:
apd process size grows significantly after group cache is built. If several different caches are maintained at the same time, the process size can hit the 4 GB limit.

Workaround:

Fix:
Removed an unnecessary attribute from cache. As a result, the group cache size and APD process size have been reduced.


528715-1 : Rare TMM crash when an iRule on an IPOther virtual server parks

Component: Policy Enforcement Manager

Symptoms:
TMM may crash under a rare condition for traffic that goes through an IPOther virtual server with an iRule that parks the data flow. This happens only if a flow through the IPOther virtual server is aborted while an iRule is parked on that flow. When the iRule resumes, the IPOther virtual server forwards the original packet, and TMM may crash when PEM uses data belonging to the flow that has already been freed.

Conditions:
With PEM licensed and enabled, an iRule containing a command that parks (for example, the table command) is associated with the IPOther virtual server, and a data flow through the PEM IPOther virtual server is aborted.

Impact:
Service interruption due to a TMM restart.

Workaround:
A possible workaround is to avoid iRule commands that park in iRules attached to an IPOther virtual server. For example, some information can be retrieved with the PEM::session command instead of the table command. If a parking command must be used, this fix is required along with the fix for bug 484278.

Fix:
The crash has been fixed and should no longer be observed.


528675-2 : BIG-IP Edge Client can remain indefinitely in the "disconnecting..." state when the captive portal session has expired

Component: Access Policy Manager

Symptoms:
The Edge Client can get stuck in the "disconnecting..." state if it connected through a captive portal and the captive portal session has expired. This happens when the BIG-IP Edge Client keeps the HTTP connection to the captive portal probe URL alive.

Conditions:
BIG-IP Edge Client for Windows connecting to BIG-IP APM on a network with an active captive portal, and the captive portal session expires before the user terminates the active Network Access connection.

Impact:
When this condition occurs, BIG-IP Edge Client for Windows cannot connect to the BIG-IP APM server until it is restarted.

Workaround:
User can exit and restart BIG-IP EDGE client.

Fix:
The captive portal detection request now closes the HTTP connection properly.


528499 : AFM address lists are not sorted while trying to create a new rule.

Component: Advanced Firewall Manager

Symptoms:
AFM address lists are not sorted while trying to create a new rule.

Conditions:
Seen only in the rule creation page.

Impact:
AFM address lists are not sorted in the rule creation page.

Workaround:
None.

Fix:
AFM address lists are now sorted in the rule creation page.


528432-2 : Control plane CPU usage reported too high

Component: Local Traffic Manager

Symptoms:
The system CPU usage is reported as the higher of the data plane average and the control plane average. In certain cases, the control plane average was calculated at about double its actual value.

Conditions:
When the data plane CPU usage was lower than the control plane CPU usage. This can occur when there is little client traffic flowing through the BIG-IP but the control plane is busy, say installing software.

Impact:
The reported system CPU usage is overstated when data plane usage is low. Typically, because client traffic drives data plane CPU usage, control plane usage is lower than data plane usage at normal client loads, so the error is not visible.

Workaround:
This can safely be ignored at low data plane usage and will not be evident when data plane usage increases.

Fix:
The calculation of the control plane CPU usage no longer includes other CPUs.


528310 : Upgrade failure when CertKeyChain exists in non-Common partition

Component: TMOS

Symptoms:
A pre-11.6.0 configuration may fail to load on a BIG-IP system running version 11.6.0 or later.

Conditions:
The configuration contains an SSL profile with an explicit Certificate Key Chain in a non-Common partition.

Impact:
This issue leads to a configuration load failure.

Workaround:
This issue has no workaround at this time.

Fix:
The Certificate Key Chain now inherits its partition from the parent SSL profile on creation.


528247-1 : PEM: Requested Service Units empty when used units match granted service units

Component: Policy Enforcement Manager

Symptoms:
The Requested Service Units field in the Gy CCR-U message is empty for certain rating group requests in the MSCC AVP.

Conditions:
The Used Service Units exactly match the Granted Service Units (extremely rare).

Impact:
An empty RSU might cause the OCS to allocate an incorrect Granted Service Unit for the rating group.

Workaround:
The OCS can ignore a zero Requested Service Unit AVP, or use the Used Service Units AVP instead, since the RSU is empty.

Fix:
The RSU is no longer empty even when the Used Service Units match the Granted Service Units AVP.


528238-1 : Quota policy added multiple times leads to reset of subscriber flows

Component: Policy Enforcement Manager

Symptoms:
Subscriber flows are reset when the session is provisioned for Gy quota management.

Conditions:
If the same policy with a quota management action is added to the session multiple times through RAR (or CCA-U), then after 32 installs any flow for the session is reset.

Impact:
Reset flows mean subscribers have trouble using the service.

Workaround:
The PCRF should ensure that the same policy is not added to a session multiple times.

Fix:
Even if the same policy is added multiple times for the subscriber, flows are no longer reset.


527861 : When many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.

Component: Application Security Manager

Symptoms:
When around 500 entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.

Conditions:
When around 500 entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen.

Impact:
The Configuration utility becomes unresponsive.

Workaround:
None.

Fix:
The number of entities displayed on the "Illegal Meta Character in Value" manual traffic learning screen is now capped at a realistic limit, so the Configuration utility no longer becomes unresponsive.


527799-9 : OpenSSL library in APM clients updated to resolve multiple vulnerabilities

Component: Access Policy Manager

Symptoms:
Multiple vulnerabilities in OpenSSL library: CVE-2015-4000, CVE-2015-1792, CVE-2015-1791, CVE-2015-1790, CVE-2015-1789, CVE-2015-1788, CVE-2014-8176.

Conditions:
Windows, Linux, or Mac OS X Network Access connection to BIG-IP APM.

Impact:
The OpenSSL library in the APM clients is affected by CVE-2015-4000, CVE-2015-1792, CVE-2015-1791, CVE-2015-1790, CVE-2015-1789, CVE-2015-1788, and CVE-2014-8176.

Workaround:
n/a

Fix:
The OpenSSL library in the APM clients has been updated to resolve CVE-2015-4000, CVE-2015-1792, CVE-2015-1791, CVE-2015-1790, CVE-2015-1789, CVE-2015-1788, and CVE-2014-8176.


527725-1 : BIG-IP crash caused by the PSC::ip_address iRule command is fixed

Component: Policy Enforcement Manager

Symptoms:
When the PSC::ip_address iRule command is used to get the IP list for DHCP-based subscriber discovery and RADIUS Authentication messages, BIG-IP crashes and restarts.

Conditions:
The PSC::ip_address iRule command is used to get the IP address list in DHCP-based subscriber discovery and RADIUS Authentication messages.

Impact:
TMM restarts.

Workaround:


527630-1 : CVE-2015-1788 : OpenSSL Vulnerability

Component: TMOS

Symptoms:
https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Conditions:
See F5 Solution for complete information. https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Impact:
A potential denial-of-service (DoS) by way of a session that uses an Elliptic Curve algorithm against a server that supports client authentication.

Workaround:


527537 : CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled

Component: TMOS

Symptoms:
CPU utilization with CGNAT is higher on 11.6 than on 11.5 under the same load.

Conditions:
CGNAT LSN pools with a high number of concurrent connections and persistence set to address-port and/or inbound connections enabled.

Impact:
Elevated CPU utilization reduces capacity.

Workaround:

Fix:
The session DB sweeper was changed to reduce the amount of work it does managing large bins.


527477-4 : Slot 2 is inactive after reboot

Component: Local Traffic Manager

Symptoms:
After a reboot, slot 2 is not listed as active in the management panel.

Conditions:
Reboot the chassis.

Impact:
Slot 2 is not active.

Workaround:
N/A

Fix:
Startup dependencies were reordered to resolve the issue.


527476 : Some FPS alerts logged without User GUID

Component: Fraud Protection Services

Symptoms:
FPS alerts were sometimes sent without session identifiers, resulting in them becoming anonymous, as no user name could be associated with them.

Conditions:
A malicious words alert is sent before the user logs in, and the alert details are not updated with the username after login.

Impact:
Malicious words alerts in alert dashboard may be shown without the username.

Workaround:
None

Fix:
The GUID is now sent on all JavaScript and plugin alerts.


527292-1 : BIG-IP crash caused by the PSC::user_name iRule command is fixed

Component: Policy Enforcement Manager

Symptoms:
When the PSC::user_name iRule command is used to get the user name for DHCP-based subscriber discovery and RADIUS Authentication messages, BIG-IP crashes and restarts, and the log shows garbage data.

Conditions:
The PSC::user_name iRule command is used to get the user name in DHCP-based subscriber discovery and RADIUS Authentication messages.

Impact:
TMM restarts.

Workaround:

Fix:
TMM no longer crashes when the PSC::user_name iRule command is used.


527289-1 : TMM crashes with core when PSC::ip_address iRule is used to list IPs

Component: Policy Enforcement Manager

Symptoms:
TMM crashes with a core when trying to read the PSC::ip_address list.

Conditions:
An iRule lists the IP addresses after setting them with the same iRule.

Impact:
TMM crashes.

Workaround:
N/A

Fix:
The crash caused by the PSC::ip_address and PSC::user_name iRule commands is fixed.


527145-4 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
Occasionally SOD core dumps on shutdown during memory cleanup.

Conditions:
System shutdown. Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
Minimal additional impact on services because a shutdown was already in process.

Workaround:
None.

Fix:
Daemon no longer cores on shutdown due to internal processing error.


527094-1 : iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.

Component: TMOS

Symptoms:
A GET on tm/ltm/data-group/internal/dg-name might return record entries such as: "records": [ { "name": "triple", "partition": "single", "subPath": "double", "data": "three" } ]. In reality, record identifiers are not pathed, so the 'partition' and 'subPath' properties are meaningless.

Conditions:
Performing a GET operation on an internal data group, for example: GET tm/ltm/data-group/internal/dg-name.

Impact:
Misinformation in the API output. This is a cosmetic issue only. Ignore the 'partition' and 'subPath' properties.

Workaround:
None.

Fix:
iControl REST: the records collection in tm/ltm/data-group/internal/ now shows the correct partition and subPath metadata.


527085 : User-agent in alerts

Component: Fraud Protection Services

Symptoms:
Alerts have no user agent information.

Conditions:

Impact:
Alerts carry no user-agent information, which makes debugging harder.

Workaround:

Fix:
User-agent header is now sent in alerts generated by FPS plugin.


527076-1 : TMM crashes with core when PSC::policy iRule is used to set more than 32 policies

Component: Policy Enforcement Manager

Symptoms:
An iRule is used to set 32 or more policies.

Conditions:
An iRule containing 32 or more policies.

Impact:
TMM crashes with core

Workaround:
N/A

Fix:
Check added to validate number of policies contained in iRule.


527075 : Update domain availability default settings

Component: Fraud Protection Services

Symptoms:
The default settings of the Domain Availability feature were not the latest from the research team. This sometimes resulted in an ERR_INSECURE_RESPONSE error in the browser's debugging console.

Conditions:
The default Domain Availability settings are in use.

Impact:
Some varieties of Citadel were not detected.

Workaround:
Obtain updated settings from an F5 WebSafe representative.

Fix:
New defaults were imported.


527021-1 : BIG-IQ iApp statistics corrected for empty pool use cases

Component: TMOS

Symptoms:
BIG-IQ statistics gathering fails for HTTP iApps. The statistics are collected periodically by an iCall script, and a bug in the script causes a failure when the pool member count is 0.

Conditions:
The virtual has an empty pool (a common use case in SDN).

Impact:
Causes out-of-memory errors in scriptd.

Workaround:

Fix:
BIG-IP iApps now correctly provide statistics to BIG-IQ in empty-pool use cases.


527016-1 : CLASSIFICATION_DETECTED iRule event results in TMM core

Component: Policy Enforcement Manager

Symptoms:
An iRule that uses the CLASSIFICATION_DETECTED event may cause a TMM core.

Conditions:
An LTM iRule is configured with the CLASSIFICATION_DETECTED event, and the body of the script contains at least one iRule command that runs asynchronously.

Impact:
With an iRule configured as described above, a TMM core is always observed.

Workaround:

Fix:
Using the CLASSIFICATION_DETECTED iRule event no longer causes TMM to core.


526856-1 : "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency

Component: Application Security Manager

Symptoms:
"Use of uninitialized value" appears as a warning rarely upon UCS installation due to ASM signature inconsistency.

Conditions:
UCS file is installed with internal ASM signature inconsistency.

Impact:
"Use of uninitialized value" warning appears in output.

Workaround:

Fix:
"Use of uninitialized value" warning no longer appears upon UCS install.


526786-1 : Session lookup fails

Component: Policy Enforcement Manager

Symptoms:
1. An existing session S1 is created with IP1 and IP2.
2. The session is replaced by S2 with the same IP1 and IP2; delete is called for S1.
3. IP1 is the master, so IP2 is forwarded to the remote TMM to set the mapping.
4. The remote TMM looks up the existing mapping for IP2, finds session S2, and tries to look up session S2.
5. Before the lookup completes, S2 is deleted.
6. The callback for the S2 lookup therefore fails.

Conditions:
Remote TMM will lookup for existing mapping for IP2, find session S2. Tries to lookup for Session S2.

Impact:
The session lookup callback fails.

Workaround:
N/A

Fix:
The IP mapping is now set correctly when the session being replaced is deleted.


526774 : Search in FW policy disconnects GUI users

Component: Advanced Firewall Manager

Symptoms:
GUI disconnects due to a timeout when doing search on the active rules page with a large number of context objects.

Conditions:
A wildcard search on the Active Rules page with a large number of context objects.

Impact:
The Configuration utility becomes unusable.

Workaround:
None.

Fix:
The query to search for matches was optimized to omit context objects that did not have any rules.


526754-2 : F5unistaller.exe crashes during uninstall

Component: Access Policy Manager

Symptoms:
f5unistaller.exe crashes; the crash dump points to a double free in the SGetRegistryAsString function.

Conditions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\DisplayName contains 0 length data

Impact:
f5unistaller crashes

Workaround:
The crash dump identifies which uninstall key (the * in the path above) has the zero-length DisplayName; once data is placed in that DisplayName value, the defect is no longer triggered.


526677-1 : VMware Horizon HTML5 View client cannot connect when using View Connection Server version 6.1.1

Component: Access Policy Manager

Symptoms:
When an APM & Horizon v6.1.1 deployment is configured to use an APM Full Webtop, the HTML5 client will not correctly launch. A new tab will open and the user will see a HTTP 405 error on that page.

Conditions:
View Connection Server backend is running version 6.1.1.

Impact:
HTML5 Client access will stop working.

Workaround:

Fix:
Starting with the 6.1.1 release of View Connection Server, the communication protocol used by the View HTML5 client has changed. This change broke BIG-IP APM's HTML5 View client implementation, so APM users could not use this client to access their View Desktop. This fix implements the new View communication protocol to support launching the View HTML5 client from an APM Full Webtop.


526617-1 : TMM crash when logging a matched ACL entry with IP protocol set to 255

Component: Access Policy Manager

Symptoms:
When TMM finds a matching ACL entry while enforcing the ACL, and that ACL entry is configured to produce a log entry as well, and the IP protocol for that packet is 255, then TMM crashes.

Conditions:
Logging is enabled for the ACL entry, and the packet's IP protocol is 255.

Impact:
TMM crash

Workaround:
Disable ACL logging

Fix:
TMM no longer crashes when logging a matching ACL entry for IP datagram with protocol set to 255.


526578-1 : Network Access client proxy settings are not applied on German Windows

Component: Access Policy Manager

Symptoms:
Network Access client proxy settings are not applied on German Windows with Internet Explorer 10 under obscure conditions. If APM address is not in the Trusted Sites List, then this issue has good reproducibility. Windows shows empty fields in proxy settings UI of Internet Explorer.

Conditions:
Client machine has Windows with German localization. Client machine has Internet Explorer 10. APM is not in trusted sites list or other obscure conditions.

Impact:
Network Access works in unexpected way: client ignores proxy settings.

Workaround:
Run Internet Explorer as administrator, or update to Internet Explorer 11.

Fix:
Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer.


526514-1 : Open redirect via SSO_ORIG_URI parameter in multi-domain SSO

Component: Access Policy Manager

Symptoms:
The URL used to redirect the user from the primary authentication service to the slave host in multi-domain SSO is base64-encoded in the SSO_ORIG_URI parameter.

Conditions:
A GET request containing SSO_ORIG_URI and TOKEN can be intercepted.

Impact:
The token can be intercepted and combined with an attacker-chosen SSO_ORIG_URI, producing a URL that BIG-IP accepts and redirects to.

Workaround:
N/A

Fix:
The host in SSO_ORIG_URI is now validated in the multi-domain SSO use case, preventing redirects to arbitrary hosts.
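
The host check this fix describes, as an added example (not F5 code). SSO_ORIG_URI being the base64-encoded return URL is taken from the text above; the allowlist of SSO domains, the helper names, the rejection rules beyond "host must be allowed" (scheme, userinfo and backslash in the authority) and the sample inputs are this example's own assumptions, and how APM itself parses the parameter is not documented here.

```python
"""Host validation for a base64-encoded return URL such as SSO_ORIG_URI.

Added example, not F5 code. ID 526514-1 describes the multi-domain SSO
redirect carrying a base64-encoded URL and the fix as validating that URL's
host. This shows the check that closes the open redirect. The allowlist,
helper names and sample inputs are constructed.
"""
import base64
import binascii
from urllib.parse import urlsplit

# Constructed allowlist: the domains that participate in the multi-domain
# SSO configuration. Subdomains of each entry are accepted.
SSO_DOMAINS = ("app1.example.com", "app2.example.net")


def decode_orig_uri(value):
    """Decode the parameter; reject anything that is not valid base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def host_allowed(host, allowed=SSO_DOMAINS):
    """Exact match or subdomain of an allowlisted SSO domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def validate_orig_uri(value, allowed=SSO_DOMAINS):
    """Return the decoded URL if it is a safe redirect target, else None.

    Rejected: undecodable input; non-http(s) schemes (javascript:, and
    scheme-relative //host, whose scheme is empty); userinfo in the
    authority (https://app1.example.com@evil.example); a backslash in the
    authority, which some browsers treat as a path separator; and any host
    outside the allowlist, including lookalikes such as
    app1.example.com.evil.example.
    """
    url = decode_orig_uri(value)
    if url is None:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if "@" in parts.netloc or "\\" in parts.netloc:
        return None
    if not parts.hostname or not host_allowed(parts.hostname, allowed):
        return None
    return url


def b64(s):
    """Encode a URL the way a client would place it in the parameter."""
    return base64.b64encode(s.encode()).decode()


# Constructed inputs: one legitimate return URL and several attacker-chosen
# ones of the kind the page says BIG-IP previously accepted.
SAMPLES = {
    "legit": b64("https://app1.example.com/portal/home?x=1"),
    "other_host": b64("https://evil.example/phish"),
    "userinfo": b64("https://app1.example.com@evil.example/"),
    "lookalike": b64("https://app1.example.com.evil.example/"),
    "backslash": b64("https://app1.example.com\\@evil.example/"),
    "scheme_rel": b64("//evil.example/"),
    "javascript": b64("javascript:alert(1)"),
    "garbage": "not base64!!",
}


def check_samples():
    """name -> True if the sample would be accepted as a redirect target."""
    return {name: validate_orig_uri(v) is not None for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:11s} -> {'redirect' if ok else 'reject'}")
```

Validating the host is what the fix adds; the TOKEN remains a bearer credential, so the redirect should still be served only over TLS and the token should be short-lived and single-use.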


526492-2 : DNS resolution fails for Static and Optimized Tunnels on Windows 10

Component: Access Policy Manager

Symptoms:
When Static and Optimized Tunnels are used on Windows 10 desktop, accessing a backend server by hostname will fail.

Conditions:
Windows 10 desktop with Static or Optimized Tunnels in use.

Impact:
No access to backend servers using hostnames.

Workaround:
none

Fix:
DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.


526419-1 : Deleting an iApp service may fail

Component: TMOS

Symptoms:
Deleting an iApp service may fail with an error message like this: 01070712:3: Can't load node: 839 type: 4

Conditions:
Unknown.

Impact:
You can't delete an iApp.

Workaround:
Save the configuration. Edit the relevant configuration file to remove the iApp service. Reload the configuration.

Fix:
Deleting an iApp service no longer fails with an error message such as: 01070712:3: Can't load node: 839 type: 4


526368-1 : The number of IPv4 addresses per Gx session exceeds the limit of 1

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when it detects the number of IPv4 addresses per Gx session exceeds the limit of 1.

Conditions:
Number of IPv4 addresses per Gx session exceeds the limit of 1

Impact:
TMM crash

Workaround:
N/A

Fix:
The session is now reprovisioned only if the PPE session ID is set.


526295-3 : BIG-IP crashes in debug mode when a PEM iRule creates a session with calling-station-id and called-station-id

Component: Policy Enforcement Manager

Symptoms:
When a PEM iRule is used to create a session with calling-station-id and called-station-id, BIG-IP crashes in debug mode.

Conditions:
PEM is provisioned, the BIG-IP system is running in debug mode, and a PEM iRule is used to create a session with calling-station-id and called-station-id.

Impact:
The BIG-IP system crashes.

Workaround:
Create the PEM session with an iRule that does not set calling-station-id and called-station-id, then add the two attributes separately using the PEM info iRule command.

Fix:
The affected iRule now works as expected and no longer causes a crash.


526277-1 : AFM attack may never end on the AVR DoS Overview page on a chassis-based BIG-IP

Component: Advanced Firewall Manager

Symptoms:
In a BIGIP chassis, it is possible that the AFM "attack started" event and "attack stopped" event happen on two different slots of the chassis. In that case avrd is not able to detect and report "attack stopped" event and the user would continue to see "attack ongoing" in the DoS Overview Page.

Conditions:
This will only happen in a BIGIP chassis based system with multiple slots, and if the AFM DoS "attack started" and "attack stopped" events are given to different slots.

Impact:
The AFM DoS Overview page continues to show the attack as ongoing after it has actually stopped, which is misleading.

Workaround:
No workaround

Fix:
The AFM DoS Overview page now correctly reports when an attack has stopped.


526275-1 : VMware View RSA/RADIUS two factor authentication fails

Component: Access Policy Manager

Symptoms:
VMware View client fails to authenticate with APM configured for RSA/RADIUS two factor authentication.

Conditions:
APM is configured for VMWare View proxy with RSA or RADIUS two factor authentication and VMware View client is used.

Impact:
User sees a confusing error message.

Workaround:
Click "OK" on an error message "The username or password is not correct. Please try again.". Enter valid AD credentials and login again.

Fix:
Now APM correctly handles VMware View RSA/RADIUS two factor authentication.


526124 : Parameter matching inconsistency

Component: Fraud Protection Services

Symptoms:
Sometimes valid parameters in a request are not matched to the configured protected parameters. This may work correctly in one browser while failing in another.

Conditions:
The request is larger than one xfrag and a parameter name is split across two xfrags.

Impact:
Configured parameter won't be matched.

Workaround:
Remove unimportant cookies or add dummy cookies to shift the parameter name within the request. This may resolve the issue; the adjustment needed differs between browsers.


526084-3 : Windows 10 platform detection for BIG-IP EDGE Client

Component: Access Policy Manager

Symptoms:
The session.client.platform variable contains "Win8.1" for BIG-IP Edge Client on Windows 10.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM now reports the correct session.client.platform session variable for BIG-IP Edge Client on Windows 10.


525860-2 : PEM: Duplicate sessions formed with same IP

Component: Policy Enforcement Manager

Symptoms:
pem_sessiondump --list shows two sessions for a single IP address.

Conditions:
Create a static subscriber configuration without the IP address and send a RADIUS Start to create a session with two IP addresses. Delete the master IP (the first one) and send a RADIUS Start with the same IP.

Impact:
Duplicate sessions creates confusion as to which session is the active one used for an IP.

Workaround:
Ensure a RADIUS Stop is received for both IP addresses before sending a new RADIUS Start.

Fix:
Duplicate sessions are no longer created for the same IP address.


525708-1 : AVR reports of last year are missing the last month data

Component: Application Visibility and Reporting

Symptoms:
Reports are missing the latest data collected for them. Each report type is missing a different portion of the data, relative to the report's time range. This is most noticeable in long-term reports: for example, a 'last-year' report might omit the last month of data, and a 'last-month' report might omit the last week.

Conditions:
Any report over a long history time range.

Impact:
The presented data can be confusing and misleading.

Workaround:

Fix:
A new data aggregation mechanism was added, so that all reports include all activity up to the last hour. There is an option to aggregate as often as every 5 minutes, although that might cause excessive CPU and disk load every 5 minutes. There is also an option to turn off the new aggregation mechanism, for customers who do not need accurate long-history reports and for whom the hourly aggregation task is too heavy for their machine.


525633-1 : Configurable behavior if PCRF returns unknown session ID in middle of session.

Component: Policy Enforcement Manager

Symptoms:
Currently, if PEM sends a CCR-U and the PCRF responds with a CCA-U indicating that the PCRF has lost the session, PEM ignores the response and keeps sending CCR-U. A lost PCRF session implies a reboot or failover, after which the PCRF responds to session update requests with an unknown session ID.

Conditions:
PCRF lost session (reboot/failover) and responds to session update requests with unknown session id.

Impact:
The session remains present for a long period of time without the PCRF acknowledging it.

Workaround:
It is desirable to delete the session on the PEM end (configurable) and also to recreate the same session (configurable) so that the PCRF can rebuild its context. Set the sys db variable tmm.pem.diameter.application.trigger.delete.onPeer.failure to TRUE if PEM should delete the session when the PCRF reports the session ID as unknown. Set tmm.pem.session.ppe.recreate.afterPeerFailure to true if PEM should recreate the session.


525595 : Fix memory leak of inbound sockets in restjavad

Component: Centralized Management

Symptoms:
restjavad runs out of memory because inactive sockets pile up in memory. The symptom is "Out of memory" messages in /var/log/restjavad.0.log, and any new REST calls fail. The URL that fails is random.

Conditions:
Occurs after a few hours

Impact:
restjavad becomes inoperative

Workaround:
restjavad must be restarted (bigstart restart restjavad), which could be put in a cron script.


525562-1 : Debug TMM Crashes During Initialization

Component: Access Policy Manager

Symptoms:
Debug version of TMM (tmm.debug) generates core file and fails to start up.

Conditions:
This issue happens when running the debug version of TMM on a multi-blade chassis/vCMP.

Impact:
The BIG-IP system cannot be functional without TMM being up and running.

Workaround:
Revert to the default version of TMM (tmm.default).

Fix:
Removed unnecessary debug assert statements from TMM.


525557 : FQDN ephemeral nodes not repopulated after deleted and re-created

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force deleted may not repopulate as expected.

Conditions:
A sync group with multiple FQDNs resolving to the same IP address.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:


525522 : Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains

Component: Advanced Firewall Manager

Symptoms:
A redirect loop may happen for some users, when the Proactive Bot Defense feature is enabled, and the deployment consists of multiple domains.

Conditions:
Proactive Bot Defense is enabled on a DOS profile that is assigned to a Virtual Server, and the deployment consists of multiple domains.

Impact:
Some users may occasionally be blocked from accessing certain URLs of a website due to a redirect loop. In most cases, a page refresh by the user loads the page properly.

Workaround:
Applying the following iRule works around the problem:

when HTTP_REQUEST {
    if { [HTTP::cookie exists "TSPD_101_R0"] } {
        if { [HTTP::cookie exists "TSPD_101"] } {
            HTTP::cookie remove "TSPD_101"
        }
    }
}

Fix:
Occasional redirect loops caused by the Proactive Bot Defense mechanism no longer occur when multiple domains are deployed.


525429-4 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
The OpenSSL library was modified to keep it compatible with an RFC 6347-compliant DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library has been modified to be compatible with RFC 6347. The current APM client is compatible with the old OpenSSL code, not the new OpenSSL code.

Impact:
The current APM client is not compatible with the new OpenSSL library.

Workaround:

Fix:
The OpenSSL library in the APM client was modified so that it is compatible with both the old and the new OpenSSL library.


525416-1 : List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed.

Component: Policy Enforcement Manager

Symptoms:
IPs show up in an order that is not expected.

Conditions:
Always occurs.

Impact:
No functional impact.

Workaround:
None

Fix:
Added code to display the IP addresses in the order they were added to the session.


525384-2 : Network Access PAC file can now be located on an SMB share

Component: Access Policy Manager

Symptoms:
Network Access web components or the Edge Client fail to download the PAC file if it is located on an SMB share, for example file:////pac.file.hoster.local/config.pac.

Conditions:
Network Access with Client Proxy Settings enabled, and the PAC file path set to a location on an SMB share.

Impact:
It is impossible to configure Network Access with a PAC file located on an SMB share.

Workaround:
Put the PAC file on an HTTP server and configure Network Access accordingly.

Fix:
Network Access components can now obtain the PAC file from an SMB share.


525283-1 : Add obfuscator tuning tools

Component: Fraud Protection Services

Symptoms:
It is difficult for F5 consultants to debug the WebSafe module.

Conditions:
When support for Websafe is requested by customers.

Impact:
It is difficult for F5 consultants to debug the WebSafe module.

Workaround:
None

Fix:
Tools have been added to help consultants fine-tune the FPS obfuscator for better performance.


525175-1 : Fix a crash issue when querying SSP with multi-ip.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when querying SSP with multi-IP configured.

Conditions:
SSP is queried with multi-IP configured.

Impact:
TMM crash

Workaround:
N/A

Fix:
Fixed the TMM crash when querying SSP with multi-IP configured.


524909-2 : Windows info agent could not be passed from Windows 10

Component: Access Policy Manager

Symptoms:
APM endpoint check action "Windows Info agent" was not able to detect Windows 10 clients.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM now supports the Windows Info action on Windows 10 clients.


524791-3 : non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0

Component: TMOS

Symptoms:
An interrupted poll() call in the non_blocking_receive and non_blocking_send functions in RemoteMcpConn.cpp is not properly handled.

Conditions:
Run a script processing async transactions in parallel with a script running basic REST calls.

Impact:
Either icrd_child will lock up or various calls will fail with 'operation canceled' response messages.

Workaround:
none


524780-1 : TMM crash when querying the session information

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when querying the session information using "tmsh show pem sessiondb subscriber-id "

Conditions:
Using tmsh show pem sessiondb subscriber-id to query session information

Impact:
TMM may crash

Workaround:
N/A

Fix:
Restored the display order of the multiple IPs based on the order in which they were added.


524756 : APM Log is filled with errors about failing to add/delete session entry

Component: Access Policy Manager

Symptoms:
APM log is filled with the following error when the issue occurs: May 21 16:34:16 bigip4013mgmt err tmm2[20158]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)

Conditions:
If a session times out before it completes policy evaluation, APM still attempts to delete its marker from the established session namespace, which results in an ERR_NOT_FOUND error.

Impact:
There is no functional impact. However, the APM log may become useless if the volume of these errors is large.

Workaround:

Fix:
Access Filter now skips session marker deletion if the timed-out session is not in established state.


524753-1 : IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip

Component: TMOS

Symptoms:
The IPsec tunnel interface presents the IPsec service via the regular network interface. Inherently, the self-IP address should allow external hosts to connect to the BIG-IP via TCP/UDP at this IP address. However, the connection is hairpinned back to the IPsec tunnel interface.

Conditions:
Create an IPsec tunnel interface and assign a self-IP with "allow-service all" so that the self-IP may accept external connections. At the other end of the IPsec tunnel, attempt a TCP connection using "telnet" and observe that the "telnet" command fails.

Impact:
The BIG-IP cannot provide certain services hosted on the BIG-IP host, such as BGP over TCP.

Workaround:
An iRule can be created to forward the external connection on the IPsec tunnel self-IP to the host IP 127.0.0.1. Example:

ltm virtual http_host {
    destination 10.99.0.11:80
    ip-forward
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        fastl4_stateless { }
    }
    rules {
        local_node
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}
ltm rule local_node {
    when CLIENT_ACCEPTED {
        node 127.0.0.1 80
    }
}

10.99.0.11 is the self-IP of the IPsec tunnel interface.

Fix:
The BIG-IP can now properly handle TCP/UDP connections to the BIG-IP over the IPsec interface using its tunnel self-IP.


524748-1 : PCCD optimization for IP address range

Component: Advanced Firewall Manager

Symptoms:
The PCCD blob size grows too large with a large-scale policy configuration, which causes slow compilation and serialization.

Conditions:
A large-scale policy configuration.

Impact:
Slow compilation/serialization and a large PCCD blob.

Workaround:
N/A

Fix:
With PCCD IP address range optimization, PCCD reduces its compilation/serialization time and blob size.


524666-3 : DNS licensed rate limits might be unintentionally activated.

Component: Local Traffic Manager

Symptoms:
DNS licensed rate limits might be unintentionally activated.

Conditions:
This might occur with a license in which DNS Services are unlimited, but BIG-IP DNS (formerly GTM) is limited.

Impact:
DNS licensed rate limits might be unintentionally activated. Rate counters will activate, even though rates are unlimited, which unnecessarily uses CPU cycles. Also, features that indirectly look at rate flags such as hardware DNS, might deactivate improperly even though rates are unlimited.

Workaround:
None.

Fix:
DNS licensed rate limits are now handled as expected.


524490-4 : Excessive output for tmsh show running-config

Component: TMOS

Symptoms:
The tmsh show running-config command displays many default configuration items. Although the output displays the user configuration items as expected, default configuration items are not expected to be included in the output.

Conditions:
tmsh show sys running-config.

Impact:
The presence of excessive default configuration items makes the tmsh show running-config output difficult to parse.

Workaround:
None.

Fix:
tmsh show sys running-config shows minimal default configuration.


524428-1 : Adding multiple signature sets concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signature sets concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signature sets are added concurrently using REST.

Impact:
Some signature set REST add actions will fail due to deadlock.

Workaround:
Wait until signature set add action has completed in REST before issuing the next add.

Fix:
Multiple signature sets can be added concurrently using REST.


524409-1 : Fix TMSH show and reset-stats commands for multi-ip sessions defect.

Component: Policy Enforcement Manager

Symptoms:
The TMSH show and reset-stats commands do not work properly for multi-IP sessions.

Conditions:
Sessions are multi-IP sessions with at least one IPv6 address.

Impact:
reset-stats does not clear individual IP stats.

Workaround:
N/A

Fix:
Fixed the TMSH pem sessiondb show and reset-stats commands with the all-properties option. The pem_session_mult_ip_data_stats struct did not include the IPv6 prefix length information.


524374-1 : TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule

Component: Policy Enforcement Manager

Symptoms:
TMM may crash under a race condition: PEM flow reporting with a format script that contains iRules accessing information from/to different TMMs is executed while another iRule that accesses different TMMs is already executing on top of the connection/flow, and the connection/flow is reset. The fix does not execute the format script if it sees that an iRule is already parked for that flow. As a result, no log message is sent in this case. In versions before the fix, the user may have seen a log with stale information, or duplicate logs. After the fix, no log is sent in the situation described above.

Conditions:
1. PEM flow reporting is enabled with a format script that contains iRules accessing information from/to different TMMs.
2. An iRule script that accesses information from/to a different TMM (that is, one that will be parked on the connection/flow) is being executed and is parked on the connection/flow.
3. The connection/flow is reset.
4. The PEM flow reporting format script from step 1 is executed.

Impact:
TMM may crash, which can introduce a service interruption.

Workaround:
A patch is needed for this TMM crash under the race condition, when PEM flow reporting with a format script is required along with iRules.

Fix:
The issue is fixed by making sure that PEM flow reporting with a format script is not executed if another iRule script is detected as already parked on the flow. Because this is a rare race condition, the PEM flow reporting format script is triggered again when the reporting condition (volume or time based) is next met and no concurrent iRule script is parked.


524326-4 : Can delete the last IP address on a GTM server but cannot load a config with a GTM server with no IPs

Component: TMOS

Symptoms:
Current configuration validation will allow a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created/loaded without at least one IP address, the configuration will fail to load.

Conditions:
User has deleted the last IP address on a GTM server.

Impact:
Configuration load will fail. If the GTMs are in a sync group, this will also break sync because the config change cannot be loaded by any GTM.

Workaround:
User must either delete the server from the config if it has no more valid IPs, or must add at least one IP to the server's IP address list.

Fix:
Extended MCPD validation to ensure any deleted GTM link/GTM server addresses do not leave parent objects without addresses.


524198-1 : PEM: Invalid HSL log generated when session with static subscriber deleted.

Component: Policy Enforcement Manager

Symptoms:
Invalid HSL logs are generated when a static subscriber session is deleted.

Conditions:
HSL logging is configured in the subscriber policy and a static subscriber session is deleted.

Impact:
Invalid HSL log lines create discrepancies.

Workaround:
Manually filter out these lines from HSL logs.

Fix:
The issue has been fixed; no more extra lines appear in HSL logs.


524185 : Unable to run lvreduce

Component: TMOS

Symptoms:
Unable to run lvreduce due to the missing program 'blockdev'.

Conditions:
Attempting to reallocate disk resources when upgrading a vCMP

Impact:
Unable to shrink the vmdisks app volume.

Workaround:
N/A

Fix:
Moved blockdev back to util-linux.rpm from util-linux-extras.rpm.


524032-1 : Control sending alerts during the source integrity learning process

Component: Fraud Protection Services

Symptoms:
False positive alerts might be sent during the source integrity learning process.

Conditions:
Learn mode is configured for a tag, and the URL's content is dynamic.

Impact:
Source integrity low-severity alerts are sent on every mismatch, before a mature value has been learned.

Workaround:

Fix:
The sending of low score alerts during the source integrity learning process is now controlled by a DB variable.


524004-1 : Adding multiple signatures concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signatures concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signatures are added concurrently using REST.

Impact:
Some signature REST add actions will fail due to deadlock.

Workaround:
Wait until signature add action has completed in REST before issuing the next add.

Fix:
Multiple signatures can be added concurrently using REST.


523922-4 : Session entries may timeout prematurely on some TMMs

Component: TMOS

Symptoms:
In certain scenarios, session entries may not be refreshed when the TMM that owns the entry is used to process the connection.

Conditions:
When the TMM owning the session entry is different from the TMM handling the connection and the entry is retrieved, for example via the iRule command "session lookup uie", the timeout is extended. When the TMM owning the entry and the one handling the connection are the same, the entry may not have its timeout changed, leading to premature removal.

Impact:
Different TMMs may behave differently and cause confusion when using the session table.

Workaround:
None

Fix:
Session table entries now consistently get their timeout values touched in all scenarios.


523863-2 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
The bash shell would print a cryptic error, and the help did not clarify how to make it work.

Workaround:
Research bash shell options for the cryptic error.

Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.


523465-2 : Log an error message when firewall rule serialization fails due to maximum blob limit being hit.

Component: Advanced Firewall Manager

Symptoms:
Prior to the fix, if AFM rule serialization failed in pktclass-daemon, it was not possible to tell whether the failure was due to an out-of-memory (OOM) condition or to the maximum blob limit being reached. Both errors were logged as OOM in /var/log/ltm.

Conditions:
AFM rule serialization fails due to the max blob limit.

Impact:
It is hard to determine that serialization failed due to the max blob limit.

Workaround:
None

Fix:
With the fix, an AFM rule serialization failure due to the max blob limit is logged appropriately in /var/log/ltm, making it easier to identify the cause of the failure.


523434 : mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object

Component: TMOS

Symptoms:
mcpd on secondary blades may restart and log an error of the following form: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_http_virtual_data_source) object ID (44). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_http_virtual_data_source status:13)... failed validation with error 17237812.

Conditions:
The exact conditions under which this occurs are not well understood. The immediately triggering event is a change in the cluster's primary blade.

Impact:
All services on an affected blade restart.

Workaround:
None.

Fix:
mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade.


523431-2 : Windows Cache and Session Control cannot support a period in the access profile name

Component: Access Policy Manager

Symptoms:
An access profile name containing a period will not work when using Windows Cache and Session Control. For example '/Common/test.profile' will not work. When evaluating the access policy, an end-user will be redirected to an error page.

Conditions:
Applies to any APM with Windows Cache and Session Control.

Impact:
Access Profile names cannot include a dot. Invalid name: '/Common/profile.name'. Valid name: '/Common/profile_name'.

Workaround:

Fix:
One of the PHP files for cache control has a regex that looks for invalid access profile names. This regex had previously flagged any profile name with a period to be invalid. The regex has been updated to allow periods.


523390-2 : Minor memory leak on IdP when SLO is configured on bound SP connectors.

Component: Access Policy Manager

Symptoms:
Several bytes of memory are leaked when SAML SSO is executed on BIG-IP system, configured as an Identity Provider (IdP), when the Service Provider (SP) connector has single logout (SLO) configured.

Conditions:
BIG-IP is used as Identity Provider, and SLO is configured for bound SP Connector.

Impact:
Several bytes of memory are leaked.

Workaround:
To work around the problem, disable SLO on SP connectors.

Fix:
Fixed memory leaks in the SAML Identity Provider (IdP) when SLO is configured in a Service Provider (SP) connector.


523327-2 : In very rare cases Machine Certificate service may fail to find private key

Component: Access Policy Manager

Symptoms:
The non-elevated client component is able to find the certificate but not the key, while the machine cert service/F5 Elevation Helper fails to find the certificate. f5certhelper.txt (helper) or logterminal.txt (in the windows\temp folder, for the service) contains: 1, , 0, , EXCEPTION - CCertInfo::FindCertificateInStore: CertFindCertificateInStore failed with error code: 80092004

Conditions:
IE/Edge Client is not running under an Admin user. A special certificate is used.

Impact:
User fails to pass access policy.

Workaround:
Run IE/BIG-IP Edge Client as administrator.

Fix:
Now both service and elevation helper can find those specific certificates.


523313-1 : aced daemon might crash on exit

Component: Access Policy Manager

Symptoms:
When the aced process is going to exit (daemon shutdown/restart), it might generate a core file intermittently.

Conditions:
The aced daemon shuts down.

Impact:
NA

Workaround:

Fix:
The aced process no longer intermittently generates a core file.


523305-1 : Authentication fails with StoreFront protocol

Component: Access Policy Manager

Symptoms:
Wyse fails to authenticate through APM.

Conditions:
Wyse fails to authenticate through APM when it is configured for the SF proxy protocol.

Impact:
Authentication fails

Workaround:
N/A

Fix:
Support the StoreFront protocol for the Wyse client.


523296-1 : TMM may core when using iRule custom actions in PEM policies

Component: Policy Enforcement Manager

Symptoms:
TMM cores.

Conditions:
When using custom iRule actions in a PEM policy, triggering a use of the action or modifying the action will cause the TMM to reset.

Impact:
Datapath resets.

Workaround:
Avoid using custom iRule actions in PEM policies.

Fix:
Memory for storing the custom action was freed to a different pool than the one from which it was allocated; the correct free routine is now used.


523261-1 : ASM REST: MCP Persistence is not triggered via REST actions

Component: Application Security Manager

Symptoms:
Some REST calls that affect security policies should be persisted to the BIG-IP configuration files after their completion (create, delete, association to virtual servers, and changing language encoding), but are not.

Conditions:
REST API is being used to manage Security Policies.

Impact:
If the device is restarted, configuration may be lost.

Workaround:
Perform any other action that persists the configuration (such as an ASM config change through the GUI, or any LTM configuration change).

Fix:
Configuration is now correctly persisted when required after ASM REST actions.


523260-1 : Apply Policy finishes with coapi_query failure displayed

Component: Application Security Manager

Symptoms:
GUI actions to apply policy appear to fail with an error message regarding coapi_query.

Conditions:
Unknown.

Impact:
The policy is correctly applied locally; the error message occurs after the commit. This error, however, prevents correct device group synchronization of the change.

Workaround:
Use the REST API to apply the policy:

POST https://<MGMT_IP>/mgmt/tm/asm/tasks/apply-policy
{ "policy": { "fullPath": "/Common/<POLICY_NAME>" } }

Fix:
We fixed an error that intermittently caused the Apply Policy action to fail.


523222-6 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

Component: Access Policy Manager

Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending. If an access policy has Redirect ending, the Citrix HTML5 client will fail to start with HTTP 400 error.

Conditions:
Citrix Storefront configured in integration mode through APM.

Impact:
The HTML5 client is not usable for this sort of integration.

Workaround:

Fix:
Fixed the Citrix HTML5 handling code so that it works with Redirect endings in access policies.


523201-2 : Expired files are not cleaned up after receiving an ASM Manual Synchronization

Component: Application Security Manager

Symptoms:
If a device only receives full ASM sync files from its peers, it never performs cleanup of files that are no longer needed.

Conditions:
An ASM manual synchronization device group is being used.

Impact:
May eventually lead to disk space exhaustion.

Workaround:
None.

Fix:
Files are now correctly cleaned up after loading a new configuration.


523158-2 : In VPE, if the LDAP server returns "cn=" (lower case), DN/group match fails

Component: Access Policy Manager

Symptoms:
In rare cases, when the DN is returned with cn= in lower case, VPE fails to match group names.

Conditions:
The server returns cn in lower case.

Impact:
Group mapping does not work.

Workaround:
No workaround.

Fix:
Fixed to support CN in both upper and lower case.


523125 : Disabling/enabling blades in cluster can result in inconsistent failover state

Component: TMOS

Symptoms:
Not all blades in the cluster agree about the high availability (HA) status.

Conditions:
Disabling and enabling blades in a chassis that is configured to use HA Groups can sometimes result in a blade staying in standby even though the other blades in the chassis have gone active.

Impact:
When the blades disagree about active/standby state, traffic might be disrupted.

Workaround:
None.

Fix:
Disabling/enabling blades in cluster no longer results in inconsistent failover state.


523079-2 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.


522934 : Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy

Component: Policy Enforcement Manager

Symptoms:
Some PCRFs require the subscription ID in all CCR messages over Gx/Gy for easier session management.

Conditions:

Impact:
Some PCRFs will not work properly with PEM if the subscription ID is not specified in CCR-U and CCR-T messages.

Workaround:
Set the sys db variable Tmm.diameter.application.encode.subscriber.id.in.all.ccr to True to include the Subscription ID in CCR-U and CCR-T messages as well. By default it is set to True.


522933-1 : diam_app_process_async_lookup may cause TMM crash

Component: Policy Enforcement Manager

Symptoms:
TMM may crash

Conditions:
TMM may crash in diam_app_process_async_lookup when traffic is sent to a virtual server that has a Gx profile.

Impact:
TMM crash

Workaround:
N/A

Fix:
Fixed a double free of the serdes message.


522878-1 : Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.

Component: Access Policy Manager

Symptoms:
The customer does not want the MRHSession cookie value exposed in clear text in the URL, because they found that they could bypass authentication by putting the F5SSO_SID value into the MRHSession cookie from another laptop and gain access to the same virtual server.

Conditions:
Set up multidomain SSO, use httpwatch or tcpdump to capture the traffic, and look at the F5SSO_SID in the URL. Setting this value into the cookie from another location gains access to the virtual server.

Impact:
Unauthorized access results in a security breach.

Workaround:
iRule Workaround:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::is_redirect] } {
        log local0. "Redirect detected with Location header: [HTTP::header Location]"
        set loc [HTTP::header Location]
        if { $loc contains "F5SSO_SID" } {
            # Using F5SSO_SID hashed value inside Location header
            set F5_sid [string range $loc [expr {[string last "F5SSO_SID" $loc] + 10}] [string length $loc]]
            log local0. "F5_sid: $F5_sid"
            set shasid [URI::encode [b64encode [sha512 $F5_sid]]]
            # we create one subtable to access the hash from the sessionid
            table add -subtable "sha" $shasid $F5_sid indefinite indefinite
            log local0. "adding sessionID $F5_sid to sha subtable with value $shasid"
            set newloc [string map [list $F5_sid $shasid] $loc]
            log local0. "Location after obfuscation: $newloc"
            HTTP::header replace Location $newloc
            unset loc
            unset newloc
        }
    }
}
when HTTP_REQUEST {
    log local0. "received [HTTP::method] [HTTP::host] [HTTP::uri]"
    if { [HTTP::uri] contains "F5Networks-SSO-Resp" } {
        # Switch F5SSO_SID value back from hash to real value
        log local0. "[HTTP::uri] contains F5Networks-SSO-Resp"
        set newuri2 [HTTP::uri]
        set F5_hash_b64 [string range $newuri2 [expr {[string first "F5SSO_SID=" $newuri2] + [string length "F5SSO_SID="]}] [string length $newuri2]]
        log local0. "F5SSO_SID value in base64 is: $F5_hash_b64"
        set lookup_sid [table lookup -subtable "sha" $F5_hash_b64]
        log local0. "lookup_sid is: $lookup_sid"
        set newuri2 [string map [list $F5_hash_b64 $lookup_sid] [HTTP::uri]]
        HTTP::uri $newuri2
        log local0. "URI with SID: $newuri2"
        unset newuri2
        unset lookup_sid
        unset F5_hash_b64
    }
    # route traffic to internal APM VS accordingly
    if { [HTTP::host] == "www.primaryauth.com" } {
        use virtual VS_internal_primaryauth
    } elseif { [HTTP::host] == "www.site.com" } {
        use virtual VS_internal_site1
    }
}

Fix:
The following changes were made to prevent attacks against F5SSO_SID: 1.) While redirecting, append an 8-byte randomly generated token in place of the F5SSO_SID and store the SID value in the session DB with the token as the key. 2.) When the response comes back with the token, look up the SID value in the session DB and delete the token to prevent any future use of the token by an illegitimate user.
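As an added illustration in Python (not F5's code), the single-use token exchange that the fix describes, beside the value the iRule workaround substitutes for the SID, so the difference in replay resistance is visible; the SessionDB stand-in, the function names and the sample URL are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

SID_PARAM = "F5SSO_SID"   # query parameter named in the entry
TOKEN_BYTES = 8           # the fix text specifies an 8-byte random token


class SessionDB:
    """Assumed in-memory stand-in for the BIG-IP session DB (dict-backed)."""

    def __init__(self):
        self._entries = {}

    def add(self, key, value):
        self._entries[key] = value

    def pop(self, key):
        # Remove-on-read: the fix deletes the token once it has been redeemed
        return self._entries.pop(key, None)

    def __len__(self):
        return len(self._entries)


def get_query_param(url, name):
    """Return the decoded value of query parameter `name`, or None."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key == name:
            return value
    return None


def set_query_param(url, name, value):
    """Return `url` with query parameter `name` replaced by `value`."""
    parts = urlsplit(url)
    pairs = [(k, value if k == name else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def tokenize_redirect(db, location):
    """Fix step 1: while redirecting, put a random one-time token in place of
    the clear-text SID and store the SID under that token. Returns the
    rewritten Location value (unchanged when no SID is present)."""
    sid = get_query_param(location, SID_PARAM)
    if sid is None:
        return location
    token = secrets.token_hex(TOKEN_BYTES)  # 8 random bytes as 16 hex chars
    db.add(token, sid)
    return set_query_param(location, SID_PARAM, token)


def redeem_token(db, request_uri):
    """Fix step 2: on the returning request, look the token up, delete it and
    restore the real SID. Returns None when the token is unknown or was
    already used, so a captured or replayed URL yields no session."""
    token = get_query_param(request_uri, SID_PARAM)
    if token is None:
        return None
    sid = db.pop(token)
    if sid is None:
        return None
    return set_query_param(request_uri, SID_PARAM, sid)


def workaround_substitute(sid):
    """The value the iRule workaround substitutes for the SID: URI-encoded
    base64 of SHA-512(SID). It is deterministic and the iRule stores it
    indefinitely, so unlike the token it is the same for every redirect of
    the same session and stays redeemable."""
    digest = hashlib.sha512(sid.encode()).digest()
    return quote(base64.b64encode(digest).decode(), safe="")
```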


522784-2 : After restart, system remains in the INOPERATIVE state

Component: Local Traffic Manager

Symptoms:
After restarting, it is normal for the system to remain in some state other than "Green/Active" for a few minutes while the system daemons complete their initialization. During this time, the following advanced shell command may produce one or more lines of output:

# bigstart status | grep waiting

However, if this condition persists for more than five minutes after access to the root shell via the management interface is available, then you may be experiencing this defect.

Conditions:
BIG-IP versions 11.5.x, 11.6.x or 12.0.x that have received the fix for bug 502443 but *not* the fix for 522784 may experience this issue. There are no officially supported BIG-IP releases that have this condition.

Impact:
As long as the system remains in the INOPERATIVE state, neither LTM nor ASM will function.

Workaround:
In order to work around this problem, de-provision ASM.

Fix:
Resolves a deadlock at startup, when LTM and ASM are provisioned, that may occur as a result of the fix for 502443.


522579-1 : TMM memory leak when the PCRF sends RAR messages to delete sessions that do not exist in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM memory leak. Memory consumption of TMM increases constantly and never reduces.

Conditions:
RAR messages with a session-release cause are received from the PCRF for sessions that PEM does not have.

Impact:
Memory leak and eventually TMM will have to be restarted.

Workaround:
Make sure RAR messages are not sent for sessions that do not exist in PEM.

Fix:
This issue has been fixed. TMM no longer leaks memory when RAR messages with the session-release AVP are received for sessions that do not exist in PEM.


522282-1 : iApp templates are visible with only vCMP provisioned.

Component: TMOS

Symptoms:
iApp templates are visible with only vCMP provisioned. Depending on the iApp template, other modules (for example, LTM or GTM) must also be provisioned. Although template authors can edit and deploy templates with only vCMP provisioned, the application does not work without the required modules.

Conditions:
This occurs when vCMP is provisioned as Dedicated and an author makes changes in an iApp with the assumption that the functionality is available because the iApp is visible.

Impact:
iApps are visible that are inappropriate for the provisioning. The system posts an error message if the user attempts to create an app from that template.

Workaround:
Provision the modules needed for the iApp to work.

Fix:
The DNS and iApps menus are now hidden when only vCMP is provisioned.


522231-3 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache, TMM may crash, causing failover and a restart of AAM. A profile from another BIG-IP module (other than AAM and LTM) on the virtual server may contribute to the issue.

Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) The client resets the connection immediately after the request is complete and before the response has started to be served.

Impact:
TMM crashes when the issue occurs causing failover for a high availability group or service disruption on a standalone device or temporary load increase if the device is a member of a cluster (AAM farm, for example).

Workaround:
Install the fix.

Fix:
AAM no longer starts serving a cached response on a connection that is already aborting.


522147-2 : 'tmsh load sys config' fails after key conversion to FIPS using web GUI

Component: Local Traffic Manager

Symptoms:
Web GUI does not save config after key conversion to FIPS

Conditions:
On a Cavium-FIPS BIG-IP, create a normal key and then convert it to FIPS using the web GUI.

Impact:
'tmsh load sys config' fails

Workaround:
Two possible workarounds:
1) Run 'tmsh save sys config' after converting the key to FIPS using the web GUI.
2) Convert the normal key to FIPS using tmsh instead of the web GUI.

Fix:
Web GUI is now fixed to properly save config after key conversion to FIPS


522141-1 : Tmm cores while changing properties of PEM policies and rules.

Component: Policy Enforcement Manager

Symptoms:
If a policy with session reporting is configured on the bigip, and the policy is changed to remove this action, then a tmm core is observed rarely.

Conditions:
This core only occurs when session reporting is configured, and while traffic is being processed, this policy is modified to remove the session reporting action.

Impact:
This core occurs rarely, and hence would not have a significant impact.

Workaround:

Fix:
Deleting a session reporting action will not cause a tmm core.


522140-1 : Multiple IPs are not added through an iRule after the iRule sets the session state to provisioned

Component: Policy Enforcement Manager

Symptoms:
Setting a session state to provisioned from an iRule may not add multiple IPs to the session.

Conditions:
An iRule adds multiple IPs to a session while setting the session state to provisioned.

Impact:
The IPs are not present in the session.

Workaround:
N/A

Fix:
The callback context connflow is now released after the session state is set asynchronously.


521835-2 : [Policy Sync] Connectivity profile with a customized logo fails

Component: Access Policy Manager

Symptoms:
Policy sync failed with a customized logo in connectivity profile.

Conditions:
Configure a customized logo on the connectivity profile. Associate the profile with the access profile through a virtual server. Start a policy sync.

Impact:
Policy Sync fails.

Workaround:
Keep the default logo for connectivity profile. After syncing to target, customize directly on the devices.

Fix:
A user can include a customized logo in a connectivity profile and sync it.


521774-3 : Traceroute and ICMP errors may be blocked by AFM policy

Component: Local Traffic Manager

Symptoms:
ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.

Conditions:
The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.

Impact:
Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.

Workaround:
If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.


521773-2 : Memory leak in Portal Access

Component: Access Policy Manager

Symptoms:
Memory consumption of "rewrite.*" processes is growing constantly. On manually taken core file, result of following command is large (more than 100000). zcat <core-file.gz> | strings -n 15 | grep "^/f5-w-" | wc -l

Conditions:
Memory leaks in cases when POST request content could be modified by Portal Access (for example, xml).

Impact:
Rewrite processes may use all available memory on the box and then cause 'Out of memory' condition and failover.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed a memory leak of request urls in rewrite plug-in.


521763-1 : Attack stopped and start messages should not have source/dst ip addresses in log messages

Component: Advanced Firewall Manager

Symptoms:
DoS attack start and stop log messages included the source and destination IP addresses, which these messages should not carry.

Conditions:
AFM DoS attack start/stop events were logged with dstip/srcip populated.

Impact:
After the fix, DoS attack start and stop log messages no longer carry srcip and dstip.

Workaround:
None

Fix:
The source and destination IP fields of attack started and stopped messages are now logged as NULL.


521683-1 : PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs

Component: Policy Enforcement Manager

Symptoms:
The PEM session for the subscriber is not replaced with a new one.

Conditions:
The same RADIUS start message is sent three or more times.

Impact:
Because the session is not replaced, the old policy continues to be applied to it.

Workaround:
Make sure a RADIUS stop is sent for the subscriber before a new RADIUS start is sent.

Fix:
The issue has been fixed. The session is now replaced regardless of how many RADIUS start messages are received for the subscriber.


521655-2 : Session hangs when trying to switch state to provisioned

Component: Policy Enforcement Manager

Symptoms:
Sessions may hang when an iRule switches their state.

Conditions:
Applying an iRule to a client data virtual server may cause the session state change to hang.

Impact:
Session state will hang

Workaround:
N/A

Fix:
The callback context connflow is now released after the session state is set asynchronously.


521556-1 : Assertion "valid pcb" in TCP4 with ICAP adaptation

Component: Service Provider

Symptoms:
TMM crashes with assertion "valid pcb" in tcp4.c

Conditions:
Virtual server with request-adapt or response-adapt profile. Congested client or TCP small window (flow-control is active). Multiple HTTP requests in a single client connection. More likely with iRules that park.

Impact:
Intermittent crash under load.

Workaround:

Fix:
Assertion "valid pcb" does not occur.


521538-2 : Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known

Component: Local Traffic Manager

Symptoms:
After failover of an L4 flow that is using keep-alive, the keep-alive transmissions do not resume after traffic has flowed through the BIG-IP system.

Conditions:
HA mirroring of L4 connections is in use, with keep-alive enabled on the TCP profile. After a failover there was traffic before the flow timed out, and then the traffic became idle. If there is no traffic after failover, the correct sequence numbers are unknown and the flow timing out due to inactivity is expected behavior. If there is traffic after failover, the correct TCP sequence numbers are known, and when the flow then becomes idle, keep-alive transmissions should resume.

Impact:
Flows after failover with TCP keep-alive age out and expire even if traffic is available to set the sequence numbers. Depending on the configuration options, subsequent packets may reset or transparently create a new flow (if TCP loose initiation is enabled).

Workaround:
None.

Fix:
Keep-alive transmissions now resume after failover of flows on an L4 virtual, when the sequence number is known


521522-3 : Traceroute through BIG-IP may display destination IP address at BIG-IP hop

Component: Local Traffic Manager

Symptoms:
When performing traceroute through a BIG-IP device, the traceroute utility may display the destination IP in place of the hop where BIG-IP is located, instead of a Self IP address of the BIG-IP device at that hop.

Conditions:
No return route for the client IP address exists on the BIG-IP device.

Impact:
There is no impact to the performance of traffic through the BIG-IP device. The impact occurs only when reading and interpreting the results of a traceroute utility.

Workaround:
If possible and allowed, add route entry for the traceroute client subnet.

Fix:
Traceroute through BIG-IP now displays a Self IP address of the BIG-IP device at that hop. This is correct behavior.


521506-2 : Network Access doesn't restore loopback route on multi-homed machine

Component: Access Policy Manager

Symptoms:
Network Access on Windows doesn't restore loopback route for one adapter on multi-homed (Ethernet + Wi-Fi) machine.

Conditions:
This issue happens if:
1. Network Access was established via Ethernet.
2. The Ethernet cable was unplugged.
3. Network Access reconnects using Wi-Fi.
4. The Ethernet cable is plugged back in.

Impact:
Minor routing issues may occur because one special loopback route is removed. To restore this route, the affected adapter must be disabled and re-enabled.

Workaround:

Fix:
Fixed issues causing improper routing table management.


521455-2 : Images transcoded to WebP format delivered to Edge browser

Component: WebAccelerator

Symptoms:
The Microsoft Edge browser does not support, and cannot render WebP format images. The AAM image optimization framework improperly classifies the Edge browser as being capable of supporting WebP and delivers WebP-transcoded images to such clients.

Conditions:
The AAM system's image optimization and the "optimize for client" setting must both be enabled, and the associated acceleration policy and application must be assigned to one or more virtual servers.

Impact:
Some images will fail to render on the Edge browser.

Workaround:
Disable the "optimize for client" attribute in the applicable policies' acceleration assembly settings.

Fix:
Transcoded WebP images are no longer served to the Edge browser. By default, transcoded JPEG-XR is also no longer served to the Edge browser, but the db variable ccdb.allow.edge.jpegxr may be used to override this.


521408-3 : Incorrect configuration in BigTCP Virtual servers can lead to TMM core

Component: Local Traffic Manager

Symptoms:
An incorrect configuration in an iRule associated with a BigTCP virtual server can cause TMM to core.

Conditions:
The following circumstances are needed:
- A BigTCP virtual server.
- A FastL4 profile with syncookies enabled.
- An invalid iRule that fails to execute on LB_FAILED.
- Syncookies active at that moment.

Impact:
TMM will core leading to unwanted outage of varying impact.

Workaround:
Correct or remove the irule event and coring will no longer occur.

Fix:
TMM now correctly handles the specific scenario to no longer core.


521272 : Fixed memory leak in restjavad's Authentication Token worker

Component: Centralized Management

Symptoms:
There is a memory leak that causes the Authentication Token worker to run Out of Memory after approximately 27,000 token requests, when running with 96 MB image on a BIG-IP system. Any service might receive the OutOfMemory exception, so the external symptoms might vary (e.g., Socket failure, Bad Gateway, and others). To identify this issue, check for Out Of Memory exceptions in /var/log/restjavad.0.log.

Conditions:
This usually occurs when scripting against the rest interface. On a vCMP guest, guestagentd generates an authentication token every 90 seconds so that hostagentd on the vCMP hypervisor can make periodic REST calls to the guest. This info is used to populate the 'tmsh show vcmp health' stats.

Impact:
It takes a long time to log in 27,000 times, when logons come in through the GUI.

Workaround:
Restart restjavad after 10,000 tokens. To stop auth token generation on vCMP guests, run the following commands on the hypervisor:
tmsh modify vcmp guest all capabilities add { stats isolated-mode }
bigstart restart hostagentd

Fix:
Fixes a memory leak in Authentication Token mechanism in restjavad.


520705-5 : Edge client contains multiple duplicate entries in server list

Component: Access Policy Manager

Symptoms:
Edge client contains multiple duplicate entries in the server list.

Conditions:
Edge client with duplicate entries in connectivity profile.

Impact:
Edge client shows duplicate entries.

Workaround:
Do not create duplicate entries in connectivity profile

Fix:
BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list.


520642-3 : Rewrite plugin should check length of Flash files and tags

Component: Access Policy Manager

Symptoms:
Portal Access Flash patcher could crash or apply incorrect modifications on some malformed Flash files.

Conditions:
This occurs when a Flash file is truncated or contains incorrect length value in file or tag headers.

Impact:
It may cause a crash and restart of Portal Access services.

Workaround:

Fix:
Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.


520640-2 : The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.

Component: TMOS

Symptoms:
Using the string returned in the options_seq field by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option method can result in an 'Invalid zone option syntax...' error.

Conditions:
Use of the string returned by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option() method.

Impact:
Strings returned in the options_seq field by the iControl Management.Zone.get_zone method cannot be used in the Management.Zone.set_zone_option() method unless they are reformatted consistent with the format expected by the Management.Zone.set_zone_option() method.

Workaround:
Use the GUI to set the zone options. Alternatively, modify the strings returned in the options_seq field by the iControl Management.Zone.get_zone method to a format consistent with those expected by the Management.Zone.set_zone_option() method. For example, modify options_seq to have each option as a single string (rather than the masters string, which is returned as 3 separate options strings).

Fix:
The iControl Management.Zone.get_zone_v2() method returns a value in the options_seq field in a format that is consistent with the format expected by the Management.Zone.set_zone_option() method.


520585-2 : Changing Security Policy Application Language Is Not Validated or Propagated Properly

Component: Application Security Manager

Symptoms:
After changing the Application Language for a Security Policy and pushing the changes over a manual sync device group, the CMI device group's status immediately returns to "Changes Pending". Additionally, calls through the REST interface erroneously allowed a client to change the language for a policy where it was already set.

Conditions:
A Security Policy was set to "Auto-Detect" the Application Language, and then set to a specific encoding. Or an application language is already set and is changed through the REST API. Issue is seen most prominently in CMI when ASM sync is enabled on a Manual Sync Failover Group

Impact:
1) The change to encoding is not seen if looking at the result in tmsh. 2) In a manual sync group, after the change has been pushed to its peers, the change is correctly written to the MCP configuration when it is loaded. This appears as a new pending change from the peer device, and the device group appears out of sync again.

Workaround:
Push another sync from the peer to the original device.

Fix:
Changes to Language encoding are now validated and propagated correctly.


520540-1 : HTTP Basic authentication may cause the TMM to crash if the header is too large

Component: Local Traffic Manager

Symptoms:
Accessing the information within a HTTP Authorization header via the HTTP::username, HTTP::password (or other method), may cause the TMM to crash if the header is too large.

Conditions:
An overlarge Authorization HTTP header, together with an iRule that accesses it via the HTTP::username or HTTP::password commands, or via the sflow feature.

Impact:
The TMM will crash

Workaround:
One possible work-around is to manually truncate the size of the HTTP Authorization header by an iRule.

Fix:
Overlarge HTTP Authorization headers will no longer cause the TMM to crash if they are inspected via the HTTP::username, HTTP::password iRule commands, or via the sflow feature.
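The check the workaround implies, written out as an added Python example (not an iRule and not F5 code): the Authorization header's size is bounded before the value is base64-decoded or split into username and password, so an overlarge header is rejected rather than parsed. The 4096-byte limit, the exception type and the function names are assumptions; the sample header values are constructed for the test.

```python
import base64
import binascii
from typing import Optional, Tuple

# Added example (not F5 code): bounded parsing of an HTTP Basic Authorization header.
MAX_AUTH_HEADER_BYTES = 4096   # assumption: anything larger is rejected before decoding


class AuthorizationTooLarge(ValueError):
    """Raised when the header exceeds the configured byte limit."""


def parse_basic_auth(header_value: str,
                     max_len: int = MAX_AUTH_HEADER_BYTES) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic Authorization header value.

    Returns None when the header is not Basic, is not valid base64, or lacks the
    "user:password" separator. Raises AuthorizationTooLarge when the raw header
    exceeds max_len bytes; that check runs first, before any decoding.
    """
    raw_len = len(header_value.encode("utf-8"))
    if raw_len > max_len:
        raise AuthorizationTooLarge(
            f"Authorization header is {raw_len} bytes, limit is {max_len}")
    scheme, _, param = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them.
        decoded = base64.b64decode(param.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.decode("utf-8", "replace").partition(":")
    if not sep:
        return None
    return user, password


def authorization_status(header_value: str,
                         max_len: int = MAX_AUTH_HEADER_BYTES) -> str:
    """Classify a header as 'ok', 'invalid' or 'too_large' without raising."""
    try:
        return "ok" if parse_basic_auth(header_value, max_len) else "invalid"
    except AuthorizationTooLarge:
        return "too_large"
```

The length check is deliberately placed before base64 decoding: decoding first would allocate and process the attacker-controlled payload before any limit applies, which is the ordering the crash described above punishes.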


520466-2 : Ability to edit iCall scripts is removed from resource administrator role

Component: TMOS

Symptoms:
A user account with resource administrator role assignment is able to modify user accounts using iCall scripts.

Conditions:
Resource administrators attempting to modify iCall scripts will be denied access. Such users will still be able to create iCall handlers that reference existing scripts.

Impact:
Resource administrators are no longer able to modify iCall script objects.

Workaround:
To manage iCall scripts the user account must be assigned the administrator role.

Fix:
We have removed access to modify iCall scripts for the Resource Administrator role. iCall handlers can still be created that refer to scripts created by an administrator.


520390-1 : Reuse existing option is ignored for smtp servers

Component: Access Policy Manager

Symptoms:
If a policy is imported with the "reuse existing objects" option and a matching SMTP server already exists, the newly imported policy creates and uses a new SMTP server instead of reusing the existing one.

Conditions:
Always

Impact:
Minor - easy to fix after import

Workaround:
Open assignment and reuse existing SMTP server, then delete old one.

Fix:
Reuse existing option works properly for SMTP servers.


520298-2 : Java applet does not work

Component: Access Policy Manager

Symptoms:
Web applications may work incorrectly through Portal Access if they use Java applets.

Conditions:
Website uses Java applet that is loaded with deprecated <applet> HTML tag.

Impact:
Websites can't use Java applets.

Workaround:

Fix:
Java applets now work correctly through Portal Access.


520280-1 : Perl Core After Apply Policy Action

Component: Application Security Manager

Symptoms:
Applying a policy causes a perl core; subsequent apply-policy operations do not work.

Conditions:
ASM provisioned. LTM provisioned. An ASM policy exists that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.

Impact:
Applying a policy causes a perl core and crashes the ASM config event dispatcher. The ASM config event dispatcher is not restarted and remains down, so subsequent apply-policy operations do not work.

Workaround:
Make sure that any LTM (L7) policy that references an ASM policy is assigned to an LTM virtual server. A dummy LTM virtual server can be created for that purpose.

Fix:
Perl no longer cores and crashes ASM config event dispatcher in the case of an apply policy to an ASM policy that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.


520205-3 : Rewrite plugin could crash on malformed ActionScript 3 block in Flash file

Component: Access Policy Manager

Symptoms:
The rewrite plugin crashes. The following log message is in the log: ../fm_patchers/abc/abcScanner.cpp:70: void abc::abcScanner::has(size_t): Assertion `GetRemaining() >= (ssize_t)l' failed.

Conditions:
Input file is truncated or contains invalid bytecode instructions at the end of doabc/doabcdefine tag.

Impact:
Portal Access services restart.

Workaround:

Fix:
Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.


520145-3 : [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy

Component: Access Policy Manager

Symptoms:
Policy sync fails with out-of-memory error on target device with big and complex policy.

Conditions:
A large profile, for example one that makes excessive use of ACL resources.

Impact:
Policy Sync fails.

Workaround:

Fix:
APM allows a user to sync a large and complex policy.


520118-2 : Duplicate server entries in Server List.

Component: Access Policy Manager

Symptoms:
There are multiple entries in the server list, possibly with different connection strings.

Conditions:
Client ends up with duplicate entries in the server list if it connects to different virtual servers that have the same aliases in the connectivity profile.

Impact:
Duplicate server entries in Server List.

Workaround:
Avoid duplicate aliases across connectivity profiles on servers that client connects to.

Fix:
Single entry in the server list.


520090-1 : FPS plugin

Component: Fraud Protection Services

Symptoms:
Flows are closed as expired rather than gracefully.

Conditions:
The BIG-IP system is passing about 400 RPS and becomes a bottleneck.

Impact:
response timeouts

Workaround:

Fix:
The BIG-IP now closes TCP connection after requests for FPS JavaScript.


519966-2 : APM "Session Variables" report shows user passwords in plain text

Component: Access Policy Manager

Symptoms:
APM Session Variables report shows user passwords in plain text.

Conditions:
The session has a session variable that contains a password.

Impact:
It is not safe to show users' passwords in plain text.

Workaround:

Fix:
APM Session Variables report masks user passwords, displaying ************ instead.


519864-3 : Memory leak on L7 Dynamic ACL

Component: Access Policy Manager

Symptoms:
There is a memory leak in Dynamic ACL for HTTP-related configuration in ACL entries, such as the HTTP host name and HTTP URI path. The leak occurs for every session because these entries are generated on a per-session basis.

Conditions:
Use L7 Dynamic ACL

Impact:
Memory usage slowly increases, causing instability in the overall system.

Workaround:
Use static ACL whenever possible.

Fix:
L7 Dynamic ACL is no longer leaking memory.


519510-3 : Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware

Component: TMOS

Symptoms:
TCP throughput might be severely impacted for traffic traversing a tagged VLAN and BCM57800/BCM57810 NIC on BIG-IP VEs. The 'rxbadsum' counts increase as received LRO'd traffic is ignored by TMM.

Conditions:
1. Traffic traverses a tagged VLAN. 2. The issue might be related to systems using Broadcom BCM57800 or BCM57810 NICs; in general, however, the required condition is that packets carrying a VLAN header are received by the uNIC driver.

Impact:
Potential throughput drop during a high volume of data transfer.

Workaround:
You can use either of the following workarounds:
1. Avoid using tagged VLANs.
2. Run the following commands on the ESX hypervisor to disable LRO/GRO system-wide, then reboot:
   esxcli system settings advanced set -o /Net/Vmxnet2HwLRO -i 0
   esxcli system settings advanced set -o /Net/Vmxnet3HwLRO -i 0
   esxcli system settings advanced set -o /Net/Vmxnet2SwLRO -i 0
   esxcli system settings advanced set -o /Net/Vmxnet3SwLRO -i 0
   esxcli system settings advanced set -o /Net/VmxnetSwLROSL -i 0

Fix:
Change in L4 packet header offset, resulting from VLAN header insertion, is being accounted for to verify checksum.


519506-1 : Flows dropped when the server initiates data on virtual servers with HTTP

Component: Policy Enforcement Manager

Symptoms:
Accepted events are held when HTTP is present on the hudchain.

Conditions:
HTTP is present on the hudchain.

Impact:
Data flows dropped

Workaround:
N/A

Fix:
Enable checking of HTTP state and pass Accepted events


519415-3 : apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )

Component: Access Policy Manager

Symptoms:
Ephemeral listeners (created by Network Access tunnels for lease-pool IPs) ignore iRules, so a customer cannot change timeout values for server-initiated flows inside a Network Access tunnel. iRules can be attached as related-rules to the main virtual server through tmsh (not the GUI) so that they run on the ephemeral listeners, for example: tmsh modify ltm virtual vs_dtls related-rules { idle_time } However, APM Network Access ignored the related-rules on the main virtual server, so the rules were never triggered.

Conditions:
APM Network access use case.

Impact:
Related rules on main virtual are not applied to ephmeral listeners; (these ephemeral listeners are created by Network Access tunnels for lease-pool IPs).

Workaround:
none.

Fix:
iRules get executed on Ephemeral listeners.


519372 : vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.

Component: TMOS

Symptoms:
Extremely large and increasing number of files present, of the form /var/run/tmstats-rsync.*. This is a memory-backed directory, and these files are never automatically moved or deleted, hence the vCMP guest may eventually experience swap and out of memory conditions.

Conditions:
vCMP guests upload statistics to the VCMP host periodically. In a small percentage of vCMP guests which have large configurations, these statistics take up an unusually high amount of space. This is not an error, but it exceeds the 6 MB limit that the host accepts. The host's refusal to accept the file triggers behavior in the guest that logs the condition to /var/run/tmstats-rsync.*. If the file size never decreases, this happens repeatedly and indefinitely.

Impact:
In swap and low memory conditions, the vCMP guest suffers performance problems and instability.

Workaround:
To work around this issue, disable guest health statistic collection on the vCMP host. Impact of workaround: this affects the values returned by the tmsh show vcmp health stats command.
1. Log in to the command line of the vCMP host. If the device is a VIPRION, ensure you are logged in to the primary blade.
2. To disable statistic collection, type the following command:
   tmsh modify vcmp guest all capabilities add { stats-isolated-mode }

Fix:
The /var/run/tmstats-rsync.* files are no longer generated. Instead, statistics are kept in the vCMP guest to track failures to send stats to the host. You can see these by running the following command in the guest: tmctl -d blade vcmpd/rsync_stat. If the guest is a multi-slot guest on a VIPRION platform, this command shows separate stats for each slot it's run on.


519198-3 : [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user

Component: Access Policy Manager

Symptoms:
Failed to sync a policy in non-Common partition as a non-default admin user.

Conditions:
Log in as an admin user other than the default "admin". Sync a policy that was created in a non-Common partition.

Impact:
Policy Sync fails

Workaround:
Log in as default "admin" user.

Fix:
APM allows a user to log in as any admin user to sync policy in any partition.


519068-3 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset and log messages about self-signed certificates appear.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).

Fix:
The system now correctly resets device trust when devices are being added to and deleted from the device trust.


519053-1 : Request is forwarded truncated to the server after answering challenge on a big request

Component: Application Security Manager

Symptoms:
Large requests (over 5K) arrive truncated to the server when web scraping bot detection is enabled, or a brute force/session opening attack is ongoing with client-side mitigation.

Conditions:
The request size is between 5k-10k. Web scraping bot detection is turned on, or a brute force/session opening attack is ongoing with client-side mitigation.

Impact:
The client side challenge mechanism causes a truncation of the request forwarded to the server. Only the first 5k of the request arrives to the server.

Workaround:
Change the internal parameter size max_raw_request_len to 10000.

Fix:
The system's client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.


519022-2 : Upgrade process fails to convert ASM predefined scheduled-reports

Component: Application Visibility and Reporting

Symptoms:
Upgrade from versions prior to 11.5 fail, if the scheduled report is using the predefined settings named: "Top alerted and blocked policies".

Conditions:
There is a scheduled report that is using the predefined settings named: "Top alerted and blocked policies".

Impact:
Upgrade process fails.

Workaround:

Fix:
A scheduled report using the predefined settings named "Top alerted and blocked policies" no longer causes upgrades from versions prior to 11.5 to fail. The upgrade process now renames the predefined report type to the correct one, so the upgrade no longer fails.


518981-2 : RADIUS accounting STOP message may not include long class attributes

Component: Access Policy Manager

Symptoms:
The class attribute should be sent back to RADIUS server unmodified. However, if the RADIUS server is configured to send lots of long class attributes, the BIG-IP system might drop them when sending accounting stop message.

Conditions:
The BIG-IP system is configured with an Access Policy that contains a RADIUS Acct agent. The RADIUS server is configured to send class attributes with a total size greater than 512 bytes.

Impact:
RADIUS Accounting server doesn't receive STOP message when user session is over.

Workaround:

Fix:
Previously, the BIG-IP system would not send an accounting STOP message if the class attributes were more than 512 bytes in total size. Now, the BIG-IP system sends the accounting STOP message, but does not include the class attributes.


518663-1 : Client waits seconds before page finishes load

Component: Application Visibility and Reporting

Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header. If the response contains no <html> tag, AVR will "change its mind" and won't inject the JavaScript, causing the client to wait for the missing bytes until timeout.

Conditions:
Page-load-time is enabled in the AVR profile.

Impact:
Client waits many seconds until timeout.

Workaround:

Fix:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header. If no <html> tag is found in the response, the system now injects empty spaces to fill in the missing bytes in order to prevent the client from timing out.


518573 : The -decode option should be added to expressions in AD and LDAP group mapping.

Component: Access Policy Manager

Symptoms:
The -decode option is needed.

Conditions:
Upgrade to 11.6.0.

Impact:
In 11.6.0, if you create a rule to match an AD group in an "AD group resource assign", it creates something like this in bigip.conf:

expression "expr { [mcget -decode {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"

Prior to 11.6.0 the generated config was:

expression "expr { [mcget {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"

The upgrade script does not take care of adding the "-decode" option, which results in no groups being displayed in the VPE after an upgrade to 11.6.0.

Workaround:
No workaround

Fix:
Issue resolved: the -decode option and lowercase string comparison are now added to expressions in AD and LDAP Group Mapping during upgrade.


518432 : [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation

Component: Access Policy Manager

Symptoms:
TLS tunnel freezes on Mac and Linux in case of SSL renegotiation.

Conditions:
TLS tunnel on Mac and Linux, and SSL renegotiation happens.

Impact:
Tunnel freezes and user cannot pass data traffic.

Workaround:
Restart the session with the BIG-IP system.

Fix:
The tunnel no longer freezes on SSL renegotiation on Mac and Linux.


518283 : Cookie rewrite mangles 'Set-Cookie' headers

Component: TMOS

Symptoms:
'Set-Cookie' headers are syntactically invalid.

Conditions:
Rewrite profile and 'Set-Cookie' header has 'Expires' attribute before 'Path' attribute.

Impact:
'Set-Cookie' headers on the client side become syntactically invalid (two 'Path' values that can be contradictory, plus a broken 'Expires' string).

Workaround:
Put the 'Path' attribute before the 'Expires' attribute.

Fix:
The 'Expires' attribute is now properly parsed.
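To make the attribute-order problem concrete, here is an added example (not F5 code) that parses Set-Cookie attributes by splitting only on ';', so an 'Expires' value with its embedded comma and spaces survives, rewrites 'Path' exactly once, and lints a header for the two symptoms named above (duplicated attributes, unparseable 'Expires'). The sample headers are constructed.

```python
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

Attr = Tuple[str, Optional[str]]


def parse_set_cookie(header: str) -> Tuple[str, str, List[Attr]]:
    """Split a Set-Cookie header value into (name, value, [(attr, value), ...]).

    Attributes are separated by ';' only (RFC 6265).  An 'Expires' value such as
    "Wed, 21 Oct 2015 07:28:00 GMT" contains a comma and spaces, so splitting
    on ',' or whitespace (as a generic header-list parser would) corrupts it.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: List[Attr] = []
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs.append((key.strip(), val.strip() if sep else None))
    return name.strip(), value.strip(), attrs


def rewrite_path(header: str, new_path: str) -> str:
    """Return the header with 'Path' replaced (or appended once); all other attributes untouched."""
    name, value, attrs = parse_set_cookie(header)
    out: List[Attr] = []
    replaced = False
    for key, val in attrs:
        if key.lower() == "path":
            if not replaced:          # keep exactly one Path attribute
                out.append(("Path", new_path))
                replaced = True
        else:
            out.append((key, val))
    if not replaced:
        out.append(("Path", new_path))
    rendered = [f"{name}={value}"] + [k if v is None else f"{k}={v}" for k, v in out]
    return "; ".join(rendered)


def lint_set_cookie(header: str) -> List[str]:
    """Flag duplicated attributes and an 'Expires' date that no longer parses."""
    problems: List[str] = []
    _, _, attrs = parse_set_cookie(header)
    seen = {}
    for key, val in attrs:
        lower = key.lower()
        seen[lower] = seen.get(lower, 0) + 1
        if lower == "expires":
            try:
                if val is None:
                    raise ValueError("empty")
                parsedate_to_datetime(val)
            except (TypeError, ValueError):   # TypeError on older Pythons, ValueError on 3.10+
                problems.append(f"unparseable Expires: {val!r}")
    for key, count in seen.items():
        if count > 1:
            problems.append(f"attribute {key!r} appears {count} times")
    return problems


# Constructed samples: a well-formed header and one showing the reported symptoms.
GOOD_HEADER = "id=1; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/; HttpOnly"
BROKEN_HEADER = "id=1; Expires=Wed; Path=/; Path=/app"

if __name__ == "__main__":
    print(rewrite_path(GOOD_HEADER, "/app"))
    print(lint_set_cookie(BROKEN_HEADER))
```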


518260-1 : Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message

Component: Access Policy Manager

Symptoms:
The NTLMSSP_TARGET_INFO flag is not set on the NTLMSSP_CHALLENGE message generated by ECA, although the Target Info attribute itself is included. Certain NTLM clients may ignore the Target Info attribute because of this and fall back to NTLMv1 authentication. With the default Active Directory configuration this is not an issue. However, if the customer has specifically required NTLMv2 in their policy, authentication never succeeds because of the protocol mismatch.

Conditions:
Customer has specifically required NTLMv2 and denied NTLMv1 in their Active Directory policy.

Impact:
Users cannot authenticate.

Workaround:

Fix:
NTLM clients that depend on the NTLMSSP_TARGET_INFO flag can now complete NTLM authentication using the NTLMv2 protocol.
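As an added illustration of the inconsistency described above (this is not F5 code), the following builds and parses an NTLMSSP CHALLENGE_MESSAGE per the MS-NLMP layout and audits whether the NTLMSSP_NEGOTIATE_TARGET_INFO flag agrees with the presence of a TargetInfo payload. The message contents (target name, AV pairs, server challenge) are constructed samples.

```python
import struct
from typing import Dict, List, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2

# NegotiateFlags bits from MS-NLMP section 2.2.2.5
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000   # the flag this report is about

# AV_PAIR ids from MS-NLMP section 2.2.2.1
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2

# CHALLENGE_MESSAGE fixed part (no Version field): Signature, MessageType,
# TargetNameFields (Len, MaxLen, Offset), NegotiateFlags, ServerChallenge,
# Reserved, TargetInfoFields (Len, MaxLen, Offset) = 48 bytes, little-endian.
HEADER = struct.Struct("<8sIHHII8s8sHHI")


def encode_av_pairs(pairs: List[Tuple[int, str]]) -> bytes:
    """Encode [(av_id, text)] as an AV_PAIR list terminated by MsvAvEOL."""
    out = bytearray()
    for av_id, text in pairs:
        value = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(value)) + value
    out += struct.pack("<HH", MSV_AV_EOL, 0)
    return bytes(out)


def build_challenge(flags: int, target_name: str, av_pairs: List[Tuple[int, str]],
                    server_challenge: bytes = b"\x01" * 8) -> bytes:
    """Build a CHALLENGE_MESSAGE; payload offsets are absolute from message start."""
    name = target_name.encode("utf-16-le")
    info = encode_av_pairs(av_pairs) if av_pairs else b""
    name_off = HEADER.size
    info_off = name_off + len(name)
    header = HEADER.pack(NTLMSSP_SIGNATURE, CHALLENGE_MESSAGE, len(name), len(name), name_off,
                         flags, server_challenge, b"\x00" * 8, len(info), len(info), info_off)
    return header + name + info


def parse_challenge(msg: bytes) -> Dict:
    """Parse the fixed header and walk the TargetInfo AV_PAIR list."""
    (sig, mtype, name_len, _, name_off, flags, _chal, _res,
     info_len, _, info_off) = HEADER.unpack_from(msg)
    if sig != NTLMSSP_SIGNATURE or mtype != CHALLENGE_MESSAGE:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    pairs: List[Tuple[int, str]] = []
    pos = info_off
    while info_len and pos + 4 <= info_off + info_len:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        pairs.append((av_id, msg[pos:pos + av_len].decode("utf-16-le")))
        pos += av_len
    return {"flags": flags,
            "target_name": msg[name_off:name_off + name_len].decode("utf-16-le"),
            "target_info_len": info_len,
            "av_pairs": pairs}


def audit_challenge(msg: bytes) -> List[str]:
    """Report flag/payload disagreements that can push a client toward NTLMv1."""
    parsed = parse_challenge(msg)
    findings: List[str] = []
    has_flag = bool(parsed["flags"] & NTLMSSP_NEGOTIATE_TARGET_INFO)
    if parsed["target_info_len"] and not has_flag:
        findings.append("TargetInfo present but NTLMSSP_NEGOTIATE_TARGET_INFO not set; "
                        "clients may ignore TargetInfo and fall back to NTLMv1")
    if has_flag and not parsed["target_info_len"]:
        findings.append("NTLMSSP_NEGOTIATE_TARGET_INFO set but TargetInfo is empty")
    return findings


# Constructed samples: identical content, once without the flag and once with it.
BASE_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
              | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_SERVER)
SAMPLE_AV_PAIRS = [(MSV_AV_NB_COMPUTER_NAME, "SRV01"), (MSV_AV_NB_DOMAIN_NAME, "CORP")]
BROKEN_CHALLENGE = build_challenge(BASE_FLAGS, "SRV01", SAMPLE_AV_PAIRS)
FIXED_CHALLENGE = build_challenge(BASE_FLAGS | NTLMSSP_NEGOTIATE_TARGET_INFO, "SRV01", SAMPLE_AV_PAIRS)

if __name__ == "__main__":
    print(audit_challenge(BROKEN_CHALLENGE))   # one finding
    print(audit_challenge(FIXED_CHALLENGE))    # []
```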


518201-1 : ASM policy creation fails with "ASMConfig exception ... Policy ... already exists" after upgrade

Component: Application Security Manager

Symptoms:
Policy creation fails like this:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------
The same happens if the policy is created by any other means (GUI, etc.).

Conditions:
ASM is provisioned. Upgrade to 11.6.x.

Impact:
ASM policies cannot be created.

Workaround:
Apply the following workaround as the root user from the CLI of the affected BIG-IP. Execute the exact commands (spaces are significant!!!); copy and paste them into the CLI:
---------------------------------------
# mount -o remount,rw /usr
# cp /usr/share/ts/config/default_rows_config.yaml /usr/share/ts/config/default_rows_config.yaml.orig
# perl -pi -e 's/PL_SESSION_AWARENESS_VIOLATIONS_DEFAULTS\n/PL_SESSION_AWARENESS_VIOLATIONS_DEFAULTS\n insert_ignore: 1\n/m' /usr/share/ts/config/default_rows_config.yaml
# mount -o remount,ro /usr
---------------------------------------
Validate the workaround by diffing the updated file (.yaml) against the original file (.yaml.orig):
---------------------------------------
# diff /usr/share/ts/config/default_rows_config.yaml /usr/share/ts/config/default_rows_config.yaml.orig
45d44
< insert_ignore: 1
---------------------------------------
Make sure that the diff is exactly "< insert_ignore: 1" (spaces are significant!!!).

Fix:
ASM policy creation no longer fails after upgrade.


518039-1 : BIG-IQ iApp statistics corrected for partition use cases

Component: TMOS

Symptoms:
When the f5.http iApp is deployed in a partition, the icall script fails to get stats because it assumes the application is in /Common.

Conditions:
iApps are running in an administrative partition.

Impact:
BIG-IQ customers fail to get statistics from iApps running on BIG-IP.

Workaround:

Fix:
Certain iApps deployed by BIG-IQ now provide statistics.


518020-11 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
An improperly formatted HTTP request passing through the BIG-IP system may cause the connection to hang and eventually time out.

Conditions:
If the HTTP version token in the request is improperly crafted, the BIG-IP system ends up treating the request as HTTP 0.9. Any data after the first CRLF is therefore held back by the BIG-IP system because of pipeline handling, and is not passed to the backend server. If the backend server is Apache or IIS, the same improperly crafted request line causes the request to be treated as HTTP 1.1, and both servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend servers time out the connection a few seconds later. F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel, for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations:
1) An iRule that drops the connection after a specified amount of idle time.
2) An iRule that validates the request line and fixes it.
3) Tuning of profile timeouts.
4) ASM prevents this issue.

Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.
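The core of the problem above is a request line whose version token is neither a valid HTTP/1.x token nor a genuine HTTP/0.9 simple request. As an added example (not F5 code and not an iRule), this Python classifier applies the strict RFC 7230 request-line grammar and, unlike the shipped fix, treats a malformed version token as a rejection rather than forwarding it; the requests below are constructed samples.

```python
import re
from typing import Dict, Tuple

# RFC 7230 section 3.1.1:
#   request-line = method SP request-target SP HTTP-version CRLF
#   HTTP-version = "HTTP/" DIGIT "." DIGIT
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
REQUEST_LINE_RE = re.compile(
    rf"^(?P<method>{TCHAR}+) (?P<target>\S+) HTTP/(?P<major>\d)\.(?P<minor>\d)$"
)
# RFC 1945 HTTP/0.9 "Simple-Request": "GET" SP Request-URI CRLF, no version at all.
SIMPLE_REQUEST_RE = re.compile(r"^GET \S+$")


def classify_request_line(line: str) -> str:
    """Return 'http/<major>.<minor>', 'http/0.9', or 'malformed'."""
    if line.endswith("\r\n"):
        line = line[:-2]
    elif line.endswith("\n"):
        line = line[:-1]
    match = REQUEST_LINE_RE.match(line)
    if match:
        return f"http/{match.group('major')}.{match.group('minor')}"
    if SIMPLE_REQUEST_RE.match(line):
        return "http/0.9"
    # Anything else (e.g. "HTTP/1.x", "HTTP/1.10", "HTTP/1") is not a version
    # token and must not be silently downgraded to 0.9.
    return "malformed"


def split_request(raw: bytes) -> Tuple[str, bytes]:
    """Return (request line as text, everything after the first CRLF)."""
    head, _, rest = raw.partition(b"\r\n")
    return head.decode("latin-1"), rest


def triage_request(raw: bytes) -> Dict:
    """Decide what to do with a raw request based solely on its request line."""
    line, rest = split_request(raw)
    kind = classify_request_line(line)
    if kind == "malformed":
        action = "reject"        # strict: never guess a version for the backend
    else:
        action = "forward"       # both 1.x and true 0.9 are well-defined
    return {
        "request_line": line,
        "kind": kind,
        "action": action,
        # Bytes that the old 0.9 handling would have held back from the backend.
        "bytes_after_line": len(rest),
    }


# Constructed samples.
VALID_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD_VERSION_REQUEST = b"GET /index.html HTTP/1.x\r\nHost: example.test\r\n\r\n"
SIMPLE_REQUEST = b"GET /index.html\r\n"

if __name__ == "__main__":
    for sample in (VALID_REQUEST, BAD_VERSION_REQUEST, SIMPLE_REQUEST):
        print(triage_request(sample))
```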


517988-2 : TMM may crash if access profile is updated while connections are active

Component: Access Policy Manager

Symptoms:
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.

Conditions:
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.

Impact:
TMM may crash. Connections may be interrupted. Access sessions are lost.

Workaround:
(These are untested.)
Without HA: (1) disable the virtual servers using the access profile, (2) delete any active connections on the virtual servers, (3) update the access profile, and (4) enable the virtual servers.
With HA: (1) update the access profile on the standby, (2) fail over to the standby, and (3) sync the configuration.

Fix:
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.


517872-1 : Include proxy hostname in logs in case of name resolution failure

Component: Access Policy Manager

Symptoms:
It is hard to troubleshoot proxy name resolution failures.

Conditions:
Troubleshooting is required in proxy name resolution area.

Impact:
Network engineers have difficulty identifying the root cause.

Workaround:

Fix:
The proxy hostname is now written to the log file when resolution fails.


517790-1 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped

Component: Local Traffic Manager

Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.) If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.

Conditions:
Non-HTTP data sent to the server-side not belonging to a response.

Impact:
Banner protocols, where the server responds before seeing any data, will not pass through the Transparent HTTP proxy. Non-HTTP protocols that start with a pseudo-HTTP response followed by extra data will have the connection rejected when the extra data is seen.

Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.

Fix:
The passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.


517580-3 : OPT-0015 on 10000-series appliance may cause bcm56xxd restarts

Component: TMOS

Symptoms:
Changing configuration (enable/disable/auto-negotiation) on copper SFPs on 10000-series appliance might cause an internal bus to hang. Symptoms are bcm56xxd process restarts, and the interfaces may show as unknown.

Conditions:
Only copper SFPs OPT-0015 on 10000-series appliances exhibit this problem.

Impact:
The bcm56xxd process restarts, and the interfaces may show as unknown.

Workaround:
To work around this issue, follow these steps:
1) Force the system offline.
2) Reboot the system.
3) Release the system's offline status.

Fix:
The bcm56xxd daemon detects a bus problem and resets the bus to recover communications with SFP transceivers.


517564-1 : APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP APM 11.6.0, there is a new feature called LDAP Group Resource Assign agent. The agent relies on a group list that is retrieved at AAA > LDAP Server > Groups configuration page. AAA LDAP Server fails to update the group list when the backend LDAP server is configured to use a port other than 389 (the default port).

Conditions:
Backend LDAP server is configured to use a non-default port (a port other than 389). LDAP Group Resource Assign agent is added to an Access Policy.

Impact:
It is impossible to update group list from LDAP server. LDAP Group Resource Assign agent does not provide a list of LDAP groups for easy configuration.

Workaround:

Fix:
LDAP groups can now be retrieved from an LDAP server that uses a non-default port (a port other than 389).


517556-3 : DNSSEC unsigned referral response is improperly formatted

Component: Local Traffic Manager

Symptoms:
When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. The type bitmap should contain the NS type.

Conditions:
DNSSEC processing an unsigned referral response from a DNS server.

Impact:
DNSSEC referral response is not RFC compliant.

Workaround:
None.

Fix:
The NS type is now added to the NSEC3 type bitmap, so that the DNSSEC unsigned referral response is properly formatted.
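The type bitmap at issue is the RFC 4034 section 4.1.2 window-block encoding that NSEC3 reuses (RFC 5155 section 3.2.1). As an added example, not F5 code, the following encodes and decodes that bitmap and checks an NSEC3 covering an unsigned delegation the way a validator would (NS set; DS and SOA clear, per RFC 5155 section 8.9), which goes slightly beyond the NS-only check the fix describes. Type values below are the IANA numbers; the bitmaps are constructed.

```python
from typing import Dict, List

TYPE_NS, TYPE_SOA, TYPE_DS, TYPE_RRSIG, TYPE_NSEC3 = 2, 6, 43, 46, 50


def encode_type_bitmap(types: List[int]) -> bytes:
    """Encode RR type numbers as RFC 4034 window blocks: window(1) len(1) bitmap(len).

    Bits are numbered from the high-order bit of each octet; windows with no
    types set are omitted and trailing zero octets of a bitmap are trimmed.
    """
    windows: Dict[int, bytearray] = {}
    for t in types:
        window, index = t >> 8, t & 0xFF
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[index // 8] |= 0x80 >> (index % 8)
    out = bytearray()
    for window in sorted(windows):
        bitmap = windows[window].rstrip(b"\x00")
        if bitmap:
            out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> List[int]:
    """Decode window blocks back to a sorted list of RR type numbers; reject malformed input."""
    types: List[int] = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32 or pos + length > len(data):
            raise ValueError("invalid bitmap length")
        bitmap = data[pos:pos + length]
        pos += length
        for i, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append((window << 8) | (i * 8 + bit))
    return types


def referral_bitmap_problems(bitmap: bytes) -> List[str]:
    """Check an NSEC3 type bitmap from an unsigned (insecure) referral."""
    types = decode_type_bitmap(bitmap)
    problems: List[str] = []
    if not types:
        problems.append("empty type bitmap")
    if TYPE_NS not in types:
        problems.append("NS type missing")          # the defect this report describes
    if TYPE_DS in types:
        problems.append("DS present in an unsigned referral")
    if TYPE_SOA in types:
        problems.append("SOA present: bitmap describes the zone apex, not a delegation")
    return problems


# Constructed samples: the empty bitmap the bug produced, and a correct one.
EMPTY_BITMAP = b""
CORRECT_REFERRAL_BITMAP = encode_type_bitmap([TYPE_NS])

if __name__ == "__main__":
    print(referral_bitmap_problems(EMPTY_BITMAP))
    print(CORRECT_REFERRAL_BITMAP.hex(), referral_bitmap_problems(CORRECT_REFERRAL_BITMAP))
```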


517441-5 : apd may crash when RADIUS accounting message is greater than 2K

Component: Access Policy Manager

Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are a lot of attributes with total size greater than 2K, apd may crash.

Conditions:
The RADIUS Acct agent is configured, and the access policy (AP) sends a RADIUS Acct request with numerous attributes.

Impact:
The service becomes unavailable while the apd process restarts.

Workaround:

Fix:
The maximum size of a RADIUS packet is now set to 4K (RFC 2865). If the total size of the attributes is greater than 4K, the packet is truncated to 4K.


517178-2 : BIG-IP as SAML Service Provider cannot process some messages from simplesamlphp under certain conditions

Component: TMOS

Symptoms:
When the BIG-IP system is used as Service Provider with simplesamlphp as Identity Provider, processing of signed artifact response messages from the IdP may fail with the following error: "Digest of SignedInfo mismatch".

Conditions:
- BIG-IP is configured as SP.
- Artifact binding is used for SSO.
- The artifact response message from the IdP is signed.

Impact:
User SSO may not work.

Workaround:
Use POST binding instead of Artifact.

Fix:
Fixed exclusive (exc-c14n) XML canonicalization so that it no longer produces output with missing namespaces.


517083-1 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching. As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with Virtual Servers that were originally specified on a pre-folder-aware version of BIG-IP, such as 10.2.x. When they are discovered by a folder-aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool. This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


516839-3 : Add client type detection for Microsoft Edge browser

Component: Access Policy Manager

Symptoms:
Microsoft Edge browser cannot be detected by Client Type action item agent in access policy.

Conditions:
Microsoft Edge browser, Client Type action item agent in access policy on BIG-IP APM.

Impact:
Microsoft Edge browser is not detected by Client Type action item and the webtop might not display properly or might display resources that are not supported.

Workaround:

Fix:
Improvement: Microsoft Edge browser is now detected properly, and only supported resources are shown on the webtop. Components that require ActiveX are not supported.


516685-2 : ZoneRunner might fail to load valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.
Workaround 2:
1. Freeze zones, stop zrd.
2. Copy the zone file from the donor GTM to the new GTM.
3. Check and adjust the ownership (chown) of the zone file.
4. Start zrd, thaw zones.
5. Restart named.

Fix:
ZoneRunner now successfully loads zone files that contain $TTL directives, blank lines, comment-only lines, or some combination of the above.


516680-2 : ZoneRunner might fail when loading valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.
Workaround 2:
1. Freeze zones, stop zrd.
2. Copy the zone file from the donor GTM to the new GTM.
3. Check and adjust the ownership (chown) of the zone file.
4. Start zrd, thaw zones.
5. Restart named.

Fix:
ZoneRunner will no longer crash when parsing zone files containing $TTL directives, blank lines, comment-only lines, or some combination of the above.


516669-1 : Rarely occurring SOD core causes failover.

Component: TMOS

Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.

Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.

Workaround:
None.

Fix:
Errors in handling memory have been fixed to prevent allocation failure.


516618-5 : CVE-2013-7424

Component: TMOS

Symptoms:
CVE-2013-7424 : An invalid free flaw was found in glibc's getaddrinfo() function when used with the AI_IDN flag.

Conditions:
Using getaddrinfo() with the AI_IDN flag can result in a bogus call to free() which glibc detects and possibly crashes the calling program.

Impact:
This is a low-impact vulnerability, since BIG-IP usage is limited to utilities that require local shell access.

Workaround:

Fix:
Updated glibc with upstream fix for this issue.


516598-1 : Multiple TCP keepalive timers for same Fast L4 flow

Component: Local Traffic Manager

Symptoms:
Multiple TCP keepalive timers for same Fast L4 flow.

Conditions:
Fast L4 profile with TCP Keepalive option enabled.

Impact:
TMM core.

Workaround:
Disable TCP Keepalive option from the Fast L4 profile.

Fix:
Multiple TCP keepalive timers are no longer started for the same FastL4 flow.


516522-1 : After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty

Component: Application Security Manager

Symptoms:
After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty.

Conditions:
1) ASM is provisioned and a redirect URL is configured on any pre-11.4.x version.
2) Upgrade to 11.4.x (or later).

Impact:
After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty.

Workaround:
N/A

Fix:
The configured redirect URL location is now preserved after upgrade from any pre-11.4.x to 11.4.x (or later).


516462-2 : Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines

Component: Access Policy Manager

Symptoms:
Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines.

Conditions:
A client Windows machine roams between different networks (Wi-Fi or Ethernet) while split tunneling is configured on the BIG-IP system.

Impact:
Excluded address space routes are not applied.

Workaround:

Fix:
The cause of this issue has been fixed; excluded address space routes are now applied correctly even when a client machine roams between different networks.


516320-2 : TMM may have a CPU spike if match cross persist is used.

Component: Local Traffic Manager

Symptoms:
TMM may have a CPU spike. A few (very few) connections may fail.

Conditions:
1) Match across persistence is used.
2) A long idle timeout makes the symptom worse.
3) Persist HA makes the symptom worse.

Impact:
TMM may have a CPU spike. A few (very few) connections may fail.

Workaround:
Avoid using match across persist.

Fix:
Match across persistence no longer causes CPU spike.


516057-3 : Assertion 'valid proxy' can occur after a configuration change with active IVS flows.

Component: Service Provider

Symptoms:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, TMM can assert 'valid proxy' and crash. If there are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.

Conditions:
1. Active flows exist on an internal virtual server (IVS). This is necessary to trigger the assertion.
2. A configuration update or sync affecting that IVS is in progress.
3. A new connection is initiated to that IVS during the update.

Impact:
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.

Workaround:
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.

Fix:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.


515943-2 : "Session variables" report may show empty if session variable value contains non-English characters

Component: Access Policy Manager

Symptoms:
"Session variables" report may show empty if session variable value contains non-English characters

Conditions:
For active sessions only.

Impact:
User cannot see the Session Variable information for active session.

Workaround:
Use English characters for network configuration values such as host names and user names.

Fix:
"Session variables" report shows correct information for any language characters.


515817-2 : TMM may not reset connection when receiving an ICMP error

Component: Local Traffic Manager

Symptoms:
The connection is not reset after receiving an ICMP error.

Conditions:
TMM receives an ICMP error after sending a TCP SYN on a FastL4 virtual server.

Impact:
Delayed shutdown of the connection.

Workaround:

Fix:
TMM now resets FastL4 connections when receiving an ICMP error in response to a TCP SYN.


515797-1 : Using qos_score command in RULE_INIT event causes TMM crash

Component: Global Traffic Manager

Symptoms:
TMM crashes when the iRule with qos_score command in RULE_INIT event is added to a wide IP.

Conditions:
Configured iRule with qos_score command in RULE_INIT event that is added to a wide IP.

Impact:
TMM crashes.

Workaround:
Mitigation: Do not use the qos_score command in the RULE_INIT event.

Fix:
The qos_score command is now disallowed in the RULE_INIT event.


515667-4 : Unique truncated SNMP OIDs.

Component: TMOS

Symptoms:
When the BIG-IP system truncates an SNMP OID to stay within the OID maximum length limit of 128, the truncated OID is not always consistent or unique.

Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String-type index attributes with value lengths approaching or exceeding 128 characters expose this truncation issue.

Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.

Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.

Fix:
Truncated OIDs are now appended with a unique check-sum value that remains unchanged from one query to the next.


515646-1 : TMM core when multiple PPTP calls from the same client

Component: Carrier-Grade NAT

Symptoms:
TMM can core when multiple PPTP calls arrive from the same client.

Conditions:
PPTP ALG virtual server with CGNAT.

Impact:
TMM crash.

Workaround:

Fix:
TMM no longer cores when multiple PPTP calls arrive from the same client.


515345-1 : NTP Vulnerability

Component: TMOS

Symptoms:
BIG-IP is NOT VULNERABLE with the DEFAULT configuration. BIG-IP versions can become VULNERABLE with a NON-DEFAULT configuration. A customer would be exposed to this vulnerability if the system was manually configured in line with the requirements in the advisory.

Conditions:
All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2, where the installation uses symmetric keys to authenticate remote associations.

Impact:
An attacker may be able to inject network packets without knowledge of the symmetric key.

Workaround:
N/A

Fix:
Applied patches from ntp.org's 4.2.8p2.


515322-1 : Limit the number of extra callbacks scheduled from inside the cache resolver

Component: Local Traffic Manager

Symptoms:
A cache configuration is removed.

Conditions:
When a cache configuration is "removed" there are conditions where a refcount is not properly managed that would lead to memory being deleted before the last user is done with it.

Impact:
TMM core

Workaround:
N/A

Fix:
The special cache release hudevent is now scheduled for all cache completion callbacks.


515112-1 : Delayed ehash initialization causes crash when memory is fragmented.

Component: Advanced Firewall Manager

Symptoms:
When first using a new feature (fpm, firewall) under memory fragmentation conditions, if the feature uses an ehash table, TMM may crash.

Conditions:
Severe memory fragmentation, where contiguous allocations are not satisfied, combined with initial use of a new feature.

Impact:
TMM crashes.

Workaround:
Utilize all features shortly after TMM comes up, so all initial allocations are performed.

Fix:
Certain allocations are no longer delayed. Delayed allocations which fail retry with smaller sizes, possibly reducing performance.


515072-4 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased

Component: Local Traffic Manager

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.

Fix:
A pool member is now made eligible for load balancing again if it is no longer connection limited after its connection limit is modified.


515033 : [ZRD] A memory leak in zrd

Component: Global Traffic Manager

Symptoms:
zrd leaks memory when updating wide IP aliases.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh, there is a small memory leak in zrd. Although this memory leak is small for any one change, it could be noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias create/update operations.

Workaround:
If the zrd memory usage is negatively impacting system performance, you can restart zrd and clear out the memory usage by running the command: bigstart restart zrd.

Fix:
zrd no longer leaks memory when updating wide IP aliases.


515030-1 : [ZRD] A memory leak in Zrd

Component: Global Traffic Manager

Symptoms:
zrd leaks memory when performing multiple wide IP alias updates.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh there is a small memory leak in zrd. This memory leak is not significant for any one change, but it might become noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias updates.

Workaround:
Although there is no workaround, you can mitigate potential system performance impacts by restarting zrd, which clears out the memory usage. To do so, run the command: bigstart restart zrd.

Fix:
zrd no longer leaks memory when performing multiple wide IP alias updates.


514912-3 : Portal Access scripts had not been inserted into HTML page in some cases

Component: Access Policy Manager

Symptoms:
If an HTML page contains forms with absolute action paths, Portal Access scripts must be inserted into this page. But if there were no other reasons to include them, these scripts were not included.

Conditions:
An HTML page that contains a form with an absolute action path, for instance: <form action="/cgi-bin/a.gci"></form>

Impact:
The form cannot be submitted because the browser raises a JavaScript error.

Workaround:
It is possible to use an iRule to insert Portal Access scripts into the rewritten HTML page.

Fix:
Portal Access scripts are now inserted into the HTML page if it contains forms with absolute action paths.


514726-4 : Server-side DSR tunnel flow never expires

Component: TMOS

Symptoms:
TMM cores and memory exhaustion using Direct Server Return (DSR). DSR establishes a one-way tunnel between the BIG-IP system and the back-end servers using the clients' IP addresses as the tunnel local-address on the BIG-IP system. These flows never expire.

Conditions:
BIG-IP virtual servers using DSR tunnels to send client traffic to the server.

Impact:
Server-side DSR tunnel flow never expires. Because the DSR tunnels use client's IP address as the tunnel local-address and the server's IP address as the tunnel remote-address, a single DSR setup might introduce as many tunnels as the clients' requests. When these tunnels do not expire, the BIG-IP system memory resource might be used up eventually, causing TMM cores.

Workaround:
None.

Fix:
Individual DSR tunnels are removed after the corresponding client's user flows expire.


514724-1 : crypto-failsafe fail condition not cleared when crypto device restored

Component: TMOS

Symptoms:
If a crypto device fails, the crypto-failsafe fail condition will not be cleared when the crypto device is restored.

Conditions:
This issue affects systems with failed crypto devices that are restored.

Impact:
In an HA pair, the failing unit will fail over, but it will always stay down.

Workaround:
To restore the crypto-failsafe HA fail status, restart tmm by issuing a 'bigstart restart tmm'. Note that on a VIPRION system, this command must be run on the appropriate blade.

Fix:
The crypto-failsafe HA status no longer remains in the fail state after the crypto device is restored.


514246-3 : connflow_precise_check_begin does not check for NULL

Component: Local Traffic Manager

Symptoms:
connflow_precise_check_begin does not check its parameters for NULL, while hudproxy calls connflow_precise_check_begin with NULL in many places.

Conditions:
Connection Rate Limit is configured.

Impact:
This leads to a NULL pointer dereference and a subsequent tmm crash.

Workaround:
N/A

Fix:
The NULL pointer dereference in connflow_precise_check_begin has been fixed.


514236-1 : [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses

Component: Global Traffic Manager (DNS)

Symptoms:
IP addresses associated with a BIG-IP DNS server object may not be viewable from the Configuration utility.

Conditions:
This issue occurs when all of the following conditions are met:
-- You use the Configuration utility to create a BIG-IP DNS server object with one or more IP addresses.
-- You then use the Configuration utility to add one or more IP addresses to a BIG-IP DNS server object.
-- You use the Traffic Management Shell (tmsh) to add one or more additional IP addresses to the BIG-IP GTM server object.
-- From the Configuration utility, you navigate to DNS :: GSLB :: Servers :: [BIG-IP DNS Server Name] and then view the BIG-IP DNS server object IP addresses in the Address List box.

Impact:
Only the BIG-IP GTM server object IP addresses that are added from the tmsh utility display in the Configuration utility. After tmsh modifies the BIG-IP DNS server by adding another IP address, the GUI fails to show those IP addresses previously added using the GUI.

Workaround:
Use tmsh to create and modify IP addresses on BIG-IP DNS servers, or use only the Configuration utility or only the tmsh utility (never both) to create and modify BIG-IP GTM server object IP addresses.

Fix:
GUI now adds the partition prefix to device-name for BIG-IP DNS Server IP addresses, so IP addresses associated with a BIG-IP DNS server object are now viewable from the Configuration utility.


514220-1 : New iOS-based VPN client may fail to create IPv6 VPN tunnels

Component: Access Policy Manager

Symptoms:
The newer iOS-based VPN client does not provide a MAC address during IPCP negotiation. This prevents the IPv6 VPN tunnel from being established.

Conditions:
It affects only iOS-based IPv6 VPN connection requests.

Impact:
This impacts only IPv6 VPN tunnel requests from iOS-based devices.

Workaround:
None.

Fix:
Newer iOS-based VPN clients can successfully create IPv6 VPN tunnels.


514117-1 : Store source port higher than 32767 in Request Log record

Component: Application Security Manager

Symptoms:
Any Request Log record for a request with a source port higher than 32767 has the source port recorded as 32767.

Conditions:
The Request Log record gets the wrong source port when the request's source port value is higher than 32767.

Impact:
The Request Log record has the wrong source port if the source port value is higher than 32767.

Workaround:
There is no workaround.

Fix:
The Request log record now gets the correct source port even when the source port value of the request is higher than 32767.


514108-1 : TSO packet initialization failure due to out-of-memory condition.

Component: Local Traffic Manager

Symptoms:
TCP Segmentation Offload (TSO) packet initialization failure due to out-of-memory condition with the message: packet is locked by a driver.

Conditions:
Requires a specific packet layout and memory allocation to fail in a specific place at a specific time.

Impact:
TMM posts the assert message: packet is locked by a driver.

Workaround:
None.

Fix:
TCP Segmentation Offload (TSO) packet is now cleared correctly with no packet-locked message.


513969-3 : UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running

Component: Access Policy Manager

Symptoms:
The UAC prompt is shown for the machine cert check for non-limited users, even if the Machine Cert Check service is running on the client Windows machine.

Conditions:
The current user is non-limited, the Machine Cert Check service is running, and the user tries to pass the Access Policy.

Impact:
The non-limited user has to click 'OK' in the UAC window.

Workaround:

Fix:
The Machine Certificate Check service is now used for certificate verification even for non-limited users.


513953-1 : RADIUS Auth/Acct might fail if server response size is more than 2K

Component: Access Policy Manager

Symptoms:
RADIUS authentication or accounting fails when a response from the backend server is bigger than 2048 bytes.

Conditions:
The response from the backend server is bigger than 2048 bytes.

Impact:
The RADIUS Auth/Acct agent fails.

Workaround:

Fix:
The RADIUS Auth and RADIUS Acct agents can now successfully parse packets of up to 4K, which is the maximum allowed RADIUS packet size. The BIG-IP system does not currently support RADIUS packet fragmentation.


513916-5 : String iStat rollup not consistent with multiple blades

Component: TMOS

Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.

Conditions:
The iStat must be of type string, and the chassis must have multiple blades.

Impact:
The value of the iStat after the merge differs on different blades.

Workaround:
Use clsh to write the string iStat value to all blades together.

Fix:
The rollup of strings is based on the timestamp of the last update, but this value was not preserved through the first level of merge, so the second-level merge done on each blade was arbitrary. The value is now preserved, so the iStat value across multiple blades is correct.


513860-1 : Incomplete support for special characters in input field names

Component: Fraud Protection Services

Symptoms:
When HTML input fields with special characters in their names were configured for data integrity, false positive alerts were sent.

Conditions:
HTML fields with special characters in their names.

Impact:
False positive automatic transaction (data integrity) alerts.

Workaround:
Do not configure data integrity checks on fields with special characters in the name.

Fix:
The encoding was fixed, and special characters are now supported.


513822-1 : ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page

Component: Application Security Manager

Symptoms:
When setting responseActionType to a value such as "default" or "soap-fault" that has an expected, unmodifiable related responseContent value, the expected responseContent is not set. As a result, an empty response page is returned when ASM blocks a request.

Conditions:
Via ASM REST a client changes the responseActionType from "custom" to "default" or "soap-fault".

Impact:
An empty response page is returned when ASM blocks a request.

Workaround:
The alternate response body can be set explicitly via REST.

Fix:
Expected responseContent is now set when changing responseActionType to a static content type like "default" or "soap-fault" using ASM REST.


513706-2 : Incorrect metric restoration on Network Access on disconnect (Windows)

Component: Access Policy Manager

Symptoms:
After Network Access disconnects, the metric of the default route differs from the metric it had before Network Access connected.

Conditions:
Using Network Access on Windows systems.

Impact:
A multi-homed environment might experience routing issues after disconnecting Network Access; for example, default traffic might go through Wi-Fi instead of the wired network.

Workaround:
Disable and enable the network adapter.

Fix:
Fixed an issue causing incorrect metric restoration on Network Access on disconnect.


513545-1 : '-decode' option produces an incorrect value when it decodes a single value

Component: Access Policy Manager

Symptoms:
When a session variable set by the AD/LDAP module is HEX-encoded, it is possible to decode it with the -decode option of the mcget command. The option works correctly when the session variable contains multiple values (such as | 0xABCD | 0xDCBA |), but it does not work properly with a single encoded value (such as 0xABCD).

Conditions:
The problem occurs under these conditions: the -decode option is specified when retrieving a HEX-encoded variable, and the session variable contains only one value.

Impact:
As a result, the access policy does not follow the expected branch rule.

Workaround:
While decoding a single value, the mcget command produces a result of the form EncodedValueDecodedValue, that is, the encoded value immediately followed by the decoded value. For example, for the encoded string 0x616161, the result of the operation is 616161aaa. It is possible to write a Tcl expression in the Variable Assign agent that strips the leading encoded portion of the string and leaves only the decoded value, aaa.

Fix:
The -decode option works as expected for single-value and multi-value session variables.


513464-1 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross-version interoperability and Virtual Server matching. As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with Virtual Servers that were originally specified on a pre-folder-aware version of BIG-IP, such as 10.2.x. When they are discovered by a folder-aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool. This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


513454-3 : An snmpwalk with a large configuration can take too long

Component: TMOS

Symptoms:
The snmpwalk fails, and the mcpd daemon might be restarted.

Conditions:
The configuration must be large enough that the number of configured items covered by the snmpwalk is in the tens of thousands.

Impact:
Failure to read SNMP data, an mcpd restart, and temporary loss of service.

Workaround:
Spread the configuration across more BIG-IP systems, or avoid running snmpwalk.

Fix:
Internal query data is now cached to optimize statistics queries.


513382-1 : Resolution of multiple OpenSSL vulnerabilities

Component: TMOS

Symptoms:
Resolved multiple vulnerabilities in OpenSSL: CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288.

Conditions:
None.

Impact:
Update of OpenSSL to resolve multiple vulnerabilities.

Workaround:

Fix:
Resolved multiple vulnerabilities in OpenSSL: CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288.


513294-8 : LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances

Component: TMOS

Symptoms:
The following issues may be observed on BIG-IP 5000-/7000-series appliances:
1. When a system shuts down due to an over-temperature condition, the name of the sensor that triggered the shutdown does not display.
2. Unable to configure the AOM IP address using the DHCP menu option; the system responds with the message: Error: Failed to configure AOM management port.
3. TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.

Conditions:
BIG-IP 5000-/7000-series appliances with LBH firmware versions prior to v3.07 may experience each of the above issues under the following corresponding conditions:
1. Over temperature, thermal shutdown.
2. When trying to configure an IP address for AOM using the N - Configure AOM network option.
3. When the host is powered off using the AOM menu, the LBH detects an under-voltage condition for all non-standby voltage rails.

Impact:
The impacts of these issues are:
1. The user cannot determine which sensor triggered the thermal shutdown.
2. The AOM address cannot be configured using DHCP.
3. There is a single ltm log message indicating this critical alarm; however, the voltage reported in the log message is in the nominal range.

Workaround:
Corresponding workarounds include:
1. None.
2. None.
3. Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.

Fix:
With the LBH firmware v3.07 update, BIG-IP 5000-/7000-series appliances now work as expected.


513283-1 : Mac Edge Client doesn't send client data if access policy expired

Component: Access Policy Manager

Symptoms:
If an access policy expires (for example, if a user took too long to enter a password), the BIG-IP Edge Client displays a new page with the link "Start a New session". Clicking this link causes Edge Client for Mac to be detected as a browser by BIG-IP APM.

Conditions:
Edge Client for Mac; the access policy expires.

Impact:
Edge Client is detected as a browser.

Workaround:
Click the Disconnect button and then the Connect button in Edge Client.

Fix:
APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on access policy expired page.


513201-6 : Edge client is missing localization of some English text in Japanese locale

Component: Access Policy Manager

Symptoms:
Edge Client is missing localization of some English text in Japanese locale.

Conditions:
Edge Client in the Japanese locale.

Impact:
Edge Client shows some text in English.

Workaround:

Fix:
BIG-IP Edge Client is now correctly localized for the Japanese locale.


513098-1 : localdb_mysql_restore.sh failed with exit code

Component: Access Policy Manager

Symptoms:
In certain scenarios, deleting a dynamic user entry from memory does not clear the entry from the underlying table.

Conditions:
This might occur when a dynamic user record is marked for deletion but has not yet been removed when the dynamic user representing that record is re-authenticated.

Impact:
Over time, the table grows in size due to stale records.

Workaround:

Fix:
Orphaned dynamic user records are now correctly deleted.


512383-3 : Hardware flow stats are not consistently cleared during fastl4 flow teardown.

Component: Local Traffic Manager

Symptoms:
The PVA stat curr_pva_assist_conn is not being updated properly for certain Fast L4 flows.

Conditions:
1) Fast L4 virtual server.
2) PVA acceleration enabled.
This occurs when the connection flow is not created because UDP traffic arrives at an undefined port on the virtual server. The curr_pva_assist_conn value is incremented even though there are no active PVA flows. This can also occur when LTM receives ICMP unreachable messages from the server side.

Impact:
Stats counts for the Fast L4 virtual server, the curr_pva_assist_conn value and 'Current SYN Cache', show invalid counts. If hardware SYN cookie protection is on, SYN cookie protection may be activated when it should not be.

Workaround:
None.

Fix:
Stats counts for the Fast L4 virtual server, the curr_pva_assist_conn value and 'Current SYN Cache', now show the correct counts.


512345-2 : Dynamic user record removed from memcache but remains in MySQL

Component: Access Policy Manager

Symptoms:
When the system fetches a dynamic user record from MySQL and places the record into memcache, the record might remain there in an unmodified state for ten days.

Conditions:
This occurs when a dynamic user record is removed from memcache but remains in MySQL, due to an intermittent race condition between apmd/memcache and localdbmgr.

Impact:
A locked-out dynamic user remains in memcache for ten days. During this interval, the dynamic user record is unusable.

Workaround:
The administrator can remove the user by deleting the associated memcache record.

Fix:
Now APM handles the condition in which a dynamic user record is removed from memcache but remains in MySQL due to an intermittent race condition between apmd/memcache and localdbmgr.


512245-7 : Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname

Component: Access Policy Manager

Symptoms:
The machine certificate agent checker on the client might extract the wrong certificate based on LocalHostName if it is not the same as the hostname. The machine certificate agent checker might then fail.

Conditions:
BIG-IP APM with machine certificate agent.

Impact:
Machine certificate check might fail.

Workaround:

Fix:
The Machine Cert Auth agent now passes on OS X 10.8 and OS X 10.9.


512148-1 : Self IP address cannot be deleted when its VLAN is associated with static route

Component: Local Traffic Manager

Symptoms:
A self IP address cannot be deleted when its VLAN is associated with a static route.

Conditions:
The self IP address' VLAN is associated with a static route.

Impact:
Self IP address cannot be deleted.

Workaround:
Temporarily remove the static route entries, delete the self IP, and then add the static route entries again.

Fix:
A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa.


512062-2 : A db variable to disable verification of SCTP checksum when ingress packet checksum is zero

Component: Local Traffic Manager

Symptoms:
An SCTP INIT multi-homing message with checksum 0x00000000 is dropped by the BIG-IP system.

Conditions:
The SCTP packet's verification tag is 0x00000000 and its checksum is also 0x00000000.

Impact:
SCTP packets with verification tag 0x00000000 and checksum 0x00000000 are dropped.

Workaround:
N/A

Fix:
A db variable has been added to disable verification of the SCTP checksum when the ingress packet's checksum is zero. The default behavior is unchanged unless this db variable is enabled.


511854-4 : Rewriting URLs at client side does not rewrite multi-line URLs

Component: Access Policy Manager

Symptoms:
An exception is posted when rewriting multi-line URLs on the client side.

Conditions:
Using multi-line URLs in client-side JavaScript code.

Impact:
Web-application logic might not work as expected. The system might post a message similar to the following: Unable to get property '2' of undefined or null reference.

Workaround:
None.

Fix:
This release fixes client-side URL rewriting for multi-line URLs.


511196-1 : UMU memory is not released when remote logger can't reach its destination

Component: Application Security Manager

Symptoms:
UMU memory is reported in bd.log as being held although there is no traffic on the system.

Conditions:
The remote logger has an unreachable destination.

Impact:
Some memory is wasted and is not released for a long time.

Workaround:
Fix the remote logger configuration or the network issue.

Fix:
Fixed the slow release of UMU memory that occurred when the remote logger's destination was unreachable.


510979-1 : Password-less SSH access after tmsh load of UCS may require password after install.

Component: TMOS

Symptoms:
If an account such as admin has password-less SSH access, then after loading the UCS config, or after doing a live install and moving the config, SSH access for that account no longer works without a password.

Conditions:
The user's .ssh/authorized_keys file is owned by uid 0.

Impact:
Loading the UCS config with tmsh load sys ucs incorrectly replaces the uid ownership of /home/user_name/.ssh/authorized_keys, which prevents password-less SSH access.

Workaround:
Create a directory in /var/ssh for each user, move .ssh/authorized_keys there, and then link to the moved file from the ~/.ssh directory. In that case, the UCS load affects the link but not the linked file, so password-less SSH access is maintained.

Fix:
Password-less SSH access is now maintained after tmsh load (or install and move config) of UCS.


510921-1 : Database monitors do not support IPv6 nodes

Component: Local Traffic Manager

Symptoms:
Unable to monitor IPv6 nodes.

Conditions:
Pool configured with a DB monitor (MySQL, MSSQL, Oracle or Postgres) and IPv6 nodes.

Impact:
IPv6 nodes are reported down and do not receive traffic.

Workaround:

Fix:
Database monitors now support monitoring IPv6 nodes.


510837-2 : Server-initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers; BIG-IP sends a bad client key exchange.

Component: Local Traffic Manager

Symptoms:
When BIG-IP SSL acts as an SSL client and the ciphers used are ECDHE_ECDSA or DHE_DSS, it sends a bad client key exchange to the SSL server during server-initiated renegotiation.

Conditions:
BIG-IP acts as an SSL client and the ciphers used are ECDHE_ECDSA or DHE_DSS during server-initiated renegotiation.

Impact:
The SSL handshake fails. The SSL server may reset the SSL connection with an error such as 'digest check failed' or 'ssl handshake failed'.

Workaround:
Do not use the ECDHE_ECDSA or DHE_DSS ciphers.

Fix:
BIG-IP SSL now works correctly with the ECDHE_ECDSA and DHE_DSS ciphers during server-initiated renegotiation where BIG-IP acts as a client.


510720-1 : iRule table command resumption can clear the header buffer before the HTTP command completes.

Component: Local Traffic Manager

Symptoms:
iRule table command resumption can clear the header buffer before the HTTP command completes.

Conditions:
An HTTP request was processed with an iRule table command that resumed after parking.

Impact:
Results in a SIGABRT. The header names might intermittently be output incorrectly, reporting empty names and/or parts of the request line.

Workaround:
None.

Fix:
iRule resumption after halting now works correctly.


510709-1 : Websso start URI match fails if there are more than 2 start URIs in SSO configuration.

Component: Access Policy Manager

Symptoms:
If more than 2 start URIs are configured, start URI parsing does not work correctly. This results in no start URI match and websso failure.

Conditions:
The SSO error happens only if more than 2 start URIs are configured in the SSO configuration.

Impact:
SSO V1 (websso) fails for a configured start URI due to a start URI mismatch.

Workaround:
No workaround.

Fix:
Websso config start URI parsing was wrong when there were multiple lines in the start URI configuration. Websso start URI parsing is now fixed.


510638-1 : [DNS] Config change in dns cache resolver does not take effect until tmm restart

Component: Local Traffic Manager

Symptoms:
Config change in DNS cache resolver does not take effect until tmm restart.

Conditions:
Make changes to the LTM DNS cache resolver.

Impact:
Changes made to DNS cache resolver are not in effect until tmm restarts. For example, changes to the DNS cache resolver's parameters Max. Concurrent Queries and Allowed Query Time do not load into the system until tmm restarts.

Workaround:
Restart tmm after making changes, or create a new DNS cache profile.

Fix:
Config changes in the DNS cache resolver now take effect immediately and no longer require a tmm restart.


510459-1 : In some cases Access does not redirect client requests

Component: Access Policy Manager

Symptoms:
A client may receive the following error message upon request: "The requested file could not be found on the server. Please contact system administrator."

Conditions:
Client requests received by Access running on BIG-IP versions 11.4.0 to 11.6.0 may encounter this issue.

Impact:
The client request is not fulfilled and an error message is received.

Workaround:
None.

Fix:
Resolved an issue in which clients received a file-not-found message from Access due to an out-of-date White List entry in OPSWAT.


510226-2 : All descriptions for port-list members are flushed after the port-list is updated

Component: Advanced Firewall Manager

Symptoms:
The 'Description' for port-list entries created from tmsh gets deleted when the corresponding port-list object is updated from the GUI.

Conditions:
When a user updates a port-list object whose members have a description set, the description gets deleted.

Impact:
The user loses the description value set for the members.

Workaround:
Do not update the port-list entry from the GUI when its members have a 'description', or use tmsh to update the port list.

Fix:
Descriptions created for port list members from tmsh no longer get deleted when a user updates the port list object.


510224-2 : All descriptions for address-list members are flushed after the address-list is updated

Component: Advanced Firewall Manager

Symptoms:
The 'Description' for address-list entries created from tmsh gets deleted when the corresponding address-list object is updated from the GUI.

Conditions:
When a user updates an address-list object whose members have a description set, the description gets deleted.

Impact:
The user loses the description value set for the members.

Workaround:
Do not update the address-list entry from the GUI when its members have a 'description'.

Fix:
Descriptions created for address list members from tmsh no longer get deleted when a user updates the address list object.


510159-1 : Outgoing MAP tunnel statistics not updated

Component: TMOS

Symptoms:
Outgoing statistics for MAP tunnels are not shown in the 'tmsh show net tunnels' command output.

Conditions:
When sending bidirectional traffic over a MAP tunnel between a client and a server across the DUT.

Impact:
Only incoming traffic is shown in the 'tmsh show net tunnels' command output. This is a cosmetic error, and does not indicate incorrect functionality.

Workaround:

Fix:
Outgoing statistics for MAP tunnels are now included in the 'tmsh show net tunnels' command output.


510119-4 : HSB performance can be suboptimal when transmitting TSO packets.

Component: TMOS

Symptoms:
For heavily fragmented TSO packets, it is possible to populate a high percentage of the HSB's transmit ring.

Conditions:
This can happen when transmitting large fragmented TSO packets.

Impact:
Suboptimal behavior might be seen when transmitting large fragmented TSO packets. There is a rare chance it can lead to a full or stuck transmit ring.

Workaround:
Disable TSO.


509934-1 : Blob activation fails due to counter revision

Component: Advanced Firewall Manager

Symptoms:
Activation of the blob fails after loading config from a UCS file when the saved config has a policy with at least 1 rule and the running config has a policy (with the same name) without any rules.

Conditions:
The running config has a policy (say, policy name X) with no rules that is associated to a context. The saved config (UCS) has a different policy (with the same name X) with at least 1 rule. When loading the UCS (saved config), blob activation fails because TMM is unable to revise counters for the new container.

Impact:
Activation fails.

Workaround:
N/A

Fix:
Counter tracking has been corrected.


509919-2 : Customer may experience incorrect counter update for SelfIP traffic on cluster

Component: Advanced Firewall Manager

Symptoms:
SelfIP traffic is always handled on the primary blade of a cluster; if it is disaggregated to a non-primary blade, it is internally forwarded to the primary blade. Because of this, AFM was classifying this traffic twice (only on a cluster), causing incorrect AFM ACL/IPI counts.

Conditions:
SelfIP traffic is disaggregated to a non-primary blade on a cluster, and AFM is enabled.

Impact:
Incorrect AFM ACL/IPI rule counters due to internal forwarding of SelfIP traffic on a cluster from non-primary to primary blade causing AFM to match/classify these packets twice.

Workaround:
None.

Fix:
With the fix, self IP traffic on a cluster is counted correctly for AFM ACL/IPI matches.


509782-3 : TSO packets can be dropped with low MTU

Component: TMOS

Symptoms:
If an interface is configured with a low MTU, it is possible for the system to drop TSO packets. This can be observed looking at the tx_drop_tso_bigpkt stat in the tmm/hsb_internal_fsc table.

Conditions:
The interface is configured with a low MTU, usually 750 or lower. If TMM then attempts to use TSO for a packet, there is a chance this packet will be dropped.

Impact:
Large TSO packets are dropped.

Workaround:
Increase the MTU or disable TSO. If TSO is not disabled, three related fixes are needed to fully address the issue:
-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.
The Solutions are available here:
-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue:
-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.
The Solutions are available here:
-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


509722-1 : BWC traffic blocked

Component: Access Policy Manager

Symptoms:
BWC traffic is blocked when BWC is configured using percentages and the configuration is then modified.

Conditions:
Modifying configurations of BWC categories using percentages.

Impact:
BWC traffic is blocked.

Workaround:
The workaround is to configure BWC with bandwidth values rather than with percentages.

Fix:
The problem with modifying BWC configured percentages has been corrected.


509677-1 : Edge-client crashes after switching to network with Captive Portal auth

Component: Access Policy Manager

Symptoms:
When switching to a network with Captive Portal authentication, the Edge-client becomes unresponsive.

Conditions:
- The Captive Portal uses an https logon page.
- Network switching is done by unplugging the network cable from the NIC or by disconnecting from the wireless network (not by disabling the network interface).

Impact:
Edge-client crashes.

Workaround:
N/A

Fix:
Corrected an invalid pointer by updating the pointer name.


509600-1 : Global rule association to converted policy is lost on one device in HA configuration.

Component: Advanced Firewall Manager

Symptoms:
Global policy appears to no longer be enabled after a period of time.

Conditions:
Using global rules on HA configuration.

Impact:
Global rule associations to converted policies are lost on one device.

Workaround:
Manually add the rules back.

Fix:
Global rule associations to converted policies remain on both devices.


509504-5 : Excessive time to save/list a firewall rule-list configuration

Component: TMOS

Symptoms:
A configuration containing a large number of firewall rule-list::rules might take an excessively long time to save. Similarly, excessive times are seen for listing the firewall configuration.

Conditions:
A large number of AFM rules.

Impact:
A long time to save or list the configuration. While this issue was noticed for a firewall rule-list::rules configuration, the same issue might occur for deeply nested configurations.

Workaround:

Fix:
The save and list times for numerous firewall rules and deeply nested configurations (for example, firewall rule-list::rules) are significantly reduced.


509503-4 : tmsh load sys config merge file 'filename' takes significant time for firewall rule-list configuration

Component: TMOS

Symptoms:
For certain configurations containing deeply nested structures (for example, some firewall rule rule-list configurations), the tmsh load sys config merge operation requires excessive time.

Conditions:
Configurations containing deeply nested structures.

Impact:
The time for the merge operation is significantly more than the time needed for the load operation.

Workaround:
Customers affected by long load times when merging a configuration file into an existing one can instead append the configuration file manually to the respective bigip_base.conf or bigip.conf file.

Fix:
The performance of the tmsh load sys config merge operation has been optimized. With this optimization the merge operation takes only slightly longer than the load operation.


509490-2 : [IE10]: attachEvent does not work

Component: Access Policy Manager

Symptoms:
Websites are broken in Internet Explorer if they use postMessage to send objects. There could be errors in the JavaScript console.

Conditions:
A web application running in Internet Explorer 8, 9 or 10 through Portal Access that uses window.postMessage() and receives messages with a handler added through window.attachEvent().

Impact:
Web-Application cannot use Window.postMessage() to send data with Portal Access in Internet Explorer.

Workaround:
None.

Fix:
The 'onmessage' handler added with window.attachEvent() now correctly receives data sent through window.postMessage().


509273 : hostagentd consumes memory over time

Component: Centralized Management

Symptoms:
The hostagentd process on a vCMP host might consume more memory over time.

Conditions:
BIG-IP appliance or VIPRION blade/cluster with vCMP guests.

Impact:
Rarely, the vCMP host might run out of memory.

Workaround:
To work around this issue, you can disable guest health statistic collection on the vCMP host. To do so, perform one of the following procedures.

Option 1: Disable statistic collection for the tmsh show vcmp health command.
Impact of workaround: This procedure affects values returned by the tmsh show vcmp health stats command.
1. Log in to the command line of the vCMP host appliance or primary blade of the cluster.
2. To disable statistic collection, type the following command: tmsh modify vcmp guest all capabilities add { stats-isolated-mode }
3. To restart the hostagentd process, type the following command:
   a. On a BIG-IP appliance: bigstart restart hostagentd
   b. On a blade in a VIPRION cluster: clsh bigstart restart hostagentd

Option 2: Disable the hostagentd process.
Impact of workaround: This procedure affects health statistic collection, as well as the ability for guests to install from a host-provided ISO.
1. Log in to the command line of the vCMP host appliance or primary blade of the cluster.
2. To disable the hostagentd process, type the following command:
   a. On a BIG-IP appliance: bigstart stop hostagentd
   b. On a blade in a VIPRION cluster: clsh bigstart stop hostagentd
3. To exclude the hostagentd process from starting up after rebooting the system, type the following command:
   a. On a BIG-IP appliance: bigstart disable hostagentd
   b. On a blade in a VIPRION cluster: clsh bigstart disable hostagentd

Fix:
Fixed a rare vCMP host memory growth issue.


509108-1 : CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber

Component: Carrier-Grade NAT

Symptoms:
CGNAT PBA may log a port-block allocation (LSN_PB_ALLOCATED) message immediately followed by a port-block release (LSN_PB_RELEASE) message for a port-block that is already allocated to a different subscriber.

Conditions:
This can happen if subscriber traffic is received while a blade is being added or removed, while a blade is failing, or while an HA failover is in progress.

Impact:
Causes ambiguity when reverse-mapping subscriber connections.

Workaround:

Fix:
CGNAT PBA no longer logs port-block allocation and port-block release messages for a port-block that is already allocated to a different subscriber during a blade add, remove or failure, or during an HA failover.


509037-1 : BIG-IP system allows creating wild-card IPIP tunnels with the same local-address and tunnel-type

Component: TMOS

Symptoms:
MCPD accepts the wild-card IPIP tunnels with the same local-address and tunnel type (ip4ip6, ipip, ip6ip4, ip6ip6) without validation, although the configuration is eventually discarded in TMM.

Conditions:
Creating wild-card tunnels with the same local-address and IPIP tunnel-type.

Impact:
This incorrect configuration is allowed on the BIG-IP system without error.

Workaround:
Specify wild-card tunnel using different local-address and tunnel-type.

Fix:
Attempts to create such wild-card tunnels are now detected by BIG-IP system validation at creation time. The system disallows creation of wild-card tunnels with the same local-address and tunnel-type.


507853-1 : MCP may crash while performing a very large chunked query and CPU is highly loaded

Component: TMOS

Symptoms:
MCP crashes while performing a chunked query (such as 'tmsh show sys connection') that returns a large result if a connection to a TMM is severed (due to a zero-window timeout).

Conditions:
CPU is highly loaded.

Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following: error reading variable: Cannot access memory at address 0x1.

Workaround:
None.

Fix:
Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed.


507681-5 : Window.postMessage() does not send objects in IE11

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects in Internet Explorer 11. Depending on the web application, there may or may not be an error in the JavaScript console.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access working in Internet Explorer 11.

Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access in Internet Explorer 11.

Workaround:
None.

Fix:
Window.postMessage() now works in Internet Explorer 11.


507602-1 : Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled

Component: TMOS

Symptoms:
IPsec lifebyte might cause inconsistent Security Association state among different cores. This might cause a memory leak, and in some cases data packets going through the IPsec tunnel can loop between cores.

Conditions:
IPsec lifebyte is enabled in the IPsec Policy configuration object on the BIG-IP system or on a third-party IPsec device.

Impact:
Possible data packets looping and memory leak.

Workaround:
Disable lifebyte on the IPsec devices at both ends of the IPsec tunnel.

Fix:
IPsec lifebyte functions properly and leaves no inconsistent state on the BIG-IP device after rekey.


507575-1 : An incorrectly formatted NAPTR creation via iControl can cause an error.

Component: TMOS

Symptoms:
NAPTR records are somewhat complicated, and if an incorrect set of string arguments is passed to iControl, the string parsing can fail and generate unhelpful error messages.

Conditions:
Specifically, it is valid for some fields of a NAPTR record to be empty strings. However, these empty strings must be quoted as empty strings. An example of a valid record with an empty parameter:
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.
Not quoting the empty parameter (after "good") confuses the parser into thinking that not enough parameters were passed. This causes a segfault and the error.

Impact:
Potential failure of iControl parsing.

Workaround:
Use quotes around empty strings such as: foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Fix:
The string parser is now tolerant of missing parameters for these records and reports an error instead of failing.
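As an added illustration of the parsing failure described in this entry (example code written for this page, not F5's iControl implementation), the following parser reads a NAPTR record in presentation format, keeps a quoted "" as its own token, and rejects a record with too few fields with a clear message instead of misreading the shifted fields. The sample records are constructed from the example in the entry.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample records (not taken from any real zone). The first is the
# valid form from the release note: the empty regexp field is written as "".
VALID_RECORD = 'foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.'
# The same record with the empty field left unquoted: the parser sees one
# field too few, and every field after "good" shifts left by one.
BROKEN_RECORD = 'foo.example.com. 19799 IN NAPTR 100 7 "u" "good" bar.example.com.'

# owner ttl class type order preference flags service regexp replacement
NAPTR_FIELD_COUNT = 10


class NaptrParseError(ValueError):
    """Raised for a malformed record; the message says what is wrong."""


@dataclass
class Naptr:
    owner: str
    ttl: int
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


def tokenize(line: str) -> List[str]:
    """Split on whitespace, keeping each double-quoted string, including an
    empty "", as exactly one token. An unterminated quote is an error."""
    tokens: List[str] = []
    i, n = 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == '"':
            end = line.find('"', i + 1)
            if end == -1:
                raise NaptrParseError("unterminated quoted string")
            tokens.append(line[i + 1:end])
            i = end + 1
        else:
            start = i
            while i < n and not line[i].isspace():
                i += 1
            tokens.append(line[start:i])
    return tokens


def parse_naptr(line: str) -> Naptr:
    """Parse one NAPTR record in presentation format, failing with a clear
    error rather than misreading shifted fields when one is missing."""
    fields = tokenize(line)
    if len(fields) != NAPTR_FIELD_COUNT:
        raise NaptrParseError(
            f"expected {NAPTR_FIELD_COUNT} fields, got {len(fields)}; "
            'empty flags/service/regexp fields must be written as ""'
        )
    owner, ttl, rclass, rtype, order, pref, flags, service, regexp, repl = fields
    if rclass.upper() != "IN" or rtype.upper() != "NAPTR":
        raise NaptrParseError(f"not an IN NAPTR record: {rclass} {rtype}")
    for name, value in (("ttl", ttl), ("order", order), ("preference", pref)):
        if not value.isdigit():
            raise NaptrParseError(f"{name} must be a non-negative integer, got {value!r}")
    if int(order) > 65535 or int(pref) > 65535:
        raise NaptrParseError("order and preference are 16-bit values")
    if not repl.endswith("."):
        raise NaptrParseError(f"replacement must be a fully qualified name, got {repl!r}")
    return Naptr(owner, int(ttl), int(order), int(pref), flags, service, regexp, repl)


def validate(line: str) -> str:
    """Return 'ok' or the parse error text: what a management interface should
    report for bad input instead of crashing."""
    try:
        parse_naptr(line)
        return "ok"
    except NaptrParseError as exc:
        return str(exc)


if __name__ == "__main__":
    print(parse_naptr(VALID_RECORD))
    print(validate(BROKEN_RECORD))
```

The field-count check runs before any field is interpreted, so a missing quoted empty string is reported as "expected 10 fields, got 9" rather than, for example, a replacement name being read as the regexp.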


507529-1 : Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow

Component: Local Traffic Manager

Symptoms:
A blade on the active system crashes in a configuration containing a performance layer 4 virtual server with connection mirroring enabled.

Conditions:
The chassis is configured for network mirroring within cluster. There is more than one blade installed in the system or vcmp guest. A virtual server has connection mirroring enabled and is associated with a virtual address that is not assigned a traffic-group (traffic-group is none).

Impact:
When the crash occurs, the blade posts the following assert: 'tmm failed assertion, non-zero ha_unit required for mirrored flow' and crashes.

Workaround:
Ensure that mirrored virtual servers are utilizing virtual addresses that are associated with a traffic group.


507321-3 : JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields

Component: Access Policy Manager

Symptoms:
If a JavaScript application uses a user-defined object that contains 'origin', 'source' and 'data' fields with NULL values, any attempt to get these values fires an error.

Conditions:
A user-defined JavaScript object with 'origin', 'source' and 'data' fields, with a NULL value in any of these fields, for example:
var a = { origin: null, data: null, source: null };
Any attempt to read these values leads to a JavaScript error in Portal Access scripts.

Impact:
Web application does not work correctly.

Workaround:

Fix:
Now user-defined JavaScript objects with 'origin', 'source' and 'data' fields may contain any values in these fields.


507312-1 : icrd segmentation fault

Component: TMOS

Symptoms:
An icrd segmentation fault generates a core file.

Conditions:
Multiple signals delivered to the same Quit signal handler.

Impact:
Core generated

Workaround:
N/A

Fix:
Simplified the std::map to an array to avoid problems with signal races.


506304-2 : UDP connections may stall if initialization fails

Component: Local Traffic Manager

Symptoms:
UDP connections that never expire, and tmm logs containing 'hud queue full' errors.

Conditions:
UDP connections fail to initialize if the tmm's hud message queue is full. If these connections are flagged to not expire, they linger forever.

Impact:
Stalled connections. Increased memory usage.

Workaround:

Fix:
UDP connections no longer stall if initialization fails.


506286-1 : TMSH reset of DOS stats

Component: Advanced Firewall Manager

Symptoms:
DOS stat reset via TMSH results in TMM restarts and cores.

Conditions:
Reset DOS stats via TMSH command

Impact:
TMM restarts and core files

Workaround:
N/A

Fix:
Corrected the reset command to prevent cores and restarts.


506282-1 : GTM DNSSEC key generation is not synchronized upon key creation

Component: Local Traffic Manager

Symptoms:
DNSSEC key generation is not synchronized upon key creation.

Conditions:
This occurs when creating LTM DNSSEC keys on one unit of a sync group.

Impact:
The keys are synced, but the key generation information is not.

Workaround:
Modify another parameter on the GTM system after DNSSEC key generation to trigger the sync operation.

Fix:
DNSSEC key generation is now synchronized upon key creation.


506223-2 : A URI in request to cab-archive in iNotes is rewritten incorrectly

Component: Access Policy Manager

Symptoms:
There are direct (not rewritten) requests in web application traffic (iNotes 8.5, 9).

Conditions:
Web application runs through Portal Access.

Impact:
Installation of iNotes plug-ins is impossible. Some resources may not be loaded.

Workaround:

Fix:
Portal Access rewrites URIs correctly.


506199-4 : VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles

Component: TMOS

Symptoms:
When multiple vCMP guests are configured on a VDAG platform, it is possible, through cycles of provisioning and deprovisioning the guests, for the switch rules that play a role in disaggregation to be programmed in an order that causes packets to reach the wrong TMM in a guest, lowering dataplane performance.

Conditions:
On a configuration with at least two VCMP guests that share at least one blade on a VDAG-based platform, change the vCMP state to provisioned, then to configured, then to provisioned, and so on.

Impact:
The potential for decreased dataplane performance. In addition to potentially lower performance, the guest's tmm flow redirect statistics increment quickly in conjunction with traffic. To determine these stats, run a command similar to the following:
config # tmctl -d blade tmm/flow_redir_stats
This presents results similar to the following:
pg pu redirect_pg redirect_pu packets
-- -- ----------- ----------- -------
 0  0           0           1  636991
Also, VDAG statistics on the host might show an imbalance in destination port hits for those assigned to a single guest. To determine these stats, run a command similar to the following:
config # tmctl -d blade switch/vdag_dest_hits -w 200
This presents results similar to the following:
slot dst_mod dst_port dst_trunk   hits red_hits
---- ------- -------- --------- ------ --------
   1       1        0         0      0        0
   1       7        0         0      0        0
   1      13        0         0      0        0
   1      19        0         0      0        0
   1       0        0         0      0        0
   1       1        5         0 509100        0
   1       1        6         0      0        0

Workaround:
During a window in which a brief traffic interruption is acceptable, restart bcm56xxd on each affected blade in the host. On the host, run a command similar to the following: clsh bigstart restart bcm56xxd

Fix:
The system now ensures that VDAG entries are ordered correctly, avoiding cases where vCMP guests on VDAG platforms might experience excessive TMM redirects after multiple guest provisioning cycles.


506041-2 : Folders belonging to a device group can show up on devices not in the group

Component: TMOS

Symptoms:
All folders and partitions always get synced regardless of whether they are in the device group. If a user wants to utilize the same folder/partition scheme across multiple devices, this can lead to conflicts. In particular it can clobber the default route domain on a partition or rewrite the device group of a folder.

Conditions:
This only occurs during a full sync. This can occur if two different device groups use the same folder or partition names. For example, if there are two separate failover-sync groups in the same trust and they both sync a different set of objects in /MyHAFolder. This can also occur if a device has a local folder or partition with the same name as one in a device group.

Impact:
If a conflicted partition uses different default route domains, they will be overridden and may result in a sync error. Conflicted folders will inherit the configuration of the source of the config sync. This can override the device group, traffic group, and iApp reference of the folder.

Workaround:
Use unique partition and folder names across all devices in the trust group.

Fix:
Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains.


506034-3 : NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)

Component: TMOS

Symptoms:
CVE-2014-9297 CVE-2014-9298

Conditions:
CVE-2014-9297 CVE-2014-9298

Impact:
CVE-2014-9297 Summary: The vallen packet value is not validated in several code paths in ntp_crypto.c, which can lead to information leakage or a possible crash of ntpd.
CVE-2014-9298 Summary: While available kernels will prevent 127.0.0.1 addresses from "appearing" on non-localhost IPv4 interfaces, some kernels do not offer the same protection for ::1 source

Workaround:
Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

Fix:
Applied patches for CVE-2014-9297 and CVE-2014-9298.


505331-1 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
The SASP monitor unexpectedly terminates with a core dump.

Conditions:
More than one Group Workload Manager (GWM) server, and all servers are down at the same time.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage.

Workaround:
None.

Fix:
SASP monitor no longer cores when multiple Group Workload Manager (GWM) servers are down.


505222-2 : DTLS drops egress packets when traffic is large

Component: Local Traffic Manager

Symptoms:
DTLS drops egress packets when traffic volume is large.

Conditions:
DTLS has an egress queue with a maximum of 127 elements (the default). When traffic is large enough, the queue reaches this maximum and some packets are dropped.

Impact:
DTLS drops egress packets.

Workaround:
The maximum number of queue elements can be raised from 127 to a larger value using a DB variable.

Fix:
In the previous implementation, DTLS sent CN requests one by one: it sent one request, waited for the response and then sent the next one. The fix sends multiple requests to CN concurrently.


505097-1 : lsn-pool backup-member not propagated to route table after tmrouted restart

Component: Carrier-Grade NAT

Symptoms:
The lsn-pool backup-member prefix is not in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.

Conditions:
An lsn-pool with route-advertisement enabled and backup-members configured; the backup-member prefix is not properly propagated to the route-domain routing table after tmrouted restart.

Impact:
No routes for lsn-pool backup-member prefix.

Workaround:
Remove and re-add lsn-pool backup members.

Fix:
The lsn-pool backup-member prefix is now present in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.


505059-1 : Some special characters are not properly handled for username and password fields in TCL monitors

Component: Local Traffic Manager

Symptoms:
Pool members are marked down.

Conditions:
Special characters such as " or \ in the username or password fields of FTP, IMAP or POP3 monitors.

Impact:
Pool members are marked down.

Workaround:
Remove the special characters from the password and username.

Fix:
Special characters in the username and password fields are now handled properly.


505045-1 : MAP implementation not working with EA bits length set to 0.

Component: TMOS

Symptoms:
MAP implementation not working with EA bits length set to 0.

Conditions:
A MAP-E tunnel profile is configured with (ea-bits-length == 0) and (ip4-prefix-length greater than 0). Two cases:
- (ea-bits-length == 0) and (ip4-prefix-length greater than 0).
- (ip6-prefix-length plus ea-bits-length, which is the MAP domain prefix-length) greater than 48 bits. In this case, the Interface ID in the IPv6 destination address will be overwritten.

Impact:
MAP-E tunnel does not work.

Workaround:
None.

Fix:
MAP implementation is now working with EA bits length set to 0.


504899-2 : Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)

Component: Local Traffic Manager

Symptoms:
It is possible to have duplicated snat-translation addresses if one is explicitly created (named one) and the other is implicitly created when adding anonymous addresses to a snatpool.

Conditions:
No special conditions required other than to perform the configuration changes.

Impact:
As duplicated snat-translation addresses may exist, a change to an address entry that is assigned to a snatpool may not affect the right entry. For example, given the following snat-translation addresses:
snat_address_01 address 1.2.3.1
1.2.3.1 (anonymous) address 1.2.3.1
and the following snatpool:
snat_pool { 1.2.3.1 1.2.3.2 }
If snat_address_01 (whose address 1.2.3.1 is part of snat_pool) is changed, the actual snat_pool member (anonymous 1.2.3.1) is not updated with the new setting, so the change has no effect.

Workaround:


504627-1 : Valid sessions won't be deleted any more due to session inactivity.

Component: Policy Enforcement Manager

Symptoms:
Valid sessions may be deleted after 2 minutes without session activity (traffic).

Conditions:
Sessions are created through RADIUS but carry no traffic for more than 2 minutes.

Impact:
Valid sessions fail due to lack of activity and the user must re-authenticate.

Workaround:

Fix:
Alive or valid sessions are no longer deleted before the timeout because of a lack of traffic.


504496-3 : AAA Local User Database may sync across failover groups

Component: TMOS

Symptoms:
APM units that are not in the same BIG-IP Sync-Failover group are sharing local user entries. The system may possibly also experience higher management CPU load as a result of frequently syncing the local user database.

Conditions:
There is at least one sync-failover group in the Device Management :: Device Groups list, and there are devices listed in Device Management :: Devices list that are not members of that sync-failover group (either standalone or members of another device group), and those devices are provisioned with APM.

Impact:
Unwanted sharing of local user database between sync-failover groups and/or standalone devices. The system may also experience higher management CPU load as a result of frequently syncing the local user database. Under severe conditions where the database is synced multiple times per minute continually for hours or days, the rapid syncing of the database may result in unexpected failover.

Workaround:

Fix:
AAA Local User Database now syncs correctly.


504494-2 : Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.

Component: TMOS

Symptoms:
If the BIG-IP system has a disabled HA Group and is upgraded to 11.5.x or later, the disabled group might be associated with traffic groups on upgrade.

Conditions:
Before the upgrade, a disabled HA Group exists. The system is upgraded to 11.5.x or later from 10.2.x or 11.x (pre-11.5.0).

Impact:
If the BIG-IP system is rebooted after the upgrade, it's possible that the switch will fail over because the HA group score is used even though the HA group is disabled.

Workaround:
After the upgrade, check all traffic groups and ensure that none of them are configured to use a disabled HA Group.

Fix:
Upgrading to 11.5.0 and later no longer associates a disabled HA group with traffic groups. This is the correct behavior.


504306-2 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur. For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers. BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.

Fix:
https monitors now properly perform SSL session re-use.


504105-4 : RRDAG enabled UDP ports may be used as source ports for locally originated traffic

Component: Local Traffic Manager

Symptoms:
RRDAG enabled UDP ports may be used as the source port on locally originated connections.

Conditions:
RRDAG is enabled.

Impact:
Connections may be forwarded between tmms, resulting in a performance impact.

Workaround:

Fix:
RRDAG enabled ports can no longer be selected as a source port for locally originated connections.


504031-1 : document.write()/document.writeln() redefinition does not work

Component: Access Policy Manager

Symptoms:
Redefinition of document.write()/document.writeln() does not work; the original function is used instead.

Conditions:
When web application JavaScript tries to redefine document.write() and/or document.writeln().

Impact:
Web application layout and/or logic can be broken.

Workaround:

Fix:
Web application JavaScript can successfully redefine document.write and document.writeln.


504021-1 : lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled

Component: Carrier-Grade NAT

Symptoms:
lsn-pool with route-advertisement enabled does not have routes properly propagated to the routing-table.

Conditions:
The route-domain routing protocol is enabled after lsn-pool route-advertisement is enabled and an lsn-pool member is added.

Impact:
Route entries for lsn-pool members with route-advertisement enabled are missing from the routing table.

Workaround:
Either:
1) Restart tmrouted after enabling the routing-protocol for the desired route-domain.
2) Toggle route-advertisement on the lsn-pool after enabling the routing-protocol for the desired route-domain.

Fix:
A route-domain with routing-protocol enabled now has routes for lsn-pool members, regardless of the order in which routing-protocol and route-advertisement are enabled.


503979-1 : High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.

Component: Local Traffic Manager

Symptoms:
When the DNS cache resolver is resolving a DNS query, it might send queries to the backend name server iteratively. If the name server is responding slowly and the cache resolver is sending queries to name servers at a high rate, the CPU usage of the BIG-IP system might be very high.

Conditions:
(1) The cache resolver is configured with a large value (for example, 40 KB) for both max-concurrent-queries and max-concurrent-udp.
(2) The cache resolver sends queries to the name servers at a high rate.
(3) The backend name server responds slowly to the cache resolver.

Impact:
The CPU usage might be extremely high. Site might be unstable.

Workaround:
Configure the cache resolver to have a default value for both max-concurrent-queries and max-concurrent-udp.

Fix:
The CPU usage does not increase unexpectedly when the cache resolver sends a large number of DNS queries to slow backend name servers.


503652-4 : Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.

Component: Service Provider

Symptoms:
When a blade is enabled on a cluster while it is actively processing SIP UDP traffic, some packets might be lost.

Conditions:
This occurs in an Active HA cluster containing VIPRION B2100 blades with the udp.hash value set to 'ipport' and client-side round robin TMM disaggregation enabled.

Impact:
Some SIP UDP traffic packets might be lost.

Workaround:
Do not enable a blade in a cluster while the blade is processing SIP UDP traffic.

Fix:
Some SIP UDP connections are now retained after enabling a blade on the Active HA unit.


503461-1 : Intermittent Javascript failure on Safari on Mac

Component: Fraud Protection Services

Symptoms:
On first page load, JavaScript encryption occasionally fails due to a bug in Safari's JavaScript interpreter.

Conditions:
Open a protected page in Safari.

Impact:
Protection fails.

Workaround:
Install 11.6.0 hotfix 4 or later.

Fix:
FPS client-side code has been adapted to suit Safari on iOS and OSX.


503384-1 : SMTP monitor fails on multi-line greeting banner in SMTP server

Component: Local Traffic Manager

Symptoms:
SMTP monitor fails.

Conditions:
This issue occurs when a multi-line greeting banner is configured on the SMTP server.

Impact:
SMTP monitor fails.

Workaround:
To work around this issue, configure a single-line greeting banner on the SMTP server.

Fix:
SMTP monitor succeeds with a multi-line greeting banner on the SMTP server.
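As an added illustration of why a multi-line greeting breaks a naive monitor (example code written for this page, not F5's bigd SMTP monitor), the following simulated health check reads SMTP replies according to the RFC 5321 continuation rule ("220-" lines continue the reply, "220 " ends it). A monitor that treats only the first line as the greeting then misreads the rest of the banner as the reply to its EHLO and marks the server down. The server lines are constructed, not captured from a real mail server.

```python
from typing import Iterable, Iterator, List, Tuple

# Constructed server output (not captured from a real mail server). Each list
# is what the scripted server sends: the greeting, then its reply to EHLO.
SINGLE_LINE_SERVER = [
    "220 mail.example.com ESMTP ready",
    "250 mail.example.com",
]
MULTI_LINE_SERVER = [
    "220-mail.example.com ESMTP service",
    "220-Authorized users only",
    "220 Ready",
    "250-mail.example.com",
    "250 PIPELINING",
]


def read_reply(lines: Iterator[str]) -> Tuple[int, List[str]]:
    """Consume one complete SMTP reply (RFC 5321 section 4.2.1): continuation
    lines are 'NNN-text', the final line is 'NNN text' or a bare 'NNN'.
    Returns (reply code, list of text lines)."""
    texts: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code = int(line[:3])
        separator = line[3:4]
        texts.append(line[4:])
        if separator == "-":
            continue  # more lines of this reply follow
        if separator in ("", " "):
            return code, texts
        raise ValueError(f"malformed SMTP reply line: {line!r}")
    raise ValueError("connection closed in the middle of a reply")


def read_first_line_only(lines: Iterator[str]) -> Tuple[int, List[str]]:
    """The fragile approach: treat the first line as the whole greeting and
    leave any continuation lines unread in the stream."""
    line = next(lines).rstrip("\r\n")
    return int(line[:3]), [line[4:]]


def smtp_probe(server_lines: Iterable[str], multiline_aware: bool = True) -> bool:
    """Simulated monitor: the greeting must be 220 and the reply to EHLO must
    be 250. The scripted server's lines stand in for the socket."""
    lines = iter(server_lines)
    read_greeting = read_reply if multiline_aware else read_first_line_only
    code, _ = read_greeting(lines)
    if code != 220:
        return False
    # A real monitor would send b"EHLO probe.example.com\r\n" here; the
    # scripted server already holds its reply in the remaining lines.
    code, _ = read_reply(lines)
    return code == 250


if __name__ == "__main__":
    for name, server in (("single-line", SINGLE_LINE_SERVER), ("multi-line", MULTI_LINE_SERVER)):
        print(name, "aware:", smtp_probe(server, True), "naive:", smtp_probe(server, False))
```

With the naive reader, the leftover "220-Authorized users only" and "220 Ready" lines are consumed as the EHLO reply, so the probe sees code 220 where it expects 250 and reports the server down, which is the false negative the entry describes.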


503343-7 : TMM crashes when cloned packet incorrectly marked for TSO

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
1. Clone pool configured.
2. Clone MTU > client or server MTU.
3. tm.tcpsegmentationoffload db variable in "disable" state.
4. TSO enabled on the client-side or server-side interface.
5. TSO disabled on the clone interface.

Impact:
Traffic disruption.

Workaround:
Remove the configured clone pool.

Fix:
TMM no longer crashes due to a cloned packet incorrectly marked for TSO.


502443-4 : After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.

Component: Local Traffic Manager

Symptoms:
The external monitoring daemon (bigd) sends monitoring traffic before tmm is ready to receive those responses. The response traffic is routed to a tmm on another blade/HA member. This tmm responds to the server with an ICMP "Unreachable" message. Meanwhile, the originating tmm on the new blade/HA member marks the pool member "down" because it never received the server's response.

Conditions:
Start with at least 1 blade enabled in a chassis or one HA member configured, and pass traffic constantly through a virtual server with a monitor-enabled pool attached. Then, enable a new blade in the cluster or a new HA member.

Impact:
Some packets are lost for several seconds. This can last longer depending on the total number of pool members.

Workaround:
Before adding a new blade to a chassis or a member to the HA configuration that is actively processing traffic, temporarily remove the monitor(s) from the pool. Once the new blade/HA member is up, manually add the monitor(s) back to the pool.

Fix:
When a VIPRION blade or BIG-IP HA member comes on-line, the bigd process on the blade/HA member no longer starts health monitors prematurely, which could have caused some monitored objects to be marked down incorrectly.


502238-3 : Connectivity and traffic interruption issues caused by a stuck HSB transmit ring

Component: TMOS

Symptoms:
Customers can experience sudden and permanent traffic interruption, impacting all traffic through TMM.

Conditions:
With TCP Segmentation Offload (TSO) enabled, it is possible to fill up the High-Speed Bridge (HSB) transmit ring, resulting in a stuck transmit ring. The exact conditions under which this occurs is unknown, but it requires sudden transmission of a number of large packets that require TSO in order to result in a full transmit ring.

Impact:
The HSB's transmit ring becomes stuck. This requires a TMM restart in order to clear.

Workaround:
Disable TSO. This can be done using the following steps:
1. tmsh modify sys db tm.tcpsegmentationoffload value disable
2. bigstart restart tmm
If TSO is not disabled, three related fixes are needed to fully address the issue:
-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.
The Solutions are available here:
-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue:
-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.
The Solutions are available here:
-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


501516-5 : If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.

Component: Local Traffic Manager

Symptoms:
When using a very large number of monitors, bigd may run out of file descriptors when it is restarted.

Conditions:
A system with a large number of monitors configured.

Impact:
bigd cores and gets into a restart loop; monitors no longer work properly. The ltm log might contain error messages similar to the following: socket error: Too many open files.

Workaround:
Reduce the number of monitors on the system.

Fix:
bigd no longer runs out of file descriptors during restart when using a very large number of monitors.


501494-1 : if window.onload is assigned null, then null should be retrieved

Component: Access Policy Manager

Symptoms:
After window.onload=null, a non-null value is returned from window.onload.

Conditions:
A web application that assigns null to window.onload and then expects to obtain null from window.onload.

Impact:
Web application logic can be broken.

Workaround:

Fix:
After window.onload=null, null is returned when getting the value of window.onload.


501437-3 : rsync daemon does not stop listening after configsync-ip set to none

Component: TMOS

Symptoms:
If a device is not in a CMI configuration, but has configsync-ip set on its self device object, and this configsync-ip is set to none, an rsync daemon continues to listen on the old configsync-ip.

Conditions:
This occurs when the following conditions are met:
-- Device is not in a CMI configuration.
-- Self device has a configsync-ip set.

Impact:
The rsync server may continue to listen even after it is expected that it will not listen.

Workaround:

Fix:
The rsync daemon is now shut down properly when the configsync-ip is set to none, and no longer listens on configsync-ip.


500938-3 : Network Access can be interrupted if second NIC is disconnected

Component: Access Policy Manager

Symptoms:
The Network Access connection breaks if the second NIC disconnects. Both NICs are connected to the same network. This happens for a specific Network Access configuration.

Conditions:
Network Access configuration:
* Full tunnel with "Prohibit routing table changes during Network Access connection" set to true.
* Split tunneling with "Prohibit routing table changes during Network Access connection" set to true, Address space is 0.0.0.0/0.
Client with 2 NICs both connected to the same network.

Impact:
NA is interrupted.

Workaround:


500450-1 : ASM and APM on same virtual server causes Set-Cookie header modification done by ASM not to be honored by APM websso.

Component: Access Policy Manager

Symptoms:
With APM and ASM configured on the same virtual server, cookie validation on ASM could modify the Set-Cookie header sent by the application server or inject another Set-Cookie header. APM websso module does not honor the Set-Cookie modification, nor the injection. ASM subsequently causes the connection to reset.

Conditions:
With APM and ASM configured on the same virtual server, if cookie validation on ASM modifies the Set-Cookie header sent by the application server or injects another Set-Cookie header, then APM websso module does not honor this.

Impact:
Connection reset on the above condition.

Workaround:
Use layered virtual servers with an iRule virtual command to send traffic from the ASM virtual server to an APM virtual server with ARP disabled instead of having everything on one virtual server.

Fix:
The APM websso module has been modified to handle this ASM use case. The websso module now reparses the HTTP 401 response header from the server on the client side, in addition to the existing parsing during server-side processing. With this fix, any Set-Cookie modification or addition by ASM is sent to the server in the response to the 401 header.


500424-2 : dnatutil exits when reverse mapping one of the snippets results in a "No tmms on the blade" error

Component: Carrier-Grade NAT

Symptoms:
DNATutil exits with the error "dnatutil: No tmms on the blade."

Conditions:
A DNAT state log entry that is interpreted as invalid.

Impact:
DNATUtil will not be able to parse the whole log file for reverse mappings.

Workaround:
Remove the DNAT state chunk that produces the error.

Fix:
DNATUtil will continue on even if it encounters an error. It will report the error but not exit.


500234-4 : TMM may core during failover due to invalid memory access in IPsec components

Component: TMOS

Symptoms:
TMM cores when transitioning from standby to active.

Conditions:
This might occur when the following conditions are met:
-- An IPsec tunnel is enabled.
-- The BIG-IP system is a member of an HA pair.
-- The BIG-IP system transitions from standby to active.

Impact:
TMM core leading to outage.

Workaround:

Fix:
Fixed a race condition that might have caused IPsec components to access previously freed memory.


499778-1 : A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs

Component: Policy Enforcement Manager

Symptoms:
A stale session is left behind.

Conditions:
1. Create a session by sending RADIUS start messages to a static subscriber that learns IP addresses dynamically.
2. Remove the master IP from the static subscriber list.
3. Delete the static subscriber.
4. Use pem_sessiondump --list to see that the session is not deleted.

Impact:
No functional issue.

Workaround:

Fix:
The session is now reprovisioned if an IP is removed or added in the SSP case as well. This fixes session deletion when the master IP is removed.


499422-1 : An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.

Component: Local Traffic Manager

Symptoms:
An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.

Conditions:
When an ACK with an "invalid" sequence number is received, the resulting calculations involving the incoming seqno and rcv_nxt cause an outgoing ACK to be generated, which repeats as long as the server behavior repeats.

Impact:
Many connections are delayed and CPU usage is very high, peaking at around 90%. Traffic suffers severe deterioration.

Workaround:

Fix:
This problem is now corrected by ensuring that, when an outgoing ACK is generated, the FIN is stripped if it is not a retransmission of the FIN.


499315-1 : Added "Collect full URL" functionality.

Component: Application Visibility and Reporting

Symptoms:
Added functionality to collect the full URL (with host name) to AVR statistics.

Conditions:
In tmsh, run the command: modify sys db avr.includeserverinuri value disable
Run traffic with the URL http://172.29.33.87/debug
The URL that will be written to the lookup table is: "/debug"
In tmsh, run the command: modify sys db avr.includeserverinuri value enable
Run traffic with the URL http://172.29.33.87/debug
The URL that will be written to the lookup table is: "172.29.33.87/debug"

Impact:
It is now possible to collect full URLs.

Workaround:

Fix:
Added functionality to collect the full URL (with host name) to AVR statistics.


499260-3 : Deleting trust-domain fails when standby IP is in ha-order

Component: TMOS

Symptoms:
Deleting trust-domain fails when the ha-order traffic group contains a standby unit's IP address.

Conditions:
This occurs when there is a non-local device that is used by the HA order in one of the traffic groups.

Impact:
Unable to delete trust domain. The tmsh command 'delete cm trust-domain all' intermittently hangs. Pressing Ctrl + C shows:
'Unexpected Error: Could not reset trust-domain (error from devmgmtd): Error reading from server...'
In /var/log/ltm the system posts the message:
'err devmgmtd[7887]: 015a0000:3: -unknown- failed on -unknown-.devicegroup: 01071761:3: Cannot delete device (bigipsystem.example.com) from device group (/Common/sync-failover-1) because it is used by HA order on traffic group (/Common/traffic-group-2)'.

Workaround:
Retrying sometimes succeeds. Removing the ha-order traffic group also allows the operation to succeed.

Fix:
Deletion of a device trust domain now completes successfully when the BIG-IP system is a member of a device trust domain configured with a traffic group high-availability order that references a device other than the local system.


498992-6 : Troubleshooting enhancement: improve logging details for AWS failover failure.

Component: TMOS

Symptoms:
Logging information on BIG-IP VE for Failover on AWS was inadequate and did not provide the reason for failures in Failover.

Conditions:
Traffic-group failover sometimes failed without providing specific reason for the failure.

Impact:
Because of the lack of proper logging messages that could pinpoint misconfiguration or connectivity issues on AWS, it was difficult for customers to determine what was causing the failover to fail.

Workaround:
Adding more logging information in failover script resolves this issue and provides enough information to the customer to detect problems in failover.

Fix:
Added more logging details for AWS failover failure to assist in detecting problems in failover.


497742-3 : Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address

Component: Local Traffic Manager

Symptoms:
Some packets re-transmitted as part of a full-proxy, non-SNAT'd TCP virtual server on a translucent-mode vlangroup do not correctly have the translucent-mode bit-flip applied.

Conditions:
This occurs with a translucent vlangroup and full virtual server with no SNAT.

Impact:
Egressing traffic with the source-MAC of another host can potentially lead to traffic loops.

Workaround:
Enable SNAT on the virtual server.

Fix:
All TCP re-transmits have the proper source MAC address.


497627-3 : Tmm cores while using APM network Access and no leasepool is created on bigip.

Component: Access Policy Manager

Symptoms:
TMM cores in Network Access scenario when no leasepool is created on the BIG-IP system and IP address assignment is done through the Variable Assign agent (mcget {session.ldap.last.attr.vpnClientIp}).

Conditions:

Impact:
TMM process cores.

Workaround:
To work around the problem, create a leasepool on the BIG-IP system; it does not need to be attached to an access policy.

Fix:
TMM does not core now.


497564-2 : Improve High Speed Bridge diagnostic logging on transmit/receive failures

Component: TMOS

Symptoms:
When an HSB transmit or receive failure occurs, no information is provided on the state of the HSB transmit/receive rings prior to the failure.

Conditions:
The HSB experiences a transmit or receive failure.

Impact:
The unit is rebooted.

Workaround:


497389-1 : Extraneous dedup_admin core

Component: Wan Optimization Manager

Symptoms:
There have been some extraneous dedup_admin cores generated during system shutdown.

Conditions:
Race condition during shutdown of vCMP with 2 blades.

Impact:
Extraneous dedup_admin core generated.

Workaround:
None

Fix:
Missing virtual destructor was added.


497304-1 : Unable to delete reconfigured HTTP iApp when auto-sync is enabled

Component: TMOS

Symptoms:
When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI:
-- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).
-- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).

Conditions:
Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp.

Impact:
Sync failure. Cannot delete the iApp manually after the error occurs.

Workaround:
Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.

Fix:
Ensure the sFlow data source is removed from an HTTP profile when it is deleted.


497299-5 : Thales install fails if the BIG-IP system is also configured as the RFS

Component: Local Traffic Manager

Symptoms:
Thales install fails.

Conditions:
This occurs when the BIG-IP system is also configured as the RFS.

Impact:
Cannot use Thales HSM with the BIG-IP system.

Workaround:
In the following procedure, when running nethsm-thales-rfs-install.sh, the script returns the IP address used by the RFS server. Use that IP address when running the 'rfs-setup' command. When prompted with "Did you successfully run the above 'rfs-setup' command on the RFS server? (Yes/No)", perform the following steps:
1. Open a new SSH connection to the BIG-IP system.
2. Run the following command: /opt/nfast/bin/rfs-setup --force -g --write-noauth x.x.x.x
3. Return to the nethsm-thales-install.sh SSH screen and answer 'Yes'.
The script should now exit with a success message.

Fix:
Thales install script now runs successfully when the BIG-IP system is also configured as the RFS.


497078-1 : Modifying an existing ipsec policy configuration object might cause tmm to crash

Component: TMOS

Symptoms:
Modifying an existing ipsec policy configuration object might cause tmm to crash.

Conditions:
Modifying an existing ipsec policy configuration object that's not associated with any traffic selector that's assigned to an ikev2 ike peer configuration object.

Impact:
tmm crash.

Workaround:
Delete and re-create the ipsec policy mcp object.

Fix:
tmm no longer crashes when a user modifies an existing ipsec policy configuration object.


496775-3 : [GTM] [big3d] Unable to mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor

Component: Global Traffic Manager

Symptoms:
[GTM] [big3d] Unable to mark LTM virtual server up if there is another virtual server with same ltm_name for bigip monitor.

Conditions:
LTM (running BIG-IP software older than v11.2.X) with a virtual server: /Common/http_vip with destination /Common/192.168.10.34:80.
GTM (running BIG-IP software newer than v11.5.0) with this LTM as a BIG-IP Server.
Two virtual servers on LTM: one with the original LTM virtual server address, and the other with the translated address:
1. name ltm_http_vip :: destination 192.168.10.34:80 :: monitor /Common/bigip.
2. name ltm_http_trans_vip :: destination 10.10.10.34:80 :: translation-address 192.168.10.34:80 :: monitor /Common/bigip.

Impact:
Both virtual servers are marked up for a brief interval. After a few minutes, one of them is marked down.

Workaround:
You can use either of the following workarounds:
-- Use a monitor other than bigip.
-- Replace /shared/bin/big3d on the LTM system with a copy of a v11.2.1 big3d.

Fix:
The bigip health monitor no longer incorrectly marks down virtual servers with a duplicate ltm-name when there are BIG-IP GTM systems with differing software versions monitoring BIG-IP LTM virtual servers using the bigip monitor.


496758-5 : Monitor Parameters saved to config in a certain order may not construct parameters correctly

Component: Local Traffic Manager

Symptoms:
When configuring both a monitor and a child monitor, if the two monitors are saved in reverse order, the default monitor parameters will not be created. For example:
ltm monitor tcp /Common/child {
    defaults-from /Common/parent
    destination *:990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
Some of the default parameters for the above configuration will not be created upon loading the config.

Conditions:
This occurs when there are at least two monitors, and the child custom monitor appears before the parent monitor. Must have a parent that derives from a root monitor, and a child that derives from the parent monitor.

Impact:
Possible undefined behavior in bigd, and failing iControl calls. On performing a 'tmsh load sys config verify' the system posts an error message similar to the following:
01070740:3: Performance monitor /Common/http-a may not have the manual resume feature.
Unexpected Error: Validating configuration process failed.

Workaround:
A possible workaround involves switching the order of the monitors in the config file. This can either be accomplished manually, or by naming things in alphabetical order, such that the parent precedes the child:
ltm monitor tcp /Common/aaa_parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/bbb_child {
    defaults-from /Common/aaa_parent
    destination *:990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Fix:
The system now handles a configuration in which a child custom monitor precedes the parent's, so that monitor parameters are constructed properly.


495836-2 : SSL verification error occurs when using server side certificate.

Component: Local Traffic Manager

Symptoms:
SSL is stuck at the signature check for server side certificates and hence cannot complete the SSL handshake.

Conditions:
The issue can be seen when the following conditions are met:
1. The backend server is Microsoft IIS or Netty.
2. The serverssl profile requires server side certificate authentication.

Impact:
SSL handshake fails. The handshake hangs until the timeout.

Workaround:
To work around this issue, you can configure the back-end Netty based SSL servers to use a Certificate Authority (CA) signed certificate. Otherwise, do not use 'peer-cert-mode require'.

Fix:
SSL verification error no longer occurs when using server side certificate.


495557-1 : Ephemeral node health status may report as 'unknown' rather than the expected 'offline'

Component: Local Traffic Manager

Symptoms:
Ephemeral node health status may report as 'unknown' rather than the expected 'offline'.

Conditions:
Change the monitor rule on the node several times.

Impact:
Node may be in unknown status when it should be offline.

Workaround:
Reset bigd.

Fix:
Ephemeral node health status now reports 'offline' rather than 'unknown' in cases in which the monitor is offline.


495526-1 : IPsec tunnel interface causes TMM core at times

Component: TMOS

Symptoms:
Before traffic passes through an IPsec tunnel interface, if users choose to modify the tunnel interface attributes, such as MTU value, TMM cores.

Conditions:
When an IPsec tunnel interface has its configuration modified.

Impact:
Site unavailable.

Workaround:
Avoid modifying the IPsec tunnel interface. Configure the IPsec tunnel interface in one shot, using either create or delete.

Fix:
TMM no longer cores if users choose to modify the tunnel interface attributes, such as MTU value.


495525-1 : iApps fail when using FQDN nodes in pools

Component: iApplications

Symptoms:
Use of FQDN nodes causes errors in almost all F5-supported iApps.

Conditions:
1. Create an FQDN node named "foo" that refers to the FQDN "www.foo.com".
2. Create an iApp instance using the attached ephemeral_example template.
3. Enter "foo" when prompted by the iApp for a node name.
4. Click "Finished" and observe the pool in the component view.
5. Click "Reconfigure".
6. Click "Finished".

Impact:
The iApp throws an error: "0107189b:3: Cannot delete ephemeral object: /Common/foo-173.194.33.144."

Workaround:
none

Fix:
The iApp mark-and-sweep framework should be modified to ignore ephemeral pool members when modifying iApp-managed pools.


495432-2 : Add new log messages for AFM rule blob load/activation in datapath.

Component: Advanced Firewall Manager

Symptoms:
Prior to the fix, when an AFM rule blob is compiled/serialized by pktclass-daemon and TMM is notified to activate it in the datapath, there is no visibility into whether the activation failed or succeeded.

Conditions:
An AFM rule serialization message is processed by TMM.

Impact:
The end user lacks any visibility into whether the AFM rule serialized blob is successfully being used in the data path.

Workaround:
None

Fix:
With the fix, the system now logs a message (in /var/log/ltm) when the AFM rule serialized blob is activated in the data path.


495336-1 : Logon page is not displayed correctly when "force password change" is on for local users

Component: Access Policy Manager

Symptoms:
When more than one logon page is configured in the access policy and the localdb user has "force password change" enabled, the user is required to change the password after the first successful login. However, the system prompts the user to "Change Password" again instead of displaying the second logon page.

Conditions:
The issue is caused by not clearing a certain session variable after the successful password change.

Impact:
HIGH

Workaround:
The current workaround is to add a 'Variable Assign' agent in the LocalDB Auth Successful branch with a custom variable, for example: session.logon.page.challenge = expr { 0 }

Fix:
The code has been fixed to reset the relevant session variable after the successful password change.


494743-1 : Deterministic NAT translation cannot reverse-map after blade failure on p8

Component: Carrier-Grade NAT

Symptoms:
TMM translation after blade failure or startup does not agree with dnatutil reverse map results for client address.

Conditions:
On the p8 platform, when a blade fails, translations made by TMM cannot be reverse-mapped by dnatutil. This can also occur on startup.

Impact:
Affects the p8 platform with multiple blades with LSN deterministic NAT.

Workaround:
Change LSN Pool members for LSN deterministic NAT pools, which will trigger a deterministic NAT data rebuild.

Fix:
TMM translations after blade failure or startup can be properly reverse-mapped by dnatutil.


494637-2 : localdbmgr process in constant restart/core loop

Component: Access Policy Manager

Symptoms:
The localdbmgr process keeps crashing repeatedly.

Conditions:
The issue is caused by corruption in the contents stored in the memcache. Although the conditions under which the memory corruption occurs are not reproducible, this is a rarely occurring issue.

Impact:
The localdbmgr process crashes repeatedly.

Workaround:
None.

Fix:
The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.


494565-4 : CSS patcher crashes when a quoted value consists of spaces only

Component: Access Policy Manager

Symptoms:
CSS content that contains only spaces between quotes leads to a rewrite crash. Example:
... background: url(' ') ... (some spaces between quotes)

Conditions:
Conditions leading to this problem include any case when CSS content contains a quoted value which consists of spaces only.

Impact:
The impact of this issue causes a rewrite crash which leads to a possible web application malfunction.

Workaround:
To work around this issue, create a particular iRule that removes mentioned spaces between quotes.


494122-2 : Deterministic NAT state information from HSL is not useable on p8

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT HSL state information is not useable by dnatutil, resulting in "Unparseable line" error.

Conditions:
Deterministic NAT and HSL logging for an LSN pool on a p8 platform.

Impact:
The HSL logged state information cannot be used with dnatutil.

Workaround:
Use LTM logged deterministic NAT state information.

Fix:
dnatutil can now use HSL logged state information for deterministic NAT on p8.


493993-6 : TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module

Component: Access Policy Manager

Symptoms:
On a standby unit, TMM dumps core files when it is starting up and continues to do so when the active unit is handling traffic in the APM module.

Conditions:
The issue happens on APM systems when high availability is configured and the following conditions are met:
1. The active device is busy processing traffic.
2. Some sessions on the active device are terminated.
3. The TMM on the standby device is starting up.

Impact:
TMM on the standby device crashes with SEGV, which causes existing sessions not to be stored on the standby device, so users have to re-login should failover occur.

Workaround:

Fix:
In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device. TMM on the standby no longer dumps core files on startup.


493791-2 : iApps do not support FQDN nodes

Component: TMOS

Symptoms:
All iApps fail when FQDN nodes are included as pool members in an iApp-generated pool.

Conditions:
- Create a pool with nodes defined by FQDN.
- Attempt to Reconfigure an iApp, or even just open it, make no change, and click the Update button.

Impact:
GUI shows error 'script did not successfully complete: (field not present: "address"...'

Workaround:
Create the pool outside of the iApp and attach it with the "use existing pool" option, which is a feature of all recent F5 iApps.


493246-2 : SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot

Component: TMOS

Symptoms:
An SNMP query for sysCpuSensorSlot 0 returns 'Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot'.

Conditions:
SNMP query for sysCpuSensorSlot 0.

Impact:
SNMP MIB variable sysCpuSensorSlot 0 is not available.

Workaround:
Use the command 'tmctl cpu_info_stat' on the BIG-IP system to retrieve the sysCpuSensorSlot value.

Fix:
The software that generates the F5 BIG-IP MIBs has been updated to allow a slot 0 return value.


493213-1 : RBA eam and websso daemons segfaulting while provisioning

Component: TMOS

Symptoms:
Crash while provisioning.

Conditions:
This sometimes seems to happen with only APM being provisioned and APM functionality not being tested.

Impact:
RBA eam and websso daemons are segfaulting.

Workaround:
none


492701-3 : Resolved LSOs are overwritten by source device in new Policy Sync with new LSO

Component: Access Policy Manager

Symptoms:
Previously resolved Location-Specific Objects (LSOs) on target devices are overwritten by values from the source device in a new Policy Sync operation that has a new LSO to resolve.

Conditions:
Perform a Policy Sync on a profile with an LSO, and make changes to the LSO on resolution. Then perform another Policy Sync on the same profile with a new LSO that requires resolution.

Impact:
Previously customized values for LSO on target device are lost.

Workaround:
Configure the value back on the target device after the new sync.

Fix:
Customized LSO values on target device from previous Policy Sync will be retained after a new Policy Sync with new LSO.


492352-3 : Mismatch ckcName between GUI and TMSH can cause upgrade failure

Component: Local Traffic Manager

Symptoms:
The ckcName of clientssl_certkeychain should be the same in the GUI as in TMSH.
Case 1: clientssl_certkeychain includes key/cert
    TMSH uses <key-name> as ckcName
    GUI uses <key-name>.key as ckcName
Case 2: clientssl_certkeychain includes key/cert/chain
    TMSH uses <key-name>_<chain-name> as ckcName
    GUI uses <key-name>.key as ckcName
The fix makes the GUI behave the same as TMSH.

Conditions:
Use GUI to create one SSL profile, then upgrade it.

Impact:
The upgrade fails because of the mismatched ckcName between GUI and TMSH.

Workaround:

Fix:
The ckcName is now the same for both GUI and TMSH.


492305-1 : Recurring file checker doesn't interrupt session if client machine has missing file

Component: Access Policy Manager

Symptoms:
If the file required by the recurring file checker agent is deleted on the client machine when a session is already established, the session is not interrupted.

Conditions:
File checker agent is used. Recurring check is enabled for it.

Impact:
Session is not interrupted when it should be.

Workaround:

Fix:
The session is now interrupted when the file required by the recurring file check is missing.


492287-1 : Support Android RDP client 8.1.3 with APM remote desktop gateway

Component: Access Policy Manager

Symptoms:
Support Android RDP client 8.1.3 with APM remote desktop gateway

Conditions:

Impact:
Users cannot run the up-to-date official Android RDP client against APM as RDG.

Workaround:

Fix:
Support Android RDP client 8.1.3 with APM remote desktop gateway


492163-3 : Applying a monitor to pool and pool member may cause an issue.

Component: TMOS

Symptoms:
Typically, when applying a monitor to a pool and a monitor to a pool member, there are no issues. In a scenario where the pool monitor is incompatible with the pool member, it can cause a validation issue.

Conditions:
A scenario where the pool monitor is incompatible with the pool member can cause a validation issue. For example, a pool with an http monitor and a wildcard pool member (even if the pool member has its own monitor).

Impact:
Failed transaction or configuration load.

Workaround:
Remove the pool monitor, load, then add pool monitor back.

Fix:
Instances in which the pool monitor is incompatible with the pool member are now validated correctly.


492149-3 : Inline JavaScript with HTML entities may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If JavaScript code is included into an HTML page and contains HTML entities inside, it may be processed incorrectly by Portal Access.

Conditions:
HTML page which contains inline JavaScript code with HTML entities inside.

Impact:
Web application does not work as expected.

Workaround:
Use an iRule for each individual case to correct this behavior.

Fix:
Now JavaScript code with HTML entities inside is processed correctly.


491771-2 : Using catch to suppress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic

Component: Policy Enforcement Manager

Symptoms:
If, inside a proc, a parking command (like table, session, open, send, RESOLVE::lookup) is incorrectly placed within square brackets (meaning the result is to be evaluated as a command by the enclosing "catch" block) and the error is suppressed by the catch block, TMM will core with a SIGFPE panic and this message:
panic: TclExecuteByteCode execution failure: end stack top < start stack top
Example (THIS CODE MAY CAUSE TMM TO CRASH if this procedure is called):
proc id491771 {} {
    # WILL CAUSE TMM TO CRASH
    catch { [table lookup "key"] }
}
The correct usage of "catch" is without the brackets:
proc id491771 {} {
    catch { table lookup "key" }
}

Conditions:
1) A parking command like "table"
2) The very next operation generates an error
3) Both commands are inside a "catch" block
4) And this catch block exists within a proc

Impact:
TMM cores with a SIGFPE and this panic string:
panic: TclExecuteByteCode execution failure: end stack top < start stack top

Workaround:
Any command that completes without parking, placed after the parking command but before the error, prevents the issue. For instance: set A "a"
Another solution is to move the "catch" statement outside of the proc into the body of the script. Alternately, remove the square brackets that indicate that the result of the command should be evaluated in this specific case. The use of brackets in this way is likely a mistake in the coding of the iRule.


491716-2 : snmp_similint_test_15370.py failed because of bug fix 483508

Component: TMOS

Symptoms:
Bug fix 483508 introduced an attribute translation of a ulong value limited by a range to MIB type Gauge rather than Integer. MIB attributes with ranges must always be type Integer and this mismatch was correctly detected by the snmp_similint_test.

Conditions:
SNMP queries to some F5 enterprise OIDs.

Impact:
The attribute type mismatch may cause some MIB browsers to report errors because of a failure to strictly adhere to the SNMP standard.

Workaround:

Fix:
All F5 enterprise MIB attributes which include a limited value range have been changed to type Integer.


491556-7 : tmsh show sys connection output is corrected

Component: TMOS

Symptoms:
tmsh show sys connection output is corrupted for certain user roles.

Conditions:
This occurs for users with user roles that do not have access to all partitions.

Impact:
The output from tmsh show sys connection is corrupted. After issuing this command, the output of subsequent tmsh commands might not be correct or complete.

Workaround:
Quit out of tmsh. Restart the shell. Do not use the show sys connection command for users that do not have access to all partitions. Use the GUI instead to get this information.

Fix:
tmsh show sys connection output is correct for users that do not have access to all partitions.


491165-1 : Legal IP addresses sometimes logged in Attack Started/Stopped message.

Component: Advanced Firewall Manager

Symptoms:
Sometimes legal IP addresses are logged as attack started/stopped messages.

Conditions:
AFM licensed and provisioned and Sweep & Flood Vector enabled.

Impact:
Logging.

Workaround:
N/A

Fix:
IP addresses are not logged any more for START/STOP messages. Only sampled messages will have packet details.


490893-4 : Deterministic NAT state information incomplete for HSL log format

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT state information is incomplete in the HSL log format. This can result in an incorrect reverse or forward map when dnatutil is used with HSL-logged state information.

Conditions:
Found to affect A112 with HTSPLIT enabled, when using dnatutil with HSL logged deterministic NAT state for reverse map.

Impact:
Reverse and forward maps could be incorrect when used with HSL-logged deterministic NAT state information.

Workaround:
Use LTM logged deterministic NAT state information for reverse or forward map.

Fix:
HSL-logged deterministic NAT state information can now be used to correctly compute forward and reverse maps.


490830-4 : Protected Workspace is not supported on Windows 10

Component: Access Policy Manager

Symptoms:
APM does not support Protected Workspace on Windows 10.

Conditions:
Protected Workspace action configured on BIG-IP APM server. Users connecting to BIG-IP APM using Windows 10 client.

Impact:
Users cannot use Protected Workspace feature on Windows 10.

Workaround:
n/a

Fix:
Protected Workspace disabled on Windows 10 client.


490713-3 : FTP port might occasionally be reused faster than expected

Component: Local Traffic Manager

Symptoms:
FTP port is randomly selected and occasionally might be reused quickly.

Conditions:
FTP active mode. Source Port is set to change.

Impact:
FTP port might occasionally be reused faster than expected.

Workaround:

Fix:
FTP port selection uses a round robin method to avoid quick-reuse as much as possible.


490429-2 : The dynamic routes for the default route might be flushed during operations on non-default route domains.

Component: Local Traffic Manager

Symptoms:
The dynamic routes for the default route might be flushed during operations on non-default route domains. For example, when a non-default route domain is deleted from TMM, the operation also removes routes in the default route domain.

Conditions:
This happens on configuration changes and failover.

Impact:
Routing in default route domain might be impacted until tmrouted is restarted.

Workaround:
Avoid deleting non-default route domains. Issuing a bigstart restart tmrouted returns the system to a consistent state.

Fix:
The dynamic routes for the default route are no longer flushed during operations on non-default route domains.


489957-5 : RADIUS::avp command fails when AVP contains multiple attributes (VSA).

Component: Service Provider

Symptoms:
The RADIUS::avp command fails when an AVP contains multiple attributes (VSA).

Conditions:
One AVP contains multiple attributes (VSA).

Impact:
RADIUS::avp command fails.

Workaround:
None.

Fix:
RADIUS::avp command now completes successfully when an AVP contains multiple attributes (VSA).


489084-1 : Validation error in MCPD for FQDN nodes

Component: TMOS

Symptoms:
Validation does not enforce unique FQDN nodes across folders.

Conditions:
Create two nodes with the same FQDN in two different folders.

Impact:
This issue can cause undefined behavior.

Workaround:
Ensure that FQDN nodes, like regular IP nodes, are unique across folders.

Fix:
Validation now enforces that FQDN nodes, like regular IP nodes, are unique across folders.


488736-5 : Fixed problem with iNotes 9 Instant Messaging

Component: Access Policy Manager

Symptoms:
iNotes 9 IM (Sametime) is not working. There are errors in JS Console.

Conditions:
User is connected to iNotes 9 through Portal Access.

Impact:
Sametime in iNotes 9 is not accessible.

Workaround:
None.

Fix:
iNotes 9 Sametime (instant messaging) is working now.


488600-2 : iRule compilation fails

Component: Local Traffic Manager

Symptoms:
Previously created iRules may fail on upgrade.

Conditions:
Upgrade to 11.6.x versions may cause iRule compilation failures.

Impact:
iRules may not work after upgrade.

Workaround:
N/A

Fix:
Tcl parsing now handles whitespace before a newline.


488581 : 'SSL::disable clientside' inside HTTP_REQUEST causes tmm core if crypto is in progress

Component: Local Traffic Manager

Symptoms:
'SSL::disable clientside' inside HTTP_REQUEST might cause tmm core with a SIGSEGV if crypto is in progress when the iRule makes the request.

Conditions:
This occurs in iRules that contain 'SSL::disable clientside' inside HTTP_REQUEST and crypto is in progress when HTTP_REQUEST occurs.

Impact:
TMM dumps a core file and the system fails over.

Workaround:
Do not put 'SSL::disable clientside' inside HTTP_REQUEST.


488105-3 : TMM may generate core during certain config change.

Component: Access Policy Manager

Symptoms:
While the sandbox file is being used by the data plane, if the admin changes the configuration to delete this sandbox file, TMM may generate a core due to accessing freed memory.

Conditions:
The data plane is handling requests for the sandbox files while an admin deletes them from the control plane.

Impact:
TMM may core, which may cause APM service to become unavailable for some time.

Workaround:

Fix:
Access whitelist entries are reference-counted to prevent freeing of the memory while it is still being used.


487696-3 : Number of CPU allocated for ASM guests

Component: Local Traffic Manager

Symptoms:
The TMM plugin manager does not expect or support an ASM guest configuration of 10 cores, so its calculations of the number of devices required, and their numbering, do not match the existing number of threads/devices.

Conditions:
This occurs when there are 10 CPUs allocated for ASM guests.

Impact:
System does not start up or has intermittent failures if running.

Workaround:
Reduce the number of cores to 8 or increase the number to 12.

Fix:
This release disables channel splitting/division when number of TMMs is not a supported number, so ASM guests work correctly.


486829-1 : HTTP Protocol Compliance options should not be modified during import/upgrade

Component: Application Security Manager

Symptoms:
HTTP Protocol Compliance options are enabled upon version upgrade or security policy import from a prior version.

Conditions:
This issue occurs when configuration was upgraded to 11.6.0, or security policy was imported from prior version to 11.6.0.

Impact:
HTTP Protocol Compliance options are enabled.

Workaround:
Set HTTP Protocol Compliance options to desired values after import/upgrade.

Fix:
HTTP Protocol Compliance options are correctly preserved after a security policy import or a version upgrade.


486762-1 : lsn-pool connection limits may be invalid when mirroring is enabled

Component: Carrier-Grade NAT

Symptoms:
A client may not be able to create as many connections as allowed because mirroring may cause a connection to be counted more than once against the connection limit.

Conditions:
An lsn-pool with connection limits enabled, assigned to a virtual server.

Impact:
Clients may not be able to open as many connections as they should be able to open. The connections will fail.

Workaround:
This issue has no workaround at this time.

Fix:
With the fix in place, clients may open the full number of allowable connections.


486661-3 : Network Access should provide client IP address on reconnect log records

Component: Access Policy Manager

Symptoms:
Network Access should provide client IP address on reconnect log records

Conditions:
- Connect a client via network access
- Observe the log of the client IP
- Disconnect and reconnect from a different client IP (or the same one)

Impact:
The log messages generated for the session do not include the client IP address.

Workaround:
none


485472-3 : iRule virtual command allows for protocol mismatch, resulting in crash

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command allows for protocol mismatch.

Conditions:
A virtual server with an iRule which leverages the 'virtual' command targeting a virtual server that differs in protocol. For example, a UDP virtual server targeting a TCP virtual server.

Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.

Workaround:
This is the result of a misconfiguration. Modify iRules to ensure L4 protocols match between virtual servers.

Fix:
Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch.


485251-1 : AVR core which includes tmstat backtrace

Component: Application Visibility and Reporting

Symptoms:
Due to a synchronization problem in AVR, some tmstat data (relevant to AVR only) gets corrupted. This corruption can cause AVR to core.

Conditions:
Provision AVR.

Impact:
This bug causes AVR to core.

Workaround:

Fix:
The synchronization problem has been fixed.


485182-2 : wom_verify_config does not recognize iSession profile in /Common sub-partition

Component: Wan Optimization Manager

Symptoms:
The wom_verify_config does not recognize iSession profile in /Common sub-partition.

Conditions:
iApps creates some objects (virtual, profiles) under /Common/DMZPrimary.vysbank.com.app/. These objects are invisible to wom_verify_config.

Impact:
wom_verify_config cannot verify the system configuration.

Workaround:

Fix:
The wom_verify_config now recognizes objects in sub-partitions.


484706-2 : Incremental sync of iApp changes may fail

Component: TMOS

Symptoms:
Incremental sync of the deletion of an iApp instance may fail, with the error message indicating that certain objects owned by the application are still in use. Alternatively, child objects that should have been deleted when reconfiguring an iApp instance may remain on peer devices after incremental sync has completed.

Conditions:
Incremental sync of the deletion of an iApp instance. Incremental sync of deleting a child object, if the iApp implementation script creates the parent object without child objects, and then separately adds the replacement child objects.

Impact:
An attempt to delete an iApp may cause a sync failure. An attempt to reconfigure an iApp without a previously existing child object (pool member, etc.) may cause the object to continue to exist on peer devices.

Workaround:
Perform a full load sync (either the 'Overwrite Configuration' option on the Device Management Overview page, or temporarily setting the device group to full load only); the sync operation then completes successfully.

Fix:
Incremental sync of the deletion of an iApp instance now completes successfully. Incremental sync of iApp changes, where the iApp template creates a parent object separately from child objects now syncs correctly.


483792-5 : when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources

Component: Access Policy Manager

Symptoms:
Customers running into iSession related issues.

Conditions:
This happens when APM has been running.

Impact:
Some of the Network Access resources may not run properly when iSession control channel is disabled.

Workaround:
None

Fix:
When the iSession control channel is disabled through db variable, then some of the Network Access resources, including App tunnel, Microsoft RDP, and optimized tunnel resources, will not be assigned to the session.


483501-1 : Access policy v2 memory leak during object deletion in tmm.

Component: Access Policy Manager

Symptoms:
A small memory leak occurs every time a per-request access policy is deleted.

Conditions:
If the access policy was deleted before 'execute_access_policy' released the reference count, the access policy was deleted even though it was still being used by one session. If the access policy was deleted while it was not being used by any session, the access policy was not deleted.

Impact:
A small memory leak occurs every time a per-request access policy is deleted.

Workaround:
None

Fix:
1) In 'access_policy_add', increment the access policy reference count before adding the access policy to the global access policy hash table.
2) In 'release_access_policy', don't return 'access_policy->ref_count' at the end of the function; the 'access_policy' could already have been deleted and freed by that point. The return value is not used, so the function no longer returns a value.


483286-3 : APM MySQL database full as log_session_details table keeps growing

Component: Access Policy Manager

Symptoms:
APM stores session reporting data in "apm" MySQL database, under log_session_details table, but never does any cleanup. This causes the table to continuously grow. Eventually this consumes all disk, potentially corrupting the SQL data, and stopping services on the BIG-IP system that rely on MySQL.

Conditions:
Conditions leading to this issue include: APM is provisioned; and 350M APM sessions are created over any period of time (each row in log_session_details consumes ~20 bytes).

Impact:
The MySQL volume (12G) will fill with data, potentially stopping or degrading services on the box that rely on MySQL, including ASM, AVR, APM Reporting, the Web UI, and QkView.

Workaround:
The workaround is to manually clean up the log_session_details table in the MySQL database. First, retrieve the randomly generated per-box MySQL password by running the following shell command as the root user:
# perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw
PjL7mq+fFJ
In this example, PjL7mq+fFJ is the random password generated at MySQL installation. Use this password in the following command to perform the clean-up:
# /usr/bin/mysql -uroot -pPjL7mq+fFJ --database=apm -e "delete from log_session_details where active = 'N';"
This deletes all rows that belong to an inactive session.


483104-3 : vCMP guests report platform type as 'unknown'

Component: TMOS

Symptoms:
vCMP guests report 'unknown' as platform type.

Conditions:
This occurs on vCMP guests.

Impact:
Customer is unable to remotely determine exactly which platform is being monitored.

Workaround:
None.

Fix:
vCMP guests now report bigipVcmpGuest as platform type.


483020-1 : [SWG] Policy execution hang when using iRule event in VPE

Component: Access Policy Manager

Symptoms:
Using the iRule Event object in the Visual Policy Editor (VPE) causes the policy to hang. The event is started but never finishes.

Conditions:
This issue occurs when the iRule event is in the access policy.

Impact:
The access policy evaluation never finishes.

Workaround:
None.

Fix:
[SWG] Policy execution with the iRule event in place no longer hangs.


482699-4 : VPE displaying "Uncaught TypeError"

Component: Access Policy Manager

Symptoms:
VPE displaying "Uncaught TypeError"

Conditions:
While editing in Chrome version 37 or later.

Impact:
Editing in the VPE on Chrome is very difficult.

Workaround:
Use a different browser.

Fix:
Visual policy editor works correctly on Google Chrome.


482269-8 : APM support for Windows 10 out-of-the-box detection

Component: Access Policy Manager

Symptoms:
APM does not support out-of-the-box detection for Windows 10 in visual policy editor configuration.

Conditions:
Windows 10, APM

Impact:
Windows 10 cannot be detected in visual policy editor rules.

Workaround:

Fix:
APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items such as Client OS and Client Type.


482266-3 : Network Access can't be established for Windows 10

Component: Access Policy Manager

Symptoms:
Connection fails with "Network Access Connection Device was not found." message.

Conditions:
1. Clean installation of Windows 10 (not an upgrade), OR
2. Windows has been upgraded from a previous version of Windows that did not have the NA driver installed.

Impact:
User cannot establish a VPN connection.

Workaround:


482251-3 : Portal Access. Location.href(url) support is added

Component: Access Policy Manager

Symptoms:
Some pages can't be loaded in specific web-applications.

Conditions:
IE-specific code that uses location.href(some_url).

Impact:
Web-application can't load some web-pages.

Workaround:

Fix:
Added rewriting for: Location.href(some_url)


482241-1 : Windows 10 cannot be properly detected

Component: Access Policy Manager

Symptoms:
Windows 10 cannot be properly detected by BIG-IP

Conditions:
Windows 10 desktop operating system and BIG-IP APM access policy with client OS and Windows info agents.

Impact:
Windows 10 will not be detected out-of-the-box by BIG-IP client OS and Windows info agents.

Workaround:
The User-Agent string can be parsed in the access policy for Windows 10 tokens.

Fix:
Windows 10 can now be detected out-of-the-box by the client OS and Windows info agents.


482145-3 : Text in buttons not centered correctly for higher DPI settings

Component: Access Policy Manager

Symptoms:
When high DPI settings are used in Windows, text in buttons is not centered correctly and may run outside the boundaries of the buttons.

Conditions:
User interface is displayed and user has set a higher DPI setting for Windows.

Impact:
Button text does not look correct.

Workaround:
Set DPI settings back to default.

Fix:
Buttons are now correctly scaled for the Windows DPI setting.


481987-6 : Allow NTLM feature to be enabled with APM Limited license

Component: Access Policy Manager

Symptoms:
When a BIG-IP system has an APM Limited license, NTLM is silently disabled and the connection goes through. This breaks many (all) use-cases for Exchange + APM.

Conditions:
APM and Exchange are deployed together with APM Limited / Lite license.

Impact:
Exchange cannot be used with APM Limited license when NTLM frontend authentication is selected, which is used in essentially all APM + Exchange deployments.

Workaround:

Fix:
The NTLM frontend authentication (ECA) feature can now be used with an APM Limited license. Typically, this is for Exchange deployments.


481706-2 : AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP

Component: Advanced Firewall Manager

Symptoms:
When an AFM DoS Sweep/Flood attack is ongoing, there is a chance that a non-attacking source IP (one sending packets below the detection threshold) is logged as an attacker in the "attack_sampled" AFM DoS log message.

Conditions:
When the AFM DoS Sweep or Flood attack is ongoing, and multiple source IPs (attackers and non-attackers) are sending packets that match the AFM DoS Sweep or Flood vector, the "attack sampled" log may name an IP that is not actually sending packets above the configured attack rate.

Impact:
The log message could list an innocent source IP as an attacker. AVR may also show this IP as an attacker.

Workaround:
None, since the log message is cosmetic.

Fix:
Improved security logging to reduce incorrect messages.


481677-2 : A possible TMM crash in some circumstances.

Component: Local Traffic Manager

Symptoms:
If TCP::close is called during the SSL handshake, TMM might crash.

Conditions:
TCP::close is called during an SSL handshake.

Impact:
TMM crash.

Workaround:
When closing the connection before or during an SSL/TLS handshake, use the "drop" or "reject" command instead of the TCP::close command.

Fix:
A TMM crash bug has been fixed.


481663-5 : Disable isession control channel on demand.

Component: Access Policy Manager

Symptoms:
Customers running into isession related issues.

Conditions:
This happens when APM has been running.

Impact:
TMM could run out of memory because of these issues.

Workaround:
This issue has no workaround at this time.

Fix:
If optimized tunnels, app tunnels, and remote desktop are not needed, the db variable "isession.ctrl.apm" can safely be disabled, which disables iSession. Then run "bigstart restart tmm apd" so that the db variable takes effect.


481648-8 : mib-2 ipAddrTable interface index does not correlate to ifTable

Component: TMOS

Symptoms:
The ipaddrTable's ipAdEntIfIndex value does not match the ifTable's ifIndex value for the same interface.

Conditions:
Using SNMP to monitor F5 and other network devices.

Impact:
Data in the mib-2 ifTable does not correlate to the data in the ipAddrTable.

Workaround:
Use the F5 MIB to monitor F5 devices.

Fix:
The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.


481162-2 : vs-index is set differently on each blade in a chassis

Component: Local Traffic Manager

Symptoms:
The vs-index field on virtual servers differs on each blade in a chassis.

Conditions:
This occurs on chassis systems when creating a virtual server on a multi-blade VIPRION and on multi-blade vCMP guests.

Impact:
The recently created virtual server holds different vs_index across blades (typically, the virtual servers differ by one, when compared with the active blade). From that point on, every newly created virtual server carries that inconsistency, so that vs-index is set differently on each blade in a chassis.

Workaround:
Follow the procedure in SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) to clear the configuration cache and reload configuration after reboot.


480910 : A TCP profile with "Rate Pace" or "Tail Loss Probe" enabled fails to successfully establish a connection.

Component: Wan Optimization Manager

Symptoms:
TCP connection establishment fails on some virtuals.

Conditions:
A TCP profile with advanced options such as "Rate Pace" or "Tail Loss Probe" enabled is in use.

Impact:
All TCP connections using a tcp profile which has advanced options like "Rate Pace" or "Tail Loss Probe" enabled will fail to establish a connection.

Workaround:
Avoid using the TCP profile options "Rate Pace" or "Tail Loss Probe". If these options are required, there is no workaround other than upgrading to a build with the fix.

Fix:
Internal events in the MPTCP handler are now handled properly.


480761-1 : Fixed issue causing TunnelServer to crash during reconnect

Component: Access Policy Manager

Symptoms:
TunnelServer may crash in rare conditions during reconnect.

Conditions:
The crash may happen when the PC wakes up after hibernation.

Impact:
User sees confusing message about crashed TunnelServer.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed issue that caused TunnelServer to crash during reconnect.


480679-1 : The big3d daemon does not receive config updates from mcpd

Component: TMOS

Symptoms:
Any Enterprise Manager device connected to a BIG-IP v11.6.0 will not receive configuration change notifications (including status) for nodes, pool members, or pools and will require manual refresh of configuration for those types. Stats and other configuration items remain unaffected.

Conditions:
This only affects EM devices and potentially Management Pack connections to a BIG-IP. The BIG-IP must be version 11.6.0, but the EM may be any version.

Impact:
The impact of this bug is that Enterprise Manager devices will not receive configuration update notifications for nodes, pool members, or pools. This includes status changes. Stats and other configuration items remain unaffected.

Workaround:
This issue has no workaround at this time.

Fix:
The mapping for subscription groups has been fixed so that the SUBSCRIPTION_NODE_ADDRESS and other similar subscription groups will not be overwritten by the SUBSCRIPTION_MONITOR group.


480311-1 : ADAPT should be able to work with OneConnect

Component: Service Provider

Symptoms:
The request-adapt and response-adapt profiles are unable to work with the OneConnect profile, and so those combinations are not allowed in the same virtual server.

Conditions:
Attempt to combine request-adapt or response-adapt profile with OneConnect profile on the same virtual server.

Impact:
When adaptation is being used, the connection cannot be kept open and reused for multiple HTTP transactions.

Workaround:

Fix:
The OneConnect profile can be combined with either or both of request-adapt and response-adapt profiles on a virtual server. Both client and server HTTP connections are reused.


480272-6 : During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID

Component: Access Policy Manager

Symptoms:
OAM ObConfig initialization returns the wrong AccessGate ID, which results in EAM setting the wrong domain for the ObSSOCookie.

Conditions:
After a network connection failure with the backend OAM server, ObConfig initialization returned a stale AccessGate ID.

Impact:
The impact of this issue is that ObConfig initialization returns the wrong accessgate ID.

Workaround:
This issue has no workaround at this time.

Fix:
AccessGate init should now fail initialization and retry in case of an AccessGate ID mismatch. If all retries fail, then the AccessGate remains uninitialized. The administrator should clear the config cache for all the AccessGates and restart the EAM process.


480119-2 : Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.

Component: Carrier-Grade NAT

Symptoms:
PPTP filter emits a vague error message in the ltm log, for example: 'Error ERR_BOUNDS connflow 74.14.223.32:1723 -- 121.54.54.11:34976 processing pullup of control message,' or 'Error ERR_BOUNDS connflow 65.93.152.110:1723 -- 121.54.54.11:2004 processing egress message.'

Conditions:
PPTP ALG is configured. CGNAT is configured. Non-PPTP traffic is being directed to port 1723.

Impact:
These messages are cosmetic only, and can be ignored safely, but may indicate that another protocol is using port 1723.

Workaround:
None.

Fix:
Error ERR_BOUNDS loglevel has changed from ERR to DEBUG, which is correct behavior.


479674-1 : bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.

Component: Local Traffic Manager

Symptoms:
bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.

Conditions:
Tcl Monitors: FTP, SMTP, POP3, IMAP, when the timeout is less than the interval. Might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.

Impact:
bigd crashes and posts an error message similar to the following: 'Received invalid magic value in the stream'.

Workaround:
Correct the monitor timeout to be higher than interval. Generally, the timeout should be ((3 * interval) + 1) seconds. Note: This workaround might not work in cases where the failure is due to Tcl worker being in a stuck state due to the pool member not responding within the configured timeout.

Fix:
The system no longer crashes when Tcl monitors are improperly configured, that is, when the timeout specified is less than the interval.


479460-5 : SessionDb may be trapped in wrong HA state during initialization

Component: TMOS

Symptoms:
An error case may happen on BIG-IP if the following conditions are met:
1. Two BIG-IP systems are configured as inter-cluster HA.
2. Both BIG-IP systems are multi-blade chassis systems.
3. A master record with independent subkeys is added to SessionDB.
The observed symptom is that you can explicitly delete such a master record, but the auto-expiration mechanisms (timeout and lifetime) do not work on it, so the record lives forever until it is explicitly deleted.

Conditions:
Inter-chassis mirroring on a chassis with multiple blades.

Impact:
An inconsistent state between systems can cause persistence entries to never time out. This impacts CGNAT records stored in SessionDB, such as persistence records and PBA blocks.

Workaround:


479334-5 : monpd/ltm log errors after Hotfix is applied

Component: Application Visibility and Reporting

Symptoms:
When you apply a hotfix on an already configured and working volume, many errors are logged in the monpd/ltm logs.

Conditions:
Applying a hotfix to a configured and working volume.

Impact:
None, cosmetic benign errors only.

Workaround:
Run the following commands:
1. mysql -p`perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` AVR < /var/avr/avr_srv_code.sql
2. bigstart restart monpd


479142-1 : Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)

Component: Global Traffic Manager

Symptoms:
The resource record (RR) in ZoneRunner Daemon (ZRD) is not deleted when the associated Virtual Server is deleted from the Global Traffic Manager (GTM) server object.

Conditions:
Conditions that lead to this issue include a GTM server object with a Virtual Server; a pool with the above virtual server; a wideip using the above pool as resources; and deleting the virtual server from the GTM server object.

Impact:
BIND will contain and return RRs that were intended to be deleted. The RR is orphaned and could only be deleted manually from ZRD.

Workaround:
To work around this issue, you can delete the GTM server associated with the virtual server to be deleted, but this also deletes the other associated virtual servers. Alternatively, you can manually delete the RR in ZRD.

Fix:
Deleting a virtual server now correctly deletes the resource record (RR) in ZoneRunner Daemon (ZRD).


479084-1 : ZoneRunner can fail to respond to commands after a VE resume.

Component: Global Traffic Manager

Symptoms:
The ZoneRunner GUI can become unresponsive after a VE resume.

Conditions:
This is due to the "lo:" interface not being recreated during resume processing. ZoneRunner relies on this interface to communicate with the on-box BIND server.

Impact:
ZoneRunner cannot create, modify, delete, or query records on the on-box BIND server.

Workaround:
Restart ZoneRunner after a VE resume with the command: bigstart restart zonerunner.

Fix:
ZoneRunner now uses the tmm0 interface to communicate with BIND.


478920 : SIP::discard is not invoked for all request messages

Component: Service Provider

Symptoms:
SIP::discard is invoked only for the first two request messages, and the other request messages are allowed to pass through.

Conditions:
This occurs when an iRule uses SIP::discard, for example: when SIP_REQUEST { SIP::discard }.

Impact:
Any iRule that uses SIP::discard might not work as expected.

Workaround:
To work around this issue, use MR::message drop in the MR event to drop the message instead.

Fix:
The ingress queue for the messages is cleared properly when SIP::discard iRule is present. Now all request messages are correctly dropped if the SIP::discard iRule is present in SIP_REQUEST event.


478751-6 : OAM10g form based AuthN is not working for a single/multiple domain.

Component: Access Policy Manager

Symptoms:
OAM10g form based AuthN is not working for a single/multiple domain.

Conditions:
Conditions leading to this issue include double encoding of parameters and race condition on parsing form body.

Impact:
Form based OAM authentication might not work.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed all the issues found during the testing of OAM Form-based AuthN scheme, for both single domain and multiple domain.


478658-6 : Window.postMessage() does not send objects

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects. Depending on the web application, there may or may not be an error in the JavaScript console.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access.

Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access.

Workaround:
No

Fix:
Window.postMessage supports sending objects.


478617-6 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
TCP segment size is 40 bytes smaller than it should be.

Conditions:
ICMP implementation using Path MTU (PMTU)

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable

Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU.


478492-7 : Incorrect handling of HTML entities in attribute values

Component: Access Policy Manager

Symptoms:
If an HTML tag attribute contains HTML entities inside its value, this value may not be processed correctly by Portal Access.

Conditions:
For example, if a form action begins with '&#x2f;' instead of '/', it is rewritten, although an absolute action path should be left untouched. This leads to incorrect behavior of the web application.

Impact:
Web application may not work correctly.

Workaround:
This issue has no workaround at this time.

Fix:
Now HTML tag attributes with HTML entities inside their values are processed correctly.
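The following is an added illustration, not F5 code, of the class of bug described in this entry: a rewriter that classifies a form action as absolute or relative by looking at the raw attribute text treats an entity-encoded leading slash ('&#x2f;') as a relative path and rewrites it, whereas decoding HTML entities before classifying leaves the absolute path untouched. The prefix string, the regular expression and the helper names are assumptions made for the example.

```python
import html
import re

# Added example (not F5 code). REWRITE_PREFIX stands in for whatever prefix a
# Portal-Access-style rewriter prepends to relative paths; it is an assumption.
REWRITE_PREFIX = "/portal-rewrite"

# Matches a double-quoted action attribute on a <form> tag (constructed, simplified).
ACTION_RE = re.compile(r'<form\b[^>]*?\baction\s*=\s*"([^"]*)"', re.IGNORECASE)


def classify_path_raw(action: str) -> str:
    """Pre-fix behaviour: decides on the raw attribute text, so an entity-encoded
    leading slash such as '&#x2f;' is not recognised as an absolute path."""
    return "absolute" if action.startswith("/") else "relative"


def classify_path_decoded(action: str) -> str:
    """Fixed behaviour: decode HTML entities first, then classify."""
    return "absolute" if html.unescape(action).startswith("/") else "relative"


def rewrite_action(action: str, decode_entities: bool) -> str:
    """Leave absolute paths untouched; prefix relative ones.

    With decode_entities=False the raw attribute text is used (the bug).
    With decode_entities=True the value is decoded first and re-escaped on output.
    """
    if not decode_entities:
        return action if action.startswith("/") else REWRITE_PREFIX + "/" + action
    decoded = html.unescape(action)
    result = decoded if decoded.startswith("/") else REWRITE_PREFIX + "/" + decoded
    return html.escape(result, quote=True)


def rewrite_form_actions(page: str, decode_entities: bool) -> str:
    """Rewrite every <form action="..."> on the page."""
    def repl(m: re.Match) -> str:
        tag = m.group(0)
        start = m.start(1) - m.start(0)
        end = m.end(1) - m.start(0)
        return tag[:start] + rewrite_action(m.group(1), decode_entities) + tag[end:]
    return ACTION_RE.sub(repl, page)


# Constructed sample page: the action begins with '&#x2f;' instead of '/'.
SAMPLE_PAGE = '<form action="&#x2f;login" method="post"><input name="u"></form>'
```

Running rewrite_form_actions(SAMPLE_PAGE, False) produces an action of /portal-rewrite/&#x2f;login, which the browser decodes to a path under the rewrite prefix rather than the application's own /login; with decode_entities=True the action comes back as /login. The same principle applies to any filter or rewriter that makes decisions on attribute values: decode first, then decide.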


478439-6 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU.

Impact:
Burst traffic is generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU).


478261-2 : WinInet handle leak in Edge Client on Windows

Component: Access Policy Manager

Symptoms:
WinInet handle leak in Edge Client on Windows

Conditions:
EdgeClient on Windows, general use

Impact:
This leak has a slight/minor impact on resource consumption.

Workaround:

Fix:
WinInet handle leak was eliminated.


478257-7 : Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed

Component: Local Traffic Manager

Symptoms:
Re-transmission of packets in response to ICMP 'fragmentation needed' messages.

Conditions:
Multiple ICMP Destination Unreachable with Fragmentation needed code messages.

Impact:
Burst traffic is generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable

Fix:
Don't re-transmit packets if the MTU is not changed.


477218-5 : Simultaneous stats query and pool configuration change results in process exit on secondary.

Component: TMOS

Symptoms:
Simultaneous stats query and pool configuration change results in process exit on secondary.

Conditions:
Running parallel operations in tmsh/GUI or multiple tmsh operations on pool objects. For example, running 'tmsh show' command while simultaneously updating the monitor on the pool in the GUI.

Impact:
The primary restarts, and the slot goes down, resulting in potential traffic impact. The ltm logs display error messages similar to the following:
-- err mcpd[29041]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool (/Common/CYBS-P-UBC-43) was not found.
-- notice mcpd[8487]: 0107092a:5: Secondary slot 1 disconnected.

Workaround:
Use the absolute name of the pool in the tmsh command: /partition_name/pool_name.

Fix:
TMSH command now automatically issues the absolute path by using the context for the current connection to MCPd, so there are no MCPd restarts in this case.


476097-1 : TCP Server MSS option is ignored in verified accept mode

Component: Local Traffic Manager

Symptoms:
After enabling 'verified-accept' in the TCP profile, window scaling is not working on server side connection. More specifically, the BIG-IP system ignores window scaling from the back-end server.

Conditions:
Enabling 'verified-accept' in TCP profile.

Impact:
The BIG-IP system ignores window scaling from the back-end server.

Workaround:
Disable 'verified-accept' in the TCP profile.

Fix:
Window scaling with back-end server now works when 'verified-accept' is enabled in the TCP profile.


475735-4 : Failed to load config after removing peer from sync-only group

Component: Access Policy Manager

Symptoms:
Load sys config fails.

Conditions:
Loading config after removing peer from sync-only device group.

Impact:
Failed to load config.

Workaround:
Remove peer device from the sync-only device group on which policy sync has been performed previously.

Fix:
A user can now load sys config even after removing the peer from the sync-only group.


475647-2 : VIPRION Host PIC firmware version 7.02 update

Component: TMOS

Symptoms:
Correctly report part numbers of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00).

Conditions:
Affects VIPRION B4300 series blades.

Impact:
Features of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00) may not be properly supported by the BIG-IP software.

Workaround:
None.

Fix:
VIPRION Host PIC firmware version 7.02 update now supports all expected BIG-IP software features on VIPRION B4300 blades.


475403-2 : Tunnel reconnect with v2.02 does not occur

Component: Access Policy Manager

Symptoms:
Tunnel reconnect does not happen when DTLS is enabled

Conditions:
1. Configure an SSL profile.
2. Enable DTLS in the NA resource.
3. Establish an NA connection from the device.

Impact:
Reconnect does not happen

Workaround:
N/A

Fix:
A HelloRequest is re-transmitted if it is not answered by a ClientHello.


474779-1 : EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.

Component: Access Policy Manager

Symptoms:
On EAM process initialization, the plugin is unable to register a thread (MPI channel) with TMM on rare occasions. A subsequent system call to end the process fails.

Conditions:
Unknown.

Impact:
EAM plugin is up but the access gates are not initialized correctly.

Workaround:
1. Establish a connection to the OAM server.
2. Run the command: bigstart stop eam
3. Clear config.cache from each accessgate by deleting /config/aaa/oam/<partition_name>/<aaa_oam_obj_name>/<accessgate_name>/config.cache from the command line.
4. Run the command: bigstart restart eam

Fix:
EAM plugin initialization is fixed; registration of the plugin with the TMM process no longer fails.


474601-5 : FTP connections are being offloaded to ePVA

Component: Local Traffic Manager

Symptoms:
FTP connections are offloaded to acceleration hardware embedded Packet Velocity Acceleration (ePVA) chip.

Conditions:
SNAT listener

Impact:
FTP data connections fail due to lack of translation in PORT commands.

Workaround:
Use FTP virtual instead of SNAT listener.

Fix:
FTP connections are no longer offloaded to ePVA hardware when traversing a SNAT listener.


474356-1 : Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain

Component: Local Traffic Manager

Symptoms:
Client SSL configurations on a partition other than /Common do not load if there is no key/cert or inherit-certkeychain.

Conditions:
This occurs when the following conditions are met:
1. There is a configuration in a folder/partition other than /Common.
2. crypto-server-default-clientssl, or another clientssl profile, has no key/cert or inherit-certkeychain configured.

Impact:
Cannot load configuration or UCS.

Workaround:
To work around this, complete the following steps:
1. Modify /defaults/profile_base.conf and /config/profile_base.conf:
   config # vim /defaults/profile_base.conf
   config # vim /config/profile_base.conf
   Locate crypto-server-default-clientssl and add the key/cert-related configuration to it. Specifically, change the profile information to match the following:
   ltm profile client-ssl crypto-server-default-clientssl {
       defaults-from /Common/clientssl
       cert-key-chain {
           default {
               cert /Common/default.crt
               chain none
               key /Common/default.key
               passphrase none
           }
       }
       cert /Common/default.crt
       chain none
       key /Common/default.key
       passphrase none
       inherit-certkeychain true
       ciphers DHE-RSA-AES256-GCM-SHA384
       renegotiate-period 21600
       cache-size 0
   }
2. For clientssl profiles other than crypto-server-default-clientssl, make sure key/cert and/or inherit-certkeychain is set.
3. Load the configuration by running the command: tmsh load sys conf

Fix:
Client SSL configurations on a partition other than /Common now have a default key/cert and inherit-certkeychain, so the configuration loads correctly.


473685-1 : Websso truncates cookie domain value

Component: Access Policy Manager

Symptoms:
Cookies assigned during back-end authentication may not be returned to back-end servers. The failure requires that the Set-Cookie header contain a domain assignment and that the domain value begin with a dot.

Conditions:
401 response from a back end has Set-Cookie headers containing domain assignments that begin with a dot.

Impact:
Applications protected by the above authorization may not work.

Workaround:
An iRule can be used to catch the 401 response. If it contains one or more Set-Cookie headers, check each for a domain attribute. Remove the initial dot in the domain value, if present.

Fix:
Websso processes domain fields in Set-Cookie headers correctly.
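The workaround in this entry is an iRule that catches the 401 response and strips the leading dot from the domain attribute of each Set-Cookie header. The code below is an added illustration of that transformation in Python, not F5's iRule or Websso code; the header list shape, the function names and the sample cookie values are assumptions. In an iRule the same logic would sit in the HTTP_RESPONSE event, keyed on HTTP::status and iterating over HTTP::header values Set-Cookie.

```python
import re

# Matches a ';'-separated domain attribute whose value begins with a dot,
# case-insensitively, keeping the attribute name and '=' in group 1.
DOMAIN_ATTR = re.compile(r"(;\s*domain=)\.", re.IGNORECASE)


def strip_leading_domain_dot(set_cookie: str) -> str:
    """Return the Set-Cookie value with a leading dot removed from its domain
    attribute, if present. Only the first domain attribute is touched."""
    return DOMAIN_ATTR.sub(r"\1", set_cookie, count=1)


def fix_401_response(status: int, headers: list) -> list:
    """Model of the iRule workaround: for a 401 response, rewrite every
    Set-Cookie header; other statuses and other headers pass through unchanged.

    headers is a list of (name, value) tuples (an assumed shape for the example).
    """
    if status != 401:
        return list(headers)
    return [
        (name, strip_leading_domain_dot(value) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


# Constructed sample 401 response headers from a back end.
SAMPLE_401_HEADERS = [
    ("WWW-Authenticate", "Negotiate"),
    ("Set-Cookie", "session=abc123; Domain=.example.com; Path=/; HttpOnly"),
    ("Set-Cookie", "pref=1; Path=/"),
]
```

Applying fix_401_response(401, SAMPLE_401_HEADERS) leaves WWW-Authenticate and the dotless cookie alone and turns Domain=.example.com into Domain=example.com, which is the form Websso handled correctly before the fix.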


473488-6 : In AD Query agent, resolving of nested groups may cause apd to spin

Component: Access Policy Manager

Symptoms:
Access policy daemon (apd) consumes about 100% CPU and puts a heavy load on the network sometimes when resolving nested groups in AD Query. The AD Group Cache updates in a loop.

Conditions:
This issue occurs when all of the following are true:
1. The user belongs to a parent domain (for example, parent.com).
2. The group belongs to a sub-domain (for example, child.parent.com).
3. The user is a member of the group.
4. The "fetch nested groups" option is enabled for AD Query.

Impact:
The impact of this issue is that the user will be unable to resolve nested groups and unable to finish AD Query.

Workaround:
There is no workaround at this time.


473348-6 : hbInterval value not set to 300 sec after upgrade.

Component: TMOS

Symptoms:
The hbInterval determines the amount of time the snmpd daemon can wait for a response. Software versions 11.2.x use an hbInterval of 60 sec. Software versions 11.3.0 and later use an hbInterval of 300 sec.

Conditions:
When upgrading from version 11.2.x to version 11.3.0 or later.

Impact:
After upgrade, the hbInterval is still set to 60 sec and not set to 300 sec. An snmpd core is created.

Workaround:
Edit bigipTrafficMgmt.conf and set the hbInterval value to 300 using the following procedure:
1. Run the command: bigstart stop snmpd
2. Change the value of hbInterval in /config/snmp/bigipTrafficMgmt.conf and save the file.
3. Run the command: bigstart start snmpd

Fix:
When upgrading from a release that did not have the hbInterval set to 300, the new release now has hbInterval set to 300.


473255-3 : Javascript submit() method could be rewritten incorrectly inside of 'with' statement.

Component: Access Policy Manager

Symptoms:
Portal Access could incorrectly rewrite the Javascript submit() method if it is called within the scope of a 'with' statement and without an object.

Conditions:

Impact:
Form cannot be submitted from script on page.

Workaround:
Create an iRule which adds explicit object reference to submit() call.

Fix:
Fixed an issue where Portal Access could incorrectly rewrite a form submit initiated from Javascript.


473163-2 : RAID disk failure and alert.conf log message mismatch results in no trap

Component: TMOS

Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.

Conditions:
This happens when there is a RAID disk failure and the definition of RAID disk failure in alert.conf is similar to the following:
alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
    lcdwarn description="RAID disk failure." priority="3"
}

Impact:
The actual log message syntax is similar to the following: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' Because the alert pattern does not match this message, no SNMP trap is issued for a failing disk and the LCD message is not displayed.

Workaround:
For information about configuring custom traps, see SOL3727: Configuring custom SNMP traps, available here: https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.
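A quick way to check an alert pattern against real log syntax before relying on it for a trap is to run the regex over sample lines. The block below is an added example, not F5 code: it tests the alert.conf pattern quoted in this entry against a constructed log line with the syntax quoted above, and against two constructed md messages that a disk-failure alert must not fire on. CANDIDATE_PATTERN is a hypothetical replacement pattern for a custom alert, not a shipped F5 definition, and Python's re dialect stands in for alertd's matcher.

```python
import re

# Pattern as quoted from alert.conf on the page.
ALERT_CONF_PATTERN = r"raid[0-9]: Disk failure .*?"

# Constructed log lines. The first has the syntax quoted on the page; the others
# are made-up md messages that a disk-failure alert must NOT fire on.
LOG_LINES = [
    "alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.",
    "info kernel: md/raid1:md12: active with 2 out of 2 mirrors",
    "info kernel: md: md12: recovery done.",
]

# Hypothetical replacement pattern for a custom alert (an assumption, not an
# F5-shipped definition): allow the 'md/raidN:mdNN:' prefix the kernel emits.
CANDIDATE_PATTERN = r"md/raid[0-9]+:md[0-9]+: Disk failure on .*"


def alert_fires(pattern: str, line: str) -> bool:
    """True when the alert definition's regex matches the log line.

    re.search gives an unanchored match, as an alertd-style definition would;
    Python's re dialect is used as a proxy for alertd's."""
    return re.search(pattern, line) is not None


def matching_lines(pattern: str, lines=LOG_LINES) -> list:
    """Return the sample lines that would trigger the alert for this pattern."""
    return [line for line in lines if alert_fires(pattern, line)]


if __name__ == "__main__":
    for pattern in (ALERT_CONF_PATTERN, CANDIDATE_PATTERN):
        print(repr(pattern), "->", matching_lines(pattern))
```

The shipped pattern expects a space directly after 'raidN:' and so never matches 'raid1:md12: Disk failure', which is exactly the mismatch this entry describes; the candidate matches the failure message and none of the routine md messages. Re-running this kind of check after a kernel or md driver update catches silent alert breakage.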


473105 : FastL4 connections reset with pva-acceleration set to guaranteed

Component: TMOS

Symptoms:
With 'pva-acceleration' set to 'guaranteed', the BIG-IP system can take up to five seconds to detect that one of either the client-side or server-side connections has not been offloaded to the ePVA hardware.

Conditions:
This occurs with 'pva-acceleration' set to 'guaranteed' and only one of client or server connections is offloaded to hardware.

Impact:
This results in the connection that has not been offloaded being reset five seconds after being established.

Workaround:
None.

Fix:
FastL4 connections are now handled correctly with pva-acceleration set to guaranteed, and are no longer reset.


473088-4 : Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile

Component: TMOS

Symptoms:
The BIG-IP system does not allow you to configure a virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile. If you attach a ClientSSL profile, however, the configuration is allowed, which is incorrect behavior.

Conditions:
Create a virtual server, add tcp, request-adapt, and one-connect profiles along with ClientSSL.

Impact:
This unsupported configuration might have many unknown side effects in TMM.

Workaround:
Do not configure a virtual server with one-connect and requestadapt or responseadapt profiles.

Fix:
Configurations of request-/response-adapt combined with one-connect along with ClientSSL profiles are now handled correctly.


473033-5 : Datastor Now Uses Syslog-ng

Component: TMOS

Symptoms:
Datastor did not use the normal syslog facility, causing some very rare disk full errors in /var/log.

Conditions:
When datastor is heavily overloaded or experiencing a traffic pattern that it was not designed for, it can generate copious notice messages to its log. Because datastor writes directly to its log, log rotation may seem to work but inadvertently leaves a large, hidden file in /var/log.

Impact:
In very rare cases, this large hidden file may cause out-of-disk errors, preventing logging from occurring.

Workaround:
Logrotate can be configured to restart datastor if this becomes an issue.

Fix:
Datastor now uses syslog-ng.


472256-3 : tmsh and tmctl report unusually high counter values

Component: Access Policy Manager

Symptoms:
When running the command 'tmctl profile_access_stat', the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur might be unusually high.

Conditions:
The issue might appear if the following events happen, in sequence:
1. Some sessions have been established.
2. On a chassis system, a blade restarts. On an appliance system, tmm restarts on the active system, which triggers failover.
3. Some of the existing sessions log out after the chassis or appliance is back online.

Impact:
The profile access stat might report inaccurate readings. The system returns results similar to the following:
-- sessions_active_cur 18446744073709551615
-- sessions_eval_cur 18446744073709551615

Workaround:


472117-2 : Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive

Component: Application Visibility and Reporting

Symptoms:
Analytics scheduled report: You create a non-loadable configuration by changing "predefinedReportName" to "multiLeveledReport", or the reverse for an "analytics application-security scheduled-report".

Conditions:
Trying to modify an existing scheduled-report type from predefined to multi-leveled, or vice versa, caused an error message. This was true for both tmsh and the REST API.

Impact:
The entire system configuration is not loaded.

Workaround:
Manually edit /config/bigip.conf so that "predefinedReportName" and "multiLeveledReport" do not appear together in the same Analytics scheduled report.

Fix:
REST API: You can now modify a scheduled-report type, and it will automatically reset the other type's attribute ("predefinedReportName" or "multiLeveledReport").


472062-3 : Unmangled requests when form.submit with arguments is called in the page

Component: Access Policy Manager

Symptoms:
Expressions like form.submit(something) are not rewritten by Portal Access. This may cause direct URLs or unmangled paths in the request. Such requests will fail, and the application could stop working.

Conditions:

Impact:
Web Application could send unmangled requests and stop working.

Workaround:
An iRule workaround is possible, but it will be unique to each web application.

Fix:
Calls of form.submit with arguments are now correctly handled by Portal Access.


471926-1 : Static subscriber sessions lost after bigstart restart

Component: Policy Enforcement Manager

Symptoms:
Sessions are not created on standby device

Conditions:
Run bigstart restart on the active device. The standby becomes active, and sessions should be created on the new active. Before the old active comes back online, run bigstart restart on the new active.

Impact:
Sessions are not created on new active device

Workaround:
N/A

Fix:
Corrected intermittent HA issues in static subscriber provisioning


471860-3 : Disabling interface keeps DISABLED state even after enabling

Component: TMOS

Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.

Conditions:
This occurs when using both tmsh and the GUI.

Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.

Workaround:
You can reboot to correct the indicator.

Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.


471819-2 : The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.

Component: Global Traffic Manager

Symptoms:
The big3d agent restarts periodically if a v11.4.0 or earlier system with Common Criteria mode enabled is updated with a newer version of the big3d agent.

Conditions:
A v11.4.0 or earlier system is updated to run a newer version of the big3d agent and Common Criteria mode is enabled.

Impact:
The impact of this issue is periodic restarting of the big3d agent.

Workaround:
Disable Common Criteria mode. Alternatively, restore the prior version of the big3d agent.

Fix:
The big3d agent has been modified to run in a mode that eliminates inconsistencies with version 11.4.0 and earlier.


471117-4 : iframe with JavaScript in 'src' attribute not handled correctly in IE11

Component: Access Policy Manager

Symptoms:
If an HTML page contains an iframe with JavaScript code in the src attribute, some web applications might not work correctly through portal access in Internet Explorer 11.

Conditions:
Conditions leading to this issue include Internet Explorer 11 and iframe with JavaScript in the src attribute: <iframe src="javascript: some code...">

Impact:
Some Web applications may work incorrectly.

Workaround:
This issue has no workaround at this time.

Fix:
If an HTML page contains an iframe with JavaScript code in the src attribute, it is handled correctly in Internet Explorer 11 through Portal Access.


471059-4 : Malformed cookies can break persistence

Component: Local Traffic Manager

Symptoms:
Clients sending a malformed cookie (that is, a space character that precedes the persistence cookie) might prevent the parsing of a valid persistence cookie.

Conditions:
The HTTP request contains a malformed cookie value that occurs before the BIG-IP system persistence cookie. For example: Cookie:foo=bar =bar; BIGipServerhttp=60361226.20480.0001

Impact:
Persistence is ignored.

Workaround:
None.

Fix:
Cookie values containing a space character are now parsed properly.
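The following is an added example, not F5 code, contrasting two ways of handling a malformed cookie pair like the one in this entry: a parser that abandons the header at the first pair without a name never sees the persistence cookie that follows it, while one that skips the bad pair and keeps going does. The tokenizer, the function names and the exact pre-fix behaviour of TMM are assumptions made for the example; the sample Cookie header is constructed to the shape shown in the Conditions above.

```python
import re

PERSIST_COOKIE = "BIGipServerhttp"

# Constructed request Cookie header, same shape as the example on the page:
# 'foo=bar' is followed by a nameless '=bar' fragment before the persistence cookie.
MALFORMED_HEADER = "foo=bar =bar; BIGipServerhttp=60361226.20480.0001"
WELL_FORMED_HEADER = "foo=bar; BIGipServerhttp=60361226.20480.0001"


def _pairs(header: str) -> list:
    """Split the header on ';' and on whitespace runs. This simple tokenizer is an
    assumption for the example; real cookie parsers differ in detail."""
    return [tok for tok in re.split(r"[;\s]+", header) if tok]


def parse_cookie_fragile(header: str) -> dict:
    """Abort at the first pair with no name: models the failure mode described on
    the page, where junk before the persistence cookie hides it."""
    out = {}
    for tok in _pairs(header):
        name, sep, value = tok.partition("=")
        if not sep or not name:
            break
        out[name] = value
    return out


def parse_cookie_tolerant(header: str) -> dict:
    """Skip malformed pairs and keep going so later cookies are still seen."""
    out = {}
    for tok in _pairs(header):
        name, sep, value = tok.partition("=")
        if not sep or not name:
            continue
        out[name] = value
    return out


def persistence_value(header: str, parser=parse_cookie_tolerant):
    """Return the persistence cookie value, or None if the parser did not find it."""
    return parser(header).get(PERSIST_COOKIE)
```

On the well-formed header both parsers return the persistence value; on the malformed one only the tolerant parser does, which is the behaviour the fix restores. Parsing loops over untrusted, delimiter-separated input should in general degrade per item rather than per header.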


470813-1 : Memory corruption in f5::rest::CRestServer::g_portToServerMap

Component: TMOS

Symptoms:
Abort during guestagentd static deinitialization.

Conditions:
Daemon and threads are shut down.

Impact:
Crash in guestagentd and CRestServer.

Workaround:
N/A

Fix:
Fixed crash on shutdown in guestagentd and CRestServer.


470756-6 : snmpd cores or crashes with no logging when restarted by sod

Component: TMOS

Symptoms:
Prior to sod restarting snmpd following a heartbeat timeout, there are often no snmpd warning/error logs leading up to the restart condition that might indicate root-cause.

Conditions:
snmpd can be blocked waiting for mcpd responses to its database queries. This is typically experienced when CPU utilization is very high.

Impact:
sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions continue for longer than the configured snmpd heartbeat interval. During this time, external MIB queries might timeout/fail.

Workaround:
Address CPU utilization issues.

Fix:
The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions.


468837-5 : SNAT translation traffic group inheritance does not sync across devices

Component: TMOS

Symptoms:
When a snat-translation object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.

Impact:
The inherited-traffic-group property must be manually maintained on all devices.

Workaround:
Enable the 'full sync' option instead of using incremental sync.

Fix:
SNAT translation traffic group inheritance now syncs across devices using incremental sync.


468473-2 : Monitors with domain username do not save/load correctly

Component: TMOS

Symptoms:
When using the username/password fields for a monitor, if a domain is specified with the username in the standard "domain\user" form, the \ disappears upon save/reload of the configuration. The configuration still loads, but the monitor may appear down/offline due to improper login credentials.

Conditions:
Configuration must be using a monitor that uses a domain-specific username in the username field.

Impact:
Configuration will load, but monitor will show down/offline due to bad credentials.

Workaround:
The username field must be adjusted in the /config/bigip.conf file to specify the username field with a domain using a \\ syntax. For example: domain\user would need to be configured as: domain\\user.

Fix:
Monitors with domain username now save/load correctly.


468137-6 : Network Access logs missing session ID

Component: Access Policy Manager

Symptoms:
Without session ID in client logs, it's hard to correlate client and server-side logs.

Conditions:

Impact:
Client logs are hard to troubleshoot.

Workaround:

Fix:
Now Network Access components print session ID in four messages: Starting pending session ID: %sessionid, Session %sessionid established, Session %sessionid closed: Status, and Failed to open session %sessionid.


467930-1 : Searching ASM Request Log for requests with specific violations

Component: Application Security Manager

Symptoms:
Filtering the ASM Request Log for requests that match some violations did not return expected results.

Conditions:
This issue occurs when the Request Log Filter is used for specific violations such as "Web Scraping detected."

Impact:
Request Log search does not return expected matches.

Workaround:
This issue has no workaround at this time.

Fix:
The Request log filter for violations now functions as expected. Previously, filtering the ASM Request Log for requests that match some violations did not return expected results.


466745-3 : Cannot set the value of a session variable with a leading hyphen.

Component: Access Policy Manager

Symptoms:
Cannot set the value of an ACCESS::session variable with a leading hyphen.

Conditions:
Using a leading hyphen for the value of the session variable, for example: ACCESS::session set data var_name -value.

Impact:
Cannot use a hyphen in a session variable value. The system posts an error message similar to the following: err tmm3[12741]: 01220001:3: TCL error: /Common/pass <ACCESS_POLICY_AGENT_EVENT> - bad option name (line 1)setting variable var_name for sid (null) failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data set var_name "-foo""

Workaround:
This issue has no workaround at this time.

Fix:
In this release, an extra parameter, made up of two dashes (--), was added. When -- is inserted before a value, the value can start with a hyphen; for example, "ACCESS::session set data var_name -- -value".


465951-2 : If net self description size =65K, gtmd restarts continuously

Component: Global Traffic Manager

Symptoms:
The gtmd process restarts continuously.

Conditions:
This issue occurs when the net self <IP> description, or the 'Description', 'Location', 'Contact', or 'Comment' field for the device (Device Management > Devices > Properties), is a string of 65K characters or more.

Impact:
When this happens, gtmd is unable to perform its duties.

Workaround:
This issue has no workaround at this time.

Fix:
An issue that caused gtmd to restart because of long descriptions has been fixed.


465607-7 : TMM cores with TMM log error 'Assertion "flow in use" failed.' when using FastHTTP.

Component: Local Traffic Manager

Symptoms:
TMM cores with the TMM log showing the error 'Assertion "flow in use" failed.' This is an infrequent race condition.

Conditions:
This is an infrequent race condition. The actual set of events that leads to this core is unknown. However, this requires FastHTTP to be configured, and it is known that this happens when the FastHTTP connection is closing.

Impact:
TMM cores and restarts. Connections may be lost, and failover may be triggered.

Workaround:
Do not use FastHTTP.

Fix:
The system now provides checks to mitigate the race condition on close of FastHTTP to avoid the core.


465590-9 : Mirrored persistence information is not retained while flows are active

Component: Local Traffic Manager

Symptoms:
Mirrored persistence information is not retained. This is most visible on long-running flows, where the mirrored entry is removed while the flow is still active.

Conditions:
Mirrored flows with persistence profiles assigned to the VIP, or when persistence profiles are marked to mirror persistence entries.

Impact:
If a failover occurs, a new load balancing pick is made for new flows.

Workaround:

Fix:
Mirrored persistence records are now correctly retained.


465317-1 : Failure notice from "/usr/bin/set-rsync-mgmt-fw close" seen on each boot

Component: TMOS

Symptoms:
The ltm log file will have a line per cluster member at boot that contains a message similar to this: Background command '/usr/bin/set-rsync-mgmt-fw close' failed. The command exited with status 1.

Conditions:
Observable in a log file after boot. Only applies to chassis, not appliances.

Impact:
Innocuous.

Workaround:

Fix:
An error like this formerly appeared on chassis boot: Background command '/usr/bin/set-rsync-mgmt-fw close' failed. The command exited with status 1. This message was always harmless but now no longer appears.


465052-6 : Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing

Component: Local Traffic Manager

Symptoms:
TMM cores when executing an HTTP::cookie command in an iRule. If the command does not have the minimum required number of arguments, the code is not checking for this condition; it assumes they are there.

Conditions:
An iRule command must execute an HTTP::cookie command (such as "HTTP::cookie sanitize") with missing required arguments.

Impact:
TMM restarts, possibly causing a failover in an active/standby system.

Workaround:
Ensure all HTTP::cookie commands in iRules have the correct number of arguments. A workaround is to add a line "log local0. some text" before the line "HTTP::cookie sanitize". Then there will be no tmm crash.

Fix:
Check to make sure all required arguments are present in an HTTP::cookie command prior to attempting to use them.


464870-7 : Datastor cores and restarts.

Component: TMOS

Symptoms:
Datastor cores and restarts. This occurs potentially because of generational issues, object replacement from archive, and the possibility that an object was deleted in the interim.

Conditions:
Traffic patterns that shift from low to moderate velocity with strong tiling to decoherent, high velocity traffic can cause this to occur when request queuing is turned on.

Impact:
Temporary cache outage. The cache must then be completely reseeded. A datastor core file is written, and datastor is restarted.

Workaround:

Fix:
Fixed potential crash and removed some extraneous time stamps from logged messages.


464252-2 : Possible tmm crash when modifying html pages with HTML profile.

Component: TMOS

Symptoms:
With certain combinations of append_to_tag/prepend_to_tag rules and input fragments, HTML profile could get stuck in an infinite loop.

Conditions:

Impact:
The BIG-IP will stop processing requests and failover after some time.

Workaround:
Remove HTML profile from virtual server. Or, modify profile rules in a way that would not cause loop.

Fix:
Fixed an issue in HTML profile which could cause an infinite loop while processing HTML page with certain rules.


464043-3 : Integration of Firmware for the 2000 Series Blades

Component: TMOS

Symptoms:
Integration of Firmware for the 2000 Series Blades.

Conditions:
When firmware has changes that benefit platforms, it is internally released and updated in the latest version of software.

Impact:
This will improve functioning of the hardware.

Workaround:
None. This is an action item.

Fix:
Integration of Firmware for the 2000 Series Blades.


464024-4 : File descriptor leak when running some TMSH commands through scriptd

Component: TMOS

Symptoms:
File descriptors for pipes are leaking when executing some TMSH commands through scriptd.

Conditions:
TMSH commands must execute via scriptd (for example, running tmsh::modify in an iCall, but there may be other conditions that lead to the leak).

Impact:
iCall scripts cease to function, and scriptd must be restarted. Eventually the system logs error messages similar to the following: err scriptd[11946]: 014f0013:3: Script (/Common) generated this Tcl error: script did not successfully complete: the pipe system call failed, Too many open files.

Workaround:

Fix:
All pipes are closed when a TMSH command is completed, so file descriptors no longer leak when running some TMSH commands through scriptd.


462714-2 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

Component: Local Traffic Manager

Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that results in this issue is UDP with checksum of 0.

Conditions:
The profile has to be FastL4. Traffic that is either UDP with a checksum of 0 or SCTP is definitely affected.

Impact:
Source address persistence is not usable as the entry ages out while it should not.

Workaround:
None.

Fix:
Source address persistence record no longer times out unexpectedly on FastL4 profile virtual server.


462514-1 : Support for XMLHttpRequest is extended

Component: Access Policy Manager

Symptoms:
JavaScript exceptions occur.

Conditions:
The problem occurs with web-application JavaScript code using XMLHttpRequest.

Impact:
Web-application logic and behavior can be broken.

Workaround:
There is no workaround at this time.

Fix:
XMLHttpRequest rewriting is improved, so that patched objects behave the same way (or close enough) as original ones on a given browser.


461189-5 : Generated assertion contains HEX-encoded attributes

Component: Access Policy Manager

Symptoms:
When a BIG-IP system serving as a SAML identity provider (IdP) generates an assertion, the message might contain HEX-encoded values.

Conditions:
This occurs when a user authenticates against LDAP, AD, or RADIUS and the attributes retrieved from the AAA server contain non-ASCII values. The BIG-IP system, acting as Identity Provider, then places these non-ASCII values in the generated assertion.

Impact:
SAML SSO might fail if the Service Provider is unable to process HEX-encoded attributes.

Workaround:
There is no workaround on the Identity Provider side. On the Service Provider side, assertion attribute values that begin with '0x' can be treated as HEX-encoded and decoded after the SP has processed the assertion.

Fix:
BIG-IP as Identity Provider now base64-encodes non-UTF-8 attributes, as expected.


460627-3 : SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists

Component: Local Traffic Manager

Symptoms:
When the SASP monitor starts up, it can attempt to open a new TCP connection to the GWM server when another connection exists to it.

Conditions:
This happens when the GWM server sends SendWeight messages to the SASP monitor immediately after the registration of one pool member completes, but before the registration of all pool members is complete.

Impact:
The SASP monitor sends a FIN on (closes) an existing TCP connection to the GWM server.

Workaround:
This issue has no workaround at this time.

Fix:
SendWeight messages are now processed only after the registration of all pool members is complete. Monitor logging has been substantially improved. In addition, a crash that caused the SASPD_monitor process to be restarted has been fixed.


458450-2 : Memory allocation metadata corruption when debugging log is enabled on ECA

Component: Access Policy Manager

Symptoms:
When the ECA log level is set to debug and ECA receives an HTTP Cookie header whose value is longer than 1023 characters, memory allocation metadata can be corrupted, which causes the glibc malloc library to assert when it detects the corruption.

Conditions:
1. The ECA log level is set to debug.
2. ECA receives an HTTP request that contains an HTTP Cookie header.
3. The Cookie header value is longer than 1023 characters.

Impact:
ECA asserts and crashes.

Workaround:
Do not enable the debugging log.

Fix:
ECA now correctly handles HTTP Cookie headers longer than 1023 characters when the log level is set to debug.


458104-3 : LTM UCS load merge trunk config issue

Component: TMOS

Symptoms:
Running the load sys ucs command does not overwrite the trunk interface configuration; it merges the loaded trunk with the existing setting. When loading a UCS with the RMA flag, you might not get the expected results. The expected outcome is that the trunk is overwritten, not merged.

Conditions:
Current configuration has a trunk with several interface members. The UCS to be loaded contains the same trunk name but with other interfaces.

Impact:
The trunk incorrectly appears merged, containing both sets of interfaces. The configuration on disk (bigip_base.conf) shows the correct configuration. Rebooting does not resolve the issue.

Workaround:
1. Restore the BIG-IP configuration to factory default settings using the following command sequence:
     load sys config default
     load sys ucs example.ucs no-license
     save sys config
2. Force the mcpd process to reload the BIG-IP configuration using the following command sequence:
     touch /service/mcpd/forceload
     load sys ucs example.ucs no-license
     save sys config

Fix:
Trunk config member interfaces are no longer merged during load. Only the trunk member interfaces defined in the config are present after a load.


457760-5 : EAM not redirecting stdout/stderr from standard libraries to /var/log/apm

Component: Access Policy Manager

Symptoms:
Logs written to stdout/stderr by standard libraries are not redirected to /var/log/apm by the EAM plugin.

Conditions:
Output written to stdout/stderr by standard libraries is affected.

Impact:
stdout/stderr output from standard libraries is not logged, which hampers troubleshooting.

Workaround:
There is no workaround to log stdout/stderr.

Fix:
[OAM] stdout/stderr from standard libraries is now redirected to /var/log/apm.


455264-3 : Error messages are not clear when adding member to device trust fails

Component: TMOS

Symptoms:
If the IP address of a device you are adding to a device trust cannot be reached, the error message is not displayed properly in the GUI. For some errors the message is empty, and for others it contains unformatted XML data.

Conditions:
This problem occurs when adding a peer or subordinate to the device trust where the IP address cannot be reached.

Impact:
User cannot be sure what the problem with adding the device really is.

Workaround:
Verify that the address is correct and that you are able to route to the device you are trying to add to the device trust.

Fix:
During trust initiation, when the peer is unreachable, the system now posts the error message "This device is not found."


455020-1 : RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout

Component: Carrier-Grade NAT

Symptoms:
The minimum of the Real Time Streaming Protocol (RTSP) and TCP profile idle timeouts is applied to the RTP and RTCP connflows associated with an RTSP connection, so a longer RTSP profile timeout is ignored.

Conditions:
The RTSP profile idle timeout is longer than the TCP profile idle timeout. This leaves the UDP connflows for RTP and RTCP open for a shorter time than desired.

Impact:
The shorter of the two timeouts (RTSP profile or TCP profile) is used as the idle timeout for the RTP and RTCP flows associated with an RTSP connection.

Workaround:
To work around this issue, configure the TCP and RTSP profiles so that their idle timeout periods are the same.

Fix:
With the fix, the RTP and RTCP timeouts use the value configured in the RTSP profile.


454692-4 : Assigning 'after' object to a variable causes memory leaks

Component: Local Traffic Manager

Symptoms:
Assigning an 'after' object to a variable prevents the release of the 'after' object and its related connflow object, resulting in a memory leak for 'connflow', 'tcl (variable)', 'tclrule_pcb', and 'filter (variable)'.

Conditions:
This occurs when the 'after' iRule command is used and its return value (the 'after' object) is assigned to a variable.

Impact:
TMM crash or TMM memory usage increases.

Workaround:
Unset the variable containing the 'after' object before the connection closes, for example:
    # $static::one_second and $LOG_MSG are assumed to be set elsewhere (for example in RULE_INIT and HTTP_REQUEST).
    when HTTP_REQUEST priority 800 {
        set SCRIPT_ID [after $static::one_second { log local0. "$LOG_MSG" }]
    }
    when CLIENT_CLOSED {
        # Guard the unset so a connection that never reached HTTP_REQUEST does not raise a Tcl error.
        if { [info exists SCRIPT_ID] } {
            unset SCRIPT_ID
        }
    }

Fix:
Assigning 'after' object to a variable no longer causes memory leaks.
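The pattern behind the workaround above, as an added example (not code from this page or from F5): an iRule that keeps the 'after' handle in a connection variable, cancels the timer when the response arrives in time, and releases the variable in CLIENT_CLOSED so the 'after' object and its connflow can be freed. The delay, the log text, and the use of HTTP_RESPONSE as the cancel point are assumptions chosen for illustration.

```tcl
# Added example: hold an 'after' handle in a connection variable without
# leaking it. The 5-second delay and the "slow response" message are
# illustrative assumptions, not values from the release note.
when RULE_INIT {
    set static::slow_response_ms 5000
}

when HTTP_REQUEST priority 800 {
    # Capture request details so the timer callback can log something useful.
    set req_desc "[HTTP::method] [HTTP::host][HTTP::uri] from [IP::client_addr]"

    # Schedule the callback. The returned handle is the 'after' object that
    # must be released (unset) before the connection goes away.
    set SCRIPT_ID [after $static::slow_response_ms {
        log local0. "Slow response: $req_desc"
    }]
}

when HTTP_RESPONSE {
    # The response arrived in time: cancel the pending timer and drop the
    # handle so nothing keeps the 'after' object alive.
    if { [info exists SCRIPT_ID] } {
        after cancel $SCRIPT_ID
        unset SCRIPT_ID
    }
}

when CLIENT_CLOSED {
    # Release the handle on connection teardown. The guard avoids a Tcl
    # error when the connection closed without ever reaching HTTP_REQUEST.
    if { [info exists SCRIPT_ID] } {
        after cancel $SCRIPT_ID
        unset SCRIPT_ID
    }
}
```

The 'after cancel' calls are not required to stop the leak; the unset is what releases the object. Cancelling is still worth doing so that a timer for a connection that already completed or closed never fires.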


452010-3 : RADIUS Authentication fails when username or password contain non-ASCII characters

Component: Access Policy Manager

Symptoms:
RADIUS authentication fails when the logon name contains non-ASCII characters. The failure is caused by an error in the conversion from UTF-8 to Windows-1252.

Conditions:
RADIUS authentication is configured and username/password contain non-ASCII characters.

Impact:
Users are not able to log in.

Workaround:
There is no workaround for this issue.

Fix:
It is now possible to configure the charset decoding behavior. You can decode usernames and passwords to CP-1252 (the original behavior) or use the UTF-8 charset (in which case RADIUS Auth sends the username and password unmodified).


450814-10 : Early HTTP response might cause rare 'server drained' assertion

Component: Local Traffic Manager

Symptoms:
Early HTTP response from the server might cause 'server drained' assertion and traffic disruption.

Conditions:
This occurs when the server sends an early response, that is, the server responds before the system has finished processing the entire incoming HTTP request data from the client. A filter other than HTTP must also be present in the chain.

Impact:
The system posts a 'server drained' assertion and traffic is disrupted.

Workaround:
None, however, this issue occurs very rarely.

Fix:
HTTP no longer triggers a "server drained" assertion when a server ends a connection with an early response.


447874-5 : TCP zero window suspends data transfer

Component: Local Traffic Manager

Symptoms:
Pipelined HTTP requests might cause the TCP window to stay at 0 and never recover.

Conditions:
This intermittent issue occurs when pipelined HTTP requests using the GET method are sent.

Impact:
When this occurs, the resulting TCP zero window suspends data transfer. It is possible that the TCP window will be reduced to 0 (zero) and never recover.

Workaround:
None.

Fix:
Pipelined HTTP GET requests no longer cause the TCP window to stay at 0.


447043-3 : Cannot have 2 distinct 'contains' conditions on the same LTM policy operand

Component: Local Traffic Manager

Symptoms:
Conditions such as 'user-agent contains 'Android' AND 'Mobile'' cannot be expressed. LTM policy operands are matched against a set of values, producing a match when the operand matches any one of those values. There is no way with the current functionality to require a match on all of the values. One specific situation in which this is needed is 'contains'.

Conditions:
Specify an LTM policy rule with two conditions that have the same operand and match type, for example:
    conditions {
        0 { http-header name User-Agent contains values { Android } }
        1 { http-header name User-Agent contains values { Mobile } }
    }

Impact:
The policy does not work. The system posts an error message similar to the following: Failed to compile the combined policies.

Workaround:

Fix:
LTM policies now allow a rule to have multiple conditions on the same operand with the same match type, so that 'user-agent contains 'Android' AND 'Mobile'' can be expressed as:
    conditions {
        0 { http-header name User-Agent contains values { Android } }
        1 { http-header name User-Agent contains values { Mobile } }
    }


446860-4 : APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348

Component: Access Policy Manager

Symptoms:
APM Exchange Proxy does not honor the tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 (ActiveSync client fails to log in to APM with a large POST body).

Conditions:
An ActiveSync client with a large POST body tries to log in to APM.

Impact:
The ActiveSync client with a large POST body cannot log in even when the tmm.access.maxrequestbodysize DB variable is configured.

Workaround:
This issue has no workaround at this time.

Fix:
APM Exchange Proxy now honors the tmm.access.maxrequestbodysize DB variable. Set "tmm.access.maxrequestbodysize" to a value larger than the maximum email body size you want to support. The maximum supported value is 25000000 (25 MB).


443298-2 : FW Release: Incorporate Victoria2 LOP firmware v1.20

Component: TMOS

Symptoms:
This is a standard bug used for tracking the incorporation of Firmware changes.

Conditions:
The purpose of this change is to integrate a firmware package into the BIGIP build.

Impact:
unknown

Workaround:

Fix:
FW Release: Incorporate Victoria2 LOP firmware v1.20 into BIG-IP


442884-1 : TMM assert "spdy pcb initialized" in spdy_process()

Component: Wan Optimization Manager

Symptoms:
TMM asserts "spdy pcb initialized" in spdy_process(), caused by a HUDEVT_ABORTED arriving on a zeroed SPDY context from iSession.

Conditions:
This may happen when using APM + iSession + the SPDY filter. The problem occurs when the iClient unexpectedly closes the connection (by sending a FIN) before the handshake completes. The FIN forces a HUDEVT_ABORTED event that can reach SPDY before HUDEVT_FLOW_INIT (because the INIT event can be delayed in iSession during the handshake). The iClient is believed to send the FIN as a result of a misconfiguration.

Impact:
TMM Asserts.

Workaround:
1. Fix the iClient configuration.
2. Remove the SPDY profile from the chain.

Fix:
The iSession code now handles HUDEVT_ABORTED and HUDEVT_FLOW_INIT events in order. If HUDEVT_ABORTED arrives and HUDEVT_FLOW_INIT has not yet been passed up, iSession first sends up HUDEVT_FLOW_INIT and only then forwards HUDEVT_ABORTED.


442871-1 : BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances created using OpenStack interfaces may fail to detect the Kernel-based Virtual Machine (KVM) hypervisor.

Conditions:
This issue occurs when all of the following conditions are met:
-- You are deploying a BIG-IP VE instance on a KVM hypervisor.
-- You are using the OpenStack interface tool set to perform the deployment.

Impact:
As a result of this issue, you may encounter one or more of the following symptoms:
-- The BIG-IP VE instance fails to start.
-- When starting the BIG-IP VE instance, diagnostic messages may indicate that the hypervisor is not recognized.

Workaround:
To work around this issue, you can modify your OpenStack compute nodes to run all instances as KVM. To do so, perform the following procedure:
Note: The workaround assumes that your compute nodes use KVM as the default hypervisor.
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the OpenStack compute node as the root user.
2. Using an editor, create a file in the /etc/nova directory named release.
3. Add the following content to the new file:
     [Nova]
     vendor = Red Hat
     product = Bochs
     package = RHEL 6.3.0 PC
4. Restart all services or reboot the compute node.
5. Redeploy a new BIG-IP VE instance using the OpenStack interface tool set.

Fix:
BIG-IP VE instances created using OpenStack interfaces now detect the KVM hypervisor. Important: If you performed the steps to work around this issue (as described in the known issue for this bug), removing the workaround might require a license change.


442698-10 : APD Active Directory module memory leak in exception

Component: Access Policy Manager

Symptoms:
The APD Active Directory module might leak memory if an exception happens.

Conditions:
An exception occurs while a request is being processed.

Impact:
The session request fails, and apd leaks memory.

Workaround:
None.

Fix:
APD is now more robust and handles exceptions in AD module properly.


442647-5 : IP::stats iRule command reports incorrect information past 2**31 bits

Component: Local Traffic Manager

Symptoms:
Due to a mistaken internal object-size conversion, the statistical data used by the IP::stats iRule command reports a negative number when the data exceeds 2**31.

Conditions:
After more than 2 gigabytes or 2 billion packets have been transferred on a connection, IP::stats commands in an iRule on that connection return a negative number.

Impact:
iRules cannot rely on the validity of the IP::stats counters when more than 2 gigabytes have been transferred.

Workaround:
Upgrade to a fixed version.

Fix:
iRules now use a 64-bit object for these counters.


441297-3 : LACP trunk remains down after restarting mcpd on 2000/4000 series platforms

Component: TMOS

Symptoms:
When you restart mcpd on 2000/4000 series platforms configured with a Link Aggregation Control Protocol (LACP) trunk, the trunk remains down.

Conditions:
This occurs on 2000/4000 series platforms with an LACP trunk when mcpd is restarted.

Impact:
Trunk status remains down after the restart, and all interfaces are reported as 'uninit'. Functionally, this does not affect single-interface VLANs, as traffic is still carried correctly.

Workaround:
Run the command: tmsh restart sys service pfmand. Restarting pfmand updates the interface status, which in turn updates the trunk status.

Fix:
LACP trunk now becomes active after restarting mcpd on 2000/4000 series platforms.


439880-2 : NTLM authentication does not work due to incorrect NetBIOS name

Component: Access Policy Manager

Symptoms:
Internally, the BIG-IP system assumes that the NetBIOS name always matches the prefix of the DNS name. For example, if the domain name is sales.company.com, then the NetBIOS name must be SALES. If the NetBIOS name does not meet this assumption, NTLM and/or Kerberos front-end authentication never works, even when configured correctly. In a disjoint namespace deployment, the NetBIOS name and the prefix of the DNS name do not match, and the BIG-IP system cannot establish a SCHANNEL with the Active Directory server.

Conditions:
The NetBIOS name does not match the prefix of the DNS name.

Impact:
NTLM front-end authentication does not work as there is no SCHANNEL to Active Directory which can be used to verify the user's credentials.

Workaround:
Change the Active Directory deployment so that its NetBIOS name matches the prefix of its DNS name.

Fix:
BIG-IP 11.6.0 HF6 introduced the Apm.NetBIOS.DomainName db variable as a global NetBIOS domain name. When the variable is set to a non-default value, that value is used as the NetBIOS domain name during configuration. When the variable has its default value ("<null>"), APM reverts to extracting the NetBIOS domain name from the FQDN. This means that when the db variable is set to a non-default value, only one NetBIOS domain is usable.

Note: Support for the Apm.NetBIOS.DomainName db variable is discontinued in version 12.0.0 and later. In BIG-IP 12.0.0, when you create a Machine Account in APM, APM performs a domain join, retrieves the NetBIOS domain name from the Active Directory server, stores it in the configuration, and uses it for NTLM authentication. To use the new behavior, delete the existing machine account and recreate it. Otherwise, the machine account continues to obtain the NetBIOS name the way it did before version 12.0.0.


438674-5 : When log filters include tamd, tamd process may leak descriptors

Component: TMOS

Symptoms:
The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations. When a log filter includes tamd, the tamd process might leak descriptors.

Conditions:
Configure log filter that includes tamd.

Impact:
Client authentication might fail once the tamd process has leaked enough descriptors.

Workaround:
Do not define log filters that include tamd (tamd is included in 'all').

Fix:
The BIG-IP system no longer sends tamd log messages to the configured remote log destinations, so tamd no longer leaks descriptors.


431467-1 : Mac OS X support for nslookup and dig utilities to use VPN DNS

Component: Access Policy Manager

Symptoms:
Network Access from a browser or the Edge Client on Mac OS X does not change the system DNS configuration in the way that the nslookup and dig utilities expect. Once Network Access is established, nslookup and dig do not use the DNS servers and DNS search suffixes set by the SSL VPN.

Conditions:
Network Access with DNS servers and DNS search suffixes configured, established from a browser or the Edge Client on Mac OS X.

Impact:
The system behaves as expected except for the nslookup, dig, and host utilities.

Workaround:

Fix:
The nslookup, host and dig utilities are now able to use DNS server and DNS search suffixes set by SSL-VPN.


431283-7 : iRule binary scan may core TMM when the offset is large

Component: Local Traffic Manager

Symptoms:
The binary command does not check whether the offset argument lies beyond the internal buffer boundary, which can core TMM. Example:
    binary scan [TCP::payload] @${offset_num}c var1
If offset_num is larger than the payload buffer length, TMM may core.

Conditions:
An iRule uses binary scan with an @offset field specifier whose offset exceeds the length of the buffer being scanned (for example [TCP::payload]).

Impact:
TMM may core.

Workaround:
Check the payload length and compare it with the offset argument before using the command.

Fix:
The offset value is now checked before the cursor is moved.
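The workaround above in practice, as an added example (not code from this page or from F5): an iRule that parses a simple length-prefixed record from the TCP payload and bounds-checks a peer-derived offset before passing it to binary scan, asking for more data or rejecting the connection instead of scanning past the collected bytes. The record layout (2-byte big-endian length followed by a payload whose last byte is a type code) and the 4096-byte ceiling are assumptions chosen for illustration.

```tcl
# Added example: never let 'binary scan' see an @offset that is beyond the
# collected buffer. Record layout and size limit are illustrative assumptions.
when CLIENT_ACCEPTED {
    TCP::collect 2
}

# Return the unsigned byte at 'offset' in 'buf', or -1 if the offset lies
# outside the buffer. This is the check the unpatched command did not do.
proc byte_at { buf offset } {
    if { $offset < 0 || $offset >= [string length $buf] } {
        return -1
    }
    binary scan $buf @${offset}c raw
    # 'c' yields a signed value; mask it to 0..255.
    return [expr { $raw & 0xff }]
}

when CLIENT_DATA {
    set payload [TCP::payload]
    set plen [TCP::payload length]

    # Need the 2-byte length prefix before anything else.
    if { $plen < 2 } {
        TCP::collect 2
        return
    }
    binary scan $payload S reclen
    set reclen [expr { $reclen & 0xffff }]
    if { $reclen == 0 } {
        reject
        return
    }

    # Offset of the type byte: last byte of the record (assumed layout).
    set offset_num [expr { 2 + $reclen - 1 }]

    # Do not trust a peer-controlled length: cap it, and collect more data
    # rather than scanning beyond what has actually arrived.
    if { $offset_num >= $plen } {
        if { $offset_num >= 4096 } {
            log local0. "Rejecting oversized record (len $reclen) from [IP::client_addr]"
            reject
            return
        }
        TCP::collect [expr { $offset_num + 1 }]
        return
    }

    set rectype [call byte_at $payload $offset_num]
    if { $rectype < 0 } {
        reject
        return
    }
    log local0. "Record type $rectype from [IP::client_addr]"
    TCP::release
}
```

The same guard applies to any offset taken from the wire (lengths, pointers into a header); compare it against [TCP::payload length] or [string length] of the buffer first, and treat an out-of-range value as malformed input rather than something to scan.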


429018-2 : tmipsecd cores when deleting a non-existing traffic selector

Component: TMOS

Symptoms:
tmipsecd cores when a traffic selector that is being removed is not found in tmipsecd's internal database.

Conditions:
This is a rare race condition.

Impact:
IPsec tunnel flapping and core dump.

Workaround:

Fix:
tmipsecd now logs a critical message instead of coring, so IPsec tunnel flapping and core dumps no longer occur when deleting a non-existing traffic selector.


426328-8 : Updating iRule procs while in use can cause a core

Component: Local Traffic Manager

Symptoms:
When an iRule that is in process or parked (that is, has existing connections) and uses a proc is updated, a core can occur due to incorrect internal reference counting.

Conditions:
A high-traffic iRule that both parks and uses a proc.

Impact:
The BIG-IP system might temporarily fail to process traffic, and fail over if configured as part of a high availability (HA) pair.

Workaround:
Disable the listener before updating the iRule. For more information, see SOL14654: Updating an iRule that uses sideband connections may cause TMM to core, available at http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14654.

Fix:
Updating an iRule that uses sideband connections no longer causes TMM to core.


426209-2 : exporting to a CSV file may fail and the Admin UI is inaccessible

Component: Access Policy Manager

Symptoms:
If there are a large number of APM report records, exporting them to a CSV file might fail and the Admin GUI can then become inaccessible.

Conditions:
The report data is large.

Impact:
The Admin UI is inaccessible.

Workaround:
Avoid exporting large report data.


423282-8 : BIG-IP JavaScript includes can be improperly injected in case of conditional commment presence

Component: Access Policy Manager

Symptoms:
JavaScript does not work if a page contains conditional comments inside its head tag.

Conditions:
A conditional comment contains the very first script tag. Example:
    <html>
    <!--[if lt IE 9]>
    <script src="foo.js"></script>
    <![endif]-->
    <script>
    document.write("foo");
    </script>
    </html>

Impact:
JavaScript does not work.

Workaround:
To work around the problem, use an iRule. The exact commands to use depend on the situation.

Fix:
The issue has been fixed by adding necessary JavaScript includes into every conditional branch.


422107-8 : Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set

Component: Local Traffic Manager

Symptoms:
The DNS transparent cache might include RRSIG records in responses to queries that do not have the DO bit set.

Conditions:
The DNS transparent cache receives a DNS query without the DO bit set, and the query is answered by a DNSSEC-signed zone on a pool member. The response returned to the client contains RRSIG records.

Impact:
Responses contain unnecessary RRsets and are not RFC compliant.

Workaround:
None.

Fix:
Queries answered by the DNS transparent cache no longer have RRSIG records added to the response if the DO bit is not set in the query.


422087-5 : Low memory condition caused by Ram Cache may result in TMM core

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter the following symptoms:
- The TMM process crashes with a SIGABRT.
- The BIG-IP system fails over to the peer system in a high-availability configuration.
- The BIG-IP system generates a TMM core file in the /var/core directory.

Conditions:
- A Web Acceleration profile is associated with a virtual server.
- TMM has run low on memory.

Impact:
The BIG-IP system may temporarily fail to process traffic, and may fail over if configured as part of a high-availability system.

Workaround:
There is no workaround for this issue.

Fix:
TMM no longer crashes in certain low-memory conditions with RAM Cache enabled.


420341-6 : Connection Rate Limit Mode when limit is exceeded by one client also throttles others

Component: Local Traffic Manager

Symptoms:
When Connection Rate Limit Mode is set to Per Virtual Server and Source Address, you might encounter unexpected results. Once a particular client exceeds the limit, other clients (other source IP addresses) are also throttled by the system.

Conditions:
A connection rate limit is configured per virtual server and per client; one client exceeds the configured rate limit; and the virtual server then also throttles other, unrelated clients.

Impact:
The virtual server throttles clients that are not exceeding the connection rate limit.

Workaround:
None.

Fix:
Connection Rate Limit Mode when limit is exceeded by one client no longer throttles others.


420107-2 : TMM could crash when modifying HTML profile configuration

Component: TMOS

Symptoms:
Modifying the configuration of a virtual server with an HTML profile attached may cause a TMM crash if there are open connections carrying HTML content.

Conditions:

Impact:
TMM restarts. Temporary outage or failover; all clients must reconnect.

Workaround:
Disable the virtual server (or otherwise ensure that it has no open connections) before modifying the configuration.

Fix:
Fixed an issue in the HTML profile that could cause a TMM crash during a configuration change on a virtual server with open connections.


416388-1 : vCMPD will not reattach to guest

Component: TMOS

Symptoms:
If a vCMP guest is deleted while vcmpd is not running (for example, vcmpd has crashed and is restarting), vcmpd does not reattach to that guest, because mcpd never reported that it exists, and as a result vcmpd never shuts it down.

Conditions:
A vCMP guest is deleted while vcmpd is not running.

Impact:
The deleted guest is never shut down by vcmpd and is left running as a "lost" guest.

Workaround:
N/A

Fix:
On startup, vcmpd now scans for and handles any guest deletions that happened while it was not running.


410398-3 : sys db tmrouted.rhifailoverdelay does not seem to work

Component: TMOS

Symptoms:
The sys db variable tmrouted.rhifailoverdelay does not take effect: the route is withdrawn, sometimes before the newly active device is able to advertise the virtual address, leaving a black-hole route.

Conditions:
This occurs during a failover.

Impact:
Temporary black hole for a route.

Workaround:

Fix:
tmrouted no longer bypasses rhifailoverdelay during an operational-state change.


408851-7 : Some Java applications do not work through BIG-IP server

Component: Access Policy Manager

Symptoms:
Some Java applications do not work through the BIG-IP server.

Conditions:

Impact:
Users are unable to use some web applications that use Java applets.

Workaround:

Fix:
Fixed bug that resulted in incorrect loading of Java applets (Java applications).


405769-3 : APM Logout page is not protected against CSRF attack.

Component: Access Policy Manager

Symptoms:
A user with an active APM session could be tricked into logging out of the BIG-IP system by visiting an attacker's website and clicking a link that performs CSRF against the APM logout page.

Conditions:
An attacker can place a link to the BIG-IP logout page on an external malicious website. Alternatively, such a link could be sent to the user by email. If the user is tricked into clicking this link, the user's BIG-IP APM session is terminated.

Impact:
APM session could be terminated by an attacker.

Workaround:

Fix:
A new configuration db variable, Tmm.Access.LogoutUrlRefererHeaderCheck, was added to perform a Referer header check on all requests to the APM logout page. The new db variable is disabled by default. Enabling this variable causes a Referer header check to be performed for all requests that attempt to terminate an APM session.

Use caution when enabling this db variable because it may affect logout functionality in some cases. Specifically, any custom iRules used to redirect users to logout URLs may not function properly. In addition, SAML single logout (although it terminates the user's session) may reset the browser connection under certain conditions when the db variable is enabled.
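For systems that do not yet have the db variable, the same Referer check can be expressed as an iRule; the following is an added example (not code from this page or from F5) and not the implementation behind Tmm.Access.LogoutUrlRefererHeaderCheck. The logout path, the handling of requests that carry no Referer, and the 403 response are assumptions chosen for illustration.

```tcl
# Added example: refuse logout requests whose Referer host differs from the
# request Host. Logout path and no-Referer policy are assumptions.
when RULE_INIT {
    # Assumed APM logout path; adjust to the path your deployment uses.
    set static::logout_path "/vdesk/hangup.php3"
    # Assumption: treat a missing Referer as suspicious. Set to 0 to allow
    # direct navigation and browsers that strip the header.
    set static::block_missing_referer 1
}

# Decide whether a logout request is same-origin. Returns 1 to allow and
# 0 to refuse. 'host' is the request Host header; 'referer' is the Referer
# header and may be empty.
proc logout_allowed { host referer } {
    if { $referer eq "" } {
        return [expr { $static::block_missing_referer ? 0 : 1 }]
    }
    # Compare only the host part, ignoring any :port and letter case.
    set ref_host [string tolower [URI::host $referer]]
    set req_host [string tolower [lindex [split $host ":"] 0]]
    return [expr { $ref_host eq $req_host }]
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] ne $static::logout_path } {
        return
    }
    if { ![call logout_allowed [HTTP::host] [HTTP::header Referer]] } {
        log local0. "Refused cross-site logout from [IP::client_addr] Referer='[HTTP::header Referer]'"
        # Leave the APM session intact; tell the browser why.
        HTTP::respond 403 content "Logout must be initiated from this site." "Content-Type" "text/plain"
    }
}
```

The caveats in the fix text apply here too: an iRule that redirects users to the logout URL from another host, and SAML single logout initiated by an external IdP, both arrive with a foreign or empty Referer and would be refused by this rule. Whitelist those sources explicitly in logout_allowed, or set block_missing_referer to 0, before deploying it.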


405752-1 : Monitors sourced from specific source ports can fail

Component: TMOS

Symptoms:
Monitors using TCP transport fail when sourced from ports 1097 (on some platforms), 1098, 1099, and 3306. Upon receipt of the SYN-ACK from the monitored device, TMOS filters the packet and responds with ICMP port unreachable.

Conditions:
Use one or more monitors which rely upon TCP as a transport. Port 1097 will be affected on the BIG-IP 800, 1600, 3600, 3900, 6900, 8900 (and derivative), 1100, and 11050 platforms.

Impact:
May result in false monitor failures.

Workaround:
1. Set the bigd.reusesocket database variable to enable and follow F5 Networks best practices for monitors, specifying a timeout of three times the interval plus 1 second.
2. Modify iptables by removing the affecting iptables rule:
     /sbin/iptables -D INPUT -p tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
     /sbin/iptables -D INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
     /sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Fix:
Monitors using TCP transport sourced from certain ports now handle traffic as expected.


402793-12 : APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients

Component: Access Policy Manager

Symptoms:
The VPN connection on Linux and Mac clients can slow down and may lose some packets while performing secure renegotiation on a TLS or DTLS Network Access tunnel.

Conditions:
Secure re-negotiation configured on APM virtual server.

Impact:
Users can experience disconnects or traffic loss on APM Network Access connection.

Workaround:
None.

Fix:
The APM clients for Linux and Mac have been modified to perform better during secure renegotiation.


402412-8 : FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.

Component: Local Traffic Manager

Symptoms:
When FastL4 performs hardware acceleration at TCP handshake time, the FastL4 handshake timeout is not honored.

Conditions:
When FastL4 performs hardware acceleration at SYN time, once the flow is offloaded to hardware it switches to the idle timeout instead of the TCP handshake timeout.

Impact:
FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.

Workaround:
None.

Fix:
FastL4 no longer switches to the idle timeout before data is received, so the 5-second TCP handshake timeout holds until the first data arrives, at which time the flow switches to the idle timeout.


383784-5 : Remote Auth user names containing a blank space cannot log in through TMSH

Component: TMOS

Symptoms:
Remote Auth user names containing a blank space cannot log in through TMSH.

Conditions:
Remote authentication is configured, and the BIG-IP system is configured to use remote rather than local authentication.

Impact:
Affected users cannot log in to the system using TMSH.

Workaround:

Fix:
Remote user authentication now allows blank space in user names.


375887-4 : Cluster member disable or reboot can leak a few cross blade trunk packets

Component: Local Traffic Manager

Symptoms:
Using the cluster member 'disable' command with a trunk that spans blades might cause a brief period during which received broadcast and multicast packets egress out the enabled trunk members of the cluster.

Conditions:
This occurs on a trunk that spans blades.

Impact:
To an external device running Spanning Tree Protocol or a variant, this can look like a loop.

Workaround:
None.

Fix:
Cluster member disable or reboot no longer leaks a few cross-blade trunk packets.


374339-4 : HTTP::respond/redirect might crash TMM under low-memory conditions

Component: Local Traffic Manager

Symptoms:
HTTP::respond/redirect might crash TMM under low-memory conditions.

Conditions:
Under low-memory conditions, if a new HTTP connection triggers an HTTP::respond/redirect event.

Impact:
TMM might crash.

Workaround:
Reduce memory usage.

Fix:
HTTP::respond/redirect no longer crashes TMM under low-memory conditions.


364994-7 : Disabling OneConnect must be done on Client and Server sides

Component: Local Traffic Manager

Symptoms:
When OneConnect is in use, server-side flows are reused whenever possible. If reuse is disabled on the client side (via an iRule), this might not take effect if the server-side flow does not exist yet.

Conditions:
This happens when OneConnect is enabled and the ONECONNECT::reuse disable iRule command is used.

Impact:
Flows may be reused even though they have been marked as not reusable.

Workaround:
Add the following to the iRule, where oc_reuse_ss_disable is a variable set on the client side when reuse is disabled: when SERVER_CONNECTED { if { [info exists oc_reuse_ss_disable] } { ONECONNECT::reuse disable } }
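A complete iRule showing both halves of the workaround, added here as an illustration; it is not from the release notes and not F5's own code. The variable name oc_reuse_ss_disable is taken from the workaround above; the /admin path prefix is an assumed example of a request that must not share a pooled server-side connection:

```tcl
# Added example (not from the release notes or F5's own code).
# Applies the workaround for 364994-7: mark the flow as non-reusable on the
# client side, then apply the same setting again once the server-side flow
# actually exists, because a client-side ONECONNECT::reuse disable issued
# before the server-side connection is created may not take effect.
when HTTP_REQUEST {
    # Assumed policy for the example: requests under /admin must not share a
    # pooled server-side connection with other clients.
    if { [HTTP::path] starts_with "/admin" } {
        # Client side: takes effect only if a server-side flow already exists.
        ONECONNECT::reuse disable
        # Flag for SERVER_CONNECTED; the variable name comes from the workaround.
        set oc_reuse_ss_disable 1
    }
}

when SERVER_CONNECTED {
    # The server-side flow now exists, so the disable sticks.
    if { [info exists oc_reuse_ss_disable] } {
        ONECONNECT::reuse disable
    }
}

when HTTP_RESPONSE {
    # iRule variables persist for the client-side connection; clear the flag
    # so the decision is made per request on keep-alive connections.
    if { [info exists oc_reuse_ss_disable] } {
        unset oc_reuse_ss_disable
    }
}
```

SERVER_CONNECTED fires only when a new server-side TCP connection is established, so the flag must already be set by the time load balancing picks a pool member; setting it in HTTP_REQUEST satisfies that ordering.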


364978-1 : Active/standby system configured with unit 2 failover objects

Component: TMOS

Symptoms:
If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2.

Conditions:
This occurs when an active/standby system is misconfigured with unit 2 failover objects.

Impact:
For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair.

Workaround:
To work around this, modify the default device to point to unit 1 using a command similar to the following: tmsh modify /cm traffic-group traffic-group-2 default-device unit_1_device_name.

Fix:
An active/standby system configured with unit 2 failover objects now creates one traffic group, which is the correct behavior.


362267-3 : Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors

Component: TMOS

Symptoms:
If a user configures network failover on a VIPRION using a blade's management address as the unicast address, the other blades cannot use this address and issue an error message. This is correct operation.

Conditions:
System is configured with per-blade management addresses as unicast network failover addresses.

Impact:
The system posts error messages that appear severe. However, there is no impact to system functionality.

Workaround:
No workaround is needed (under these conditions, message is cosmetic), but the use of multicast failover avoids the messages.

Fix:
The system now tracks the set of active self IPs and management addresses, and only issues errors when the unicast source IP is invalid or does not behave as expected.


359774-6 : Pools in HA groups other than Common

Component: TMOS

Symptoms:
In v11.x, pools used in an HA group must be in Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.x fails.

Conditions:
HA group pools in administrative partitions other than Common.

Impact:
Upgrade fails.

Workaround:
None, except ensuring that all pools used in HA groups exist in the Common administrative partition.

Fix:
Upgrade script has been updated to append the full partition path names to pools in ha-groups when upgrading from 10.x to 11.x and ha-groups are defined. If the same pool name is used in multiple partitions, the pool in /Common will be used first. If the name exists in multiple partitions other than /Common, the first match is used, and a warning will be logged by the upgrade script.


356658-2 : Message logged when remote authenticated users do not have local account login

Component: TMOS

Symptoms:
The following message is logged when a remote-authenticated user without a local account logs in: alert [20843]: pam_unix(:account): could not identify user (from getpwnam())

Conditions:
Remote authentication is enabled and configured on the BIG-IP system. A remote user without a corresponding local user account logs in to the BIG-IP system.

Impact:
An alert-level log entry is generated for a valid user login.

Workaround:

Fix:
The system no longer logs an alert-level entry when a remote-authenticated user without a local account logs in. The notice-level message is written to /var/log/secure, as expected.


355661-3 : sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address

Component: TMOS

Symptoms:
During system startup, particularly after an upgrade or 'load sys config', the sod daemon repeatedly logs errors because it fails to bind() to the appliance management address to listen for network failover packets. This is caused by a race condition between the chassis management daemon programming the management port address and the failover daemon attempting to use that address.

Conditions:
The management address is configured as a device unicast address.

Impact:
Excessive error-level logging for a valid configuration.

Workaround:

Fix:
The sod daemon has been modified to validate the unicast addresses against the configured management addresses and non-floating self IPs, and to retry the bind() without logging an error when the race occurs. The daemon now reports when it is successfully listening on each of the configured unicast addresses, and only logs bind() errors if the configured address is invalid.


353556-4 : big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed

Component: Global Traffic Manager

Symptoms:
big3d keeps an SSL session cache for HTTPS monitors to improve performance. When the web server changes its SSL protocol, big3d fails to connect to the web server because it keeps using the cached SSL session.

Conditions:
The SSL protocol is changed on the server side and the web server is restarted.

Impact:
big3d is unable to correctly monitor the HTTPS web server.

Workaround:
Restart big3d.

Fix:
When big3d fails to connect to the HTTPS web server, it now clears the entry from the session cache and initiates a new SSL negotiation.


352925-2 : Updating a suspended iRule and TMM process restart

Component: Local Traffic Manager

Symptoms:
Updating a suspended iRule assigned via a profile causes the TMM process to restart when trying to return to the suspended iRule.

Conditions:
This occurs when a suspended iRule that is assigned via a profile is updated, and TMM then attempts to resume the suspended iRule.

Impact:
TMM restarts.

Workaround:
Assign the iRule to the virtual server instead of assigning it to the profile.

Fix:
Updating a suspended iRule no longer results in TMM process restart.


348000-1 : HTTP response status 408 request timeout results in error being logged.

Component: Local Traffic Manager

Symptoms:
HTTP response status 408 request timeout results in error being logged.

Conditions:
An HTTP profile is attached to a virtual server, and a 408 response status is received from the server without a preceding request from the client.

Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.

Workaround:
None.

Fix:
HTTP response status 408 request timeout no longer results in error being logged.


342013-6 : TCP filter doesn't send keepalives in FIN_WAIT_2

Component: Local Traffic Manager

Symptoms:
The TCP filter does not send keepalives in FIN_WAIT_2 (half-closed state). This may result in connections remaining open when they should be closed.

Conditions:
The BIG-IP system stops sending keepalives once the connection enters the half-closed state, while the server continues to send keepalives. If the client disappears, or a firewall drops its flow entry, the connection stays open indefinitely: it is never swept, because the server's keepalives keep resetting the idle timeout.

Impact:
Idle connections may remain open indefinitely.

Workaround:
None.

Fix:
The BIG-IP system now sends keepalives in the half-closed state as well. Idle connections intentionally left open are still allowed, and clients that have disappeared are detected.


340406-10 : Localization of BIG-IP Edge Client™ for Macintosh

Component: Access Policy Manager

Symptoms:
Some text in BIG-IP Edge Client for Mac was presented in English even when the OS ran in a non-English locale.

Conditions:
The problem was seen with a non-English locale and Edge Client for Mac.

Impact:
Some parts of Edge Client for Mac showed English text to non-English speakers.

Workaround:

Fix:
BIG-IP Edge Client for Mac is now completely localized.


226892-13 : Packet filter enabled, default action discard/reject and IP fragment drop

Component: Local Traffic Manager

Symptoms:
With packet filter enabled and a default action of discard/reject, you might encounter the following symptoms:
-- Packet captures show that the BIG-IP system is receiving return traffic for one or more connections, but failing to forward those packets.
-- Some connections may fail. DNS traffic, or traffic with IP fragments, is more likely to fail because of how TMM handles connections.
-- If logging is enabled for the affected packet filter rule, many entries similar to the following example are logged to /var/log/pktfilter: 'local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56687): reject on external, len: 98 [IPv4 84 192.168.1.1 -- 192.168.1.2 ICMP 0:0]'

Conditions:
After configuring packet filters, you may notice that the BIG-IP system is incorrectly dropping the return packets of certain connections. This issue occurs when all of the following conditions are met:
-- The BIG-IP platform and software version support Clustered Multiprocessing (CMP).
-- CMP is enabled globally.
-- CMP is enabled for the specific traffic-handling object.
-- Packet filtering is enabled with the 'Filter established connections' option disabled (the default setting).

Impact:
The BIG-IP system incorrectly drops return packets, which may cause your applications to fail or work intermittently.

Workaround:
To work around this issue, you can either define additional packet filter rules that explicitly allow return traffic, or disable CMP for the affected traffic-handling object. If the object does not allow CMP to be disabled (for example, a SNAT), you can first replace it with a virtual server. For more information, see SOL12831: Using packet filters in conjunction with CMP may cause intermittent drops on return traffic, available at http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12831.html.

Fix:
Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.


224903-5 : CounterBasedGauge64 MIB values do not work with Network Management Systems

Component: TMOS

Symptoms:
CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB needs to be changed to Gauge32.

Conditions:
CounterBasedGauge64 MIB values are in use.

Impact:
CounterBasedGauge64 MIB values do not work with Network Management Systems

Workaround:
N/A

Fix:
The MIB has been changed to Gauge32.




Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release

Note: F5 has recently changed the bug numbering scheme in its bug tracking database. All bugs now have a single version assigned to them, so a bug can have sub-bugs denoted by a '-' followed by the sub-bug number, e.g. 404716-4, where 404716 is the parent bug. The release notes for previous rollups also reflect this change, so some bugs may now carry a sub-bug suffix.

TMOS Fixes

ID Number Description
523032-6 qemu-kvm VENOM vulnerability CVE-2015-3456
520349 iControl portal restarts
519877 External pluggable module interfaces not disabled correctly.
516073 Revised AWS Setup Guide
514564 Special internal handling needed when hotfixing the f5base RPM.
514450-4 VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
512485-3 Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
510597-3 SNAT Origin Address List is now stored correctly when first created
510393-1 TMM may occasionally restart with a core file when deployed VCMP guests are stopped
510049 Revised BIG-IP CGNAT Implementations content
509475 spdy profile with activation-mode always may not load on upgrade to 11.6.0 or later
509276-4 VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
507842-2 Patch for BIND Vulnerability CVE-2015-1349
507487-1 ZebOS Route not withdrawn when VAddr/VIP down and no default pool
507461-6 Net cos config may not persist on HA unit following staggered restart of both HA pairs.
507327-1 Programs that read stats can leak memory on errors reading files
506281 F5 Internal tool change to facilitate creating Engineering Hotfixes.
505878 Configuration load failure on secondary blades may occur when the chassis is rebooted
505323-1 NSM hangs in a loop, utilizing 100% CPU
504572-4 PVA accelerated 3WHS packets are sent in wrong hardware COS queue
504508-1 IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
504490-1 The BIG-IP system sometimes takes longer on boot up to become Active.
503875-1 Configure bwc policy category max rate
503604-3 Tmm core when switching from interface tunnel to policy based tunnel
502675-1 Improve reliability of LOP/LBH firmware updates
501953-2 HA failsafe triggering on standby device does not clear next active for that device.
501371-4 mcpd sometimes exits while doing a file sync operation
501343-3 In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
499947 Improved performance loading thousands of Virtual Servers
495862-1 Virtual status becomes yellow and gets connection limit alert when all pool members forced down
495335-1 BWC related tmm core
494978-1 The hostagentd daemon should not be running in non-vcmp mode.
494367-2 HSB lockup after HiGig MAC reset
493223-3 syscalld core dumps now keep more debugging information
492458-1 BIOS initial release
492422-4 HTTP request logging reports incorrect response code
491791-3 GET on non-existent pool members does not show error
490414-1 /shared/vmisolinks present on systems running versions where block-devices are not present
490171-1 Cannot add FQDN node if management route is not configured
489750-3 Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
488916 CIDR can now be used for SNAT Origin Address List
488374-2 Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
487552-3 triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests are coming from 8G table
487233-1 vCMP guests are unable to access NTP or RSYNC via their management network.
486512-7 audit_forwarder sending invalid NAS IP Address attributes
485939-1 OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.
485833-7 File descriptor leak in MCP when modifying users
484861-5 A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
484733-4 aws-failover-tgactive.sh doesn't skip network forwarding virtuals
483762-3 Overlapping vCMP guest MAC addresses
483751-1 Internal objects can have load failures on restarted blades
483699-1 No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list
483683-3 MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
482434 Possible performance degradation in AWS cloud
481082-2 Software auto update schedule settings can be reset during a full sync
480811-2 qkview will not collect lib directories.
480679-1 The big3d daemon does not receive config updates from mcpd
478761-1 load sys config default does not work with iControl Rest
477859-1 ZebOS config load may fail if password begins with numeric character
477789-4 SSL Certificate can accommodate and in Common Name, Organization Name, Division and SAN.
477281-4 Improved XML Parsing
477111-5 Dual management routes in the main routing table
476288-1 Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
476157-3 Fix for CVE-2014-4341, CVE-2014-4342, and CVE-2014-4343.
475592-2 Per-core and system CPU usage graphs do not match
474751-1 IKEv1 daemon crashes when flushing SAs
474323 ePVA IPv6 feature is not available
473517-2 'OID not increasing error' during snmpwalk
473200-2 Renaming a virtual server causes unexpected configuration load failure
473037-1 BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
472365-4 The vCMP worker-lite system occasionally stops due to timeouts
471496-2 Standby node sends a summary LSA for the default route into a stub area with the same metric value as that of Active node.
468517-8 Multi-blade systems can experience active/standby flapping after both units rebooted
468517-5 Multi-blade systems can experience active/standby flapping after both units rebooted
468175-8 IPsec interop with Cisco systems intermittent outages
467646 IDE DMA timeouts can result in stuck processes
467196-5 Log files limited to 24 hours
466266-1 In rare cases, an upgrade (or a restart) can result in an Active/Active state
466116-3 Intermittent 'AgentX' warning messages in syslog/ZebOS log files
464132-2 Serverside SSL cannot be disabled if Rewrite profile is attached
463959-1 stpd attempts to connect to slots in a chassis that are empty
463715-3 syscalld logs erroneous and benign timeout messages
460730-7 On systems with multiple blades, large queries can cause TMM to restart
452293-4 Tunneled Health Monitor traffic fails on Standby device
447075-1 CuSFP module plugged in during links-down state will cause remote link-up
445911-6 TMM fast forwarded flows are offloaded to ePVA
440346-5 Monitors removed from a pool after sync operation
440154-3 When IKEv2 is in use, user can only associate one Traffic Selector object with the IKE Peer object
439343 Client certificate SSL authentication unable to bind to LDAP server
436682-5 SFP modules shows a higher optical power output for disabled switch ports
431634-6 tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails
430799-3 CVE-2010-5107 openssh vulnerability
430323-4 VXLAN daemon may restart when 8000 VXLAN tunnels are configured
422460-8 TMM may restart on startup/config-load if it has too many objects to publish back during config load
420204-3 FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
416292-1 MCPD can core as a result of another component shutting down prematurely
394236-3 MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
376120-4 tmrouted restart after reconfiguration of previously deleted route domain
361367-3 Create 8MB-aligned partitions/volumes for VE images to improve disk I/O


Local Traffic Manager Fixes

ID Number Description
520413 Aberrant behavior with woodside TCP congestion control
517124 HTTP::retry incorrectly converts its input
516408-1 SSL reports certificate verification OK even when verification returns failure for pcm=request.
516292-1 Incorrect handling of repeated headers
516179-1 Woodside falsely detects congestion
515482 Multiple teardown conditions can cause crash
514604-1 Nexthop object can be freed while still referenced by another structure
514521 Rare TMM Cores with TCP SACK and Early Retransmit
514216 Internal unit test issue found by F5 testing prior to release.
513243-1 Improper processing of crypto error condition will cause memory double-free
513034-1 TMM may crash if Fast L4 virtual server has fragmented packets
512490-3 Increased latency during connection setup when using FastL4 profile and connection mirroring.
512016-1 DB variable added to determine DNS UDP truncation behavior.
511873 TMM core observed during SSL cert-related tmsh execution.
511651-3 Performance improvement in packet processing.
511517-1 Request Logging profile cannot be configured with HTTP transparent profile
511130-3 TMM core due to invalid memory access while handling CMP acknowledgement
509416 Suspended 'after' commands may result in unexpected behaviors
509310-5 Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
509310-3 Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
508716-4 DNS cache resolver drops chunked TCP responses
507127-2 DNS cache resolver is inserted to a wrong list on creation.
506702-4 TSO can cause rare TMM crash.
506290-4 MPI redirected traffic should be sent to HSB ring1
505964 Invalid http cookie handling can lead to tmm core
505331-1 SASP Monitor may core
505056-5 Packet priority pass-through mode not implemented correctly.
504306-2 https monitors might fail to re-use SSL sessions.
504225-2 Virtual creation with the multicast IPv6 address returns error message
503741-2 DTLS session should not be closed when it receives a bad record.
503620-3 ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
503560-2 Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
503214-3 Under high load, crypto queues may become stuck
503118-2 clientside and serverside command crashes TMM
502959-2 Unable to get a response from virtual server after node flapping
502770-2 clientside and serverside command crashes TMM
502683-3 Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
502149-3 Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
501690-3 TMM crash in RESOLV::lookup for multi-RR TXT record
500303-3 Virtual Address status may not be reliably communicated with route daemon
499950-5 In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
499946-3 Nitrox might report bad records on highly fragmented SSL records
499280-1 Backend server using a certificate signed/hashed with sha512 might refuse to establish SSL handshake using TLS1.2 with the BIG-IP system.
499150-3 OneConnect does not reuse existing connections in VIP targeting VIP configuration
498597-5 SSL profile fails to initialize and might cause SSL operation issues
498334-2 TMM will correctly send a response message back when processing a zone notify message
498269-1 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode
497584-2 The RA bit on DNS response may not be set
497433-2 SSL Forward Proxy server side now supports all key exchange methods.
496950-1 Flows may not be mirrored successfully when static routes and gateways are defined.
496588-1 HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash
495875-2 Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic
495574-3 DB monitor functionality might cause memory issues
495443-4 ECDH negotiation failures logged as critical errors.
495253-1 TMM may core in low memory situations during SSL egress handling
495030-1 Segfault originating from flow_lookup_nexthop.
494322-6 The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
494319-1 Proxy SSL caused tmm to core by dereferencing a null pointer
493673-2 DNS record data may have domain names compressed when using iRules
493140-1 iRule does not work when a cookie hash persistence profile is in use.
493117-6 Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
491518-2 SSL persistence can prematurely terminate TCP connection
491454-6 SSL negotiation may fail when SPDY profile is enabled
491030-6 Nitrox crypto accelerator can sometimes hang when encrypting SSL records
490817-1 SSL filter might report codec alerts repeatedly
490480-3 UCS load may fail if the UCS contains FIPS keys with names containing dot
490129-1 SMTP monitor could not create socket on IPv6 node address
489796-2 TMM cores when Woodside congestion control is used.
488931-1 TMM may restart when MPTCP traffic is being handled.
488908-1 In client-ssl profile which serves as server side, BIG-IP SSL does not initialize in initialization function.
488598-1 SMTP monitor on non-default route domain fails to create socket
487757 Hybrid higig/front panel port packet discard (ingress back-pressure vs. egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on Centaur/Treadstone/Victoria2 platforms.
487592 Change in the caching duration of OCSP response when there is an error
487587-2 The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios
487554-2 System might reuse TCP source ports too quickly on the server side.
486724-3 After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails
486450-2 iApp re-deployment causes mcpd on secondaries to restart
485917-3 BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
485189-3 TMM might crash if unable to find persistence cookie
484305-2 Clientside or serverside command with parking command crashes TMM
483539-1 With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
483353-1 HTTP compression might cause TMM crash in low-memory conditions
481880-5 SASPD monitor cores
481820-1 Internal misbehavior of the SPDY filter
481216-1 Fallback may be attempted incorrectly in an abort after an Early Server Response
480888-2 Tcl parks during HTTP::collect, and serverssl is present, data can be truncated
480699-2 HA mirroring can overflow buffer limits on larger platforms
480686-7 Packet loop in VLAN Group
480443-1 Internal misbehavior of the SPDY filter
480370-6 Connections to virtual servers with port-preserve property will cause connections to leak in TMM
480299-1 Delayed update of Virtual Address might not always happen.
480113-4 Install of FIPS exported key files (.exp) causes device-group sync failure
479682-4 TMM generates hundreds of ICMP packets in response to a single packet
479674-1 bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.
479176-1 TMM hangs and receives SIGABRT due to race condition during DNS db load
479171-3 tmm might crash when DSACK is enabled
478983-1 TMM core during certificate verification against CRL
478840-1 Cannot delete keys in subfolders using the BIG-IP GUI
478734-5 Incorrect 'FIPS import for failed for key' failure when operation actually succeeds
478195-4 Installation of FIPS .exp key files sets incorrect public exponent.
477375-5 SASP Monitor may core
477064-1 TMM may crash in SSL
476683-2 Suspended DNS_RESPONSE events are not resumed
476599-4 TMM may panic when resuming DNS_REQUEST iRule event
475791-4 Ramcache profile may dispatch internal messages out-of-order leading to assert
475408-1 SSL persistence profile does not find the server certificate.
475322-2 cur_conns number different in tmstat and snmp output.
475231-5 TCP::close in CLIENTSSL_CLIENTCERT iRule event may result in tmm crash
474974-3 Fix ssl_profile nref counter problem.
474584-2 igbvf driver leaks xfrags when partial jumbo frame received
474388-3 TMM restart, SIGSEGV messages, and core
474226-2 LB_FAILED may not be triggered if persistence member is down
474002-4 Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys
473759-1 Unrecognized DNS records can cause mcpd to core during a DNS cache query
472585-3 tmrouted crashes after a series of configuration changes
472148-7 Highly fragmented SSL records can result in bad record errors on Nitrox based systems
471821-1 Compression.strategy "SIZE" is not working
471625-8 After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
470394-2 Priority groups may result in traffic being load balanced to a single pool member.
470191-2 Virtual with FastL4 with loose initiation and close enabled might result in TMM core
469739-4 ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile
469705-4 TMM might panic when processing SIP messages due to invalid route domain
469115-3 Management client-ssl profile does not support multiple key/cert pair.
468472-7 Unexpected ordering of internal events can lead to TMM core.
467868-3 Leak due to monitor status reporting
464651-2 Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.
464163-3 Customized cert-key-chain of a client ssl profile might be reverted to its parent's.
463696-5 FIPS keys might not be recoverable from UCS
460627-3 SASP monitor starts a new connection to the GWM server when a connection to it already exists
457934-4 SSL Persistence Profile Causing High CPU Usage
456763-5 L4 forwarding and TSO can cause rare TMM outages
456413-5 Persistence record marked expired though related connection is still active
455840-7 EM analytic does not build SSL connection with discovered BIG-IP system
451224-3 IP packets that are fragmented by TMM, the fragments will have their DF bit
449891-7 Fallback source persistence entry is not used when primary SSL persistence fails
447272-2 Chassis with MCPD audit logging enabled, will sync updates to device group state
444710-6 Out-of-order TCP packets may be dropped
443006-1 In low memory situations initializing the HTTP parser will cause the TMM to crash
438792-5 Node flapping may, in rare cases, lead to inconsistent persistence behavior
428163-3 Removing a DNS cache from configuration can cause TMM crash
417068-6 Key install or deletion failure on FIPS key names longer than 32 chars on some platforms
384451-6 Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions


Performance Fixes

ID Number Description
497619-6 tmm performance may be impacted when server node is flapping and persist is used
476144-1 TMM generates a core file when dynamically loading a shared library.
426939-5 APM policies do not work in VIPRION P8 chassis if there is no slot 1


Global Traffic Manager Fixes

ID Number Description
491554-2 [big3d] Possible memory leakage for auto-discovery error events.
477240-2 iQuery connection resets every 24 hours
468519-1 GTM configuration load failure from invalid bigip_gtm.conf file.


Application Security Manager Fixes

ID Number Description
517245-2 A request that should be blocked was forwarded to the server
516523-2 Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group
515449-1 bd agent listens on all addresses instead of the localhost only
515433-1 BD crash on specific signature sets configuration.
515190-2 Event Logs -> Brute Force Attacks can't show details after navigating to another page
514093-1 Allow request logs to be filtered by destination IP.
513763 Slow response from GUI when listing Event Logs
512668-1 ASM REST: Unable to Configure Clickjacking Protection via REST
512616-1 BD crash during brute force attack in cluster environment
512001-1 Using REST API to Update ASM Attack Signatures Fails
512000-1 Event Log Filter using Policy Group isn't accurate
511947-1 Policy auto-merge of Policy Diff
511488-1 Correlation restarting on a multi bladed VCMP guest
511477-2 Manage ASM security policies from BIG-IQ
510499-2 Enforcer Crashes after Sync in an ASM-only Device Group
509968-3 BD crash when a specific configuration change happens
509873-1 Rare crash and core dump of tmm or bd after rebooting a device or joining a trust domain.
509495 A TMM memory leak when HTTP protocol security enabled profile and no AFM license
508908-1 Enforcer crash
508519-4 Performance of Policy List screen
508338-1 Under rare conditions cookies are enforced as base64 instead of clear text
507919-1 Updating ASM through iControl REST does not affect CMI sync state
507905 Saving Policy History during UCS load causes DB deadlock/timeout
507902-1 Failure and restart of mcpd in secondary blade when cluster is part of a trust domain.
507289-3 User interface performance of Web Application Security Editor users
506407 Certain upgrade paths to 11.6.x would lose the redirect URL configuration for Alternate Response Pages
506386-2 [CMI] Automatic ASM sync group remains stuck in init state when configured from tmsh
506372 XML validation files related errors on upgrade
506355-1 Importing an XML file without defined entity sections
506110-1 Log flood within datasyncd.log in clustered environment
504973-1 Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead
504718-2 Policy auto-merge of Policy Diff
504232-2 Attack signatures are not blocked after signature/set change
504182-1 Enforcer cores after upgrade upon the first request
503169-1 XML validation files are not correctly imported/upgraded
502852-2 Deleting an in-use custom policy template
501612-4 Spurious Configuration Synchronizations
500544-1 XML validation files are not correctly imported/upgraded
498708-1 Errors logged in bd.log coming from the ACY module
498189-3 ASM Request log does not show log messages.
497769 Policy Export: BIG-IP does not export redirect URL for "Login Response Page"
496565-1 Secondary Blades Request CMI Sync
496264-1 SOAP Methods Were Not Being Validated For WSDL Based XML Profiles
493401-2 Concurrent REST calls on a single endpoint may fail
492978-1 All blades in a cluster remain offline after provisioning ASM or FPS
490284-3 ASM UI extremely slow to respond (e.g. >2 minutes to render policy list)
489648-1 Empty violation details for attack signatures
488306-1 Requests not logged locally on the device
487420-1 BD crash upon stress on session tracking
486323-1 The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation
485764-5 WhiteHat vulnerability assessment tool is configured but integration does not work correctly
484079-1 Change to signature list of manual Signature Sets does not take effect.
482915-1 Learning suggestion for the maximum headers check violation appears only for blocked requests
481476-5 MySQL performance
478674-1 ASM internal parameters for high availability timeout was not handled correctly
475819-4 BD crash when trying to report attack signatures
471103-1 Ignoring null values for parameters with different content types


Application Visibility and Reporting Fixes

ID Number Description
508544-1 AVR injects CSPM JavaScript when the payload does not contain an HTML tag
504414-1 AVR HTTP External log - missing fields
503683 Configuration upgrade failure due to change in an ASM predefined report name
503471-1 Memory leak can occur when there is a compressed response, and abnormal termination of the connection
500457-1 Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash
500034-1 [SMTP Configuration] Encrypted password not shown in GUI
497681-1 Tuning of Application DoS URL qualification criteria
497376-1 Wrong use of custom XFF headers when there are multiple matches
488713-1 Corrupt memory


Access Policy Manager Fixes

ID Number Description
523803 Support two-factor authentication for Citrix Receivers in StoreFront proxy mode
517146-1 Log ID 01490538 may be truncated
516075-6 Linux command line client fails with on-demand cert
515387 Update EPSEC package to latest verified in 11.6.0 branch
514636-1 SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN.
514277-1 Provide a way to enable connection bar for Citrix desktops only
513795-1 HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1
513646-1 APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer
513382-13 Resolution of multiple OpenSSL vulnerabilities
512999-1 LDAP Query may fail if user belongs to a group from foreign domain
512378-1 Changing per request policy in the middle of data traffic can cause tmm to crash
511961-1 BIG-IP Edge Client does not display logon page for FirePass
511648-2 On standby tmm can core when active system sends leasepool HA commands to standby device
511441-3 Memory leak on request Cookie header longer than 1024 bytes
510596-6 Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
509956-4 Improved handling of cookie values inside SWG blocked page.
509758-2 EdgeClient shows incorrect warning message about session expiration
509010 Adding/Deleting a local user takes 30 seconds to complete
508719-1 APM logon page missing title
508630-4 The APM client does not clean up DNS search suffixes correctly in some cases
507782-1 TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
507318-3 JS error when sending message from DWA new message form using Chrome
506349-4 BIG-IP Edge Client for Mac identified as browser by APM in some cases
506235-2 SIGSEGV caused by access_redirect_client_to_original_uri
505797-1 Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway
505662-1 Signed SAML IdP/SP exported metadata contains some elements in wrong order
504880-2 tmm may crash when RDP client connects to APM configured as Remote Desktop Gateway
504606-3 Session check interval now has minimum value
504461-2 Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
503319-4 After network access is established browser sometime receives truncated proxy.pac file
502441-5 Network Access connection might reset for large proxy.pac files.
502016-4 MAC client components do not log version numbers in log file.
501498-1 APM CTU doesn't pick up logs for Machine Certificate Service
499620-6 BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-1 Windows File Check does not work if the filename starts with an ampersand
498993-1 it is possible to get infinite loop in LDAP Query while resolving nested groups
498782-2 Config snapshots are deleted when failover happens
498469-5 Mac Edge Client fails intermittently with machine certificate inspection
497662-3 BIG-IP DoS via buffer overflow in rrdstats
497455-1 MAC Edge client crashed during routine Network Access.
497436-4 Mac Edge Client behaves erratically while establishing network access connection
497325-1 New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment
496894-1 TMM may restart when accessing SAML resource under certain conditions.
496817-1 Big-IP Edge client for windows fails to connect to firepass server if tunnel is established through a proxy
495901-3 Tunnel Server crash if probed on loopback listener.
495702-4 Mac Edge Client cannot be downloaded sometimes from management UI
495319-3 Connecting to FP with APM edge client is causing corporate network to be inaccessible
495273-1 LDAP extended error info only available at debug log level which could affect Branch rules
495265-1 SAML IdP and SP configured in same access profile not supported
494176-5 Network access to FP does not work on Yosemite using APM Mac Edge Client.
494088-4 APD or APMD should not assert when it can do more by logging error message before exiting.
493385-6 BIG-IP Edge Client uses generic icon set even if F5 icon set is configured
493360-1 Fixed possible issue causing Edge Client to crash during reconnect
490681-1 Memcache entry for dynamic user leaks
490675-1 User name with leading or trailing spaces creates problems.
489382-7 Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
489328-9 When BIG-IP virtual accessed with multiple tabs with long initial URLs before session creation can cause TMM crash.
487170-1 Enhanced support for proxy servers that resolve to multiple IP addresses
486597-1 Fixed Network Access renegotiation procedure
486268-1 APM logon page missing title
485355-3 Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
485202-1 LDAP agent does not escape '=' character in LDAP DN
484582-2 APM Portal Access is inaccessible.
483526-1 Rarely seen Edge Client for Mac crash on session disconnect
482269-1 APM support for Windows 10 out-of-the-box detection
482134-1 APD and APMD cores during shutdown.
480817-3 Added options to troubleshoot client by disabling specific features
480242-5 APD, APMD, MCPD communication error failure now reported with error code
477898-1 Some strings on BIG-IP APM EDGE Client User Interface were not localized
477278-5 CVE-2014-6032 and CVE-2014-6033
476038-1 Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
475505-6 Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474698-2 BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
474582-3 Add timestamps to logstatd logs for Policy Sync
473697-6 HD Encryption check should provide an option to choose drive
473386-11 Improved Machine Certificate Checker matching criteria for FQDN case
473129-5 httpd_apm access_log remains empty after log rotation
473092-1 Transparent Proxy + On-Demand Cert Auth will reset
471452-2 Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
471421-5 Ram cache evictions spikes with change of access policy leading to slow webtop rendering
471331-2 APM::RBA reset due to a leaked HUDEVT_REQUEST_DONE
468137-7 Network Access logs missing session ID
465012-4 Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
464992-7 Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
461597-11 MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate
460715-5 Changes in captive portal probe URL
460427-2 Address collision reported when the Primary blade goes down or its TMM crashes in an Chassis IntraCluster environment.
456911-3 Add BIG-IP hostname to system's static DNS host entries
452464-4 iClient does not handle multiple messages in one payload.
452416-1 tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
437744-4 SAML SP service metadata exported from APM may fail to import.
437743-6 Import of Access Profile config that contains ssl-cert is failing
436201-6 JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
433972-13 New Event dialog widget is shifted to the left and Description field does not have action widget
433847-1 APD crashes with a segmentation fault.
432900-9 APM configurations can fail to load on newly-installed systems
431980-1 SWG Reports. Overview and Reports do not show correct data.
431149-6 APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
416115-14 Edge client continues to use old IP address even when server IP address changed
410089-2 Linux client hangs after receiving the application data
403991-8 Proxy.pac file larger than 32 KB is not supported


WebAccelerator Fixes

ID Number Description
514838-1 TMM Crash on Relative URL
514785-2 TMM crash when processing WA-optimized video URLs
511534-1 A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load
488917-2 Potentially confusing wamd shutdown error messages
486346-3 Prevent wamd shutdown cores
481431-1 AAM concatenation set memory leak on configuration change
467633-5 WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)
447254-1 Core in parked transaction due to evicted stand-in document


Service Provider Fixes

ID Number Description
512054-1 CGNAT SIP ALG - RTP connection not created after INVITE
511326-2 SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
507143-1 Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion
504348-1 iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers
503676-4 SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
500365-3 TMM Core as SIP hudnode leaks
499701-1 SIP Filter drops UDP flow when ingressq len limit is reached.
486356-1 unable to configure a virtual with stats profile and sip profile in 11.6.0
482436-1 Inefficient handling of invalid SIP request
478442-5 Core in sip filter due to sending of HUDEVT message while processing of HUDCTL message
477318-1 Fixes possible segfault
472376-3 SIP Filter crash in egress because the ingress pcb is already released
466761-4 Heartbeat (UDP packet containing only a double CRLF) on an existing SIP flow results in connection loss.
455006-7 Invalid data is merged with next valid SIP message causing SIP connection failures
448493-10 SIP response from the server to the client get dropped


Advanced Firewall Manager Fixes

ID Number Description
517019-1 AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect
515562-1 Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.
515187-2 Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
513565-1 AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
513403-1 TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.
512609 Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
511406-1 Pagination issue on firewall policy rules page
505624-1 Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
503541-2 Use 64 bit instead of 10 bit for Rate Tracker library hashing.
503085-3 Make the RateTracker threshold a constant
502414-2 Make the RateTracker tier3 initialization number less variant.
501986-3 Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process
501480-3 AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925-3 Introduce a new sys db variable to control number of mergers per second of Rate Tracker library.
500449 "Any IPv4 or IPv6" choice in sweep attack has atypical definition
497311 Can't add an ICMPv6 type and code to a FW rule.
496278-2 Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name


Policy Enforcement Manager Fixes

ID Number Description
519407-1 PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID
518967-1 tmm may induce a run away strncpy
515638 5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs
512734 Socket error when Webroot cloud lookup is enabled under stress condition
512663 Added urlcatblindquery iRule command
511064-1 Repeated install/uninstall of policy with usage monitoring stops after second time
510811-1 PEM::info irule does not take effect if used right after PEM::session config policy irule
510721-1 PEM::enable / PEM::disable iRule errors out with an error message
509105-1 TMM core some times if provisioning hold time is set to non-zero
508051-1 DHCP response may return to wrong DHCP client
507753 URL categorization missed if HTTP1.0 header does not have HOST
507549-1 PEM may ignore a RAR if the target session is in the Provision-Pending state
506734 Cloud lookup stress condition
506578 Webroot cloud lookup does not yield a category.
506283 100% TPS drop when webroot cloud lookup is enabled under stress condition
505986 Extra Webroot cloud lookup requests when cache is full
505529 wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled.
505069 Webroot cloud lookup granularity
504028-1 Generate CCR-T first and then CCR-I if session being replaced
503381-2 SSL persistence may cause connection resets
500219-1 TMM core if identical radius starts messages received
496976-2 Crash when receiving RADIUS message to update PEM static subscriber.
495913-2 TMM core with CCA-I policy received with uninstall
489767 Webroot cloud lookup support
488166-1 Provide an option to delete the session if IP class address Limit reached when new IP being added and create a new one instead.
484278-4 BIG-IP crash when processing packet and running iRule at the same time
484095 RADIUS accounting message with multiple IPv6 prefix causes TMM crash
480544-1 Secondary IP flows are not forwarded in multiple IP session
478399-2 PEM subscriber sessions are created without PEM being licensed if a "radiusLB-subscriber-aware" profile is configured.
473680-1 Multiple DHCP solicit packets may not succeed.
467106-1 Loading ucs file after install 11.6.0 on top of 11.5.0 failed when Gx reporting is enabled.


Carrier-Grade NAT Fixes

ID Number Description
519723 dnatutil utility needs update because DAG changed.
494280-3 TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel
493807-5 TMM might crash when using PPTP with profile logging enabled
482202-1 Very long FTP command may be ignored.


Fraud Protection Services Fixes

ID Number Description
513871 Tab collisions
487553 FPS alerts
482788-3 GUID in Source integrity alerts
479554-1 TMM core


Global Traffic Manager Fixes

ID Number Description
499719-1 Order Zones statistics would cause database error
494305-3 [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.
475092 DNS::Zones:Zones:Zones List:Statistics


Anomaly Detection Services Fixes

ID Number Description
461949 Virtual server with Portal Access and DOS profile resets connection


Traffic Classification Engine Fixes

ID Number Description
513215 Only one of the tmms load the classification library after an IM package upgrade
508660-1 Intermittent tmm crash in classification library
484483-2 TCP and UDP was classified as Unknown by classification library


Cumulative fix details for BIG-IP v11.6.0 Hotfix 5 that are included in this release

523803 : Support two-factor authentication for Citrix Receivers in StoreFront proxy mode

Component: Access Policy Manager

Symptoms:
Citrix Receivers do not detect 2-factor authentication when connecting to APM.

Conditions:
APM is configured as StoreFront proxy and 2-factor authentication is used.

Impact:
Citrix Receivers do not detect 2-factor authentication.

Workaround:
To enable 2-factor authentication, put a Variable Assign agent in front of the Logon Page in VPE with the following expression: session.citrix.client_auth_type = expr {"1"}.

Fix:
Added support for two-factor authentication for Citrix Receivers in StoreFront proxy mode.


523032-6 : qemu-kvm VENOM vulnerability CVE-2015-3456

Component: TMOS

Symptoms:
A vCMP hosted guest may be able to execute code in the context of the vCMP host hypervisor.

Conditions:
An attacker with root access on a vCMP guest may be able to crash the guest instance and/or execute code in the context of the vCMP hypervisor.

Impact:
An attacker in a vCMP guest can crash the guest system and/or execute code in the context of the hypervisor.

Workaround:
None.

Fix:
Integrated fixes to resolve CVE-2015-3456.


520413 : Aberrant behavior with woodside TCP congestion control

Component: Local Traffic Manager

Symptoms:
Potential tmm core.

Conditions:
Woodside congestion control along with multiple profile options enabled and certain traffic may cause an issue where tmm may core.

Impact:
With Woodside and the other necessary options enabled, TMM may core. Disabling Woodside or those options avoids the crash, but has negative performance implications and might trigger other unexpected behaviors.

Workaround:
Switching from woodside to illinois congestion control avoids issue.


520349 : iControl portal restarts

Component: TMOS

Symptoms:
iControl portal can restart during EM discovery.

Conditions:
EM discovery/device refresh

Impact:
iControl portal restarts, causing an iControl outage.

Workaround:


519877 : External pluggable module interfaces not disabled correctly.

Component: TMOS

Symptoms:
External pluggable module interface may show link UP status, when administratively disabled.

Conditions:
Disable any external pluggable module interface that is connected to an enabled peer interface.

Impact:
Disabled external pluggable module interface may link UP and potentially pass traffic.

Workaround:

Fix:
Software fix prevents disabled external pluggable module interface from being re-enabled, as a result of periodic linkscan operations.


519723 : dnatutil utility needs update because DAG changed.

Component: Carrier-Grade NAT

Symptoms:
dnatutil utility needs update because DAG changed.

Conditions:
CGNAT configured

Impact:
STDERR: dnatutil: Newer version of the utility is required to process the data (required daglib id: 5666df06f3570ad26976e607e02f71f7).

Workaround:
None

Fix:
dnatutil utility has been updated because DAG changed.


519407-1 : PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID

Component: Policy Enforcement Manager

Symptoms:
If an existing session is replaced by a new session that has the same IP address but a different subscriber ID, a tmsh lookup of the session by the new subscriber ID fails.

Conditions:
Existing session replaced by new session with same IP and different subscriber ID.

Impact:
Lookup of the new session fails, and replacement of the session fails too.

Workaround:

Fix:
This issue has been fixed and should work as expected.


518967-1 : tmm may induce a run away strncpy

Component: Policy Enforcement Manager

Symptoms:
Due to a parsing bug in the code, it is possible that a runaway strncpy could occur for certain URL categorization input, which may lead to a tmm restart.

Conditions:
The PEM URL categorization feature is enabled to categorize the URLs in traffic processed by PEM virtual servers.

Impact:
This bug could lead to tmm restart, and introduce service interruption during the tmm restart.

Workaround:

Fix:
The parsing code for the URL input has been fixed to handle multiple corner cases of the URLs.


517245-2 : A request that should be blocked was forwarded to the server

Component: Application Security Manager

Symptoms:
A request that should be blocked is forwarded to the server.

Conditions:
Both of the following conditions:
1. Either the "do nothing" header content profile applies to the request URL, or the request is longer than the maximum buffer size while the "request length exceeds buffer size" violation is turned off (both cases put the enforcer into an ignore-payload state).
2. An iRule or session tracking is assigned on the virtual server.

Impact:
In case the request should have been blocked, it will arrive to the server.

Workaround:
N/A

Fix:
A scenario when a request that should have been blocked reached the server was fixed.


517146-1 : Log ID 01490538 may be truncated

Component: Access Policy Manager

Symptoms:
Log ID 01490538 may appear truncated in /var/log/apm. It is supposed to say "Configuration snapshot deleted by Access".

Conditions:
Access profile snapshots are timing out and being deleted by the system.

Impact:
Most likely just corrupted log messages. A very slight chance of a crash, due to the string terminator being written to the wrong location in memory.

Workaround:
No workaround.

Fix:
Log ID 01490538 now prints correctly to /var/log/apm.


517124 : HTTP::retry incorrectly converts its input

Component: Local Traffic Manager

Symptoms:
HTTP::retry converts its input into UTF8. If the input is a bytearray using some other locale, then bytes with the high-bit set may be corrupted. The resulting corrupted request will then be sent to the server as the retried request.

Conditions:
The input to HTTP::retry is a TCL bytearray rather than a TCL string. The output of some commands (e.g., HTTP::payload) is a bytearray. Strings are in UTF-8 format; bytearrays are not.

Impact:
Non-ascii characters may be corrupted when HTTP::retry is used.

Workaround:

Fix:
The HTTP::retry command no longer corrupts input that isn't in the UTF8 format.
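An added illustration of the corruption mechanism, not code from F5 or the BIG-IP product: it models the retried request as a byte string, applies the pre-fix conversion (the bytearray decoded as if it were text, assumed to be Latin-1 here, and re-encoded as UTF-8) beside the fixed pass-through, and checks whether the body still matches its declared Content-Length. The request, host name and byte-oriented encoding are constructed assumptions.

```python
# Added example, not F5 code: models the HTTP::retry conversion bug and its fix.
# Assumption: the "other locale" the bytearray is read in is Latin-1 (one byte per char).

def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (head, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    return head, body


def declared_content_length(head: bytes) -> int:
    """Return the Content-Length value from the header block (0 if absent)."""
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def retry_as_text(raw: bytes) -> bytes:
    """Pre-fix behaviour: the byte payload is treated as text and re-emitted as UTF-8.
    Every byte >= 0x80 becomes a two-byte sequence, so the body grows."""
    return raw.decode("latin-1").encode("utf-8")


def retry_as_bytes(raw: bytes) -> bytes:
    """Fixed behaviour: the payload is forwarded byte-for-byte."""
    return bytes(raw)


def check_retry(raw: bytes, retry) -> tuple:
    """Apply a retry function and report (payload_unchanged, declared_length, actual_body_length).
    A mismatch between the last two means the server reads a truncated or desynchronised body."""
    out = retry(raw)
    head, body = split_request(out)
    return out == raw, declared_content_length(head), len(body)


# Constructed sample request: the body carries a Latin-1 'é' (0xE9) and a raw 0xFF byte.
SAMPLE_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"caf\xe9\xff!"
)

if __name__ == "__main__":
    print("buggy retry:", check_retry(SAMPLE_REQUEST, retry_as_text))
    print("fixed retry:", check_retry(SAMPLE_REQUEST, retry_as_bytes))
```

With the constructed request the buggy path turns a 6-byte body into 8 bytes while the Content-Length header still says 6, which is exactly the kind of corrupted request the symptom describes reaching the server.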


517019-1 : AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect

Component: Advanced Firewall Manager

Symptoms:
AVR sometimes detects the incorrect BIG-IP module that created a response to an HTTP transaction.

Conditions:
Using an AVR HTTP profile or Application DoS, with a transaction that was responded to by a BIG-IP module such as DoS, Cache, iRules, and so on.

Impact:
1. AVR reports an incorrect module. 2. Application DoS uses this information for its decisions, and thus can choose a mitigation action that differs from the desired one.

Workaround:
None.

Fix:
The detection of the internal module is done correctly, so that the correct mitigation action is chosen.


516523-2 : Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
ASM is only supposed to request a Full Sync if there has been a Manual Full Sync request, or if an incremental / auto sync indicates that the state is inconsistent with that of its peers. The system was mistakenly requesting a Full Sync on every config change in an Auto-Sync, Full Sync group even when it was in a consistent state.

Conditions:
A Device Group is configured with Auto-Sync, Full Sync, and ASM enabled.

Impact:
Noise on the network, extra CPU usage, Policy Builder restarting on receiving peer.

Workaround:
Disable "Full Sync" on the device group

Fix:
The system no longer requests a Full ASM Configuration Sync on every full auto sync in a device group.


516408-1 : SSL reports certificate verification OK even when verification returns failure for pcm=request.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is configured as request, even if the certificate is invalid (certificate verification returns failure), SSL returns OK.

Conditions:
Client authentication is configured with pcm=request.

Impact:
SSL returns the incorrect verification result.

Workaround:

Fix:
When client authentication is configured with pcm=request, SSL now returns the correct verification result.


516292-1 : Incorrect handling of repeated headers

Component: Local Traffic Manager

Symptoms:
If an HTTP/2 request forwarded to an HTTP/1.1 server produces a response in which the same header occurs more than once, the HTTP/2 response is encoded incorrectly and cannot be processed by the HTTP/2 browser.

Conditions:
Responses that contain the same header (with possibly different values) more than once.

Impact:
Browsers fail to process responses.

Workaround:
For the set-cookie header there is no work-around because each cookie requires its own header. For other headers, an iRule could potentially be used to concatenate the values of repeated headers.

Fix:
The http/2 protocol handling now correctly encodes repeated headers.
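The workaround above describes, in effect, the header translation an HTTP/2 front end has to perform when it proxies an HTTP/1.1 response. The following added Python example (not F5 code) performs that translation on a constructed header list: names are lowercased, connection-specific headers are dropped, Set-Cookie is kept as one field per cookie (the case the workaround says cannot be merged), and other repeated headers are combined into a single comma-separated field as RFC 7230 allows. The header names and values are constructed.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Set-Cookie values cannot be combined into one field: each cookie needs its own
# header field, which is why the workaround says there is no iRule fix for it.
NEVER_COMBINE = {"set-cookie"}

# Cookie is the one header RFC 7540 re-joins with "; " rather than ", ".
COOKIE = "cookie"

# Connection-specific headers are not permitted in HTTP/2 and are dropped.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}


def h1_to_h2_headers(h1_headers: List[Header]) -> List[Header]:
    """Translate an HTTP/1.1 header list (possibly with repeated names) into the
    field list an HTTP/2 frame should carry. Field order is preserved; a repeated
    combinable header is folded into the position of its first occurrence."""
    out: List[Header] = []
    first_index: Dict[str, int] = {}
    for name, value in h1_headers:
        lname = name.strip().lower()
        value = value.strip()
        if lname in CONNECTION_SPECIFIC:
            continue
        if lname in NEVER_COMBINE:
            out.append((lname, value))
            continue
        if lname in first_index:
            idx = first_index[lname]
            joiner = "; " if lname == COOKIE else ", "
            out[idx] = (lname, out[idx][1] + joiner + value)
        else:
            first_index[lname] = len(out)
            out.append((lname, value))
    return out


# Constructed HTTP/1.1 response headers with two repeated names.
SAMPLE_RESPONSE_HEADERS: List[Header] = [
    ("Set-Cookie", "session=abc; Path=/; HttpOnly"),
    ("Vary", "Accept-Encoding"),
    ("Set-Cookie", "pref=dark; Path=/"),
    ("Vary", "Origin"),
    ("Connection", "keep-alive"),
]

if __name__ == "__main__":
    for field in h1_to_h2_headers(SAMPLE_RESPONSE_HEADERS):
        print(field)
```

Combining is only safe for headers whose grammar is a comma-separated list; the example treats every header other than Cookie and Set-Cookie that way, which matches the iRule approach the workaround suggests but is something to confirm per header in a real deployment.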


516179-1 : Woodside falsely detects congestion

Component: Local Traffic Manager

Symptoms:
The TCP profile Congestion Control Woodside falsely detects congestion and might reduce its own performance.

Conditions:
High-bandwidth, low-delay connections (i.e., a large congestion window).

Impact:
Performance impact when using the Woodside congestion control algorithm, and TMM might crash.

Workaround:
Use a TCP profile Congestion Control other than Woodside.

Fix:
The Woodside congestion control algorithm now correctly detects congestion without performance impact.


516075-6 : Linux command line client fails with on-demand cert

Component: Access Policy Manager

Symptoms:
Linux command line client fails with on-demand cert.

Conditions:
End user needs to be running Linux command line client and the on-demand cert agent.

Impact:
Depending upon the access policy, the user might fail to log in and establish a Network Access connection.

Workaround:
none

Fix:
Linux command line client works with on-demand cert now.


516073 : Revised AWS Setup Guide

Component: TMOS

Symptoms:
tmsh is now the default shell for AWS VE. Documentation revised to remove "tmsh" from all tmsh command line entries.

Conditions:
Log in to an SSH session with the AWS VE. Initiate any tmsh command by starting the entry with "tmsh." The result is a syntax error.

Impact:
No tmsh commands can be executed. Without the ability to revise the AWS virtual machine (VM) password using tmsh, the VM can not be used.

Workaround:
Omit the word "tmsh" from command entries.

Fix:
Documentation revised to clarify tmsh command entries.


515638 : 5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled, and URL inputs cannot be categorized by the local Webroot database managed on the BIG-IP system because the URLs contain a mix of upper/lowercase characters, there may be a 5% drop in Webroot cloud lookup performance.

Conditions:
Webroot cloud lookup is enabled, and all URLs are unknown to the local database and consist of a mix of upper/lowercase letters.

Impact:
There could be a 5% drop in Webroot cloud lookup performance in this case. This only occurs when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The issue has been fixed by improving/optimizing URL normalization prior to Webroot cloud lookup.


515562-1 : Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.

Component: Advanced Firewall Manager

Symptoms:
When AFM is not licensed or provisioned, the user might still be able to enable Sweep and Flood.

Conditions:
Enable a Sweep and Flood vector when AFM is not licensed or provisioned.

Impact:
TMM might crash.

Workaround:
Avoid configuring Sweep and Flood vectors when AFM is not licensed or provisioned

Fix:
Sweep and Flood may crash if it is enabled when AFM is not licensed or provisioned; avoid configuring Sweep and Flood vectors when AFM is not licensed or provisioned.


515482 : Multiple teardown conditions can cause crash

Component: Local Traffic Manager

Symptoms:
When iRules direct the teardown of a TCP connection after some delay, another event might tear down the connection during the delay. When the iRule-directed abort finally arrives, the system crashes.

Conditions:
Virtual Server is using the TCP stack that supports advanced features.

Impact:
TMM crashes

Workaround:
Suspend iRules with this behavior.

Fix:
TCP now catches ABORT commands that arrive after the connection has already been closed.


515449-1 : bd agent listens on all addresses instead of the localhost only

Component: Application Security Manager

Symptoms:
bd agent listens on all addresses instead of the localhost only.

Conditions:
ASM provisioned.

Impact:
bd agent might crash in response to a simple telnet request from an external connection.

Workaround:
None.

Fix:
bd agent now listens on localhost only.
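A check a practitioner would want after this fix is whether any local-only daemon is still bound to a wildcard address. The following added Python audit (not F5 code) parses socket-listing output in the format of Linux `ss -lntpH` and flags processes from a caller-supplied local-only list that listen on anything other than a loopback address. The sample output, process names and ports are constructed for the example, not captured from a BIG-IP.

```python
import ipaddress
import re
from typing import List, Set, Tuple

# Matches one `ss -lntpH` line:
#   state recv-q send-q local_addr:port peer_addr:port users:(("proc",pid=..,fd=..))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def split_addr_port(local: str) -> Tuple[str, int]:
    """Split "127.0.0.1:6000", "[::]:443" or "*:8100" into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcards ('*', 0.0.0.0, ::) are not loopback."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output: str, local_only: Set[str]) -> List[Tuple[str, str, int]]:
    """Return (process, host, port) for every listener belonging to a process in
    `local_only` that is not bound to a loopback address."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        proc = m.group("proc")
        host, port = split_addr_port(m.group("local"))
        if proc in local_only and not is_loopback(host):
            findings.append((proc, host, port))
    return findings


# Constructed sample in `ss -lntpH` format (process names and ports are made up).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:6000 0.0.0.0:* users:(("bd_agent",pid=4123,fd=7))
LISTEN 0 128 0.0.0.0:6001 0.0.0.0:* users:(("bd_agent",pid=4123,fd=8))
LISTEN 0 128 [::]:443 [::]:* users:(("httpd",pid=2201,fd=4))
LISTEN 0 128 *:8100 *:* users:(("mysqld",pid=3310,fd=11))
LISTEN 0 128 [::1]:3306 [::]:* users:(("mysqld",pid=3310,fd=12))
"""

if __name__ == "__main__":
    for proc, host, port in audit_listeners(SAMPLE_SS_OUTPUT, {"bd_agent", "mysqld"}):
        print(f"{proc} listens on {host}:{port} (expected loopback only)")
```

The local-only set is deliberately an input rather than a built-in list: which daemons should be loopback-bound is a property of the platform and release, so the audit should be fed from the vendor's documentation rather than guessed.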


515433-1 : BD crash on specific signature sets configuration.

Component: Application Security Manager

Symptoms:
A BD crash, failover and/or traffic interruption.

Conditions:
Two different signature sets with different sizes (i.e., number of signatures in a set) are assigned to two different security policies. The issue relates to a scenario in which traffic generates a lot of violations, staging, or suggestions.

Impact:
A BD crash, a failover, and/or traffic interruption.

Workaround:
Assign the same set(s) to all the security policies.

Fix:
Crash issue that is related to a specific configuration was fixed.


515387 : Update EPSEC package to latest verified in 11.6.0 branch

Component: Access Policy Manager

Symptoms:
EPSEC was out of date and we are updating to the latest.

Conditions:

Impact:
EPSEC contains old package and some endpoint security checks like machine cert, antivirus, firewall might fail.

Workaround:

Fix:
11.6.0 branch contains most recent verified EPSEC package.


515190-2 : Event Logs -> Brute Force Attacks can't show details after navigating to another page

Component: Application Security Manager

Symptoms:
After using the pagination mechanism on the Brute Force Attacks screen, the user is unable to open the attack details.

Conditions:
Navigate to another page on Event Logs -> Brute Force Attacks

Impact:
The user is unable to see the brute force attack details.

Workaround:
N/A

Fix:
Pagination mechanism was fixed on the Brute Force Attacks screen.


515187-2 : Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.

Component: Advanced Firewall Manager

Symptoms:
Certain ICMP packets (such as ICMPv6 Destination Unreachable) match twice against Global and Route-Domain ACL rules.

Conditions:
AFM provisioned and licensed. Create a Global and/or Route Domain ACL policy with a rule matching ICMP traffic. Send ICMP packet such as Destination Unreachable.

Impact:
Global and Route-Domain ACL rules are evaluated twice under conditions specified above. This causes the rule counters to be incremented by 2 (instead of 1) and may cause double logging if enabled.

Workaround:
None

Fix:
ICMP traffic is now evaluated only once against Global and Route-Domain ACL rules.


514838-1 : TMM Crash on Relative URL

Component: WebAccelerator

Symptoms:
When a relative path that starts with ../ is presented to WAM, the code that attempts to rewrite the URL into an absolute, regular form potentially causes TMM to crash.

Conditions:
An AAM (Web Acceleration) profile is attached to the virtual server.

Impact:
Temporary outage while TMM restarts.

Workaround:
An iRule that rewrites the URL path so that it is not relative, or at least starts with a forward slash, protects WAM from this issue.

Fix:
Relative paths that do not start with a forward slash but contain parent-directory (../) references are now handled without crashing.
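The workaround above, written out as an iRule. This is an added example, not part of this release note and not F5-supplied code. It assumes it is attached to the virtual server that carries the AAM profile and that it runs before any other HTTP_REQUEST iRule there (priority 100 against the default 500). It leaves absolute-form (proxy-style) and asterisk-form request-targets alone and gives every other target a leading slash, so a path such as ../a/b reaches WAM as /../a/b and is normalized from the root instead of triggering the crash.

```tcl
# Added example iRule (not from the release note): make sure the request
# path starts with "/" before WAM normalizes it, per ID 514838-1.
# Assumes it runs before any other HTTP_REQUEST iRule on the virtual server
# (priority 100 is lower than the default 500, so it fires first).
when HTTP_REQUEST priority 100 {
    set uri [HTTP::uri]

    # Absolute-form (proxy-style) and asterisk-form targets already carry a
    # well-formed path or no path at all; leave them untouched.
    if { [string match -nocase "http://*" $uri] ||
         [string match -nocase "https://*" $uri] ||
         $uri eq "*" } {
        return
    }

    # Anything else must begin with "/". A relative target such as
    # "../admin" or "a/../b?x=1" is the trigger; prefix it so that the
    # parent-directory references are resolved from the root and the
    # crash described above cannot occur.
    if { not ($uri starts_with "/") } {
        log local0.notice "Relative request-target '$uri' from [IP::client_addr] rewritten"
        HTTP::uri "/$uri"
    }
}
```

A relative request-target is not a valid origin-form request, so the log line also doubles as a count of clients probing with malformed URIs; drop the log call on busy virtual servers.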


514785-2 : TMM crash when processing WA-optimized video URLs

Component: WebAccelerator

Symptoms:
TMM can crash when processing HTTP requests for certain types of WA-optimized videos.

Conditions:
-- WA is enabled on the virtual server. -- Video optimization and IBR (Intelligent Browser Referencing) are enabled by the WA policy. -- An HTTP request carries a URL query string containing both "vo=" and "/".

Impact:
Potential TMM crash.

Workaround:
# Disable WAM processing when the URL contains both a vo= parameter and a / character.
when HTTP_REQUEST {
    if { [HTTP::query] contains "vo=" && [HTTP::query] contains "/" } {
        WAM::disable
    }
}


514636-1 : SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN.

Component: Access Policy Manager

Symptoms:
When accessing HTTPS websites (via SWG) that present a certificate without a CN in the subject, a TMM crash occurs.

Conditions:
SWG explicit or transparent proxy using Category Lookup in the per-request access policy with Subject.CN as input. The crash only happens when accessing a site that has no CN in the Certificate's subject - this is not a common condition.

Impact:
This results in a TMM crash and failover.

Workaround:
Use Category lookup with SNI as input.

Fix:
When Category Lookup is configured to use Subject.CN as input, it logs and errors out if the certificate subject does not contain a CN.


514604-1 : Nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
A use-after-free of the nexthop object may cause memory corruption or a TMM core.

Conditions:
This can happen if the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.

Workaround:
None.


514564 : Special internal handling needed when hotfixing the f5base RPM.

Component: TMOS

Symptoms:
Hotfixing f5base could cause LOP-based platforms to fail to come up, because of the indirect way the management port network configuration is stored and regenerated.

Conditions:
f5base added to a hotfix rollup or EHF.

Impact:
The issue needed to be corrected before a hotfix containing a new f5base RPM could be released. Not seen in the field.

Workaround:
A workaround was included in the hotfix; changes to the way the management port is configured were introduced into the upcoming release code to avoid similar problems in the future.


514521 : Rare TMM Cores with TCP SACK and Early Retransmit

Component: Local Traffic Manager

Symptoms:
In certain isolated cases, TCP profiles with Early Retransmit and SACK enabled will cause a TMM Crash.

Conditions:
The connection is not in fast recovery but a SACK hole has been retransmitted.

Impact:
Rare TMM core.

Workaround:
Disable Early Retransmit in the TCP profile.

Fix:
Early Retransmit now checks for this corner case and no longer crashes.


514450-4 : VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.

Component: TMOS

Symptoms:
In a VXLAN tunnel, a remote MAC address movement from one endpoint to another does not trigger ARL updates across all TMMs. As a result, some TMMs may contain stale ARL entries which can impact traffic forwarding. Also, when using 'tmsh show net fdb tunnel', there is a duplicated MAC address associated with different endpoints in the same tunnel.

Conditions:
When a remote MAC address is moved from one endpoint to another. For example, when a BIG-IP system in an HA setup configured with a masquerading MAC address changes its state from 'standby' to 'active'.

Impact:
This issue could impact traffic forwarding in VXLAN tunnels.

Workaround:
Although there is no complete workaround, you can mitigate the situation by making sure that the network is properly configured so that every device uses a unique MAC address. For example, in a network with an HA setup, try not to use masquerading MAC addresses.

Fix:
This version of software more consistently handles the condition of a remote MAC address being moved from one endpoint to another.


514277-1 : Provide a way to enable connection bar for Citrix desktops only

Component: Access Policy Manager

Symptoms:
When the connection bar is enabled via Custom Parameters in a Citrix resource, it is applied to both applications and desktops.

Conditions:
APM is configured for Citrix replacement mode and connection bar is enabled via Custom Parameters in a Citrix resource.

Impact:
Connection bar is displayed for applications where it may not be needed.

Workaround:

Fix:
APM now enables the connection bar for Citrix desktops by default. This can be disabled by specifying ConnectionBar=0 in the Custom Parameters of the Citrix Remote Desktop resource.


514216 : Internal unit test issue found by F5 testing prior to release.

Component: Local Traffic Manager

Symptoms:
Internal unit test fails, catching an issue with SPDY.

Conditions:

Impact:
Unable to compile tmm.

Workaround:
None

Fix:
Resolve an internal build issue found by F5 testing before release.


514093-1 : Allow request logs to be filtered by destination IP.

Component: Application Security Manager

Symptoms:
Request Log: Missing useful filter by Destination IP.

Conditions:

Impact:
Missing a useful filter.

Workaround:

Fix:
Filter by Destination IP added to the Request log.


513871 : Tab collisions

Component: Fraud Protection Services

Symptoms:
Multiple tabs writing to the same cookie with different keys.

Conditions:
This occurs when using FPS.

Impact:
False positive alerts for automatic transactions.

Workaround:

Fix:
Fix case of multiple tabs writing to the same cookie with different keys.


513795-1 : HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1

Component: Access Policy Manager

Symptoms:
When Horizon v6.1 is deployed using an APM Full webtop, the option to launch the View HTML5 client is missing.

Conditions:
VMware Horizon and VMware View agents have been upgraded to v6.1 (v3.4 for clients) or a new v6.1 deployment.

Impact:
Users are not able to use HTML5 View client to launch View remote desktops from an APM full webtop.

Workaround:
Alternative access methods are available as a temporary workaround for Horizon users: administrators can have users use the native VMware View clients instead of the HTML5 View client on the APM full webtop.

Fix:
Starting with release v6.1 of VMware Horizon, the public API which APM uses for integration with View Connection Server has changed. This causes an issue where the View HTML5 client is no longer available to launch View desktops when deployed on an APM Full Webtop. The option to launch a View HTML5 client is now available again on the APM Full Webtop.


513763 : Slow response from GUI when listing Event Logs

Component: Application Security Manager

Symptoms:
Slow GUI performance in Request Log for Internet Explorer browser.

Conditions:
IE8-IE11 used

Impact:
Slow GUI performance in Request Log for Internet Explorer browser.

Workaround:
Remove all IP-address columns from the Request Log configuration, or reduce the number of entries per page.

Fix:
GeoIP tooltip library rewritten to improve performance in all browsers.


513646-1 : APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer

Component: Access Policy Manager

Symptoms:
APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer.

Conditions:
APM(ACCESS)/SWG.

Impact:
This results in rare TMM crashes/cores. The backtrace from the cores usually points to the timer.

Workaround:

Fix:
APM(ACCESS)/SWG filter operation no longer results in orphaned timers.


513565-1 : AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.

Component: Advanced Firewall Manager

Symptoms:
Existing flows are not re-evaluated against Virtual Server AFM policies in Kill-on-the-fly if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.

Conditions:
AFM provisioned and licensed. A Global (or route domain) AFM rule has action = Accept Decisively, and a virtual server AFM rule also exists. The initial flow is allowed by the Global rule's Accept Decisively action and is not matched against the virtual server rule. The Global rule's action is then changed to Accept, which should trigger Kill-on-the-fly to re-evaluate all existing flows against the AFM policies.

Impact:
Existing flows bypass Virtual Server AFM Policy match evaluation in the sweeper under the conditions specified above.

Workaround:
None

Fix:
Existing flows are now evaluated against the virtual server ACL policy when a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.


513403-1 : TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.

Component: Advanced Firewall Manager

Symptoms:
TMM asserts when certain ICMP packets are classified by AFM and match rules at the Global and Route Domain context with logging and log-translations enabled.

Conditions:
This might occur in the following configurations: -- AFM Rule Logging is enabled and Log Translations is enabled in Log Profile, -- Server side AVR Statistics collection is enabled under Security :: Reporting. -- Certain ICMP packets (such as multicast ICMP echo) are classified and match AFM rules at Global and Route Domain contexts.

Impact:
TMM crashes (assert). Traffic disruption due to TMM process crashing.

Workaround:
Disabling log-translations in AFM Logging Profile configuration can prevent the TMM crash for these types of ICMP packets.

Fix:
TMM crash (assert) for certain ICMP packets when classified by AFM and logging is enabled with log-translations has been fixed.


513382-13 : Resolution of multiple OpenSSL vulnerabilities

Component: Access Policy Manager

Symptoms:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

Conditions:
None.

Impact:
Update of OpenSSL to resolve multiple vulnerabilities.

Workaround:

Fix:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288


513243-1 : Improper processing of crypto error condition will cause memory double-free

Component: Local Traffic Manager

Symptoms:
Error handling in crypto code can lead to a double free.

Conditions:
Error in crypto handling in specific portion of the code can cause a double free to occur.

Impact:
The double-free will likely cause TMM to crash.

Workaround:

Fix:
When a crypto command returns an error after memory has been allocated successfully, the system now protects against the double-free.


513215 : Only one of the tmms load the classification library after an IM package upgrade

Component: Traffic Classification Engine

Symptoms:
Not all traffic is processed by the classification library from the newly installed IM package. Flows that go through tmms that didn't load the new library will continue being classified by the old library.

Conditions:

Impact:
Possible misclassification of some of the flows since they will be processed by the old library.

Workaround:
Run the following command after the upgrade: bigstart restart tmm. Note that restarting TMM interrupts traffic processing on that system; on a redundant pair, fail over to the peer first.

Fix:
The fix addresses the problem by loading the library on all tmms.


513034-1 : TMM may crash if Fast L4 virtual server has fragmented packets

Component: Local Traffic Manager

Symptoms:
tmm crashes.

Conditions:
This might occur when the following conditions are met: -- Fast L4 virtual server. -- Incoming fragmented packets.

Impact:
tmm might crash.

Workaround:
In the Fast L4 profile, enable the option 'Reassemble IP Fragments'.

Fix:
TMM no longer crashes if Fast L4 virtual servers have fragmented packets


512999-1 : LDAP Query may fail if user belongs to a group from foreign domain

Component: Access Policy Manager

Symptoms:
LDAP Query might fail if a user belongs to a group from a foreign domain.

Conditions:
LDAP Query is configured with option 'Fetch groups to which the user or group belong', and the user belongs to a group from a foreign domain.

Impact:
Login fails. LDAP Query fails with error: Referral, 0000202B: RefErr: DSID-03100747, data 0, 1 access points ref 1: 'example.domain'.

Workaround:
None.

Fix:
Do not try to resolve a group's membership if the group belongs to a foreign domain.


512734 : Socket error when Webroot cloud lookup is enabled under stress condition

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and the BIG-IP system is under heavy load with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system, the wr_urldbd daemon may return the socket error 'EAI_AGAIN'. After a large number of cloud lookups the daemon runs out of sockets, the cloud queries do not go through, and the affected URLs are categorized as UNKNOWN.

Conditions:
If Webroot cloud lookup is enabled while there is heavy traffic with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system.

Impact:
Because of the socket error under heavy load, URLs that need a Webroot cloud lookup may be categorized as UNKNOWN. This occurs only when Webroot cloud lookup is enabled; the feature is disabled by default.

Workaround:
None.

Fix:
This issue has been fixed by releasing sockets properly, so that the wr_urldbd will recover from temporary socket exhaustion.


512668-1 : ASM REST: Unable to Configure Clickjacking Protection via REST

Component: Application Security Manager

Symptoms:
The REST API for URLs was missing a field for Clickjacking Protection configuration. When trying to configure that Rendering in Frames should only be allowed from a single URL, there is no field to specify that URL.

Conditions:
REST API is being used to configure Clickjacking Protection for URLs.

Impact:
A REST API client is unable to correctly configure protection that is meant to only be allowed from a specified URL.

Workaround:
Configure via GUI instead of REST.

Fix:
The missing REST field for specifying the "only-from" clickjacking URL, allowRenderingInFramesOnlyFrom, has been added.


512663 : Added urlcatblindquery iRule command

Component: Policy Enforcement Manager

Symptoms:
Existing PEM customers needed an iRule command to query the encrypted customDB directly. When urlcatblindquery is used, PEM does not try to parse the input; it queries the customDB directly and categorizes the input accordingly.

Conditions:
This enhancement applies only when the new urlcatblindquery iRule command is used by a PEM customer who needs it.

Impact:
There is no impact to the existing PEM URL categorization features or their behavior.

Workaround:

Fix:
The new iRule command urlcatblindquery has been added to support existing customer use cases.


512616-1 : BD crash during brute force attack on cluster environment

Component: Application Security Manager

Symptoms:
A BD crash happens when there is a brute force attack on a blade environment.

Conditions:
Brute force attack, blade environment.

Impact:
BD crash, traffic sessions reset, failover.

Workaround:
N/A

Fix:
Fixed a BD crash on blade system when brute force attack happens.


512609 : Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses

Component: Advanced Firewall Manager

Symptoms:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) matches any IPv6 traffic which is correct, but also matches any IPv4 traffic which is incorrect.

Conditions:
Network Firewall Rule with the wildcard IPv6 source or destination address ::/0 (or 0::0/0).

Impact:
IPv4 traffic incorrectly matches the rule, so the rule's action is applied to traffic it was not meant to cover.

Workaround:
None

Fix:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) no longer incorrectly matches any IPv4 traffic.


512490-3 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable the tm.fastl4_ack_mirror DB variable. Optionally, enable tm.fastl4_mirroring_taciturn to reduce mirroring chatter. This helps resolve the connection-setup latency.

Fix:
The Nagle algorithm is now disabled on the TCP/HA profile to improve performance.


512485-3 : Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding

Component: TMOS

Symptoms:
In VXLAN overlays, unicast frames are flooded (via multicast or unicast replication) when the destination MAC address is known and the remote endpoint is unknown. Upon receiving a flooded unicast frame, the BIG-IP system might forward the frame again to yet another endpoint. Eventually an additional L2 hop might be introduced between the sender and the receiver. This applies to both the multicast and the multipoint (unicast replication) configurations of VXLAN.

Conditions:
This affects deployments with three or more VXLAN endpoints.

Impact:
The introduction of an additional hop adds unnecessary latency.

Workaround:

Fix:
In this release, the system does no L2 forwarding of encapsulated frames received from one endpoint and destined to another within the same overlay (VXLAN VNI/Tunnel), so no extra hop is added.


512378-1 : Changing per request policy in the middle of data traffic can cause tmm to crash

Component: Access Policy Manager

Symptoms:
Changing the per-request policy while the BIG-IP system is serving user requests can cause TMM to restart. TMM services are unavailable until TMM is back.

Conditions:
An administrator changes the per-request policy while TMM is serving user requests.

Impact:
BIG-IP services unavailable for some time.

Workaround:
Change per-request policy in planned scheduled maintenance window where there is no user traffic expected.

Fix:
TMM no longer crashes, and an administrator can change the per-request policy at any time.


512054-1 : CGNAT SIP ALG - RTP connection not created after INVITE

Component: Service Provider

Symptoms:
The client has no audio when it makes a call.

Conditions:
This occurs when a client initiates a call with a CSeq value greater than 64K (a value that does not fit in 16 bits).

Impact:
The BIG-IP system fails to create a media channel for audio/video traffic.

Workaround:
None.

Fix:
The BIG-IP system now correctly creates a media channel for audio/video traffic when the CSeq value is greater than 64K.


512016-1 : DB variable added to determine DNS UDP truncation behavior.

Component: Local Traffic Manager

Symptoms:
Customers need to change the size at which UDP DNS responses are truncated to something other than 512 bytes.

Conditions:

Impact:
Certain network topologies may require the UDP DNS to be passed through or have a higher limit.

Workaround:

Fix:
A DB variable has been added to control the handling of UDP DNS responses.


512001-1 : Using REST API to Update ASM Attack Signatures Fails

Component: Application Security Manager

Symptoms:
The Attack Signature Update task remains in "STARTED" status.

Conditions:
ASM REST API is being used with the /mgmt/tm/asm/tasks/update-signatures endpoint.

Impact:
REST API cannot be used to trigger an immediate download of new Attack Signatures.

Workaround:
Use scheduled updates or GUI to update Attack Signatures.

Fix:
REST Update Signatures Task now works correctly.


512000-1 : Event Log Filter using Policy Group isn't accurate

Component: Application Security Manager

Symptoms:
Request Log - filter by policy group does not work.

Conditions:
At least one policy group created and used.

Impact:
Request Log - filter by policy group does not work.

Workaround:
N/A

Fix:
Request Log - filter by policy group now works correctly.


511961-1 : BIG-IP Edge Client does not display logon page for FirePass

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client cannot display the FirePass logon page; it shows a "Connecting..." status and then blank pages. As a result, clients cannot use the latest BIG-IP Edge Client for Mac with FirePass.

Conditions:
FirePass and the APM-supplied build of BIG-IP Edge Client for Mac.

Impact:
Users cannot log in to FirePass if using BIG-IP Edge Client for Mac.

Workaround:
Update to latest client

Fix:
Clients using the BIG-IP Edge Client for Mac supplied with this APM release can continue to log in and do not get stuck at a "Connecting..." screen.


511947-1 : Policy auto-merge of Policy Diff

Component: Application Security Manager

Symptoms:
Running auto-merge on the Diff of two policies fails.

Conditions:
Running auto-merge on the Diff results of two policies.

Impact:
Policies cannot be auto-merged after viewing Diff.

Workaround:
None.

Fix:
The auto-merge functionality of Policy Diff now works as expected.


511873 : TMM core observed during SSL cert-related tmsh execution.

Component: Local Traffic Manager

Symptoms:
A TMM core could be seen during execution of an SSL certificate-related tmsh command.

Conditions:
SSL forward proxy is enabled.

Impact:
TMM core and crash.

Workaround:
None.

Fix:
This release fixes a core observed when SSL forward proxy is enabled.


511651-3 : Performance improvement in packet processing.

Component: Local Traffic Manager

Symptoms:
There is a potential memory leak.

Conditions:
Undisclosed conditions for fragmented packet processing.

Impact:
Memory leak.

Workaround:
1. Use an external firewall. 2. The F5 AFM product can be used.


511648-2 : On standby tmm can core when active system sends leasepool HA commands to standby device

Component: Access Policy Manager

Symptoms:
On standby system tmm can core after it comes up when the active system sends leasepool HA commands to the standby device.

Conditions:
This occurs on standby systems when the active system sends it leasepool HA commands.

Impact:
The tmm process cores.

Workaround:

Fix:
On standby system tmm no longer cores after it comes up when active system sends leasepool HA commands to the standby device.


511534-1 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.

Component: WebAccelerator

Symptoms:
When loading an AAM policy, TMM compiles the rules into an internal structure that is efficient for execution. Some conditions, however, may cause this process to take so long that TMM is halted before it has finished compiling the policy.

Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or two operands. Since conditions can exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Impact:
TMM is halted before the policy finishes compiling, so the policy does not load.

Workaround:
None.

Fix:
Now, you can prevent AAM policy compilation from taking too long by turning a regular expression into a plain match: escape the symbols that make a string a regular expression with '\'. For example, previously 'favicon.ico' was treated as a regular expression because '.' means 'any character'. Now you can specify 'favicon\\.ico' (the double '\' is required by tmsh), which makes '.' mean a literal period and avoids the unintended regular expression.


511517-1 : Request Logging profile cannot be configured with HTTP transparent profile

Component: Local Traffic Manager

Symptoms:
Cannot configure both a Request Logging profile and an HTTP transparent profile on the same virtual server.

Conditions:
HTTP transparent profile is attached to a virtual server.

Impact:
Request Logging profile cannot be configured on the same virtual server.

Workaround:

Fix:
The system now supports configuring both a Request Logging profile and an HTTP transparent profile on the same virtual server.


511488-1 : Correlation restarting on a multi-blade vCMP guest

Component: Application Security Manager

Symptoms:
The following error will appear in ASM log: Watchdog detected failure for process. Process name: correlation, Failure: Insufficient number of threads

Conditions:
ASM provisioned on a multi-blade vCMP guest.

Impact:
Correlation daemon endlessly restarting

Workaround:
N/A

Fix:
To prevent endless restarting, correlation is now disabled on a multi-blade vCMP guest.


511477-2 : Manage ASM security policies from BIG-IQ

Component: Application Security Manager

Symptoms:
Certain aspects of ASM security policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.

Conditions:
ASM security policies on BIG-IP are managed from BIG-IQ Security (version 4.5).

Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.

Workaround:
None.

Fix:
This is part of ID 498361. New ASM security policies can now be created by BIG-IQ version 4.5. The capability is disabled by default; enable it by setting the rest_api_extensions option to "1" on the Advanced Configuration / System Variables page in the ASM GUI and then restarting httpd.


511441-3 : Memory leak on request Cookie header longer than 1024 bytes

Component: Access Policy Manager

Symptoms:
Memory leak on request Cookie header longer than 1024 bytes.

Conditions:
A client sends a 'Cookie' request header with more than 1024 bytes of data to an APM Portal Access host.

Impact:
Memory used by the 'rewrite' process keeps increasing, leading to 'out of memory' log messages and possibly a failover.

Workaround:

Fix:
Portal Access no longer leaks memory on large Cookie request headers from the client.
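To gauge exposure before upgrading, here is an added example iRule (not from this release note and not F5-supplied code) that counts the bytes in the Cookie header(s) of each request to a Portal Access virtual server and logs those over the 1024-byte threshold named in the conditions. It only logs; it does not modify or reject the request. The threshold and the placement on the Portal Access virtual server are assumptions taken from the conditions above.

```tcl
# Added example iRule (not from the release note): report requests whose
# Cookie header data exceeds the 1024-byte threshold from ID 511441-3.
# Assumed to be attached to the APM Portal Access virtual server; it only
# logs, it does not modify or reject the request.
when RULE_INIT {
    # Threshold taken from the issue description; adjust if the conditions change.
    set static::cookie_limit 1024
}

when HTTP_REQUEST {
    set cookie_len 0
    # A client may send several Cookie headers; count the data in all of them.
    foreach cookie_value [HTTP::header values Cookie] {
        incr cookie_len [string length $cookie_value]
    }
    if { $cookie_len > $static::cookie_limit } {
        log local0.warning "Cookie data of $cookie_len bytes from [IP::client_addr] \
            for [HTTP::host][HTTP::path] (ID 511441-3 trigger)"
    }
}
```

Watch the log rate together with the memory use of the rewrite process: a steady stream of these warnings on an unpatched system is the pattern that leads to the 'out of memory' messages described above.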


511406-1 : Pagination issue on firewall policy rules page

Component: Advanced Firewall Manager

Symptoms:
Firewall policy rules page shows only the first 100 rules in the policy.

Conditions:
This is an issue when there are more than 100 rules configured in a policy.

Impact:
User is only able to see the first 100 rules in the policy

Workaround:

Fix:
The firewall policy rules page now displays more than 100 rules.


511326-2 : SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.

Component: Service Provider

Symptoms:
The BIG-IP system does not forward messages when configured as SIP ALG with translation.

Conditions:
The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification.

Impact:
The Subscriber does not receive any notification regarding the subscribed events.

Workaround:
None.

Fix:
The BIG-IP system now correctly forwards messages when configured as SIP ALG with translation.


511130-3 : TMM core due to invalid memory access while handling CMP acknowledgement

Component: Local Traffic Manager

Symptoms:
Rarely, TMM might core due to invalid memory access while handling a CMP acknowledgement.

Conditions:
Memory is not validated before handling a CMP acknowledgement.

Impact:
tmm restarts with a segfault.

Workaround:

Fix:
Memory is now validated before handling a CMP acknowledgement.


511064-1 : Repeated install/uninstall of policy with usage monitoring stops after second time

Component: Policy Enforcement Manager

Symptoms:
Usage monitoring as required by the policy stops working.

Conditions:
Policy configured with usage monitoring is installed/uninstalled multiple times within a session.

Impact:
Usage reporting stops working.

Workaround:
None.

Fix:
The system now correctly handles the case in which a policy with usage monitoring is installed and removed multiple times.


510811-1 : PEM::info irule does not take effect if used right after PEM::session config policy irule

Component: Policy Enforcement Manager

Symptoms:
Using the PEM::info iRule command to set a session attribute immediately after the PEM::session config policy command has set the referential policy does not work; the session attribute is not set correctly.

Conditions:
The PEM::session config policy and PEM::info iRule commands are used one immediately after the other.

Impact:
The PEM::info iRule command does not set the session attribute as expected.

Workaround:
Put a delay ("after 10") between the two commands in the iRule.

Fix:
The PEM::session info iRule command now sets the PEM session attribute correctly, even when used immediately after the PEM::session config policy command.


510721-1 : PEM::enable / PEM::disable iRule errors out with an error message

Component: Policy Enforcement Manager

Symptoms:
When PEM::enable or PEM::disable is used in an iRule, an error message indicates that the iRule procedure is undefined.

Conditions:
Using PEM::enable or PEM::disable in an iRule.

Impact:
The PEM::enable and PEM::disable iRule commands cannot be used.

Workaround:

Fix:
Validation of the PEM::enable and PEM::disable iRule commands has been corrected; the commands can now be used without error.


510597-3 : SNAT Origin Address List is now stored correctly when first created

Component: TMOS

Symptoms:
Creating a SNAT under Local Traffic :: Address Translation : SNAT List and specifying an address list under origin, there is no host or network SNAT type to select from.

Conditions:
This occurs in this scenario: 1. Create a SNAT and specify an address list with a /24 mask and update. 2. Run the command: tmsh list ltm snat SNAT_created.

Impact:
A /32 address is shown instead of the network. For example, 1.1.1.0/24 is stored as 1.1.1.0/32, so the SNAT applies only to that single address rather than to the intended network.

Workaround:

Fix:
SNAT Origin Address List is now stored correctly when first created.


510596-6 : Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty

Component: Access Policy Manager

Symptoms:
DNS resolution can break for a Linux client when the "DNS Default Domain Suffix" setting is empty in a Network Access configuration in APM.

Conditions:
BIG-IP Edge Gateway, Linux CLI and empty "DNS Default Domain Suffix" in Network Access configuration

Impact:
DNS resolution might not work on Linux

Workaround:
Configure "DNS default domain suffix" in network access configuration

Fix:
DNS resolution on Linux works now even when the "DNS Default Domain Suffix" setting in the Network Access configuration is empty.


510499-2 : Enforcer Crashes after Sync in an ASM-only Device Group

Component: Application Security Manager

Symptoms:
Enforcer crashes after an ASM Sync in an ASM-only CMI Device Group

Conditions:
A Device group is set up to be Manual Sync + ASM Sync only (Not failover). A policy is associated with a virtual server on both devices. The policy is then deactivated on one device.

Impact:
Peer Device is left in an inconsistent state and BD crashes.

Workaround:
None

Fix:
ASM Configuration Sync will gracefully handle not being able to deactivate when it conflicts with LTM config.


510393-1 : TMM may occasionally restart with a core file when deployed VCMP guests are stopped

Component: TMOS

Symptoms:
VCMP guest shutdown can interfere with execution of the VCMP hypervisor TMM, causing 'Clock advanced' messages and TMM restarts with corresponding core files.

Conditions:
vCMP guests in state 'deployed' are modified to state 'provisioned' or 'configured', or are deleted entirely. The likelihood of a TMM restart increases with the number of guests that are stopping at the same time.

Impact:
* 'Clock advanced' messages in the VCMP hypervisor /var/log/ltm that correspond with guest shutdowns.
* TMM restarts with corresponding core files.
* Potential for traffic to be impacted while the TMM process restarts.

Workaround:
Shut down vCMP guests one at a time to reduce the likelihood of encountering this issue.

Fix:
Resolved occasional TMM restarts when stopping vCMP guests on 12050 and 10350N appliances.


510049 : Revised BIG-IP CGNAT Implementations content

Component: TMOS

Symptoms:
The BIG-IP 11.6.0 CGNAT Implementations manual includes SIP ALG content for security, dialog_aware, insert_record_route_header settings. Also, content refers to the SIP Security check box, instead of the SIP Firewall check box.

Conditions:
Content for a SIP profile includes steps for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box, which cause an error. Content also refers to the SIP Security check box, instead of the SIP Firewall check box.

Impact:
Configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box, causes an error. Content incorrectly refers to the SIP Security check box, instead of the SIP Firewall check box.

Workaround:
Deleted content for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box. Changed content referring to the SIP Security check box to the SIP Firewall check box.

Fix:
Documentation is revised to omit content for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box. Documentation also now refers to the SIP Firewall check box instead of the SIP Security check box.


509968-3 : BD crash when a specific configuration change happens

Component: Application Security Manager

Symptoms:
A reconfiguration, a security application being attached to a VIP, a new security policy, or another large configuration change is followed by traffic halting or resetting, a "shrinking" message in bd.log, and then a BD crash.

Conditions:
A remote logger with "report anomalies" is attached to the virtual server, a session transaction attack is ongoing, and the session transaction configuration is changed together with a custom header (for XFF) configuration. This can also happen when adding new web applications to an existing virtual server, or attaching an existing web application to a virtual server, while there is a session transaction attack on a virtual server.

Impact:
Traffic halted, a failover and traffic resets. BD will startup with the updated configuration in place.

Workaround:
Do not add security policies, attach security policies to a virtual server, reconfigure a security policy, or change the session transaction configuration together with the custom header configuration while a session transaction attack is going on against a virtual server that has a remote logger attached.

Fix:
A crash that happens upon a specific configuration change was fixed.


509956-4 : Improved handling of cookie values inside SWG blocked page.

Component: Access Policy Manager

Symptoms:
Certain components of cookies are not escaped and might negatively impact functionality.

Conditions:
Use of a reject ending in a per-request access policy.

Impact:
Potential disruption of functionality.

Workaround:
None.

Fix:
Improved the way that we process cookie values in an SWG blocked page.


509873-1 : Rare crash and core dump of tmm or bd after rebooting a device or joining a trust domain.

Component: Application Security Manager

Symptoms:
The tmm process or bd daemon may crash and core dump within 24 hours of either rebooting a device, restarting tmm, or joining a trust domain. This may also happen on a standalone device that has been rebooted.

Conditions:
Traffic arrives to a virtual server that is configured with: an anti-fraud profile, an ASM Security Policy, or a DOS profile that has 'Application Security' enabled.

Impact:
The crash might happen only within 24 hours of either rebooting a device, restarting tmm, or joining a trust domain. The tmm or bd crash causes the device to not handle traffic while the process is being restarted.

Workaround:
Performing the following actions prevents the crash from happening. Requires shell access to the device.
( 1. ) Edit the file /etc/bigstart/scripts/datasyncd: Remove the last line, which contains:
    exec /usr/share/datasync/bin/datasyncd >> /var/log/datasync/datasyncd.log
In its place, add this:
    exec >> /var/log/datasync/datasyncd.log 2>&1
    echo "`date`: fix start."
    set -x
    tmsh list security datasync local-profile
    tmsh list security datasync local-profile | grep '^security' | awk '{print $4}' | while read -r table; do tmsh modify security datasync local-profile $table max-gen-rows infinite; done
    tmsh list security datasync local-profile
    set +x
    echo "`date`: fix end."
    exec /usr/share/datasync/bin/datasyncd
( 2. ) Run 'bigstart restart tmm'. NOTE: This causes the device to be offline and not handle traffic while tmm restarts.

Fix:
This release fixes a potential (but rare) crash of either tmm or bd that may happen within 24 hours of either rebooting a device, or joining a trust domain.


509758-2 : EdgeClient shows incorrect warning message about session expiration

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shows an incorrect warning message once a network access connection is established.

Conditions:
Access Policy has disabled Maximum Session timeout (set to 0) and Network Access webtop is used.

Impact:
Versions that have session expiration timeout display all zeroes instead of the timeout value. This is a cosmetic issue that does not indicate incorrect system functionality.

Workaround:
None.

Fix:
Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message.


509495 : A TMM memory leak when HTTP protocol security enabled profile and no AFM license

Component: Application Security Manager

Symptoms:
This command:
    tmctl memory_usage_stat | (head -n 2; grep httpsec)
shows increased memory on the httpsec::httpsec_plugin entry per transaction.

Conditions:
HTTP protocol security profile is enabled while AFM is not licensed.

Impact:
TMM memory increased on each transaction.

Workaround:
License AFM.

Fix:
Fixed a memory leak in TMM that occurred when AFM is not licensed and a profile with HTTP protocol security enabled is assigned to a virtual server.


509475 : spdy profile with activation-mode always may not load on upgrade to 11.6.0 or later

Component: TMOS

Symptoms:
In 11.5.x and earlier versions it was possible to have a spdy profile with the following combination of settings: activate-mode always, and protocol-versions { spdy3 spdy2 http1.1 }. In 11.6.0 this was changed to allow only a single protocol-version in conjunction with 'activation-mode always'.

Conditions:
A spdy profile with activate-mode always and multiple protocol versions for protocol-versions.

Impact:
This might cause a failure when upgrading from prior versions to 11.6.0 or later.

Workaround:
Before upgrading, make sure all spdy profiles with 'activation-mode always' have only a single 'protocol-versions' value set.

Fix:
A spdy profile with 'activation-mode always' and multiple 'protocol-versions' no longer causes an upgrade to fail. Instead, the upgrade changes the profile so that the 'protocol-versions' field contains only the highest spdy protocol version that was listed before the upgrade.


509416 : Suspended 'after' commands may result in unexpected behaviors

Component: Local Traffic Manager

Symptoms:
Unexpected iRule behavior, crashes or aborts.

Conditions:
Can occur when a virtual server has a OneConnect profile and an iRule that uses the 'after' command.

Impact:
tmm crash.

Workaround:

Fix:
Connections are ineligible for re-use while there is still a pending, suspended or in-progress 'after' iRule. This is correct behavior.


509310-5 : Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances

Component: Local Traffic Manager

Symptoms:
The egress VxLAN traffic on VIPRION chassis and 5000 series appliances has a bad UDP checksum in its outer UDP header. The BIG-IP hardware does not support UDP checksum offload for VxLAN traffic if the outer header is IPv4. The BIG-IP hardware uses UDP destination port 4789 to identify VxLAN traffic.

Conditions:
The outer UDP header of egress VxLAN traffic on VIPRION chassis and 5000 series appliances is IPv4 and has destination port equal to 4789.

Impact:
The egress VxLAN traffic is dropped by the receiver due to the bad UDP checksum.

Workaround:
Set the db variable iptunnel.vxlan.udpport to 0, so that the BIG-IP system hardware does not classify traffic with UDP destination port 4789 as VxLAN traffic.

Fix:
VIPRION chassis and 5000 series appliances no longer generate bad outer IPv4 UDP checksums on egressing VxLAN traffic.


509310-3 : Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances

Component: Local Traffic Manager

Symptoms:
The egress VxLAN traffic on VIPRION chassis and 5000 series appliances has a bad UDP checksum in its outer UDP header. The BIG-IP hardware does not support UDP checksum offload for VxLAN traffic if the outer header is IPv4. The BIG-IP hardware uses UDP destination port 4789 to identify VxLAN traffic.

Conditions:
The outer UDP header of egress VxLAN traffic on VIPRION chassis and 5000 series appliances is IPv4 and has destination port equal to 4789.

Impact:
The egress VxLAN traffic is dropped by the receiver due to the bad UDP checksum.

Workaround:
Set the db variable iptunnel.vxlan.udpport to 0, so that the BIG-IP system hardware does not classify traffic with UDP destination port 4789 as VxLAN traffic.

Fix:
VIPRION chassis and 5000 series appliances no longer generate bad outer IPv4 UDP checksums on egressing VxLAN traffic.


509276-4 : VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device

Component: TMOS

Symptoms:
VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on the standby device.

Conditions:
A VXLAN tunnel with a floating local address on the standby device.

Impact:
Incorrect gratuitous ARPs are generated on the standby device.

Workaround:

Fix:
VXLAN tunnels with floating local addresses no longer generate incorrect gratuitous ARPs on the standby device.


509105-1 : TMM cores sometimes if provisioning hold time is set to non-zero

Component: Policy Enforcement Manager

Symptoms:
TMM might core sometimes if provisioning hold time is set. When a multiple-IP session is created with both an IPv4 and an IPv6 address, and one of the IP addresses is then removed via a RADIUS Stop, TMM might core.

Conditions:
Provisioning hold time is set to non-zero.

Impact:
TMM core leading to restart and disruption of service.

Workaround:
Disable provisioning hold time by setting the following DB variable to 0. Listing the variable afterwards shows the new value:
    root@(dpi-bvt2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tmm.pem.session.radius.provisioning.hold.time
    sys db tmm.pem.session.radius.provisioning.hold.time {
        value "0"
    }

Fix:
The issue is fixed, and TMM no longer cores in this scenario.


509010 : Adding/Deleting a local user takes 30 seconds to complete

Component: Access Policy Manager

Symptoms:
It takes about 30 seconds to add or to delete a local user.

Conditions:
This occurs when using the GUI to add or delete local users (on the Access Policy :: Local User DB :: Manage Users screen).

Impact:
The add or delete operation incurs a delay of approximately 30 seconds.

Workaround:
None.

Fix:
Adding or deleting a local user now completes within an expected time interval.


508908-1 : Enforcer crash

Component: Application Security Manager

Symptoms:
A bd crash. Connections reset until the system restarts or a failover completes.

Conditions:
A multipart request with specific syntax error.

Impact:
A bd process crash and failover. Connections are reset until the system restarts or the failover finishes.

Workaround:
No workaround

Fix:
An Enforcer crash was fixed.


508719-1 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
The title might be missing from a logon page.

Conditions:
The logon page uses a field filled with a dynamically assigned session variable.

Impact:
No title displays on the logon page.

Workaround:
Modify the page logon.inc using the customization panel.
* Add function:
    function getSoftTokenPrompt() {
        if ( softTokenFieldId != "" && edgeClientSoftTokenSupport()) {
            var div = document.getElementById("formHeaderSoftToken");
            if (div) {
                return div.innerHTML;
            }
        }
        return null;
    }
* Replace code:
    function OnLoad() {
        var header = document.getElementById("credentials_table_header");
        var softTokenHeaderStr = getSoftTokenPrompt();
        if ( softTokenHeaderStr ) {
            header.innerHTML = softTokenHeaderStr;
        }
By:
    function OnLoad() {
        var header = document.getElementById("credentials_table_header");
        var softTokenHeaderStr = "<? echo $formHeaderSoftToken; ?>";
        if ( softTokenFieldId != "" && softTokenHeaderStr != "" && edgeClientSoftTokenSupport()) {
            header.innerHTML = softTokenHeaderStr;
        } else {
            header.innerHTML = "<? echo $formHeader; ?>";
        }
* Replace code:
    <td colspan=2 id="credentials_table_header" ></td>
By:
    <td colspan=2 id="credentials_table_header" ><? echo $formHeader; ?></td>
* Add code before the </body> tag:
    <div id="formHeaderSoftToken" style="overflow: hidden; visibility: hidden; height: 0; width: 0;"><? echo $formHeaderSoftToken; ?></div>

Fix:
The title displays on the logon page now.


508716-4 : DNS cache resolver drops chunked TCP responses

Component: Local Traffic Manager

Symptoms:
The DNS cache resolver drops chunked TCP responses.

Conditions:
The cache resolver uses TCP to resolve a query, and the nameserver does not include the complete reply in the first TCP segment.

Impact:
The response is discarded, the connection dropped, and the query retried.

Workaround:

Fix:
The DNS cache resolver no longer drops chunked TCP responses.
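The failure mode behind 508716-4 is a resolver that treats one TCP segment as one DNS reply. Over TCP, RFC 1035 prefixes each DNS message with a two-byte length, and a nameserver may split the prefix and the message across several segments. The following Python is an added example (not F5 code) that contrasts a naive "one segment per reply" parser, which discards a split reply the way the symptom describes, with a reassembler that buffers until the announced length has arrived. The DNS response bytes and the segment boundaries are constructed for this example.

```python
"""DNS-over-TCP reassembly: naive segment parsing vs. length-prefixed buffering.

Added example, not part of BIG-IP. Sample response and segment splits are
constructed here so the script runs offline.
"""
import struct


def build_response(txid: int, qname: str, addresses: list) -> bytes:
    """Build a minimal DNS A-record response (constructed sample data)."""
    def encode_name(name: str) -> bytes:
        out = b""
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        return out + b"\x00"

    # id, flags (QR=1, RD=1, RA=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # name pointer to offset 12, type A, class IN, TTL 300, rdlength 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a complete message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def naive_parse(segment: bytes):
    """A resolver that assumes one TCP segment carries one whole reply.

    Returns None when the segment is short of the announced length, which is
    the point at which the pre-fix resolver discarded the reply."""
    (length,) = struct.unpack("!H", segment[:2])
    body = segment[2:]
    if len(body) != length:
        return None
    return parse_header(body)


class TcpDnsReassembler:
    """Buffers TCP payload bytes and yields complete DNS messages.

    Handles a length prefix split across segments, a body spread over several
    segments, and several messages packed into a single segment."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, segment: bytes) -> list:
        self._buf += segment
        complete = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack("!H", self._buf[:2])
            if len(self._buf) < 2 + length:
                break  # wait for more data instead of dropping the connection
            complete.append(self._buf[2:2 + length])
            self._buf = self._buf[2 + length:]
        return complete


def demo() -> dict:
    """Split one reply into awkward segments and compare the two strategies."""
    msg = build_response(0x1234, "example.test.", ["192.0.2.10", "192.0.2.11"])
    wire = frame_tcp(msg)  # 64 bytes: 2-byte prefix + 62-byte message
    # Constructed split: 1 byte of the prefix, then 19 bytes, then the rest.
    segments = [wire[:1], wire[1:20], wire[20:]]

    reassembler = TcpDnsReassembler()
    delivered = []
    for seg in segments:
        delivered.extend(reassembler.feed(seg))

    return {
        "naive_result": naive_parse(wire[:20]),      # None: reply discarded
        "messages_delivered": len(delivered),        # 1: reassembled
        "header": parse_header(delivered[0]) if delivered else None,
    }


if __name__ == "__main__":
    print(demo())
```

The reassembler's loop also drains back-to-back replies that arrive in one segment, which a resolver pipelining several queries over one TCP connection must handle; feeding it two framed messages at once returns both.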


508660-1 : Intermittent tmm crash in classification library

Component: Traffic Classification Engine

Symptoms:
tmm crashes sporadically without apparent triggers when using classification on the virtual server.

Conditions:
Using classification on the virtual server.

Impact:
tmm crash.

Workaround:
Disable classification on the virtual server if not needed.

Fix:
The most recent classification library, which includes memory allocation fixes, was integrated.


508630-4 : The APM client does not clean up DNS search suffixes correctly in some cases

Component: Access Policy Manager

Symptoms:
The APM client does not clean up DNS search suffixes correctly when the DNS suffixes configured on a client contain names that are also configured in the APM network access resource.

Conditions:
A suffix name configured in a network access resource matches a suffix configured locally on the user's machine.

Impact:
DNS suffixes are not restored correctly.

Workaround:

Fix:
Additional fix to restore DNS suffixes correctly.


508544-1 : AVR injects CSPM JavaScript when the payload does not contain an HTML tag

Component: Application Visibility and Reporting

Symptoms:
AVR injects CSPM JavaScript when the payload does not contain an HTML tag.

Conditions:
This occurs when the following conditions are met:
-- The page-load-time feature is turned on.
-- The HTTP content is not compressed.
-- The HTTP content-type is text or HTML.
-- The HTTP content does not contain an html tag.

Impact:
JavaScript is included in non-HTML flows.

Workaround:
Use iRules. This way, CSPM can be enabled and disabled, and can be controlled for particular pages. If the user can determine which URLs are fit for CSPM, or can identify them by some specific content in the response, then an iRule can make the decision. To do so, the page-load-time feature should be turned on in the Analytics profile and an iRule should be used. See details here: https://support.f5.com/kb/en-us/solutions/public/13000/800/sol13859.html

Fix:
AVR injects CSPM JavaScript only when the payload contains an HTML tag. This is correct behavior.


508519-4 : Performance of Policy List screen

Component: Application Security Manager

Symptoms:
There is a performance issue with the Policy List/Import Policy/PCI report configuration utility screens.

Conditions:
20 or more active security policies in the system.

Impact:
With 160 active security policies, it took about 10 seconds to load the Policy List/Import Policy/PCI report configuration utility screens.

Workaround:
There is no workaround at this time.

Fix:
A performance issue with the Policy List/Import Policy/PCI report configuration utility screen was fixed.


508338-1 : Under rare conditions cookies are enforced as base64 instead of clear text

Component: Application Security Manager

Symptoms:
A false positive "modified domain cookie" violation or a false positive "illegal base64 value" violation is created.

Conditions:
No specific condition, rare.

Impact:
The violation "illegal base64 value" on a cookie appears on transactions, even for cookies that are not marked as base64 value cookies.

Workaround:
No workaround

Fix:
An issue that rarely caused a false positive illegal base64 value, or false positive modified domain cookie violation, was fixed.


508051-1 : DHCP response may return to wrong DHCP client

Component: Policy Enforcement Manager

Symptoms:
When there are multiple DHCP solicit messages from different clients with different source IPs, the DHCP responses may be returned to the client/source IP that sent the first DHCP request to BIG-IP/PEM.

Conditions:
The issue may occur when multiple DHCP clients send DHCP solicit messages to BIG-IP/PEM in DHCP relay mode.

Impact:
When it occurs, DHCP responses may be returned to the wrong DHCP clients among those sending solicit messages in DHCP relay mode.

Workaround:

Fix:
The bug has been fixed: multiple DHCP solicit requests from different clients/source IPs are now handled properly, and each response is sent back to the proper client/source IP.


507919-1 : Updating ASM through iControl REST does not affect CMI sync state

Component: Application Security Manager

Symptoms:
Updates through REST in a manual sync CMI device group do not change the sync status to PENDING.

Conditions:
ASM is configured in a manual sync group and REST API is utilized.

Impact:
Sync status will now be changed after updates through REST in a manual sync CMI device group.

Workaround:
There is no workaround at this time.

Fix:
Sync status is now changed after updates through REST in a manual sync CMI device group.


507905 : Saving Policy History during UCS load causes DB deadlock/timeout

Component: Application Security Manager

Symptoms:
Loading a UCS from an older version for upgrade can cause DB timeouts.

Conditions:
Having two devices with different versions installed on them in a CMI device group.

Impact:
An intermittent issue where an error state was received after upgrading a CMI device group was fixed.

Workaround:
Do not have BIG-IP devices with different versions in the same CMI device group.

Fix:
We corrected an intermittent issue where an error state was received after upgrading a CMI device group.


507902-1 : Failure and restart of mcpd in secondary blade when cluster is part of a trust domain.

Component: Application Security Manager

Symptoms:
The mcpd daemon of a secondary blade reports failure and is restarted, causing the blade to be offline and not handle traffic for a few minutes.

Conditions:
A multi-blade device (cluster) is part of a trust domain, and one of the other devices in the trust domain is being rebooted. The mcpd failure may occur within a time frame of between a few minutes, and up to 24 hours. The failure should only happen once, and not repeat until the next time that a device in the trust-domain is being rebooted.

Impact:
During the mcpd restart, the blade is offline and not handling traffic for a few minutes. There is no impact to traffic handled by the primary blade.

Workaround:
The mcpd failure is caused by an inconsistency between the primary and the secondary blades after a reboot of a different device in the trust domain. So, the workaround is to check and fix the inconsistency after every reboot of any device in the trust domain. There is no need to do this when only one of the blades is being rebooted. After any reboot of a device in the trust-domain, perform the following actions:
( 1. ) Check for inconsistency: On each blade of each cluster in the trust-domain, run the following command:
    tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'
You should see an object for each of the devices (clusters) in the trust domain. For example, if two multi-blade devices are joined in the trust-domain, vcmp1 and vcmp2, both having 2 blades:
    [root@vcmp1:/S2-green-S:Active:In Sync (Sync Only)] config # tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'
    security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
        table cs-asm-dosl7
    }
    security datasync device-stats datasync-device-vcmp2.qa.com/datasync-device-vcmp2.qa.com-cs-asm-dosl7-stats {
        table cs-asm-dosl7
    }
This shows both vcmp1 and vcmp2, so the state is good; no further action is needed on this device. However, in the faulty state, the secondary blade of vcmp2 will show:
    [root@vcmp2:/S2-green-S:Active:In Sync (Sync Only)] config # tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'
    security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
        table cs-asm-dosl7
    }
The vcmp2 device is missing. This means that the state is inconsistent, and an mcpd failure may happen sometime within 24 hours.
( 2. ) Fix the inconsistency if needed: To fix the state, force a sync of the datasync device groups from vcmp1 (if vcmp2 had the faulty state).
If vcmp2 had the inconsistency, run the following commands on vcmp1:
    tmsh modify cm device-group datasync-global-dg devices modify { vcmp1.qa.com { set-sync-leader } }
Wait a few seconds, then run:
    tmsh modify cm device-group datasync-device-vcmp1.qa.com-dg devices modify { vcmp1.qa.com { set-sync-leader } }
    tmsh modify cm device-group datasync-device-vcmp2.qa.com-dg devices modify { vcmp1.qa.com { set-sync-leader } }
Wait a few more seconds, then check the state again using the instructions in step #1 (tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'). All blades should be good now. Repeat steps #1 and #2 on each of the blades, in each of the clusters that are part of a trust-domain, whenever a device is being rebooted.

Fix:
The mcpd daemon of a secondary blade in a cluster no longer fails and restarts when the cluster is part of a trust domain and one of the other devices in the trust-domain is being rebooted.


507842-2 : Patch for BIND Vulnerability CVE-2015-1349

Component: TMOS

Symptoms:
The named daemon can exit or crash under certain conditions.

Conditions:
When BIND's DNSSEC validation and managed-keys features are enabled, remote attackers can cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use.

Impact:
Temporary DoS of the backend BIND server.

Workaround:
Disable BIND's DNSSEC validation and managed-keys features. These are not enabled by default on a BIG-IP.

Fix:
CVE-2015-1349


507782-1 : TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data

Component: Access Policy Manager

Symptoms:
TMM crashes on an attempt to open a Citrix connection.

Conditions:
An unpatched or malformed ICA file is received by the client.

Impact:
Network outage for all the clients served by TMM.

Workaround:

Fix:
Fixed validation of the input data sent in the ICA connection, so that an invalid or non-patched Address now causes the connection to be rejected instead of crashing TMM.


507753 : URL categorization missed if HTTP1.0 header does not have HOST

Component: Policy Enforcement Manager

Symptoms:
If the URL request does not carry an HTTP Host header (which is valid in HTTP 1.0 but not in HTTP 1.1), categorization does not happen.

Conditions:
PEM URLCAT is enabled, and the HTTP Host header is not available, which is possible for an HTTP 1.0 request.

Impact:
The URL is categorized as UNKNOWN under this condition.

Workaround:
None.

Fix:
Now, when the HTTP Host header is not present in the HTTP request, the PEM categorization engine still considers and processes the request.


507549-1 : PEM may ignore a RAR if the target session is in the Provision-Pending state

Component: Policy Enforcement Manager

Symptoms:
A session may remain in the Provision-Pending state longer than desirable resulting in the wrong policies being applied for the session.

Conditions:
When a new session is created, PEM sends out a CCR-I and expects a CCA-I within a certain time. If the CCA-I from the PCRF is delayed/lost, this can result in the session remaining in the Provision-Pending state (which implies waiting for PCRF to provide a policy update for the session) for longer than desired. PEM will continue to retransmit CCR-I until a CCA-I is received from the PCRF. During this time period if a RAR is received from the PCRF, it will be ignored and thus the PCRF is unaware of the state of the session.

Impact:
While in the Provision-Pending state, PEM does not have any specific policies to apply to the new session. Consequently, it will continue to apply the Unknown-subscriber policies for the session as long as it continues to stay in the P-P state.

Workaround:

Fix:
Modified the state machine to generate an RAA with an error status to indicate to the PCRF that the RAR was not accepted.


507487-1 : ZebOS Route not withdrawn when VAddr/VIP down and no default pool

Component: TMOS

Symptoms:
BIG-IP continues announcing RHI routes when VIPs and Virtual Addresses are down.

Conditions:
The issue occurs in the following case:
-- Have a VIP with pool selection via iRule.
-- Configure RHI on the VAddr corresponding to the VIP.
-- Down the pools (for example, toggling between HTTP monitor (up) and UDP monitor (down)).
-- VIP, VAddr, and pools are red.
-- Run the imish command.

Impact:
The kernel route is still announced, which might confuse other network devices about the network status, so the impact varies.

Workaround:
Configure the virtual server with a default pool instead of an iRule.

Fix:
Added validation for virtual server iRule pools.


507461-6 : Net cos config may not persist on HA unit following staggered restart of both HA pairs.

Component: TMOS

Symptoms:
The net cos global-settings may be cleared on an HA unit as a result of an HA pair configuration sync.

Conditions:
With a fully synced pair of HA chassis, restart the active chassis blade and then restart the standby chassis blade.

Impact:
A portion of the cos config information on the active chassis blade is missing, resulting in incongruent cos behavior between active and standby.

Workaround:
None.

Fix:
The system no longer resets active net cos settings during device/group HA configuration sync operations.


507327-1 : Programs that read stats can leak memory on errors reading files

Component: TMOS

Symptoms:
Daemons that read statistics might leak memory over time so the amount of memory they use continues to grow.

Conditions:
There is an error reading a statistics file. For example, permissions on the file or directory prohibit access.

Impact:
Eventually the daemon or system might run out of memory.

Workaround:
Remove whatever is causing the error reading the stats file, such as deleting unneeded files or fixing permissions.

Fix:
The memory is now freed when reading stats.


507318-3 : JS error when sending message from DWA new message form using Chrome

Component: Access Policy Manager

Symptoms:
When using Chrome to send a new message on DWA, a JavaScript 'toString' error occurs.

Conditions:
If the user clicks the Send button on the new message form, the following JavaScript errors appear:
-- cache-fm.js:5 Uncaught TypeError: Cannot read property 'toString' of undefined ?.
-- OpenDocument&Form=l_ScriptFrame&l=en&CR&MX&TS=20140915T180028,72Z&charset=UTF-8&charset=UTF-8&KIC&...:37 Uncaught TypeError: Cannot read property 'EgI' of undefined.

Impact:
The message is sent, but the tab is not closed.

Workaround:
None.

Fix:
When using Chrome to send a new message on DWA, a JavaScript error occurred. The message was sent but the tab did not close. This no longer occurs.


507289-3 : User interface performance of Web Application Security Editor users

Component: Application Security Manager

Symptoms:
Slow GUI performance for Web Application Security Editor users.

Conditions:
At least 100 active security policies in the system.

Impact:
Most ASM pages take more than 5 seconds to load for Web Application Security Editor users.

Workaround:
There is no workaround at this time.

Fix:
ASM Configuration utility pages load faster than they did previously for Web Application Security Editor users.


507143-1 : Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion

Component: Service Provider

Symptoms:
tmm cores due to 'valid pcb' assertion.

Conditions:
This can happen when the Diameter filter:
- Receives and queues a HUDCTL_SHUTDOWN event.
- Receives a HUDCTL_ABORT event before HUDCTL_SHUTDOWN has been dequeued.

Impact:
tmm abort and restart.

Workaround:

Fix:
The Diameter filter now queues HUDCTL_ABORT events so that they cannot leapfrog previously queued events.


507127-2 : DNS cache resolver is inserted to a wrong list on creation.

Component: Local Traffic Manager

Symptoms:
When a DNS cache resolver is created, it should be added to the cache resolver linked list. Instead, it is added to an incorrect linked list.

Conditions:
When creating a new DNS cache resolver.

Impact:
The DNS cache resolver cannot be found when searching the resolver linked list.

Workaround:
None.

Fix:
The DNS cache resolver is added to the correct linked list on creation and removed from the correct linked list on deletion.


506734 : Cloud lookup stress condition

Component: Policy Enforcement Manager

Symptoms:
This is a problem specific to a URL Cloud lookup.

Conditions:
When the number of URLs that require cloud lookup exceeds the TMM limit (currently 64 unprocessed requests), TMM slows down and data path traffic is throttled.

Impact:
TMM slows down. Data path traffic is throttled.

Workaround:
Self correcting after the normal URL traffic resumes.

Fix:
Thresholds were introduced in TMM. When the number of URLs that require cloud lookup exceeds the TMM limit (currently 64 unprocessed requests), URL cloud categorization is not attempted.


506702-4 : TSO can cause rare TMM crash.

Component: Local Traffic Manager

Symptoms:
TSO can cause rare TMM crash.

Conditions:
When TSO is used.

Impact:
tmm crash.

Workaround:
None.

Fix:
TSO no longer causes rare TMM crash.


506578 : Webroot cloud lookup does not yield a category.

Component: Policy Enforcement Manager

Symptoms:
If the URL portion of the cloud query (HOST and URL) contains uppercase letters, the returned result contains the URL in lowercase. This converted URL does not match a subsequent request for the same URL in the cloud lookup cache, so the URL goes uncategorized.

Conditions:
This occurs when Webroot cloud lookup is enabled, and the incoming HTTP request has a URL with some uppercase letters (the host portion is case insensitive). The Webroot cloud lookup feature is disabled by default.

Impact:
Additional Webroot cloud lookup requests are sent to the Webroot cloud service under certain conditions.

Workaround:
None.

Fix:
Webroot cloud lookup results are now categorized correctly. The request URL is stored in the cache without case conversion, so a subsequent HTTP request with the same URL is found in the cache.


506407 : Certain upgrade paths to 11.6.x would lose the redirect URL configuration for Alternate Response Pages

Component: Application Security Manager

Symptoms:
Redirect Response pages would become 'invalid' and lose their redirect URL configuration after upgrade.

Conditions:
1) In 11.2.x a policy existed with a redirect response page where the Response Header had a 'Location' command in it.
2) The policy or device is upgraded to 11.4.x or 11.5.x.
3) The policy or device is upgraded to 11.6.x.

Impact:
The Alternate Response Page would no longer be valid and would no longer redirect users to the desired URL. Additionally, on systems affected by Bug 504182, this configuration may cause the upgrade to fail and leave the system in an invalid state, causing crashes.

Workaround:
Before upgrade ensure the redirect URL is correctly configured.

Fix:
Upgrade to 11.6.x now correctly retains redirect URLs for Alternate Response Pages.


506386-2 : [CMI] Automatic ASM sync group remains stuck in init state when configured from tmsh

Component: Application Security Manager

Symptoms:
When a failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh, the units sit waiting for an "initial sync" event which never comes. All subsequent sync events are Incremental and never Full.

Conditions:
A failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh.

Impact:
Infrequently an initial sync event fails after ASM and auto-sync are enabled on a failover device group that did not have ASM enabled.

Workaround:
Configure the ASM device sync flag before the initial sync, or configure it from the GUI.

Fix:
We fixed an issue that occurred rarely when an initial sync event did not occur after ASM and auto-sync were enabled on a failover device group that did not have ASM enabled.


506372 : XML validation files related errors on upgrade

Component: Application Security Manager

Symptoms:
The following error appears in the ASM log after upgrade: PLC.PL_XML_PROFILE_VALIDATION_FILES is missing xml_validation_file_id (0) -- skipping

Conditions:
ASM provisioned. ASM policy with XML profile and validation files are assigned.

Impact:
XML validation files are not properly upgraded.

Workaround:
N/A

Fix:
XML validation files are now properly upgraded.


506355-1 : Importing an XML file without defined entity sections

Component: Application Security Manager

Symptoms:
Importing an XML file without entity sections defined will not create default wildcard entities in the security policy.

Conditions:
Importing a partially defined XML security policy file.

Impact:
Policy was not created with default entities as expected.

Workaround:
Add the missing entities after importing the incomplete XML file.

Fix:
Previously, importing an XML file without defining the entity sections resulted in an empty URL wildcard list. Now, this process creates default wildcard entities in the security policy, as expected.


506349-4 : BIG-IP Edge Client for Mac identified as browser by APM in some cases

Component: Access Policy Manager

Symptoms:
APM sometimes determines that BIG-IP Edge Client for Mac is a browser. This can happen if the user connects again using the link on the logout page that says "Click here to open new session".

Conditions:
APM with BIG-IP Edge Client for Mac.

Impact:
Impact depends upon access policy but user might not be able to connect.

Workaround:
Click the Disconnect/Connect buttons on BIG-IP Edge Client instead of clicking the links on the logout page.

Fix:
APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".


506290-4 : MPI redirected traffic should be sent to HSB ring1

Component: Local Traffic Manager

Symptoms:
The MPI redirected traffic is the traffic between two TMMs. It is currently sent to HSB ring0. HSB ring0 has small packet buffers and is used to handle the traffic of highest priority. Large amount of MPI redirect traffic can cause packet drops on HSB ring0.

Conditions:
Large amount of MPI redirect traffic.

Impact:
Potential packet drops on HSB ring0.

Workaround:
None.

Fix:
Send MPI redirected traffic to HSB ring1, which is correct behavior.


506283 : 100% TPS drop when webroot cloud lookup is enabled under stress condition

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and the BIG-IP system is under stress load with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system, the TPS of the data path traffic slows down as it gets throttled.

Conditions:
If Webroot cloud lookup is enabled while there is heavy traffic with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system.

Impact:
TPS throughput may be reduced while this condition persists. This only occurs when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The system now throttles URL cloud lookup requests when PEM detects that the number of URLs that require cloud lookup exceeds the TMM limits/thresholds.


506281 : F5 Internal tool change to facilitate creating Engineering Hotfixes.

Component: TMOS

Symptoms:
F5 Internal tool change to facilitate creating Engineering Hotfixes.

Conditions:
Engineering Hotfix creation.

Impact:
No customer impact.

Workaround:

Fix:
Configuration Management tools fix for better reliability.


506235-2 : SIGSEGV caused by access_redirect_client_to_original_uri

Component: Access Policy Manager

Symptoms:
TMM might core, possibly more than once in quick succession (within a few minutes).

Conditions:
BIG-IP v11.5.1 HF6 or later with APM provisioned.

Impact:
TMM core:
-- Failover to standby (if applicable).
-- Possible additional TMM cores on Active and Standby units. If the BIG-IP system is configured in an HA pair, TMM might core on the Standby unit shortly after the Active unit.
The TMM log entries reporting the TMM core might not include any stack trace details.

Workaround:

Fix:
This release fixes a TMM core that occurred with APM provisioned.


506110-1 : Log flood within datasyncd.log in clustered environment

Component: Application Security Manager

Symptoms:
Log flooding occurs within datasyncd.log every few seconds: rsync: failed to connect to 127.3.0.3: No route to host (113).

Conditions:
Within a clustered environment, one or more of the blades are down, powered off, disabled, or not populated. This may happen on a blade that is powered on, or when the cluster is added to a trust domain. The logged messages continue for a duration of a few minutes to a few hours.

Impact:
No impact to traffic. Messages are added to datasyncd.log every few seconds.

Workaround:
None.

Fix:
datasyncd.log no longer causes a log flood in clustered environments where one or more of the blades are either down, powered off, disabled, or not populated.


505986 : Extra Webroot cloud lookup requests when cache is full

Component: Policy Enforcement Manager

Symptoms:
When the Webroot cloud lookup cache is full, additional Webroot cloud lookup requests are made to Webroot cloud services when URL inputs cannot be categorized by local Webroot database and cloud lookup cache managed on the BIG-IP system.

Conditions:
This occurs when Webroot cloud lookup is enabled, and the 128 KB-sized cloud-entries internal cache is full.

Impact:
Additional Webroot cloud lookup requests are sent to the Webroot cloud service under certain conditions. This only occurs when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
Webroot cloud lookup requests are no longer sent out to the cloud if the cloud lookup cache is full. This is correct behavior.


505964 : Invalid http cookie handling can lead to tmm core

Component: Local Traffic Manager

Symptoms:
If an http cookie is invalid, then subsequent modifications to http cookie entries can result in a tmm core.

Conditions:
This issue can occur with an HTTP virtual server that performs cookie processing (either via an iRule, profile configuration, or as a result of persistence) and also performs header manipulation.

Impact:
TMM restart.

Workaround:
None.

Fix:
A crash in the HTTP profile implementation of cookie handling has been fixed.


505878 : Configuration load failure on secondary blades may occur when the chassis is rebooted

Component: TMOS

Symptoms:
On secondary blades, errors similar to the following appear in the ltm log:
-- err mcpd[8115]: 01070821:3: User Restriction Error: User (Unknown) may not change the role of Administrator (t004576a).
-- err mcpd[8115]: 01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
-- err mcpd[8115]: 01070734:3: Configuration error: MCPProcessor::check_initialization:.

Conditions:
A multi-bladed system is required, along with the presence of a user account (other than admin or root) that has Administrator privileges. The issue may then occur with a reboot of some or all of the blades.

Impact:
Secondary blades are offline.

Workaround:
None.

Fix:
Configuration now loads to completion on secondary blades.


505797-1 : Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android fails to authenticate with APM when it is configured in StoreFront proxy mode for AGEE authentication.

Conditions:
APM is configured in StoreFront proxy mode for AGEE authentication and Citrix Receiver for Android is used.

Impact:
Citrix Receiver for Android is unable to authenticate with APM.

Workaround:

Fix:
Now Citrix Receiver for Android can successfully authenticate with APM when it is configured in StoreFront proxy mode for AGEE authentication.


505662-1 : Signed SAML IdP/SP exported metadata contains some elements in wrong order

Component: Access Policy Manager

Symptoms:
The location of the <Signature> element is incorrect when exporting signed metadata from the BIG-IP system as a SAML IdP/SP.

Conditions:
BIG-IP is configured as IdP or SP. Administrator chooses to sign exported metadata.

Impact:
External SAML product may not be able to import metadata produced by BIG-IP system.

Workaround:
The metadata can be edited manually in a text editor to move the <Signature> element to the correct location.

Fix:
The <Signature> element is now placed in the correct location.


505624-1 : Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration

Component: Advanced Firewall Manager

Symptoms:
A remote logger will continue to get DoS layer 7 messages after it was removed from the virtual server configuration.

Conditions:
A remote logger was connected to a virtual server and the user removed it from the virtual server configuration.

Impact:
That remote logger will continue to get DoS layer 7 messages.

Workaround:
bigstart restart dosl7d

Fix:
An issue where the DoS profile continued to write to a removed logging profile was fixed.


505529 : wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled.

Component: Policy Enforcement Manager

Symptoms:
On VIPRION chassis the wr_urldbd may restart.

Conditions:
If webroot cloud lookup is enabled on a specific platform, such as VIPRION.

Impact:
When webroot cloud lookup is enabled on certain platform such as VIPRION, the PEM URL categorization feature is disrupted due to wr_urldbd daemon restart.

Workaround:
None.

Fix:
wr_urldbd no longer restarts on VIPRION chassis with webroot lookup enabled.


505331-1 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
The SASP monitor unexpectedly terminates with a core dump.

Conditions:
More than one Group Workload Manager (GWM) server, and all servers are down at the same time.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage.

Workaround:
None.

Fix:
SASP monitor no longer cores when multiple Group Workload Manager (GWM) servers are down.


505323-1 : NSM hangs in a loop, utilizing 100% CPU

Component: TMOS

Symptoms:
The NSM daemon hangs in an endless loop while searching for a recursive nexthop in a trie. This causes NSM to become unresponsive.

Conditions:
BGP is configured with a recursive nexthop.

Impact:
Dynamic routing fails to be responsive to imish commands, and NSM might not update routes.

Workaround:
None.

Fix:
The NSM endless loop issue has been fixed, and NSM no longer hangs. Dynamic routing operation is normal.


505069 : Webroot cloud lookup granularity

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and a URL cannot be categorized using the local Webroot database managed on the BIG-IP system, the Webroot cloud database lookup treats the entire URL as one query rather than querying by its subparts.

Conditions:
If Webroot cloud lookup is enabled, and if the first request is: amazon.com/url1 and second request is amazon.com/url2, the second URL request results in an unnecessary cloud lookup.

Impact:
Potential performance impact due to additional, unnecessary Webroot cloud lookups. This only occurs when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The issue has been addressed with granular Webroot cloud lookup: the first Webroot cloud lookup request for a URL retrieves all cloud results for it, so additional Webroot cloud lookups can be avoided.


505056-5 : Packet priority pass-through mode not implemented correctly.

Component: Local Traffic Manager

Symptoms:
When the hardware COS queue feature is enabled, in some cases the BIG-IP system sends an egress packet with a priority different from that of ingress packet on the same flow.

Conditions:
Hardware COS queue feature is enabled.

Impact:
Egress packets are sent with an incorrect packet priority and delivered on the incorrect switch COS queues, resulting in lower performance.

Workaround:
None.

Fix:
Packet priority passthrough mode is now sending correct packet priority and delivering on the correct switch COS queue.


504973-1 : Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead

Component: Application Security Manager

Symptoms:
When creating a policy using a route domain and a full 32 bit subnet mask, the ASM saves it as a 128 bit mask.

Conditions:
Provisioned ASM

Impact:
Wrong 128 bit subnet mask is saved instead of the configured 32 bit mask.

Workaround:
There is no workaround at this time.

Fix:
When creating a security policy using a route domain and a full 32 bit subnet mask, ASM no longer saves it as a 128 bit mask.


504880-2 : tmm may crash when RDP client connects to APM configured as Remote Desktop Gateway

Component: Access Policy Manager

Symptoms:
tmm may crash when RDP client connects to APM configured as Remote Desktop Gateway.

Conditions:
APM configured as Remote Desktop Gateway. RDP client connects to APM.

Impact:
tmm crash.

Workaround:
None.

Fix:
The tmm crash is fixed for the scenario where an RDP client connects to APM configured as Remote Desktop Gateway.


504718-2 : Policy auto-merge of Policy Diff

Component: Application Security Manager

Symptoms:
Running auto-merge on the Diff of two policies fails.

Conditions:
Running auto-merge on the Diff results of two policies.

Impact:
Policies cannot be auto-merged after viewing Diff.

Workaround:
None.

Fix:
The auto-merge functionality of Policy Diff now works as expected.


504606-3 : Session check interval now has minimum value

Component: Access Policy Manager

Symptoms:
Session check interval can be changed or turned off completely for debug purposes.

Conditions:
Using the session check interval.

Impact:
Session check interval may be set to excessively short value.

Workaround:
None.

Fix:
Session check interval now has a minimum (5000 msec), which prevents the value from being too small.


504572-4 : PVA accelerated 3WHS packets are sent in wrong hardware COS queue

Component: TMOS

Symptoms:
Under full ePVA acceleration, 3WHS (3-way handshake) packets from VIP to node will always egress on hardware COS queue 3, regardless of COS queue mapping configured on the system.

Conditions:
The packets need to be fully accelerated by ePVA.

Impact:
Potential performance downgrade.

Workaround:
None.

Fix:
PVA accelerated 3WHS packets are now egressed on the correct hardware COS queue.


504508-1 : IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled

Component: TMOS

Symptoms:
When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.

Conditions:
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled.

Impact:
IPsec tunnel goes down, traffic stops.

Workaround:
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.

Fix:
IPsec tunnels between the BIG-IP system and Cisco devices with an older Dead Peer Detection (DPD) implementation are no longer brought down because of a mismatched Cookie field in the DPD messages.


504490-1 : The BIG-IP system sometimes takes longer on boot up to become Active.

Component: TMOS

Symptoms:
The system takes several minutes longer than normal after boot up to go from Offline to Active.

Conditions:
This timing issue occurs rarely on boot up. It might occur more frequently on older platforms running newer versions of the software.

Impact:
Because of a timing issue during system load, it takes longer for the system to become ready to pass traffic after being deployed or rebooted.

Workaround:
None.

Fix:
A BIG-IP system no longer takes longer than normal to become Active on boot up due to this particular underlying issue.


504461-2 : Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.

Component: Access Policy Manager

Symptoms:
APM is unable to complete the access policy when there is a Variable Assign agent in front of a Logon Page agent.

Conditions:
Access policy has a Variable Assign agent in front of a Logon Page agent.

Impact:
APM is unable to complete the access policy.

Workaround:

Fix:
Now APM can successfully run access policies where a Variable Assign agent resides in front of a Logon Page agent.


504414-1 : AVR HTTP External log - missing fields

Component: Application Visibility and Reporting

Symptoms:
New fields were added to HTTP statistics in version 11.6 and they are available in the Configuration utility, but they were not exported out to the external log.

Conditions:
Use AVR HTTP profile, with the external log option.

Impact:
Some information that AVR can provide is missing.

Workaround:
No workaround

Fix:
The following missing fields were added to the external report: DosL7ProfileName, TransactionOutcome, DosL7AttackID.


504348-1 : iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers

Component: Service Provider

Symptoms:
ADAPT iRules cannot inspect adapted headers because the rule sees the original headers before the request is adapted. Similarly for the ADAPT_RESPONSE_RESULT event.

Conditions:
Using request-adapt or response-adapt profiles, and an internal virtual server that can modify the HTTP headers, along with an iRule such as:
when ADAPT_REQUEST_RESULT {
    log local0. "Modified host = [HTTP::host]"
}

Impact:
Impossible to inspect the modified headers. One consequence is that if a request adaptation modifies the 'Host:' value, it is not possible to use an iRule to apply that to the transport connection, so the modified request goes to the original server.

Workaround:
None.

Fix:
Two new ADAPT iRule events have been added (ADAPT_REQUEST_HEADERS and ADAPT_RESPONSE_HEADERS) which trigger after ADAPT has received the modified headers, when the IVS is returning a modified request or response. They do not trigger when the IVS has instructed ADAPT to bypass or a service-down condition has occurred.


504306-2 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur. For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers. BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.

Fix:
https monitors now properly perform SSL session re-use.


504232-2 : Attack signatures are not blocked after signature/set change

Component: Application Security Manager

Symptoms:
System wide signature updates, like Attack Signature Update, can cause some security policies to erroneously change their enforcement of attack signatures to Transparent mode.

Conditions:
There are security policies in both Transparent and Blocking mode, and there is an update to the system's attack signatures.

Impact:
A security policy will not block attack signatures that are meant to be blocked.

Workaround:
Toggle the transparent/enforce flag on a security policy, and apply the security policy.

Fix:
We fixed an issue that caused false positives or a lack of enforcement (such as not blocking) when attack signatures were updated or modified.


504225-2 : Virtual creation with the multicast IPv6 address returns error message

Component: Local Traffic Manager

Symptoms:
When LTM has DHCPv6 profile attached to a virtual server with relay mode configured with multicast IPv6 address, it will return error message, '01020064:3: IPv6 Address ff02::1:2 is invalid, Multicast address not allowed.'

Conditions:
Create an IPv6 virtual with multicast IPv6 address with DHCPv6 profile (relay mode) attached.

Impact:
Cannot create an IPv6 virtual server with a multicast IPv6 address and a DHCPv6 relay mode profile attached.

Workaround:
None.

Fix:
Can now create an IPv6 virtual with multicast IPv6 address with DHCPv6 profile (relay mode) attached.


504182-1 : Enforcer cores after upgrade upon the first request

Component: Application Security Manager

Symptoms:
If an ASM security policy contains entities with invalid configuration from a previous version, UCS load will fail and leave the device in an inconsistent state, leading to BD crash.

Conditions:
An ASM security policy contains entities with invalid configuration from a previous version.

Impact:
UCS load will fail and leave the device in an inconsistent state, leading to BD crash.

Workaround:
Correct ASM entity configuration before upgrade.

Fix:
We fixed an upgrade issue where the Enforcer crashed after the upgrade upon the first request (this was due to a missing data protection configuration).


504028-1 : Generate CCR-T first and then CCR-I if session being replaced

Component: Policy Enforcement Manager

Symptoms:
CCR-I was sent first and then CCR-T if the same subscriber session was created with a different IP address. This could confuse the PCRF, which for a period of time sees 2 active sessions for the same subscriber.

Conditions:
A session is created with subscriber ID S1 and IP address IP1, and a new RADIUS Start or session create request arrives with S1 and IP2.

Impact:
CCR-I is generated first and then CCR-T, which confuses a PCRF that uses the subscriber ID as its key to the subscriber session.

Workaround:

Fix:
Upgrade to the latest hotfix or version that has the fix for this issue.


503875-1 : Configure bwc policy category max rate

Component: TMOS

Symptoms:
When the category max rate percentage is configured with a low value, for example, a low value relative to the policy max user rate, some packets might be dropped.

Conditions:
The bwc policy is configured as dynamic, with categories, and the category max rate is configured to a low value while the policy is being provisioned and mapped to traffic flows.

Impact:
Packets in flows using the bwc policy and category may be dropped, and the flows mapped to the category might not be able to pass packets.

Workaround:
Configure the category rate as an absolute value that is higher relative to the policy max user rate.

Fix:
Category max rate percentage is now configured to ensure valid settings.


503741-2 : DTLS session should not be closed when it receives a bad record.

Component: Local Traffic Manager

Symptoms:
According to RFC 6347, section 4.1.2.7, Handling Invalid Records: 'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.' In the BIG-IP implementation, DTLS disconnects the session when it receives an invalid record.

Conditions:
DTLS receives a bad record packet.

Impact:
DTLS disconnects the session.

Workaround:
None.

Fix:
The system now silently discards all of the invalid records and preserves the association. This is correct behavior.


503683 : Configuration upgrade failure due to change in an ASM predefined report name

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version and upgrading.

Conditions:
Define scheduled report on top of 'Top alerted URLs' on previous version and upgrade the version.

Impact:
Version upgrade fails, and the BIG-IP system is not usable.

Workaround:
Change the '/Common/Top Alerted URLs' reference in the bigip.conf file of the UCS to '/Common/Top Alarmed URLs', and then load the modified UCS.

Fix:
A configuration load failure no longer occurs after creating an ASM predefined report in a previous version and upgrading.


503676-4 : SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events

Component: Service Provider

Symptoms:
SIP REFER, INFO, and UPDATE requests do not trigger iRule events.

Conditions:
This occurs when the following conditions are met:
-- Virtual server has a SIP profile.
-- Virtual server has iRule(s) containing SIP_REQUEST or SIP_REQUEST_SEND events.
-- A SIP REFER, INFO, or UPDATE request is received on the virtual server.

Impact:
iRule event is not executed.

Workaround:

Fix:
SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.


503620-3 : ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later

Component: Local Traffic Manager

Symptoms:
BIG-IP SSL when using ciphers ECDHE_ECDSA and DHE_DSS does not work consistently with OpenSSL clients using OpenSSL versions 1.0.1k or later.

Conditions:
When the ciphers used are ECDHE_ECDSA or DHE_DSS, and the OpenSSL clients have versions later than OpenSSL 1.0.1k.

Impact:
SSL handshake failed. The OpenSSL clients might encounter a decryption error while reading the server key exchange.

Workaround:
Use OpenSSL versions earlier than OpenSSL 1.0.1k.

Fix:
BIG-IP SSL now works well with ciphers ECDHE_ECDSA or DHE_DSS with OpenSSL client version OpenSSL 1.0.1k and later.


503604-3 : Tmm core when switching from interface tunnel to policy based tunnel

Component: TMOS

Symptoms:
When the configuration is changed from an interface tunnel to a policy based tunnel, tmm crashes. Most likely this is a timing issue in which the pnh is not updated while the policy is updated, so the policy_type (policy_interface vs policy_ipsec) is mismatched.

Conditions:
Traffic is passing in the background while the configuration is changed from an interface tunnel to a policy based tunnel.

Impact:
Tmm core and traffic loss

Workaround:
No workaround

Fix:
tmm no longer cores when switching from an interface tunnel to a policy based tunnel.


503560-2 : Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.

Component: Local Traffic Manager

Symptoms:
Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.

Conditions:
HTTP transparent profile is attached to a virtual server. Statistics profile now cannot be attached to the same virtual server.

Impact:
Only a Statistics profile or an HTTP transparent profile may be assigned to a single virtual server.

Workaround:
None.

Fix:
The validation logic has been changed to allow a Statistics profile and an HTTP transparent profile to be attached to the same virtual server simultaneously.


503541-2 : Use 64 bit instead of 10 bit for Rate Tracker library hashing.

Component: Advanced Firewall Manager

Symptoms:
Rate Tracker 10 bit hashing may cause unbalanced traffic distribution.

Conditions:
When the sweep and flood vectors are enabled in the AFM module.

Impact:
Impact to Sweep and Flood detection rate accuracy.

Workaround:
None.

Fix:
The system now uses 64 bit instead of 10 bit for Rate Tracker hashing, which results in more balanced traffic distribution.


503471-1 : Memory leak can occur when there is a compressed response, and abnormal termination of the connection

Component: Application Visibility and Reporting

Symptoms:
Memory utilization grows over time.

Conditions:
A compressed response is sent and the connection terminates abnormally.

Impact:
Memory leak in TMM that grows over time.

Workaround:
Avoid configuration of Application DoS with Client-side mitigation.

Fix:
Memory leak is fixed.


503381-2 : SSL persistence may cause connection resets

Component: Policy Enforcement Manager

Symptoms:
If SSL persistence is enabled, and the resulting connection does not use SSL (that is, it is plaintext), the connection may be reset.

Conditions:
SSL persistence is enabled on a virtual that does not use SSL.

Impact:
The connection is reset.

Workaround:
None.

Fix:
SSL persistence no longer causes the connection to be reset with non-SSL traffic.


503319-4 : After network access is established, browser sometimes receives truncated proxy.pac file

Component: Access Policy Manager

Symptoms:
After network access is established, the proxy.pac file received by the browser is truncated.

Conditions:
This occurs if the proxy.pac file is larger than 65535 bytes (~65 KB).

Impact:
A large proxy.pac file might not be downloaded, or might be truncated.

Workaround:
Reduce the proxy.pac file size so that the merged file is less than ~65 KB.

Fix:
The proxy.pac file merged by the F5 tunnel server is no longer truncated when sent to the browser, even if its size is greater than ~65 KB.


503214-3 : Under high load, crypto queues may become stuck

Component: Local Traffic Manager

Symptoms:
When the BIG-IP is under high load, it may erroneously determine that the hardware crypto queues are stuck and trigger an HA failover event.

Conditions:
BIG-IP under high load and using hardware crypto.

Impact:
HA failover.

Workaround:
None.

Fix:
BIG-IP now performs an extra check to determine whether the crypto hardware queues are really stuck.


503169-1 : XML validation files are not correctly imported/upgraded

Component: Application Security Manager

Symptoms:
XML validation files are not assigned to the correct XML profiles after upgrade/policy import.

Conditions:
ASM provisioned XML profiles with XML validation files assigned.

Impact:
XML validation files are not assigned to the correct XML profiles.

Workaround:
N/A

Fix:
XML validation files are now assigned to the correct XML profiles.


503118-2 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When a parking command is used inside clientside or serverside, tmm crashes.

Conditions:
A parking command (for example, the table command) is used inside a clientside or serverside command.

Impact:
tmm crashes.

Workaround:
Move the parking command outside the clientside or serverside command.

Fix:
A parking command can now run inside clientside and serverside. The client-side connection must exist when the clientside command runs, and the server-side connection must exist when the serverside command runs; otherwise the clientside and serverside commands fail.


503085-3 : Make the RateTracker threshold a constant

Component: Advanced Firewall Manager

Symptoms:
Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions.

Conditions:
When Sweep and Flood is enabled in AFM module.

Impact:
Some Sweep and Flood functionality might not provide sufficient detection rate accuracy.

Workaround:
None.

Fix:
The RateTracker threshold is now a constant, which improves detection rate accuracy.


502959-2 : Unable to get a response from virtual server after node flapping

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently.

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). In certain circumstances, requests may hang (the client is connected, waiting for a response).

Workaround:
None.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


502852-2 : Deleting an in-use custom policy template

Component: Application Security Manager

Symptoms:
If a user tries to delete a custom policy template while there are still security policies on the system that were created from that template, the delete fails but leaves the custom template in an unusable state in which it can neither be used to create further policies nor ever be deleted.

Conditions:
A security policy exists on the system that was created from a custom template. The user then tries to delete the template before removing the policy from the system.

Impact:
The custom template becomes unusable for creating new policies, and cannot be deleted even after no policies created from it remain on the system.

Workaround:
Contact support for a script that disassociates all user-defined policy templates from existing policies. This allows any user-defined template to be deleted successfully.

Fix:
Failing to delete a custom policy template because an existing security policy refers to it no longer leaves the custom policy template in an unusable state.


502770-2 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When a parking command is used inside clientside or serverside, tmm crashes.

Conditions:
A parking command (for example, the table command) is used inside a clientside or serverside command.

Impact:
tmm crashes.

Workaround:
Move the parking command outside the clientside or serverside command.

Fix:
A parking command can now run inside clientside and serverside. The client-side connection must exist when the clientside command runs, and the server-side connection must exist when the serverside command runs; otherwise the clientside and serverside commands fail.


502683-3 : Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on

Component: Local Traffic Manager

Symptoms:
In certain corner cases, BIG-IP software rejects valid SYN-Cookie responses due to incorrect hardware algorithm masking on the software side.

Conditions:
This issue appears only on hardware-SYN-Cookie-capable platforms when running the hardware SYN-Cookie algorithm.

Impact:
Intermittent connection failures.

Workaround:
Run the software SYN-Cookie algorithm by setting the corresponding DB variable. This ensures that the software runs the correct generation and validation algorithm.

Fix:
Traffic is now handled correctly in syncookie mode when hardware syncookie is on.


502675-1 : Improve reliability of LOP/LBH firmware updates

Component: TMOS

Symptoms:
Certain F5 appliances and blades implement the Always On Management functionality via a LOP (Lights Out Processor) or LBH (Lights Out Processor/Backplane Microcontroller Hybrid) device. Under rare conditions, if a critical kernel event occurs while the LOP/LBH firmware is being updated to a newer version, the LOP/LBH firmware image may become corrupted on the LOP/LBH device.

Conditions:
This issue may occur on the following F5 Networks appliances and blades: -- BIG-IP 2000-/4000-series, 5000-/7000-series, 10000-/12000-series appliances. -- VIPRION B2100, B2150, B2250 blades.

Impact:
If the LOP/LBH firmware becomes corrupted, the LOP/LBH device does not function properly, affecting critical chassis-management functionality such as identification of platform details including a blade's current slot in the chassis, obtaining current license state, and monitoring of chassis health information.

Workaround:
None.

Fix:
LOP/LBH firmware updates are protected against rare corruption by critical kernel events.


502441-5 : Network Access connection might reset for large proxy.pac files.

Component: Access Policy Manager

Symptoms:
Network Access connection might reset when large proxy.pac files are configured in the access policy.

Conditions:
Mac Edge Client, browsers, Network Access, large proxy.pac file.

Impact:
Network Access connection might reset.

Workaround:
Reduce the proxy.pac file size to be less than 10 KB.

Fix:
Network Access connection does not reset if a large proxy.pac file is configured.


502414-2 : Make the RateTracker tier3 initialization number less variable.

Component: Advanced Firewall Manager

Symptoms:
Sweep and Flood vectors may exceed configured rate limit values by 10%-30%.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
Sweep and Flood attacks are detected at higher than the configured levels.

Workaround:
None.

Fix:
An optimization was made to Rate Tracker that makes attack detection more accurate.


502149-3 : Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'

Component: Local Traffic Manager

Symptoms:
When archiving a cert/key via the GUI, the following error message is displayed: 'EC keys are incompatible for Webserver/EM/iQuery.'

Conditions:
When archiving a cert/key via the GUI.

Impact:
Intermittently, an error is received when trying to archive keys or certificates via the GUI.

Workaround:
None.

Fix:
iControl now stores the mode information and sets a default value for it, so no error is reported.


502016-4 : Mac client components do not log version numbers in log file.

Component: Access Policy Manager

Symptoms:
Some client components do not log version numbers in the log file.

Conditions:
Mac client components.

Impact:
Lack of version numbers in the log file.

Workaround:
None.

Fix:
Client components for Mac now log version numbers in log files.


501986-3 : Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process

Component: Advanced Firewall Manager

Symptoms:
There is a need for Sweep and Flood vectors to be very accurate (within ±5%). To make this possible, a mode has been added in which the Sweep and Flood vectors work per TMM process; in this mode the traffic must be very well distributed across TMMs for it to be effective. A new sys db tunable, dos.globalsflimits, controls this and is true by default. If the tunable is set to false, the Sweep and Flood vectors work per TMM process: the limits configured by the user are divided equally among the TMM processes, and because the traffic is well distributed among them, the observed rates come close to the limits specified.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
If the db variable is changed to false, the incoming traffic must be well distributed across TMM processes.

Workaround:
None.

Fix:
A sys db tunable (dos.globalsflimits) has been added to make Sweep and Flood vectors rate-limited per TMM process.


501953-2 : HA failsafe triggering on standby device does not clear next active for that device.

Component: TMOS

Symptoms:
An HA failsafe triggering on a standby device that is marked as next active for a traffic group does not clear the next active setting for that device. This leaves the system in a state in which the device designated as next active cannot take over for the active device in the case of a failure.

Conditions:
HA setup with two or more devices in a device trust and device group. HA failsafes are configured on one or more devices in the device group. The HA failsafes are triggered on a device that is currently in the standby state and designated next active for a traffic group.

Impact:
A device marked as next active for a traffic group with a triggered HA failsafe does not take over a traffic group in the case of a failure on the active switch.

Workaround:
Force the device in question offline so that another device is marked as next active.

Fix:
The fix correctly removes the next active setting for a device when it is in standby mode and an HA failsafe triggers. This causes a new device to be picked as next active if one is in standby mode and capable of running the traffic group.


501690-3 : TMM crash in RESOLV::lookup for multi-RR TXT record

Component: Local Traffic Manager

Symptoms:
TMM crashes with a specific ASSERT-based backtrace.

Conditions:
Requires an LTM listener with an iRule that has a RESOLV::lookup command querying for a TXT record and receiving multiple RRs.

Impact:
Failover, with a momentary halt to traffic processing.

Workaround:
None.

Fix:
TMM no longer crashes due to the behavior of the LTM listener with an iRule that has a RESOLV::lookup command when parsing its return values.


501612-4 : Spurious Configuration Synchronizations

Component: Application Security Manager

Symptoms:
Some items (for example, Incidents) were considered to be config elements that require synchronization when their status changes (such as being read), but are not actually synchronized in a device group.

Conditions:
Event Correlation Incidents occur and are read by the user while in a manual sync device group for ASM.

Impact:
The synchronization state of a device group erroneously changes to "Pending".

Workaround:
None.

Fix:
Items that are not synchronized across a device group no longer cause changes to the synchronization state.


501498-1 : APM CTU doesn't pick up logs for Machine Certificate Service

Component: Access Policy Manager

Symptoms:
CTU report does not contain logs from Machine Certificate Service.

Conditions:
When the CTU report is run, it does not contain data in the logs.

Impact:
Logs are not available to technical staff.

Workaround:
You can pick up logs manually from C:\Windows\Temp\logterminal.txt.

Fix:
CTU now correctly picks up logs for the Machine Certificate Service.


501480-3 : AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.

Component: Advanced Firewall Manager

Symptoms:
With AFM DoS Single Endpoint Sweep and Flood Vectors configured, TMM might crash while processing a huge amount of the configured attack traffic.

Conditions:
AFM DoS Single Endpoint Sweep and Flood attack vector is enabled in the AFM module.

Impact:
TMM crash and restart.

Workaround:
Do not configure the AFM DoS Single Endpoint Sweep and Flood Vector.

Fix:
AFM DoS Single Endpoint Sweep and Flood Vectors now handle traffic correctly, so that TMM does not crash.


501371-4 : mcpd sometimes exits while doing a file sync operation

Component: TMOS

Symptoms:
mcpd exits randomly. If mcpd debug logging is enabled, the system might post an operation similar to the following: Received request message from connection 0x5fe47008 (user %cmi-mcpd-peer-/Common/LNJDCZ-VPN1.example): query_all { sync_file { sync_file_file_to_sync "/var/apm/localdb/mysql_bkup.sql" sync_file_target_dg "/Common/HA_Rhodes_APM" sync_file_postprocess_action "/usr/libexec/localdb_mysql_restore.sh" sync_file_originator "/Common/LNJDCZ-VPN1.example" } }

Conditions:
mcpd is performing a file sync.

Impact:
Randomly, mcpd exits, triggering a failover.

Workaround:
None.

Fix:
Ensured mcpd no longer exits while performing a file sync.


501343-3 : In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle

Component: TMOS

Symptoms:
In FIPS HA setup when the FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B, Device B (the HA peer) gets the configuration from Device A and operates as if the handle is correct because the modulus matches, but it actually is the public-handle and not the private-handle.

Conditions:
FIPS HA setup and FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B.

Impact:
With this configuration, when the device fails over, it can lead to traffic failure. This occurs because TMM tries to use the public-handle when it should be using the private-handle.

Workaround:

Fix:
FIPS HA peer verifies the FIPS handle type to confirm that it uses only the private FIPS handles.


500925-3 : Introduce a new sys db variable to control the number of merges per second of the Rate Tracker library.

Component: Advanced Firewall Manager

Symptoms:
The accuracy of the rate limit for the Sweep and Flood vectors is affected by the number of merges per second in the Rate Tracker library.

Conditions:
When sweep and flood vector is enabled in AFM module.

Impact:
There is no way to control the number of merges per second of the Rate Tracker.

Workaround:
None.

Fix:
A new sys db variable has been introduced to control the number of merges per second of the Rate Tracker library.


500544-1 : XML validation files are not correctly imported/upgraded

Component: Application Security Manager

Symptoms:
XML validation files are not assigned to the correct XML profiles after upgrade/policy import.

Conditions:
ASM provisioned XML profiles with XML validation files assigned.

Impact:
XML validation files are not assigned to the correct XML profiles.

Workaround:
N/A

Fix:
XML validation files are now assigned to the correct XML profiles.


500457-1 : Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash

Component: Application Visibility and Reporting

Symptoms:
There is a synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash.

Conditions:
AVR and DOS profiles assigned to all virtual servers.

Impact:
TMM and other daemons, such as the Enforcer, crash.

Workaround:
N/A

Fix:
Fixed synchronization problem in AVR lookups that sometimes caused TMM and other daemons, such as the Enforcer, to crash.


500449 : "Any IPv4 or IPv6" choice in sweep attack has atypical definition

Component: Advanced Firewall Manager

Symptoms:
The online help (OLH) does not convey the function of the "Any IPv4" or "Any IPv6" choice in the single endpoint sweep attack configuration.

Conditions:
When one of these options is chosen, the configuration does not behave as expected; it does not detect "any" traffic.

Impact:
When selected, the endpoint sweep attack detects only traffic "other than TCP, UDP, ICMP, or IGMP."

Workaround:

Fix:
In the DoS Device Protection configuration for a Single Endpoint Sweep attack, the packet types "Any IPv4" and "Any IPv6" do not actually apply to all IPv4 and IPv6 traffic. Rather, these categories apply to any traffic other than TCP, UDP, ICMP, or IGMP. This has been clarified in the system online help.


500365-3 : TMM Core as SIP hudnode leaks

Component: Service Provider

Symptoms:
There is a memory leak when using SIP in TCP/ClientSSL configurations.

Conditions:
The leak occurs when the clientside flow is torn down in response to the SSL handshake not completing.

Impact:
Because the SSL handshake is not complete, the SIP handler cannot complete the operation as expected, which results in an error and a memory leak of the SIP handler. The tmm memory increases, which eventually requires restarting tmm as a workaround.

Workaround:
Although there is no workaround to prevent the issue, you can recover from the memory-leak condition by restarting tmm.

Fix:
This release fixes a memory leak that occurred when using SIP in TCP/ClientSSL configurations, when the clientside flow was torn down in response to the SSL handshake not completing. The system now frees the SIP handler upon receiving the notification of a failed SSL handshake, so that the connection is rejected, the system performs the proper cleanup of the SIP handler, and no memory leak occurs.


500219-1 : TMM core if identical RADIUS start messages received

Component: Policy Enforcement Manager

Symptoms:
TMM cores and restarts when identical RADIUS start messages are received by the BIG-IP system with PEM provisioned.

Conditions:
Identical RADIUS start messages are received by PEM to create a session.

Impact:
TMM core and restart, which causes traffic disruption.

Workaround:

Fix:
Duplicate RADIUS start messages are now handled properly, so tmm no longer cores.


500034-1 : [SMTP Configuration] Encrypted password not shown in GUI

Component: Application Visibility and Reporting

Symptoms:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password field is empty in the configuration utility when accessing the newly created SMTP object. TMSH shows the password in hash format.

Conditions:
1. Authentication is enabled. 2. A username and password are configured.

Impact:
SMTP authentication fails.

Workaround:
After saving the SMTP configuration for the first time using the configuration utility, use only TMSH, REST API, or iControl to edit it or re-enter the password. Note: This will not fix sending AVR e-mails. The only way to send e-mail before this fix is using a non-authenticated SMTP server.

Fix:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password is correctly decrypted using standard BIG-IP tools.


500303-3 : Virtual Address status may not be reliably communicated with route daemon

Component: Local Traffic Manager

Symptoms:
Occasionally, when the Virtual Server status changes, the Virtual Address status may not be communicated to the routing services (that is, the tmrouted service). This can result in incorrect routes.

Conditions:
Exact conditions unknown, but it can occur when the Virtual Server status changes.

Impact:
Virtual Addresses may have advertised routes when they are down, or vice versa.

Workaround:

Fix:
The Virtual Address state change code was improved in multiple areas: 1. GTM is checked for provisioning. 2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast. 3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority. 4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3. 5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.


499950-5 : In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs

Component: Local Traffic Manager

Symptoms:
Inconsistent persistence entries across TMMs.

Conditions:
This occurs when the following conditions are met: -- intra_cluster HA configuration. -- node flapping.

Impact:
Inconsistent persistence behaviors.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example: when PERSIST_DOWN { persist delete source_addr [IP::client_addr] } For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available at http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
The inconsistent persistence behavior is fixed.


499947 : Improved performance loading thousands of Virtual Servers

Component: TMOS

Symptoms:
In v11.5.1 and newer, when loading thousands of Virtual Servers, mcpd might become overloaded, causing loads to take a long time or to fail entirely when mcpd times out and is restarted. This might be more severe if GTM is enabled.

Conditions:
Thousands of Virtual Servers, GTM enabled. The problem is caused when tracking the state of Virtual Address changes and broadcasting those state changes under certain circumstances.

Impact:
Might cause long load times or configuration load failure because of mcpd timeout and restart.

Workaround:
Disable GTM. Reduce the number of Virtual Addresses.

Fix:
The Virtual Address state change code was improved in multiple areas: 1. GTM is checked for provisioning. 2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast. 3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority. 4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3. 5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.


499946-3 : Nitrox might report bad records on highly fragmented SSL records

Component: Local Traffic Manager

Symptoms:
When using an AES-GCM cipher on highly fragmented SSL records, platforms with Cavium Nitrox cards might report Bad records.

Conditions:
The negotiated cipher is one of the AES-GCM ciphers, and the MTU is such that the SSL records are highly fragmented.

Impact:
The BIG-IP system disconnects Client SSL connections prematurely. The SSL profile shows a number of Bad records.

Workaround:
None.

Fix:
The processing buffers reserve the proper number of subsequent parameters.


499719-1 : Order Zones statistics would cause database error

Component: Global Traffic Manager

Symptoms:
'General database error retrieving information' error in GUI.

Conditions:
This occurs when using the GUI to view Statistics for DNS zones.

Impact:
Not able to view Statistics from GUI for DNS zones.

Workaround:
Use tmsh to view Statistics for DNS zones.

Fix:
'General database error retrieving information' error no longer occurs when viewing DNS zone statistics from the GUI.


499701-1 : SIP Filter drops UDP flow when ingressq len limit is reached.

Component: Service Provider

Symptoms:
UDP statistics show an increase in the number of flows, and valid SIP messages are dropped.

Conditions:
This occurs when an iRule processing delay (for example, session db operations) is combined with an increase in incoming SIP flows.

Impact:
SIP UDP flows are dropped.

Workaround:
None.

Fix:
The SIP UDP flow now remains when the ingress queue length limit is reached.


499620-6 : BIG-IP Edge Client for Mac shows wrong SSL protocol version; does not display the protocol version that was negotiated.

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client for Mac shows the wrong SSL protocol version in Details; it does not display the protocol version that was negotiated.

Conditions:
BIG-IP Edge Client for Mac.

Impact:
The BIG-IP Edge Client for Mac displays an incorrect SSL protocol version in Details.

Workaround:
None.

Fix:
The BIG-IP Edge Client for Mac displays the correct SSL protocol version now in Details.


499427-1 : Windows File Check does not work if the filename starts with an ampersand

Component: Access Policy Manager

Symptoms:
Windows File Check does not work if the filename starts with an ampersand.

Conditions:
Run a Windows File Check with a file name that starts with an ampersand.

Impact:
Depends upon the access policy, but in the worst case a user might be allowed to log in.

Workaround:

Fix:
Windows File Check now works with a file name that starts with an ampersand (&).


499280-1 : Backend server using a certificate signed/hashed with sha512 might refuse to establish SSL handshake using TLS1.2 with the BIG-IP system.

Component: Local Traffic Manager

Symptoms:
Backend server using a certificate signed/hashed with sha512 might refuse to establish SSL handshake using TLS1.2 with the BIG-IP system.

Conditions:
The issue is seen when all three of the following conditions are met: 1. The SSL connection is using TLS1.2. 2. The backend server's certificate is signed/hashed with sha512. 3. The backend server is a Microsoft IIS server, or more precisely, a server that strictly enforces the RFC policy for TLS1.2: 'If the client provided a "signature_algorithms" extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension.' This kind of server rejects the SSL connection if the BIG-IP system does not advertise sha512 when sending the clienthello message. Microsoft IIS strictly enforces this rejection behavior, although Apache and OpenSSL servers do not.

Impact:
The BIG-IP system cannot establish an SSL connection with the backend server.

Workaround:
To work around this, do one of the following: -- Use TLS1/TLS1.1/SSL3 instead of TLS1.2. -- Configure the backend server to use certificates signed/hashed with something other than sha512. -- Use a backend server other than Microsoft IIS.

Fix:
On the serverside, the system now includes sha512 in the signature_algorithms extension when sending the clienthello with TLS1.2 (when the user configures 'ANY' in the SSL sign hash option in the serverssl profile), so that the server does not reject the SSL connection because sha512 is missing from the BIG-IP clienthello. sha512 is also included on the clientside, so that if the client uses sha512 to hash/sign the CertificateVerify message, the BIG-IP system (acting as a server) does not refuse to verify it (when the user configures 'ANY' in the SSL sign hash option in the clientssl profile).
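The RFC 5246 rule quoted in the Conditions above can be checked offline. The following is an added example (not F5 code): it parses the signature_algorithms extension out of a ClientHello extensions block and reports whether a certificate signed with sha512/RSA would pass a strict server's check. The two ClientHello fixtures are constructed; the one without sha512 is assumed to resemble the pre-fix BIG-IP hello described in this entry.

```python
"""Check whether a TLS 1.2 ClientHello's signature_algorithms extension
covers the hash/signature pair used to sign a server certificate.

Added example, not F5 code. Layouts follow RFC 5246 section 7.4.1.4.1:
extension type 13 carries a 2-byte length followed by (hash, sig) byte pairs.
"""
import struct

SIGNATURE_ALGORITHMS = 13  # extension type from RFC 5246

# HashAlgorithm and SignatureAlgorithm code points from RFC 5246
HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_extensions(block: bytes) -> dict:
    """Parse a ClientHello extensions block (2-byte total length followed by
    type(2) length(2) body records) into {extension_type: body}."""
    (total,) = struct.unpack("!H", block[:2])
    data = block[2:2 + total]
    if len(data) != total:
        raise ValueError("truncated extensions block")
    out = {}
    pos = 0
    while pos < len(data):
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension")
        out[ext_type] = body
        pos += 4 + ext_len
    return out


def parse_signature_algorithms(body: bytes) -> list:
    """Decode the extension body into a list of (hash, sig) code-point pairs."""
    (list_len,) = struct.unpack("!H", body[:2])
    pairs = body[2:2 + list_len]
    if len(pairs) != list_len or list_len % 2:
        raise ValueError("malformed signature_algorithms list")
    return [(pairs[i], pairs[i + 1]) for i in range(0, list_len, 2)]


def server_cert_acceptable(extensions_block: bytes, cert_hash: int, cert_sig: int) -> bool:
    """Apply the rule a strict server (IIS in this entry) enforces: if the
    client sent signature_algorithms, the server certificate's hash/signature
    pair must appear in it. Without the extension, any pair is acceptable."""
    exts = parse_extensions(extensions_block)
    if SIGNATURE_ALGORITHMS not in exts:
        return True
    advertised = parse_signature_algorithms(exts[SIGNATURE_ALGORITHMS])
    return (cert_hash, cert_sig) in advertised


def describe(pairs: list) -> list:
    """Human-readable names for a list of (hash, sig) pairs, for diagnostics."""
    return ["%s/%s" % (HASH.get(h, "0x%02x" % h), SIG.get(s, "0x%02x" % s))
            for h, s in pairs]


def build_extensions(pairs: list) -> bytes:
    """Build an extensions block containing only signature_algorithms with the
    given pairs (constructed fixture for this example)."""
    body = struct.pack("!H", 2 * len(pairs)) + bytes(b for p in pairs for b in p)
    ext = struct.pack("!HH", SIGNATURE_ALGORITHMS, len(body)) + body
    return struct.pack("!H", len(ext)) + ext


# Constructed fixtures (assumption): a hello advertising sha1/sha256/sha384 only,
# and one that additionally advertises sha512 for RSA and ECDSA.
WITHOUT_SHA512 = build_extensions([(2, 1), (4, 1), (5, 1), (2, 3), (4, 3), (5, 3)])
WITH_SHA512 = build_extensions([(2, 1), (4, 1), (5, 1), (6, 1), (2, 3), (4, 3), (5, 3), (6, 3)])
SHA512_RSA = (6, 1)  # sha512WithRSAEncryption, as in the entry's backend certificate


if __name__ == "__main__":
    for label, hello in (("without sha512", WITHOUT_SHA512), ("with sha512", WITH_SHA512)):
        ok = server_cert_acceptable(hello, *SHA512_RSA)
        print("%s: strict server accepts sha512/rsa cert -> %s" % (label, ok))
```

A hello with no signature_algorithms extension at all is accepted by the same rule, which is why only TLS1.2 (the first version to carry the extension) is affected.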


499150-3 : OneConnect does not reuse existing connections in VIP targeting VIP configuration

Component: Local Traffic Manager

Symptoms:
Significant increase in Active Connections and Connections per Second for virtual servers that receive connections from another virtual server with the Policy action "virtual" or iRule command "virtual" and the client virtual server has a OneConnect profile. The connections per second will match the rate of HTTP requests sent to the server virtual server. A packet capture would reveal that OneConnect is not reusing previously opened connections, and previously opened connections remain idle until timeout.

Conditions:
Virtual-to-virtual configuration with OneConnect profile.

Impact:
An increase in CPU and memory resources will occur due to the increase in connections established and connections that remain in memory.

Workaround:
If not required, remove the OneConnect profile from the client virtual server.

Fix:
Connections will be reused even with VIP on VIP configuration.


498993-1 : It is possible to get an infinite loop in LDAP Query while resolving nested groups

Component: Access Policy Manager

Symptoms:
Processing nested groups might cause an infinite loop.

Conditions:
LDAP Query is configured to get group membership using the 'member' attribute. If, on the LDAP server, group1 has group2 as a member and group2 has group1 as a member (a membership loop), the LDAP Query falls into an infinite loop trying to resolve nested groups.

Impact:
The user cannot pass an access policy that contains the affected agent. The apd process must be restarted to re-initialize the LDAP agent.

Workaround:
None.

Fix:
The LDAP Query resolves group membership including nested groups as expected.


498782-2 : Config snapshots are deleted when failover happens

Component: Access Policy Manager

Symptoms:
When failover occurs, the config snapshots on the new active node might be deleted during the HA state transition. As a result, a user might encounter one of the following errors: 1. Login failure/denied. 2. Some webtop resources are missing after a successful login.

Conditions:
When the standby node switches to active.

Impact:
The user cannot log in, or cannot access some resources after login.

Workaround:
Restart APD by running the command: bigstart restart apd.

Fix:
Now APD uses a short time interval for periodic checking of config snapshots right after failover happens. If config snapshots are found to be missing, APD recreates them. After a few such cycles, APD reverts to using a long time interval for the check.


498708-1 : Errors logged in bd.log coming from the ACY module

Component: Application Security Manager

Symptoms:
Cosmetic errors logged in bd.log from the ACY module: 'acy_prepare_RWdas failed to init rwkm-report_kw_data report'.

Conditions:
Configuration changes between signature sets on a security policy.

Impact:
False errors appear constantly. These errors are cosmetic, and do not indicate a problem with the system.

Workaround:
None.

Fix:
Fixed false error logs coming from ACY module.


498597-5 : SSL profile fails to initialize and might cause SSL operation issues

Component: Local Traffic Manager

Symptoms:
When the SSL profile fails to initialize, it causes SSL to enter pass-through mode instead of rejecting traffic.

Conditions:
SSL profile fails to initialize, for example, due to failure to load cert/key files.

Impact:
SSL enters pass-through mode instead of rejecting traffic. As a side effect, ConfigSync might fail, because the communication channel is not established due to a hung SSL connection.

Workaround:
Make sure the cert/key files are available and have the proper file access mode.

Fix:
When the SSL profile fails to initialize, SSL now correctly rejects traffic.


498469-5 : Mac Edge Client fails intermittently with machine certificate inspection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails intermittently with machine certificate inspection when "Match CN with FQDN" setting is configured.

Conditions:
The problem occurs with BIG-IP Edge Client for Mac and the machine certificate agent when "Match CN with FQDN" is set in the access policy.

Impact:
Edge Client fails to pass machine certificate inspection.

Workaround:

Fix:
BIG-IP Edge Client for Mac does not fail intermittently with machine certificate inspection agent.


498334-2 : TMM will correctly send a response message back when processing a zone notify message

Component: Local Traffic Manager

Symptoms:
When a virtual server on the BIG-IP system receives a zone notify message, it does not send a response message back. Instead, it sends the original notify message back to the remote name server.

Conditions:
A zone notify message is sent to a virtual server with a DNS profile. The zone is configured to allow notify from the sender and the notify action is set to be consumed.

Impact:
The remote name server sends the notify message to the BIG-IP system several times since the remote name server does not receive a response message.

Workaround:
None.

Fix:
TMM will correctly send a response message back when processing a zone notify message from a remote name server.


498269-1 : 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode

Component: Local Traffic Manager

Symptoms:
When configured to bridge all traffic, the 5200 platform does not bridge STP BPDUs when in PASSTHRU mode.

Conditions:
This occurs under the following conditions:
-- A VLAN group is configured to bridge all traffic.
-- STP is configured in PASSTHRU mode.

Impact:
The 5200 platform does not forward STP BPDUs across VLAN groups when in PASSTHRU mode, so STP PASSTHRU mode does not work correctly between VLAN groups.

Workaround:

Fix:
The 5200 platform now forwards STP BPDUs across VLAN groups when in PASSTHRU mode.


498189-3 : ASM Request log does not show log messages.

Component: Application Security Manager

Symptoms:
The request log does not show ASM-related log messages.

Conditions:
This occurs when first assigning the application logging profile, and then assigning the DOS logging profile on the same virtual server.

Impact:
There will not be ASM-related log messages.

Workaround:
Remove the ASM logging profile, apply and re-add the application logging profile.

Fix:
ASM request log now shows ASM-related log messages, even if the application logging profile was assigned to the virtual server before the DOS logging profile was assigned to it.


497769 : Policy Export: BIG-IP does not export redirect URL for "Login Response Page"

Component: Application Security Manager

Symptoms:
ASM does not export redirect URLs in "Login Response Page" for XML policies.

Conditions:
Redirect URL in "Login Response Page" is used in ASM security policy.

Impact:
Redirect URLs in "Login Response Page" are missing from the exported XML security policy.

Workaround:
Use binary policy export to export redirection response pages for the login URL.

Fix:
We fixed an issue with XML policy export where the redirect response page was missing from the security policy.


497681-1 : Tuning of Application DoS URL qualification criteria

Component: Application Visibility and Reporting

Symptoms:
Application DoS cannot be tuned to determine which transactions qualify for client-side mitigation.

Conditions:
1. Create a new L7-DoS profile and enable CS injection prevention.
2. Send more than 10 requests to a qualified URL. Make sure that the URL is detected as qualified (I used the avrstat tool).
3. Send 1 request with the HEAD or TRACE method. The URL will be detected as non-qualified.

Impact:
AVR did not qualify URLs according to the system's qualification criteria.

Workaround:
N/A

Fix:
We tuned the Application DoS URL qualification criteria.


497662-3 : BIG-IP DoS via buffer overflow in rrdstats

Component: Access Policy Manager

Symptoms:
BIG-IP DoS via buffer overflow in rrdstats

Conditions:
rrdstats is given malformed input.

Impact:
rrdstats crashes; some services are unavailable while rrdstats is down.

Workaround:
None. rrdstats is restarted by the BIG-IP system.

Fix:
Improved request parsing to make it more robust against invalid formats.


497619-6 : tmm performance may be impacted when server node is flapping and persist is used

Component: Performance

Symptoms:
TMM consumes a higher percentage of the CPU resources when handling traffic.

Conditions:
This intermittent issue occurs when a pool member goes up and down while source_addr persistence is in use.

Impact:
System performance is impacted.

Workaround:
This issue has no workaround at this time.

Fix:
The intermittent performance impact no longer occurs when a pool member goes up and down while source_addr persistence is in use.


497584-2 : The RA bit on DNS response may not be set

Component: Local Traffic Manager

Symptoms:
Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.

Conditions:
If the system caches a message from the authoritative server without the RD bit set, and subsequent queries with RD set find that message, the cached message is not used because its RD bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not for the non-transparent cache.

Impact:
Recursion available is not signaled to clients, so they may not treat the DNS cache as an available resolver.

Workaround:
To work around this issue, write an iRule that sets the RA bit when the cache is a resolver. The iRule must also check that the origin is CACHE.

Fix:
The RA bit is set for the response when the cache resolver answers the query from the fast path.


497455-1 : MAC Edge client crashed during routine Network Access.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac crashes during routine Network Access operations.

Conditions:
BIG-IP Edge Client for Mac and BIG-IP v11.6.0. This is a rarely occurring issue; the specific conditions are unknown.

Impact:
The Mac Edge Client crashes.

Workaround:
Restart the Mac Edge Client.

Fix:
BIG-IP Edge Client for Mac no longer crashes randomly during a regular network access connection.


497436-4 : Mac Edge Client behaves erratically while establishing network access connection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not establish a network access connection, or if it can establish a connection, it then drops the connection. A user might see a repeated connect/reconnect cycle.

Conditions:
OS X Yosemite, network access, BIG-IP Edge Client for Mac.

Impact:
User cannot establish network access connection.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now establish a connection correctly. An issue in the routing table patching code that deleted an essential route has been resolved.


497433-2 : SSL Forward Proxy server side now supports all key exchange methods.

Component: Local Traffic Manager

Symptoms:
The SSL Forward Proxy implementation requires the clientssl and serverssl profiles to configure at least one RSA ciphersuite. If the backend server uses ciphersuites with a key exchange other than RSA (such as ECDHE-ECDSA, ECDH-ECDSA, or DHE-DSS), the connection fails.

Conditions:
RSA key exchange must be used on the server side, meaning that it is not possible for server-side SSL to use other key exchange methods (such as ECDHE-ECDSA, ECDH-ECDSA, or DHE-DSS) while the client side still uses RSA key exchange.

Impact:
SSL Forward Proxy on the server side cannot be configured to use all key exchange methods the SSL module supports, and is limited to RSA.

Workaround:
None.

Fix:
SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.


497376-1 : Wrong use of custom XFF headers when there are multiple matches

Component: Application Visibility and Reporting

Symptoms:
In a specific case involving multiple matching XFF headers and particular settings, the system uses one of the supplied XFF headers, but not the desired one.

Conditions:
1. At least one custom XFF header is configured in the HTTP profile.
2. The incoming request has at least 2 headers that match the custom headers.
3. The DB variable avr.alwaysuselastxff is set to 0.

Impact:
The incoming request is treated as coming from an IP address that is not the desired address, which affects the reports and the identification of this request by the DoS system.

Workaround:
It is possible to write an iRule that compares the XFF headers, removes the unnecessary ones, and keeps only the desired one.

Fix:
The desired XFF header is taken as the one that represents the HTTP request IP address.


497325-1 : New users cannot log in to Windows-based systems after installing BIG-IP Edge Client in certain deployments

Component: Access Policy Manager

Symptoms:
New users cannot log in to Windows-based systems after installing BIG-IP Edge client in certain deployments.

Conditions:
This is a rare, environment-based issue.

Impact:
New users cannot log in to Windows-based systems.

Workaround:
Remove \F5 Networks\VPN\client.f5c file.

Fix:
A rare, environment-based issue that prevented new users from logging in to Windows-based systems has been fixed.


497311 : Cannot add an ICMPv6 type and code to a FW rule.

Component: Advanced Firewall Manager

Symptoms:
Cannot add an ICMPv6 type and code to a FW rule.

Conditions:
Choose ICMPv6 as the protocol and try to add a type and code.

Impact:
The Firewall Rule creation page in the GUI is affected: the ICMPv6 type and code cannot be added.

Workaround:
Use tmsh to add ICMPv6 type and code to a FW rule.

Fix:
Choosing ICMPv6 as the protocol and adding a type and code now works.


496976-2 : Crash when receiving RADIUS message to update PEM static subscriber.

Component: Policy Enforcement Manager

Symptoms:
Crash when receiving RADIUS message to update PEM static subscriber.

Conditions:
1. A large number of PEM static subscribers in the system, for example, 100K.
2. RADIUS messages are sent for these 100K subscribers to update their info.

Impact:
System crash.

Workaround:

Fix:
BIG-IP system no longer crashes when updating the static subscribers with RADIUS messages.


496950-1 : Flows may not be mirrored successfully when static routes and gateways are defined.

Component: Local Traffic Manager

Symptoms:
In certain circumstances, some L4 flows may not be successfully remirrored when a standby BIG-IP comes online. This involves a race condition when there are multiple routes and/or gateways defined: the new standby device might not yet have the lasthop information when it receives the mirrored flow.

Conditions:
Using mirroring with layer 4 virtuals, with gateways and/or static routes defined.

Impact:
Not all flows will have been successfully remirrored to the standby device.

Workaround:
Usually "bigstart restart tmm" will recover most or all of the L4 flows. This does not work perfectly all of the time, but is far less likely to encounter the error condition than a "bigstart restart" or "shutdown -r".

Fix:
The standby device ignores the route to the client when accepting mirrored connections. If failover occurs without a route back to the client, the connection will still fail on failover.


496894-1 : TMM may restart when accessing SAML resource under certain conditions.

Component: Access Policy Manager

Symptoms:
When a user performs IdP-initiated SAML Web SSO using Artifact binding, but the Artifact Resolution Service is not configured on the IdP, tmm may restart.

Conditions:
The BIG-IP system is configured as an IdP. The IdP object does not have an Artifact Resolution Service configured. The corresponding bound SP Connector object has Artifact binding configured. A SAML Resource from this IdP is published on a webtop.

Impact:
tmm restarts.

Workaround:
Configure an Artifact Resolution Service and assign it to the IdP object.

Fix:
The issue where tmm would restart under these conditions has been fixed.


496817-1 : BIG-IP Edge Client for Windows fails to connect to a FirePass server if the tunnel is established through a proxy

Component: Access Policy Manager

Symptoms:
In a reconnect scenario, the BIG-IP Edge Client cannot connect to a FirePass server if the tunnel was established through a proxy server.

Conditions:
A proxy is used to create the VPN tunnel, and the server is FirePass.

Impact:
The client fails to restore the VPN connection to the FirePass server.

Workaround:
Restart the client.

Fix:
Backward-compatibility changes were added to the Edge Client so that it works properly with FirePass.


496588-1 : HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash

Component: Local Traffic Manager

Symptoms:
This bug can cause TMM to crash.

Conditions:
"Page load time" is turned on in the analytics profile, and AVR receives a request with an HTTP header larger than 64K.

Impact:
This bug can cause TMM to crash.

Workaround:
There is no workaround.

Fix:
Fixed a problem that occurred when extracting request headers. This problem could sometimes cause TMM to crash.


496565-1 : Secondary Blades Request CMI Sync

Component: Application Security Manager

Symptoms:
Secondary blades request ASM sync, producing log noise such as "ASM is now entering sync recovery state. Requesting complete configuration from", and needless sync work is done. This issue does not affect enforcement or the actual sync state of the devices; it just requests extra synchronizations when they may not be needed.

Conditions:
Secondary blade restarts in unsynchronized mode.

Impact:
Log noise and needless synchronization work; enforcement and the actual sync state of the devices are not affected.

Workaround:
Restarting the asm_config_server process on the secondary blade should alleviate the issue, but it may recur.

Fix:
To optimize the system, CMI synchronization is no longer requested from secondary blades. This issue did not affect enforcement or the actual synchronization state of the devices.


496278-2 : Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name

Component: Advanced Firewall Manager

Symptoms:
Disabling/enabling Rule within Rule List causes disabling/enabling of a different but same-named Rule in a single Policy on the Active Rule Page in the GUI.

Conditions:
Only happens if the Rule names are the same within a single policy.

Impact:
Potentially, the incorrect Rule is disabled.

Workaround:
Make sure Rules have different names.

Fix:
The system now enables/disables only the selected Rule, regardless of the existence of other, same-name Rules in the policy.


496264-1 : SOAP Methods Were Not Being Validated For WSDL Based XML Profiles

Component: Application Security Manager

Symptoms:
After configuring an XML Content Profile from a WSDL file, the system was not validating the SOAP Methods.

Conditions:
WSDL Based XML Content Profiles with SOAP Methods are used on the system.

Impact:
SOAP Traffic was not properly validated.

Workaround:
None

Fix:
WSDL based XML Content Profiles are now enforced correctly.


495913-2 : TMM core with CCA-I policy received with uninstall

Component: Policy Enforcement Manager

Symptoms:
If a CCA-I is received with a Charging-Rule-Remove AVP for the session, TMM cores.

Conditions:
A CCA-I message is received with a Charging-Rule-Remove AVP.

Impact:
TMM core, leading to restart and disruption of traffic.

Workaround:

Fix:
Fixed the tmm crash that occurred when a CCA-I with policy uninstall was received.


495901-3 : Tunnel server crashes if probed on loopback listener.

Component: Access Policy Manager

Symptoms:
VPN client might disconnect and reconnect.

Conditions:
An unexpected request is sent to the tunnel server loopback listener.

Impact:
Tunnel server crashes resulting in VPN disconnection and reconnection.

Workaround:
None.

Fix:
An additional check is now performed in the tunnel server before an incoming connection is accepted.


495875-2 : Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic

Component: Local Traffic Manager

Symptoms:
TMM might experience an infinite loop when selecting an available node for load balancing under heavy traffic conditions.

Conditions:
This occurs when the connection limit is specified for nodes, and there is heavy traffic.

Impact:
This causes a 10-second TMM heartbeat failure and a SIGABRT in TMM. The device goes offline and traffic processing is disrupted.

Workaround:
None.

Fix:
Connection limit on nodes now works correctly, and no longer causes tmm to loop indefinitely with heavy traffic.


495862-1 : Virtual status becomes yellow and gets connection limit alert when all pool members forced down

Component: TMOS

Symptoms:
Invalid display of virtual status.

Conditions:
All pool members are forced down and the pool member's connection limit has been reached.

Impact:
Virtual monitor status becomes yellow and receives the following connection limit alert: The pool member's connection limit has been reached.

Workaround:
None.

Fix:
Virtual status now stays red if all the pool members are down.


495702-4 : Mac Edge Client cannot be downloaded sometimes from management UI

Component: Access Policy Manager

Symptoms:
Sometimes BIG-IP Edge Client for Mac cannot be downloaded from the management GUI.

Conditions:
Mac Edge Client, BIG-IP management UI.

Impact:
Mac Edge Client cannot be downloaded.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now be downloaded from the connectivity profile screen of the APM GUI.


495574-3 : DB monitor functionality might cause memory issues

Component: Local Traffic Manager

Symptoms:
TMM restarts continuously.

Conditions:
DB monitors are configured.

Impact:
System stops responding. System posts message: notice panic: FATAL: mmap of: /dev/mprov/tmm/tmm.4 length 1480589312 offset 4441767936 failed 12 (Cannot allocate memory).

Workaround:
Either kill the DB monitor java process or issue a bigstart restart.

Fix:
The memory issue caused by DB monitor functionality has been fixed.


495443-4 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.


495335-1 : BWC related tmm core

Component: TMOS

Symptoms:
tmm coredumps while BWC is processing packets.

Conditions:
BWC is being enabled on a virtual server that does not have any BWC iRules enabled. Reasons for this are being investigated.

Impact:
BWC related tmm core. BIG-IP fails to pass traffic when tmm coredumps.

Workaround:

Fix:
A divide by zero while computing the average packet size is now avoided.


495319-3 : Connecting to FP with APM edge client is causing corporate network to be inaccessible

Component: Access Policy Manager

Symptoms:
Connecting to FirePass with a BIG-IP Edge Client for Mac that was downloaded from APM might not provide complete network access.

Conditions:
APM Edge Client, FirePass server, network access connection.

Impact:
Incomplete network access.

Workaround:
None.

Fix:
All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.


495273-1 : LDAP extended error info only available at debug log level which could affect Branch rules

Component: Access Policy Manager

Symptoms:
The LDAP session variable contains only a simple error message at the INFO log level, and the DEBUG log level is required to display the full error message. This variable is displayed on the logon page after a logon failure.

Conditions:
LDAP Auth/Query is configured and extended error details are needed at a non-debug log level.

Impact:
Branch rules in visual policy editor based on extended error message will not work correctly in 11.6.

Workaround:

Fix:
A new session variable, session.ldap.last.errmsgext, has been introduced; it contains extended error information at any log level. The existing session.ldap.last.errmsg variable contains only a simple error message (the decoded error code).


495265-1 : SAML IdP and SP configured in same access profile not supported

Component: Access Policy Manager

Symptoms:
SLO might not work properly under certain conditions. When a user attempts to start SLO, the connection gets reset. The system logs messages such as the following: RST sent from x.x.x.x:433 to x.x.x.x:xxxx, [0xxxxxx:xxx] Internal error ((APM::SSO) Error in reading sp info from session db failed)

Conditions:
All conditions must be met:
1. Both BIG-IP as SP and BIG-IP as IdP are configured on the same access profile.
2. SLO is configured for both BIG-IP as IdP and BIG-IP as SP.
3. SLO is executed in multiple TCP sessions between the user's browser and the BIG-IP system.

Impact:
SLO is not properly executed; the user's session might not be terminated.

Workaround:
None.

Fix:
A problem with SAML single-logout has been fixed.


495253-1 : TMM may core in low memory situations during SSL egress handling

Component: Local Traffic Manager

Symptoms:
TMM may core in low memory situations during SSL egress handling.

Conditions:
This occurs when the following conditions are met:
-- Low memory.
-- SSL connections.

Impact:
Segmentation fault / tmm outage.

Workaround:

Fix:
TMM no longer cores in low-memory situations during SSL egress handling.


495030-1 : Segfault originating from flow_lookup_nexthop.

Component: Local Traffic Manager

Symptoms:
Segfault originating from flow_lookup_nexthop when neighbor_resolve is not able to determine the next hop.

Conditions:
Memory pressure or error condition.

Impact:
tmm cores and restarts.

Workaround:

Fix:
The segfault originating from flow_lookup_nexthop has been corrected.


494978-1 : The hostagentd daemon should not be running in non-vcmp mode.

Component: TMOS

Symptoms:
The hostagentd daemon is running when vCMP is not provisioned.

Conditions:
This issue occurs on all platforms that support vCMP.

Impact:
In non-vCMP mode, hostagentd is an unnecessary system process. It may use a small amount of memory and CPU but does not otherwise impact system performance or traffic passing.

Workaround:
Hostagentd may be disabled by issuing 'bigstart disable hostagentd' on all blades of a chassis or on an appliance system.

Fix:
The hostagentd daemon is no longer started when the BIG-IP system is not provisioned for vCMP.


494367-2 : HSB lockup after HiGig MAC reset

Component: TMOS

Symptoms:
HSB lockups can occur after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.

Conditions:
This occurs after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.

Impact:
An HSB lockup results in a NIC failsafe and reboot of the unit. The system posts messages similar to the following in the LTM log:
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is DOWN.
-- bcm56xxd[8161]: 012c0012:6: Reset HSBe2 (bus 1) HGM0 MAC completed on higig2 link 4.1 down event.
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is UP.
...
-- tmm2[13842]: 01230111:2: Interface 0.3: HSB DMA lockup on transmitter failure.

Workaround:
None.

Fix:
HSB lockups no longer occur after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.


494322-6 : The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used

Component: Local Traffic Manager

Symptoms:
If the flow inside an HTTP_REQUEST event raised by the explicit proxy has expired, the TMM may crash.

Conditions:
The explicit proxy is configured for HTTP, and the HTTP_REQUEST iRule event is used.

Impact:
If state-changing commands are used within the HTTP_REQUEST event raised by the explicit proxy, they may not work correctly, and TMM might crash.

Workaround:
Avoid the HTTP_REQUEST event if possible.

Fix:
The TMM no longer crashes under load when the HTTP_REQUEST iRule handler is used with the explicit proxy. HTTP state-changing commands used within HTTP_REQUEST on the explicit proxy now work correctly.


494319-1 : Proxy SSL caused tmm to core by dereferencing a null pointer

Component: Local Traffic Manager

Symptoms:
When server-side SSL decides to 'passthrough' the traffic, it requests that the client side convert itself to 'passthrough' mode, but the client-side SSL is already in a closing state (due to a timeout).

Conditions:
When both Proxy SSL and Proxy SSL Passthrough are enabled. Proxy SSL changes to passthrough mode, but the client side is closed or has timed out.

Impact:
The TMM crashes.

Workaround:
None.

Fix:
The system now checks that the connection is not in a closing state before updating the statistics.


494305-3 : [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.

Component: Global Traffic Manager

Symptoms:
Cannot use the GUI to remove the first virtual server listed in alphabetical order from the dependency list of a virtual server if there are multiple virtual servers in the dependency list.

Conditions:
Virtual server with several dependency virtual servers configured.

Impact:
Cannot manage virtual server dependency list using GUI as expected.

Workaround:
Use the corresponding tmsh commands to manage the virtual server dependency list.

Fix:
You can now use the GUI to remove the alphabetically first virtual server from the dependent list of virtual servers.


494280-3 : TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel.

Conditions:
PPTP-ALG and CGNAT on a chassis system when a blade has been added with a stale PPTP tunnel.

Impact:
TMM crashes/cores.

Workaround:

Fix:
The system now drops the new flow/tunnel and allows it to clean up, so TMM no longer crashes when PPTP finds a redirected flow when checking for an existing tunnel.


494176-5 : Network access to FP does not work on Yosemite using APM Mac Edge Client.

Component: Access Policy Manager

Symptoms:
If APM BIG-IP Edge Client for Mac on OS X Yosemite attempts to connect to FirePass, network access cannot be established.

Conditions:
APM Edge Client for Mac on OS X Yosemite connecting to FirePass.

Impact:
Network access cannot be established with FirePass.

Workaround:
None.

Fix:
Network access can now be established with FirePass using APM BIG-IP Edge Client for Mac on OS X Yosemite.


494088-4 : APD or APMD should not assert when it can do more by logging error message before exiting.

Component: Access Policy Manager

Symptoms:
APD or APMD asserts and exits without logging error messages to aid in debugging the error.

Conditions:
In some rare situations (for example, access 'profile not found', or failure in 'loading policy object'), apd or apmd asserts. This results in dumping core.

Impact:
apd or apmd restarts and produces a core file.

Workaround:
None.

Fix:
Now, in the rare situations where apd or apmd previously would assert, the system logs proper error messages before exiting. apd or apmd then restarts.


493807-5 : TMM might crash when using PPTP with profile logging enabled

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using PPTP with profile logging enabled.

Conditions:
This occurs when the following conditions are met:
-- PPTP-ALG with log profile enabled.
-- CGNAT configured.

Impact:
TMM might crash, resulting in disruption to traffic.

Workaround:
Disable logging from the PPTP profile.

Fix:
Using PPTP with profile logging now works correctly and no longer causes TMM to crash.


493673-2 : DNS record data may have domain names compressed when using iRules

Component: Local Traffic Manager

Symptoms:
Some DNS record types forbid DNS name compression in their record data (for example, the NAPTR Replacement field). In certain parts of the DNS feature set (for example, DNS iRules, DNSSEC, and GTM), some of this record data may contain compressed names.

Conditions:
Using iRules.

Impact:
Some clients may expect uncompressed names and may not be able to follow compression pointers. This may cause the client to fail to use the RR.

Workaround:
None.

Fix:
Fields that forbid compression (for example, the NAPTR Replacement field) are now left uncompressed.
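
To make the compression rule in this entry concrete, here is an added Python example; it is not F5 code and not how TMM implements DNS encoding. It contains a minimal RFC 1035 wire-format name writer that replaces an already-written suffix with a 2-byte pointer, a NAPTR RDATA encoder (RFC 3403) that writes the Replacement field with compression disabled as the entry requires, and a reader that follows pointers with a loop guard so the output can be checked. All names and record values are constructed sample data.

```python
import struct


class DnsMessageBuilder:
    """Accumulates DNS wire-format bytes and remembers where each name
    suffix was first written so later names can point at it."""

    def __init__(self):
        self.buf = bytearray()
        self.offsets = {}  # lowercase suffix ("example.com") -> offset of first copy

    def write_name(self, name, compress=True):
        """Append 'name' in label format and return the number of bytes written.
        With compress=True, a suffix already present in the message is replaced
        by a 2-byte pointer (0xC000 | offset). With compress=False the full
        label sequence is always emitted, which is what fields such as the
        NAPTR Replacement require."""
        start = len(self.buf)
        labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
        while labels:
            suffix = ".".join(labels).lower()
            if compress and suffix in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return len(self.buf) - start
            if len(self.buf) <= 0x3FFF:  # a pointer carries only a 14-bit offset
                self.offsets.setdefault(suffix, len(self.buf))
            label = labels.pop(0).encode("ascii")
            self.buf.append(len(label))
            self.buf += label
        self.buf.append(0)  # root label terminates the name
        return len(self.buf) - start


def encode_naptr_rdata(builder, order, preference, flags, service, regexp, replacement):
    """Append NAPTR RDATA. The Replacement name is written with compression
    disabled even when its suffix already appears earlier in the message."""
    builder.buf += struct.pack("!HH", order, preference)
    for text in (flags, service, regexp):  # three <character-string> fields
        data = text.encode("ascii")
        builder.buf.append(len(data))
        builder.buf += data
    builder.write_name(replacement, compress=False)


def read_name(data, pos):
    """Decode the name at 'pos', following compression pointers.
    Returns (name, position after the name). The visited set turns a pointer
    loop in a malformed message into an error instead of an endless read."""
    labels = []
    visited = set()
    end = None
    while True:
        if pos in visited:
            raise ValueError("compression pointer loop at offset %d" % pos)
        visited.add(pos)
        length = data[pos]
        if length & 0xC0 == 0xC0:  # pointer: top two bits set, 14-bit offset follows
            if end is None:
                end = pos + 2
            pos = ((length & 0x3F) << 8) | data[pos + 1]
            continue
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)
```

Writing "example.com" once and then "www.example.com" produces a 3-byte label plus a 2-byte pointer for the second name, whereas "sip.example.com" written as a NAPTR Replacement stays a full 17-byte label sequence even though its suffix is already in the message; a client that does not follow pointers inside that RDATA, as the Impact above describes, would otherwise fail on it.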


493401-2 : Concurrent REST calls on a single endpoint may fail

Component: Application Security Manager

Symptoms:
Concurrent REST PATCH calls on a particular endpoint, or configuration by BIG-IQ, may fail due to database deadlocks.

Conditions:
Concurrent REST PATCH calls were made on a particular endpoint, or the device was configured by BIG-IQ.

Impact:
Configuration changes fail due to database deadlock.

Workaround:
Return values from REST calls should be checked before proceeding to the next call.

Fix:
We fixed a MySQL deadlock that occurred when using the REST API to send several PATCH requests to the parameters of a security policy.


493385-6 : BIG-IP Edge Client uses generic icon set even if F5 icon set is configured

Component: Access Policy Manager

Symptoms:
BIG-IP Edge client uses generic icon set even if F5 icon set is configured.

Conditions:
BIG-IP Edge Client for Mac is customized for a specific language.

Impact:
The UI might show the generic icon set for the Mac Edge Client in the system menu.

Workaround:
Remove customization for that language.

Fix:
Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.


493360-1 : Fixed possible issue causing Edge Client to crash during reconnect

Component: Access Policy Manager

Symptoms:
Edge Client may rarely crash during reconnect.

Conditions:
Session reconnection using the Edge Client. When the APM session closes on the BIG-IP system (by a timeout, or by other options, for example, 'Restrict to Single Client IP'), the Edge Client starts a new session. Occasionally, when reestablishing the connection to the BIG-IP system, the Edge Client crashes.

Impact:
Rarely encountered crash.

Workaround:
None.

Fix:
Fixed possible issue causing Edge Client to crash during reconnect.


493223-3 : syscalld core dumps now keep more debugging information

Component: TMOS

Symptoms:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump has little visibility into what commands were being run at the time.

Conditions:
syscalld is mostly invoked by the GUI or CMI sync to trigger the configuration being saved.

Impact:
syscalld core dumps occur and generate customer cases, but it is difficult for a developer to obtain any useful information from them.

Workaround:
None.

Fix:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump used to have little visibility into what commands were being run at the time. It now maintains a list of the most recently run commands that will be written into the core file.


493140-1 : iRule does not work when a cookie hash persistence profile is in use.

Component: Local Traffic Manager

Symptoms:
When using a cookie hash persistence profile and an iRule to provide finer granularity, the system creates persistence entries with incorrect cookies.

Conditions:
When using cookie hash persistence and invoking cookie hash persistence from within an iRule.

Impact:
iRules do not work if cookie hash persistence is in use.

Workaround:

Fix:
Using cookie hash persistence and invoking cookie hash persistence from within an iRule now works as expected.


493117-6 : Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted

Component: Local Traffic Manager

Symptoms:
After changing the netmask of an advertised virtual address, the address is no longer advertised.

Conditions:
Must have an advertised virtual address, and change its netmask.

Impact:
tmrouted must be restarted whenever the netmask of an advertised virtual address is changed.

Workaround:
Restart tmrouted whenever the netmask of an advertised virtual address is changed.

Fix:
Now, an advertised route remains advertised after its netmask is changed.


492978-1 : All blades in a cluster remain offline after provisioning ASM or FPS

Component: Application Security Manager

Symptoms:
After provisioning either ASM or FPS on a cluster, the system may reach a state in which the datasyncd process will keep all of the blades offline. The system will repeatedly switch the primary blade, but never successfully transition to online.

Conditions:
This is a rare scenario that may happen when provisioning either ASM or FPS on a cluster.

Impact:
If this state is reached, all of the blades will remain offline and not handle incoming traffic until the entire chassis is rebooted.

Workaround:
If this scenario happens, the workaround is to reboot the entire chassis, or individually reboot all of the blades roughly at the same time.

Fix:
Fixed a rare scenario in which all the blades in a cluster remain offline after provisioning either ASM or FPS.


492458-1 : BIOS initial release

Component: TMOS

Symptoms:
This is a report of the initial release of BIOS 1.05.033.0.

Conditions:
New BIOS release.

Impact:
BIOS is updated to BIOS 1.05.033.0.

Workaround:
None.

Fix:
Initial BIOS 1.05.033.0 release. No issues.


492422-4 : HTTP request logging reports incorrect response code

Component: TMOS

Symptoms:
HTTP request logging reports 200/OK response code before any response has been received.

Conditions:
HTTP request logging enabled.

Impact:
Misleading messages in the logs. These messages are benign and can safely be ignored.

Workaround:

Fix:
The response code is now reported only in HTTP response logs.


491791-3 : GET on non-existent pool members does not show error

Component: TMOS

Symptoms:
Performing a GET on nonexistent pool members does not show an error.

Conditions:
This occurs when using iControl REST with nonexistent pool members.

Impact:
The returned response typically indicates an almost-empty resource instead of a not-found error.

Workaround:
Use a members GET for all members and iterate through the returned items to determine whether a pool member exists.

Fix:
Performing a GET on nonexistent pool members through iControl REST now returns an error.


491554-2 : [big3d] Possible memory leakage for auto-discovery error events.

Component: Global Traffic Manager

Symptoms:
big3d may leak memory when auto-discovery is enabled and error events occur.

Conditions:
Auto-discovery is enabled on a BIG-IP system.

Impact:
big3d consumes an increasing amount of memory.

Workaround:
None.

Fix:
big3d no longer leaks memory during auto-discovery failure events.


491518-2 : SSL persistence can prematurely terminate TCP connection

Component: Local Traffic Manager

Symptoms:
SSL [session id] persistence might prematurely close (FIN) a TCP connection before forwarding all data.

Conditions:
SSL persistence must be in use. A slow client side (WAN) exacerbates the issue.

Impact:
Premature close of TCP connection and potential data loss.

Workaround:
Disable SSL persistence.

Fix:
SSL [session id] persistence no longer prematurely terminates TCP connections.


491454-6 : SSL negotiation may fail when SPDY profile is enabled

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when SPDY profile is attached.

Conditions:
This occurs when the following conditions are met:
-- The client (for example, Chrome for Android) attempts to use the SPDY protocol through Next Protocol Negotiation (NPN) during the SSL handshake.
-- The BIG-IP system has a Cavium Nitrox card.

Impact:
SSL handshake or other connection failure.

Workaround:
Remove SPDY profile.

Fix:
The SSL handshake now completes successfully when a SPDY profile is attached and Next Protocol Negotiation (NPN) is detected on a BIG-IP system with a Cavium Nitrox accelerator.


491030-6 : Nitrox crypto accelerator can sometimes hang when encrypting SSL records

Component: Local Traffic Manager

Symptoms:
Sometimes when encrypting certain SSL records, the Cavium Nitrox crypto accelerator can hang with the LTM log message "request queue stuck".

Conditions:
Certain SSL records on a system with a Cavium Nitrox card.

Impact:
Nitrox crypto accelerator can hang.

Workaround:
This issue has no workaround at this time.

Fix:
The Nitrox crypto accelerator will no longer hang with certain SSL records.


490817-1 : SSL filter might report codec alerts repeatedly

Component: Local Traffic Manager

Symptoms:
TMM cores due to Out of Memory (OOM), and xdata is the majority of the memory consumption.

Conditions:
The SSL filter enters a failure mode in which it appears to transmit alert messages repeatedly until TMM is out of memory, which stops the transmissions for lack of memory. TMM then cores due to lack of memory.

Impact:
The system might crash. (Massive xfrag usage, degraded performance, eventual TMM OOM.)

Workaround:

Fix:
The codec alert is now cleared after propagation, so the SSL filter no longer reports alerts indefinitely.


490681-1 : Memcache entry for dynamic user leaks

Component: Access Policy Manager

Symptoms:
A race condition causes a memcache entry to remain in memcache forever.

Conditions:
Due to a race condition between identifying dynamic users in MySQL and removing them from memcache (based on timestamp), some memcache entries remain. Although the entry is removed from MySQL, it remains in memcache.

Impact:
The user state information for the user remains unchanged. If the user is locked out in memcache, the user state remains locked out.

Workaround:
The only way to recover is to remove the user using telnet to access memcache (which is not a typical operation and is difficult to perform).

Fix:
Now a self-expiry (which is configurable) is set for each memcache object. With this change, each user remains in the cache only for the configured duration.


490675-1 : User name with leading or trailing spaces creates problems.

Component: Access Policy Manager

Symptoms:
A dynamic user is created with leading and trailing spaces in the user name, so that the user name looks like " user1 ". When the user entry is created in MySQL, MySQL treats " user1 " the same as "user1" by trimming the spaces at the beginning and the end. The memcache entry does not do the same.

Conditions:
Create a dynamic user with a regular name, then retry the same user name with leading and trailing spaces. There are now multiple entries for the same user (one regular and another with spaces). When the dynamic user is deleted, the regular user name is deleted from memcache and from MySQL; the entry with spaces remains in memcache.

Impact:
Unnecessary memcache entries.

Workaround:
This issue has no workaround at this time.

Fix:
In this fix, leading and trailing spaces are trimmed from the user name before it is used, so the user name is uniform everywhere.


490480-3 : UCS load may fail if the UCS contains FIPS keys with names containing dot

Component: Local Traffic Manager

Symptoms:
UCS load may fail if the UCS file contains FIPS keys with names containing a dot ( . ).

Conditions:
This occurs when the configuration includes at least one FIPS key with a name containing a dot ( . ).

Impact:
UCS loading fails.

Workaround:

Fix:
UCS load now completes successfully if the saved configuration includes FIPS keys with names containing a dot ( . ).


490414-1 : /shared/vmisolinks present on systems running versions where block-devices are not present

Component: TMOS

Symptoms:
/shared/vmisolinks is not removed from vCMP hosts when booting into builds that do not support block-device-image and block-device-hotfix vcmp installations.

Conditions:
This occurs in 11.6.0 or later with vCMP provisioned. In pre-11.6.0 versions, vCMP does not have to be provisioned.

Impact:
/shared/vmisolinks is present and takes up space. /shared can artificially fill up and cause warnings.

Workaround:
/shared/vmisolinks can be safely removed from older versions with the following command sequence:
-- 'clsh rm -rf /shared/vmisolinks'
-- 'clsh ls -al /shared/vmisolinks'
After removing the /shared/vmisolinks directory from each cluster member, or from the appliance acting as a vCMP host, the space warnings related to /shared/vmisolinks cease.

Fix:
/shared/vmisolinks is now properly cleaned up upon system startup.


490284-3 : ASM UI extremely slow to respond (e.g. >2 minutes to render policy list)

Component: Application Security Manager

Symptoms:
ASM screens take a long time to load, and MySQL usage spikes.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM GUI pages.

Workaround:
There is no workaround at this time.

Fix:
We reduced the time it takes for ASM screens to load.


490171-1 : Cannot add FQDN node if management route is not configured

Component: TMOS

Symptoms:
When trying to create an FQDN (Fully Qualified Domain Name) node without a management route configured, the system displays an error: 01070734:3: Configuration error: Please configure a default gateway.

Conditions:
A basic LTM configuration with a DNS lookup server set up.

Impact:
The user must configure a management route, even if they otherwise neither need one nor have one configured.

Workaround:
Create a temporary management-route default gateway in order to add nodes using their FQDN:
1) tmsh create sys management-route default gateway 172.28.22.254 (creates the default management-route).
2) tmsh create ltm node mydomain.com fqdn { name mydomain.com } (creates the FQDN node).
3) tmsh delete sys management-route default (removes the default management-route).

Fix:
A default management route is no longer required in order to add nodes via their FQDN.


490129-1 : SMTP monitor could not create socket on IPv6 node address

Component: Local Traffic Manager

Symptoms:
SMTP Tcl monitor cannot create socket on IPv6 node address.

Conditions:
Conditions leading to this issue include SMTP monitors with IPv6 pool members.

Impact:
SMTP monitor IPv6 pool members are DOWN.

Workaround:
Create an External monitor using SMTP_monitor.

Fix:
SMTP monitor successfully monitors IPv6 pool members.


489796-2 : TMM cores when Woodside congestion control is used.

Component: Local Traffic Manager

Symptoms:
In Woodside congestion control, the congestion window is used to calculate the minimum delay. If the congestion window is 0 during this calculation, the division by the congestion window (0) causes a core.

Conditions:
The congestion window becomes 0.

Impact:
TMM crashes and produces a core file.

Workaround:
Use another congestion control rather than Woodside.

Fix:
The issue is fixed by preventing division by 0.


489767 : Webroot cloud lookup support

Component: Policy Enforcement Manager

Symptoms:
PEM does not have the ability to query the Webroot cloud database for URLs that are available only on the Webroot server in the cloud. There is one global Webroot database on the BIG-IP system, which contains millions of URLs it can categorize. However, the full Webroot URL categorization database is hosted in the Webroot cloud and can categorize billions of URLs. In certain countries, some popular URLs can be categorized only by the Webroot cloud database.

Conditions:
This occurs only when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Impact:
Certain URLs are categorized as unknown by the local Webroot database that is managed on the BIG-IP system, even though they could be categorized by the Webroot cloud service.

Workaround:
None.

Fix:
Support is added so that PEM can perform the Webroot cloud lookup asynchronously and cache the categorization result. When subsequent requests with the same URL arrive, PEM categorizes the URL based on the cached Webroot cloud lookup result.


489750-3 : Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config

Component: TMOS

Symptoms:
From 11.4.0 onwards, deletion of FIPS keys by-handle is expected to throw an error if the BIG-IP config contains that key object. However, if the key name differs from the FIPS label of the key, such by-handle deletion deletes the key from the FIPS card without checking the BIG-IP config. It does not delete that key from the BIG-IP config.

Conditions:
Delete FIPS key by-handle using tmsh when the key name is different from the FIPS-label of the key.

Impact:
FIPS key deletion by-handle may not throw the expected error when the FIPS handle corresponds to a key in the BIG-IP config, and deletes the key from the FIPS card without deleting the key in the BIG-IP config.

Workaround:
First, FIPS key deletion by-handle should be used only for FIPS key handles that do not have corresponding key objects in the BIG-IP config. If deletion of the FIPS key was intended and a by-handle deletion has already been performed that did not delete the key from the BIG-IP config, follow this workaround:
After executing 'tmsh delete sys crypto fips by-handle <handle-number>', check whether the corresponding key still exists in the BIG-IP config by executing 'tmsh list sys crypto key'. If the key in question was not deleted, execute 'tmsh delete sys crypto key <keyname>'.

Fix:
The system now correctly handles deleting a FIPS key by-handle using tmsh when the key name differs from the FIPS label of the key.


489648-1 : Empty violation details for attack signatures

Component: Application Security Manager

Symptoms:
Attack signatures are detected on a transaction, but the reporting does not show the details of all of the attack signatures.

Conditions:
Different signature sets are applied to different policies, and then a transaction with attack signatures appears on a request.

Impact:
Not all the detected attack signature details are shown. In some cases, there are empty violation details for certain attack signatures.

Workaround:
None.

Fix:
All attack signature details are now shown.


489382-7 : Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert

Component: Access Policy Manager

Symptoms:
Browser clients allow the machine certificate agent to pass even if the "match SubjectCN and FQDN" criterion is not satisfied. This happens only if the selected certificate is recognized by the BIG-IP system but does not fit the machine certificate selection criteria.

Conditions:
Mac, browsers, machine certificate agent in the access policy, valid certificate.

Impact:
The browser allows network access to be established even though it should not.

Workaround:
Add more search criteria to the machine certificate agent.

Fix:
The browser client now selects the appropriate certificate when the "match SubjectCN and FQDN" criterion is specified in Machine Cert.


489328-9 : Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.

Component: Access Policy Manager

Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.

Conditions:
Rare condition: a user opens different browser tabs pointing to a BIG-IP APM virtual server, causing the access policy to run from both tabs. If the length of the encoded URL falls on the 4K boundary, TMM might crash.

Impact:
Rarely encountered; the BIG-IP service becomes unavailable.

Workaround:
None.

Fix:
Proper checks were added before processing the URL so that, if there is a long initial URL, the BIG-IP system does not process it, and a user might see a reset. After establishing the session in other tabs, the user can access the long URL again.


488931-1 : TMM may restart when MPTCP traffic is being handled.

Component: Local Traffic Manager

Symptoms:
Under some conditions, multi-path TCP (MPTCP) traffic being handled by an MPTCP-enabled virtual server might cause TMM to restart.

Conditions:
MPTCP traffic is being handled by an L7 virtual server.

Impact:
The TMM might restart when this condition occurs.

Workaround:
None.

Fix:
TMM no longer restarts when multi-path TCP (MPTCP) traffic is being handled.


488917-2 : Potentially confusing wamd shutdown error messages

Component: WebAccelerator

Symptoms:
When shutting down, wamd might log debug messages that appear serious.

Conditions:
wamd shutdown.

Impact:
Unnecessary log messages are generated, similar to the following:
-- WA Debug (17637): * WARNING: The server encountered an unexpected condition.
-- WA Debug (17637): * Contact F5 support if you are experiencing problems and include
-- WA Debug (17637): * the following diagnostic information.
These messages are cosmetic and do not indicate a problem with the system.

Workaround:
None.

Fix:
wamd no longer issues alarming debug messages when shutting down.


488916 : CIDR can now be used for SNAT Origin Address List

Component: TMOS

Symptoms:
A validation error occurs when an address in IP/CIDR format is entered into the address list field, although the field still accepts an address in IP/IP format.

Conditions:
When an address in IP/CIDR format is entered into the address list field.

Impact:
Validation error occurs, although the field still accepts an address in IP/IP format.

Workaround:

Fix:
The validation error is no longer thrown, and an address in IP/CIDR format is now handled correctly.


488908-1 : In a client-ssl profile that serves as the server side, BIG-IP SSL does not initialize some parameters in the initialization function.

Component: Local Traffic Manager

Symptoms:
In a client-ssl profile that serves as the server side, BIG-IP SSL does not initialize some parameters.

Conditions:
A client-ssl profile that serves as the server side, while fragmented datagrams are being retransmitted.

Impact:
The SSL handshake fails, and Datagram Transport Layer Security (DTLS) crashes while retransmitting fragmented datagrams.

Workaround:
None.


488713-1 : Corrupt memory

Component: Application Visibility and Reporting

Symptoms:
The Thrift server raises an unhandled exception.

Conditions:
Using the Thrift server when it encounters an unhandled exception.

Impact:
AVRD crashes.

Workaround:
None.

Fix:
Avrd now handles the exception.


488598-1 : SMTP monitor on non-default route domain fails to create socket

Component: Local Traffic Manager

Symptoms:
SMTP monitor on a non-default route domain fails to create a socket.

Conditions:
SMTP monitors on a non-default route domain.

Impact:
SMTP monitor pool members are DOWN. If debug logging is enabled for the monitor, the system posts messages in the monitor's debug log: Notice 'ERROR: failed to connect 10.50.1.100%20:25 error: couldn't open socket: host is unreachable'.

Workaround:
Create an External monitor using SMTP_monitor.

Fix:
SMTP monitor no longer fails when using a non-default route domain.


488374-2 : Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation

Component: TMOS

Symptoms:
Mismatched IPsec policy configuration causes racoon to core intermittently after failed IPsec tunnel negotiation.

Conditions:
During IPsec Tunnel negotiation, IKE Phase 1 negotiation succeeds and ISAKMP security association is created, but phase 2 (Quick mode) for IPsec security associations fails due to mismatched IPsec policy configuration. This intermittent error occurs because of a memory issue that causes heap corruption.

Impact:
Intermittently, the racoon daemon cores and crashes when there are earlier failed phase 2 negotiations.

Workaround:
Make sure that the IPsec policy settings on the remote device, such as the encryption and authentication algorithms for data going through the IPsec tunnel, match the IPsec policy configured on the BIG-IP system for the same IPsec tunnel.

Fix:
The racoon daemon no longer crashes due to mismatched IPsec policy configuration.


488306-1 : Requests not logged locally on the device

Component: Application Security Manager

Symptoms:
After deactivating or deleting security policies and then activating other policies, sometimes requests would not be logged on the local device.

Conditions:
Deactivating/deleting security policies and then activating other policies.

Impact:
Requests would not be logged on the local device.

Workaround:
Restart ASM.

Fix:
ASM now properly tracks security policy changes and correctly logs requests.


488166-1 : Provide an option to delete the session and create a new one when the IP class address limit is reached while a new IP address is being added.

Component: Policy Enforcement Manager

Symptoms:
When the Multiple IP feature is supported, adding a new IP address to a session fails if the IP address limit for that class of IP addresses has been reached. So if old IP addresses are not removed from the session, even though the subscriber may no longer be using them, the new IP assignment is disallowed, and subscriber traffic might be blocked or not policed because the IP address was not added to the session.

Conditions:
The IP class address limit for the session has been reached, and a request to add a new IP address for the same subscriber session arrives.

Impact:
The session is not created by RADIUS but by traffic, and no subscriber ID is assigned to it. The PCRF may decline to provide a policy, and hence subscriber traffic may not be policed as expected.

Workaround:

Fix:
A db variable, Tmm.pem.session.delete.if.max.ipaddr.per.class.exceeded, has been added and is set to TRUE by default. Now, when a request to add a new IP address arrives via RADIUS and the session IP limit has been reached, the current session is deleted and a new one is created altogether, so that the new subscriber session is not affected.


487757 : Hybrid higig/front panel port packet discard (ingress back-pressure vs. egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on Centaur/Treadstone/Victoria2 platforms.

Component: Local Traffic Manager

Symptoms:
Different discard configurations set on B4300/B2200/10000/12000 family platform interfaces may result in different packet discard type counts when the switch encounters bursty or severe MMU congestion.

Conditions:
Dissimilar congestion discard counts are observed for switch ports supporting normal vs. extended unicast queues.

Impact:
When switch ports encounter congestion, ports supporting extended unicast queues may show ingress back-pressure discard counts, as opposed to the egress queue discard counts shown for ports supporting regular unicast queues.

Workaround:
None.

Fix:
Egress CoS queue discard settings are now also enabled for switch ports supporting extended unicast queues, matching the settings already in place for ports supporting normal unicast queues.


487592 : Change in the caching duration of OCSP response when there is an error

Component: Local Traffic Manager

Symptoms:
Some of the OCSP responses that indicate an error (such as 'unauthorized' response from the responder) are cached indefinitely.

Conditions:
Some of the OCSP responses that indicate an error (such as 'unauthorized' response from the responder).

Impact:
Responses are cached indefinitely.

Workaround:
The response can be deleted from the cache so as to obtain a new response. The new response will be cached based on whether it is valid, and whether the responder indicates an error.

Fix:
Except when the responder sends a certificate-status 'revoked', or a response status 'signature required', the response is cached for the duration given by the 'cache-error-timeout' field.


487587-2 : The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios

Component: Local Traffic Manager

Symptoms:
The allowed range of 'status-age' in OCSP Stapling Parameters was 0 - 86400 (0 to 1 day in seconds). This range might not be enough to support some scenarios in which the acceptable value could be as high as 7-10 days.

Conditions:

Impact:
OCSP response is discarded even when it is acceptable as valid.

Workaround:
This issue has no workaround at this time.

Fix:
The allowed range of 'status-age' has been changed to 0 - MAX_INT, with 0 indicating that the status-age check is not performed. That is, the system does not check whether the 'thisUpdate' value in the OCSP response lags by the specified amount of time. Also, the default value of status-age has been changed to 86400 (one day in seconds).


487554-2 : System might reuse TCP source ports too quickly on the server side.

Component: Local Traffic Manager

Symptoms:
The system might reuse TCP source ports too quickly on the server side when the DAG hash is ip-only and the source-port mode is set to change.

Conditions:
This occurs when the dag-cmp hash is ip-only, and the virtual server or PEM-forwarding endpoints sourceport mode is set to change. The BIG-IP system might reuse some TCP source ports on the server side.

Impact:
Conflicting flows result in connections being reset.

Workaround:

Fix:
In this release, reuse of TCP source ports is sequential, which eliminates the issue of TCP source ports being used too quickly on the server side.


487553 : FPS alerts

Component: Fraud Protection Services

Symptoms:
Fraud Protection Service (FPS) alerts are not being sent.

Conditions:
This occurs when using FPS.

Impact:
Alerts for the user credentials are not being sent.

Workaround:

Fix:
Improved alerting for Fraud Protection Service (FPS).


487552-3 : triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests are coming from 8G table

Component: TMOS

Symptoms:
The system might post the following error when the provisioned modules should be supported: 01071008:3: Provisioning failed with error 255 - 'Physical memory (6144MiB) insufficient for 3 or more modules.'

Conditions:
vCMP guests and VE guests with memory between 5632 MiB and 6250 MiB.

Impact:
Not allowed to provision more than 3 modules.

Workaround:
Create vCMP guests with 4 or more CPUs. Configure the VE guests with more than 6250 MiB of memory available.

Fix:
Three or more modules can now be provisioned on vCMP guests and VE guests having 5632 MiB or more of memory.


487420-1 : BD crash upon stress on session tracking

Component: Application Security Manager

Symptoms:
BD crashes in a specific scenario that involves stress and session tracking; the crash can also occur, rarely, with slow responses or servers when session tracking is enabled.

Conditions:
ASM is under high load and session tracking is running.

Impact:
A BD process crash with the given stack trace, a failover, and/or traffic resets.

Workaround:
N/A

Fix:
Fixed a BD crash scenario with session tracking.


487233-1 : vCMP guests are unable to access NTP or RSYNC via their management network.

Component: TMOS

Symptoms:
Attempts to access an external NTP server or RSYNC server from within a vCMP guest over the management network fail to pass traffic.

Conditions:
This issue affects vCMP guests running any BIG-IP software version when running on a vCMP hypervisor running software version 11.6.0.

Impact:
vCMP guests are unable to configure an external NTP server reachable over the management network.

Workaround:
An NTP server may be configured using a self IP and the data plane network without issue. If access is required via the management port, execute the following steps:
1) Add the following commands to /config/startup on the vCMP hypervisor; this ensures the workaround persists across reboots:
iptables -t nat -D PREROUTING -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT
iptables -t nat -I PREROUTING 1 -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT
2) Run the following command at the vCMP hypervisor bash prompt:
clsh iptables -t nat -I PREROUTING 1 -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT
Rebooting the hypervisor or affected guests is not required.

Fix:
An issue has been corrected which affected NTP and RSYNC access via the management network in vCMP guests.


487170-1 : Enhanced support for proxy servers that resolve to multiple IP addresses

Component: Access Policy Manager

Symptoms:
VPN might fail to connect in environments where DNS returns multiple IP addresses for the proxy server host name. This affects both the Edge Client and the web client.

Conditions:
The proxy server name resolves to multiple IP addresses, or the proxy server IP address changes on a subsequent call to the DNS resolver.

Impact:
VPN connection might fail.

Workaround:
Configure DNS to return a persistent IP address for the proxy host name.

Fix:
Added support for scenarios where proxy host name resolves to multiple addresses.


486724-3 : After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails

Component: Local Traffic Manager

Symptoms:
After upgrading from TMOS v10 to TMOS v11 in a FIPS HA setup, config-sync will fail.

Conditions:
In a FIPS HA setup, upgrade from v10 to v11. After upgrade, trigger config-sync.

Impact:
HA devices will be in a sync-failed state.

Workaround:
This issue has no workaround at this time.

Fix:
Config-sync will now be successful after upgrading from v10.


486597-1 : Fixed Network Access renegotiation procedure

Component: Access Policy Manager

Symptoms:
Network Access reconnects on every SSL renegotiation attempt on Windows 7 for TLS1.2 and TLS1.1 if client cert is requested.

Conditions:
This occurs when the following conditions are met:
-- Windows 7.
-- TLS 1.1/TLS 1.2.
-- Client cert set to 'required' in the virtual server's Client Cert profile.

Impact:
Reconnect on every SSL renegotiation attempt.

Workaround:
None.

Fix:
Fixed Network Access renegotiation procedure on TLS1.1 and TLS1.2 for Windows 7.


486512-7 : audit_forwarder sending invalid NAS IP Address attributes

Component: TMOS

Symptoms:
Forwarded auditing messages contain the incorrect nas-ip-address attribute. It should be the local IP address of the box; instead, nas-ip-address is another, random IP address.

Conditions:
This seems to work fine when the BIG-IP system is a virtual machine. The issue reproduces only on actual hardware.

Impact:
Cannot pass certification because config auditing is not working as expected (invalid NAS IP Address).

Workaround:

Fix:
Forwarded auditing messages now contain the correct nas-ip-address attribute, so config auditing is now working as expected.


486450-2 : iApp re-deployment causes mcpd on secondaries to restart

Component: Local Traffic Manager

Symptoms:
iApp redeployment causes mcpd on secondaries to restart.

Conditions:
This occurs when redeploying iApps with the locally cached files in place.

Impact:
mcpd restarts on secondaries.

Workaround:

Fix:
iApp redeployment now works correctly, and no longer causes mcpd on secondaries to restart.


486356-1 : Unable to configure a virtual with a stats profile and a sip profile in 11.6.0

Component: Service Provider

Symptoms:
Changes in profile validation logic unintentionally blocked using a stats profile with a sip profile in the same virtual server.

Conditions:

Impact:
Unable to add a stats profile to a virtual containing a sip profile.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed mcpd validation to allow a stats profile to be included in a sip virtual server.


486346-3 : Prevent wamd shutdown cores

Component: WebAccelerator

Symptoms:
Under some circumstances, wamd cores while trying to exit.

Conditions:
wamd is shutting down.

Impact:
Unnecessary core files are generated, consuming some resources.

Workaround:

Fix:
wamd now exits gracefully.


486323-1 : The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation

Component: Application Security Manager

Symptoms:
After an installation of an 11.6.0 hotfix, the datasyncd process may keep restarting during 30 minutes. This is rare, but if it does happen, the system will remain offline during this time, until the state is automatically recovered.

Conditions:
An 11.6.0 hotfix is being installed on a system that is already running 11.6.0, and has either ASM or FPS provisioned.

Impact:
During 30 minutes following the hotfix installation, the system remains offline and does not handle traffic.

Workaround:
This issue has no workaround at this time.

Fix:
A rare scenario that caused a machine to remain offline during 30 minutes after an 11.6.0 hotfix installation is now fixed.


486268-1 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
On the BIG-IP APM logon page, a title may not appear.

Conditions:
RSA 8.1 is used with the default RSA error messages, which contain newline symbols.

Impact:
May cause usability issues.

Workaround:

Fix:
Now the title displays correctly on the logon page; RSA error messages are now sanitized.


485939-1 : OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.

Component: TMOS

Symptoms:
In a HA pair setup, the active node is sending an As_External Link-State Advertisement (LSA) with infinity metric value for the redistributed connected subnets that are configured in the network element of the OSPF.

Conditions:
HA pair with redistributed connected subnets and subnets configured in the network element in the OSPF.

Impact:
The active node in the HA pair sends an LSA with infinity metric that gets exchanged in the other networks affecting the routing process.

Workaround:
Running 'clear ip ospf process' fixes the issue. However, it is not an effective solution in a production environment.

Fix:
OSPF sessions in an HA pair no longer send an As_External LSA for subnets that are configured as a network element and redistributed as connected subnets.


485917-3 : BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)

Component: Local Traffic Manager

Symptoms:
When remote attackers spoof a TCP flow on BIG-IP and forge/send an ICMP "Fragmentation Needed and Don't Fragment was Set" packet with a very low next-hop MTU value to BIG-IP, BIG-IP accepts it without a proper validation check of the sequence numbers.

Conditions:
This issue is possible as soon as the attacker can send a flow that can reach the BIG-IP. Attack tools downloadable from the Internet allow forging ICMP packets and sending them to any target (including BIG-IP). The attacker can then send an ICMP packet with an embedded TCP packet that spoofs a valid connection flow on the BIG-IP (same source IP address, destination IP address, source TCP port and destination TCP port). The ICMP packet can then specify a new PATH MTU, per RFC 1191. BIG-IP would then adopt this new MTU value as the PATH MTU for that connection. Using a smaller MTU results in lower performance over the target connection.

Impact:
Lower MTU will result in packets being sent in smaller sizes and much lower network performance.

Workaround:

Fix:
The fix is based on verifying the validity of the TCP sequence number of the TCP packet embedded inside the PATH MTU discovery ICMP packet. If the TCP sequence number is valid for the targeted TCP connection, the ICMP packet is considered a legitimate PATH MTU Discovery packet sent by a router on the connection PATH and therefore the MTU value it carries is adopted as the new PATH MTU. If the TCP sequence number is not valid for the target connection, the ICMP packet is ignored.
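The validation described in this fix, as an added example that is not F5's code: an ICMP "Fragmentation Needed" message is parsed, the quoted TCP segment is matched against the connection's 4-tuple, and the next-hop MTU is adopted only if the quoted sequence number lies inside the sender's in-flight window. The TcpConn record, the window fields snd_una/snd_nxt and the sample packet builder are assumptions made for this example.

```python
"""Added example (not F5 code): accept a path-MTU update only when the ICMP
message quotes a TCP segment this connection actually sent.

Assumptions (not from the page): a minimal connection entry that records the
4-tuple and the unacknowledged send window [snd_una, snd_nxt).
"""
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
MIN_IPV4_MTU = 68   # RFC 791 minimum; anything lower cannot be a real path MTU


@dataclass
class TcpConn:
    src_ip: str     # local endpoint of the connection
    dst_ip: str
    src_port: int
    dst_port: int
    snd_una: int    # oldest unacknowledged sequence number
    snd_nxt: int    # next sequence number to be sent
    path_mtu: int = 1500


def seq_in_window(seq, lo, hi):
    """True if lo <= seq < hi in 32-bit sequence space (wrap-around safe)."""
    return ((seq - lo) & 0xFFFFFFFF) < ((hi - lo) & 0xFFFFFFFF)


def parse_frag_needed(icmp):
    """Parse ICMP type 3 / code 4 plus the quoted IPv4 header and the first
    8 bytes of the offending TCP segment (RFC 792 / RFC 1191).
    Returns (mtu, (src_ip, dst_ip, sport, dport), seq) or None if malformed."""
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    if inner[9] != 6:                      # quoted packet is not TCP
        return None
    src_ip = ".".join(str(b) for b in inner[12:16])
    dst_ip = ".".join(str(b) for b in inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return mtu, (src_ip, dst_ip, sport, dport), seq


def apply_pmtu_update(conn, icmp):
    """Adopt the MTU only if the quoted segment matches this connection's
    4-tuple and carries a sequence number currently in flight."""
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return False
    mtu, tup, seq = parsed
    # The quoted packet was sent by us, so its source must be our local end.
    if tup != (conn.src_ip, conn.dst_ip, conn.src_port, conn.dst_port):
        return False
    if not seq_in_window(seq, conn.snd_una, conn.snd_nxt):
        return False                       # forged or stale: ignore it
    if mtu < MIN_IPV4_MTU or mtu >= conn.path_mtu:
        return False                       # implausible, or not a reduction
    conn.path_mtu = mtu
    return True


def sample_frag_needed(mtu, src_ip, dst_ip, sport, dport, seq):
    """Constructed test input: an ICMP Fragmentation Needed message quoting a
    20-byte IPv4 header (DF set) and the first 8 bytes of a TCP segment.
    Checksums are left zero because nothing here is sent on a wire."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(int(x) for x in src_ip.split(".")),
                         bytes(int(x) for x in dst_ip.split(".")))
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + ip_hdr + tcp8
```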


485833-7 : File descriptor leak in MCP when modifying users

Component: TMOS

Symptoms:
File descriptors pointing to /home/<username> are leaked whenever a user attribute is modified.

Conditions:
Modifying a user attribute.

Impact:
File descriptors leak.

Workaround:
This issue has no workaround at this time.

Fix:
Ensure all user directory file descriptors are closed.


485764-5 : WhiteHat vulnerability assessment tool is configured but integration does not work correctly

Component: Application Security Manager

Symptoms:
When the WhiteHat vulnerability assessment tool is configured on an already existing policy the proper response headers are not added to traffic that are needed for full integration.

Conditions:
The WhiteHat vulnerability assessment tool is configured on an already existing policy.

Impact:
Proper response headers are not added to traffic to integrate fully.

Workaround:
None.

Fix:
The system now adds correct response headers to traffic after the WhiteHat vulnerability assessment tool is configured.


485355-3 : Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)

Component: Access Policy Manager

Symptoms:
Click-to-Run Office 2013 applications fail to start inside PWS without any error message.

Conditions:
Click-to-Run version of Office 2013 is used under PWS

Impact:
Click-to-Run version of Office 2013 does not work inside PWS

Workaround:
Use full installation of Office 2013.

Fix:
Click-to-Run Office 2013 applications can start inside PWS now.


485202-1 : LDAP agent does not escape '=' character in LDAP DN

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP 11.6.0, session variables may have modifiers when used in configuration, such as: %{session.logon.last.ldap.dn:ldapdn}. With the session variable modifier "ldapdn", the resulting value should be escaped according to LDAP DN rules. Those rules require the equals (=) character to be escaped, but it is not.

Conditions:
LDAP session variable that contains LDAP DN is used in configuration with "ldapdn" session variable modifier.

Impact:
Depends on how the session variable with the "ldapdn" modifier is used in the configuration.

Workaround:
It is possible to escape '=' character using the Variable Assign agent before using that session variable with the modifier in other configurations.

Fix:
Now the session variable modifier "ldapdn" escapes the equal sign (=) character as well as other characters that require escaping.


485189-3 : TMM might crash if unable to find persistence cookie

Component: Local Traffic Manager

Symptoms:
TMM might crash and generate a core if unable to find persistence cookie.

Conditions:
Although specific conditions for this issue are unknown, it is possibly due to having a virtual with cookie persistence enabled and iRules that disable persistence.

Impact:
System outage.

Workaround:

Fix:
TMM now verifies that a persistence cookie was successfully found before extracting it from HTTP responses.


484861-5 : A standby-standby state can be created when auto failback acts in a CRC disagreement scenario

Component: TMOS

Symptoms:
A standby-standby state can occur after a failback if there is a CRC disagreement between peers.

Conditions:
HA pair using auto failback. There must be a CRC disagreement between peers. The failback preferred system must have a lower traffic group score than its peers. NOTE: CRC disagreements may lead to other issues and the customer is strongly advised to sync the devices to remove the disagreement.

Impact:
It's a site down situation as all the objects in the traffic group will become unreachable.

Workaround:
Sync devices to remove the CRC disagreement.

Fix:
Ensure that the preferred system goes active after auto failback, even if its traffic group score is lower than that of its peers.


484733-4 : aws-failover-tgactive.sh doesn't skip network forwarding virtuals

Component: TMOS

Symptoms:
When there are forwarding virtual servers with SNATs defined in the configuration, the reassignment of IP addresses for virtual servers does not happen correctly in Amazon Web Services (AWS).

Conditions:
Forwarding virtual servers with SNATs defined.

Impact:
HA failover is impacted.

Workaround:

Fix:
The reassignment of IP addresses for forwarding virtual servers with SNATs defined in the configuration now occurs as expected in Amazon Web Services (AWS).


484582-2 : APM Portal Access is inaccessible.

Component: Access Policy Manager

Symptoms:
APM Portal Access is inaccessible.

Conditions:
One of sessions reaches 64 KB of Portal Access application cookie storage.

Impact:
Rewrite plugin crashes; APM Portal Access becomes inaccessible. Shortly after, this plugin crashes with a *** glibc detected *** memory-corruption message. The rewrite daemon log contains the following lines:
- notice rewrite - cookie.cpp:543 : updateCookieSessionStore : expiring cookie ...

Workaround:
None.

Fix:
Rewrite plugin no longer crashes when Portal Access application cookies require more than 32 KB of storage.


484483-2 : TCP and UDP was classified as Unknown by classification library

Component: Traffic Classification Engine

Symptoms:
When traffic didn't map to any of the supported Application Layer protocols/services, it was classified as Unknown, which is misleading and doesn't provide enough granularity.

Conditions:
Traffic didn't map to any of the supported Application Layer protocol.

Impact:
Misleading classification results

Workaround:

Fix:
Instead of classifying traffic as Unknown, flows are now tagged as TCP or UDP depending on what type of traffic is seen by the classification library.


484305-2 : Clientside or serverside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
Any parking iRule command used inside clientside or serverside crashes TMM.

Conditions:
Parking command used inside clientside or serverside.

Impact:
The impact of this issue is that TMM crashes.

Workaround:
See if you really need to run the parking command inside clientside/serverside, if not, move the command outside.

Fix:
TMM no longer crashes when an iRule executes a parking command inside a 'clientside' or 'serverside' context-switching command.


484278-4 : BIG-IP crash when processing packet and running iRule at the same time

Component: Policy Enforcement Manager

Symptoms:
The BIG-IP system sometimes crashes if it is processing packets and iRules at the same time.

Conditions:
Conditions leading to this issue include having iRule scripts and processing iRule tasks, and processing incoming traffic along with the iRule tasks.

Impact:
The impact of this issue is that the BIG-IP system crashes intermittently.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the iRule processing problem that is causing the BIG-IP to crash while processing incoming packets.


484095 : RADIUS accounting message with multiple IPv6 prefix causes TMM crash

Component: Policy Enforcement Manager

Symptoms:
When RADIUS Accounting message contains multiple Framed-IPv6-Prefix AVPs all these AVPs except the first one are parsed incorrectly, and in some cases may lead to tmm crash with core.

Conditions:
RADIUS Subscriber discovery is enabled in PEM. RADIUS Accounting message contains multiple Framed-IPv6-Prefix AVPs.

Impact:
Incorrect PEM sessions created. TMM may crash with core.

Workaround:
For adding multiple IPv6 prefixes into a single PEM session use multiple RADIUS Accounting messages containing a single Framed-IPv6-Prefix AVP for each. The tmm.pem.session.provisioning.continuous sys db variable should be set to true.

Fix:
Fixes the TMM crash problem, and radius accounting message with multiple IPv6-prefix is now parsed correctly.


484079-1 : Change to signature list of manual Signature Sets does not take effect.

Component: Application Security Manager

Symptoms:
When the signature list of a manual Attack Signature Set is modified, the change does not affect enforcement or remote logging.

Conditions:
The signature list of a manual Attack Signature Set is modified (with no other change to the Signature Set).

Impact:
The change does not take effect in signature enforcement or remote logging.

Workaround:
Make any spurious change to the signature set (such as unchecking/checking 'Assign to Policy by Default'), or unassign and reassign the signature set to the affected policy.

Fix:
When the signature list of a manual Attack Signature Set is modified, enforcement and remote logging are updated correctly.


483762-3 : Overlapping vCMP guest MAC addresses

Component: TMOS

Symptoms:
Intermittent traffic disruptions such as unexpected resets and drops may occur as the result of MAC address conflicts between vCMP guests on an affected hypervisor and/or conflict with other F5 devices with adjacent MAC address ranges.

Conditions:
MCPD has restarted on a vCMP hypervisor, and vCMP guest instances with more than 2 VLANs are deployed after the MCPD restart.

Impact:
Intermittent traffic disruptions such as unexpected resets and drops.

Workaround:
1. Restart vCMPD on the hypervisor.
2. Re-deploy the vCMP Guest by setting it to "Configured", then "Deployed" again. Note: you need to set it to "Configured", not "Provisioned".

Fix:
MAC address conflicts no longer occur between vCMP guests.


483751-1 : Internal objects can have load failures on restarted blades

Component: TMOS

Symptoms:
If the primary blade of a chassis is reset, once it rejoins the cluster as a secondary its configuration may fail to load with errors that look like this:
01070088:3: The requested object name (/Common/default-eviction-policy) is invalid.
01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
01070734:3: Configuration error: MCPProcessor::check_initialization:
01070734:3: Configuration error: URL category (/Common/Abortion) cannot be deleted. It is being used by a URL filter.

Conditions:
This only affects chassis.

Impact:
The impact of this issue is that mcpd will not finish startup unless the workaround steps are performed.

Workaround:
Log in to the affected blade, remove the binary database (/bin/rm -v /var/db/mcp*), and restart all services on the blade (bigstart restart).

Fix:
Formerly, if the primary blade of a chassis was reset, once it rejoined the cluster as a secondary its configuration could fail to load with errors that look like this:
01070088:3: The requested object name (/Common/default-eviction-policy) is invalid.
01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
01070734:3: Configuration error: MCPProcessor::check_initialization:
01070734:3: Configuration error: URL category (/Common/Abortion) cannot be deleted. It is being used by a URL filter.
The system now loads successfully and no longer hits this error.


483699-1 : No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list

Component: TMOS

Symptoms:
After uploading a file to the system and creating the iFile object, the user is unable to access the object.

Conditions:
Uploading a file to the system and creating the iFile object.

Impact:
The system shows a No Access error, and the user is unable to access the iFile object.

Workaround:

Fix:
Accessing iFile object in Local Traffic :: iRules : iFile list now works correctly and no longer produces No Access error.


483683-3 : MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error

Component: TMOS

Symptoms:
"Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error on secondary blades when starting up. When this happens, MCP is left in a bad state and several issues (not obviously related to this error) can occur.

Conditions:
Only occurs on a chassis system, and only on secondary blades.

Impact:
This error is the precursor to bad behavior on the system. The exact issues seen are hard to quantify, as they vary depending on what state MCP's database is in when the exception is thrown.

Workaround:

Fix:
Added code to catch exceptions in rm_DBLowHighWide. We now delete the binary MCP database when an exception is caught, and restart MCP. This restart without a binary database bypasses rm_DBLowHighWide and allows the secondary MCP to receive its configuration from the primary MCP.


483539-1 : With fastL4, incorrect MSS value might be used if SYN has options without MSS specified

Component: Local Traffic Manager

Symptoms:
Due to the incorrect MSS value, TMM might core because, based on the MSS value, the outgoing packet attempts to use TSO, which is not correct. This can result in a crash with the following stack trace:
#2 <signal handler called>
#3 tcp_tso_pkt_cleanup at ../netinet/tcp_tso.c:136
#4 tcp_tso_split (orig_pkt=0x570001574680) at ../netinet/tcp_tso.c:487
#5 nexthop_tso_output (nexthop=<value optimized out>, orig_pkt=0xe) at ../net/nexthop.c:395
#6 flow_output (cf=0x5700010c0700, pkt=0x570001574680) at ../base/flow_table.c:1861
#7 bigproto_output (cf=0x5700010c0700, conn=0x218, pkt=0x570001574680) at ../modules/hudproxy/bigproto/bigproto.c:3035

Conditions:
A virtual using fastL4 where a SYN packet with options is received, but the SYN packet does not contain an MSS option.

Impact:
If this issue occurs, then TMM will core resulting in a failover/reboot of the system.

Workaround:
None.

Fix:
The correct MSS value is now used when SYN has options without MSS specified, so TMM no longer cores.


483526-1 : Rarely seen Edge Client for Mac crash on session disconnect

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client crashed a couple of times in persistent testing on session disconnect.

Conditions:
Long persistent connection to APM.

Impact:
Edge Client crashes on session disconnect, but restarting Edge Client works fine.

Workaround:
To work around the problem, restart Edge Client for Mac.

Fix:
BIG-IP Edge Client for Mac now gracefully handles session disconnect on long-lived persistent connections.


483353-1 : HTTP compression might cause TMM crash in low-memory conditions

Component: Local Traffic Manager

Symptoms:
TMM might crash in HTTP compression in low-memory conditions when unable to initialize the compression provider.

Conditions:
HTTP compression is configured and TMM is low on memory.

Impact:
TMM crashes and traffic outage may occur.

Workaround:
Remove HTTP compression from the virtual to avoid the issue.

Fix:
HTTP compression now gracefully handles failed compression provider initialization.


482915-1 : Learning suggestion for the maximum headers check violation appears only for blocked requests

Component: Application Security Manager

Symptoms:
There are no learning suggestions for the Maximum headers sub-violation if the HTTP protocol compliance violation is in Alarm only (not in Blocking).

Conditions:
If the HTTP compliance is in Alarm only (not in Blocking) and the Maximum number of headers sub-violation is enabled, and there is a violation for the maximum number of headers (which is not blocking) and no other violation in the request is blocking.

Impact:
There will not be a learning suggestion for this violation and no automated learning will happen for the number of headers.

Workaround:
No workaround

Fix:
Previously, Manual Learning of the sub-violation Maximum number of headers happened only for blocked requests. The system now produces learning suggestions for the Maximum number of headers sub-violation even if the HTTP protocol compliance violation is in Alarm only (not in Blocking).


482788-3 : GUID in Source integrity alerts

Component: Fraud Protection Services

Symptoms:
GUID field was not sent in Source integrity alerts

Conditions:
Source integrity alerts

Impact:
Username would not be associated with these alerts after login

Workaround:

Fix:
Source integrity alerts are now sent with non-empty GUID field from the BIG-IP.


482436-1 : Inefficient handling of invalid SIP request

Component: Service Provider

Symptoms:
Potentially CPU impacting.

Conditions:
Invalid SIP request may require more CPU than necessary.

Impact:
High CPU usage.

Workaround:
None.

Fix:
Improved security of invalid SIP messages.


482434 : Possible performance degradation in AWS cloud

Component: TMOS

Symptoms:
Throughput and new connections per/sec might be up to 4 times slower in AWS for SR-IOV enabled instances.

Conditions:
This might occur when a BIG-IP virtual server is configured with a Standard profile.

Impact:
Performance is 3-to-4 times slower than the license limit: slow throughput and new connections per second.

Workaround:
If throughput performance is 3x-4x slower than the license limit for virtual servers with the 'Standard' profile, consider disabling interruptible sleep. To do so, set the appropriate DB variable to 0 (zero) and restart tmm, using the following commands:
1. setdb Scheduler.UnicAsleepRxLimit.LTM 0
2. bigstart restart tmm

Fix:
Throughput and new connections per/sec are now comparable in AWS for SR-IOV enabled instances and in other instances.


482269-1 : APM support for Windows 10 out-of-the-box detection

Component: Access Policy Manager

Symptoms:
APM does not support out-of-the-box detection for Windows 10 in visual policy editor configuration.

Conditions:
Windows 10, APM

Impact:
Windows 10 cannot be detected in visual policy editor rules.

Workaround:

Fix:
APM now supports out-of-the-box detection of Windows 10 in visual policy editor action items, such as, Client OS and Client Type.


482202-1 : Very long FTP command may be ignored.

Component: Carrier-Grade NAT

Symptoms:
FTP commands are delimited with carriage returns. If the BIGIP receives a large buffer with no carriage return then it passes the data through without inspecting for or acting on commands. Since the only commands we act on should be delimited within a reasonable size this does not affect FTP behavior and protects the BIGIP against DDOS attacks where large amounts of data that is not FTP command data is passed across FTP.

Conditions:
If the FTP profile encounters command buffers that contain many carriage returns without valid command data then the buffers are passed on without inspection.

Impact:
Under normal conditions there is no impact. If there is invalid data followed by valid data then the valid data may be ignored.

Workaround:
Do not use the FTP profile for traffic other than FTP.

Fix:
The FTP profile no longer processes invalid command data.


482134-1 : APD and APMD cores during shutdown.

Component: Access Policy Manager

Symptoms:
When apd and apmd shutdown while they are still processing, the system cores while accessing policy configuration data.

Conditions:
This occurs with a second apd or apmd process while an apd or apmd process is already running. The second apd or apmd process goes down (because one process is already up).

Impact:
During this shutdown process, the system cores.

Workaround:
None.

Fix:
APD and APMD no longer core during shutdown of a second occurrence of apd or apmd.


481880-5 : SASPD monitor cores

Component: Local Traffic Manager

Symptoms:
SASP monitor process core dumping during a state change.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
Pool member is marked down, which leads to monitor outage.

Workaround:

Fix:
SASP monitor no longer core dumps during a state change in push mode.


481820-1 : Internal misbehavior of the SPDY filter

Component: Local Traffic Manager

Symptoms:
The SPDY filter incorrectly handles the error case in which a child flow is aborted.

Conditions:
A child flow that is aborted for any reason would trigger a superfluous ABORT event to be sent by SPDY.

Impact:
Potential disruption of valid client traffic, in theory.

Workaround:
None.

Fix:
SPDY no longer sends superfluous aborts to an already aborting child flow.


481476-5 : MySQL performance

Component: Application Security Manager

Symptoms:
MySQL usage would spike to 100% for extended periods of time.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM GUI pages.

Workaround:
There is no workaround at this time.

Fix:
A MySQL performance issue was fixed.


481431-1 : AAM concatenation set memory leak on configuration change

Component: WebAccelerator

Symptoms:
When AAM configuration is reloaded, it can leak some data structures associated with concatenation sets

Conditions:
AAM provisioned and concatenation sets defined

Impact:
tmm memory consumption will slowly grow

Workaround:
restart tmm to free memory

Fix:
Reloading AAM configuration no longer leaks memory associated with concatenation sets.


481216-1 : Fallback may be attempted incorrectly in an abort after an Early Server Response

Component: Local Traffic Manager

Symptoms:
After an Early Server Response, the BIG-IP system might attempt to generate a fallback response if an error occurs. However, the response has already partially egressed, so this does not work correctly.

Conditions:
Fallback configured or enabled by an iRule. An early server response triggers an error that leads to an Abort being raised. The Abort triggers a fallback response inappropriately.

Impact:
The server-side might read HTTP data structures after they have already been freed. A fallback can be generated on the server-side, leading to a use-after-free if the client side has already aborted.

Workaround:

Fix:
A fallback response is no longer inappropriately generated after an error after an Early Server Response.


481082-2 : Software auto update schedule settings can be reset during a full sync

Component: TMOS

Symptoms:
After performing a full sync, the auto update settings of the target machine are reset to defaults.

Conditions:
Perform a full sync to a system that has non-default auto update settings.

Impact:
Auto update settings can get out of sync, and be incorrect.

Workaround:
After a full sync, ensure that the auto update settings on both systems are set as desired.

Fix:
The auto update settings no longer reset during a sync operation.


480888-2 : Tcl parks during HTTP::collect, and serverssl is present, data can be truncated

Component: Local Traffic Manager

Symptoms:
If Tcl parks during HTTP::collect, and serverssl is present, data can be truncated. serverssl can send an 'early' EOF when notified by the server.

Conditions:
serverssl with a server that notifies SSL of connection termination. If Tcl is parked during a HTTP::collect call, then it is possible for the EOF to be placed before the data collected. If that occurs, then the data is dropped. Use of HTTP::collect in an iRule on the server-side. If HTTP::collect is called within the HTTP_RESPONSE_DATA event, the occurrence is much more likely.

Impact:
The server response is truncated.

Workaround:

Fix:
A response from the server is no longer truncated in some situations when the serverssl profile is combined with the use of the HTTP::collect iRule command.


480817-3 : Added options to troubleshoot client by disabling specific features

Component: Access Policy Manager

Symptoms:
It is impossible to turn off specific features on specific clients for troubleshooting purposes.

Conditions:
Always using Edge client

Impact:
Lack of these options made client troubleshooting difficult as the options could only be set on the server.

Workaround:

Fix:
Added the following features:

DWORD key                          Default value   HKLM only
------------------------------------------------------------------
UseLocalProxy                      false           yes
EnableEdgeClientUpdate             true            yes
EnableWebComponentsUpdate          true            yes
EnableDTLSTransport (Bug484847)    true            no
EnableNACompression                true            no
EnableOptimizedTunnelCompression   true            no
SessionChecksInterval              10000           no
------------------------------------------------------------------
("false" == 0, "true" - any value except 0)
Key: HKLM (or HKCU)\Software\F5 Networks\RemoteAccess
A zero value for SessionChecksInterval disables this feature completely. "HKLM only" means that the feature can only be disabled/enabled by a value located in the HKLM sub-tree; features marked "no" can be disabled using both HKLM (Local Machine) and HKCU (Current User). The CLIENT control channel is not yet implemented.


480811-2 : qkview will not collect lib directories.

Component: TMOS

Symptoms:
qkview collects subdirectories in /var/run. In 11.6.0, this directory contains symbolic links to /lib64 and /usr/lib64. These directories contain a lot of files that are static and not required for problem diagnosis.

Conditions:

Impact:
qkviews can take a long time to transmit and to interpret due to the large file size.

Workaround:
This issue has no workaround at this time.

Fix:
The lib directories /usr/lib64 and /lib64 will no longer be collected in qkview.


480699-2 : HA mirroring can overflow buffer limits on larger platforms

Component: Local Traffic Manager

Symptoms:
When using mirroring, some connections between HA peers may overflow buffers and enter a state in which the buffer is repeatedly reset due to overflow.

Conditions:
LTM logs show resets, usually within one minute of each other. Viewing tmctl ha_stat shows the 'overflows' count incrementing by one approximately every minute or less. The 'buffered' count then increases, until at the maximum the 'overflows' count increments again. This does not apply to cases in which client and server bandwidth are far in excess of mirroring bandwidth, nor to cases in which there are occasional but not frequent overflows.

Impact:
In this state, failover can lose more than the expected number of L4 connections, and no L7 connections are mirrored. Note that any failure invalidates L7 mirroring; L4 mirroring recovers from occasional HA connection failures including those related to overflow (provided the HA connection remains up for at least one minute after reconnecting).

Workaround:
Try increasing the statemirror.queuelen to 256 MB (the current maximum) until repeated buffer overflows stop. If overflows continue after the maximum is set, there is no further workaround.

Fix:
Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of tmms, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.


480686-7 : Packet loop in VLAN Group

Component: Local Traffic Manager

Symptoms:
On an active VIPRION or vCMP guest with a VLAN Group configuration, the CPU usage unexpectedly rises, and traffic flowing through the device may experience high latency and packet drops. A packet capture shows packets looping internally between VLAN members of the VLAN Group.

Conditions:
This occurs when using a VLAN Group (in Translucent or Transparent mode) on VIPRION hardware (including vCMP guest of a VIPRION), and an IP address conflict exists between the BIG-IP and another device on the VLAN Group. Note: The device causing the IP conflict may be unrelated to packets that are found looping in a packet capture.

Impact:
This results in high CPU usage and potentially unresponsive GUI. Traffic flowing through the VLAN Group may experience high latency and packet drops. The Self IP on the affected VLAN becomes almost impossible to reach.

Workaround:
Disable vlangroup.flow.allocate db variable to prevent flow creation for vlangroup forwarded packets.

Fix:
Internal vlangroup loop no longer occurs when the Translucent/Transparent vlangroup setting exists with a duplicate IP address.


480679-1 : The big3d daemon does not receive config updates from mcpd

Component: TMOS

Symptoms:
Any Enterprise Manager device connected to a BIG-IP v11.6.0 will not receive configuration change notifications (including status) for nodes, pool members, or pools and will require manual refresh of configuration for those types. Stats and other configuration items remain unaffected.

Conditions:
This only affects EM devices and potentially ManagementPack connections to a BIG-IP. The BIG-IP must be version 11.6.0 only, but the EM may be any version.

Impact:
The impact of this bug is that Enterprise Manager devices will not receive configuration update notifications for nodes, pool members, or pools. This includes status changes. Stats and other configuration items remain unaffected.

Workaround:
This issue has no workaround at this time.

Fix:
The mapping for subscription groups has been fixed so that the SUBSCRIPTION_NODE_ADDRESS and other similar subscription groups will not be overwritten by the SUBSCRIPTION_MONITOR group.


480544-1 : Secondary IP flows are not forwarded in multiple IP session

Component: Policy Enforcement Manager

Symptoms:
If a session is created with 2 IP addresses, then flows associated with the secondary IP (the 2nd IP of the session) are not forwarded properly, and consequently policies are not applied.

Conditions:
A multiple-IP session with 2 IP addresses in the session.

Impact:
Policies are not applied to all of the flows associated with the secondary IP of the session.

Workaround:

Fix:
Upgrade to a hotfix or new version that contains this fix.


480443-1 : Internal misbehavior of the SPDY filter

Component: Local Traffic Manager

Symptoms:
The SPDY filter may send events to a child flow after that child flow has been deleted. When a filter for the deleted child flow processes this event, it may crash.

Conditions:
The conditions that trigger this are unclear. The fix eliminates the behavior that caused a crash. The crash only occurs with a complex virtual server configuration and even then very rarely.

Impact:
The tmm crashes.

Workaround:
This issue has no workaround at this time.

Fix:
The SPDY filter no longer sends events up on deleted child flows, thus preventing a possible crash.


480370-6 : Connections to virtual servers with port-preserve property will cause connections to leak in TMM

Component: Local Traffic Manager

Symptoms:
Connections leak, exhausting memory over time and causing TMM to restart.

Conditions:
Virtual server with port-preserve setting. Tunneled APM connections in a CMP environment (many TMM processes).

Impact:
The TMM process restarts, causing traffic disruption. Low performance is also seen due to the high number of leaked connections.

Workaround:
None.

Fix:
The internal listeners that are created to forward the connections between TMM processes are now deleted when no longer needed, so new connections are not created, which prevents a memory leak.


480299-1 : Delayed update of Virtual Address might not always happen.

Component: Local Traffic Manager

Symptoms:
When a Virtual IP status changes such that a Virtual Address should transition from down to up, the update does not always get to all subscribers.

Conditions:
Route Health Injection (RHI)-enabled Virtual Address and routing protocol on the Virtual IP.

Impact:
RHI might never be re-announced. The delayed update mechanism assumes that the previous update reached all subscribers, so it might skip the delayed update and fail to propagate the status change.

Workaround:
None.

Fix:
Virtual Address delayed update mechanism now sends delayed updates approximately three seconds after change, regardless of previous status, guaranteeing that Virtual Address status reaches all subscribers.


480242-5 : APD, APMD, MCPD communication error failure now reported with error code

Component: Access Policy Manager

Symptoms:
When an unexpected error is received during communication between apd, apmd, and mcpd, it throws an exception.

Conditions:
Rarely reproducible, failed communication between apd, apmd, and mcpd.

Impact:
The system cores without an error code indicating the reason. This hampers finding the actual cause for the error.

Workaround:
None.

Fix:
Now, when an error occurs, the system prints an error code in hex, which facilitates finding the reason for the error.


480113-4 : Install of FIPS exported key files (.exp) causes device-group sync failure

Component: Local Traffic Manager

Symptoms:
Install of FIPS exported key files (.exp) on one BIG-IP causes device group sync to fail.

Conditions:
With two or more FIPS BIG-IPs configured in a device group, install a correct FIPS exported key file (.exp key) on bigip1. This exp file must be from a FIPS box belonging to the same FIPS security domain.

Impact:
Device group sync fails.

Workaround:
Copy the FIPS .exp file to the peer. Install this .exp key file on the peer also, similar to how it was installed on the first BIG-IP.

Fix:
FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.


479682-4 : TMM generates hundreds of ICMP packets in response to a single packet

Component: Local Traffic Manager

Symptoms:
TMM generates hundreds of ICMP packets in response to a single packet.

Conditions:
This occurs on a VIP2VIP configuration when the server on the second virtual server becomes unreachable.

Impact:
tmm sends hundreds of ICMP packets to the client upon receiving single packet from client.

Workaround:

Fix:
TMM no longer generates hundreds of ICMP packets when the server on the second virtual server in a VIP2VIP configuration becomes unreachable.


479674-1 : bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.

Component: Local Traffic Manager

Symptoms:
bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.

Conditions:
Tcl monitors (FTP, SMTP, POP3, IMAP) when the timeout is less than the interval. Might also occur if the Tcl worker is in a stuck state because a pool member is not responding within the configured timeout.

Impact:
bigd crashes and posts an error message similar to the following: 'Received invalid magic value in the stream'.

Workaround:
Correct the monitor timeout to be higher than the interval. Generally, the timeout should be ((3 * interval) + 1) seconds. Note: This workaround might not work in cases where the failure is due to the Tcl worker being in a stuck state because the pool member is not responding within the configured timeout.

Fix:
The system no longer crashes when Tcl monitors are improperly configured, that is, when the timeout specified is less than the interval.


479554-1 : TMM core

Component: Fraud Protection Services

Symptoms:
TMM crashes.

Conditions:
The debug level was enabled for the FPS module and load traffic was sent to the machine.

Impact:
The machine goes into an offline state.

Workaround:
Do not enable the debug level while load traffic is being sent.

Fix:
TMM no longer crashes after the debug level of the FPS module is enabled.


479176-1 : TMM hangs and receives SIGABRT due to race condition during DNS db load

Component: Local Traffic Manager

Symptoms:
The TMM attempts a DNS db load while starting.

Conditions:
This is a potential race condition that might occur intermittently after the restart.

Impact:
One thread hangs indefinitely and tmm receives a SIGABRT after a period of time.

Workaround:

Fix:
This release fixes a potential race condition that occurred during DNS db load.


479171-3 : tmm might crash when DSACK is enabled

Component: Local Traffic Manager

Symptoms:
tmm might crash when DSACK is enabled

Conditions:
This occurs rarely on a virtual server configured with a TCP profile that has DSACK (Duplicate Selective Acknowledgement) enabled.

Impact:
Outage/failover due to tmm crash. This occurs rarely.

Workaround:
Do not use a TCP profile with the DSACK feature enabled.

Fix:
tmm no longer attempts to transmit DSACKs after reassembly queue has been purged, so no tmm crash occurs.


478983-1 : TMM core during certificate verification against CRL

Component: Local Traffic Manager

Symptoms:
TMM core during certificate verification against CRL.

Conditions:
Conditions leading to this issue include a Client/Server SSL profile with CRL enabled.

Impact:
This issue causes traffic disruption.

Workaround:
Disable CRL on the Client/Server SSL profile.

Fix:
TMM no longer cores during certificate verification against a CRL.


478840-1 : Cannot delete keys in subfolders using the BIG-IP GUI

Component: Local Traffic Manager

Symptoms:
Cannot delete keys in subfolders using the BIG-IP GUI.

Conditions:
Deletion of keys in subfolders using web GUI.

Impact:
Keys are not deleted.

Workaround:
To work around this issue, delete keys in subfolders using tmsh.

Fix:
Keys in subfolders can now be successfully deleted using web GUI.


478761-1 : load sys config default does not work with iControl Rest

Component: TMOS

Symptoms:
Running the load sys config default command through the iControl REST (iCR) interface fails, and an error similar to the following is returned: "{ "code": 500, "errorStack": [], "message": "Failed to append to temp tar file \"/var/tmp/tmsh/9X0zkv/data\" cache path \"/config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca.crt_37022_1\"exit code (2).\n" }"

Conditions:

Impact:
iCR cannot be used for loading default system config.

Workaround:
Use tmsh to load the default configuration.

Fix:
The load sys config default command now functions correctly through iCR. The syntax is: curl -sk -u admin:muadib https://<ip-address>/mgmt/tm/sys/config -H 'Content-Type: application/json' -X POST -d '{"command":"load","name":"default"}'


478734-5 : Incorrect 'FIPS import for failed for key' failure when operation actually succeeds

Component: Local Traffic Manager

Symptoms:
Incorrect debug failure log.

Conditions:
Found internally by testing; the conditions for this issue are unknown.

Impact:
False failure logged.

Workaround:
None.

Fix:
The incorrect debug failure log, found by internal F5 testing, has been fixed.


478674-1 : ASM internal parameters for high availability timeout were not handled correctly

Component: Application Security Manager

Symptoms:
The internal parameters bd_hb_interval and bd_hb_interval_low_platforms were not handled correctly, and a different value was registered with the high availability (HA) system. This caused the system to fail over faster than expected. Also, when bypass asm was turned on and a bigstart restart asm was applied, a failover happened.

Conditions:
Two possible conditions: 1. An internal parameter is configured for the timeout to the HA system, and ASM does not send a lifesign to the HA system for 10 seconds (instead of the configured time). 2. The bypass asm internal parameter is applied and a bigstart restart asm happens.

Impact:
A failover happens.

Workaround:
N/A

Fix:
Fixed internal parameter processing for the high availability lifesign timeout.


478442-5 : Core in sip filter due to sending of HUDEVT message while processing of HUDCTL message

Component: Service Provider

Symptoms:
There is a tmm core caused by the looping of the SIP message.

Conditions:
The looping back of the message might occur because of a timing error, for example, in response to iRule logic that sends a HUDEVT message while processing a HUDCTL message.

Impact:
The system cores. This might result in SIP traffic not being forwarded to the server.

Workaround:

Fix:
The SIP filter no longer cores when a HUDEVT message is sent while a HUDCTL message is being processed.


478399-2 : PEM subscriber sessions are created without a PEM license if the "radiusLB-subscriber-awre" profile is configured.

Component: Policy Enforcement Manager

Symptoms:
If an LTM virtual server has the radius profile "radiusLB-subscriber-awre" configured, a PEM subscriber session is created even if the BIG-IP system is not licensed for PEM. This can cause 100% TMM usage due to the overhead of processing radius messages for the PEM use case.

Conditions:
The radius profile "radiusLB-subscriber-awre" is configured on the LTM virtual server.

Impact:
100% TMM usage due to PEM subscriber session creation if the radius profile "radiusLB-subscriber-awre" is mistakenly configured on the LTM virtual server for a non-PEM use case, even when the BIG-IP system is not licensed for the PEM module.

Workaround:
The workaround is to avoid the misconfiguration by not associating the radius profile "radiusLB-subscriber-awre" with LTM virtual servers for non-PEM use cases (i.e., when there is no PEM license for the BIG-IP).

Fix:
The fix adds a validation that prevents this misconfiguration when the BIG-IP system is not licensed for PEM.


478195-4 : Installation of FIPS .exp key files sets incorrect public exponent.

Component: Local Traffic Manager

Symptoms:
Newer FIPS platforms use NGFIPS devices, which appear to return the public exponent in little-endian format when FIPS exported keys (.exp key files) are imported into FIPS cards. Because F5's code expected the value in big-endian format, an incorrect public exponent value was written to the key file.

Conditions:
Using FIPS platforms (except the older 8900/6900 FIPS platforms):
1. Put two FIPS platforms in the same FIPS security domain without configuring them in a device group.
2. Create or install a key into the FIPS card on box1.
3. Copy the key's FIPS exported key (from /config/ssl/ssl.cavfips/) to box2.
4. Install this FIPS .exp key file on box2 using: 'tmsh install sys crypto key <keyname> from-local-file <.exp file path> security-type fips'

Impact:
If the corresponding certificate was copied from box1 to box2 and then installed on box2, configuring this key/cert on an SSL profile leads to the error 'key and certificate do not match'. If the corresponding certificate is newly created on box2 after the key install, then SSL traffic using this key/cert fails.

Workaround:

Fix:
FIPS exported keys can now be correctly installed on other FIPS platforms that belong to the same FIPS security domain.


477898-1 : Some strings on BIG-IP APM EDGE Client User Interface were not localized

Component: Access Policy Manager

Symptoms:
Some text in the internationalized Edge Client was still shown in English.

Conditions:
Use of the internationalized Edge Client.

Impact:
Some strings were displayed in English instead of localized language.

Workaround:
None.

Fix:
BIG-IP APM EDGE Client User Interface Translation has been updated. UI messages and labels have now been translated into several languages.


477859-1 : ZebOS config load may fail if password begins with numeric character

Component: TMOS

Symptoms:
ZebOS config load might fail if a password begins with a number.

Conditions:
In the config file, set a password that begins with a number, e.g., neighbor 1.2.3.4 password 0abcdefghijkl

Impact:
ZebOS config load fails.

Workaround:
Use a password beginning with an alpha character.

Fix:
ZebOS config now loads correctly when the password begins with a number.


477789-4 : SSL Certificate can accommodate '&' in Common Name, Organization Name, Division and SAN.

Component: TMOS

Symptoms:
When an & (ampersand) character is entered for Common Name, Organization Name, Division or SAN in an SSL Certificate, the ampersand is escaped and replaced with an &amp; string.

Conditions:
Create or renew an existing certificate with an ampersand in the Common Name, Organization Name, Division, or SAN.

Impact:
The system escapes the ampersand with an &amp; string. Certificates generated for names such as AT&T, which escape the ampersand character, do not work as expected.

Workaround:

Fix:
The system now correctly converts the '&' (ampersand) character in the Certificate and ensures that the Peer Device process is still operating.


477375-5 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
Rarely, the SASP monitor cores.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage. This occurs rarely.

Workaround:

Fix:
SASP monitor no longer cores when configured in push mode.


477318-1 : Fixes possible segfault

Component: Service Provider

Symptoms:
When generic message is configured with the message parser disabled and messages are pushed to the outgoing connection faster than it is able to receive them, a segfault may occur.

Conditions:
When generic message is configured with the message parser disabled and messages are pushed to the outgoing connection faster than it is able to receive them.

Impact:
Generic Message is not in use in the field yet. There should be no impact.

Workaround:
None known.

Fix:
The segfault that occurred in Generic Message when a HUDEVT_SENT event is received while the parser is disabled has been fixed.


477281-4 : Improved XML Parsing

Component: TMOS

Symptoms:
With certain requests, XML parsing returns the incorrect document.

Conditions:
A certain set of parameters are sent to pages which utilize DocumentBuilderFactory to process and return XML documents.

Impact:
The document that was requested is not returned. Another document is returned instead.

Workaround:
None.

Fix:
XML Parser configuration was changed to ensure only correct documents are returned to all requests.


477278-5 : CVE-2014-6032 and CVE-2014-6033

Component: Access Policy Manager

Symptoms:
This release fixes CVE-2014-6032 and CVE-2014-6033.

Conditions:

Impact:
Potential base OS vulnerability; with the fix, the system is no longer susceptible.

Workaround:
None.

Fix:
This release fixes CVE-2014-6032 and CVE-2014-6033.


477240-2 : iQuery connection resets every 24 hours

Component: Global Traffic Manager

Symptoms:
An iQuery connection attempts to renegotiate SSL keys every 24 hours.

Conditions:
Once every 24 hours after an iQuery connection is established.

Impact:
big3d responds by closing the connection, and all virtual servers go red.

Workaround:
None.

Fix:
SSL properly renegotiates rather than terminates connections when the session expires.


477111-5 : Dual management routes in the main routing table

Component: TMOS

Symptoms:
Dual management routes might exist in the default routing table, main. On version 11.6.0, the system also produces an error message when querying SNMP ipCidrRouteTable.

Conditions:
In versions earlier than 11.6.0, conditions are unknown other than observing the dual management routes in the main routing table. On version 11.6.0, the condition is an snmpwalk of ipCidrRouteTable.

Impact:
On affected versions earlier than 11.6.0, there are dual management routes in the main routing table. On version 11.6.0, you might also receive an error upon querying SNMP ipCidrRouteTable and/or an snmpd core.

Workaround:
To recover from this issue, delete the duplicate route.

Fix:
The main routing table now has a single entry for the management network.


477064-1 : TMM may crash in SSL

Component: Local Traffic Manager

Symptoms:
When SSL is configured in TMM, a crash might occur if events happen in a specific (unknown) order.

Conditions:
ClientSSL is configured on a virtual server.

Impact:
The impact of this issue is a TMM crash.

Workaround:
This issue has no workaround at this time.

Fix:
The crash no longer occurs.


476683-2 : Suspended DNS_RESPONSE events are not resumed

Component: Local Traffic Manager

Symptoms:
iRules that cause the DNS_RESPONSE event to suspend will not be resumed.

Conditions:
DNS_RESPONSE event with command that causes it to be suspended.

Impact:
DNS_RESPONSE event does not complete execution.

Workaround:
Do not use iRule commands in DNS_RESPONSE event that result in suspension.

Fix:
DNS_RESPONSE events are now resumed after suspension.


476599-4 : TMM may panic when resuming DNS_REQUEST iRule event

Component: Local Traffic Manager

Symptoms:
TMM panic when executing DNS_REQUEST event.

Conditions:
The TMM panics when the following events have occurred:
- DNS_RESPONSE event has been suspended.
- DNS_REQUEST event is executed.

Impact:
TMM restart.

Workaround:
None.

Fix:
In this release, the system clears suspended iRules that have failed before executing new events.


476288-1 : tmrouted restarts due to a segfault after a series of creating/deleting route domains and adding/deleting protocols

Component: TMOS

Symptoms:
When multiple route domains and multiple routing protocols per route domain are repeatedly created and deleted, the tmrouted crashes and restarts.

Conditions:
Multiple route domains, each with multiple routing protocols, are created and deleted repeatedly at short time intervals.

Impact:
The routing information is lost and the tables need to be built again. This might cause packet loss.

Workaround:
None.

Fix:
Repeated creation and deletion of route domains and routing protocols led to a race condition between the start timer of the routing protocols and inconsistent memory state of the deleted routing protocols. This fix resolves the race condition.


476157-3 : Fix for CVE-2014-4341, CVE-2014-4342, and CVE-2014-4343.

Component: TMOS

Symptoms:
Vulnerabilities from an upstream vendor that needed to be fixed.

Conditions:

Impact:
Potential attack vectors on the base OS that could be utilized by an attacker.

Workaround:

Fix:
This release fixes CVE-2014-4341, CVE-2014-4342, and CVE-2014-4343.


476144-1 : TMM generates a core file when dynamically loading a shared library.

Component: Performance

Symptoms:
When attempting to dynamically link a shared library, TMM cores.

Conditions:
Dynamically loading more than a certain number of shared libraries will result in a tmm core.

Impact:
The impact of this issue is that the TMM cores.

Workaround:
This issue has no workaround at this time.

Fix:
An invalid attempt to free TMM memory is now ignored.


476038-1 : Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac crashes on OS X 10.7 if a user adds a new server using its IP address rather than its DNS name.

Conditions:
Add an APM virtual server by its IP address using the Edge Client for Mac.

Impact:
Edge Client crashes.

Workaround:
Use DNS name rather than IP address when adding a new server.

Fix:
On BIG-IP Edge Client for Mac on OS X 10.7, a user can now successfully add a new server using its IP address.


475819-4 : BD crash when trying to report attack signatures

Component: Application Security Manager

Symptoms:
The Enforcer rarely crashes when logging attack signatures.

Conditions:
A rare issue that happens suddenly when reporting attack signatures to the logs.

Impact:
Traffic resets, failover.

Workaround:
No workaround.

Fix:
We fixed an issue that rarely caused the Enforcer to crash when logging attack signatures.


475791-4 : Ramcache profile may dispatch internal messages out-of-order leading to assert

Component: Local Traffic Manager

Symptoms:
Ramcache profile might dispatch internal messages out-of-order, leading to assert.

Conditions:
Assert may occur when the following conditions are met:
- Virtual server uses ramcache profile.
- Virtual server has mirroring enabled.
- Device is in standby mode.
- Active unit is unable to fulfill incoming HTTP request (ramcache entry is invalid / no pool members).
- Standby unit is able to fulfill mirrored request (ramcache entry is valid).

Impact:
Due to this rarely occurring race condition, a tmm_panic occurs ('valid pcb') when a connection is being closed and the ramcache feature is able to fulfill an incoming request. The standby unit becomes temporarily unavailable.

Workaround:
Do not use ramcache profile and connection mirroring feature together.

Fix:
Removed ramcache race condition, so that connection teardown messages are processed in the correct order.


475592-2 : Per-core and system CPU usage graphs do not match

Component: TMOS

Symptoms:
There are discrepancies between the per-core CPU usage graphs and the system CPU usage graph.

Conditions:
Normal running conditions.

Impact:
The system does not report the actual CPU usage. In some places the per-core usage is high while the system usage does not reflect that, and in other places the system usage is high, while the per-core usage is flat.

Workaround:

Fix:
System now reports matching CPU usage in the per-core CPU usage graphs and the system CPU usage graph.


475505-6 : Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.

Component: Access Policy Manager

Symptoms:
Windows Phone 8.1 built-in browser is not properly detected by the BIG-IP system.

Conditions:
Windows Phone 8.1 built-in browser.

Impact:
Built-in browser is not properly detected.

Workaround:

Fix:
Windows Phone 8.1 built-in browser is now properly detected by the BIG-IP system.


475408-1 : SSL persistence profile does not find the server certificate.

Component: Local Traffic Manager

Symptoms:
When an SSL record is constructed in a certain way, the SSL persistence code might not detect the server certificate.

Conditions:
SSL persistence profile is configured.

Impact:
Loss of functionality

Workaround:
None.

Fix:
SSL now correctly parses the handshake records.


475322-2 : cur_conns number differs in tmstat and snmp output.

Component: Local Traffic Manager

Symptoms:
The current connections (cur_conns) number differs between tmstat and snmp output.

Conditions:
This problem occurs when MPTCP is used.

Impact:
Incorrect cur_conns counting when using MPTCP.

Workaround:
None.

Fix:
The discrepancies in current connections (cur_conns) between tmstat and snmp have been corrected.


475231-5 : TCP::close in CLIENTSSL_CLIENTCERT iRule event may result in tmm crash

Component: Local Traffic Manager

Symptoms:
TCP::close in CLIENTSSL_CLIENTCERT iRule event may cause tmm to crash.

Conditions:
This occurs when TCP::close is called within a CLIENTSSL_CLIENTCERT iRule event.

Impact:
The tmm process crashes, which can cause an outage.

Workaround:
Do not use TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Fix:
Connection remains open after dispatching CLIENTSSL_CLIENTCERT iRule event, which prevents accessing invalid memory.


475092 : DNS::Zones:Zones:Zones List:Statistics

Component: Global Traffic Manager

Symptoms:
DNS::Zones:Zones:Zones List:Statistics shows the error 'An error has occurred while trying to process your request'.

Conditions:
View DNSX Zone Status through the GUI.

Impact:
Cannot view statistics for DNSX Zones.

Workaround:
Use tmsh instead.

Fix:
No error occurs while navigating to DNS::Zones:Zones:Zones List:Statistics.


474974-3 : Fix ssl_profile nref counter problem.

Component: Local Traffic Manager

Symptoms:
ssl_profile memory leak.

Conditions:
This occurs after several iterations of the following steps: (1) Create ssl_profiles. (2) Use the ssl_profiles to complete a number of handshake operations. (3) Delete the ssl_profiles.

Impact:
ssl_profile memory leak.

Workaround:
None.

Fix:
ssl_profile no longer leaks memory when creating and deleting a number of profiles that have completed handshake operations.


474751-1 : IKEv1 daemon crashes when flushing SAs

Component: TMOS

Symptoms:
The IKEv1 daemon (racoon) may occasionally crash because of freeing a null pointer when the IKEv1 negotiation data is flushed.

Conditions:
The IKEv1 security associations are flushed by user-issued commands.

Impact:
The IKEv1 daemon (racoon) crashes and restarts, losing unrelated but useful state information. The IKEv1 daemon (racoon) can re-establish security associations on demand when user traffic arrives.

Workaround:
None.

Fix:
A safety check in the memory management function now prevents the erroneous memory free. The crash is no longer seen.


474698-2 : BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.

Component: Access Policy Manager

Symptoms:
When a client initiates Single Logout (SLO) on the BIG-IP system acting as an IdP that is associated with multiple SP connectors, the IdP sends an SLO request message to each SP to which the user has connected within this session. If the user has connected to multiple SPs (bound to different IdPs) within the same session, the SLO messages are sent with the 'Issuer' element referencing the name of the last IdP service the user accessed.

Conditions:
This issue occurs when:
1. BIG-IP is configured as IdP.
2. BIG-IP has more than one IdP configuration object.
3. IdP objects are assigned as resources to the same Access Policy.
4. Each IdP configuration is bound to at least one SP-connector.
5. Client initiates SLO on IdP.

Impact:
Impact depends on the recipient of the message. The recipient (SP) may reject the SLO request or process it successfully, depending on its implementation.

Workaround:
Disable SLO on BIG-IP.


474584-2 : igbvf driver leaks xfrags when partial jumbo frame received

Component: Local Traffic Manager

Symptoms:
On platforms utilizing the igbvf driver, xfrags can be leaked if a partial jumbo frame is received.

Conditions:
On platforms utilizing the igbvf driver, xfrags can be leaked if a partial jumbo frame is received.

Impact:
TMM memory usage increases over time and eventually TMM crashes due to lack of memory.

Workaround:

Fix:
The igbvf driver no longer leaks xfrags when a partial jumbo frame is received.


474582-3 : Add timestamps to logstatd logs for Policy Sync

Component: Access Policy Manager

Symptoms:
Log messages in /var/tmp/logstatd.log used for Policy Sync do not have timestamps, which makes troubleshooting very difficult.

Conditions:
Run Policy Sync.

Impact:
Serviceability: logstatd.log used for Policy Sync does not have timestamps.

Workaround:
None.

Fix:
A timestamp is now prepended to each log message line in logstatd.log for Policy Sync.


474388-3 : TMM restart, SIGSEGV messages, and core

Component: Local Traffic Manager

Symptoms:
Certain conditions might produce error messages similar to the following in the core file/tmm.log: -- RVAvpBigIP01 notice RIP=0x8cc872 -- RVAvpBigIP01 notice session_process_pending_event_callback ERROR: could not send callback to 192.168.96.27:50441 - 192.168.96.28:443 ERR_NOT_FOUND.

Conditions:
This occurs because of a race condition, for example, one between the HTTP and APM-related profiles during which an APM-profile-related action completes after the HTTP-profile closes the connection.

Impact:
When the APM profile attempts to access the closed connection, TMM restarts.

Workaround:

Fix:
The race condition that occurred has been fixed, so no APM-profile-related actions complete after the HTTP-profile closes the connection.


474323 : ePVA IPv6 feature is not available

Component: TMOS

Symptoms:
IPv6 full hardware acceleration with ePVA feature is disabled. An issue was uncovered in the Aluminum bitstream that results in Flow Status Updates (FSUs) due to a collision eviction being corrupted in certain cases. This occurs when the flow cache entry being evicted and the incoming snoop are different sizes. In the Aluminum design, the IPv4 and SYN VIP flow cache entries and snoops are the same size, and the IPv6 flow cache entries and snoops are larger than IPv4/SYN VIP. There are no FSU-related issues when a cache entry is evicted due to a collision by a same size snoop, and there are no issues when an eviction is explicitly requested by software via the evict opcode.

Conditions:
Hardware platform with ePVA acceleration, IPv6.

Impact:
Cannot enable full acceleration for an IPv6 VIP.

Workaround:
None.

Fix:
ePVA IPv6 feature is now available in this release.


474226-2 : LB_FAILED may not be triggered if persistence member is down

Component: Local Traffic Manager

Symptoms:
LB_FAILED may not be triggered if persistence member is down.

Conditions:
This occurs when the following conditions exist:
- Incoming connection has cookie matching persistence entry.
- Persisted pool member has been marked down.
- No other pool members are available.

Impact:
Cannot utilize LB::reselect command.

Workaround:
None.

Fix:
LB_FAILED event is correctly triggered when persistence pool member is not available or offline.


474002-4 : Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys

Component: Local Traffic Manager

Symptoms:
If a BIG-IP virtual server is configured with a Server SSL profile, and a pool member or server selects a DHE-based ciphersuite (e.g. DHE-RSA-AES128-SHA), the BIG-IP system might not successfully complete an SSL handshake with the server.

Conditions:
This occurs when the following conditions exist:
- HTTPS Pool member or server.
- Virtual server with Server SSL profile.
- Server is configured with 2048-bit or larger Diffie-Hellman keys.

Impact:
Traffic to affected pool members fails, although the pool members are marked up by HTTPS monitors.

Workaround:
Either disable ephemeral Diffie-Hellman (DHE) key exchange on the backend servers, configure smaller DH parameters on the backend servers, or exclude DHE ciphersuites from the Server SSL profiles of the affected virtual servers. Note that DH parameters smaller than 2048 bits weaken the server-side key exchange, so excluding DHE ciphersuites from the Server SSL profile is preferable to shrinking the parameters.

Fix:
BIG-IP system now successfully completes an SSL handshake with a server that is using Diffie-Hellman parameters that are 2048-bits or larger.


473759-1 : Unrecognized DNS records can cause mcpd to core during a DNS cache query

Component: Local Traffic Manager

Symptoms:
mcpd cores during a DNS cache record query if a DNS record with an unknown type is in the cache. mcpd attempts to translate the record's type into a text string, but ends up with a NULL pointer instead.

Conditions:
A DNS record with a type unknown by mcpd must exist in the DNS cache during the query.

Impact:
mcpd cores, causing either a failover (if there is a standby unit) or an outage while mcpd restarts (if there is no standby unit).

Workaround:

Fix:
Unrecognized DNS records no longer cause mcpd to core during a DNS cache query.


473697-6 : HD Encryption check should provide an option to choose drive

Component: Access Policy Manager

Symptoms:
The HD Encryption check only lets the administrator check the encryption status of all drives on the system, including removable drives such as USB. There is no way for the administrator to check the encryption status of the system drive alone.

Conditions:
APM, HD encryption check, and Edge client

Impact:
Cannot check encryption status of only the system drive.

Workaround:
None.

Fix:
HD Encryption check now provides a way to check encryption status of all drives or system drive only.


473680-1 : Multiple DHCP solicit packets may not succeed.

Component: Policy Enforcement Manager

Symptoms:
If the same server-side flow is used for multiple DHCP requests, only one of them succeeds; the other request may never succeed, because the BIG-IP system drops it.

Conditions:

Impact:
Affects customers using DHCP.

Workaround:

Fix:
Multiple requests now succeed over a single server-side flow, and each response is sent back to the client over its original connflow.


473517-2 : 'OID not increasing error' during snmpwalk

Component: TMOS

Symptoms:
The following message appears when querying the SNMP ipCidrRouteTable: 'Error: OID not increasing: IP-FORWARD-MIB::ipCidrRouteDest.172.27.96.0.255.255.255.0.0.0.0.0.0 >= IP-FORWARD-MIB::ipCidrRouteDest.172.27.96.0.255.255.255.0.0.0.0.0.0'. Also, querying specifically for the ipCidrRouteAge OID under ipCidrRouteTable can cause snmpd to core.

Conditions:
This occurs when there are duplicate management routes in the default routing table (main). For example:

# ip route show table main   (or: ip route show)
...
172.27.96.0/24 dev eth0 proto kernel scope link src 172.27.96.18
172.27.96.0/24 dev eth0 scope link src 172.27.96.18 metric 9
...

Impact:
snmpwalk error and/or snmpd core.

Workaround:
Delete the duplicate route with metric 9:

ip route del 172.27.96.0/24 dev eth0 scope link src 172.27.96.18 metric 9

Fix:
snmpwalk now finishes successfully without the 'OID not increasing' error, and snmpd no longer cores.
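The duplicate-route condition in this entry can be found before anything is deleted. The shell function below is an added example, not part of this release note or of F5's tooling: it reads the output of 'ip route show table main' on stdin, keys each route by destination and next hop (the fields that make up the ipCidrRouteTable index, so two routes with the same key collide in SNMP), keeps the kernel-installed copy (or the first listed copy when there is none), and prints an 'ip route del' command for every other copy. It assumes Linux iproute2 output and a POSIX awk; the sample route table embedded in it is constructed for the example and is not real output.

```shell
#!/bin/sh
# Added example: find duplicate routes in the main table and emit the
# 'ip route del' commands that remove the extra copies.
# Assumes Linux iproute2 output and a POSIX awk.

dup_route_del_cmds() {
    awk '
        {
            # Key on destination plus next hop, mirroring the ipCidrRouteTable
            # index (dest/mask/nexthop); "-" marks a directly connected route.
            gw = "-"
            for (i = 2; i < NF; i++) if ($i == "via") gw = $(i + 1)
            key = $1 " " gw
            if (!(key in seen)) order[++n] = key
            seen[key]++
            line[key, seen[key]] = $0
        }
        END {
            for (k = 1; k <= n; k++) {
                key = order[k]
                if (seen[key] < 2) continue
                # Prefer to keep the route the kernel installed for the
                # interface; otherwise keep the first copy listed.
                keep = 1
                for (i = 1; i <= seen[key]; i++)
                    if (line[key, i] ~ /proto kernel/) keep = i
                for (i = 1; i <= seen[key]; i++)
                    if (i != keep) print "ip route del " line[key, i]
            }
        }'
}

# Constructed sample table (modelled on the Conditions above); not real output.
SAMPLE_ROUTES='127.0.0.0/8 dev lo scope link
172.27.96.0/24 dev eth0 proto kernel scope link src 172.27.96.18
172.27.96.0/24 dev eth0 scope link src 172.27.96.18 metric 9
default via 172.27.96.1 dev eth0 metric 10
default via 10.0.0.1 dev eth1 metric 20'

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_ROUTES" | dup_route_del_cmds ;;
    --live)   ip route show table main | dup_route_del_cmds ;;
esac
```

Run it with --sample to see the single 'ip route del ... metric 9' line the workaround above calls for; with --live it reads the real table but still only prints the commands, so review them before executing.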


473386-11 : Improved Machine Certificate Checker matching criteria for FQDN case

Component: Access Policy Manager

Symptoms:
The machine cert check agent might fail if the certificate was issued with extended fields or was issued to a domain machine.

Conditions:
- The machine is outside the domain.
- The certificate is issued to a domain machine.

Impact:
The machine cert check agent might fail on Mac OS X and Windows for machines that are currently outside the domain.

Workaround:

Fix:
The machine cert check agent's matching criteria for FQDNs have been improved.


473200-2 : Renaming a virtual server causes unexpected configuration load failure

Component: TMOS

Symptoms:
Manually renaming a virtual server causes unexpected configuration load failure.

Conditions:
This occurs when attempting to reload a BIG-IP system configuration containing a virtual server with an empty pool that was renamed by editing bigip.conf manually.

Impact:
Cannot reload configuration. The system posts the following error: 01020056:3: Error computing object status for virtual_server broken (old_virtual_server_name). Unexpected Error: Loading configuration process failed.

Workaround:
Perform any one of the following:
a.) Remove the pool assignment from the virtual server before renaming.
b.) Ensure the pool contains members before renaming.
c.) After renaming, issue 'bigstart restart'.
Note that some of these workarounds might result in a temporary service disruption.

Fix:
Manually editing the system configuration and renaming a virtual server with an empty pool no longer causes an unexpected error when reloading the configuration.


473129-5 : httpd_apm access_log remains empty after log rotation

Component: Access Policy Manager

Symptoms:
The /var/log/httpd/access_log file remains empty after log rotation.

Conditions:
At least one log rotation has occurred. Log rotation runs every day at 4:00 AM system time.

Impact:
Entries are missing from access_log.

Workaround:
Add "bigstart restart httpd_apm" to a daily cron job that runs after log rotation (around 4:30 AM).

Fix:
Logging to access_log continues after log rotation.


473092-1 : Transparent Proxy + On-Demand Cert Auth will reset

Component: Access Policy Manager

Symptoms:
After evaluating the access policy with an on-demand cert auth agent, there will be a connection reset.

Conditions:
This issue occurs with an SWG Transparent Proxy and an On-Demand Cert Auth agent in the access policy.

Impact:
The user is not redirected back to their original landing URI. However, in known reproductions the access policy has already completed, and been set to allow. Future requests from the user will be correctly proxied to the backend.

Workaround:
If on-demand cert auth is needed, there is no workaround.


473037-1 : BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP

Component: TMOS

Symptoms:
BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP. If multiple connections are attempted, the same port is computed.

Conditions:
This occurs on BIG-IP 2000/4000 platforms with SCTP configured.

Impact:
This causes 'Inet port collision' log errors, and the connection is terminated.

Workaround:
None.

Fix:
BIG-IP 2000/4000 platforms now support RSS with L4 data on SCTP.


472585-3 : tmrouted crashes after a series configuration changes

Component: Local Traffic Manager

Symptoms:
When multiple route domains with multiple routing protocols with heartbeat enabled are repeatedly created and deleted, the tmrouted daemon may restart.

Conditions:
Heartbeat is enabled, and multiple route domains and routing protocols are created and deleted within a short time interval.

Impact:
tmrouted crashes, which might lead to packet loss in forwarding.

Workaround:

Fix:
tmrouted now functions normally when multiple route domains with multiple routing protocols, with heartbeat enabled, are created and deleted repeatedly.


472376-3 : SIP Filter crash in egress because the ingress pcb is already released

Component: Service Provider

Symptoms:
Analysis of the tmm core shows that the ingress pcb state is SIP_ST_NULL and the hudnode pointer is NULL. The flow belongs to the server side.

Conditions:
The ingress flow has terminated; the egress flow then accesses the ingress pcb and tmm cores.

Impact:
Accessing the ingress PCB causes a tmm core.

Workaround:

Fix:
Processing of the message is now dropped if the ingress pcb is no longer present.


472365-4 : The vCMP worker-lite system occasionally stops due to timeouts

Component: TMOS

Symptoms:
The VCMP host side of the worker-lite system has a shorter timeout than the VCMP guest side. This can cause a worker-lite VCMP host to silently stop processing worker-lite requests for a VCMP guest.

Conditions:
This issue affects worker-lite based VCMP hosts running any version of VCMP guests that are processing SSL and compression traffic.

Impact:
SSL and compression traffic does not pass through VCMP guests running on an affected VCMP host. The system posts error messages in /var/log/ltm, similar to the following: Device error: crypto codec 'device-name' queue is stuck.

Workaround:
To resume processing of SSL and compression traffic in a VCMP guest, restart the guest tmm by issuing a 'bigstart restart tmm' from within the guest. Restarting a VCMP guest by setting its state from 'deployed' to 'provisioned' and then back to 'deployed' also resumes processing of SSL and compression traffic.

Fix:
Corrected a VCMP timeout issue that might have prevented VCMP guests from processing SSL and compression traffic.


472148-7 : Highly fragmented SSL records can result in bad record errors on Nitrox based systems

Component: Local Traffic Manager

Symptoms:
If a highly fragmented SSL record is decrypted by a system with a Cavium Nitrox card, the system will incorrectly respond with a bad SSL record error.

Conditions:
Highly fragmented SSL records and a system with a Cavium Nitrox card.

Impact:
Lost SSL connections.

Workaround:
This issue has no workaround at this time.

Fix:
The Nitrox driver was updated to properly handle highly fragmented SSL records.


471821-1 : Compression.strategy "SIZE" is not working

Component: Local Traffic Manager

Symptoms:
The compression strategy Size is not working as expected: instead of performing compression in software, the system uses the hardware compression provider to compress HTTP server responses.

Conditions:
1. Compression.strategy is set to "SIZE".
2. An HTTP virtual server with an HTTP compression profile is configured.

Impact:
Compression is performed in hardware rather than in software.

Workaround:
Set compression.providerbusy to 0.

Fix:
Compression.strategy "SIZE" now causes compression to be performed in software.


471625-8 : After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM

Component: Local Traffic Manager

Symptoms:
After deleting an external data-group, importing a new or editing an existing external data-group does not propagate to TMM. Although each import/modify appears to work, with no errors displayed in the web interface, the ltm log shows 'update queued' but never 'update finished' for the imported/modified data-group. The tmctl ext_class_stat command shows that the deleted data-groups are still present in TMM and that existing data-groups are unchanged, not reflecting the modifications made to them via the GUI.

Conditions:
The issue occurs when working in an administrative partition other than Common.

Impact:
iRules that reference the data-groups do not behave as expected after a data-group is deleted and subsequent data-group modifications are made.

Workaround:
There are two workarounds:
1. Use short names for the data-group files; the long names are what trigger the problem. This is the recommended workaround.
2. Reboot. This causes mcpd to reload the data-groups and corrects the situation.

Fix:
After deleting an external data-group, importing a new or editing an existing external data-group now works as expected.


471496-2 : Standby node sends a summary LSA for the default route into a stub area with the same metric value as that of Active node.

Component: TMOS

Symptoms:
Both the active and the standby node send summary LSAs for the default route into a stub area with a metric value of 1. 'sh ip route' displays the default route with both the active and the standby node as gateways.

Conditions:
The HA pair is configured in an OSPF session for a stub area with DR and BDR OSPF routers. Area 0 is configured on the HA pair.

Impact:
The traffic from DR or BDR nodes in the stub area might be sent to the standby node.

Workaround:

Fix:
The standby node now sends the summary LSA for the default route with a metric of 16777215 (LSInfinity), so the OSPF routers in the stub area pick the active node as the gateway for the default route.


471452-2 : Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.

Component: Access Policy Manager

Symptoms:
When URLs from multiple browser tabs start an access policy, the session is created with the landing URL from the first tab that started the session, not with the URL that continued and finished creating the access session.

Conditions:
The access policy VIP is accessed with different landing URLs before the access policy session is created. This causes the access policy to run from two different landing URLs.

Impact:
This may leave a BIG-IP system acting as a SAML SP unable to establish a session with the IdP. With LTM and APM, the user is always redirected to the URL from the first tab after policy execution finishes.

Workaround:
None.

Fix:
When URLs from multiple browser tabs start an access policy, the landing URL is now set to the URL from the browser tab that finished the access policy execution.


471421-5 : RAM cache eviction spikes with change of access policy leading to slow webtop rendering

Component: Access Policy Manager

Symptoms:
When there is a high load on the system and a user changes an access policy, it can lead to slow rendering of the webtop or the access page.

Conditions:
High load on the system, with an access policy change made around the same time.

Impact:
Slow webtop/access page rendering.

Workaround:

Fix:
Access policy changes are now handled gracefully.


471331-2 : APM::RBA reset due to a leaked HUDEVT_REQUEST_DONE

Component: Access Policy Manager

Symptoms:
Sometimes the APM RBA plugin resets and writes an error to the log that includes this phrase: [0x19fd874:459] Internal error (APM::RBA requested abort (trans end error)). The problem can happen intermittently and usually occurs when multiple tabs are used.

Conditions:
Most reproductions involve multiple tabs. The end user starts the access policy in one tab and is delivered a login page. The end user then opens a new tab and attempts to evaluate the access policy in that tab. The reset comes from the RBA plugin, but the issue can be reproduced without Kerberos being configured.

Impact:
There are intermittent connection resets. Depending on the URL of the second tab, the system should have either terminated the existing session and started a new one, or rendered a 404 page explaining that the access policy is already running in a different tab.

Workaround:
None.

Fix:
Fixed intermittent resets when access policy execution is in progress simultaneously in multiple browser tabs.


471103-1 : Ignoring null values for parameters with different content types

Component: Application Security Manager

Symptoms:
You cannot configure the system to ignore a null value for parameters defined as file upload regardless of the content-type of the parameter in the request. Following the multipart null flow, the system first looks at the content type defined for the parameter in the request itself. If the parameter is defined there as textual, the system does not allow a null to appear in it, regardless of the policy configuration for that parameter.

Conditions:
The parameter is defined in the multipart request as textual and contains a null.

Impact:
A null in request violation occurs.

Workaround:
N/A

Fix:
There is a new internal parameter, 'ignore_null_in_multipart_text'. When it is set, the behaviour on a null in the request depends on the security policy: if the parameter is defined as file upload in the security policy, no violation is issued; if the parameter is defined as something else, the violation 'null in multipart request' is issued; if the parameter is not defined in the security policy, the violation 'null in request' is issued.


470394-2 : Priority groups may result in traffic being load balanced to a single pool member.

Component: Local Traffic Manager

Symptoms:
Priority groups may result in traffic being load balanced to a single pool member.

Conditions:
This occurs when the following conditions are met:
-- Multiple priority groups.
-- Slow ramp feature enabled (TCP profile).
-- Active priority group goes offline.
-- A member in the newly active group goes offline and then online (triggering the slow ramp feature).

Impact:
Traffic is improperly load balanced.

Workaround:
Disable slow ramp feature in the TCP profile.

Fix:
The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.


470191-2 : Virtual with FastL4 with loose initiation and close enabled might result in TMM core

Component: Local Traffic Manager

Symptoms:
Virtual with FastL4, loose initiation and loose close enabled might result in TMM core.

Conditions:
The problem can occur when the following conditions are met:
- Virtual server with a FastL4 profile.
- FastL4 profile has loose initiation and loose close enabled.
- A TCP FIN is received that is not associated with an existing connection.

Impact:
TMM core due to segfault in bigproto. System outage due to TMM shutdown.

Workaround:
Do not enable loose initiation and loose close on the FastL4 profile.

Fix:
The FastL4 component now validates that the connection peer exists upon reception of a TCP FIN.


469739-4 : ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile

Component: Local Traffic Manager

Symptoms:
MCPD may generate one of the following validation errors as a result of a ConfigSync, a config load, attaching an SSL profile to a virtual server, or modifying a virtual server:

0107149e:3: Virtual server /Common/name-of-virtual-server has more than one clientssl/serverssl profile with same server name.
010717e1:3: Client SSL profile cannot contain more than one set of same certificate/key type.

Conditions:
This occurs when an HA pair has dissimilar cert-key-chain sub-object names within an SSL profile and the changes are synchronized to the peer device. Either the ConfigSync fails (if the SSL profile is attached to a virtual server), or the ConfigSync succeeds but the SSL profile on the receiving device ends up with two cert-key-chain objects. This happens under the following conditions:
- The systems are performing a full (not incremental) sync.
- The SSL profile is attached to a virtual server.
- The cert-key-chain sub-object has different names on the two devices.

Impact:
Depending on how the issue manifests, one of the following can happen:
- The administrator may be prevented from performing further configuration operations.
- The administrator may be prevented from synchronizing the configuration.
- The configuration may not load.

Workaround:
Manually match up the cert-key-chain object names on both devices, and then synchronize the configuration.

Fix:
The ConfigSync operation now completes successfully if the HA pair has dissimilar cert-key-chain sub-object names within an SSL profile.


469705-4 : TMM might panic when processing SIP messages due to invalid route domain

Component: Local Traffic Manager

Symptoms:
TMM might panic when processing SIP messages due to invalid route domain.

Conditions:
SIP requests are being processed with a Via header that does not contain an 'rport' attribute, and the SIP profile attached to the virtual server has 'dialog aware' enabled.

Impact:
TMM panics with following string: 'domain != RT_DOMAIN_NONE'.

Workaround:
Disable the 'dialog aware' option on the SIP profile, or configure SIP OneConnect.

Fix:
TMM now sets a known route domain when processing SIP requests, preventing panics caused by an invalid route domain.


469115-3 : Management client-ssl profile does not support multiple key/cert pairs.

Component: Local Traffic Manager

Symptoms:
The management SSL client-ssl profile does not support multiple key/cert pairs.

Conditions:
Management client-ssl profile.

Impact:
Only one key/cert pair is supported, and it is stored in the profile's key/cert/chain/passphrase settings. cert-key-chain is not a valid selection in the management client-ssl profile; selecting a cert/key pair from cert-key-chain can cause problems.

Workaround:

Fix:
The management SSL client-ssl profile now ignores cert-key-chain structures and uses the single cert/key pair from the profile's key/cert/chain/passphrase settings.


468519-1 : GTM configuration load failure from invalid bigip_gtm.conf file.

Component: Global Traffic Manager

Symptoms:
Config reload fails when renewing the license or performing a new install based on the current config. This appears to be the result of an invalid bigip_gtm.conf, which is used to load the configuration instead of mcpdb.bin.

Conditions:
If any virtual servers are configured with a dependency list that includes other virtual servers from the same BIG-IP system, GTM creates an invalid bigip_gtm.conf file.

Impact:
The GTM configuration fails to load whenever it is loaded from the configuration file.

Workaround:
None.

Fix:
The depends-on block is now populated correctly with the virtual server information, and no error is thrown when reloading the GTM configuration.


468517-8 : Multi-blade systems can experience active/standby flapping after both units rebooted

Component: TMOS

Symptoms:
After rebooting multi-bladed BIG-IP systems configured for failover, one or more of the systems has some of its blades flap from active to standby.

Conditions:
Rebooting systems fairly close in time from one another (about a minute apart). Traffic group must reference an HA group.

Impact:
Invalid redundant status.

Workaround:
Modify the traffic group to no longer reference an HA group: tmsh modify cm traffic-group traffic-group-1 ha-group none.

Fix:
Multi-blade systems no longer experience active/standby flapping after both units are rebooted, so the following MCPD error message no longer occurs on the secondary blades: err mcpd[6528]: 010717b5:3: HA group (HA) cannot be removed. It is used by traffic group (/Common/traffic-group-1 ).


468517-5 : Multi-blade systems can experience active/standby flapping after both units rebooted

Component: TMOS

Symptoms:
After rebooting multi-bladed BIG-IP systems configured for failover, one or more of the systems has some of its blades flap from active to standby.

Conditions:
Rebooting systems fairly close in time from one another (about a minute apart). Traffic group must reference an HA group.

Impact:
Invalid redundant status.

Workaround:
Modify the traffic group to no longer reference an HA group: tmsh modify cm traffic-group traffic-group-1 ha-group none.

Fix:
Multi-blade systems no longer experience active/standby flapping after both units are rebooted, so the following MCPD error message no longer occurs on the secondary blades: err mcpd[6528]: 010717b5:3: HA group (HA) cannot be removed. It is used by traffic group (/Common/traffic-group-1 ).


468472-7 : Unexpected ordering of internal events can lead to TMM core.

Component: Local Traffic Manager

Symptoms:
TMM may core and failover with the following tcp4 assert: "../modules/hudfilter/tcp4/tcp4.c:937: %svalid pcb%s"

Conditions:
If the TCP profile receives a spurious event, it can cause TMM to crash.

Impact:
TMM will crash and failover.

Workaround:
This issue has no workaround at this time.


468175-8 : IPsec interop with Cisco systems intermittent outages

Component: TMOS

Symptoms:
Occasionally, traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems stops after a certain period of time and recovers after an hour.

Conditions:
This issue occurs when more than one pair of IPsec SAs is negotiated, which triggers redundant SA removal on the Cisco router.

Impact:
The IPsec tunnel stops passing traffic until the problematic IPsec SA expires and a new set of IPsec SAs is negotiated.

Workaround:
Delete the problematic IPsec SAs.

Fix:
The system now works correctly, without stopping traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems.


468137-7 : Network Access logs missing session ID

Component: Access Policy Manager

Symptoms:
Without the session ID in client logs, it is hard to correlate client-side and server-side logs.

Conditions:

Impact:
Client logs are hard to troubleshoot.

Workaround:

Fix:
Network Access components now print the session ID in four messages:
- Starting pending session ID: %sessionid
- Session %sessionid established
- Session %sessionid closed: Status
- Failed to open session %sessionid


467868-3 : Leak due to monitor status reporting

Component: Local Traffic Manager

Symptoms:
mcpd memory usage steadily increases until memory runs out. Running "strings" on the resulting core file reveals many instances of a monitor error message.

Conditions:
Must have a monitor configured that generates an error message.

Impact:
Slow system performance, unexpected crash and failover.

Workaround:
Disable the monitor.

Fix:
Previously, mcpd might leak memory when returning an error message that contained the reason for a monitor failure. The message now reports the reason without leaking memory.


467646 : IDE DMA timeouts can result in stuck processes

Component: TMOS

Symptoms:
If the device experiences an IDE DMA timeout, some processes become unresponsive and the kernel logs messages containing 'DMA timeout error' in kern.log. An unfulfilled request from the kernel of the IDE device might result in uninterruptible, stuck processes.

Conditions:
This occurs on VIPRION B4100/B4100N (A100), B4200/B4200N (A107) blades and on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V).

Impact:
This condition can cause the i/o request to never complete and result in unresponsive and uninterruptible processes. Various symptoms result depending on the affected process. Some conditions might require a power cycle to correct.

Workaround:

Fix:
IDE DMA timeouts no longer result in unresponsive processes on VIPRION B4100/B4100N (A100) and B4200/B4200N (A107) blades, or on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V).


467633-5 : WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)

Component: WebAccelerator

Symptoms:
TMM cores or exhibits strange behavior. Checking the WAM stats reveals an underflow of bytes_minified in wam_css_stat (an unsigned 64-bit counter that has wrapped below zero), for example:

active  parses  bytes_parsed  bytes_queued  partial_parses  partial_parse_bytes
------  ------  ------------  ------------  --------------  -------------------
     0       4           612             0               4                  586

annotations  resets  parser_errors        bytes_minified  images_inlined
-----------  ------  -------------  --------------------  --------------
          5       0              0  18446744073709551564               0

images_bytes_inlined  images_uninlined  images_uninlined_expiry
--------------------  ----------------  -----------------------
                   0                 0                        0

Conditions:
The CSS data that is being minified must already be minified and contain no extraneous whitespace.

Impact:
TMM may core or behave unexpectedly. The bytes_minified value in wam_css_stat is incorrect.

Workaround:
Disable CSS minification.

Fix:
Extra spaces are no longer added to the minified CSS.


467196-5 : Log files limited to 24 hours

Component: TMOS

Symptoms:
Before this fix, the max log size setting is 1024. This causes large systems (multiple blades, high availability) to truncate log files, and often prevents log files from holding more than 24 hours of messages.

Conditions:
Multiple blades in a high-availability configuration.

Impact:
Cannot have log files spanning more than 24 hours. This makes it very difficult to use the log when diagnosing problems, because the system overwrites the files before the customer can report the issue.

Workaround:
Change the logrotate max-file-size from '1024' (the default) to '0' to prevent logrotate from truncating log files. This workaround is also documented in SOL16015: The BIG-IP system may truncate log files, available at https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16015.html. From tmsh, run:

tmsh modify /sys log-rotate max-file-size 0

Fix:
The max log size setting is now greater than 1024, which allows large systems (multiple blades, high availability) to store more than 24 hours of messages.


467106-1 : Loading ucs file after install 11.6.0 on top of 11.5.0 failed when Gx reporting is enabled.

Component: Policy Enforcement Manager

Symptoms:
After installing BIG-IP 11.6.0 on top of BIG-IP 11.5.0, you might need to load a saved UCS file. If Gx reporting is enabled, the UCS file load fails.

Conditions:
1. Upgrade from BIG-IP 11.5.0 to BIG-IP 11.6.0.
2. Load the saved UCS file.

Impact:
The old UCS file cannot be used after upgrading from BIG-IP 11.5.0 to BIG-IP 11.6.0.

Workaround:
Disable Gx reporting.

Fix:
After the fix, an upgrade to BIG-IP 11.6.0 from BIG-IP 11.5.0 followed by a UCS load completes successfully.


466761-4 : Heartbeat, a UDP packet containing only a double CRLF, on an existing SIP flow results in connection loss.

Component: Service Provider

Symptoms:
Loss of connection.

Conditions:
A SIP heartbeat message (a UDP packet containing only a double CRLF) is sent by the client to the server.

Impact:
The connection is terminated.

Workaround:
None.

Fix:
The SIP heartbeat message, a UDP packet containing only a double CRLF, is now ignored and the connection is not terminated.


466266-1 : In rare cases, an upgrade (or a restart) can result in an Active/Active state

Component: TMOS

Symptoms:
After upgrading or restarting, the system starts up in an active state even if the peer system is already active.

Conditions:
An upgrade or system restart of an active/standby pair. The issue occurs intermittently and is timing-dependent. Code executed during sod's initialization attempts to detect when communication between mcpd and sod has broken down by checking for "end transaction" messages: if 30 or more messages from mcpd are received without an "end transaction" message, sod resets its connection with mcpd. While the connection is being reset, sod can miss messages from mcpd, and depending on which messages it misses, sod may end up in a bad state and exhibit the symptoms of this bug. If this occurs after an upgrade, it does not matter which version is being upgraded from.

Impact:
Both systems take traffic.

Workaround:
Running 'bigstart restart sod' on the system (after the upgrade or restart) clears the condition.

Fix:
In this release, the system ensures that an upgrade or a restart no longer results in an Active/Active state.


466116-3 : Intermittent 'AgentX' warning messages in syslog/ZebOS log files

Component: TMOS

Symptoms:
When the routing protocols ospfv2, ospfv3, bgp, rip or ripng are configured to exchange routing information, the system posts AgentX-related warning messages in the syslog/ZebOS log files similar to the following: <date+time> warnings: <protocol> : AgentX: process_packet (<state name> state), ... <date+time> warnings: <protocol> : AgentX: requested pdu : 1

Conditions:
This occurs when a BIG-IP system is configured for SNMP traps on the ZebOS routing protocols.

Impact:
These warning messages are cosmetic and may be logged intermittently, possibly resulting in a large number of messages.

Workaround:

Fix:
Benign AgentX warning messages are no longer logged for the routing protocols ospfv2, ospfv3, bgp, rip and ripng.


465012-4 : Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access

Component: Access Policy Manager

Symptoms:
The Rewrite plugin may crash on large JavaScript files and tags when webtrace or debug logging for Portal Access is enabled.

Conditions:
Portal Access log level is set to "Debug", or Web Application Trace feature of Portal Access is active.

Impact:
Portal Access is temporarily unavailable. Core file for 'rewrite' process is generated.

Workaround:
Disable webtrace, or change the Portal Access log level to Notice.

Fix:
Fixed an issue where the Rewrite plugin could crash when collecting webtrace or debug logs for Portal Access.


464992-7 : Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails to recognize the DC component in the certificate common name field, and therefore fails machine certificate inspection if a domain component is included in the search regular expression.

Conditions:
BIG-IP Edge Client for Mac, machine certificate agent, DC component in common name search regex

Impact:
BIG-IP Edge Client for Mac might fail to log in.

Workaround:

Fix:
BIG-IP Edge Client for Mac now passes machine certificate inspection when domain component is included in search criteria.


464651-2 : Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.

Component: Local Traffic Manager

Symptoms:
Two or more root certificates with the same 'subject' and 'issuer' but different serial numbers may cause the tmm to core. The core was due to an assert failure in size caused by a loop in certificate chain construction.

Conditions:
When multiple certificates with the same 'subject' and 'issuer' are in a CA file, and the CA file is configured in SSL profile as trusted CAs.

Impact:
TMM may crash.

Workaround:
Keep only one certificate for a given 'subject' and 'issuer' in the CA file; do not leave two certificates with the same 'subject' and 'issuer' in it.

Fix:
Resolved a failure that occurred when the customer installs another self-signed certificate with the same subject/issuer before the existing self-signed certificate expires.


464163-3 : Customized cert-key-chain of a client ssl profile might be reverted to its parent's.

Component: Local Traffic Manager

Symptoms:
In some circumstances, when the configuration is loaded, the custom cert-key-chain of a client SSL profile might be overwritten.

Conditions:
Customized cert-key-chain of a client ssl profile.

Impact:
The cert-key-chain of a profile is not what is expected.

Workaround:

Fix:
The customized cert-key-chain of a child client-ssl profile is reverted to the parent profile's cert-key-chain during config load.


464132-2 : Serverside SSL cannot be disabled if Rewrite profile is attached

Component: TMOS

Symptoms:
Cannot disable serverside SSL via iRule command or CPM policy.

Conditions:
This occurs on a virtual server that meets the following conditions:
- Rewrite profile
- Serverssl profile
- iRule using the 'SSL::Disable serverside' command in an HTTP_REQUEST event, or a CPM policy with a 'server-ssl disable' action and an http-uri condition.

Impact:
Cannot disable serverside SSL.

Workaround:
Use an iRule with the 'SSL::Disable serverside' command in the SERVER_CONNECTED event.

Fix:
Allows serverside SSL to be disabled by iRule or CPM policy.


463959-1 : stpd attempts to connect to slots in a chassis that are empty

Component: TMOS

Symptoms:
In a chassis environment stpd attempts to connect to slots that are empty. These connection attempts are unsuccessful and will result in repeated stpd errors in the ltm log:
err stpd[7707]: 01290003:3: Attempt to send 15 bytes to inettcp://127.3.0.4:4401 timed out after 8 seconds

Conditions:
This issue exists when there are one or more empty slots in a chassis.

Impact:
There will be repeated stpd errors in the ltm log.

Workaround:

Fix:
Have stpd check that a slot is populated before stpd attempts to connect to that slot.


463715-3 : syscalld logs erroneous and benign timeout messages

Component: TMOS

Symptoms:
The syscalld timeout mechanism might cause premature logging of OPERATION_TIMEOUT messages.

Conditions:
No specific configuration is required.

Impact:
The system posts the message:
syscalld[21190]: 0127000a:3: OPERATION_TIMEOUT 'command' may be hung or taking a long time.
This may cause some operations, such as establishing CMI trust, to fail and need to be launched again.

Workaround:

Fix:
syscalld's timeout mechanism no longer emits an OPERATION_TIMEOUT message, unless the message appropriately reflects the condition of the system.


463696-5 : FIPS keys might not be recoverable from UCS

Component: Local Traffic Manager

Symptoms:
FIPS exported keys get created only on the unit on which the FIPS key is created or imported. This FIPS exported key does not get created on the HA peer.

Conditions:
HA setup with multiple FIPS devices.

Impact:
The UCS created on such a HA peer does not contain the FIPS .exp key files. Restoring such a UCS does not recover the FIPS keys. If a FIPS unit is returned to F5 Networks for a replacement unit, the recovery of FIPS keys is not straightforward on the new unit, or might not be possible.

Workaround:
Manually copy the .exp file from the peer, or generate the UCS on the peer and load it manually. You can use scp from the command line to copy all FIPS exported keys in /config/ssl/ssl.cavfips/ from one HA peer to the other, and vice versa, so that each peer has all the FIPS exported key files.


461949 : Virtual server with Portal Access and DOS profile resets connection

Component: Anomaly Detection Services

Symptoms:
Virtual server resets connection.

Conditions:
Requests are dropped on a virtual server that meets all of the following criteria:
-- APM Access Policy.
-- DOS Profile with Application Enabled.
-- SSL profile on serverside.

Impact:
The system posts an error similar to the following:
err apd[4646]: 01490000:3: AccessPolicyD.cpp func: 'process_request()' line: 736 Msg: EXCEPTION AccessPolicyD.cpp line:653 function: process_request - error 4 reading/parsing response from socket.

Workaround:
Either disable the DOS profile on the virtual server, or disable the SSL profile on the serverside.

Fix:
Virtual server with Portal Access, DOS profile, and SSL profile configuration no longer resets connections.


461597-11 : MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not follow HTTP 302 redirect if new site has an untrusted self-signed certificate.

Conditions:
BIG-IP Edge Gateway with the Mac Edge Client, and an HTTP 302 redirect to a new site with an untrusted certificate.

Impact:
User might not be able to log in if HTTP 302 redirect is configured for a site with an untrusted certificate.

Workaround:
Configure APM with trusted certificate or configure client machine to trust APM's certificate

Fix:
BIG-IP Edge Client for Mac now follows HTTP 302 redirect if the new site has an untrusted self-signed certificate and the user will be able to log in successfully.


460730-7 : On systems with multiple blades, large queries can cause TMM to restart

Component: TMOS

Symptoms:
When executing a chunked query (such as "show sys connection") that returns a lot of data, the primary MCP can get overwhelmed by the amount of data it is receiving from both its blade's TMMs and the secondary MCPs. It gives the data from its own TMMs priority, which eventually causes the secondary MCPs to run out of memory. At this point the MCP memory safeguards kick in and the secondary MCPs stop receiving data from their TMMs. The TMMs wait 20 seconds under these conditions, and if they have been unable to send data to MCP during that time, they exit and restart.

Conditions:
System must have multiple blades and execute a chunked query (for connection data or persistence records, for example) that returns a lot of data.

Impact:
TMM restarts and the system is unusable during that time.

Workaround:
This issue has no workaround at this time.

Fix:
Increased MCP's throughput by limiting the amount of data sent in a given chunk.


460715-5 : Changes in captive portal probe URL

Component: Access Policy Manager

Symptoms:
The system uses a Microsoft-specific captive portal detection URL (http://www.msftncsi.com/ncsi.txt).

Conditions:
Using APM.

Impact:
This issue tracks changing the probe to the F5 captive portal detection URL (http://www.f5.com/apps/all/avail.txt), and at the same time providing customers the ability to change the behavior by modifying client settings in the registry.

Workaround:
None.

Fix:
The system now uses an F5 Networks-specific captive portal probe URL in BIG-IP Edge Client for Windows instead of the default Microsoft-specific captive portal detection URL. A Windows administrator can override use of the F5 captive portal URL by changing the following registry values under HKEY_LOCAL_MACHINE\SOFTWARE\F5 Networks\RemoteAccess:
- ActiveWebProbeHost
- ActiveWebProbePath
- ActiveWebProbeContent


460627-3 : SASP monitor starts a new connection to the GWM server when a connection to it already exists

Component: Local Traffic Manager

Symptoms:
When the SASP monitor starts up, it can attempt to open a new TCP connection to the GWM server when another connection exists to it.

Conditions:
This happens when a GWM server sends the SendWeight messages to SASP monitor immediately after the registration of the pool member is complete, but the registration of all the pool members is not complete.

Impact:
The SASP monitor FINs (closes) an existing TCP connection to the GWM server.

Workaround:
This issue has no workaround at this time.

Fix:
The SendWeight messages are processed only after the registration of all the pool members is complete. Monitor logging has been vastly improved. In addition, a crashing bug that caused the SASPD monitor process to be restarted has been fixed.


460427-2 : Address collision reported when the Primary blade goes down or its TMM crashes in a Chassis IntraCluster environment.

Component: Access Policy Manager

Symptoms:
In a Chassis IntraCluster environment, when the Primary blade or its TMM goes down for any reason (e.g., crash, restart, or shutdown), the system posts 'IPv4 Addr collision' messages in the APM logs.

Conditions:
This happens when a Chassis platform is used in IntraCluster mode with APM's Network Access.

Impact:
Address collision is reported in the logs, and affected clients (that have duplicate IP addresses - both the original ones and the new ones) might intermittently lose connectivity.

Workaround:
None.

Fix:
Now the primary blade's TMM leasepool IP information is mirrored on the oldest secondary blade, so the system no longer posts 'IPv4 Addr collision' messages.


457934-4 : SSL Persistence Profile Causing High CPU Usage

Component: Local Traffic Manager

Symptoms:
Some connections through a virtual server using SSL persistence hang and cause a high CPU condition in tmm.

Conditions:
This occurs only when SSL persistence is configured as the default persistence profile, and there is a fallback profile of either source_addr or dest_addr.

Impact:
Large increase in CPU usage on the box, and a percentage of SSL connections through the virtual server are delayed and eventually reset.

Workaround:
None.

Fix:
SSL Persistence Profile now operates correctly, and does not cause high CPU usage.


456911-3 : Add BIG-IP hostname to system's static DNS host entries

Component: Access Policy Manager

Symptoms:
In a GTM deployment, the BIG-IP hostname can resolve to different IP addresses. If the IP address used to establish the network access connection differs from the one resolved when a corporate resource is accessed afterwards (after network access is established), access to that corporate URL is denied.

Conditions:
GTM deployment. The BIG-IP network access configuration and the corporate resource resolve to a different BIG-IP than the one to which network access is established.

Impact:
Access to corporate resources might be denied.

Workaround:
Configure BIG-IP system with static host DNS entry.

Fix:
Fixed a GTM deployment scenario in which access to certain corporate resources might be denied despite an established network access connection.


456763-5 : L4 forwarding and TSO can cause rare TMM outages

Component: Local Traffic Manager

Symptoms:
In certain rare circumstances using L4 forwarding and TSO, the MSS sizes on client and server sides in combination with internal processing can cause an internal mismatch resulting in a TMM crash.

Conditions:
This applies only when using L4 forwarding virtuals with TSO; additional exact external conditions are still under investigation.

Impact:
This issue causes a failover or TMM outage.

Workaround:
This issue has no workaround at this time.

Fix:
TMM will properly handle cases when the MSS sizes would have led to underflow.


456413-5 : Persistence record marked expired though related connection is still active

Component: Local Traffic Manager

Symptoms:
A persistence record might be marked expired even though its corresponding connection is still active and passing traffic.

Conditions:
This occurs when using persistence.

Impact:
Persist records disappear in spite of flow activity that is more recent than the persist timeout.

Workaround:
Set the timeout of persist to at least 33 seconds longer than the related flow timeout.

Fix:
Persistence records are maintained when the connection and persistence timeouts are within 33 seconds of each other.


455840-7 : EM analytic does not build SSL connection with discovered BIG-IP system

Component: Local Traffic Manager

Symptoms:
EM analytic does not build SSL connection with discovered BIG-IP system.

Conditions:
When using management SSL client profile.

Impact:
EM analytic cannot connect to discovered BIG-IP system.

Workaround:

Fix:
Enterprise Manager analytics now works with BIG-IP systems running version 11.5.0 or later.


455006-7 : Invalid data is merged with next valid SIP message causing SIP connection failures

Component: Service Provider

Symptoms:
SIP phone connections fail.

Conditions:
SIP over UDP.

Impact:
SIP phone connections fail.

Workaround:
Create a packet filter to discard the invalid UDP datagrams.

Fix:
Invalid UDP datagrams that interfered with SIP processing are now dropped.


452464-4 : iClient does not handle multiple messages in one payload.

Component: Access Policy Manager

Symptoms:
iClient does not handle multiple messages in one payload leading to possible memory leak symptoms.

Conditions:
If by chance multiple messages arrive as one from the BIG-IP Edge Client.

Impact:
Possible memory leak symptoms.

Workaround:
This issue has no workaround.

Fix:
If multiple messages arrive from BIG-IP Edge Client in one payload, the system processes them correctly.


452416-1 : tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values

Component: Access Policy Manager

Symptoms:
On a multi-blade chassis, tmctl leasepool_stat for some slots may not be in sync. In addition, query of snmp apmLeasepoolStatTable returns values that do not match the tmctl leasepool_stat output for the current primary slot.

Conditions:
The issue occurs after a blade or tmm of a blade restarts.

Impact:
Incorrect stats only. No impact to functionality.

Workaround:

Fix:
The system now uses the correct system object to track current primary slot, which ensures that counters in leasepool_stat that have global context (that is, cur_member, cur_assigned, cur_free, max_assigned) are synced to all blades.


452293-4 : Tunneled Health Monitor traffic fails on Standby device

Component: TMOS

Symptoms:
Monitor traffic fails on the Standby devices when using a floating local endpoint address for the tunnels.

Conditions:
Tunnels are configured with a floating local endpoint address.

Impact:
Failover takes longer because the status of the pool server on the Standby device needs to be rediscovered upon failover.

Workaround:
This issue has no workaround at this time.

Fix:
Monitors now work on the Standby devices in an HA configuration.


451224-3 : IP packets that are fragmented by TMM have the DF bit set on the fragments

Component: Local Traffic Manager

Symptoms:
When IP packets are fragmented by TMM, the fragments have their DF bit set if tm.pathmtudiscovery is set to enable (the default setting for this dbvar). This is fully compliant with the RFC standards and is the correct behavior.

Conditions:
An IP packet needs to be fragmented by TMM because of an MTU restriction on the egress VLAN/interface, and non-RFC-compliant downstream switches do not accept the DF bit set in IP fragments.

Impact:
Non-RFC-compliant switches from other vendors may reject a fragment with the DF bit set, so the packet is dropped or treated as a bad packet by them.

Workaround:
Setting tm.pathmtudiscovery to disable results in the DF bit not being set on the fragments.

Fix:
The tm.pathmtudontfragoverride dbvar has been introduced. If its value is changed from 'disable' (the default) to 'enable', the DF bit is not set in IP fragments generated by TMM.


449891-7 : Fallback source persistence entry is not used when primary SSL persistence fails

Component: Local Traffic Manager

Symptoms:
The existing source persistence record is not used as fallback for a second SSL request from the same source. The second request may be load balanced to a different pool member than the first one. Sometimes multiple source persistence records may be created pointing to different pool members.

Conditions:
SSL persistence is configured as the primary persistence method on an SSL VIP, and source persistence is configured as the fallback persistence method. The same client sends a second SSL request with a different session ID, so the SSL persistence lookup fails.

Impact:
Requests are load balanced to different pool members instead of the same one. In other words, source fallback persistence does not work.

Workaround:
There is no workaround for this issue.

Fix:
Fallback source persistence record will be used and the second ssl request will be load balanced to the same pool member that the first one went to.


448493-10 : SIP response from the server to the client get dropped

Component: Service Provider

Symptoms:
SIP responses are not forwarded to the client. Instead, the system drops those SIP responses.

Conditions:
This occurs when using SIP OneConnect with an iRule that uses the node/snat command in SIP_RESPONSE event in the iRule to direct the SIP response from the server.

Impact:
Some SIP flows do not complete, which affects the SIP clients.

Workaround:
Remove the node/snat command from SIP_RESPONSE event processing in the iRule.

Fix:
iRules node/snat command in the iRule SIP_RESPONSE event now works correctly.


447272-2 : Chassis with MCPD audit logging enabled will sync updates to device group state

Component: Local Traffic Manager

Symptoms:
If mcpd audit logging is enabled on a chassis, updates to device group state will be recorded on every configuration change, even if CMI is not configured or no synchronizable object was modified.

Conditions:
This only applies on chassis systems with at least one secondary blade, and the log messages only appear if mcpd audit logging is enabled.

Impact:
Updates to device group state will be recorded on every configuration change.

Workaround:

Fix:
If mcpd audit logging is enabled on a chassis, updates to device group state were in past versions recorded on every configuration change, even if CMI was not configured or no synchronizable object was modified. This no longer happens, and these log messages are now only generated if the state actually changes.


447254-1 : Core in parked transaction due to evicted stand-in document

Component: WebAccelerator

Symptoms:
TMM core error in a previously parked transaction

Conditions:
* Stand-in is enabled on the policy.
* Request queueing is turned on in the policy.
* The document may have been removed from the entity because it did not match the policy on the node.

Impact:
Loss of service.

Workaround:
Disable stand-in and/or request queueing.

Fix:
TMM will no longer crash. If the stand-in document is NULL, the transaction will be bypassed and treated as if not found in cache.


447075-1 : CuSFP module plugged in during links-down state will cause remote link-up

Component: TMOS

Symptoms:
If a CuSFP module is plugged into a port that is in a links-down state while connected via a cable to a remote switch or other network connection, the remote switch will report a links-up state. A port on the BIG-IP or VIPRION device may be in a links-down state while BIG-IP is not in a running state, or if the network interface has been administratively disabled.

Conditions:
Issue has been primarily observed with VIPRION B2100 or B2150 blades. However, the problem could potentially occur on other VIPRION blades or BIG-IP appliances which employ a Broadcom hardware switch (i.e., most F5 hardware products). BIG-IP appliances which do NOT employ a Broadcom hardware switch include: BIG-IP 2000-/4000-series appliances.

Impact:
The remote switch may erroneously attempt to direct traffic to what is seen as an active link, which the BIG-IP or VIPRION device will not be able to process.

Workaround:
You may work around this problem by any of the following methods:
1. Unplug the cable connecting the CuSFP (Copper SFP) module to the remote network connection before plugging the CuSFP into the port on the BIG-IP or VIPRION device.
2. Wait until the port on the BIG-IP or VIPRION device is in an enabled/links-up state before plugging in the CuSFP.
3. Enable the port on the BIG-IP or VIPRION device after plugging in the CuSFP.

Fix:
A remote network connection no longer shows as Up/Link when a CuSFP module is plugged into a port on a BIG-IP or VIPRION device that is in a links-down state, while connected via a cable to the remote switch/other network connection.


445911-6 : TMM fast forwarded flows are offloaded to ePVA

Component: TMOS

Symptoms:
TMM fast forwarded flows are offloaded to ePVA, which is incorrect behavior. The symptom varies depending on the FastL4 profile's PVA acceleration setting. If PVA acceleration is set to full, the connection is established and handled by software (TMM); it is not offloaded to the ePVA. If PVA acceleration is set to guaranteed, the connection is reset.

Conditions:
This occurs when a virtual is configured with a FastL4 profile using HW acceleration (ePVA).

Impact:
TMM fast forwarded flows are offloaded to ePVA, which is incorrect behavior.

Workaround:
For versions 11.3.x and 11.4.0, there is no workaround. On version 11.4.1 or later, you can use the following command to turn off tmm fast forward when using the guaranteed hardware acceleration mode: 'tmsh modify sys db tmm.ffwd.enable value false'.

Fix:
TMM fast forwarded flows are no longer offloaded to ePVA, which is correct behavior.


444710-6 : Out-of-order TCP packets may be dropped

Component: Local Traffic Manager

Symptoms:
Out-of-order TCP packet will be dropped if it occurs during 3-way handshake.

Conditions:
Client initiates a TCP connection to BIG-IP with the ACK segment arriving after (i.e., out of order with respect to) a second packet. Resultant sequence:
1. Client -> BIG-IP : SYN
2. BIG-IP -> Client : SYN-ACK
3. Client -> BIG-IP : PSH, ACK (with segment #2) -- out of order; must be retransmitted
4. Client -> BIG-IP : ACK (with segment #1)

Impact:
Packet must be retransmitted by client.

Workaround:
None

Fix:
Out-of-order segments received before 3WHS is completed are no longer dropped.


443006-1 : In low memory situations initializing the HTTP parser will cause the TMM to crash

Component: Local Traffic Manager

Symptoms:
When the TMM is low in memory and HTTP is configured, the configuration process may initialize a new HTTP parser. If that initialization fails, then the TMM may crash.

Conditions:
A virtual containing HTTP is configured or re-configured when the TMM is under extreme memory pressure.

Impact:
The TMM will core.

Workaround:

Fix:
Configuring an HTTP filter during extreme memory pressure no longer causes the TMM to crash.


440346-5 : Monitors removed from a pool after sync operation

Component: TMOS

Symptoms:
Monitors might be removed from a pool after sync operation.

Conditions:
Devices are in a failover device group, the group contains a pool with multiple health monitors enabled, and a sync is performed using the 'Overwrite Configuration' option.

Impact:
Monitors might be removed from a pool on the devices that received a sync.

Workaround:

Fix:
Monitors are no longer removed from a pool on the devices that received a sync.


440154-3 : When IKEv2 is in use, user can only associate one Traffic Selector object with the IKE Peer object

Component: TMOS

Symptoms:
Only one Traffic Selector can be associated with one IKE Peer when IKEv2 is in use.

Conditions:
When IKEv2 is selected to negotiate the IPsec tunnel.

Impact:
The user can only associate one Traffic Selector per IKE Peer.

Workaround:

Fix:
The user can now associate multiple Traffic Selector MCP objects with one IKE Peer object.


439343 : Client certificate SSL authentication unable to bind to LDAP server

Component: TMOS

Symptoms:
When LDAP Client Certificate SSL Authentication is configured to bind to the LDAP server with a password, the bind fails due to an incorrect password.

Conditions:
LDAP client certificate SSL authentication is enabled, and the LDAP server requires a password to bind.

Impact:
Client certificates cannot be authenticated.

Workaround:

Fix:
LDAP client certificate SSL authentication now sends the correct bind password to the LDAP server.


438792-5 : Node flapping may, in rare cases, lead to inconsistent persistence behavior

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). Further requests in certain circumstances may hang (the client will be left waiting for a response).

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Inconsistent persistence behaviors. If persistence records are examined, you might find multiple, conflicting entries. This is an intermittent issue.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:
when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}
For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


437744-4 : SAML SP service metadata exported from APM may fail to import.

Component: Access Policy Manager

Symptoms:
SAML SP service metadata exported from APM contains elements in incorrect order which might cause it to fail to be imported by other implementations.

Conditions:
When SAML metadata is exported from BIG-IP acting as a SAML Service Provider, the order of the 'SingleLogoutService' and 'AssertionConsumerService' elements is incorrect.

Impact:
Import of the SAML metadata exported from BIG-IP as SP into a SAML IdP might fail.

Workaround:
Edit exported metadata: change the order of elements in the SPSSODescriptor so that SingleLogoutService element goes first in the sequence.

Fix:
Metadata elements are exported in correct order.
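As an added illustration of the workaround for this issue (example code written for this page, not F5's), the following script applies the SAML 2.0 metadata schema order to each SPSSODescriptor in an exported document, which moves SingleLogoutService ahead of AssertionConsumerService; the sample metadata, entity ID and endpoint URLs are constructed.

```python
"""Reorder SPSSODescriptor children into SAML 2.0 metadata schema order.

Added example, not F5 code: fixes SP metadata whose SingleLogoutService
element was exported after AssertionConsumerService.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Child element order defined by the SAML 2.0 metadata schema for
# SPSSODescriptorType: the SSODescriptorType content comes first, then the
# SP-specific elements. Unknown elements are kept, in order, at the end.
SPSSO_ORDER = [
    "Extensions",
    "KeyDescriptor",
    "Organization",
    "ContactPerson",
    "ArtifactResolutionService",
    "SingleLogoutService",
    "ManageNameIDService",
    "NameIDFormat",
    "AssertionConsumerService",
    "AttributeConsumingService",
]


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _rank(elem):
    name = _local(elem.tag)
    return SPSSO_ORDER.index(name) if name in SPSSO_ORDER else len(SPSSO_ORDER)


def child_order(descriptor):
    """Local names of the descriptor's children, in document order."""
    return [_local(c.tag) for c in descriptor]


def reorder_spsso(descriptor):
    """Stable-sort the children by schema rank; return True if anything moved."""
    children = list(descriptor)
    fixed = sorted(children, key=_rank)  # sorted() is stable, so same-rank siblings keep order
    if fixed == children:
        return False
    for c in children:
        descriptor.remove(c)
    for c in fixed:
        descriptor.append(c)
    return True


def fix_metadata(xml_text):
    """Fix every SPSSODescriptor in a metadata document; return (xml, changed_count)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for desc in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        if reorder_spsso(desc):
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def descriptor_order(xml_text):
    """Child order of the first SPSSODescriptor in a document (for checking)."""
    root = ET.fromstring(xml_text)
    return child_order(root.find(f"{{{MD_NS}}}SPSSODescriptor"))


# Constructed sample resembling the mis-ordered export described in the issue:
# AssertionConsumerService appears before SingleLogoutService.
SAMPLE_BAD = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    fixed_xml, count = fix_metadata(SAMPLE_BAD)
    print(f"descriptors reordered: {count}")
    print(fixed_xml)
```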


437743-6 : Import of Access Profile config that contains ssl-cert is failing

Component: Access Policy Manager

Symptoms:
An access profile configuration that uses an SSL Certificate fails to import. This happens because of a change in the method to import SSL certificates.

Conditions:
The Access Profile configuration contains an (SSL) Certificate File object, that is, configurations that include an OCSP responder, a Certificate Authority Profile, or a ServerSSL Profile.

Impact:
Serious. It is not possible to import configurations that contain the above-mentioned objects onto another box, which might prevent users from distributing profiles manually or properly importing a backup.

Workaround:
You can either exclude the above-mentioned objects prior to export and recreate them after the import, or (not recommended) edit the config manually and import the SSL certificate before importing the profile.

Fix:
You can import an access profile that includes an SSL certificate object in its configuration objects.


436682-5 : SFP modules shows a higher optical power output for disabled switch ports

Component: TMOS

Symptoms:
Some SFP modules show a higher optical power output for disabled switch ports, which can contribute to false link states.

Conditions:
This occurs on SFP modules with disabled switch ports.

Impact:
When this occurs, it produces false link states.

Workaround:
None.

Fix:
Some SFP modules now show the correct optical power output for disabled switch ports, which no longer contributes to false link states.


436201-6 : JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11

Component: Access Policy Manager

Symptoms:
JavaScript can misbehave when encountering the 'X-UA-Compatible' META tag from clients using Microsoft Internet Explorer 11.

Conditions:
Internet Explorer 11 and meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
Web application malfunction.

Workaround:
Use an iRule.

Fix:
JavaScript now correctly handles the X-UA-Compatible meta tag from clients using Microsoft Internet Explorer 11.


433972-13 : New Event dialog widget is shifted to the left and Description field does not have action widget

Component: Access Policy Manager

Symptoms:
When you access SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.

Conditions:
Internet Explorer 11 and meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
SharePoint 2013 malfunction.

Workaround:
Potential for iRule mitigation

Fix:
SharePoint 2013 now is correctly handled with IE11.


433847-1 : APD crashes with a segmentation fault.

Component: Access Policy Manager

Symptoms:
Uninitialized CRLDP or OCSP field might cause a crash because of possible memory corruption.

Conditions:
This occurs when there is an uninitialized field in the Crldp or OCSP module.

Impact:
APD crashes with a segmentation fault. Uninitialized field might cause a crash trying to free the client connection.

Workaround:

Fix:
An uninitialized field in the CRLDP or OCSP module no longer causes APD to crash.


432900-9 : APM configurations can fail to load on newly-installed systems

Component: Access Policy Manager

Symptoms:
APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso)
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory)
....
01071558:3: EPSEC - File Copy to /shared location failed
Unexpected Error: Loading configuration process failed.

Conditions:
If the system is fresh from manufacturing or has had a recent formatting installation, it is vulnerable to this upgrade defect. The failure is only observed if the configuration being applied contains elements of APM.

Impact:
After booting into an upgraded system, the configuration will fail to load. A load failure can also be observed when manually loading a UCS file.

Workaround:
Create the directory /shared/apm and try to load the configuration again.

Fix:
Releases with this fix will load the configuration properly. There is no need for users to first create the /shared/apm directory.


431980-1 : SWG Reports. Overview and Reports do not show correct data.

Component: Access Policy Manager

Symptoms:
When traffic is very sparse, report may be incorrect and omit information due to skipped aggregation process of collected data. The original fix caused heavy spikes to the CPU every 5 minutes.

Conditions:
Very sparse traffic with significant gaps.

Impact:
AVR reports may be incorrect.

Workaround:
No workaround

Fix:
Aggregation of data when traffic is very sparse with significant gaps is now done correctly, and also occurs when data is queried, instead of every 5 minutes in order to avoid a 5 minute CPU spiking issue.


431634-6 : tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails

Component: TMOS

Symptoms:
If you have a gtm server object for which you wish to modify its virtual servers, the following tmsh command fails: modify gtm server <gtm-server-name> virtual-servers replace-all-with <vs-name> with this error: "The requested Virtual Server (/Common/<gtm-server-name> ) was not found."

Conditions:
You have a gtm server object whose virtual servers you are attempting to modify via the replace-all-with method.

Impact:
You cannot set the virtual server(s) on a gtm server object via the replace-all-with method in tmsh.

Workaround:
You can still add and delete virtual servers on the gtm server object via tmsh; you just cannot use the replace-all-with method to do so.

Fix:
Fixed replace-all-with command in relation to GTM Virtual Servers.


431149-6 : APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"

Component: Access Policy Manager

Symptoms:
In scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode), the error "Access Policy configuration has changed on gateway" might be displayed when a user connects to a virtual server.

Conditions:
It can occur in the following conditions:
- right after the whole chassis is rebooted
- when a secondary/slave slot's tmm cores
- when disabling a slot on the chassis

Impact:
Customers see the following message when they connect to the virtual server: "Access Policy configuration has changed on gateway".

Workaround:
To work around the problem, type the command "bigstart restart apd" on the primary slot.

Fix:
The issue is fixed by having the primary blade of the chassis/vCMP guest recreate config snapshots when a secondary blade transitions from online to offline or vice versa.


430799-3 : CVE-2010-5107 openssh vulnerability

Component: TMOS

Symptoms:
The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which could enable a denial of service.

Conditions:
Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: None (There is no impact to the integrity of the system.)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist.)

Impact:
CVE-2010-5107 openssh vulnerability

Workaround:
Update the configuration of OpenSSH to prevent this issue.


430323-4 : VXLAN daemon may restart when 8000 VXLAN tunnels are configured

Component: TMOS

Symptoms:
VXLAN daemon may restart when 8000 VXLAN tunnels are configured.

Conditions:
8000 VXLAN tunnels are configured.

Impact:
VXLAN daemon restart.

Workaround:

Fix:
VXLAN daemon does not restart when 8000 VXLAN tunnels are configured.


428163-3 : Removing a DNS cache from configuration can cause TMM crash

Component: Local Traffic Manager

Symptoms:
Removing a DNS cache from the configuration while packets are outstanding on the server side can cause a TMM crash if those responses time out after the resolver has been removed.

Conditions:
This occurs with DNS traffic in progress when removing a configured DNS cache from the configuration.

Impact:
TMM crash and restart. Traffic served by that TMM will be temporarily impacted until the service restarts.

Workaround:
This occurs with DNS traffic in progress. Disabling the listener using that cache and waiting 60 seconds before removing the cache prevents this from occurring.

Fix:
Deleting a cache resolver no longer results in outstanding packet issues.


426939-5 : APM policies do not work in a VIPRION P8 chassis if there is no slot1

Component: Performance

Symptoms:
Access policies are not executed according to the configuration in a VIPRION P8 chassis. Users will not be able to use those policies.

Conditions:
This issue happens only on the VIPRION P8, and only if there is no active slot1 as primary or standby.

Impact:
Users will not be able to use the access policies that are configured on the BIG-IP system.

Workaround:
Always use slot1 in the P8.

Fix:
Access policies are now supported in the P8 without slot1.


422460-8 : TMM may restart on startup/config-load if it has too many objects to publish back during config load

Component: TMOS

Symptoms:
TMM restarts without producing a core file on startup, or when mcpd is loading the configuration, if the configuration is large (for example, more than 1000 passive monitors).

Conditions:
This issue occurs when all of the following conditions are met:
-- The mcpd process loads a large configuration with thousands of objects.
-- The platform is running 12 or more TMM instances (BIG-IP 11000, 11050 platform, or VIPRION B4300 blade).

Impact:
Traffic processed by the affected TMM instance is interrupted while TMM restarts. TMM might enter a restart loop and restart multiple times, without producing a core file. You might see errors similar to the following in log/tmm or log/daemon:
-- LTM01 notice mcp error: 0x1020003 at ../mcp/db_net.c:575.
-- LTM01 crit tmm11[28599]: 01010020:2: MCP Connection aborted, exiting.
-- LTM01 emerg logger: Re-starting tmm.
This might cause serious traffic disruption.

Workaround:
This workaround is a mitigation and may not work in all cases; some customers may need to raise the zero-window timeout to a higher value. To work around this issue, increase the timeout used for the MCP connection by adding a "zero_window_timeout 300000" setting to the "profile tcp _mcptcp" stanza in the tmm_base.tcl file. This lengthens the timeout and so avoids the restart. For more information, see SOL14498: The mcpd connection to TMM may time out on either startup or configuration load and cause TMM to restart, available here: http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14498.html.

Fix:
TMM no longer restarts on startup/config-load if it has too many objects to publish back during config load.


420204-3 : FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long

Component: TMOS

Symptoms:
Starting with 11.4.0, the 'tmsh delete sys crypto fips by-handle handle#' command is expected to throw an error if the key object corresponding to this FIPS key handle exists in the BIG-IP configuration. However, this does not work if the key name is longer than 32 characters, because the operation relies on the key name being the same as the FIPS key label, which is not the case for key names longer than 32 characters.

Conditions:
BIG-IP contains a FIPS key object with a name that is longer than 32 characters. User attempts 'tmsh delete sys crypto fips by-handle handle#' for this FIPS key handle. The expected error does not occur, and the operation deletes the FIPS key from the FIPS card, which makes the BIG-IP key object invalid.

Impact:
The corresponding BIG-IP key object is now invalid with no corresponding FIPS key in FIPS card. Traffic using this key object will fail.

Workaround:
Use keynames shorter than 32 characters for FIPS keys.

Fix:
The BIG-IP system now posts an error if the user tries to manually delete a particular FIPS key by-handle while its corresponding key object exists in BIG-IP configuration, regardless of the length of the key name. IMPORTANT: FIPS key deletion by-handle should still be executed with caution because the FIPS handle might belong to keys in different boot locations of the BIG-IP configuration. Deleting those FIPS keys does not throw an error, but will make FIPS keys in the other boot locations invalid and unusable.


417068-6 : Key install or deletion failure on FIPS key names longer than 32 chars on some platforms

Component: Local Traffic Manager

Symptoms:
Key operations might not succeed as expected when the key names are longer than 32 characters.

Conditions:
This occurs with keynames longer than 32 characters on the 6900 (D104), 8900 (D106), 8950 (D107), 11999 (E101), 11050 (E102), 10000/10050/10200/10250 (D113) platforms.

Impact:
FIPS key install and key deletion might fail. Deletion of the FIPS key with a keyname longer than 32 characters deletes the key from the BIG-IP configuration but does not delete the key from the FIPS card. Similarly, importing a key with keyname longer than 32 characters into the FIPS card fails.

Workaround:
Use key names of at most 32 characters for FIPS keys.

Fix:
FIPS key labels longer than 32 characters are now truncated to 32 characters. Keys whose labels share the same first 32 characters are truncated further and given an underscore and a number, so that each label is 32 characters in total; for example fipssamplekeylabelof32characte_1, fipssamplekeylabelof32characte_2, and so on. BIG-IP uses the FIPS handles when querying the FIPS cards for keys, so the fact that the FIPS key labels differ from the BIG-IP key names does not matter and does not affect traffic.
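The label-truncation rule just described, worked through in code. This is an added illustration, not F5's code: the page states the 32-character limit, the truncation, the underscore-and-number suffix and the sample labels; the numbering order (the first colliding key gets _1, the second _2, and so on) and the handling of ten or more collisions are assumptions made here.

```python
# Added illustration of the label-truncation rule described for ID 417068-6.
# Not F5's code; the numbering order (first colliding key gets _1, the second
# _2, ...) and the handling of ten or more collisions are assumptions.

MAX_LABEL_LEN = 32  # FIPS card label limit stated in the release note


def assign_fips_labels(key_names):
    """Map each BIG-IP key name to a FIPS card label of at most 32 characters.

    Names of 32 characters or fewer are used unchanged. Longer names are cut
    to 32 characters; when several names share the same first 32 characters,
    each gets a numeric suffix ("_1", "_2", ...) and is shortened so that the
    suffix still fits within the 32-character limit.
    """
    groups = {}  # first 32 characters -> key names, in the order given
    for name in key_names:
        groups.setdefault(name[:MAX_LABEL_LEN], []).append(name)

    labels = {}
    for base, names in groups.items():
        if len(names) == 1:
            labels[names[0]] = base
            continue
        for n, name in enumerate(names, start=1):
            suffix = f"_{n}"
            labels[name] = base[:MAX_LABEL_LEN - len(suffix)] + suffix
    return labels


def labels_are_valid(labels):
    """Check the two properties the note relies on: every label fits the
    card limit, and no two key names map to the same label."""
    values = list(labels.values())
    fits = all(len(v) <= MAX_LABEL_LEN for v in values)
    return fits and len(set(values)) == len(values)


if __name__ == "__main__":
    # Constructed sample key names; only the first two collide after truncation.
    sample = [
        "fipssamplekeylabelof32characters_alpha",
        "fipssamplekeylabelof32characters_beta",
        "short_key",
    ]
    for name, label in assign_fips_labels(sample).items():
        print(f"{name} -> {label}")
```

The point for an operator is the second function: after the fix, the card label is no longer the same string as the BIG-IP key name, so scripts that correlate the two must go through the FIPS handle rather than matching names, exactly as the note says BIG-IP itself does.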


416292-1 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:

Fix:
Ensured that the active CMI connection is destroyed when mcpd is shutting down.


416115-14 : Edge client continues to use old IP address even when server IP address changed

Component: Access Policy Manager

Symptoms:
The Edge Client enters a reconnect loop if the server it connected to goes down and DNS assigns a new IP address to the server host name.

Conditions:
1) Edge Clients connected successfully to a server.
2) The server goes down and DNS resolves the server host name to a different IP address.

Impact:
The client enters a reconnect loop and needs to be restarted to successfully connect to the new IP address.

Workaround:
Restart the Edge Client.

Fix:
Now BIG-IP Edge Client resolves the host name during reconnection and initiates full reconnection after an IP address change is detected.


410089-2 : Linux client hangs after receiving the application data

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Linux hangs when connecting to APM configured as Citrix WI replacement.

Conditions:
APM is configured for Citrix WI replacement mode and Citrix Receiver for Linux is used.

Impact:
Unable to use Citrix Receiver for Linux.

Workaround:

Fix:
Now APM correctly handles connections from Citrix Receiver for Linux.


403991-8 : Proxy.pac file larger than 32 KB is not supported

Component: Access Policy Manager

Symptoms:
A proxy.pac file larger than 32 KB is not downloaded, and the Edge Client may fail to provide network access.

Conditions:
BIG-IP APM with the Mac Edge Client and network access, where the proxy.pac URL points to a file larger than 32 KB.

Impact:
User might not be able to access internal resources and Edge Client might go into connect/disconnect loop.

Workaround:

Fix:
BIG-IP Edge Client for Mac now supports proxy.pac files of up to 1 MB; previously, the limit was 32 KB.


394236-3 : MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -

Component: TMOS

Symptoms:
MCP exits unexpectedly and the customer sees a trace in the ltm log file similar to:

Feb 9 12:54:41 localhost err mcpd[9995]: 01070596:3: An unexpected failure has occurred, There is no active database transaction, status: 0 - EdbDbConnection.cpp, line 133, exiting...

Conditions:
Unexpected MCP exit.

Impact:
MCP is already exiting, so there is no impact.

Workaround:

Fix:
Changed ordering of shutdown operations to avoid this error.


384451-6 : Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions

Component: Local Traffic Manager

Symptoms:
SSL per-virtual stats might cause SSL profile cert/keys/chain to be instantiated per-virtual server.

Conditions:
This occurs when using cert/keys/chain in SSL profile virtual servers.

Impact:
In this case, cert/keys/chain are duplicated and those duplicates might cause excessive memory use and disk activity which might lead to SIGABRTs and low-memory conditions.

Workaround:

Fix:
Improved memory management when there are duplicated keys or certs.


376120-4 : tmrouted restart after reconfiguration of previously deleted route domain

Component: TMOS

Symptoms:
When a non-default route domain is configured for dynamic routing, then subsequently deleted and re-added, tmrouted might restart.

Conditions:
Non-default route domains in use.

Impact:
Dynamic routing for all route domains is interrupted.

Workaround:

Fix:
tmrouted no longer restarts when reconfiguring a previously deleted route domain.


361367-3 : Create 8MB-aligned partitions/volumes for VE images to improve disk I/O

Component: TMOS

Symptoms:
On certain configurations or hypervisors, the local disk subsystem might reside on a network share or on SSD drives. In such cases, I/O performance degrades significantly if operations are not aligned on a 4K/8K/64K/1MB boundary (depending on the actual disk subsystem).

Conditions:
Disk subsystem used by the hypervisor is on network share, SAN or SSD disk(s).

Impact:
Low I/O performance on certain configurations where disk subsystem is on network share, SAN or SSD disk(s).

Workaround:

Fix:
We changed the policy for partition creation to align partitions on an 8MB boundary. This is much more aggressive than current disk requirements and will remain relevant for a long time to come.




Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release


TMOS Fixes

ID Number Description

441512-4

Sync now completes successfully, without sflow error.

468021-3

"wom-default-clientssl" and "clientssl-insecure-compatible" were added to two fixup scripts, and code to prevent infinite recursion was added to another script.

468514-4

Ensures that only one sync for a given commit transaction is sent to the remote peer.

473409-1

Added backend support, so this stat reset now works.

473641-1

No memory leak occurs even if a tunnel FDB endpoint is missing in the configuration and that endpoint sends traffic to the BIG-IP.

474166-4

The ConfigSync operation completes successfully, and the sFlow error no longer occurs.

474332-3

F5 will start releasing "base installable" VM images as part of hotfix releases. The VM images consist of the base RTM with the hotfix installed on top of it. Such images are ready for deployment without the need to apply the hotfix as an additional step.

474805-1

Internal build improvement.

475829-1

The public key for ssh access is obtained from the AWS metadata service on first boot.

476126-1

The latest Emulex NIC driver was included in 11.5.1-HF5. It supports SR-IOV and VLAN tagging when Emulex NICs are used.

477031-2

No TMM restart when deleting multiple VXLAN tunnels with flooding type multipoint.

479152-5

This release includes functionality to leverage hardware parity error mitigation capabilities, which reduces the number of fatal errors.

479302-3

Removed the seldom-used internal debug table, which eliminates the periodic accesses.

479359-1

The no-platform-check option now bypasses the platform check, which allows the user to load UCS files from other platforms.

481073-1

Add needed attributes to AMI name during generation.

481135-1

The pool members of a wideip in Link Controller can now be modified from the GUI pool member page.

481410-3

The Automated Phone Home update check time is randomized to prevent an intermittent problem that occurred when all machines accessed the service at once.

482233-1

Improved the internal build script that generates Cloud images.

482943-1

Internal build changes when deploying to Cloud.

483228-3

This release fixes an intermittent race condition in the terminate handler of the icrd_child process, so the process no longer crashes and generates a core.

483436-1

Update to AWS License files

484399-2

OVA will only create 1 slot and leave the remaining disk space free.

485352-1

The system now correctly handles configuration load when there is no APM license.

485812-2

CVE-2014-3660: Libxml2 vulnerability.

486137-3

Activation function has been modified to eliminate dependency on the MCPD.

487567-4

This was due to an inconsistency in the DoS profile attachment logic. The problem is now fixed, and those affected should be able to attach such profiles together with their required profiles at the same time without any issues.

492367-4

CVE-2014-8500.

492368-5

CVE-2014-8602.

492809-4

An issue has been fixed that resulted in a small, periodic mcpd memory leak associated with APM stats.

493275-3

Improved F5 automated testing.

494078-4

The fix strengthens certificate validation, including hostname verification.

497062-1

When the PEM policy is modified while the system is processing live traffic, PEM now initiates policy re-evaluation and BWC is attached correctly to the policy, so no memory leak occurs.

497719-1

CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, CVE-2014-9296

497870-1

When the PEM policy is modified on live traffic, PEM initiates policy re-evaluation. As part of this process, BWC is internally detached and re-attached. During this, the flow-active flag is not cleared, so memory is not released when the flow is released.

503237-8

CVE-2015-0235 is fixed.

474172

Improved automation for F5 testing.

475928

Improved Hot Fix installation.

477524

F5 disabled ssh for the root account on VMs in the Amazon cloud (after Amazon mandated it) and enabled ssh permissions for the built-in admin account. The default shell for the admin account is tmsh (instead of bash). On all new Amazon deployments, all management tasks should be done through the admin account.

477959

Internal structure improvements, no customer facing functionality changes have been made.

478662

Shun-Category infrastructure code fix.

478896

The internal/dev license for Hourly Billing AMIs has been replaced with proper production license.

483511

Increased the timeout after starting VM.

486638

Internal build improvement for AMI generation.

499880

Improved installer for HFR.

501320

Recompile iControl, zrd and TS when upgrading BIND.


Local Traffic Manager Fixes

ID Number Description

437627-5

Improved handling of a fragmented packet that could cause a crash if using a fastL4 profile.

463902-3

Flat-buffer allocator for hardware compression tuned to be less greedy.

472944-3

SMTP commands received after STARTTLS will be correctly buffered by SMTPS profile until the SMTP server is ready to receive them.

474757-15

OpenSSL Security Advisory 8/6/14 (1.0.1i Update).

475055-3

Resolved a core caused by an accounting miscalculation of Nitrox I/O flows.

477394-1

Passive FTP using FTP range iRule no longer causes out-of-ports reset.

477924-1

Select provider in previously unknown case, prior to reference. New feature defers selection of provider to improve provider selection behavior.

478812-2

With this fix, zone data is no longer vulnerable to corruption from power loss.

483328-4

SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.

483974-2

Unrecognized options are now ignored.

484429-4

TMM still logs critical-level messages, but the system functions properly and traffic is not affected.

484948-1

Resolved a problem where functions were called twice, which caused the iRule to abort.

490225-3

GTM/mcpd now checks for an existing key and does not import keys that already exist.

492780-1

Updated Elliptic Curves Extension to support more types of clients.

502174-4

DTLS ClientHello fragments are now handled.

476281

tmm no longer crashes when server_key and client_key variables are uninitialized.


Global Traffic Manager Fixes

ID Number Description

495311-4

Resolved build issues to install updated library and include files.


Application Security Manager Fixes

ID Number Description

438809-6

To improve brute force mitigation, we made the following changes:
- We added a new internal parameter: bf_num_sec_per_value. This defines how many seconds make up a single measurement unit for failed logins. For example, if you want to configure 7 failed logins per 5 seconds, in the Configuration utility configure "7" as the threshold value (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen), and from the command line configure "5" as the value of this internal parameter. If this value is configured, the system detects an attack only by the threshold (and not by the increase), and all traffic from suspicious IP addresses is blocked. The default value for the internal parameter is 1 second.
- In the Configuration utility, we removed the validation for all the threshold and minimal values. You can now use very low values, such as 1 or 2, in the detection and suspicious criteria.
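An added example of what the threshold and bf_num_sec_per_value pair mean when applied to a stream of login events. This is not ASM's code: the page defines the parameter as the number of seconds in one measurement unit, and this illustration assumes failed logins are counted per source IP in fixed time buckets of that many seconds, with an IP flagged as soon as its count in one bucket reaches the threshold. The event list is constructed sample data.

```python
# Added illustration of the bf_num_sec_per_value semantics described for
# ID 438809-6. Not ASM's code: it assumes failed logins are counted per
# source IP in fixed buckets of bf_num_sec_per_value seconds, and that an
# IP is flagged as soon as one bucket reaches the threshold.
from collections import defaultdict


def detect_brute_force(events, threshold, bf_num_sec_per_value=1):
    """Return the set of source IPs whose failed-login count reaches
    `threshold` within a single measurement unit of bf_num_sec_per_value
    seconds.

    events: iterable of (timestamp_seconds, source_ip, login_succeeded).
    """
    failures = defaultdict(int)  # (ip, bucket) -> failed login count
    flagged = set()
    for ts, ip, succeeded in events:
        if succeeded:
            continue  # only failed logins count toward the rate
        bucket = int(ts // bf_num_sec_per_value)
        failures[(ip, bucket)] += 1
        if failures[(ip, bucket)] >= threshold:
            flagged.add(ip)
    return flagged


# Constructed sample: 203.0.113.5 fails 7 times within 4 seconds,
# 198.51.100.9 fails 7 times spread over a minute, 192.0.2.1 logs in once.
SAMPLE_EVENTS = [
    (100.0, "203.0.113.5", False), (100.4, "203.0.113.5", False),
    (101.0, "203.0.113.5", False), (101.5, "203.0.113.5", False),
    (102.0, "203.0.113.5", False), (102.7, "203.0.113.5", False),
    (103.2, "203.0.113.5", False),
    (90.0, "198.51.100.9", False), (100.0, "198.51.100.9", False),
    (110.0, "198.51.100.9", False), (120.0, "198.51.100.9", False),
    (130.0, "198.51.100.9", False), (140.0, "198.51.100.9", False),
    (150.0, "198.51.100.9", False),
    (101.0, "192.0.2.1", True),
]

if __name__ == "__main__":
    # "7 per 5 seconds" catches the burst; the 1-second default does not,
    # because no single second holds 7 failures.
    print(detect_brute_force(SAMPLE_EVENTS, threshold=7, bf_num_sec_per_value=5))
    print(detect_brute_force(SAMPLE_EVENTS, threshold=7))
```

The comparison in the usage shows why the note pairs the two settings: with the default of 1 second, a threshold of 7 only triggers on seven failures inside one second, so a burst of seven failures over four seconds passes; setting bf_num_sec_per_value to 5 makes the same threshold mean "7 per 5 seconds".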

441239-1

Event Correlation is now enabled on vCMP guests if the disk is SSD, but only if the host is running BIG-IP version 11.6.0 or later.

450241-3

EM can now discover ASM devices.

467776-1

We moved the Guardium message notification from the RESPONSE event to the RESPONSE_DONE event.

469786-1

When web scraping mitigation configuration mode is set to Alarm (log) and there is an ASM iRule, the iRule no longer displays requests as being blocked when they are actually logged and not blocked.

470779-1

The Enforcer now excludes session awareness violations when counting illegal requests for session awareness actions. Previously, these violations were counted and therefore prematurely caused the session status to be "Blocked".

473410-1

Policy Diff no longer fails when trying to merge a missing URL to another security policy.

474430-1

We fixed a rare problem in the Web Scraping mitigation, where a client session would not be restored by fingerprint.

475135-1

We fixed a problem where the system would become OFFLINE when moving the system time backwards soon after provisioning ASM or FPS.

475856-1

The Enforcer no longer crashes when Base64 Decoding is enabled on a wildcard cookie.

475861-1

Requests are no longer reset when session awareness is enabled, log all requests is enabled for a session, and a large POST request (greater than 10 MB) is sent when the "buffer exceed max length" violation is disabled.

476179-1

Brute force reporting: The brute force reported operation mode (Transparent or Blocking) is now the same when the attack starts and ends. Previously, sometimes the system would change the operation mode logged when the attack ended.

476191-1

To enable you to bypass unicode validation on XML and JSON profiles, we added two internal parameters:
- relax_unicode_in_xml: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce an XML malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's XML parser.
- relax_unicode_in_json: The default is 0, which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce a JSON malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's JSON parser.

477432-6

We fixed an error that caused the Enforcer to core if you tried to roll forward a system configuration containing an iApp (application service) from version 11.3.0 or earlier.

478672-1

We fixed an issue that sometimes caused ASM to run out of memory.

478876-2

After a system restart, a BIG-IP with ASM provisioned and many active accounts no longer restarts repeatedly, because ASM is now marked 'ready' only after the Enforcer successfully completes a full start-up sequence.

481792-1

We fixed an issue where specific requests sometimes caused the Enforcer to crash.

489705-2

We fixed an issue where the system parsed a large multipart file upload as XML. Doing so caused unnecessary memory allocations, which could cause the Enforcer to run out of memory. The following error message was displayed: "ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing".

492570-1

After upgrading to BIG-IP version 11.6.0, using Internet Explorer 8, there is no longer the JavaScript error "Object doesn't support this action" when using the CSRF protection feature. Note that despite the error message, there was CSRF protection.

496011-1

Connection resets no longer occur when session awareness is enabled and the server response takes a long time.

496845-1

We fixed a vulnerability in the Tree View screen.

496849-1

We fixed a vulnerability in the update retrievals from the F5 website.

504232-1

We fixed an issue that caused false positives or a lack of enforcement (such as not blocking) when attack signatures were updated or modified.

477846

Deleting a URL that is part of a parameter extraction from the security policy, while the Automatic Policy Builder is enabled and a URL extraction update is in progress, no longer causes the Policy Builder daemon to crash.


Application Visibility and Reporting Fixes

ID Number Description

467945-3

We fixed an issue where the system incorrectly displayed the following warning message in the AVR monpd log: "Some rows of load_stat_asm_http_ip_xxxxxxxxxx.x not loaded (xxxxx rows affected)"

472969-1

The maximum number of AVR profiles in the system is 264. When trying to create more than 264 AVR profiles, MCP now generates the following message: "Can't generate more than 264 AVR profiles." and the profile will not be created.

474251-1

IP addresses are now properly cleaned from the lookup tables, which makes room for new IP addresses to be collected.

475439-1

Fixed synchronization problem in AVR lookups that sometimes caused TMM and other daemons, such as the Enforcer, to crash.

478346-1

We fixed an issue that sometimes caused the system to collect incorrect AVR statistics.

480350-1

We fixed an issue that intermittently caused TMM to crash when APM and AVR are provisioned together.

481541-1

Memory leak in the monpd daemon that occurred in some situations has been resolved.

486288-1

Fixed synchronization problem in AVR lookups that sometimes caused TMM and other daemons, such as the Enforcer, to crash.

489682-1

A configuration load failure no longer occurs after creating an ASM predefined report in a previous version and upgrading.

493825-1

After saving a custom filter based on a client IP address in the Requests logs, loading the configuration, or upgrading from it, no longer fails.

496560-1

We fixed an issue that intermittently caused TMM to crash when APM and AVR are provisioned together. This is an additional fix on top of the one provided in ID 480350.

496624-1

Supports ID 496560 for better handling of ingress events.

499299-1

This is a duplicate of ID 475439.

472607

VCMP: We fixed an issue where the system incorrectly displayed the following warning message in the AVR log: "HTTP Main, got an entity with invalid key".

476336

Resolved an issue leading to a tmm core when multiple modules are provisioned, including ASM, APM, AFM, ADM and AVR.

499036

We fixed an issue where, in some cases, AVR data contained duplicated rows, which caused errors when saving the data in MySQL.


Access Policy Manager Fixes

ID Number Description

398657-8

The active session count graph no longer becomes significantly large at times due to a counter underflow.

400726-4

We don't support multi-valued SAML attributes inside a SAML assertion.

403660-5

Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.

407350-4

Client-side checks, such as antivirus/firewall, file, and process checks, are skipped for Windows Phone 8.

418850-1

AD may now be the last auth agent in the VMware View access policy. The username, password, and domain are preserved and then passed to the backend.

421901-2

showrestorebutton:i:0 can be specified in RDP Custom Parameters. Users just won't see this 'Restore down' button anymore.

428387-2

BIG-IP as IdP can now successfully create SAML assertions even when BIG-IP configuration contains special XML characters.

431810-5

Processing is now provided for exceptions that could occur when using a Kerberos auth agent in a multi-domain SSO configuration.

432102-6

BIG-IP as SAML IdP or SP now URL encodes/decodes RelayState parameter.

432423-5

Added support for generating license usage alert when threshold is crossed.

438730-5

Fixed BSOD caused by DNS relay filtering driver in very specific condition on Windows XP SP3.

439518-3

Users can now sync the changes to all location-specific configuration, such as optimized-app in network-access or a pool item in a pool, once 'Use Source Configuration on Target' is set to YES in the policy sync dialog.

441355-1

Improved VMWare View native client error reporting and prompting for the new password.

447013-4

Browser detection JavaScript improved to support Internet Explorer 11.

447302-3

APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.

450033-5

Windows View client 2.3 can consistently launch desktops via APM.

454493-1

VMWare View applications are available on APM webtop now.

455284-4

Firewall rules no longer incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.

456403-2

Now APM supports native StoreFront protocol when APM is configured in proxy mode with Citrix StoreFront. To enable this protocol with existing configurations please recreate accounts in Citrix Receiver clients.

458928-5

The session variable replacement function returned no error even if the session variable was not found in the local cache in the APMD use case, so the Kerberos authentication agent tried to dereference a null authparam pointer and APMD cored. With this fix, if an authparam is not found in the local cache, an empty string is returned to the caller.

462727-1

Fixed to allow for "ACCESS::session create" iRule to work even when an Access Policy is not attached to the virtual.

463230-1

After the fix, aced can restart the child process only; there is no need to exit the main process and restart all children.

463776-2

VMware View client does not freeze when APM PCoIP is used and user authentication fails against VCS 5.3.

464547-1

Now VMware View client will show proper message when user enters invalid credentials.

466325-6

Continuous policy checks no longer kill the session if some configuration that is configured to be ignored changes on the client side.

466797-6

Now EdgeClient shows warning about session expiration when maximum session timeout is reached.

466877-6

Issue with signature validation is fixed.

467849-6

Split tunnel is improved when connecting to a FirePass with an APM build of the Edge Client.

468478-5

When the 32k storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.

469100-5

JavaScript index expressions with a list of values are now correctly rewritten by Portal Access.

469960-1

In this fix we implemented a throttling mechanism, so that when the number of fds in the queue reaches a certain threshold, apd stops accepting new requests until the number of fds in the queue decreases to a defined level. We introduced three db variables:
- one to enable or disable throttling
- a high water mark beyond which release of any connection handle is stopped
- a low water mark at which further connections from tmm are allowed again

470205-2

After a policy sync operation, the Policy Sync history file objects no longer remain within the /config/.../policy_sync_d directory.

470225-4

Machine Certificate Checker now works correctly in Internet Explorer 11.

470414-4

Portal Access no longer crashes when rewriting some incorrect flash files.

471014-14

CVE-2014-2970 - Openssl improvements.

471714-1

The APM Email agent now generates emails using CRLF at the end of the header and as a separator between the header and the email body, conforming to RFC 5322.

471769-1

Infrastructural changes for VMware View 6 support.

471772-1

APM now supports VMware View application remoting.

471825-3

The Email agent was updated to comply with RFC 5322 to include the "Date:" header.

471874-1

Fixed rare crash of VDI plugin during processing of VMware View client connection.

472099-2

DisableCaptivePortalDetection registry key doesn't work as expected. This is now fixed.

472216-2

Fixed alignment of the connection duration counter for customized Edge Clients.

472825-2

Dashboard no longer displays a dip in the active session count when the primary blade comes back from a reboot.

473344-6

With the fix, APMD evaluates the return code from the agent name lookup and sets the access policy result to ACCESS_POLICY_RESULT_ERROR in case of a null agent pointer.

473377-5

Fixed to accept the NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

473386-4

Improved Machine Certificate Checker matching criteria for the FQDN case.

473728-3

Now absolute action path for any form in HTML page is rewritten correctly at submit time.

474058-5

Prevented a crash: APD could restart when BIG-IP is configured as a SAML Service Provider and receives a signed assertion that contains an empty "Reference URI" in the Signature element.

474231-5

Access policy changes are now handled gracefully.

474392-1

Code signing of executables (app, plugin and installer) has been updated to Apple's latest (v2) signature requirement.

474532-5

Proper validation was added to check correct messages were received on proper URL. Logging was added for failing cases.

474730-5

Forms with an absolute action path and a tag with id=action inside are now handled correctly.

474757-4

OpenSSL Security Advisory 8/6/14 (1.0.1i Update).

474788-1

Infrastructural changes for VMware View 6 support.

475049-1

In this release, the DC FQDN list for an NTLM Auth Configuration is mandatory. Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line (dc-fqdn-list { }) for each NTLM auth configuration, as shown in this example:

    apm ntlm ntlm-auth ntlm_test {
        app-service none
        dc-fqdn-list { dc01.example.com }
        machine-account-name mdc1
        partition Common
        service-id 2
    }

475148-1

Microsoft RDP Client for Mac OS X ver. 8.0.9 now correctly works with BIG-IP APM.

475163-5

Now HTML forms without action attribute are handled correctly.

475262-1

Resolved an issue where, when APM is configured with a URL ("https://...."), the Edge Client for Windows did not resolve the APM hostname while reconnecting.

475360-6

Resolved an issue where the Edge Client remembered a specific virtual server URI after being redirected.

475363-6

Additional ECA data plane security hardening against an empty configuration. This works together with BZ 475049 on the control plane side.

475650-5

Fixed an issue that caused tmm to occasionally restart when processing SLO messages.

475682-6

EAM used to send multiple cookies headers in HTTP message. Multiple HTTP headers like this are treated as comma-separated by some receivers. Now EAM adds a single Cookie header with the cookies delimited by semi-colon.

475770-1

Improved routing table management for two or more network interfaces.

475847-3

Now tag end is determined correctly in case of dynamically created content.

476032-1

Now EdgeClient disconnects from Firepass smoothly without delays.

476033-1

Added support for the Microsoft Remote Desktop 8.0.8 client for iOS working via APM as an RD Gateway.

476133-1

_lastUseTime in OAM ObSSOCookie is updated on successful authentication and authorization process.

476736-2

For a certain set of IPv6 link-local addresses, the IPv6 network access tunnel could fail due to a listener lookup failure. This code change fixes the issue.

477138-1

VMware View Desktop/Application pools with the same display name can now be launched from APM Webtop.

477274-8

Fixed a crash in mcpq with bad user input.

477445-1

Client modified to restore routing table state and select active interface (on a system connected to the same network segment through multiple interfaces).

477474-3

HTML Attributes with names using '-' are now handled correctly in Portal Access.

477540-1

apmd no longer crashes with a null Tcl interpreter object when used with the ACCESS::policy evaluate iRule command.

477642-5

In Portal Access assignment of empty string to location.hash property no longer causes page reload loop in Firefox.

477841-1

Safari 8 will now properly use the admin-defined proxy settings if available.

478115-5

The action attribute value of a form HTML tag is now properly rewritten in the Minimal Content Rewriting mode when it starts with a "/".

478214-1

APM's Native RDP Proxy now allows users to authenticate without specifying a domain name. Previously the domain name was required.

478285-2

An issue with routing table not being restored correctly in multi-homed environment when server settings disallow local subnet access is now fixed.

478397-1

The AddrInfo structure is now deleted correctly.

479451-1

APM correctly validates Outlook credentials and creates a new APM session for users that come from the same IP and have identical passwords.

479524-5

Portal Access no longer crashes if the URL in a "Refresh" header matches a Portal Access bypass list entry.

480047-1

BIG-IP Edge Client can now generate a CTU report.

480247-5

Edge Client no longer updates its application directory; instead it uses the /Library/Application\ Support/ directory.

480360-5

The Mac Edge Client was fixed so that it does not block TextExpander's functionality.

480827-1

Improved error logging to not show unnecessary messages on default level.

480995-1

APM client components are now using extended logging by default.

481020-1

Resolved an intermittent routing table issue that caused traffic not to flow through the tunnel when the proxy server is load balanced.

481046-5

Wrapper for scriptTag.text='source script' is fixed to rewrite 'source script' for all browsers.

481203-5

When creating a memcache entry, the username is now normalized to UTF-8 lowercase. This ensures there is only one entry for all case variants of a username.

481210-1

After the fix, all values are populated as session variables as expected.

481257-5

CTU report now includes information on "OPSWAT Integration Libraries V3".

482046-1

APM now verifies the user's old password before submitting the new one to AD when the native VMware View client is used.

482260-4

The captive portal probe URL in Edge Client for x64 Windows platforms could not be customized in the same way as on x86 Windows. This is now fixed.

482710-4

The SSLv3 protocol is disabled in APM clients.

483113-1

A cosmetic issue with the server selection menu showing white background is now fixed.

483379-1

An issue with Edge Client consuming high CPU and having unresponsive menu icon is now fixed.

484454-3

Check config snapshots periodically and recreate them if any is missing.

484635-10

CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568: Update OpenSSL to latest.

484847-2

Added registry keys that allow DTLS to be disabled for both the Edge Client and browsers. This allows DTLS to be disabled on a particular client without changing the BIG-IP configuration. To disable DTLS on the client machine, create a registry DWORD value (both keys are valid on both x64 and x86 systems) at either:

    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
    HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\EnableDTLSTransport

and set it to 0.

484856-1

Now when a remote desktop has auto logon enabled and has no resources assigned for the user its folder icon is hidden from APM Webtop.

485304-1

Fixed the root cause of the crash: improper memory management.

485465-3

Fixed a tmm core caused by SLO response/request processing.

485760-1

Issue where SAML metadata Tag NameIDFormat would contain invalid information under certain conditions is now fixed.

485948-5

Machine info agent now differentiates between legacy logon clients and web logon clients by creating 'error' session variable. 'error' session variable is set to 1 when legacy logon clients connect to APM and 0 otherwise.

486344-2

French translation corrected to properly fit buttons in BIG-IP EDGE client on Windows.

487859-1

When importing a Local DB user with no UID set, the code now generates a unique ID and then stores the user details in the database.

488892-3

JavaRDP client session starts correctly now, and the system does not process extraneous input that occurs before the handshake completes.

488986-2

Fixed an issue where PWS could not be entered with IE10/IE11.

489323-1

Code hardening.

489364-1

Now IE window is correctly minimized to tray.

489888-1

The admin UI no longer allows configuring a VDI profile when APM is not provisioned.

490482-1

Fixed to allow for unused macros in an Access Policy.

490811-5

Fixed a rare case where the proxy configuration might not be restored correctly.

491233-1

Fixed rarely happening deadlock in CustomDialer component.

491478-1

EAM is a CMP plugin and spins up one thread per TMM.

491887-1

Fixed to allow for name changes to the macro endings.

492153-2

Edge Client now keeps the DTLS connection until the IP address becomes 'invalid', as expected.

492238-6

TMM no longer restarts when connected to Office 365 as SP initiated SLO.

492844-1

Office 365 generated SAML SLO message no longer causes browser connection to reset.

493164-3

The erroneous security check has been fixed, so accessing some content in a different domain now works as expected.

493487-3

Indirect method call via Function::call() or Function::apply() works properly now.

494098-6

PAC file download mechanism now avoids a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.

494189-1

The clipboard channel now has significantly better performance.

494284-3

Fixed text shown in the German language.

496440-1

The route domain configured in the Visual Policy Editor is now applied to Java RDP connections.

496441-1

The route domain configured in the Visual Policy Editor is now applied to Java AppTunnel connections.

496447-1

The route domain configured in the Visual Policy Editor is now applied to Citrix/View connections when the Citrix/View backend is specified as a hostname/IP in the resource.

496449-1

Session variables are now supported for the backend's address in a Citrix/View resource.

500088-1

OpenSSL library updated to version 1.0.1l.

503924-1

Citrix Receivers can now successfully authenticate when the username or password contains an ampersand and StoreFront is configured without an APM gateway.

471125

Resolved a rare condition that caused the Edge Client to work improperly when the client uses a proxy to connect to BIG-IP.

475143

The errant code was corrected to remove the undefined behavior.

478333

Used the correct flags for MoveFileEx, which allows copying files across volumes.

478491

The fix improves iOS client recognition so that it works for the latest released version.

482833

The RPM file for bigdbd was not included in the rollup package file, which caused a new db variable to be unexposed to the system. Because of this, whenever apd tried to access these db variables it failed and crashed. The issue is fixed by including the RPM file definition in rollup.package.inc.

483601

If the session had expired and a query was made with an Access whitelist and query parameters, the error code in access enforce session state was not set correctly. Setting the error code to ERR_NOT_FOUND fixes the issue.

485396

Online help has been updated to clarify the use of persistent cookies for SSO Across Authentication Domains. Persistent cookies are supported only when a session is started using an LTM-APM access profile type.

485906

APM virtual servers with OneConnect profiles attached to them will no longer cause TMM to crash and restart.

493089

Updated SWG Implementation Guide to specify need to disable Address Translation on virtual server for SSL.

504060

none required


Wan Optimization Manager Fixes

ID Number Description

479889-5

This release resolves memory leaks that occurred when iSession and iControl were configured.

480305-1

Fixed an iControl/iSession memory leak issue; set the proper log level to prevent log flooding.


Service Provider Fixes

ID Number Description

472092-3

The complete request payload goes out to the ICAP server even in the presence of a long-running iRule in ICAP_REQUEST.

476886-3

In this release, if BIG-IP system receives the complete ICAP response from the ICAP server before it has completed sending the ICAP request, and a OneConnect profile is on the IVS, the TCP connection to the ICAP server is terminated and that connection is not reused.


Advanced Firewall Manager Fixes

ID Number Description

429885-6

When operating in firewall (AFM) mode, i.e., default deny, BIG-IP now counts and logs (if enabled) any traffic that does not match a virtual server or self IP and is being dropped/rejected.

442535-5

tmsh modify sys ntp timezone will now send a message to TMM so it will reload the timezone.

469512-2

TMM being aborted by SOD due to a heartbeat miss (when trying to load huge firewall policies) has been fixed.

474896-1

DoS for Application Security now reports suspicious entities only if the application is under attack, or as part of proactive mitigation. DoS for Application Security no longer reports suspicious entities if an attack has not occurred, because this led to logs with empty attack IDs and blank mitigation methods.

477576-1

An iRule using the following commands can now be saved:

    FLOWTABLE::limit virtual
    FLOWTABLE::limit route_domain

477769-1

The TMM crash (panic) is now fixed, and TMM no longer panics in scenarios with SPDY or HTTP Prefetching enabled.

480583-1

The code changes for this bug drop the SIP DoS attack packets. This change also restricts SIP/DNS DoS detection to UDP packets only; SIP/DNS DoS attacks over TCP and SCTP will not be detected.

480903-1

AFM DoS ICMP sweep mitigation performance issues have been alleviated.

481189-2

The load factor controls the minimum percentage of fullness that needs to be reached before the table is expanded to a larger size. Setting it to 25 by default prevents the firewall rule compiler from growing the table size too aggressively, which resulted in a large firewall BLOB.

484245-1

Using the GUI to delete a rule no longer changes ports specified in other rules to 'any.'

485771-1

A crash bug when executing multiple FLOW_INIT events has been fixed.

485787-1

Counters for staged ACL rules now increment even when a match at a broader context is enforced. For example, a staged ACL rule in a policy assigned to a Virtual Server will now have policy counters increment even if an enforced policy assigned at the Global or Route Domain context matches.

493234-1

The version string was changed sometime in 11.5.0, which caused this.

495698-3

Introduced validation to ensure that a referenced iRule cannot be deleted.

495928-5

RDP connections no longer get dropped during AFM firewall policy changes.

496498-3

The aforementioned incorrect behavior has been fixed.

497263-1

This was due to a minor internal inconsistency in the system that oversees the whitelist count, which is now fixed.

497667-2

Validation has been added to block this configuration, and an error message has been added.

497732-2

This is fixed as part of this bug so that only the desired traffic is logged when TCP event logs are enabled.

498227-2

The issue regarding update of incorrect rule counter (after pktclass-daemon restarts) has been fixed.

500640-1

When the virtual server cannot be found, the listener has a NULL connflow, but the context name was being referenced from the cf structure. A NULL check is now performed before dereferencing the context name from the cf structure.

476753

Restored the proper behavior, which is the correct error messages being returned.

476755

The Shun-global category, initially created for global shun enforcement, is no longer present.

476763

Resolved issue found by internal F5 testing in shun processing to make system more reliable for customers.

477964

Shun bug fix. Shun documentation updated for this build release.

478493

'tmsh show info' command now shows correct value for action from IP Intelligence lookup.

478631

IP Intelligence now rejects ip-ttl values that are above 2^31. This value determines how long an IP address will be shunned.

478644

dwbld now waits for mcpd to completely initialize, preventing a core.

478816

Added an enhancement that allows logging TCP events and errors on a fastL4 virtual.

480194

Perform the VS DWBL lookup after an accept-decisive firewall rule match at the global level.

480196

A fix was already put into the code for this problem.

480623

Category defaulted to whitelist when a valid category was not specified.

480826

This fix allows the user to use "infinite" as a valid input to tmsh.

496036

When attempting to apply an ASM policy to a virtual server that is using LTM forwarding, the GUI no longer returns an error: "An error has occurred while trying to process your request."

497342

The aforementioned TMM crash has been fixed.

498785

Black List Classes is now correctly referred to as Black List Categories in AFM 11.6.0 IP Intelligence, which makes the term consistent across the GUI versions.


Policy Enforcement Manager Fixes

ID Number Description

453959-3

tmsh modify sys db tmm.udp.ttl.mode value "decrement"

472860-3

The session statistics for sessions created by RADIUS are now incremented whenever the user runs an iRule on the RADIUS virtual that creates a new session.

474638-1

Custom attribute for create or update no longer harms the policy list.

476705-1

After the fix, TMM does not crash when receiving the RADIUS message specified in the above condition.

476904-2

Adjusted logging levels to remove potentially confusing messages.

478950-2

The issue has been fixed so that DHCP profile with Radius AAA authentication will always function as expected.

479917-1

The fix resolves the crash, so that a new IP address can be added to an existing session through a RADIUS interim update message.

481373-1

TMM no longer cores when deleting a Radius profile.

481950-1

Manually edit bigip.conf to remove the udp{} profile and instead add a dhcpv4 or dhcpv6 profile under this virtual. You also need to set the mode of operation (relay or forwarding) in the profile you are attaching. Forwarding mode works with unicast DHCP traffic, while Relay mode works with broadcast or multicast traffic.

482137-1

TCP iRules have been added to the PEM space and are thus functioning properly.

483798-1

This fixes the crash when using PSC::ip_address with the RADIUS authentication process.

484095-1

Fixes the tmm crash; RADIUS accounting messages with multiple IPv6-prefix values are now parsed correctly.

487512-1

Bittorrent classification is now enabled in Qosmos by default.

489754-1

To keep backward compatibility, the following fields are still present, but the values of the *-usec fields listed below are now 0, indicating that they are not meaningful; they are retained only so that users' existing scripts do not break.

    For session: last-sent-usec, timestamp-usec, module-id
    For flow: flow-start-time-usec, flow-end-time-usec, timestamp-usec

479450

Bug fix in classification library that caused SSL traffic not to be forwarded to the destination.


Global Traffic Manager Fixes

ID Number Description

482442-5

State changes for wideips should be updated correctly when the "Update" button is clicked in the GUI wideip properties page.


Firepass Fixes

ID Number Description

475414-1

Data integrity data is no longer sent when it is not required.

493607-1

A TMM core that was found during performance testing was fixed.

473732

If encryption is disabled, an alert is sent with the correct username.

473771

Fixed the client_request_uri field in the Browser Automation alert.

474469

Repeating identical alerts are now prevented.

475267

All alerts are sent only to the customer's BIG-IP. From there, the customer can decide where they are sent.

477429

Phishing referrer checks are now performed in requests to all URLs, including those ones that are not configured as protected URLs.

477431

Malware alerts are no longer sent from phishing sites when the domain does not match the expected domain of the virtual server.

477891

An automatic transaction alert is now also sent when a Transaction data cookie is missing in a request.

478147

Fixed alerts in IE9.

478297

The JS engine update is included in the hotfix.

478497

Irrelevant alerts are stopped if phishing is detected.

478859

Fixed phishing alert details.

478868

A validation was added that disallows configuring a parameter with both “Encrypt” and “Identify as Username” settings enabled together.

479742

We fixed a memory leak in the FPS plugin when alerts are sent by the BIG-IP.

480359

Fixed user inspection in Internet Explorer 9.

481463

The user inspection logic has been fixed.

482034

False positives are now prevented.

482060

The false positive has been fixed.

482788

Source integrity alerts are now sent with non-empty GUID field from the BIG-IP.

482864

The vHTML GUID alert is now also sent in requests to FPS URL paths and locations in addition to protected URLs, and it is sent only when both GUID and username values are present.

482865

The handling of certain cases of parameter decryption failure was fixed.

483109

A TMM core that was found during automation testing was fixed.

484020

If Identify as Username is enabled for a parameter, the Encrypt checkbox becomes grayed out.

484032

When creating or modifying URL properties in an anti-fraud profile, under the Parameters tab, there is the following limitation: If Identify as Username is enabled, Encrypt is permanently disabled. And if Encrypt is enabled, Identify as Username is permanently disabled.

484379

Alerts have been reordered.

485253

Enabled protection on a complete directory of protected URLs.

486001

Fixed the application layer encryption for certain situations.

486310

Enabled protection is queried before requests are sent.

486820

WebSafe signatures were updated.

487553

Improved alerting for Fraud Protection Service (FPS).

489929

Added HTML information to external source alerts.

489933

Signatures updated.

490841

A false negative mandatory words alert in Internet Explorer 8 has been fixed.

491155

Added fail-over mechanism for phishing alerts.

491168

The Encrypt checkbox is now grayed out for a new parameter when Application Layer Encryption is disabled under URL Configuration.

491370

A false positive mandatory words alert in old Firefox versions has been fixed.

491389

Phishing referrer checks are now correctly ignored for the configured URLs.

492549

FPS JavaScript is now injected only into responses with 2xx status codes.

492918

A false positive mandatory words alert in Internet Explorer has been fixed.


Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release


TMOS Fixes

ID Number Description

478791-1

Improved automated test suites for more platforms coverage to ensure high quality releases.

484635-1

CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568: Update OpenSSL to latest.


Local Traffic Manager Fixes

ID Number Description

451218-2

CVE-2014-8730: Corrected Nitrox TLS padding.

485188-1

When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.

488208-1

Proper upgrade to OpenSSL 1.0.1j.


Global Traffic Manager Fixes

ID Number Description

487808-3

Link cost and inbound link path load balancing software support has reached EOL. (See Solution 15834)


Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release


TMOS Fixes

ID Number Description

410101-3

F5 support for new platform hardware.

467693-1

sysObjectID OID now correctly returns the appropriate BIG-IP platform.

471436-1

F5 support for new hardware platforms.

472310-2

F5 support for new hardware platforms.

472767-1

Adding slots to running guests with host-iso can become stuck.

473772-1

F5 support for new hardware platforms.

476521-2

Use a true timeout instead of a retry limit when deciding to give up initializing the FIPS device, and subsequently power cycle the unit to recover the FIPS device.

479374-5

VIPRION C4800 backplane interfaces are now given proper settings to prevent unidirectional traffic issues.

480264-1

F5 support for new hardware platforms.

473210

F5 support for new hardware platforms.

473509

F5 support for new hardware platforms.

473748

F5 support for new hardware platforms.

473772

F5 support for new hardware platforms.

476475

F5 support for new hardware platforms.

476725

F5 support for new hardware platforms.

477098

F5 support for new hardware platforms.

477676

The new bitstream was integrated to fix the following issues:
1) Fixed bug 474323: Aluminum bitfile IPv6/IPv4 collision eviction bug.
2) Fixed bug 475543: epva_cc_fsd_cntl.sv has typos that can lead to FIFO overflow and HDE hang.
3) Fixed bug 461245: [DOS WL] IP fragment packets don't do WL match on ipproto field in HW.

478948

On BIG-IP 10000/12000 Series platforms, the system no longer reports a secondary DC power supply that is installed, but not powered on, as an AC power supply, when power is applied to the secondary DC power supply.

479181

F5 support for new hardware platforms.

479583

F5 support for new hardware platforms.

479585

F5 support for new hardware platforms.

479586

F5 support for new hardware platforms.

479588

F5 support for new hardware platforms.


Local Traffic Manager Fixes

ID Number Description

477571-1

HTTP/2 supports IETF HTTP-WG http2-draft-14.


Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release


TMOS Fixes

ID Number Description

480931-1

ShellShock bash vulnerability has been fixed with upstream patches for CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.






Known Issues in BIG-IP v11.6.x


Functional Change Issues

ID Number Severity Description
515764-1 2-Critical PVA stats only being reported on virtual-server and system-level basis.
560405-6 3-Major Support optional target IP address and port in the 'virtual' iRule API
545263-4 3-Major Add SSL maximum aggregate active handshakes per profile and per global
493250-2 3-Major BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled
451433-7 3-Major HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)
425331-2 3-Major On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID
374067-4 3-Major Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
368824-3 3-Major There is no indication that a failed standby cannot go active.


TMOS Issues

ID Number Severity Description
583936-3 2-Critical Removing ECMP route from BGP does not clear route from NSM
574116-2 2-Critical MCP may crash when sync'ing configuration between device groups
568889-2 2-Critical Some ZebOS daemons do not start on blade transition secondary to primary.
563064-1 2-Critical Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
561814-1 2-Critical TMM Core on Multi-Blade Chassis
560683-3 2-Critical HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound()
559034-1 2-Critical Mcpd core dump in the sync secondary during config sync
557144-3 2-Critical Dynamic route flapping may lead to tmm crash
530903-1 2-Critical HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade
518197 2-Critical Modifying the default antifraud profile causes device group sync failures
513151-8 2-Critical VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.
512634-3 2-Critical Add logging to indicate the nitrox3 compression engine is stalled.
506274-2 2-Critical TMM crash/core seen when a traffic-selector is created Action discard
493950-3 2-Critical Virtual Server with misconfigured profiles may block upgrade
493053-2 2-Critical Route domains' firewall policies may be removed after sync
491717 2-Critical No eud.log found on /var/tmp for 7000 series and 10000 series
481647-5 2-Critical OSPF daemon asserts and generates core
477611-3 2-Critical ICMP monitor does not work on DAG Round Robin enabled VLANs
473527-2 2-Critical IPsec interop problem when using AES-GCM.
592194-2 3-Major HSB transmitter failure on 5250 in vCMP guest
591104-3 3-Major ospfd cores due to an incorrect debug statement.
590938-2 3-Major The CMI rsync daemon may fail to start
590904-5 3-Major New HA Pair created using serial cable failover only will remain Active/Active
589698 3-Major HSB lockup on B2100 (A109) blade with vCMP running v11.6.0 final
589338 3-Major Linux host may lose ECMP routes on secondary blades
586878-2 3-Major During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
584583-1 3-Major Timeout error when attempting to retrieve large dataset.
583754-5 3-Major When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
583475-2 3-Major The BIG-IP may core while recompiling LTM policies
583285-3 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-2 3-Major BWC policy in device sync groups.
580499 3-Major Can't disable default admin on chassis
579694-2 3-Major Monitors may create invalid configuration files
579565-1 3-Major FIPS (ngfips) card-sync fails due to its lacking ability to properly handle "\" in the SO (security officer) password.
577831 3-Major VE does not boot without a vga console
577785 3-Major Loading sys config might fail after removing NICs for VE
577440-1 3-Major audit logs may show connection to hagel.mnet
576807-1 3-Major Firewall policies assigned to route domain may not sync across HA
576305-3 3-Major Potential MCPd leak in IPSEC SPD stats query code
575735-2 3-Major Potential MCPd leak in global CPU info stats code
575726-2 3-Major MCPd might leak memory in vCMP interface stats.
575716-2 3-Major MCPd might leak memory in VCMP base stats.
575708-2 3-Major MCPd might leak memory in CPU info stats.
575671-2 3-Major MCPd might leak memory in host info stats.
575660-2 3-Major Potential MCPd leak in TMM rollup stats stats
575649-2 3-Major MCPd might leak memory in IPFIX destination stats query
575619-2 3-Major Potential MCPd leak in pool member stats query code
575608-2 3-Major MCPd might leak memory in virtual server stats query.
575595-1 3-Major Potential MCPd leak in eviction policy stats.
575591-2 3-Major Potential MCPd leak in IKE message stats query code
575589-1 3-Major Potential MCPd leak in IKE event stats query code
575587-2 3-Major Potential MCPd leak in BWC policy class stats query code
575027-2 3-Major Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
574045-2 3-Major BGP may not accept attributes using extended length
573757 3-Major Virtual servers configured with CMP enabled on a chassis can cause cascading primary blade failures when synced across a device group
572246 3-Major When a rewrite profile using the default settings is attached to a virtual server, all layer 3 connectivity will begin to fail.
571333-1 3-Major fastL4 tcp handshake timeout not honored for offloaded flows
571210-4 3-Major Upgrade, load config, or sync might fail on large configs with large objects.
571019-3 3-Major Topology records can be ordered incorrectly.
570845-2 3-Major Configuration Infrastructure Should Reject Invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy
570839 3-Major IPSEC IKE-v2 Peer UI does not prevent configuration of 'NONE' option using Microsoft Internet Explorer.
570818-2 3-Major Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
570419-2 3-Major Use of session DB on multi-process appliances and blades may core.
569280-1 3-Major BIG-IP does not delete the SA on peer box after erase/modify ike-peer
569236-4 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
568182-1 3-Major IPsec is not sending phase 2 delete
565534-2 3-Major Some failover configuration items may fail to take effect
565137-1 3-Major Pool licensing fails in some KVM/OpenStack environments
562452 3-Major Perpetual 'Loading...' banner when updating values in GUI System :: Preferences.
562044-2 3-Major Statistics slow_merge option does not work
559939-2 3-Major Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
559080-3 3-Major High Speed Logging to specific destinations stops from individual TMMs
558779-6 3-Major SNMP dot3 stats occasionally unavailable
557155-4 3-Major BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
557059-2 3-Major When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang
555905-3 3-Major sod health logging inconsistent when device removed from failover group or device trust
555039-2 3-Major VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
553795-4 3-Major Differing certificate/key after successful config-sync
552176-1 3-Major LTM v11.6.0 iControl REST transactions with multiple commands do not work as expected
549971-5 3-Major Some changes to virtual servers' profile lists may cause secondary blades to restart
548385-3 3-Major iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
547047-3 3-Major Older cli-tools unsupported by AWS
546410-2 3-Major Configuration may fail to load when upgrading from version 10.x.
546085-2 3-Major On shutdown, SOD and other daemons very infrequently core due to an internal processing error during the shutdown.
545946-2 3-Major Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load
545745-2 3-Major Enabling tmm.verbose mode produces messages that can be mistaken for errors.
545214-2 3-Major OSPF distance command does not persist across restarts.
544989-2 3-Major distance cli command without access name in OSPF posts a memory allocation error.
544906 3-Major Issues when using remote authentication when users have different partition access on different devices
544463 3-Major The BIG-IP system's management port drops egress Ethernet multicast traffic
543208 3-Major Upgrading APM v11.6.0 to v12.0.0 in a failover group might cause mcpd to become unresponsive.
542860-4 3-Major TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
542742-2 3-Major SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
542664-1 3-Major No default boot volume is set when installing a vCMP guest from a hotfix iso.
542320-1 3-Major No login name may appear when running ssh commands through the management port
542191-2 3-Major Snmpd V1 and V2c view-based access.
541316-3 3-Major Unexpected transition from Forced Offline to Standby to Active
540923-1 3-Major TMSH list node filtering no longer filters correctly.
539199-3 3-Major HTML filter is truncating the server response when sending it to client
538133-4 3-Major Only one action per sensor is displayed in sensor_limit_table and system_check
537326-2 3-Major NAT available in DNS section but config load fails with standalone license
536931 3-Major VCMP Host: statistic discrepancy when guests use pva disabled virtual servers
533813-3 3-Major Internal Virtual Server in partition fails to load from saved config
533174 3-Major Several "Standard MIB" OIDs were not supported correctly
532559-4 3-Major Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.
530122-1 3-Major Improvements in building hotfix images for hypervisors.
530081 3-Major Mcpd will crash if too many SSL certificates are loaded
528295-4 3-Major Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
528083-2 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
528052-1 3-Major System remains OFFLINE after running tmsh run cm config-sync recover-sync
526974-1 3-Major Data-group member records map empty strings to 'none'.
526500 3-Major Manually adding username/password in ZebOS can cause imi to core
524545-3 3-Major Generate HF roll-up images for Virtual Edition platforms.
524193-4 3-Major Multiple Source addresses are not allowed on a TMSH SNMP community
524126-4 3-Major The DB variable provision.tomcat.extramb is cleared on first boot.
524123-3 3-Major iRule ISTATS::remove does not work
523985 3-Major Certificate bundle summary information does not propagate to device group peers
523642-5 3-Major Power Supply status reported incorrectly after LBH reset
523527-6 3-Major Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.
522632 3-Major Qkview generates error-level message
522304-2 3-Major Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group
519394-1 3-Major Sync when licensed for ASM/AFM fails to sync pool with "Load balancing feature not licensed" error
519081-1 3-Major Cannot use tmsh to load valid configuration created using the GUI.
516995-3 3-Major NAT traffic group inheritance does not sync across devices
513649-4 3-Major Transaction validation errors on object references
512954-2 3-Major ospf6d might leak memory when distribute-list is used
512853-2 3-Major Kerberos SSO fails if KDC is not specified
511900-1 3-Major 'sessiondump -allkeys' command hangs and does not display all the entries when the number of sessions is very large, for example, 100,000 sessions.
510580-5 3-Major Interfaces might be re-enabled unexpectedly when loading a partition
510425-4 3-Major DNS Express zone RR type-count statistics are missing in some cases
510200-1 3-Major Upon de-provisioning, ASM does not release disk resources.
509611-1 3-Major Asynchronous Tasks for Long-Running command control
508076-2 3-Major Cannot successfully create a key/cert via tmsh or the GUI with a name of the form name.key1, where the extension is part of the name.
507331-4 3-Major Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.
505123-7 3-Major sysObjectID returns 'unknown' platform on the VIPRION 4400
504803-5 3-Major GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.
502714-4 3-Major Deleting files and file object references in a single transaction might cause validation errors
501949-1 3-Major BWC rate limit instability on large number of live dynamic flows
488417-2 3-Major Config load failure with 'Input error: can't create user' after upgrade
488262-2 3-Major moving VLAN from route-domain being deleted in the same transaction can cause errors
488188-1 3-Major When qkview is killed, it might leave temporary files on disk
487625-3 3-Major Qkview might hang
487194 3-Major Cannot remove a profile from a virtual server and delete it inside a transaction
486725-2 3-Major GUI creating key files with .key extensions in the name causing errors
486712-3 3-Major GUI PVA connection maximum statistic is always zero
485702-4 3-Major Default SNMP community 'public' is re-added after the upgrade
484534-4 3-Major interface STP state stays in blocked when added to STP as disabled
481696-2 3-Major Failover error message 'sod out of shmem' in /var/log/ltm
479553-4 3-Major Sync may fail after deleting a persistence profile
479543-6 3-Major Transaction will fail when deleting pool member and related node
479115-1 3-Major stpd tries to use bcm56xxd before it has started which results in error messages in ltm log
478215-2 3-Major The command 'show ltm pool detail' returns duplicate members in some cases
477888-4 3-Major ESP ICSA support is non-functional on versions 11.4.0 and up
474149-4 3-Major SOD posts benign error message: Config digest module error: Traffic group device not found
472308-3 3-Major Management IP address change interaction with HA heartbeat / failover traffic
470203-2 3-Major Setting a remote syslog destination to a localhost address results in recursive log messages.
469984-3 3-Major The upgrade process can discard valid HTTP Class URLs
468559-2 3-Major Config fails to load after upgrade to 11.5.1 when iApp requires PSM module.
460176-4 3-Major Hardwired failover asserts active even when standalone
455651-5 3-Major Improper regex/glob validation in web-acceleration and http-compression profiles
452660-4 3-Major SNMP trap engineID should not be configsynced between HA-pairs
451494-2 3-Major SSL Key/Certificate in different partition with Subject Alternative Name (SAN)
441482-2 3-Major SWG is seen on platforms with less than 8 GB of memory
433055-6 3-Major BFD GTSM IMI shell commands don't work
425980-3 3-Major Blade number not displayed in CPU status alerts
421971-9 3-Major Renewing certificates with SAN input leads to error in UI
420438-3 3-Major Default routes from standby system when HA is configured in NSSA
384995-4 3-Major Management IP changes are not synced to the device group.
382363 3-Major min-up-members and using gateway-failsafe-device on the same pool.
378967-1 3-Major Users are not synchronized if created in a partition
373949-4 3-Major Network failover without a management address causes active-active after unit1 reboot
372118-3 3-Major import_all_from_archive_file and import_all_from_archive_stream do not create file objects.
369352-10 3-Major No verification prompt when executing 'load sys config default' for resource administrator role
337934-1 3-Major remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly


Local Traffic Manager Issues

ID Number Severity Description
579919-1 2-Critical TMM may core when LSN translation is enabled
578045-2 2-Critical The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks
574153-2 2-Critical If an ssl client disconnects during the handshake, the SSL flow may stall.
565409-4 2-Critical Invalid MSS with HW syncookies and flow forwarding
559973-2 2-Critical Nitrox can hang on RSA verification
558612-2 2-Critical System may fail when syncookie mode activated
558534-2 2-Critical The TMM may crash if http url rewrite is used with APM
555156-3 2-Critical Changing monitoring configuration stops health checks for FQDN nodes.
534795-1 2-Critical Swapping VLAN names in config results in switch daemon core and restart.
527080 2-Critical Upgrade of invalid FQDN configuration
521548-6 2-Critical Possible crash in SPDY
517613-1 2-Critical ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps
511985-4 2-Critical Large numbers of ERR_UNKNOWN appearing in the logs
511782-3 2-Critical The HTTP_DISABLED event does not trigger in some cases
480009-2 2-Critical OSPFv2 Redistributed routes are deleted after blade failover with Graceful Restart
477178-1 2-Critical Occasional crash when SSL session mirroring is enabled
476136 2-Critical notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE/TRUE)
474797 2-Critical Malformed SSL packets can cause errors in /var/log/ltm
466007-2 2-Critical DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var
459671-2 2-Critical iRules source different procs from different partitions and executes the incorrect proc.
457256-2 2-Critical Configuration utility allows for mismatch in IP protocol and transport profile
372332 2-Critical Unnecessary buffering of client-side egress in some circumstances.
591789-1 3-Major IPv4 fragments are dropped when packet filtering is enabled.
590857-3 3-Major SSL resumption does not work with SSL::profile.
589400-3 3-Major With Nagle disabled, TCP does not send all xfrags with size greater than MSS.
589223-3 3-Major TMM crash and core dump when processing SSL protocol alert.
588442-3 3-Major TMM can core in a specific set of conditions.
588243-3 3-Major Monitor instances being deleted in peer unit after sync.
588115-3 3-Major TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
586621-3 3-Major SQL monitors 'count' config value does not work as expected. Must add 101 to desired 'count' value.
585961 3-Major LTM policy Tcl set-variable action can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.
585412-2 3-Major SMTPS virtual with activation-mode allow will RST non-TLS connections with email bodies with very long lines
583957-4 3-Major The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582331 3-Major Maximum connections is not accurate when TMM load is uneven
582234-2 3-Major When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
582207-3 3-Major MSS may exceed MTU when using HW syncookies
580303-3 3-Major When going from active to offline, tmm might send a GARP for a floating address.
579843-3 3-Major tmrouted may not re-announce routes after a specific succession of failover states
579371-2 3-Major BigIP may generate ARPs after transition to standby
579252-2 3-Major Traffic can be directed to an incorrect virtual during virtual modification
576296-2 3-Major MCPd might leak memory in SCTP profile stats query.
575626 3-Major Minor memory leak in DNS Express stats error conditions
575347-2 3-Major Unexpected backslashes remain in monitor 'username' attribute after upgrade
574262-1 3-Major Rarely encountered lockup for N3FIPS module when processing key management requests.
573402-2 3-Major See "C_GetAttributeValue error" with netHSM
573366-2 3-Major parking command used in the nesting script of clientside and serverside command can cause tmm core
572895 3-Major tcp forwarded flows are reset when time wait recycle of port happens
572680-3 3-Major Standby TMM might overflow send buffer if out of sync with Active TMM
572180-2 3-Major httpclass containing escaped backslashes: backslashes are stripped on migration to LTM policy
572025-2 3-Major HTTP Class profile using a path selector upgrade to a policy that does not match the entire path
571573-2 3-Major Persistence may override node/pmbr connection limit
571183-2 3-Major Bundle-certificates Not Accessible via iControl REST.
569642-4 3-Major Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
569356-2 3-Major BGP ECMP learned routes may use incorrect vlan for nexthop
569349-2 3-Major Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
569288-2 3-Major Different LACP key may be used in different blades in a chassis system causing trunking failures
569206-2 3-Major After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.
568229-2 3-Major [LTM][DNS] save-on-auto-sync with partitions fails for ltm dns partition objects
566361-8 3-Major RAM Cache Key Collision
563933-2 3-Major [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
563591-2 3-Major Reference to freed loop_nexthop may cause tmm crash.
563419-5 3-Major IPv6 packets containing extended trailer are dropped
563232-2 3-Major FQDN pool in resource prevents Access Policy Sync.
563227-3 3-Major When a poolmember goes down, persistence entries may vary among tmms
562885 3-Major TMM segfault in flow_find_opaque_ctx() caused by corrupt opaque ctx.
557358-1 3-Major Rare crash when the dequeued element is not in the queue
556117-2 3-Major client-ssl profile is case-sensitive when checking server_name extension
555343-3 3-Major tmm may crash in fastl4 tcp vs
554295-3 3-Major CMP disabled flows are not properly mirrored
551189 3-Major Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data
550739-2 3-Major TMSH mv virtual command will cause iRules on the virtual to be dis-associated
549329-1 3-Major L7 mirrored ACK from standby to active box can cause tmm core on active
548583-3 3-Major TMM crashes on standby device with re-mirrored SIP monitor flows.
547657-1 3-Major A TCL error in a DNS_RESPONSE iRule event can cause a tmm crash.
545796-3 3-Major [iRule] [Stats] iRule is not generating any stats for executed irules
545704-2 3-Major TMM might core when using HTTP::header in a serverside event
543993-3 3-Major Serverside connections may fail to detach when using the HTTP and OneConnect profiles
542009-2 3-Major tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.
541126-4 3-Major After restarting pkcs11d or being restored from HSM networking failure, Safenet connection may still fail.
540893-2 3-Major Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.
540213-2 3-Major mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary
539439-1 3-Major Using the pool command in HTTP_PROXY_REQUEST event occasionally fails
537209-2 3-Major Fastl4 profile sends RST packet when idle-timeout value set to 'immediate'
536563-2 3-Major Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.
536191-2 3-Major Transparent inherited TCP monitors may fail on loading configuration
534111-1 3-Major [SSL] Config sync problems when modifying cert in default client-ssl profile
533966-5 3-Major Double loopback nexthop release might cause TMM core.
531979-1 3-Major SSL version in the record layer of ClientHello is not set to be the lowest supported version.
530812-1 3-Major Legacy DAG algorithm reuses high source port numbers frequently
530795-3 3-Major In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
529627-1 3-Major LDAP StartTLS may fail on serverside when persistence is configured
529395 3-Major Local-only network IP forwarding virtual server not forwarding traffic on standby system
528736-1 3-Major When tcp connection is aborting tmm can crash with "hud_oob consumed" message
528734-2 3-Major TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.
528401-1 3-Major Using an irule to enable/disable a profile does not enable/disable the profile
525675 3-Major SSL with forward proxy can leak memory
523513-3 3-Major COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
523126 3-Major Change in route domain in NAT configuration does not take effect until restart
522620-1 3-Major [APM][AAA] Monitor instances not removed for AAA Radius/others pool when dis-associate AAA pool
521711-4 3-Major HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual
521036-2 3-Major Dynamic ARP entry may replace a static entry in non-primary TMM instances.
520604-8 3-Major Route domain creation may fail if simultaneously creating and modifying a route domain
520405-4 3-Major tmm restart due to oversubscribed DNS resolver
518258 3-Major The CLIENTSSL_CLIENTCERT iRule event may not be triggered.
518086-6 3-Major Safenet HSM Traffic failure after system reboot/switchover
518059 3-Major The HTTP::payload iRules API appends garbage to content when transfer-encoding is chunked
517510-1 3-Major HTTP monitor might add extra CR/LF pairs to HTTP body when supplied
517456 3-Major Resetting virtual server stat increments cur_conns stat in clientssl profile
516280-2 3-Major bigd process uses a large percentage of CPU
515139-5 3-Major Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
514419-5 3-Major TMM core when viewing connection table
513530-4 3-Major Connections might be reset when using SSL::disable and enable command
513319-4 3-Major Incorrect or failing sideband connections from within an iRule may leak memory
511324-5 3-Major HTTP::disable does not work after the first request/response.
510395-3 3-Major Disabling some events while in the event, then running some commands can cause tmm to core.
504396-2 3-Major When a virtual's ARP or ICMP is disabled, the wrong mac address is used
503257-7 3-Major Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
502747-1 3-Major Incoming SYN generates unexpected ACK when connection cannot be recycled
501984-2 3-Major TMM may experience an outage when an iRule fails in LB_SELECTED.
500003-4 3-Major Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP
499615-3 3-Major RAM cache serves zero length documents.
495588-5 3-Major Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases
494084-2 3-Major Certain rapidly-terminating UDP virtuals may core on standby
491801 3-Major GTM iRule command [LB::status up] gives error
490174-2 3-Major Improved TLS protocol negotiation with clients supporting TLS1.3
487696-4 3-Major Number of CPUs allocated for ASM guests
480982-5 3-Major pkcs11d with a high thread count can result in high CPU utilization
477950-3 3-Major Displayed SSL profile statistics might be incorrect
477897-2 3-Major After modifying the protocol profile on an SCTP virtual, the logs may contain error messages
475677-3 3-Major Connections may hang until timeout if a LTM policy action failed
472748-1 3-Major SNAT pool stats are reflected in global SNAT stats
472571-6 3-Major Memory leak with multiple client SSL profiles.
471288-5 3-Major TMM might crash with session-related commands in iRules.
471001-4 3-Major Standby responds to traceroute on mirror enabled forwarding virtual server
469566-1 3-Major HTTP OneConnect on wildcard non-translating virtual server does not reuse connections
468790-2 3-Major Inconsistent Safenet key deletion in BIG-IP and Safenet HSM
463202-7 3-Major BIG-IP system drops non-zero version EDNS requests
462881-1 3-Major Configuration utility allows for mismatch in IP protocol and transport profile
456378-2 3-Major On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core
454209-3 3-Major TMM crash on UDP DNS virtual without datagram-load-balancing enabled
440431-3 3-Major Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
434517-10 3-Major HTTP::retry doesn't work in an early server response
433323-2 3-Major Ramcache handling of Cache-Control: no-cache directive
420176 3-Major On UDP virtual under CLIENT_DATA event load balance does not work
408599-3 3-Major The iRule node command does not function properly when invoked from the LB_SELECTED event.
385859 3-Major iRule TCP::close on vip with Ramcache can cause TMM restart
345358-2 3-Major Oneconnect Transforms don't recognize Connection header if it contains extra Header tokens.
333340 3-Major The bigd process is not compatible with IPv6 link-local unicast addresses
222690 3-Major The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.


Performance Issues

ID Number Severity Description
454949-3 2-Critical AFM Optimizations to improve run-time and memory usage.
467018-1 3-Major On HSB platforms which don't have HW DoS, bad cksum pkts could cause perf drop


Global Traffic Manager Issues

ID Number Severity Description
569972-2 2-Critical Unable to create gtm topology records using iControl REST
569521-4 2-Critical Invalid WideIP name without dots crashes gtmd.
539466-5 2-Critical Cannot use self-link URI in iControl REST calls with gtm topology
589256-3 3-Major DNSSEC NSEC3 records with different type bitmap for same name.
588289-4 3-Major GTM is Re-ordering pools when adding pool including order designation
569472-2 3-Major TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
561539-2 3-Major [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.
559975-5 3-Major Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
517582-3 3-Major [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.
511865-1 3-Major [GTM] GTM external monitor is not correctly synced in GTM sync group without device group
510888-1 3-Major [LC] snmp_link monitor is not listed as available when creating link objects
500639-2 3-Major Setting log level for ZoneRunner has no effect.


Application Security Manager Issues

ID Number Severity Description
582003-2 2-Critical BD crash on startup or on XML configuration change
569583-1 2-Critical Secondary Blade Rejects All Traffic
568347-2 2-Critical BD Memory corruption
526829-2 2-Critical Enable client side encoding by default in DoS Layer 7
476616-3 2-Critical Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1
590851-2 3-Major "never log" IPs are still reported to AVR
582683-5 3-Major xpath parser doesn't reset a namespace hash value between each and every scan
580168-2 3-Major Information missing from ASM event logs after a switchboot and switchboot back
579531 3-Major bd_agent and bd are suddenly restarted, while there is no traffic nor configuration being processed
576705 3-Major ASM does not start up after TMM crash on a 3600 platform
576591-4 3-Major Support for some future credit card number ranges
573406-3 3-Major ASU cannot be completed if license was last activated more than 18 months before
572922-2 3-Major Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.
567400-2 3-Major Policy Diff/Merge Does Not Work Correctly For Session Awareness Login Pages
561595-2 3-Major Guest user cannot see Event Correlation details
559541-2 3-Major ICAP anti-virus tests are not initiated on XML when they should be
559055-1 3-Major Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
554324-1 3-Major Signatures cannot be updated after Signature Systems have become corrupted in database
535904-2 3-Major BD crashes when attempting to access a closed connection
531566-2 3-Major A partial response arrives to the client when response logging is turned on
530102-2 3-Major Illegal meta characters on XML tags
528071-1 3-Major ASM periodic updates (cron) write errors to log
523522-1 3-Major In a CMI device group, installing a UCS (on any one of the peers in group) does not propagate the ASU file (that is bundled with UCS) to other peers
518201-1 3-Major ASM policy creation fails after upgrading
513787-3 3-Major CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10
510281-1 3-Major learning_manager crash
507640-1 3-Major Importing Security Policy in Binary Format Fails
506597-1 3-Major False positive cookie hijacking violation after uploading big requests
498433-1 3-Major Upgrading with ASM iRule and virtual server with no websecurity profile
494493-1 3-Major iControl REST for ASM Character Sets returns invalid characters ( greater than 127 (0x7f) ) for Multi-Byte Encodings
456976 3-Major Web scraping/brute force may break application on IE6/IE7


Application Visibility and Reporting Issues

ID Number Severity Description
579049-1 2-Critical TMM core due to wrong assert
578353 2-Critical Statistics data aggregation process is not optimized
582029-1 3-Major AVR reports incorrect statistics when it receives a 'response done' event, but does not receive a 'clientside request' event.
574160-4 3-Major Publishing DNS statistics if only Global Traffic and AVR are provisioned
567355-1 3-Major Scheduled report lost after loading configuration
565412-1 3-Major AVR reports device-level mitigation as "Device Level" and not as "Aggregated"
560114-3 3-Major Monpd is being affected by an I/O issue which makes some of its threads freeze
559060-3 3-Major AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.
557062-2 3-Major Configuration upgrade failure due to change in an ASM predefined report name
528406 3-Major Errors in monpd log after upgrade from version 11.5.x regarding deprecated widgets
508341-4 3-Major Scheduled-reports are not syncing the 'first-time' value on a CMI
488989-3 3-Major AVRD does not print out an error message when the external logging fails
474613-1 3-Major Upgrading from previous versions


Access Policy Manager Issues

ID Number Severity Description
580225-3 2-Critical WEBSSO::select may crash tmm.
579909-2 2-Critical Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
578844-2 2-Critical tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
575609-3 2-Critical Zlib accelerated compression can result in a dropped flow.
571090 2-Critical When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
562919-2 2-Critical TMM cores in renew lease timer handler
552342-2 2-Critical APMD logging at debug level may log passwords in clear text
513083-1 2-Critical d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.
467059-1 2-Critical Customization GUI not showing proper error message when modify customization group file created from iApps
450136-5 2-Critical Occasionally customers see chunk boundaries as part of HTTP response
446187-7 2-Critical If manually started, bigip service(s) may consume 100% and become non-functional
590820-1 3-Major Applications that use appendChild() or similar functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
589794 3-Major APD might crash if LDAP Query agent failed to retrieve primary group for a user
589118 3-Major Horizon View client throws an exception when connecting to Horizon 7 VCS through APM
588888-2 3-Major Empty URI rewriting is not done as required by browser.
586006-3 3-Major Failed to retrieve CRLDP list from client certificate if DirName type is present
583113-2 3-Major NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-2 3-Major A macro call might not be topologically connected to the rest of the policy.
582526-1 3-Major Very large policies (e.g., more than 4000 elements) might not display.
580893-1 3-Major Support for Single FQDN usage with Citrix Storefront Integration mode
576350-2 3-Major External input from client doesn't pass to policy agent if it is not the first in the chain.
576069-2 3-Major Rewrite can crash in some rare corner cases
575499-1 3-Major VPN filter may leave renew_lease timer active after teardown
574860-1 3-Major HTTP request dropped when using ACCESS::disable from iRule and a Per-Request Policy
574781-2 3-Major APM Network Access IPV4/IPV6 virtual may leak memory
573643-2 3-Major flash.utils.Proxy functionality is not negotiated
573429-1 3-Major APM Network Access IPv4/IPv6 virtual may leak memory
571718-2 3-Major LocalDB Auth Logs New Password in Debug Log on password change
570640-2 3-Major APM Cannot create symbolic link to sandbox. Error: No such file or directory
567660-2 3-Major Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature
566646-4 3-Major Portal Access could respond very slowly for large text files when using IE < 11
565231-2 3-Major If an exported policy has two objects named profile_name-aaa and aaa, import will fail
564521-3 3-Major JS passed to ExternalInterface.call() can be erroneously unescaped
564482-2 3-Major Kerberos SSO does not support AES256 encryption
563443-2 3-Major WebSSO plugin core dumps under very rare conditions.
563349-3 3-Major On Mac, NA proxy settings are not applied to tun adapter after VPN is established
559218-2 3-Major Iframes could be inaccessible to a parent window on a page accessed through Portal Access
559159-1 3-Major [PORTAL] JavaScript errors when Application runs through Portal
558946-4 3-Major TMM may core when APM is provisioned and access profile is attached to the virtual
554458 3-Major No Session Variables displayed when click on "View Session Variables" link in APM "All Sessions" reports with reduced zeros in Session ID
552444-2 3-Major Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
551260-2 3-Major When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
547692 3-Major Firewall-blocked KPASSWD service does not cause domain join operation to fail
543344-1 3-Major ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
541622-1 3-Major APD/APMD Crashes While Verifying CAPTCHA
541261-2 3-Major Clientless NA fails when iRule agent is present in access policy
539018-3 3-Major TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file.
536575-1 3-Major Session variable report can be blank in many cases
534901-1 3-Major VMware View HTML5 client may load/initialize with delays
533422-1 3-Major sessiondump is not reusing connections
531966 3-Major APM ACLs can block ICA file generation on APM Webtop
530092-1 3-Major AD/LDAP groupmapping is overencoding group names with backslashes
528701-1 3-Major Sessiondump does not accept single dash options
528548-2 3-Major @import "url" is not recognized by client-side CSS patcher
528424-3 3-Major IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state
527668-1 3-Major "Minimize to tray" option doesn't work in IE with latest updates if APM is not in Trusted Sites list
527119-3 3-Major Iframe document body could be null after iframe creation in rewritten document.
522124-3 3-Major Secondary MCPD restarts when SAML IdP or SP Connector is created
519090-1 3-Major Assigning a value to window.onerror in an empty window leads to an exception.
519059-3 3-Major [PA] - Failing to properly patch webapp link, link not working
516219-4 3-Major User failed to get profile license in VIPRION P8 chassis if slot 1 is not enabled
510802 3-Major Using ECA:metadata iRule command causes MCPD failure
495128-9 3-Major Safari 8 continues using proxy for network access resource in some cases when it shouldn't
493106-4 3-Major HTTP Basic authentication module logs clear text password in /var/log/apm at debug level
489562 3-Major HTTP with NTLMSSP_NEGOTIATE message and with payload more than 4KB cause the NTLM front end authentication to stall
479715-3 3-Major Multi-tab protection problems with multi-domain SSO
477547-1 3-Major Resource Assign Agent shows javascript error
447565-3 3-Major Renewing machine-account password does not update the serviceId for associated ntlm-auth.
442532-4 3-Major Log shows "socket error: resource temporarily unavailable"
441913-6 3-Major Empty Webtop when large number of resources assigned to access policy.
440505-7 3-Major Default port should be removed from Location header value in http redirect
439330-8 3-Major Javascript: getAttribute() returns mangled event handlers
409323-3 3-Major OnDemand cert auth redirect omits port information
399732-1 3-Major SAML Error: Invalid request received from remote client is too big
238444-1 3-Major An L4 ACL has no effect when a layered virtual server is used.


WebAccelerator Issues

ID Number Severity Description
562644-4 3-Major TMM may crash when AAM receives a pipelined HTTP request while shutting down the connection
506557-3 3-Major IBR tags might occasionally be all zeroes.
506315-5 3-Major WAM/AAM is honoring OWS age header when not honoring OWS maxage.
501714-2 3-Major System does not prevent low-quality JPEGs from being optimized to higher quality (becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS.
476476-7 3-Major Occasional inability to cache optimized PDFs and images


Service Provider Issues

ID Number Severity Description
592378 3-Major TMM crashed with SIGSEGV and possible mr_proxy cores.
590091-1 3-Major Single-line Via headers separated by a single comma result in the first character of the second header being stripped.
578564-3 3-Major ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-2 3-Major ADAPT recursive loop when handling successive iRule events
572224-4 3-Major Buffer error due to RADIUS::avp command when vendor IDs do not match
570363-2 3-Major Potential segfault when MRF messages cross from one TMM to another
566576-2 3-Major ICAP/OneConnect reuses connection while previous response is in progress
550434-5 3-Major Diameter connection may stall if server closes connection before CER/CEA handshake completes


Advanced Firewall Manager Issues

ID Number Severity Description
580235 2-Critical PCCD cored when running 'bigstart restart pccd' command in v11.6.1
551635-2 2-Critical pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule
550926-2 2-Critical AFM rule with "unknown" source Geo-entity, stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule
547550-3 2-Critical avrd reports incorrect stat values
484013-4 2-Critical tmm might crash under load when logging profile is used with packet classification
592113 3-Major Uninitialized dos_vectors may cause core dump
590805 3-Major Active Rules page displays a different time zone.
580460 3-Major Client side integrity defense or proactive may break application
575582-2 3-Major MCPd might leak memory in FW network attack stats.
575571-2 3-Major MCPd might leak memory in FW DOS SIP attack stats query.
575569-2 3-Major MCPd might leak memory in FW DOS DNS stats query.
575565-2 3-Major MCPd might leak memory in FW policy rule stats query.
575564-2 3-Major MCPd might leak memory in FW rule stats query.
575559-1 3-Major MCPd might leak memory in FW rule user ID validation stats.
575557-1 3-Major MCPd might leak memory in FW rule stats.
575321-2 3-Major MCPd might leak memory in firewall stats.
569337-2 3-Major TCP events are logged twice in a HA setup
564956-4 3-Major PCCD core and slow running SQL
558763 3-Major "Show All" option for large no. of security objects can cause poor performance in some browsers
554826-1 3-Major TMM crash (assert) observed during processing of HA packets.
539687-1 3-Major No logs for Proactive Bot Defense drops.
534472 3-Major Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name.
524009-1 3-Major Incorrect parsing of abnormal request headers during DOS attacks
511819 3-Major Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name
506452-2 3-Major Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1
497154-2 3-Major Clear schedule name when setting firewall rule state from Scheduled to Enabled/Disabled.
478462-1 3-Major Whitelist count could increment wrongly
426274-2 3-Major Firewall ACL Schedules may not work when configured with a daily schedule that starts before the specified start date and time


Policy Enforcement Manager Issues

ID Number Severity Description
527992-1 2-Critical tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client.
592070-1 3-Major DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied.
588456-1 3-Major PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-1 3-Major DHCP relay not forwarding server DHCPOFFER and DHCPACK messages after some time
577814-4 3-Major MCPd might leak memory in PEM stats queries.
568722 3-Major Gy quota and end of session reporting does not work under certain conditions.
566061-1 3-Major Subscriber info missing in flow report after subscriber has been deleted


Carrier-Grade NAT Issues

ID Number Severity Description
532365-1 3-Major lsndb cores with "Assertion `size < bin_key_size' failed"
520682-2 3-Major In PBA mode subscribers cannot initiate more than 512 connections to the same server IP:port
515736-4 3-Major LSN pool with small port range may not use all ports
487660-6 3-Major LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range


Global Traffic Manager (DNS) Issues

ID Number Severity Description
532859-1 3-Major [GTM] ZRD cannot create reverse zones for stub, slave and forward zones


Anomaly Detection Services Issues

ID Number Severity Description
540054-2 3-Major tmm crash when Dos protection and behavior analysis enabled on virtual server


Centralized Management Issues

ID Number Severity Description
453640-3 2-Critical Java core formed when modifying global-settings.
580686 3-Major Hostagentd might leak memory on vCMP hosts.
563144 3-Major Changing the system's admin user causes many errors in the REST framework.


iApp Technology Issues

ID Number Severity Description
569270 3-Major BIG-IQ CM 4.6 incompatible with BIG-IP 11.6.1.
508074-1 3-Major Non-admin deployment causes iApp failure

 

Known Issue details for BIG-IP v11.6.x

592378 : TMM crashed with SIGSEGV and possible mr_proxy cores.

Component: Service Provider

Symptoms:
TMM crashed with SIGSEGV and possible mr_proxy cores.

Conditions:

Impact:
Unknown

Workaround:


592194-2 : HSB transmitter failure on 5250 in vCMP guest

Component: TMOS

Symptoms:
An HSB transmitter failure occurs within a vCMP guest. This is indicated by the following in the tmm logs: panic: hsb interface 1 DMA lockup on transmitter failure. This may or may not be specific to a 5250 or vCMP guest.

Conditions:
Unknown.

Impact:
Reboot of the unit.

Workaround:
None.


592113 : Uninitialized dos_vectors may cause core dump

Component: Advanced Firewall Manager

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


592070-1 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied.

Component: Policy Enforcement Manager

Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.

Conditions:
DHCP virtual created in a non-local traffic group.

Impact:
Variable sharing in the TCL context will not work.

Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.


591789-1 : IPv4 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv4 fragments are dropped when packet filtering is enabled.

Conditions:

Impact:
Unknown

Workaround:


591104-3 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configs when ASE OSPF debugging is enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
  debug ospf all
  debug ospf route
  debug ospf route ase

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.


590938-2 : The CMI rsync daemon may fail to start

Component: TMOS

Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running but has left its PID file behind, it will not restart.

Conditions:
The rsync daemon failed unexpectedly.

Impact:
Sync of file objects will fail with an error like this: 01070712:3: Caught configuration exception (0), Failed to sync files...

Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.


590904-5 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.


590857-3 : SSL resumption does not work with SSL::profile.

Component: Local Traffic Manager

Symptoms:
SSL resumption does not work with SSL::profile.

Conditions:

Impact:
Unknown

Workaround:


590851-2 : "never log" IPs are still reported to AVR

Component: Application Security Manager

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


590820-1 : Applications that use appendChild() or similar functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of methods such as: appendChild(), insertBefore(), and so on.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
No workaround except to use another browser.


590805 : Active Rules page displays a different time zone.

Component: Advanced Firewall Manager

Symptoms:
Active Rules page displays a different time zone.

Conditions:

Impact:
Unknown

Workaround:


590091-1 : Single-line Via headers separated by single comma result in first character second header being stripped.

Component: Service Provider

Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').

Conditions:
Multiple Via headers on single-line separated by a single comma (',').

Impact:
The leading character of the second Via header will be stripped, e.g., 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.

Workaround:
None.


589794 : APD might crash if LDAP Query agent failed to retrieve primary group for a user

Component: Access Policy Manager

Symptoms:
APD will crash and generate a core file.

Conditions:
The problem can happen only when all of the following are true:
1. LDAP Query is used with an AD backend.
2. "Fetch groups to which the user or group belong" is set to a value other than None (direct/all).
3. There were logins to the BIG-IP before, so the group cache is built and valid.
4. A new group was created in the domain and assigned as the primary group for the user trying to authenticate.

Impact:
Authentication service will be interrupted.

Workaround:
Administrator should reset group cache using either GUI (AAA LDAP Server configuration page) or tmsh (apm aaa ldap object). After cache is reset, it will be built from scratch on next request and the new group will be added to the cache.


589698 : HSB lockup on B2100 (A109) blade with vCMP running v11.6.0 final

Component: TMOS

Symptoms:
An HSB lockup occurred on a B2100 (A109) blade running vCMP.

Conditions:
Unknown.

Impact:
HSB lockup requires unit restart.

Workaround:
None.


589400-3 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases. If init-cwnd is low, raising it might also help. Disabling abc can also reduce the problem, but might have other negative network implications.


589338 : Linux host may lose ECMP routes on secondary blades

Component: TMOS

Symptoms:
As a result of a known issue, Linux host residing on the secondary blade may lose ECMP routes previously learned via a dynamic routing protocol.

Conditions:
- Multi-bladed chassis or vCMP guest
- ECMP routes learned via dynamic routing
- Restart of services or reboot of the secondary blade

Impact:
ECMP routes on the Linux host of the secondary blade are lost. This may affect host traffic, such as monitoring, remote logging, etc., due to the lack of routing information.

Workaround:
Restarting routing processes on the primary blade will cause the routes to propagate to the secondary blade.


589256-3 : DNSSEC NSEC3 records with different type bitmap for same name.

Component: Global Traffic Manager

Symptoms:
DNSSEC NSEC3 records with different type bitmap for same name.

Conditions:

Impact:
Unknown

Workaround:


589223-3 : TMM crash and core dump when processing SSL protocol alert.

Component: Local Traffic Manager

Symptoms:
TMM crash and core dump when processing SSL protocol alert.

Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.

Impact:
System instability due to tmm restarting.

Workaround:
None.


589118 : Horizon View client throws an exception when connecting to Horizon 7 VCS through APM

Component: Access Policy Manager

Symptoms:
If APM is configured as PCoIP proxy against Horizon 7 VCS, the Horizon View client will fail to retrieve the list of entitlements with an exception written in its logs.

Conditions:
APM as PCoIP proxy for Horizon 7 View Connection Server.

Impact:
Horizon View client cannot be used with APM to access Horizon 7.

Workaround:
An iRule can be used to patch the broker protocol version returned by APM to be 11.0 instead of 9.0.


588888-2 : Empty URI rewriting is not done as required by browser.

Component: Access Policy Manager

Symptoms:
An empty URI must be rewritten by the server-side and client-side rewriters in the same way: as an empty URI (all browsers treat it in a specific way).

Conditions:
A tag with an empty "src" or "href" attribute.

Impact:
Web application misbehavior

Workaround:
Application dependent iRule.


588456-1 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to the DHCP relay agent IP address, the DHCP server sends the ACK for the renewal packet to the relay agent IP (giaddr) instead of ciaddr. The BIG-IP DHCP module does not process the ACK and update the lease time, which causes the PEM subscriber session to be aged out.

Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically, it is set to 0 by the DHCP client)

Impact:
PEM Subscriber Session will age out

Workaround:


588442-3 : TMM can core in a specific set of conditions.

Component: Local Traffic Manager

Symptoms:
TMM can core and assert: 'ifc not set'.

Conditions:
This occurs under the following conditions:
- A unit with a license that rate-limits throughput performance to something other than max or 1 (or setting it via a custom tmm build).
- One or more VIPs with a dns profile that has rapid-response enabled.
- Something causing the listener to be disabled or a listener to not be found.
- A dns request is sent to the disabled listener.

Impact:
TMM will core and assert: 'ifc not set'.

Workaround:
None.


588289-4 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager

Symptoms:
GTM re-orders, including the "0" order when adding the pool with specific order designation.

Conditions:

Impact:
This changes the pool order unexpectedly which will affect Load balancing using global-availability.

Workaround:


588243-3 : Monitor instances being deleted in peer unit after sync.

Component: Local Traffic Manager

Symptoms:
Monitor instances being deleted in peer unit after sync.

Conditions:

Impact:
Unknown

Workaround:


588115-3 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.

Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- A more specific route exists via a GW to the self-IP.
- The configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.

Impact:
TMM may crash

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.


586878-2 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3. The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all of the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key
   Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
   Unexpected Error: Loading configuration process failed.

Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key. For example, it might look similar to the following:

   ltm profile client-ssl /Common/cssl_no-cert-key2 {
       app-service none
       cert none
       cert-key-chain {
           "" { }
       }
       chain none
       defaults-from /Common/clientssl
       inherit-certkeychain false
       key none
       passphrase none
   }

   Note: The profile might have a cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:

   ltm profile client-ssl /Common/cssl_no-cert-key2 {
       app-service none
       cert none
       cert-key-chain {
           default { }
       }
       chain none
       defaults-from /Common/clientssl
       inherit-certkeychain false
       key none
       passphrase none
   }

3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.


586621-3 : SQL monitors 'count' config value does not work as expected. Must add 101 to desired 'count' value.

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected. Must add 101 to desired 'count' value.

Conditions:

Impact:
Unknown

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.


586006-3 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certificate revocation check will fail.

Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without a server hostname and port, which are needed for DirName type processing.
AND
2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list.

Impact:
Users may fail access policy evaluation when a client certificate is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585961 : LTM policy Tcl set-variable action can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.

Component: Local Traffic Manager

Symptoms:
Customer may experience unexpected failover.

Conditions:
The issue has been found on a virtual server with both an attached iRule and an LTM Policy. The iRule calls TCP::collect when the connection is accepted, and calls TCP::release at the CLIENT_DATA event. The LTM Policy has a single action to set a tcl set-variable expression.

Impact:
Customer may experience unexpected failover

Workaround:
No workaround.


585412-2 : SMTPS virtual with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an smtps profile may be reset with a reset cause of "Out of memory.".

Conditions:
A virtual server that uses an smtps profile with activation-mode set to allow. A client connection which does not use TLS that sends a DATA section with a text line that is longer than about 8192 characters. 8192 characters is a rough estimate for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset-cause of "Out of memory." and the Email will not be delivered.

Workaround:


584583-1 : Timeout error when attempting to retrieve large dataset.

Component: TMOS

Symptoms:
Timeout error when attempting to retrieve large dataset.

Conditions:

Impact:
Unknown

Workaround:


583957-4 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during a HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
An HTTP::respond or HTTP::redirect iRule command is used. The iRule command is in an event triggered on the client-side. A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.

Workaround:


583936-3 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Workaround:


583754-5 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Conditions:

Impact:
Unknown

Workaround:


583475-2 : The BIG-IP may core while recompiling LTM policies

Component: TMOS

Symptoms:
In some rare and still unknown situations the BIG-IP may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.

Conditions:
Creating or modifying LTM policies.

Impact:
The BIG-IP control plane services restart, thus affecting both control plane and data plane functionality.

Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.


583285-3 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.


583113-2 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
The following iRule did not work as expected when the access profile had NTLM auth. The client still received a 407 prompt to enter NTLM credentials.

   when HTTP_PROXY_REQUEST {
       if { [HTTP::uri] contains "disable" } {
           ACCESS::disable
       }
   }

Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.

Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.

Workaround:
The following iRule works from HTTP_REQUEST:

   when HTTP_REQUEST {
       if { [HTTP::uri] contains "disable" } {
           ACCESS::disable
           ECA::disable
       }
   }


582752-2 : Macrocall could be topologically not connected with the rest of policy.

Component: Access Policy Manager

Symptoms:
It is possible to create a macrocall access policy item that:
1. Belongs to the policy items list
2. Is correctly connected to an ending
3. Has no incoming rules, i.e., no items pointing at it

Conditions:
1. Create an access policy with a macrocall item in one of the branches.
2. Remove the item which refers to this macrocall item from the access policy.
As a result, the macrocall item remains.

Impact:
VPE fails to render this access policy.

Workaround:
It is possible to delete macrocall access policy item manually using tmsh commands.


582683-5 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML profile, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A


582526-1 : Very large policies (e.g., more than 4000 elements) might not display.

Component: Access Policy Manager

Symptoms:
Very large policies (e.g., more than 4000 elements) might not display.

Conditions:

Impact:
Unknown

Workaround:


582331 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.


582234-2 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:

Impact:
Unknown

Workaround:


582207-3 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.


582084-2 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When a BWC policy exists both in the global sync group and locally, the configuration displays an error.

Conditions:
A BWC policy is created both in the global sync group and locally.

Impact:
Configuration error; BWC policies will not be synced due to the errors.

Workaround:
Ensure that the BWC policy is in the global sync group only.


582029-1 : AVR reports incorrect statistics when it receives a 'response done' event, but does not receive a 'clientside request' event.

Component: Application Visibility and Reporting

Symptoms:
AVR reports incorrect statistics when it receives a 'response done' event, but does not receive a 'clientside request' event.

Conditions:

Impact:
AVR reports incorrect statistics: unexpectedly large numbers.

Workaround:


582003-2 : BD crash on startup or on XML configuration change

Component: Application Security Manager

Symptoms:
BD crashes with an 'out of memory' XML message in bd.log. BD does not start up and keeps crashing on startup.

Conditions:
Many XML profiles and relatively large XML configuration.

Impact:
ASM down, machine is offline.

Workaround:
Increase the XML available memory.


580893-1 : Support for Single FQDN usage with Citrix Storefront Integration mode

Component: Access Policy Manager

Symptoms:
Adding a new login account to Citrix Receiver enumerates the applications and desktops, but after logging off and trying to reconnect to the same account, the connection starts failing.

Conditions:
Citrix Storefront integration mode with APM, using the same FQDN for accessing both Storefront and the APM virtual server.

Impact:
The customer has to use different FQDNs for internal (Storefront) and external (APM virtual server) access.

Workaround:
No workaround other than using different FQDNs.


580686 : Hostagentd might leak memory on vCMP hosts.

Component: Centralized Management

Symptoms:
System instability. Health monitors could work intermittently.

Conditions:
hostagentd consumes more than 400 MB of resident memory; in some cases it consumes more than 1 GB. vCMP host uptime is usually 2 months or more, and hostagentd resident memory keeps leaking over time.

Impact:
System instability. Intensive usage of vCMP host swap memory.

Workaround:
Restart hostagentd on the vCMP host.


580499 : Can't disable default admin on chassis

Component: TMOS

Symptoms:
On a chassis with at least two blades, after disabling the default admin on the primary and setting an alternate, mcpd on the secondary goes into a restart loop and error messages are seen in /var/log/ltm:

Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user a-test.
Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user test-noaccess.
Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user test-noaccess1.
Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user test-noaccess2.
Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user nothing.
Mar 14 10:05:49 slot2/VPR-144-6 err mcpd[26012]: 010718e7:3: The requested primary admin user (admin111) must have a password set.
Mar 14 10:05:50 slot2/VPR-144-6 err mcpd[26012]: 01070734:3: Configuration error: Configuration from primary failed validation: 010718e7:3: The requested primary admin user (admin111) must have a password set.... failed validation with error 17242343.

(admin111 is the primary admin user set on the primary blade.)

Conditions:
Chassis with multiple blades; alternate primary admin is set on the primary blade.

Impact:
mcpd is in a restart loop on the secondary blades.

Workaround:


580460 : Client side integrity defense or proactive may break application

Component: Advanced Firewall Manager

Symptoms:
A blank page is shown when client side integrity/proactive is turned on.

Conditions:
1. Client side integrity/proactive is turned on.
2. IE in compatibility mode, version 8 or lower.

Impact:
The application is broken: a blank page is shown.

Workaround:
N/A


580303-3 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.


580235 : PCCD cored when running 'bigstart restart pccd' command in v11.6.1

Component: Advanced Firewall Manager

Symptoms:
PCCD cores when running the 'bigstart restart pccd' command in v11.6.1. The issue is intermittent.

Conditions:
Issue the 'bigstart restart pccd' command in v11.6.1.

Impact:
No functional impact. After pccd generates the core file it restarts and compiles the firewall rules successfully.

Workaround:


580225-3 : WEBSSO::select may crash tmm.

Component: Access Policy Manager

Symptoms:
The WEBSSO::select iRule command can cause TMM to crash if no arguments are passed in.

Conditions:
This occurs when the command is used with no arguments.

Impact:
TMM crash.

Workaround:
See the following DevCentral page related to WEBSSO::select - https://devcentral.f5.com/wiki/irules.websso__select.ashx


580168-2 : Information missing from ASM event logs after a switchboot and switchboot back

Component: Application Security Manager

Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back

Conditions:
1. ASM is provisioned and event logs with violation details are available.
2. Install or upgrade to another volume and switchboot to it.
3. Wait for ASM to fully come up.
4. Switchboot back.
The event logs are still available, but the violation details are gone.

Impact:
Information missing from ASM event logs after a switchboot and switchboot back

Workaround:
N/A


579919-1 : TMM may core when LSN translation is enabled

Component: Local Traffic Manager

Symptoms:
TMM core.

Conditions:
A virtual server uses LSN translation with a destination matching a pool-based route.

Impact:
Outage/failover.

Workaround:


579909-2 : Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error

Component: Access Policy Manager

Symptoms:
The secondary blade MCPD exits if the APM Sandbox logs a warning message when it fails to remove the corresponding sandbox directory /var/sam/www/webtop/sandbox/files_d/<partition_name>_d while the user is removing the partition. There are multiple cases that can log such a Sandbox warning message; the known cases are listed below. Any of them makes the secondary MCPD(s) exit, resulting in the secondary blade(s) restarting.

(1) Directory not empty

Mar 11 11:36:49 slot2/viprion-3 warning mcpd[6022]: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: Directory not empty. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/
Mar 11 11:36:49 slot2/viprion-3 err mcpd[6022]: 01070734:3: Configuration error: Configuration from primary failed validation: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: Directory not empty. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/... failed validation with error 17242028.
Mar 11 11:36:49 slot2/viprion-3 err clusterd[6100]: 013a0004:3: IO error on recv from mcpd - connection lost
Mar 11 11:36:49 slot2/viprion-3 err bcm56xxd[6561]: 012c0004:3: Lost connection with MCP: 16908291 ... Exiting bsx_connect.cpp(180)
Mar 11 11:36:49 slot2/viprion-3 info bcm56xxd[6561]: 012c0012:6: MCP Exit Status
Mar 11 11:36:49 slot2/viprion-3 info bcm56xxd[6561]: 012c0012:6: Info: LACP stats (time now:1457725009) : no traffic
Mar 11 11:36:49 slot2/viprion-3 info bcm56xxd[6561]: 012c0014:6: Exiting...
Mar 11 11:36:49 slot1/viprion-3 notice mcpd[6998]: 0107092a:5: Secondary slot 2 disconnected

(2) No such file or directory

Mar 7 18:07:41 slot2/Viprion-3 warning mcpd[6873]: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: No such file or directory. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/
Mar 7 18:07:41 slot2/Viprion-3 err mcpd[6873]: 01070734:3: Configuration error: Configuration from primary failed validation: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: No such file or directory. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/... failed validation with error 17242028.
Mar 7 18:07:41 slot2/Viprion-3 notice promptstatusd[6024]: 01460006:5: semaphore mcpd.running(1) held
Mar 7 18:07:41 slot2/Viprion-3 err lind[9322]: 013c0004:3: IO error on recv from mcpd - connection lost
Mar 7 18:07:41 slot2/Viprion-3 warning promptstatusd[6024]: 01460005:4: mcpd.running(1) held, wait for mcpd
Mar 7 18:07:41 slot2/Viprion-3 err csyncd[6417]: 013b0004:3: IO error on recv from mcpd - connection lost
Mar 7 18:07:41 slot2/Viprion-3 err clusterd[7183]: 013a0004:3: IO error on recv from mcpd - connection lost
Mar 7 18:07:41 slot2/Viprion-3 info sod[8839]: 010c0009:6: Lost connection to mcpd - reestablishing.
Mar 7 18:07:41 slot2/Viprion-3 err zxfrd[7557]: 0153e0f7:3: Lost connection to mcpd.
Mar 7 18:07:41 slot2/Viprion-3 err bcm56xxd[7564]: 012c0004:3: Lost connection with MCP: 16908291 ... Exiting bsx_connect.cpp(167)
Mar 7 18:07:41 slot2/Viprion-3 info bcm56xxd[7564]: 012c0012:6: MCP Exit Status

Conditions:
The sandbox directory corresponding to the partition that the user is deleting cannot be removed on the secondary blade, for any reason (for example, it does not exist or is not empty).

Impact:
Secondary MCPD exits and blade restarts.

Workaround:
N/A


579843-3 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair that uses dynamic routing.

Conditions:
- An Active/Standby HA pair is set up.
- Both units are configured with a dynamic routing protocol, and Route Health Injection is enabled on one or more virtual addresses.
- The active unit goes through the following succession of failover states: Active -> Offline -> Online -> Standby -> Active.

Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession of states described above.

Workaround:
A failover to Standby and back to Active works around the issue. Restarting tmrouted is also an alternative option.


579694-2 : Monitors may create invalid configuration files

Component: TMOS

Symptoms:
Under certain conditions monitors created or edited in the GUI may save an invalid configuration to disk, causing errors when the configuration is reloaded.

Conditions:
Using the GUI to create/edit monitors.

Impact:
tmsh load sys config will fail.

Workaround:
Use tmsh to create or edit monitors. If your configuration file already contains an offending backslash, remove the backslash manually.


579565-1 : FIPS (ngfips) card-sync fails because it cannot properly handle "\" in the SO (security officer) password.

Component: TMOS

Symptoms:
When setting up the SO (security officer) password using "tmsh run util fips-util -f init", the command accepts a password containing "\" without reporting a problem. However, card-sync fails because it cannot log on to the FIPS card with that password.

Conditions:

Impact:
A password containing '\' causes the card-sync process to fail in a FIPS HA setup.

Workaround:
Reset the password using the command "tmsh run util fips-util -f init" and avoid the special character '\'.


579531 : bd_agent and bd are suddenly restarted, while there is no traffic nor configuration being processed

Component: Application Security Manager

Symptoms:
bd_agent and bd are suddenly restarted while no traffic or configuration is being processed. This log line appears in '/var/log/ts/nwd.log':

asm_start|INFO|Feb 26 01:34:35.922|19639|F5::NwdUtils::Nwd::verify,,bd_agent: not enough threads, exceeded TimesThreadsFail (2)!!

Conditions:
Unknown.

Impact:
bd_agent and bd are suddenly restarted while no traffic or configuration is being processed.

Workaround:
Unknown.


579371-2 : BIG-IP may generate ARPs after transition to standby

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
- HA pair with a VLAN group that has bridge-in-standby disabled.
- An ARP is received just before the transition to standby.

Impact:
Unexpected ARP requests that may result in packet loops.

Workaround:


579252-2 : Traffic can be directed to an incorrect virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to an incorrect virtual during virtual modification

Conditions:
Example configuration in which the issue occurs:

net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
}
ltm pool redirect-echo {
    members {
        10.125.0.17:7
    }
}
ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles {
        fastL4
    }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles {
        udp
    }
    vlans {
        external
    }
    vlans-enabled
}

Impact:
Traffic can be directed to an incorrect virtual server

Workaround:
No known workaround at this time.


579049-1 : TMM core due to wrong assert

Component: Application Visibility and Reporting

Symptoms:
Under stress traffic, TMM may core with the following backtrace:

frame 3: in *__GI___assert_fail
frame 4 will look like this: .... avr_alloc_segmempool_with_id .. mempool.c:278

Conditions:
AVR is provisioned and collecting statistics.

Impact:
TMM may core.

Workaround:


578844-2 : tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.

Component: Access Policy Manager

Symptoms:
tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.

Conditions:

Impact:
Unknown

Workaround:


578564-3 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response

Component: Service Provider

Symptoms:
Connection aborted with RST "ADAPT unexpected state transition (old_state 22 event 7)"

Conditions:
An HTTP virtual has a request-adapt profile. The ICAP server returns an HTTP response for REQMOD. An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.

Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.

Workaround:


578353 : Statistics data aggregation process is not optimized

Component: Application Visibility and Reporting

Symptoms:
CPU spikes may occur every 5 minutes

Conditions:
Occurs all the time

Impact:
High CPU usage may be observed every 5 minutes

Workaround:
For versions based on 11.5.4 and 11.6.0, take the following steps:
1. Edit the entry 'AggregationMode' in the /etc/avr/monpd/monpd.cfg file and set it to 'low' instead of 'medium' or 'high'.
2. Restart monpd afterwards.
For 12.0.0 and later: tmsh modify sys db avr.stats.aggregation value low


578045-2 : The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks

Component: Local Traffic Manager

Symptoms:
The TMM crashes while resuming from an HTTP_PROXY_REQUEST event.

Conditions:
An HTTP_PROXY_REQUEST iRule event parks, and pipelined ingress occurs.

Impact:
TMM crash.

Workaround:
Do not use parking iRule commands within the HTTP_PROXY_REQUEST event. If a parking command must be used, the following may work: use TCP::collect to disable ingress while a potentially parking iRule command executes, then use TCP::release after the command completes to restore normal behavior. Another workaround is to set max-requests to 1 (disabling pipelining).


577863-1 : DHCP relay not forwarding server DHCPOFFER and DHCPACK messages after some time

Component: Policy Enforcement Manager

Symptoms:
If the routing table on the DHCP server is misconfigured so that the DHCP server knows how to send packets to the BIG-IP self IP (used by the BIG-IP DHCP relay) but does not know how to send packets to the DHCP clients, the DHCP client will not receive a DHCP reply to its unicast request and will start to broadcast DHCP renewals. After a while, BIG-IP stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients altogether.

Conditions:
The DHCP server's unicast reply to the client is not received by the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP as the source IP).

Impact:
BIG-IP stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.

Workaround:
Fix the DHCP server routing table so that the DHCP server can deliver DHCP reply packets back to the client successfully.


577831 : VE does not boot without a vga console

Component: TMOS

Symptoms:
Virtual Edition (VE) does not boot and no boot messages are displayed.

Conditions:
This occurs when no video device is present. It is an issue because, by design, the VE grub and kernel configurations default to vga (tty0).

Impact:
VE does not boot.

Workaround:
Use a VGA console option when deploying the VE (via virt-admin, the Xen configuration utility, etc.).


577814-4 : MCPd might leak memory in PEM stats queries.

Component: Policy Enforcement Manager

Symptoms:
System may be unresponsive or crash due to being out of memory.

Conditions:
Can occur when a PEM stats query is processed.

Impact:
System may be unresponsive or crash due to being out of memory.

Workaround:
None.


577785 : Loading sys config might fail after removing NICs for VE

Component: TMOS

Symptoms:
Loading sys config, triggered by MCPD start, might fail after removing NICs from a VE if the given NICs had been configured as data-plane interfaces in BIG-IP Virtual Edition (VE).

Conditions:
- BIG-IP VE.
- Multiple NICs have been configured as the data-plane interfaces.
- One or more of these NICs have been removed from the host side.

Impact:
BIG-IP VE stops working. BIG-IP VE cannot reach the ready state, since almost all other services depend on MCPD being up and running first.

Workaround:
Edit /config/bigip_base.conf to delete the net interfaces that have been removed on the host/hypervisor side.


577440-1 : audit logs may show connection to hagel.mnet

Component: TMOS

Symptoms:
An iControl host header is improperly formatted with the name hagal.mnet. The request is properly delivered to the correct host but contains a badly addressed host header that is ignored. If authorization fails for the iControl query, the audit log will contain this destination information, which may be confusing.

Conditions:
Setting up device trust exercises this code path.

Impact:
No impact to functionality, but confusing for log interpretation.

Workaround:
There is no workaround.


576807-1 : Firewall policies assigned to route domain may not sync across HA

Component: TMOS

Symptoms:
HA devices may report "in sync" even though the firewall policy assigned to the route domain is not being synced. The problem is sporadic.

Conditions:
Route domains are configured across HA peers, and the route domain has a firewall policy attached to it.

Impact:
Firewall policies not syncing correctly within a sync group can cause unexpected or unwanted traffic on the network.

Workaround:
None


576705 : ASM does not start up after TMM crash on a 3600 platform

Component: Application Security Manager

Symptoms:
ASM does not start up after TMM crash on a 3600 platform. In the ASM log there are repeated insufficient thread messages. In the bd log there is a loop of restarts and SIGTERMs happening right after starting up.

Conditions:
tmm crashed or stopped, causing the system to restart ASM.

Impact:
ASM is not running. If bypass ASM is not configured, traffic is not getting through.

Workaround:
Run: bigstart restart asm


576591-4 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern is possible for these cases, but it should be adjusted for each customer specifically.


576350-2 : External input from client doesn't pass to policy agent if it is not the first in the chain.

Component: Access Policy Manager

Symptoms:
When a client is authenticated and the session is then deleted (times out or is manually deleted from memcache), the browser still holds its authorization token. If the client refreshes the page, the browser passes the existing 'authorization' token, which gets deleted by the agent processing the existing task (a message box, in this case) for the targeted agent (the HTTP_401_Response agent, in this case).

Conditions:
A logon page is not the first agent in the access policy chain and receives a pre-authenticated token from the browser.

Impact:
Although the client (browser) sends the pre-authenticated token, the browser still presents a challenge for credentials (pop-up window). This is unnecessary and should not occur.

Workaround:
None.


576305-3 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


576296-2 : MCPd might leak memory in SCTP profile stats query.

Component: Local Traffic Manager

Symptoms:
The memory allocation for mcpd will grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Workaround:


576069-2 : Rewrite can crash in some rare corner cases

Component: Access Policy Manager

Symptoms:
Rewrite can crash in some rare corner cases when specific erroneous elements are present in HTML content.

Conditions:
Any of the following strings triggers a guaranteed rewrite crash:
<meta http-equiv="refresh" />
<meta http-equiv="location" />
<param name="general_servername" />
<param name="wmode" />

Impact:
Web application malfunction.

Workaround:
Use an iRule to correct the improper HTML tag, or fix it directly in the application content.


575735-2 : Potential MCPd leak in global CPU info stats code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying global CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575726-2 : MCPd might leak memory in vCMP interface stats.

Component: TMOS

Symptoms:
MCPd might leak memory in vCMP interface stats.

Conditions:

Impact:
Unknown

Workaround:


575716-2 : MCPd might leak memory in VCMP base stats.

Component: TMOS

Symptoms:
MCPd might leak memory in VCMP base stats.

Conditions:

Impact:
Unknown

Workaround:


575708-2 : MCPd might leak memory in CPU info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in CPU info stats.

Conditions:
In some cases, querying CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575671-2 : MCPd might leak memory in host info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in host info stats.

Conditions:
In some cases, querying host information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575660-2 : Potential MCPd leak in TMM rollup stats

Component: TMOS

Symptoms:
MCPd leaks memory so the amount of used memory will grow over time.

Conditions:
In rare cases, such as immediately after a reboot before system performance stats are populated, querying system performance stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575649-2 : MCPd might leak memory in IPFIX destination stats query

Component: TMOS

Symptoms:
MCPd might leak memory in IPFIX destination stats query.

Conditions:
In some cases, querying IPFIX destination stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575626 : Minor memory leak in DNS Express stats error conditions

Component: Local Traffic Manager

Symptoms:
A minor memory leak can occur in certain error conditions relating to DNS Express statistics.

Conditions:
There are no known DNS Express configurations that will lead to this issue. The problem was detected through standard code review practices and is being patched as a precaution.

Impact:
Memory leaks can eventually lead to system reboots.

Workaround:


575619-2 : Potential MCPd leak in pool member stats query code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying pool member stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575609-3 : Zlib accelerated compression can result in a dropped flow.

Component: Access Policy Manager

Symptoms:
Some compression requests would fail when the estimated compression output block was too small. Such errors deposit an error in the log similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.

Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.

Impact:
The flow that encounters the error is dropped.

Workaround:
Disable hardware accelerated compression.


575608-2 : MCPd might leak memory in virtual server stats query.

Component: TMOS

Symptoms:
MCPd might leak memory in virtual server stats query.

Conditions:
In some cases, querying virtual server stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575595-1 : Potential MCPd leak in eviction policy stats.

Component: TMOS

Symptoms:
The memory allocation for mcpd will grow by a small amount if eviction policy stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An eviction policy is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Workaround:


575591-2 : Potential MCPd leak in IKE message stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE message stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575589-1 : Potential MCPd leak in IKE event stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE event stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575587-2 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575582-2 : MCPd might leak memory in FW network attack stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW network attack stats.

Conditions:

Impact:
Unknown

Workaround:


575571-2 : MCPd might leak memory in FW DOS SIP attack stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.

Conditions:

Impact:
Unknown

Workaround:


575569-2 : MCPd might leak memory in FW DOS DNS stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS DNS stats query.

Conditions:

Impact:
Unknown

Workaround:


575565-2 : MCPd might leak memory in FW policy rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW policy rule stats query.

Conditions:

Impact:
Unknown

Workaround:


575564-2 : MCPd might leak memory in FW rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats query.

Conditions:

Impact:
Unknown

Workaround:


575559-1 : MCPd might leak memory in FW rule user ID validation stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule user ID validation stats.

Conditions:

Impact:
Unknown

Workaround:


575557-1 : MCPd might leak memory in FW rule stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats.

Conditions:

Impact:
Unknown

Workaround:


575499-1 : VPN filter may leave renew_lease timer active after teardown

Component: Access Policy Manager

Symptoms:
TMM core making the system unavailable for a period of time until it comes back up.

Conditions:
When using both IPv4 and IPv6 network access resources, with a static IP address for IPv4 and dynamic address assignment for IPv6, tmm will core while the NA tunnel is running or at the NA disconnect time.

Impact:
TMM cores and brings down the system.

Workaround:
N/A


575347-2 : Unexpected backslashes remain in monitor 'username' attribute after upgrade

Component: Local Traffic Manager

Symptoms:
The monitor 'username' attribute contains unexpected backslashes.

Conditions:
Upgrading from an earlier version with a configuration that contains a monitor 'username' attribute with at least one escaped backslash ('\\').

Impact:
Monitor probes contain excess backslashes which can lead to monitor failures.

Workaround:
Un-escape backslashes after upgrade by transforming '\\' sequences to '\'.


575321-2 : MCPd might leak memory in firewall stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in firewall stats.

Conditions:

Impact:
Unknown

Workaround:


575027-2 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.


574860-1 : HTTP request dropped when using ACCESS::disable from iRule and a Per-Request Policy

Component: Access Policy Manager

Symptoms:
When the ACCESS::disable command is used in an iRule along with a Category Lookup agent in a per-request policy, the HTTP request is incorrectly dropped and the connection reset. This error condition may also occur with other per-request policy agents.

Conditions:
APM deployed with a per-request policy using a Category Lookup agent and an iRule that issues the ACCESS::disable command, both associated with the same virtual server.

Impact:
The HTTP request will be dropped or the HTTP connection will stall and timeout.

Workaround:


574781-2 : APM Network Access IPV4/IPV6 virtual may leak memory

Component: Access Policy Manager

Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, xhead and xdata caches grow over time. Additionally, the ppp_npmode_errors in the ppp stat table will increment with each leak.

Conditions:
APM virtual with Network Access configured with IPv4 and IPv6.

Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.

Workaround:
No workaround short of not enabling IPv6.


574262-1 : Rarely encountered lockup for N3FIPS module when processing key management requests.

Component: Local Traffic Manager

Symptoms:
The N3FIPS module does not respond to key management requests.

Conditions:
No specific condition has been identified for this failure.

Impact:
Existing data continues to forward, but new traffic keys fail. MGMT locks up. This is a rarely encountered issue.

Workaround:
A SNMP trap is generated when N3FIPS is locked up. The trap informs the user that the BIG-IP system must be rebooted. Rebooting clears the condition.


574160-4 : Publishing DNS statistics if only Global Traffic and AVR are provisioned

Component: Application Visibility and Reporting

Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.

Conditions:
LTM is not provisioned.

Impact:
The DNS chart does not show statistics.

Workaround:


574153-2 : If an SSL client disconnects during the handshake, the SSL flow may stall.

Component: Local Traffic Manager

Symptoms:
If the TCP connection shuts down while SSL has offloaded a request to the Nitrox, the connection will stall until the flow expires. This can use excessive memory causing crashes elsewhere.

Conditions:
SSL must be configured on an interface, and a client must connect, begin the handshake, then disconnect while Nitrox requests are outstanding.

Impact:
Other parts of the TMM might crash causing service disruption.

Workaround:


574116-2 : MCP may crash when sync'ing configuration between device groups

Component: TMOS

Symptoms:
mcpd crashes when synchronizing configuration.

Conditions:
The synchronized configuration does not contain an iRule that is attached to a local traffic group resource.

Impact:
Outage due to mcp crash which causes tmm to restart.

Workaround:
Add iRule to configuration being synchronized.


574045-2 : BGP may not accept attributes using extended length

Component: TMOS

Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.

Conditions:
Neighbor sends path attributes using extended length.

Impact:
The BGP adjacency will repeatedly bounce and the RIB will never converge.

Workaround:


573757 : Virtual servers configured with CMP enabled on a chassis can cause cascading primary blade failures when synced across a device group

Component: TMOS

Symptoms:
When a blade syncs its config with a peer device in a device group, an mcpd core dump triggers a new primary blade. If auto-sync is turned on the new primary will attempt to sync again, core dump, and cascade to the next primary.

Conditions:
There must be a virtual server synced in the device group configured with CMP enabled and an iRule. The chassis must also have a local non-synced virtual server referencing the same iRule. If that iRule is deleted on the peer device, it will cause a core dump on the chassis when the change is synced.

Impact:
If auto-sync is disabled on the device group and a user issues a manual sync, the primary blade will core and a new primary will come up out of sync but functional. If auto-sync is enabled on the device group, a cascading primary blade failure will occur. Every time a new primary is established, it will attempt to sync and core dump. This leaves the chassis in a state where the primary blade can't be established.

Workaround:
If auto-sync is turned on, disable it first to prevent cascading failures. One of several things can then be done:
1. Remove the reference from the non-synced virtual server to the iRule that is in the device group.
2. Turn off CMP on the non-synced virtual server.
3. Undo the delete of the iRule on the peer by either recreating it or loading a backup UCS.
Attempt a manual sync and make sure it succeeds before turning auto-sync back on.


573643-2 : flash.utils.Proxy functionality is not negotiated

Component: Access Policy Manager

Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.

Conditions:
Presence of flash.utils.Proxy descendants.

Impact:
Customer application malfunction.

Workaround:
None.


573429-1 : APM Network Access IPv4/IPv6 virtual may leak memory

Component: Access Policy Manager

Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, connflow and tunnel_nexthop caches grow over time.

Conditions:
APM virtual with Network Access configured with no SNAT and both IPv4 and IPv6 enabled.

Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.

Workaround:
No workaround short of not enabling IPv6 support.


573406-3 : ASU cannot be completed if license was last activated more than 18 months before

Component: Application Security Manager

Symptoms:
Attack Signature Update (ASU) cannot be completed if the license was last activated more than 18 months before.

Conditions:
The license was last activated more than 18 months before.

Impact:
Attack Signature Update (ASU) cannot be performed.

Workaround:
The license must be re-activated.


573402-2 : See "C_GetAttributeValue error" with netHSM

Component: Local Traffic Manager

Symptoms:
When netHSM is used with BIG-IP, the message "C_GetAttributeValue error" is sometimes logged. The error is harmless, but it is unnecessary noise: on closer analysis, the C_GetAttributeValue() function should not be called for netHSM at all.

Conditions:
When netHSM is used, this error message may appear.

Impact:
Log is not clean; unnecessary pkcs11 functions are called.

Workaround:
This error message is not harmful. Users can ignore it in the log.


573366-2 : Parking command used in the nested script of a clientside or serverside command can cause a TMM core

Component: Local Traffic Manager

Symptoms:
A parking command used in the nested script of a clientside or serverside command can cause a TMM core.

Conditions:
A parking command is used in the nested script of a clientside or serverside command.

Impact:
TMM cores.

Workaround:
Move the parking command outside the nested script.


573075-2 : ADAPT recursive loop when handling successive iRule events

Component: Service Provider

Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly. The connection is aborted with RST cause "ADAPT unexpected state transition". The adapt profile statistic "records adapted" reaches a very high number as it counts every attempt.

Conditions:
A requestadapt or responseadapt profile is configured. An iRule is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event, that parks. The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked. Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.

Impact:
The connection is aborted with RST cause "ADAPT unexpected state transition". The statistic "records adapted" reaches a very high number. Eventually the TMM crashes and the Big-IP fails over.

Workaround:
If possible, arrange the iRules to avoid the conditions above. In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.


572922-2 : Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.

Component: Application Security Manager

Symptoms:
The following error is produced in the ASM log during upgrade:
-----------
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
-----------

Conditions:
ASM provisioned

Impact:
Different portions of the security policy may be incorrectly upgraded.

Workaround:
N/A


572895 : tcp forwarded flows are reset when time wait recycle of port happens

Component: Local Traffic Manager

Symptoms:
When a flow is forwarded from one tmm to another, and the destination tmm finds that the client is reusing a port that is in time_wait, and time wait recycle is enabled, the source tmm terminates the connection with a RST sent to the SYN-ACK from the client.

Conditions:
Using time-wait recycle and a client reuses the port that is currently in time-wait, and the flow is forwarded to another tmm.

Impact:
Client flows are reset rather than accepted.

Workaround:


572680-3 : Standby TMM might overflow send buffer if out of sync with Active TMM

Component: Local Traffic Manager

Symptoms:
Send buffer size is unlimited on a standby TMM. If sync is lost with the active TMM while a TCP client is advertising a zero receive buffer, the standby TMM might continue to use a zero send buffer indefinitely. This eventually leads to the send buffer overflowing on the standby TMM.

Conditions:
Standby TMM loses sync with active TMM while a TCP client's advertised receive window is zero.

Impact:
Standby TMM can accumulate too much data in the send buffer and overflow.

Workaround:
This issue is less likely with a low zero-window-timeout value in the TCP profile.


572246 : When a rewrite profile using the default settings is attached to a virtual server, all layer 3 connectivity will begin to fail.

Component: TMOS

Symptoms:
By default, the 'rewrite' profile is in APM portal mode. When enabling a 'rewrite' profile on a vCMP guest with ten cores allocated, all layer 3 connectivity to the virtual IP will begin to fail. Errors similar to the following are seen in the TMM log (/var/log/tmm):
notice share_mem: shmget(0x1304d8, 657664, 0x3b6): Invalid argument
The system posts errors similar to the following in the Local Traffic logs (/var/log/ltm):
crit tmm1[17820]: 01000025:2: Device error: mpi failed to allocate shared memory
err tmm1[17820]: 01480043:3: Failed to build plugin profile for /Common/rewriteplugin
err tmm1[17820]: 01480002:3: Can't initialize plugin configuration
crit tmm1[17820]: 01000203:2: Proxy failed to attach plugin rule
err tmm1[17820]: 01000008:3: Proxy initialization failed for /Common/my_virtual

Conditions:
A 'rewrite' profile in portal mode (the default) on a vCMP guest with ten cores allocated. A 'rewrite' profile is required for rewriting content; this is required for APM Portal deployments and VDI deployments.

Impact:
When a 'rewrite' profile using the default settings is attached to a virtual server all layer 3 connectivity to the virtual IP will fail.

Workaround:
Use another core allocation configuration for the guest (such as two, four or eight). If the APM (portal) function is not required, create a custom 'rewrite' profile with the 'rewrite-mode' option of 'uri-translation'.


572224-4 : Buffer error due to RADIUS::avp command when vendor IDs do not match

Component: Service Provider

Symptoms:
Errors similar to the following appear in the LTM log:
err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within "RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6".

Conditions:
The issue happens when there is a RADIUS::avp command for a vendor-specific AVP and a RADIUS request contains a different Vendor-type than the one specified in the iRule command.

Impact:
Customers are unable to use vendor-specific RADIUS AVP commands.

Workaround:
None.


572180-2 : httpclass containing escaped backslashes: backslashes are stripped on migration to LTM policy

Component: Local Traffic Manager

Symptoms:
When upgrading or installing a UCS file with HTTP class profiles, values containing escaped backslashes will have the escaped backslashes stripped from the value.

Conditions:
An HTTP class profile with values containing escaped backslashes.

Impact:
The escaped backslashes will be removed and then the policy will not correctly match.

Workaround:
Edit the policy and add backslashes back in.


572025-2 : HTTP Class profile using a path selector upgrade to a policy that does not match the entire path

Component: Local Traffic Manager

Symptoms:
If you upgrade to version 11.4.0 or newer and your configuration contains an HTTP Class profile with a paths selector, the generated policy does not match.

Conditions:
An HTTP Class profile containing a paths selector.

Impact:
The generated policy does not match the same paths as the original HTTP Class profile.

Workaround:
Manually edit the resulting policy.


571718-2 : LocalDB Auth Logs New Password in Debug Log on password change

Component: Access Policy Manager

Symptoms:
When a local user changes the password, the LocalDB component logs the new password at Debug level. Also, during parsing of the HTTP header, the content of the "_F5_challenge" parameter, which contains the local user's password, is logged.

Conditions:

Impact:
The password is plainly visible in the log file /var/log/apm.

Workaround:


571573-2 : Persistence may override node/pmbr connection limit

Component: Local Traffic Manager

Symptoms:
In certain circumstances the BIG-IP system may load balance connections to a node or pool member over the configured connection limit.

Conditions:
- Pool member or node configured with a connection limit.
- L4 or L7 virtual server.
- Persistence configured on the virtual server.
- Very high load on the unit.

Impact:
The BIG-IP system may load balance connections to a node or pool member over the configured connection limit.

Workaround:
Remove persistence or use another method of limiting the connections (rate limiting or connection limit on the Virtual Server).


571333-1 : fastL4 tcp handshake timeout not honored for offloaded flows

Component: TMOS

Symptoms:
When a VIP is configured with a fastL4 profile that enables full acceleration and sets the offload state to embryonic, and a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastL4 profile, but it should be set to the "tcp handshake timeout" instead.

Conditions:
1. Configure a fastL4 profile with ePVA=full and offload state=SYN, and apply it to a network VS.
2. Ensure an ARP entry exists for the server node (static ARP, ping, etc.) to satisfy the requirements for offloading the initial SYN.
3. Send a SYN packet from the client to the server via the VS.

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the offload state to "established".


571210-4 : Upgrade, load config, or sync might fail on large configs with large objects.

Component: TMOS

Symptoms:
Attempting to load a large config with large objects may result in the following error message:
err mcpd[7366]: 01070710:3: Database error (52), Can't write blob data, attribute:implementation status:52 - EdbBlobData.cpp, line 57
Attempting to synchronize a large change may result in the following error messages and a crash of the MCPD process:
err mcpd[8210]: 01071693:3: Incremental sync: Caught an exception while adding a transaction to the incremental config sync cache: unexpected exception.
err mcpd[8210]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: Can't write blob data, attribute:msgs status:52
err mcpd[8210]: 01070596:3: An unexpected failure has occurred, request_group destroyed while processing, exiting...

Conditions:
The config must be approximately 19.75 MB (slightly less) before processing a large object in the config that exceeds 256 KB. Or, once the config exceeds 19.75 MB and 2 MB of additional memory has been allocated, processing config objects that exceed 256 KB (the larger the object, the more likely the error) leads to the error.

Impact:
Upgrade, load config, or sync might fail, and a system crash and restart might occur.

Workaround:
Stagger the load, or reduce the size of particularly large objects within a config.


571183-2 : Bundle-certificates Not Accessible via iControl REST.

Component: Local Traffic Manager

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


571090 : When BIG-IP is used as SAML IdP, tmm may restart under certain conditions

Component: Access Policy Manager

Symptoms:
tmm restarts.

Conditions:
TBA (needs more investigation). BIG-IP is configured as SAML IdP.

Impact:
Tmm may restart.

Workaround:
None


571019-3 : Topology records can be ordered incorrectly.

Component: TMOS

Symptoms:
Topology records can have missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IP systems in a sync group.

Conditions:
When adding or deleting topology records or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues, including differences in the ordering of topology records on BIG-IP systems in a sync group.

Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IP systems in a sync group.

Workaround:
None.


570845-2 : Configuration Infrastructure Should Reject Invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy

Component: TMOS

Symptoms:
The configuration infrastructure currently allows the invalid 'None' option to be configured on an IKE peer for phase 1 perfect forward secrecy. Although the ability to configure the 'None' option is a bug (BZ570839) which happens on specific browsers, the configuration infrastructure should have stronger checking and prevent the acceptance of an invalid 'None' option for configured IKE peers.

Conditions:
The ability to configure an IKE peer with the invalid 'None' option for perfect forward secrecy occurs on the Internet Explorer and Safari browsers (see BZ570839), and the configuration infrastructure does not reject this invalid configuration in these cases.

Impact:
An IKE peer created with the invalid 'None' perfect forward secrecy setting does not allow an IKE session to be established.

Workaround:
Don't configure the 'None' option on an IKE peer.


570839 : IPSEC IKE-v2 Peer UI does not prevent configuration of 'NONE' option using Microsoft Internet Explorer.

Component: TMOS

Symptoms:
Safenet client not able to establish session to all HSMs on all blades.

Conditions:

Impact:
Unknown

Workaround:


570818-2 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Component: TMOS

Symptoms:
LTM IPsec IKEv2 does not support dynamic remote-address CONFIG option, but still might potentially process that information sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure in establishing IPsec SA.

Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.

Impact:
Failure in establishing IPsec SA.

Workaround:
None.


570640-2 : APM Cannot create symbolic link to sandbox. Error: No such file or directory

Component: Access Policy Manager

Symptoms:
The user may encounter the following configuration error when adding a new APM sandbox-contained object in a non-default partition (other than /Common) if the user has ever attempted (but failed) to delete this partition (for example, because it was not empty):
01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Validating configuration process failed.

Conditions:
The user has ever attempted (but failed) to delete the partition.

Impact:
No more APM sandbox object such as Hosted-Content can be added to the partition. Upgrade may fail to install configuration with the impacted sandbox object.

Workaround:
Manually use the shell command 'mkdir -p' to re-create the missing directory in which the symbolic link is supposed to be created, as shown in the error message. The directories to create (with mkdir -p) are:
/config/filestore/files_d/OUTSIDE_PROD_d/sandbox_file_d
/var/sam/www/webtop/sandbox/files_d/OUTSIDE_PROD_d/sandbox_file_d
After creating the directories, sync to the active unit.


570419-2 : Use of session DB on multi-process appliances and blades may core.

Component: TMOS

Symptoms:
On selected devices and blades, tmm runs multiple processes. When running multiple processes, the session DB may occasionally attempt an operation that will cause a tmm segfault.

Conditions:
In order to experience this failure, tmm must be running in multiple processes on the appliance or on the blade, and session DB usage is required with mirroring.

Impact:
Outage and restart of tmm. This applies when bringing up blades as well as bringing peers online.

Workaround:
None.


570363-2 : Potential segfault when MRF messages cross from one TMM to another

Component: Service Provider

Symptoms:
When MRF messages travel from one TMM to another and an asynchronous operation (such as persistence) also occurs, it is possible for the message object to be removed before the asynchronous operation completes. If this occurs, a segfault may result.

Conditions:
When MRF messages travel from one TMM to another and an asynchronous operation (such as persistence) also occurs, it is possible for the message object to be removed before the asynchronous operation completes. If this occurs, a segfault may result.

Impact:
System restarts - message is lost.

Workaround:


569972-2 : Unable to create gtm topology records using iControl REST

Component: Global Traffic Manager

Symptoms:
The user is unable to create gtm topology records using iControl REST.

Conditions:
This occurs when a user issues an iControl REST POST command for a gtm topology record.

Impact:
The iControl REST POST command fails with the following error: 'Topologies must specify both regions: ldns: server:'.

Workaround:
Use TMSH, iControl SOAP, or the GUI to create gtm topology records.


569642-4 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.

Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- Default route to the pool via an intermediate router.
- The active unit is handling traffic.
- The active unit fails over and loses its mirroring connection.
- The prior active unit comes back and the HA connection is re-established.
- During the loss of HA and its recovery, the now active unit loses its only route to the pool member.

Impact:
TMM will core and the failover will occur. As this is soon after the HA re-establishment, previously mirrored connections may be lost.

Workaround:
Do not remove all routes to pool members. If this is needed, create other backup routes prior to the deletion.


569583-1 : Secondary Blade Rejects All Traffic

Component: Application Security Manager

Symptoms:
After an upgrade ends in errors, the device may be left in a state that it erroneously believes to still be in the middle of the upgrade.

Conditions:
A second blade is installed into a chassis and there are errors as it comes up. System configuration is never successfully loaded.

Impact:
Secondary blade blocks all ASM traffic.

Workaround:
1) Delete the /var/ts/var/install/ucs_install.pid file on all blades.
2) Push a fresh sync from a good device.


569521-4 : Invalid WideIP name without dots crashes gtmd.

Component: Global Traffic Manager

Symptoms:
If a user creates a WideIP or WideIP Alias with a name that does not contain a dot, gtmd crashes. The symptom is a crash and core dump from gtmd.

Conditions:
This occurs when the following conditions are met:
-- FQDN validation is suppressed by the following setting: gtm global-settings general domain-name-check == 'none'.
-- User attempts to create a WideIP with a name that does not contain a dot.

Impact:
gtmd crashes and WideIPs do not function.

Workaround:
When creating a WideIP or WideIP Alias while FQDN validation has been disabled (by setting gtm global-settings general domain-name-check == 'none'), make sure that the WideIP or WideIP Alias name contains at least one dot and follows these rules:
-- The name must not end with a dot.
-- The name must not begin with a dot, unless '.' is the entire name.
-- The name contains no consecutive dots.


569472-2 : TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled

Component: Global Traffic Manager

Symptoms:
tmm cores with sigsegv within lb_why_pmbr_str.

Conditions:
1. A GTM/BIG-IP DNS pool or pool member is disabled.
2. pool-member-selection is enabled for load-balancing-decision-log-verbosity.

Impact:
tmm cores.

Workaround:
Disable pool-member-selection for load-balancing-decision-log-verbosity.


569356-2 : BGP ECMP learned routes may use incorrect vlan for nexthop

Component: Local Traffic Manager

Symptoms:
BGP with ECMP may result in learned routes using an incorrect next-hop VLAN if more than one VLAN is configured with global IPv6 addresses in the same route domain (RD) where the routing protocol is running.

Conditions:
BIG-IP with two or more VLANs configured with IPv6 global addresses, and BGP with ECMP peered with an active IPv6 BGP neighbor. BGP is also configured with max-paths.

Impact:
The traffic randomly gets black-holed.

Workaround:


569349-2 : Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled

Component: Local Traffic Manager

Symptoms:
When the net cos (Class of Service) feature is enabled, the VLAN priority of CMP-redirected packets is not preserved from ingress to egress.

Conditions:
1. The net cos feature is enabled.
2. The packet is CMP-redirected from one TMM to another TMM for processing.

Impact:
Egress packets are not processed according to the ingress VLAN priority by the BIG-IP system and the downstream router. Certain packets will be dropped by the downstream router due to the wrong VLAN priority mark.

Workaround:
None.


569337-2 : TCP events are logged twice in a HA setup

Component: Advanced Firewall Manager

Symptoms:
TCP log events are logged twice (if enabled in the security log profile) with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).

Conditions:
When there is an HA setup (Active/Standby), or both client-side and server-side connection flows.

Impact:
TCP log events are logged twice (duplicate events from the active unit and the standby unit, or from both the client side and the server side of the connection flow).

Workaround:
N/A


569288-2 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in LACP control frames. This causes some LACP trunk members to fail to aggregate with the peer switch.

Conditions:
This only happens in a chassis-based system when a race condition causes the trunk ID to be modified after initial trunk creation.

Impact:
Non-aggregated trunk members will not be able to pass traffic.

Workaround:
Restart lacpd on all the blades in the chassis by running the command "clsh bigstart restart lacpd".


569280-1 : BIG-IP does not delete the SA on peer box after erase/modify ike-peer

Component: TMOS

Symptoms:
After an erase/modify of an ike-peer, the phase 1 and phase 2 SAs are deleted on the BIG-IP system but not on the peer box.

Conditions:
Any erase/modify ike-peer causes it.

Impact:
Possible loss of connectivity (if the initiator has an SA but the receiver does not).

Workaround:
Delete the SA manually.


569270 : BIG-IQ CM 4.6 incompatible with BIG-IP 11.6.1.

Component: iApp Technology

Symptoms:
The restnoded process on the BIG-IP system continuously cycles after discovery by BIG-IQ CM 4.6.

Conditions:
Using BIG-IQ CM 4.6 to discover BIG-IP systems running 11.6.1.

Impact:
BIG-IQ CM 4.6 cannot manage BIG-IP 11.6.1.

Workaround:
Do not use BIG-IQ CM 4.6 to discover BIG-IP systems running version 11.6.1.


569236-4 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the first part of a fix provided for this issue. See fixes for bug 569236 for the second part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.


569206-2 : After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.

Component: Local Traffic Manager

Symptoms:
After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.

Conditions:
Connectivity loss and restoration between HSM and pkcs11d.

Impact:
Sometimes one or more blades consistently fail SSL, while others work fine after the network is restored.

Workaround:
None. This is an intermittent failure.


568889-2 : Some ZebOS daemons do not start on blade transition secondary to primary.

Component: TMOS

Symptoms:
In some specific cases the standby unit's secondary blade ZebOS daemons might not get started when it becomes active.

Conditions:
If the failover occurs as a result of the primary blade's mcpd restarting.

Impact:
The new primary blade does not start some ZebOS daemons resulting in ospf not working as expected on the standby unit.

Workaround:
Run the following tmsh command on the new active unit: bigstart restart tmrouted.


568722 : Gy quota and end of session reporting does not work under certain conditions.

Component: Policy Enforcement Manager

Symptoms:
Gy quota and end-of-session reports are not sent for a session under certain conditions: classification is disabled on the virtual server that handles the session; classification is enabled but the session's policy has no actions or classification filters; or classification is enabled and no policy applies to the session.

Conditions:
1. Classification is disabled on the virtual server that handles the session.
2. Classification is enabled AND the session's policy has no actions or classification filters.
3. Classification is enabled AND no policy applies to the session.

Impact:
No Gy quota or end-of-session reports are sent for the session.

Workaround:
For the first two conditions, disable the optimization that removes certain HUD nodes based on the configured policies or actions.


568347-2 : BD Memory corruption

Component: Application Security Manager

Symptoms:
An Enforcer crash occurs and UMU errors may appear in the bd.log file.

Conditions:
N/A

Impact:
Traffic is disrupted while the Enforcer restarts.

Workaround:


568229-2 : [LTM][DNS] save-on-auto-sync with partitions fails for ltm dns partition objects

Component: Local Traffic Manager

Symptoms:
Even though auto-sync is enabled and save-on-auto-sync is true on a device group that has a partition assigned to it, creating an ltm dns object in that partition is transmitted to the peer device's running configuration but is not written to its bigip.conf.

Conditions:
1. auto-sync and save-on-auto-sync are enabled for the device group;
2. The device group has a partition assigned to it;
3. An ltm dns object is created in that partition.

Impact:
Changes are not written to conf files as expected.

Workaround:
Save the configuration manually at regular intervals on the peer device.


568182-1 : IPsec is not sending phase 2 delete

Component: TMOS

Symptoms:
IPsec does not remove the IKE SA when a traffic selector changes. As a result, the SA state on the two IPsec peers diverges, which can cause a significant delay in communication.

Conditions:
Changing a traffic selector on one device forces deletion of the SA on that device, but the deletion is not propagated to the peer.

Impact:
Significant delay in communication.

Workaround:
Delete the SA manually (which may not be possible).


567660-2 : Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature

Component: Access Policy Manager

Symptoms:
An existing TCP connection is sporadically disrupted by the BIG-IP virtual server sending a SYN-ACK, causing the connection to fail. The client and virtual server set up a good TCP connection, complete the SSL handshake and start passing application data. The APM virtual server then sends a SYN-ACK whose sequence and acknowledgement numbers do not match the existing stream. It retries the SYN-ACK three times before giving up and sending a RST-ACK, which drops the connection attempt; because it shares the same ip:port as the existing connection, it also resets the good connection.

Conditions:
The global Auto Last Hop setting is disabled.

Impact:
APM RDG feature does not work

Workaround:
1. Enable Auto Last Hop, OR
2. Set cmp_enabled to 'NO' on the virtual server.


567400-2 : Policy Diff/Merge Does Not Work Correctly For Session Awareness Login Pages

Component: Application Security Manager

Symptoms:
When comparing Security Policies with Session Awareness enabled for specific Login Pages, false differences are shown in the Diff. Additionally, attempting to merge policies with these elements does not provide expected enforcement, as the Login Pages will not be enabled correctly in the target policy.

Conditions:
A Security Policy with Session Awareness Login Pages is compared with Policy Diff

Impact:
False differences may appear, and merging them will not provide expected enforcement.

Workaround:
These elements can be ignored in the Diff Summary before an auto-merge, and handled manually.


567355-1 : Scheduled report lost after loading configuration

Component: Application Visibility and Reporting

Symptoms:
A saved scheduled report is lost after loading the system configuration.

Conditions:
Create a scheduled report. Save the configuration. Load the configuration. The scheduled report no longer exists.

Impact:
The scheduled report can be lost.

Workaround:


566646-4 : Portal Access could respond very slowly for large text files when using IE < 11

Component: Access Policy Manager

Symptoms:
When accessing a large 'text/plain' file from a server with Internet Explorer version 7 through 10 client browsers, Portal Access sometimes holds the response until it fetches and processes the entire file contents. This can take tens of seconds, or even minutes.

Conditions:

Impact:
Large text files can't be accessed or downloaded through Portal Access.

Workaround:
An iRule that does either of the following:
a) Preferred: append F5CH=I to the request URI in HTTP_REQUEST for affected requests.
b) Call REWRITE::disable for affected requests.


566576-2 : ICAP/OneConnect reuses connection while previous response is in progress

Component: Service Provider

Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.

Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile. The issue is triggered by a disconnection of the IVS by the parent HTTP virtual server before the ICAP transaction is complete. This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.

Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.

Workaround:
Remove OneConnect.


566361-8 : RAM Cache Key Collision

Component: Local Traffic Manager

Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled

Conditions:
This occurs when RAM cache is enabled in certain circumstances.

Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.

Workaround:
None.


566061-1 : Subscriber info missing in flow report after subscriber has been deleted

Component: Policy Enforcement Manager

Symptoms:
If the subscriber is deleted during a subscriber flow, the flow reports begin to report the subscriber ID as "unknown". It becomes difficult to map the flow to that specific subscriber.

Conditions:
Flow reporting is enabled for a subscriber, and the subscriber is deleted in the middle of a flow.

Impact:
Customers who match flows by subscriber ID miss the flows that are reported with an unknown subscriber.

Workaround:


565534-2 : Some failover configuration items may fail to take effect

Component: TMOS

Symptoms:
These symptoms apply to version 12.0.0 and higher: When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device. These symptoms can occur on all versions: When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.

Conditions:
For version 12.0.0 and higher: Multicast failover is configured and the system loads the configuration from the configuration files. For example during the first boot of a new boot location or after performing the procedure in Sol13030. For all versions: A change is made to the cm device configuration that includes a unicast-address change along with something else.

Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.

Workaround:
Mitigation for the v12.0.0 symptom: To restore multicast failover, disable and re-enable multicast failover. This must be done from the CLI on the local device.
Determine which interface is being used for multicast failover:
tmsh> list cm device bigip1 multicast-interface
Disable and re-enable multicast failover:
tmsh> modify cm device bigip1 { multicast-interface none }
tmsh> modify cm device bigip1 { multicast-interface eth0 }
Mitigation for the all-versions symptom: Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.
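The toggle above is easy to get wrong when typed by hand, because the second modify must restore exactly the interface that was configured. The following bash script is an added example, not part of this F5 release note: it reads the interface from the tmsh listing, refuses to proceed if none is configured (re-enabling would otherwise set an arbitrary interface), and only then issues the two modify commands. The device name bigip1 and the environment variable APPLY_ON_BIGIP are assumptions for this example.

```shell
#!/bin/bash
# Added example: re-apply multicast failover on the local device by reading
# its multicast-interface, setting it to none, then restoring it.
# Assumptions: device name "bigip1"; APPLY_ON_BIGIP=1 is set only when
# running on the BIG-IP itself (tmsh is not available anywhere else).

# Extract the interface name from the output of
#   tmsh list cm device <dev> multicast-interface
# which has the form:
#   cm device bigip1 {
#       multicast-interface eth0
#   }
parse_multicast_interface() {
    # $1: captured tmsh output; prints the interface name (may be "none")
    printf '%s\n' "$1" | awk '$1 == "multicast-interface" { print $2; exit }'
}

# Print the two tmsh commands that disable and re-enable multicast failover,
# one per line, so they can be reviewed before being applied.
multicast_reset_commands() {
    local dev="$1" iface="$2"
    if [ -z "$iface" ] || [ "$iface" = "none" ]; then
        echo "refusing: device $dev has no multicast-interface configured" >&2
        return 1
    fi
    printf 'modify cm device %s { multicast-interface none }\n' "$dev"
    printf 'modify cm device %s { multicast-interface %s }\n' "$dev" "$iface"
}

# Live run on the BIG-IP: query, generate, then apply each command via tmsh -c.
multicast_reset_live() {
    local dev="$1" out iface
    out=$(tmsh list cm device "$dev" multicast-interface)
    iface=$(parse_multicast_interface "$out")
    multicast_reset_commands "$dev" "$iface" | while IFS= read -r cmd; do
        tmsh -c "$cmd"
    done
}

# Only touch the running system when explicitly asked to.
if [ -n "${APPLY_ON_BIGIP:-}" ]; then
    multicast_reset_live "${DEVICE_NAME:-bigip1}"
fi
```

Run it on the affected device as APPLY_ON_BIGIP=1 DEVICE_NAME=bigip1 bash reset-mcast.sh; without the variable it only defines the functions, which is also how the parsing can be checked against a pasted tmsh listing before use.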


565412-1 : AVR reports device-level mitigation as "Device Level" and not as "Aggregated"

Component: Application Visibility and Reporting

Symptoms:
When AVR gets a report on device-level mitigation, it reports it as "Aggregated" instead of "Device Level".

Conditions:
When AVR gets a report on device-level mitigation.

Impact:
The network reports are not clear or detailed enough.

Workaround:


565409-4 : Invalid MSS with HW syncookies and flow forwarding

Component: Local Traffic Manager

Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.

Conditions:

Impact:
TMM core/reboot.

Workaround:
Disable HW syncookies or TSO.


565231-2 : If an exported policy has two objects named profile_name-aaa and aaa, import fails

Component: Access Policy Manager

Symptoms:
If an exported access policy includes two object names profile_name-aaa and aaa, import might fail or be incorrect.

Conditions:
For example: access policy name "test", access policy item name "test-empty", access policy item name "empty".
Or: access policy name "test", access policy item name "test-empty", macro name "empty".

Impact:
Serious but very rare. Import of such a policy fails.

Workaround:
One of the objects can be renamed in the bigip.conf file to avoid the naming pattern.


565137-1 : Pool licensing fails in some KVM/OpenStack environments

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.

Workaround:
There is no workaround.


564956-4 : PCCD core and slow running SQL

Component: Advanced Firewall Manager

Symptoms:
Search in network firewall log is very slow.

Conditions:
This occurs with large log files.

Impact:
Log searches can be very slow for very large log files.

Workaround:
Use custom search filters to speed up the search times.


564521-3 : JS passed to ExternalInterface.call() can be erroneously unescaped

Component: Access Policy Manager

Symptoms:
JavaScript passed to ExternalInterface.call() can be erroneously unescaped if Adobe SWF is version 24 or less.

Conditions:
Adobe Action Script 3 SWF version 24 or less.

Impact:
Arbitrary Adobe Flash application malfunction.

Workaround:
There is no workaround.


564482-2 : Kerberos SSO does not support AES256 encryption

Component: Access Policy Manager

Symptoms:
If the delegation account is enforced to use AES256 encryption, then APM Kerberos SSO will fail. Example error message: Dec 18 19:22:19 bigip8910mgmt err websso.7[31499]: 014d0005:3: Kerberos: can't decrypt S4U2Self ticket for user 'username' - Decrypt integrity check failed (-1765328353).

Conditions:
Delegation account is enforced to use AES256 encryption.

Impact:
Kerberos SSO fails and the user is prompted to enter credentials.

Workaround:
Disable the option to enforce AES256 encryption for the delegation account.


563933-2 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs

Component: Local Traffic Manager

Symptoms:
A and AAAA RRsets in the additional section are dropped.

Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.

Impact:
Failure to include the additional RRs, which could be glue records for a resolver, results in additional lookups by the client.

Workaround:
Set dns64-additional-section-rewrite to 'any'.


563591-2 : Reference to freed loop_nexthop may cause tmm crash.

Component: Local Traffic Manager

Symptoms:
tmm may crash intermittently when there are cmp directed VIP (Virtual IP) to VIP traffic.

Conditions:
When CMP directed VIP to VIP traffic exists.

Impact:
tmm crash and traffic passing is disrupted on BIG-IP.

Workaround:
None.


563443-2 : WebSSO plugin core dumps under very rare conditions.

Component: Access Policy Manager

Symptoms:
WebSSO plugin core dumps under very rare conditions.

Conditions:
When two threads read and update on the cache data structure at the same time. This issue is rarely reproducible. This happens due to operations on a global data structure by multiple threads (one updating while another is reading). With a greater number of worker threads, the possibility of encountering the problem increases.

Impact:
WebSSO plugin core dumps.

Workaround:
None.


563419-5 : IPv6 packets containing extended trailer are dropped

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets are dropped

Conditions:
IPv6 packet contains trailing bytes after payload

Impact:
Packet loss

Workaround:


563349-3 : On Mac, NA proxy settings are not applied to tun adapter after VPN is established

Component: Access Policy Manager

Symptoms:
In some cases, the user may not be able to browse to external or internal web sites because the proxy settings are not used.

Conditions:
The user's machine has local proxy settings configured, and the NA settings specify a proxy configuration.

Impact:
User may not be able to browse some sites, or the connection would not take the proxy settings into account.

Workaround:
None


563232-2 : FQDN pool in resource prevents Access Policy Sync.

Component: Local Traffic Manager

Symptoms:
FQDN pool in resource prevents Access Policy Sync

Conditions:

Impact:
Unknown

Workaround:


563227-3 : When a poolmember goes down, persistence entries may vary among tmms

Component: Local Traffic Manager

Symptoms:
When a poolmember goes down, persistence entries may vary among tmms. The result will be that rather than persisting to a single pool member, the new connections may arrive on different pool members based on the number of tmms on the BIG-IP platform in use.

Conditions:
Using persistence with some connections persisted to a pool member that goes down, either administratively or due to a monitor. During this time, the client is issuing several new connections to the BIG-IP system.

Impact:
Inconsistent persistence entries.

Workaround:


563144 : Changing the system's admin user causes many errors in the REST framework.

Component: Centralized Management

Symptoms:
The iControl REST log at /var/log/icrd will have entries similar to the following: notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
Follow the steps in the Solution https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15632.html and change the default admin user.

Impact:
Many REST APIs do not function, and functionality that depends on REST fails.

Workaround:
None.


563064-1 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory

Component: TMOS

Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when the IPsec tunnel is removed.

Conditions:
Every time an IPsec tunnel is established and then removed, the allocated cipher memory is left in the system.

Impact:
Slow TMM memory leak.

Workaround:


562919-2 : TMM cores in renew lease timer handler

Component: Access Policy Manager

Symptoms:
TMM generates core.

Conditions:
All three of the following conditions must be met:
1) Both IPv4 and IPv6 network access connections are enabled for the same network access resource.
2) The IPv4 address is statically assigned.
3) The IPv6 address is dynamically assigned from the lease pool.

Impact:
TMM generates core on network access connection close.

Workaround:
Workaround 1) Use an IPv4-only network access connection.
Workaround 2) When using both IPv4 and IPv6 network access connections, assign both the IPv4 and IPv6 endpoint addresses from the IPv4 and IPv6 lease pools respectively.
Workaround 3) When using both IPv4 and IPv6 network access connections, assign both the IPv4 and IPv6 endpoint addresses statically.


562885 : TMM segfault in flow_find_opaque_ctx() caused by corrupt opaque ctx.

Component: Local Traffic Manager

Symptoms:
TMM segfault in flow_find_opaque_ctx() caused by corrupt opaque ctx.

Conditions:

Impact:
Unknown

Workaround:


562644-4 : TMM may crash when AAM receives a pipelined HTTP request while shutting down the connection

Component: WebAccelerator

Symptoms:
In rare conditions, when a client sends pipelined HTTP requests and AAM is configured, AAM may incorrectly process a subsequent request, crashing TMM.

Conditions:
1) The BIG-IP system is licensed for AAM and ASM.
2) A virtual server has AAM configured.
3) AVR is configured on the virtual server (analytics profile).
4) An HTTP compression profile is configured on the virtual server.
5) ASM is configured on the virtual server.
6) A client sends a number of pipelined HTTP requests. AAM may then crash TMM on a subsequent request if ASM initiates connection closure after processing one of the previous requests.

Impact:
A TMM crash causes failover and loss of all cached data in TMM. If there is no standby BIG-IP system, it may disrupt traffic processing.

Workaround:
None.


562452 : Perpetual 'Loading...' banner when updating values in GUI System :: Preferences.

Component: TMOS

Symptoms:
The GUI banner 'Loading... Receiving configuration data from your device' does not disappear when updating changes in System :: Preferences page.

Conditions:
Use a BIG-IP system running 11.6.0 HF6. Make changes to System :: Preferences page.

Impact:
The GUI banner 'Loading... Receiving configuration data from your device' stays without showing the modified data. This is cosmetic. The changes are properly sent and stored. Reloading the page shows the new values.

Workaround:
None needed. This is cosmetic.


562044-2 : Statistics slow_merge option does not work

Component: TMOS

Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge' then the merging of statistics stops working. This causes statistics to no longer appear to be updated.

Conditions:
The DB variable 'merged.method' is set to 'slow_merge'.

Impact:
Statistics no longer appear to be updated.

Workaround:
Use fast_merge.


561814-1 : TMM Core on Multi-Blade Chassis

Component: TMOS

Symptoms:
TMM core.

Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted, and where traffic is being cached by datastor.

Impact:
TMM cores.

Workaround:
None.


561595-2 : Guest user cannot see Event Correlation details

Component: Application Security Manager

Symptoms:
Guest user cannot see Event Correlation details.

Conditions:
Log in as Guest

Impact:
Limited read access for guest users.

Workaround:
For guest user - there is no workaround, but if it is possible to log in as another user - then everything works.


561539-2 : [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.

Component: Global Traffic Manager

Symptoms:
When upgrading from 10.x to 11.x Wide IP pool member ratio value is changed from 0 to 1.

Conditions:
1. Upgrade from v10.x to v11.x.
2. A Wide IP pool member ratio is set to 0.

Impact:
Wide IP pool member ratio is changed to 1 (the default) from 0 after upgrading, potentially enabling selection of members that had been "disabled" with a ratio of 0.

Workaround:
Manually change ratio back to 0 after upgrade.


560683-3 : HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound()

Component: TMOS

Symptoms:
tmm crash after a number of failovers (approximately two to four).

Conditions:
This occurs in a high availability (HA) configuration with IPSEC traffic and multiple failovers. This is an intermittent issue.

Impact:
tmm might core/crash on standby unit in HA configuration.

Workaround:
None.


560405-6 : Support optional target IP address and port in the 'virtual' iRule API

Component: Local Traffic Manager

Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to another virtual server (or remote endpoint). This use case is also known as "vip-to-vip" forwarding. The available iRule API (the 'virtual' command) has been improved to support this functionality.

Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.

Impact:
The customer is not able to implement HTTP Forward Proxy + Transparent redirection to a Web-Cache Pool (according to the related Subcase).

Workaround:

Behavior Change:
The 'virtual' iRule API has been changed to support a secondary target IP address and port to which the connection is redirected from a given virtual server. The new signature of the 'virtual' iRule API is:
virtual [<name>] [<ipaddr> [<port>]]
where:
<name> = the name of the virtual server to redirect the connection from
<ipaddr> = the target IP address of the remote endpoint to route the connection to, through the specified virtual server; <ipaddr> can also carry a route domain (%)
<port> = the port of the remote endpoint to route the connection to, through the specified virtual server


560114-3 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When Monpd is restarted, it starts printing non-stop error message to logs. Analytics statistics may be lost, and new data cannot be loaded.

Conditions:
A system I/O issue (possibly caused by /var/log being full).

Impact:
AVR statistics are lost. Monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following commands:
find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd


559975-5 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth

Component: Global Traffic Manager

Symptoms:
HTTP basic authentication uses a base64 encoded string. When an HTTP monitor username or password is changed, the b64 string is regenerated and may become malformed.

Conditions:
When an http monitor username or password is changed, e.g. shortened, then the HTTP basic auth string may be mangled.

Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.

Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.
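The monitor object stores the username and password as separate fields, so the mangled base64 string described above is only visible on the wire, in the probe that big3d sends to the resource. The bash functions below are an added example, not part of this F5 release note: they take the request line and headers of a captured probe (for instance from tcpdump -A on the monitored server), pull out the Authorization: Basic token, and decode it to confirm it equals the configured user:pass. The sample probes, the credentials user/pass and the string constants are constructed for this example.

```shell
#!/bin/bash
# Added example: verify that the basic-auth token an HTTP monitor actually
# sends matches the configured username and password.
# Assumptions: GNU coreutils base64; sample probes below are constructed.

# Expected header value for user:pass, per RFC 7617 (base64 of "user:pass").
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Pull the base64 token out of a captured probe (request line plus headers).
# Prints nothing when no "Authorization: Basic" header is present.
auth_token_from_probe() {
    printf '%s\n' "$1" | sed -n 's|.*Authorization: Basic \([A-Za-z0-9+/=]*\).*|\1|p' | head -n 1
}

# Returns 0 when the token in the probe decodes to exactly "user:pass",
# 1 otherwise. Decoding rather than re-encoding is deliberate: it distinguishes
# a token that is not valid base64 (truncated or bad padding) from one that is
# well formed but still carries stale credentials.
check_monitor_auth() {
    local user="$1" pass="$2" probe="$3" token decoded
    token=$(auth_token_from_probe "$probe")
    if [ -z "$token" ]; then
        echo "no Authorization: Basic header in probe" >&2
        return 1
    fi
    decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || {
        echo "token is not valid base64: $token" >&2
        return 1
    }
    if [ "$decoded" = "$user:$pass" ]; then
        return 0
    fi
    echo "token mismatch: expected $(basic_auth_value "$user" "$pass"), probe sent $token" >&2
    return 1
}
```

A practical use is to run check_monitor_auth against a probe captured right after modifying the monitor's username or password: a mismatch or an invalid-base64 result confirms the regeneration problem, and the fix is then to restart big3d or recreate the monitor as described above.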


559973-2 : Nitrox can hang on RSA verification

Component: Local Traffic Manager

Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip.

Conditions:
RSA verification with certain signatures.

Impact:
Nitrox crypto accelerator can hang.

Workaround:


559939-2 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline

Component: TMOS

Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.

Conditions:
This affects only multi-blade chassis systems in Standalone mode.

Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.

Workaround:
To change the hostname on the VIPRION, use the tmsh command: 'modify sys global-settings hostname new-host-name'.


559541-2 : ICAP anti-virus tests are not initiated on XML with sensitive data when they should be

Component: Application Security Manager

Symptoms:
ICAP anti virus tests are not performed on XML with sensitive data.

Conditions:
ICAP and an XML profile are configured on the policy, and ICAP is configured to inspect the XML. The XML profile has sensitive data configured, and the XML request contains sensitive data. The expectation is that XML with sensitive data initiates ICAP tests.

Impact:
Virus tests are not performed on this request if the only reason for ICAP testing was the presence of sensitive XML data.

Workaround:


559218-2 : Iframes could be inaccessible to a parent window on a page accessed through Portal Access

Component: Access Policy Manager

Symptoms:
document.write from window to iframe could silently fail, if page is accessed by FQDN, and Same Origin Policy restrictions were relaxed with assignment to a document.domain. The code on the page will be executed without errors, but no content will appear in iframe.

Conditions:

Impact:
Some content could be not displayed on a page accessed through Portal Access.

Workaround:
An iRule workaround specific to the web application.


559159-1 : [PORTAL] JavaScript errors when Application runs through Portal

Component: Access Policy Manager

Symptoms:
[Portal Access] Wrong rewriting for some nested conditional expressions at client side. For example, "x?w.location=y?a:b:c;"

Conditions:
An application running through Portal Access has JavaScript errors that cause the page not to load.

Impact:
The page does not load.

Workaround:
An iRule workaround is available upon request. The iRule will be specific to the web application behind the BIG-IP system.


559080-3 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.
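The proxy workaround needs four objects: a pool containing the real log server, a TCP virtual server in front of it, a second pool whose only member is that virtual server, and an HSL destination pointing at the second pool. The bash script below is an added example, not part of this F5 release note: it validates the addresses and ports, prints the tmsh commands for review, and applies them with tmsh -c only when asked. The object names (hsl_real_pool, hsl_proxy_vs, hsl_proxy_pool, hsl_via_proxy), the addresses 10.0.0.50 and 10.0.0.200, and the APPLY_ON_BIGIP variable are assumptions for this example; 10.0.0.200 stands for an address the BIG-IP can host for the proxy virtual server.

```shell
#!/bin/bash
# Added example: build the tmsh object set for the "TMM as sanitizing proxy"
# High Speed Logging workaround. Assumptions: real log server 10.0.0.50:514,
# proxy virtual server address 10.0.0.200:514, object names below, and
# APPLY_ON_BIGIP=1 set only when running on the BIG-IP itself.

# Syntactic IPv4 check (dotted quad); keeps typos out of tmsh.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Port must be an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the tmsh commands, one per line. Nothing is executed here, so the
# output can be reviewed before it reaches the system.
hsl_proxy_commands() {
    local real_ip="$1" real_port="$2" proxy_ip="$3" proxy_port="$4"
    if ! is_ipv4 "$real_ip" || ! is_port "$real_port" \
       || ! is_ipv4 "$proxy_ip" || ! is_port "$proxy_port"; then
        echo "usage: hsl_proxy_commands <log-server-ip> <port> <proxy-vs-ip> <port>" >&2
        return 1
    fi
    # 1. Pool holding the actual log server; a TCP monitor marks it down when
    #    the server's stack stops completing handshakes.
    printf 'create ltm pool hsl_real_pool monitor tcp members add { %s:%s }\n' "$real_ip" "$real_port"
    # 2. TCP virtual server: TMM's full proxy owns the server-side flow, so a
    #    half-closed log server no longer leaves the TMM-side HSL flow stuck.
    #    SNAT automap makes the log server's replies return to the BIG-IP.
    printf 'create ltm virtual hsl_proxy_vs destination %s:%s ip-protocol tcp profiles add { tcp } pool hsl_real_pool source-address-translation { type automap }\n' "$proxy_ip" "$proxy_port"
    # 3. Pool whose member is the proxy virtual server.
    printf 'create ltm pool hsl_proxy_pool members add { %s:%s }\n' "$proxy_ip" "$proxy_port"
    # 4. HSL destination that targets the proxy pool instead of the log server.
    printf 'create sys log-config destination remote-high-speed-log hsl_via_proxy pool-name hsl_proxy_pool protocol tcp\n'
}

# Apply each generated command via tmsh -c (only on the BIG-IP).
apply_hsl_proxy() {
    hsl_proxy_commands "$@" | while IFS= read -r cmd; do
        tmsh -c "$cmd"
    done
}

if [ -n "${APPLY_ON_BIGIP:-}" ]; then
    apply_hsl_proxy 10.0.0.50 514 10.0.0.200 514
fi
```

After applying, repoint the existing log publisher at hsl_via_proxy; the previous destination can stay in place until the new path is confirmed to deliver, which avoids a gap in logging while switching over.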


559060-3 : AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.

Component: Application Visibility and Reporting

Symptoms:
AVR presents incorrect data in the GUI statistics (for example, unexpected pool members, and so on, with hitcount 0).

Conditions:
Multiple BIG-IP systems are configured, one is acting as server for the other and both have 'collect client latency' enabled.

Impact:
Invalid data is presented in the statistics.

Workaround:
Turn off 'collect client latency' in the AVR profile on the BIG-IP system that is acting as the server.


559055-1 : Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"

Component: Application Security Manager

Symptoms:
Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".

Conditions:
Learn New Parameters is set to "Add All Entities".

Impact:
Staging on wildcard parameter "*" remains unchanged.

Workaround:
Disable staging on wildcard parameter "*" manually.


559034-1 : Mcpd core dump in the sync secondary during config sync

Component: TMOS

Symptoms:
mcpd will crash if certain files are missing from the file store during sync operations.

Conditions:
This can happen when files associated with file objects are removed from the file store. Users are not permitted to directly modify the contents of the file store.

Impact:
mcpd will crash

Workaround:
Users are not permitted to directly modify the contents of the file store. Use tmsh or the Configuration Utility to manage BIG-IP objects such as certificates.


558946-4 : TMM may core when APM is provisioned and access profile is attached to the virtual

Component: Access Policy Manager

Symptoms:
TMM may core when APM is provisioned and access profile is attached to the virtual.

Conditions:
This crash is most likely to occur when more than one ABORT event is sent to a connection on a virtual server with an attached access profile.

Impact:
The TMM process might crash, which will cause a system to temporarily go offline and will cause a traffic disruption.

Workaround:


558779-6 : SNMP dot3 stats occasionally unavailable

Component: TMOS

Symptoms:
SNMP would not provide values for some dot3 stats.

Conditions:
Not conditional.

Impact:
SNMP would not provide values for some dot3 stats.

Workaround:
None


558763 : "Show All" option for large no. of security objects can cause poor performance in some browsers

Component: Advanced Firewall Manager

Symptoms:
Using "Show All" to display a large number of security objects in the GUI can be challenging for some browsers (especially IE).

Conditions:
A large number of security objects to display in the GUI, and use of particular browsers (especially IE).

Impact:
AFM Address List page and others may not render properly or responsively.

Workaround:
Use Chrome


558612-2 : System may fail when syncookie mode activated

Component: Local Traffic Manager

Symptoms:
As a result of a known issue the BIG-IP may encounter a system failure when syncookie mode has been activated.

Conditions:
L7 VIP with certain TCP profile attributes enabled. Syncookies have been activated. System under memory pressure due to heavy load.

Impact:
System may fail.

Workaround:
Use the default TCP profile for all L7 VIPs.


558534-2 : The TMM may crash if http url rewrite is used with APM

Component: Local Traffic Manager

Symptoms:
The HTTP uri rewrite feature depends on having a client-side connection to determine the IP address of that client. However, APM may use the HTTP filter without a client-side connection. This can cause a TMM crash when the missing IP address is used by the HTTP uri rewrite feature.

Conditions:
APM + HTTP uri rewrite feature. (This is different to the "rewrite" profile.)

Impact:
The TMM may crash.

Workaround:
Disable the HTTP uri rewrite feature when using APM. An iRule may be used to safely implement its transformations.


557358-1 : Rare crash when the dequeued element is not in the queue

Component: Local Traffic Manager

Symptoms:
ssl_q_dequeue can cause a crash when the dequeued element is not in the queue. This happens rarely, under certain conditions.

Conditions:
Try to dequeue one element which is not in the queue.

Impact:
Crash.

Workaround:
None.


557155-4 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue was reproduced during a test that overprovisions a 2-vCPU guest and is unlikely to happen in normal operation.

Workaround:
Try one of the following workarounds: 1. Increase guest memory. 2. Significantly reduce the value in '/sys/module/unic/rx_queue_size'. For example, running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.


557144-3 : Dynamic route flapping may lead to tmm crash

Component: TMOS

Symptoms:
When dynamic routing is in use and routes are being actively added and removed, tmm may crash.

Conditions:
The cause for this issue is not well understood.

Impact:
Traffic interruption while TMM restarts. HA pair failover.

Workaround:
None.


557062-2 : Configuration upgrade failure due to change in an ASM predefined report name

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report on a previous version (11.3 or 11.4) and upgrading.

Conditions:
Define a scheduled report with 'predefined-report-name /Common/Top alerted URLs' on version 11.3 or 11.4, then upgrade.

Impact:
Version upgrade fails (the BIG-IP system becomes unusable).

Workaround:
Manually change predefined-report-name '/Common/Top alerted URLs' to predefined-report-name '/Common/Top alarmed URLs'.


557059-2 : When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang

Component: TMOS

Symptoms:
A POST request to the virtual server does not immediately return a response. After a timeout occurs, an HTTP 400 response status is returned.

Conditions:
This issue is encountered when sending a POST request to a virtual server that is configured with an Anti-Fraud Profile and a Web Acceleration profile.

Impact:
The request times out and an HTTP 400 response status is returned. The application breaks.

Workaround:


556117-2 : client-ssl profile is case-sensitive when checking server_name extension

Component: Local Traffic Manager

Symptoms:
The client-ssl profile is case-sensitive when comparing the server-name configured in the profile with the server_name extension in the ClientHello message.

Conditions:
When server-names with mixed upper/lower case are used in the client-ssl profile configuration and in ClientHello messages.

Impact:
The system treats server-names that differ only in case as different names, which violates RFC 6066, which states: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."

Workaround:
1. Configure only one client-ssl profile with a given server-name. 2. Use only lower-case server-names when configuring the client-ssl profile. 3. Use lower-case server-names on the client side.
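The following Python example is added here to illustrate the matching rule at stake; it is not F5 code and not part of the original page. It encodes and parses an RFC 6066 server_name extension, then selects a client-ssl profile by the byte-exact match this issue describes and by the case-insensitive match the RFC requires. The PROFILES table, the profile names and DEFAULT_PROFILE are assumptions for the example.

```python
import struct

# Constructed example data: client-ssl profiles keyed by their configured
# server-name. These names and profile names are assumptions, not from the page.
PROFILES = {
    "www.example.com": "clientssl_www",
    "api.example.com": "clientssl_api",
}
DEFAULT_PROFILE = "clientssl_default"   # profile used when no server-name matches


def build_sni_extension(hostname: str) -> bytes:
    """Encode a TLS server_name extension (RFC 6066 section 3) carrying one host_name."""
    name = hostname.encode("ascii")                    # DNS hostnames are ASCII
    entry = struct.pack("!BH", 0, len(name)) + name   # NameType host_name(0) + HostName
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list


def parse_sni_extension(ext: bytes) -> str:
    """Return the first host_name entry from an encoded server_name extension."""
    ext_type, ext_len = struct.unpack_from("!HH", ext, 0)
    if ext_type != 0x0000 or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed server_name extension")
    (list_len,) = struct.unpack_from("!H", ext, 4)
    pos, end = 6, 6 + list_len
    while pos + 3 <= end:
        name_type, name_len = struct.unpack_from("!BH", ext, pos)
        pos += 3
        if pos + name_len > end:
            raise ValueError("host_name length exceeds ServerNameList")
        if name_type == 0:
            return ext[pos:pos + name_len].decode("ascii")
        pos += name_len
    raise ValueError("no host_name entry present")


def select_profile_case_sensitive(sni: str) -> str:
    """The behaviour this issue describes: a byte-exact match, otherwise the default."""
    return PROFILES.get(sni, DEFAULT_PROFILE)


def select_profile_rfc6066(sni: str) -> str:
    """RFC 6066 semantics: DNS hostnames compare case-insensitively."""
    wanted = sni.lower()
    for server_name, profile in PROFILES.items():
        if server_name.lower() == wanted:
            return profile
    return DEFAULT_PROFILE


def profile_for_client_hello(ext: bytes, strict_case: bool) -> str:
    """Decode the client's SNI and pick a profile under either matching rule."""
    sni = parse_sni_extension(ext)
    if strict_case:
        return select_profile_case_sensitive(sni)
    return select_profile_rfc6066(sni)
```

A client sending "WWW.Example.COM" lands on the default profile under the strict rule and on clientssl_www under the RFC rule, which is why the workaround above insists on lower case at both ends: with the strict match, a mixed-case ClientHello silently gets the default certificate.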


555905-3 : sod health logging inconsistent when device removed from failover group or device trust

Component: TMOS

Symptoms:
When a device is in a failover group, sod logs state change messages indicating the reachability of other devices in the group. For example:
Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).
Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).
Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).
If a reachable device is removed from the failover group, no "Disconnected" message is issued, so the last reported status is inaccurate. When a device is part of a trust, sod logs messages indicating which unicast addresses it is monitoring on remote devices:
Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.
If devices are removed from the trust, sod does not log a message that those unicast addresses are no longer in use.

Conditions:
When a device is removed from a failover device group, or removed from a device trust.

Impact:
Inaccurate state reporting.

Workaround:

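The page gives no workaround for this issue. As an added check (example code, not F5's), the Python below parses the sod messages quoted above, keeps the last reported state per peer, and compares the result against the device names from the running configuration so that a peer the log still shows as Online or still lists a unicast address for, but which is no longer in the group or trust, is flagged. The first four sample lines are the ones quoted in the issue; the fifth, the BIGIP-2 peer, and the current_devices set are constructed for the example.

```python
import re

# Sample sod log lines: the first four are the messages quoted in this issue, the
# last is a constructed line for a second peer.
SAMPLE_LOG = [
    "Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).",
    "Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).",
    "Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.",
    "Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).",
    "Nov 2 11:40:00 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-2.localdomain (10.145.192.4) (Online).",
]

# Message codes 010c007f / 010c007e are the ones shown in the issue text.
PEER_STATUS = re.compile(
    r"sod\[\d+\]: 010c007[ef]:\d+: (?:Not r|R)eceiving status updates from peer device "
    r"(?P<device>\S+) \((?P<ip>[0-9.]+)\) \((?P<state>\w+)\)"
)
UNICAST_ADDED = re.compile(
    r"sod\[\d+\]: 010c007a:\d+: Added unicast failover address (?P<ip>[0-9.]+) "
    r"port (?P<port>\d+) for device (?P<device>\S+?)\.?$"
)


def peer_states(lines):
    """Last state sod reported per peer device, in log order."""
    states = {}
    for line in lines:
        m = PEER_STATUS.search(line)
        if m:
            states[m.group("device")] = m.group("state")
    return states


def monitored_unicast_addresses(lines):
    """Unicast failover addresses sod announced it is monitoring, per device.
    sod logs additions only, so entries never disappear when a device leaves the trust."""
    addrs = {}
    for line in lines:
        m = UNICAST_ADDED.search(line)
        if m:
            addrs.setdefault(m.group("device"), []).append((m.group("ip"), int(m.group("port"))))
    return addrs


def stale_entries(lines, current_devices):
    """Devices the log still treats as live (a status other than Disconnected, or a
    monitored unicast address) that are no longer in the device group or trust.
    current_devices is the set of device names from the running configuration."""
    stale = set()
    for device, state in peer_states(lines).items():
        if state != "Disconnected" and device not in current_devices:
            stale.add(device)
    for device in monitored_unicast_addresses(lines):
        if device not in current_devices:
            stale.add(device)
    return sorted(stale)
```

Feed it the sod lines from /var/log/ltm and the device list from the current configuration; anything it returns is a peer whose logged status cannot be trusted because of this issue.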

555343-3 : tmm may crash in fastl4 tcp vs

Component: Local Traffic Manager

Symptoms:
tmm may crash if it receives a fragmented packet on a FastL4 TCP virtual server.

Conditions:
A FastL4 TCP virtual server receiving a fragmented packet.

Impact:
tmm crash

Workaround:
For the FastL4 TCP virtual server, enable the "Reassemble IP Fragments" option in the FastL4 profile.


555156-3 : Changing monitoring configuration stops health checks for FQDN nodes.

Component: Local Traffic Manager

Symptoms:
When changing the monitoring configuration, the health checks never resume for FQDN node types.

Conditions:
Create a custom monitor and apply it to an FQDN node. Change the monitor configuration; health checks never resume.

Impact:
No health checking (member status remains as it was prior to the change). Traffic may be sent to unavailable pool members.

Workaround:
Restart bigd to force the change using the following command: bigstart restart bigd


555039-2 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Component: TMOS

Symptoms:
You notice high drop counts when running 'tmsh show net interface', and running 'tmctl -a drop_reason' shows that a large number of drops are due to counters.rx_cosq_drop. Smaller buffering alpha values are configured for egress buffering to allow the 8 HW CoS queue feature to correctly implement weight-based egress dropping. This results in busy ports dropping more aggressively, although it allows fairer buffering among multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports. This affects the following platforms: BIGIP-7000 series, 5000 series, B2100, B2150, PB200.

Impact:
Busy ports drop more aggressively. Note that smaller values allow fairer buffering among multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.


554826-1 : TMM crash (assert) observed during processing of HA packets.

Component: Advanced Firewall Manager

Symptoms:
TMM crash (assert) observed during processing of HA packets.

Conditions:

Impact:
Unknown

Workaround:


554458 : No Session Variables displayed when clicking the "View Session Variables" link in APM "All Sessions" reports when the Session ID has leading zeros

Component: Access Policy Manager

Symptoms:
No Session Variables are displayed when clicking the "View Session Variables" link in APM "All Sessions" reports.

Conditions:
When the Session ID has one or more leading zeros.

Impact:
The APM Session Variables report is empty.

Workaround:
Run the "Session Variables" report. When entering the session ID, prepend zeros if the session ID has fewer than 8 characters; the full length of a session ID is 8 characters.


554324-1 : Signatures cannot be updated after Signature Systems have become corrupted in database

Component: Application Security Manager

Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database.

Conditions:
Signature systems are corrupted in configuration database.

Impact:
Signatures cannot be updated.

Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command: mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"


554295-3 : CMP disabled flows are not properly mirrored

Component: Local Traffic Manager

Symptoms:
A client connection to a virtual server configured for 'cmp-enabled no' and 'mirror enabled' will be dropped if the standby unit is promoted to active.

Conditions:
The virtual server is configured for 'cmp-enabled no' and 'mirror enabled' on multiple BIG-IP appliances peered in a HA configuration.

Impact:
Mirroring does not work as expected on BIG-IP appliances. (NOTE: CMP is required on VIPRION chassis, so this applies only to appliances.)

Workaround:
Do not disable CMP on virtual servers that are mirrored.


553795-4 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key. 2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync. 2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind. 2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile. Workaround #2: Delete the FIPS key by-handle on the peer system(s). 2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile. Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).


552444-2 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD

Component: Access Policy Manager

Symptoms:
Dynamic drive mapping in network access may not work if mapping is configured to use session variable, and session variable is received from LDAP/AD.

Conditions:
The drive mapping is received from LDAP/AD and contains a double backslash in the path, e.g. "\\server\path".

Impact:
Dynamic drive mapping may not function.

Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for the drive mapping, assign a variable and escape the extra backslashes added by APM: homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]


552342-2 : APMD logging at debug level may log passwords in clear text

Component: Access Policy Manager

Symptoms:
APMD logging at debug level logs all request headers in clear text. Some request types contain passwords in headers resulting in passwords logged in clear text.

Conditions:
APMD logging at debug level.

Impact:
Some passwords may be logged in clear text.

Workaround:
Do not log at debug level unless absolutely necessary.
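If debug logging was enabled at some point, the exposure has already happened and the log files need to be checked. The Python below is an added example (not F5 code, and not a workaround for the issue) that scans log lines for headers carrying credentials or session tokens, decodes the user name from any Basic credential so the affected account can be identified, and produces a redacted copy of the line. The "request header: Name: value" layout of the sample lines, the apmd PID and the user name are constructed assumptions for the example; the real apmd debug format may differ, so adjust SENSITIVE_RE to match it.

```python
import base64
import re

# Constructed sample of what a debug log might contain when request headers are
# logged verbatim. The line layout ("request header: Name: value") is an assumption
# for this example, not the real apmd format.
BASIC_CREDS = base64.b64encode(b"alice:s-e-c-r-e-t").decode("ascii")
SAMPLE_LOG = [
    "Nov 2 11:40:01 BIGIP-1 debug apmd[9876]: request header: Host: vpn.example.com",
    f"Nov 2 11:40:01 BIGIP-1 debug apmd[9876]: request header: Authorization: Basic {BASIC_CREDS}",
    "Nov 2 11:40:01 BIGIP-1 debug apmd[9876]: request header: Cookie: MRHSession=0123abcd",
    "Nov 2 11:40:02 BIGIP-1 debug apmd[9876]: request header: User-Agent: curl/7.29.0",
]

# Header names that carry credentials or session tokens (longest alternative first
# so "Proxy-Authorization" is not reported as "Authorization").
SENSITIVE_RE = re.compile(
    r"\b(?P<name>proxy-authorization|authorization|cookie)\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def basic_auth_user(value):
    """User name from a 'Basic <base64>' credential, or None if not Basic or undecodable."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return None
    return decoded.split(":", 1)[0]


def find_exposed_credentials(lines):
    """(line number, header name, basic-auth user or None) for each clear-text finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = SENSITIVE_RE.search(line)
        if m:
            name = m.group("name").lower()
            user = basic_auth_user(m.group("value")) if name.endswith("authorization") else None
            findings.append((n, name, user))
    return findings


def redact(line):
    """Replace the value of any sensitive header so the line is safe to keep or forward."""
    return SENSITIVE_RE.sub(lambda m: f"{m.group('name')}: [REDACTED]", line)
```

Run find_exposed_credentials over the archived log to decide which accounts need a password reset and which session cookies to invalidate; run redact over the lines before copying the log anywhere else.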


552176-1 : LTM v11.6.0 iControl REST transactions with multiple commands don't work as expected

Component: TMOS

Symptoms:
An exception may be thrown during an mcp transaction when processing more than one delete request.

Conditions:
One of the objects being deleted must have a dependency on the other.

Impact:
A valid transaction may fail.

Workaround:


551635-2 : pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule

Component: Advanced Firewall Manager

Symptoms:
pccd crashes when loading a firewall configuration with mixed IPv4 and IPv6 addresses in the same rule.

Conditions:
If the firewall configuration contains rules with mixed IPv4 and IPv6 addresses in the same rule (as either source or destination addresses), pccd may crash.

Impact:
pccd crash.

Workaround:
Separate addresses of different address families into separate rules. In other words, each firewall rule should contain only IPv4 or only IPv6 addresses.
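To apply that workaround mechanically before loading a configuration, the Python below (an added example, not F5 code) detects rules that mix families and splits each into one rule per family. The rule dictionary shape, the "_v4"/"_v6" name suffixes and the convention that an empty address list means "any" are assumptions made for the example; a family whose source or destination list would become empty while the original list was not is dropped, because no packet of that family could ever match it.

```python
import ipaddress


def address_family(text: str) -> int:
    """4 or 6 for a host address or CIDR prefix; raises ValueError for anything else."""
    return ipaddress.ip_network(text, strict=False).version


def is_mixed(rule: dict) -> bool:
    """True when the rule lists both IPv4 and IPv6 addresses (the crash condition)."""
    fams = {address_family(a) for side in ("source", "destination") for a in rule.get(side, [])}
    return len(fams) > 1


def split_by_family(rule: dict) -> list:
    """Return equivalent rules that each use a single address family.
    An empty list on a side means 'any' (assumption for this example). A family whose
    source or destination can never match is dropped; [] means nothing can match."""
    src, dst = rule.get("source", []), rule.get("destination", [])
    fams = sorted({address_family(a) for a in src + dst})
    if len(fams) < 2:
        return [dict(rule)]            # already single-family (or address-free)
    out = []
    for fam in fams:
        s = [a for a in src if address_family(a) == fam]
        d = [a for a in dst if address_family(a) == fam]
        if (src and not s) or (dst and not d):
            continue                   # e.g. IPv6 sources but only IPv4 destinations
        out.append({**rule, "name": f"{rule['name']}_v{fam}", "source": s, "destination": d})
    return out
```

A rule whose sources are all IPv4 and destinations all IPv6 splits to an empty list; that rule could never have matched anything, which is worth knowing before it crashes pccd.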


551260-2 : When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is used as a SAML Service Provider and the IdP connector's Single Sign On Service URL contains an ampersand (&), part of the URL may be truncated when the user is redirected to the IdP for authentication.

Conditions:
All conditions must be true: - The BIG-IP system is used as a SAML Service Provider. - The Single Sign On Service URL property of the IdP connector contains an ampersand, e.g. https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar - The user performs SP-initiated SSO.

Impact:
The part of the query string after the ampersand is lost when the user is redirected to the SSO URL with the Authentication Request.

Workaround:
n/a
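The redirect the SP builds here is the SAML HTTP-Redirect binding: the SAMLRequest is DEFLATE-compressed, base64-encoded and appended to the SSO URL as a query parameter, so an SSO URL that already carries a query has to be merged rather than concatenated. The Python below is an added example (not F5's implementation) that builds the redirect correctly with urllib, reproduces the truncation symptom in a deliberately naive builder, and gives a check that every original query parameter survives. The SSO URL is the one quoted in the issue; the AuthnRequest body and the RelayState are constructed placeholders, and the request is unsigned (a signed one adds SigAlg and Signature over the encoded query).

```python
import base64
import urllib.parse
import zlib

# The SSO URL quoted in this issue; the AuthnRequest body is a constructed placeholder.
SSO_URL = "https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar"
AUTHN_REQUEST = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                 b'ID="_c0ffee" Version="2.0"/>')


def deflate_b64(data: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(data) + comp.flush()).decode("ascii")


def inflate_b64(text: str) -> bytes:
    """Inverse of deflate_b64, as the IdP decodes the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(text), -15)


def build_redirect_url(sso_url: str, authn_request: bytes, relay_state=None) -> str:
    """Append SAMLRequest (and RelayState) to the SSO URL, keeping any query it already has."""
    parts = urllib.parse.urlsplit(sso_url)
    params = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    params.append(("SAMLRequest", deflate_b64(authn_request)))
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(params)))


def naive_redirect_url(sso_url: str, authn_request: bytes) -> str:
    """Illustrates the symptom reported here: everything after the first '&' of the
    configured URL is dropped. This is not BIG-IP's code, only the failure mode."""
    head = sso_url.split("&", 1)[0]
    return head + "&SAMLRequest=" + urllib.parse.quote(deflate_b64(authn_request))


def sso_query_preserved(sso_url: str, redirect_url: str) -> bool:
    """Check: every query parameter of the configured SSO URL survives in the redirect."""
    want = urllib.parse.parse_qsl(urllib.parse.urlsplit(sso_url).query, keep_blank_values=True)
    got = urllib.parse.parse_qsl(urllib.parse.urlsplit(redirect_url).query, keep_blank_values=True)
    return all(pair in got for pair in want)
```

sso_query_preserved is the test to run against the Location header the BIG-IP actually emits (for instance from a HAR capture of the SP-initiated login) when an IdP rejects the request with a missing-parameter error.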


551189 : Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data

Component: Local Traffic Manager

Symptoms:
Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g. HTTP Set-Cookie header and/or other HTTP headers).

Conditions:
LTM Virtual Server handling HTTP traffic, with iRule attached which modifies a given HTTP cookie value through the HTTP::cookie API, on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use-case for producing the error would be encrypting and decrypting HTTP cookies via an iRule.

Impact:
Repeatedly altering the same HTTP cookie value in an iRule, via the HTTP::cookie API, may yield an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header.

Workaround:
None.


550926-2 : AFM rule with "unknown" source Geo-entity, stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When an AFM rule is configured with the "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule.

Conditions:
Configure the address list of an AFM rule with the "unknown" source geo-entity and at least one other entity (geolocation or IP address).

Impact:
Confusing, inconsistent, and apparently broken behavior.

Workaround:
As a workaround, do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly.


550739-2 : TMSH mv virtual command will cause iRules on the virtual to be dis-associated

Component: Local Traffic Manager

Symptoms:
After renaming a virtual server that has attached iRules, the resulting virtual server configuration in tmm no longer has the iRules attached. The configuration in mcpd does not match the running configuration in tmm.

Conditions:
Must use the 'mv' command on an LTM virtual server with iRules attached.

Impact:
Configuration is not as expected.

Workaround:
After moving the virtual, remove the iRules on it and re-add them.


550434-5 : Diameter connection may stall if server closes connection before CER/CEA handshake completes

Component: Service Provider

Symptoms:
The server-side connection stalls. The connection is not torn down and packets are not forwarded to the server side.

Conditions:
The selected pool member closes the connection (via FIN) before sending the CEA as part of the Diameter handshake.

Impact:
Connection stalls until handshake timeout and then it is reset.

Workaround:
none


549971-5 : Some changes to virtual servers' profile lists may cause secondary blades to restart

Component: TMOS

Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.

Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.

Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.

Workaround:
Explicitly set ip-protocol when changing the profiles of a virtual server; this bug will then not occur.


549329-1 : L7 mirrored ACK from standby to active box can cause tmm core on active

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby pair setup for L7 packet mirroring.

Impact:
tmm cores and causes a failover.

Workaround:
None.


548583-3 : TMM crashes on standby device with re-mirrored SIP monitor flows.

Component: Local Traffic Manager

Symptoms:
Occasionally, the standby system with a SIP monitor crashes in a configuration where the active system contains a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.

Conditions:
This occurs on an active-standby setup in which there is an L4 forwarding virtual server or SNAT listener configuration with a wildcard IP address and port, and with connection mirroring enabled. Also, the standby has a SIP monitor configured.

Impact:
Packets that are sent by the SIP monitor on the standby get routed back to the active unit (possibly due to a routing loop) and are then sent to the standby because of the wildcard mirrored configuration. tmm on standby might crash. When the crash occurs, the standby system posts the following assert and crashes: tmm failed assertion, non-zero ha_unit required for mirrored flow.

Workaround:
-- If a routing or switching loop is the reason the packets come back to the active unit, then the routing issues can be eliminated. -- The mirroring of the wildcard virtual server or SNAT listener can be disabled.


548385-3 : iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results

Component: TMOS

Symptoms:
If the active folder is not same as the folder in which the query is being run, and the corresponding key/cert extension is not present in the name of the key/certificate file, the query result returns incorrect results.

Conditions:
This occurs when iControl calls that query key/cert from parent folder, and the name is missing the extension.

Impact:
The query result returns incorrect results.

Workaround:
You can use one of the following workarounds: -- Change the filename to include the extension. -- Change the active folder to the folder containing the key/certificate being queried.


547692 : Firewall-blocked KPASSWD service does not cause domain join operation to fail

Component: Access Policy Manager

Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, the BIG-IP system cannot set the password of the machine account it creates during the domain join. Because the account creation itself uses LDAP (with Kerberos GSS-API SASL binding), the machine account is still generated on the Active Directory side, and a BIG-IP bug fails to report the KPASSWD failure back to the administrator, so the domain join operation appears to have worked. However, since the password is never set on the Active Directory side, the machine account is effectively unusable: the BIG-IP system can never establish a working SCHANNEL with the Active Directory server because of the password mismatch. Furthermore, because setting the machine account password is not an operation an administrator performs directly, this situation obscures the fact that KPASSWD failed: the AD server never receives the request and so logs no failure, while the BIG-IP system fails to detect the KPASSWD failure. From the administrator's perspective, everything appears to have worked perfectly.

Conditions:
Of the DNS, LDAP, Kerberos and KPASSWD services required for the domain join operation, only KPASSWD is blocked.

Impact:
The created machine account is effectively unusable due to the password mismatch, and the BIG-IP system can never establish a working SCHANNEL, which renders the NTLM authentication feature non-functional.

Workaround:
Allow KPASSWD traffic (tcp/464 and udp/464) to reach the Active Directory server.


547657-1 : A TCL error in a DNS_RESPONSE iRule event can cause a tmm crash.

Component: Local Traffic Manager

Symptoms:
A TCL error, such as referencing an undefined variable, in a DNS_RESPONSE iRule event can cause a tmm crash. This can occur on a UDP listener with a DNS profile without datagram load balancing enabled. A DNS_REQUEST event, with any content, on the same listener is also required.

Conditions:
All of the following: UDP listener with DNS profile without datagram load balancing. A TCL error, such as referencing an undefined variable, in a DNS_RESPONSE iRule event. A DNS_REQUEST iRule event with any content.

Impact:
tmm crash

Workaround:
Either add datagram load balancing to the listener or correct the TCL errors that lead to the problem.


547550-3 : avrd reports incorrect stat values

Component: Advanced Firewall Manager

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


547047-3 : Older cli-tools unsupported by AWS

Component: TMOS

Symptoms:
Older EC2 tools stopped working in some AWS regions.

Conditions:
This can happen in some AWS regions.

Impact:
BIG-IP high availability configurations may stop working in some AWS regions.

Workaround:
None.


546410-2 : Configuration may fail to load when upgrading from version 10.x.

Component: TMOS

Symptoms:
After upgrade, configuration fails to load with the following error: 01070734:3: Configuration error: Invalid primary key on monitor_param object () - not a full path 2.

Conditions:
Configuration contains a user-created monitor (A) that inherits from user-created monitor (B). Monitor A appears first within the configuration files and monitor B does not have a 'destination' attribute.

Impact:
Configuration fails to load.

Workaround:
Re-order monitors such that Monitor B appears first, or add a 'destination' attribute (i.e., 'destination *:*') to monitor B.


546085-2 : On shutdown, SOD and other daemons very infrequently core due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Conditions:
System shutdown. The issue cannot be reproduced reliably, so the conditions for the crash are unknown.

Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.

Workaround:
None.


545946-2 : Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load

Component: TMOS

Symptoms:
Transparent/translucent Vlangroup may have its MAC address set to 02:00:00:00:00 on either the first configuration load after an upgrade or on a manual mcpd db clear/reload.

Conditions:
Transparent/Translucent vlangroup. Upgrade to later version or manually delete mcpd DB binary.

Impact:
The vlangroup MAC address is incorrect and can adversely affect traffic traversing the vlangroup.

Workaround:
Reload the configuration or alter the vlangroup configuration, e.g. toggle the transparency mode back and forth.


545796-3 : [iRule] [Stats] iRule is not generating any stats for executed irules

Component: Local Traffic Manager

Symptoms:
iRule is not generating any stats for executed iRules.

Conditions:
1. Moving/editing an iRule attached to a virtual server; 2. Passing traffic to the virtual server; 3. Adding the iRule back to the virtual server.

Impact:
No iRule usage stats available.

Workaround:
Restart tmm.


545745-2 : Enabling tmm.verbose mode produces messages that can be mistaken for errors.

Component: TMOS

Symptoms:
When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present.

Conditions:
Must have an accelerator device, and enable tmm.verbose logging.

Impact:
The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored.

Workaround:
Ignore the lines with format similar to the following: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000


545704-2 : TMM might core when using HTTP::header in a serverside event

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM might core when using an HTTP iRule command in the HTTP_REQUEST_SEND server-side event.

Conditions:
- iRule with an HTTP command in a serverside event prior to the serverside being completely established, such as HTTP_REQUEST_SEND. - OneConnect configured on the virtual server.

Impact:
The command might either return an invalid value or lead to a condition where TMM cores.

Workaround:
Use the 'clientside' Tcl command to execute the HTTP command on the client side. Alternatively, use the HTTP_REQUEST_RELEASE event for HTTP inspection/modification on the server side.


545263-4 : Add SSL maximum aggregate active handshakes per profile and per global

Component: Local Traffic Manager

Symptoms:
The number of active SSL handshakes on a BIG-IP system is unbounded. With many concurrent handshakes, memory can be exhausted and cause system problems.

Conditions:
When the BIG-IP system has too many active SSL handshakes.

Impact:
The memory and/or CPU can be exhausted.

Workaround:

Behavior Change:
New db variable "tmm.ssl.maxactivehandshakes" limits the total number of active SSL handshakes. By default this variable is set to '0', which means no limit.


545214-2 : OSPF distance command does not persist across restarts.

Component: TMOS

Symptoms:
When ospfd is restarted, the value configured for the OSPF distance command is lost.

Conditions:
The distance command is configured in OSPF and the ospfd process is restarted.

Impact:
The distance command does not function as configured, which affects OSPF behavior.

Workaround:
None.


544989-2 : distance cli command without access name in OSPF posts a memory allocation error.

Component: TMOS

Symptoms:
OSPF distance command gives error and is not effective in changing Open Shortest Path First (OSPF) behavior.

Conditions:
The system throws a memory allocation error when the distance command is used without an access list name. The access list name is an optional parameter in the following command (WORD represents the optional access list name): distance <1-255> A.B.C.D/M (WORD|).

Impact:
The distance command does not function correctly and posts a memory allocation error.

Workaround:
None.


544906 : Issues when using remote authentication when users have different partition access on different devices

Component: TMOS

Symptoms:
User validation fails when adding a specific partition for a user who already has the [All] partition, or when adding the [All] partition for a user who already has a specific (non-All) partition configured. For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].

Conditions:
Devices configured for remote authentication. User A on device 1 with role on all-partitions. User A on device 2 with role restricted to a single partition. Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.

Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.

Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.


544463 : The BIG-IP system's management port drops egress Ethernet multicast traffic

Component: TMOS

Symptoms:
The BIG-IP system's management port drops egress Ethernet multicast traffic. You may experience this issue if you employ certain routing techniques in the network segment the management port connects to. For example, you may experience this issue if the BIG-IP system's default gateway on the management network is a pair of Check Point Security Gateways configured in Load Sharing Multicast Mode. In this case, the IP address of the default gateway resolves to an L2 multicast address and, because of this issue, the BIG-IP system's management port ends up dropping traffic destined for the default gateway.

Conditions:
No special conditions are required to trigger this issue. However, only customers with unusual routing configurations are likely to actually notice this issue.

Impact:
As a result of this issue, certain destinations or certain services will not be reachable via the BIG-IP system's management port.

Workaround:
The Linux host configures a single-interface bridge over the management port to make certain tasks simpler. This issue has been shown to go away when multicast snooping is disabled for that bridge. You can disable multicast snooping for the management bridge by running the following command: echo 0 > /sys/class/net/mgmt/bridge/multicast_snooping On a VIPRION chassis, this command would have to be run on each blade. The change is not permanent and is lost after a reboot of the system. To make the change permanent, you can add the command to the /config/startup file.


543993-3 : Serverside connections may fail to detach when using the HTTP and OneConnect profiles

Component: Local Traffic Manager

Symptoms:
The server-side connection does not detach when using a OneConnect profile.

Conditions:
An HTTP/1.1 response without a Content-Length header is received in response to an HTTP/1.0 HEAD request.

Impact:
HTTP requests on the same connection are not load balanced across pool members.

Workaround:
Remove the OneConnect profile.
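The framing rule behind this issue is that a response to HEAD has no body regardless of its headers, so its end is known as soon as the headers arrive and the server-side connection can be returned to the OneConnect pool; a missing Content-Length only forces read-until-close on responses that actually carry a body. The Python below is an added example (not F5's implementation) of the RFC 7230 section 3.3.3 body-length rules and the section 6.3 persistence rule, with the detach decision expressed on top of them. The function names and the "none"/"chunked"/("length", n)/"close" vocabulary are this example's own.

```python
def response_has_body(method: str, status: int) -> bool:
    """RFC 7230 section 3.3.3: responses that never carry a body, whatever the headers say."""
    method = method.upper()
    if method == "HEAD":
        return False
    if 100 <= status < 200 or status in (204, 304):
        return False
    if method == "CONNECT" and 200 <= status < 300:
        return False
    return True


def body_delimiter(method, status, headers):
    """How the response body ends: 'none', 'chunked', ('length', n) or 'close'
    (read until the server closes, which makes the connection unusable for reuse)."""
    h = {name.lower(): value for name, value in headers}
    if not response_has_body(method, status):
        return "none"
    te = h.get("transfer-encoding")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",")]
        return "chunked" if codings[-1] == "chunked" else "close"
    if "content-length" in h:
        return ("length", int(h["content-length"]))
    return "close"


def connection_persistent(response_version, headers):
    """RFC 7230 section 6.3: may the server connection carry another request?"""
    h = {name.lower(): value for name, value in headers}
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",") if t.strip()}
    if "close" in tokens:
        return False
    if response_version == "1.1":
        return True
    return "keep-alive" in tokens      # an HTTP/1.0 peer must opt in explicitly


def can_detach(method, status, headers, response_version="1.1"):
    """A server-side connection can go back to a reuse pool only when the end of the
    response is known without a close and the connection is persistent."""
    return (body_delimiter(method, status, headers) != "close"
            and connection_persistent(response_version, headers))
```

For the combination in this issue, a HEAD answered by an HTTP/1.1 response with no Content-Length, can_detach returns True: that is the detach the OneConnect profile fails to perform here, and it is why the workaround of removing the profile restores per-request load balancing at the cost of connection reuse.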


543344-1 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
When a BIG-IP system is configured as an explicit HTTP proxy, ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST. The problem occurs when the ACCESS iRule command resolves the associated session ID from the connection itself, which works only if the session ID is embedded in the request or the connection has previously been processed by ACCESS. When neither condition is satisfied, the ACCESS iRule command cannot find the associated session ID.

Conditions:
ACCESS iRule commands such as ACCESS::session data get/set or ACCESS::session exists are called without a session ID, and the caller expects the session ID to be resolved internally.

Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, they are processed as if the caller had provided an empty session ID in the arguments. As a result, the ACCESS iRule commands return an empty result.

Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This works for a BIG-IP system configured as a reverse proxy or a forward proxy.


543208 : Upgrading APM v11.6.0 to v12.0.0 in a failover group might cause mcpd to become unresponsive.

Component: TMOS

Symptoms:
A failover event on traffic-group-1 causes mcpd to generate messages like the following:
01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
-- The system is running a pre-12.0.0 version that supports APM local database sync.
-- The configuration has an APM local database on the devices in a sync-failover device group.
-- Only a subset of the systems in the device group have been upgraded to 12.0.0 or later.
-- A failover event occurs on traffic-group-1.

Impact:
mcpd may become unresponsive. Upgrade fails.

Workaround:
None.


542860-4 : TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event

Component: TMOS

Symptoms:
TMM can crash when IPsec SAs are deleted using tmsh or the racoonctl utility during an HA Active-to-Standby or Standby-to-Active transition.

Conditions:
During an HA Active-to-Standby or Standby-to-Active transition, using tmsh or the racoonctl utility to delete IPsec SAs can cause a TMM crash. This is a race condition and occurs rarely.

Impact:
TMM crashes.

Workaround:
None.


542742-2 : SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Component: TMOS

Symptoms:
SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Conditions:
Querying the OIDs.

Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.

Workaround:
There is no known workaround.


542664-1 : No default boot volume is set when installing a vCMP guest from a hotfix iso.

Component: TMOS

Symptoms:
When creating a vCMP guest using both an initial-image and initial-hotfix, the default boot volume is not set. This causes any future software installation performed inside that guest to automatically become the default boot volume.

Conditions:
This issue occurs when a vCMP guest is created from a hotfix build of BIG-IP.

Impact:
The default boot location is not set, which causes subsequent software installations inside the guest to be automatically marked default. Upon a reboot of an affected guest, the system boots into a newly installed volume, which might not be the desired behavior.

Workaround:
Once the vCMP guest is running, perform the following steps:
1. Log in to the guest via ssh or the vconsole utility.
2. Run the switchboot utility.
3. Select the appropriate volume to be the default boot location (there might be only one option in this list).
4. Press Enter. If the selected boot location is the current or only volume, it is marked as the default boot volume and the guest does not reboot. If the selected boot location is not the currently booted volume, the guest immediately reboots into the selected volume.
Verify that the operation was successful by issuing the command grub_default -l. The output of the command should resemble this:
config # grub_default -l
HD1.1
active yes
default yes
title BIG-IP 11.6.0 Build 5.0.429
As long as the appropriate volume is marked 'default yes', the operation is complete.


542320-1 : no login name may appear when running ssh commands through management port

Component: TMOS

Symptoms:
ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'" displays "logname: no login name"

Conditions:
Running a tmsh command through a login shell over ssh to the management port, for example: ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'"

Impact:
Display issue

Workaround:


542191-2 : Snmpd V1 and V2c view based access.

Component: TMOS

Symptoms:
SNMP v3 allows for 'views' to be created. These views can be a union of multiple sub-branch OID access config statements. Users/groups can then be assigned to a view.

Conditions:
If more than one snmpd view is specified per community string, the second view is not accessible. Note: A view is a portion of a MIB tree defined by an OID.

Impact:
The BIG-IP system does not support multiple-view configuration. If multiple views are created using lines of the form rouser USER [noauth|auth|priv [OID]], the system adds only one of them to the snmpd.conf file.

Workaround:
Multiple views with the same community string are not supported.


542009-2 : tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.

Component: Local Traffic Manager

Symptoms:
tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.

Conditions:
This occurs when the system receives an invalid MPI message in which the header shows a length of 0, but the actual message is not empty.

Impact:
tmm might loop, using 100% of CPU, and eventually get killed by sod.

Workaround:
None.


541622-1 : APD/APMD Crashes While Verifying CAPTCHA

Component: Access Policy Manager

Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in a libcurl function when verifying a CAPTCHA.

Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.

Impact:
Authentication service will be disrupted until APD/APMD is up again.

Workaround:


541316-3 : Unexpected transition from Forced Offline to Standby to Active

Component: TMOS

Symptoms:
If a BIG-IP configuration is reset to default, and then restored from a saved UCS that was taken while the system was Forced Offline, the system will be restored to the Forced Offline state, but the state may not persist across reboots.

Conditions:
Restore a saved UCS that was created while the BIG-IP system was Forced Offline.

Impact:
System may unexpectedly go Active after a reboot.

Workaround:
None.


541261-2 : Clientless NA fails when iRule agent is present in access policy

Component: Access Policy Manager

Symptoms:
The failure happens when the client is redirected to /vdesk/webtop.eui. This URI is on the whitelist as a portal-protected URI, and when the request does not carry a valid session ID (sid), the action is to create a new session. Because this is clientless mode, there are no cookies, so the system assumes it needs to create a new session. The old session is then deleted, and the logs report a logout due to user request.

Conditions:
Windows 8.1 + APM 11.5.3.
Access policy: Logon page -> iRule agent -> Advanced resource assign (NA + NA webtop) -> Allow (no auth for the logon page; everything should lead to Allow).
Try to log on with the Windows inbox VPN client.

Impact:
The VPN connection fails with an 'invalid credentials' error. Logs show the session deleted due to a user logout request.

Workaround:
None.


541126-4 : After restarting pkcs11d or being restored from HSM networking failure, Safenet connection may still fail.

Component: Local Traffic Manager

Symptoms:
netHSM usage may fail for Safenet users.

Conditions:
This may happen after restarting pkcs11d without restarting tmm immediately afterwards, or when the network between the BIG-IP system and the HSM fails and then comes back up.

Impact:
SSL handshake failure with a message similar to the following: SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.

Workaround:
For Safenet, always restart tmm after restarting pkcs11d:
bigstart restart pkcs11d
bigstart restart tmm
When the networking to the HSM is restored, always run:
bigstart restart pkcs11d
bigstart restart tmm


540923-1 : TMSH list node filtering no longer filters correctly.

Component: TMOS

Symptoms:
In some circumstances the use of filters in the 'tmsh list ltm node' command no longer works correctly, returning all values instead.

Conditions:
Use of filter in the 'tmsh list ltm node' command.

Impact:
Filter is not applied, so all results are returned.

Workaround:
None.


540893-2 : Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.

Component: Local Traffic Manager

Symptoms:
Flows for a syncookie-enabled listener might occasionally receive a RST after responding correctly to a syncookie challenge.

Conditions:
-- Fast Flow Forwarding is enabled.
-- At least one tmm thread is heavily loaded but has not reached its syncookie thresholds, while at least one tmm thread is less heavily loaded but has met its syncookie threshold.

Impact:
Occasional clients take an incorrect path and have their valid syncookie ACKs rejected with a TCP RST and must retry.

Workaround:
Set the DB variable tmm.ffwd.enable to false. Doing this may modestly reduce peak performance under CPU-bound loads.


540213-2 : mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary

Component: Local Traffic Manager

Symptoms:
When a secondary blade's mcpd starts up, it may continually restart and fail to load the configuration it receives from the primary blade. The easiest way to reproduce this is to insert a new blade into an existing running cluster. This happens when a link-local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (the default). Such self IPs can only be created by first enabling the DB variable, creating the object, and then disabling the DB variable again.

Conditions:
This happens only on MCP startup on secondary blades, when a link local IPv4 self IP is configured, and when the DB variable config.allow.rfc3927 is set to disabled (which is the default).

Impact:
Secondary blade will not become part of the cluster and will not be able to process traffic. Continual log messages will show up on existing blades announcing that mcpd is continually restarting.

Workaround:
Enable the config.allow.rfc3927 DB variable on the primary to suspend this validation.


540054-2 : tmm crash when Dos protection and behavior analysis enabled on virtual server

Component: Anomaly Detection Services

Symptoms:
There is an unprotected flow in code that was introduced in BIG-IP v11.6.0 to collect statistics for future research. DoS network behavioral analysis is not needed and should not be turned on. Unfortunately, in v12.0 the customer-facing manual includes direct steps describing how to configure the feature.

Conditions:
Once the feature is configured as described in the bug overview:
1) Provision AFM and LTM.
2) Enable DoS protection and Behavior Analysis in the DoS profile.
3) Associate the DoS profile with a virtual server.
4) Send bad packets (fragmented ICMP) using scapy to the virtual server:
send(IP(dst="2.2.2.3")/ICMP()/Raw(load="x"*2000), inter=0.001,count=10000)

Impact:
It will cause tmm to core.

Workaround:
DoS network behavioral analysis should never be configured, since it does not provide any needed functionality. If any security DoS profiles contain "behavioral-analysis enabled", change them to "disabled".


539687-1 : No logs for Proactive Bot Defense drops.

Component: Advanced Firewall Manager

Symptoms:
A RST is sent in response to a request. There is no logging or other indication of this reset.

Conditions:
The virtual server has an application DoS profile attached with Proactive Bot Defense turned on.

Impact:
A connection terminates. The absence of logging causes confusion.

Workaround:
N/A


539466-5 : Cannot use self-link URI in iControl REST calls with gtm topology

Component: Global Traffic Manager

Symptoms:
The self-link URI cannot be used in iControl REST calls with gtm topology.

Conditions:
User issues iControl REST commands for gtm topology that include the self-link URI.

Impact:
The given command is not executed and the system posts the following error message: "Topologies must specify both regions: ldns: server:".

Workaround:
Do not use the self-link in iControl REST commands with gtm topology.


539439-1 : Using the pool command in HTTP_PROXY_REQUEST event occasionally fails

Component: Local Traffic Manager

Symptoms:
Use of HTTP::proxy disable with a pool command occasionally fails.

Conditions:
For each session, the very first request with the Proxy-Authorization header will get a RST, although the authentication is successful. That means that the request is not proxied to the backend proxy. Further requests are processed normally.

Impact:
The connection is reset when the pool command is used in an HTTP_PROXY_REQUEST iRule. Subsequent requests go through successfully.

Workaround:
None.


539199-3 : HTML filter is truncating the server response when sending it to client

Component: TMOS

Symptoms:
The response to the client is truncated.

Conditions:
When a server sends a compressed response on a flow that has an HTML profile. A compressed response may not be a prerequisite; it might simply expose the issue more readily because inflation is asynchronous.

Impact:
The response is truncated when it reaches the client.

Workaround:
None.


539018-3 : TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file.

Component: Access Policy Manager

Symptoms:
TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file instead of looping TMM thread log file.

Conditions:
TMM stuck in a loop and aborted by monitor process.

Impact:
Unclear which TMM thread was looping and resulted in crash and failover.

Workaround:


538133-4 : Only one action per sensor is displayed in sensor_limit_table and system_check

Component: TMOS

Symptoms:
The sensor_limit_table and the system_check utility display a list of sensors with the actions taken when the sensor data exceeds its defined limit. On the affected versions, each sensor item is displayed only once, even if multiple limits and actions are defined for the sensor. Additional limits and actions defined for the sensor are not displayed.

Conditions:
This problem occurs when the affected version of the BIG-IP software is running on the following hardware platforms: BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances and VIPRION B2100, B2150, B2250 blades.

Impact:
The system does not show the complete set of defined sensor limits and corresponding BIG-IP system actions when there are multiple limits and actions defined. Only one action is displayed for each sensor. The system_check utility will only evaluate sensor measurements against limits that appear in its sensor limit tables. Missing sensor limits will not be evaluated, and corresponding alerts will not be issued.

Workaround:
None.


537326-2 : NAT available in DNS section but config load fails with standalone license

Component: TMOS

Symptoms:
Config load fails with the error: 01070356:3: NAT feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
A NAT object is created for GTM/LC standalone license box.

Impact:
Config fails to load.

Workaround:
None.


537209-2 : Fastl4 profile sends RST packet when idle-timeout value set to 'immediate'

Component: Local Traffic Manager

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


536931 : VCMP Host: statistic discrepancy when guests use pva disabled virtual servers

Component: TMOS

Symptoms:
When guests use ePVA disabled virtuals the host double-counts packets and bits in the host side throughput counters.

Conditions:
A vCMP guest disables PVA on a virtual server. Observe the host throughput statistics (packets, bits).

Impact:
Incorrect representation of traffic flowing through the BIG-IP.

Workaround:


536575-1 : Session variable report can be blank in many cases

Component: Access Policy Manager

Symptoms:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, Per-App VPN, and other components, the Session Variable Report output can be blank.

Conditions:
On-Demand Cert Auth in an access policy. Dynamic ACL (DACL) in an access policy. Per-App VPN access policy. Probably others.

Impact:
The Session Variable report is empty.

Workaround:
Check the session variable using command sessiondump.


536563-2 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Component: Local Traffic Manager

Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.

Impact:
Unexpected RSTs (Clientside).

Workaround:
None.


536191-2 : Transparent inherited TCP monitors may fail on loading configuration

Component: Local Traffic Manager

Symptoms:
LTM monitor configuration may fail to reload from disk if the monitor name occurs alphabetically prior to the inherited-from monitor.

Conditions:
Monitor A inheriting from Monitor B, where both monitors are of type 'transparent'.

Impact:
Configuration from disk fails to load. System posts an error message similar to the following: 1070045:3: Monitor /Common/test1 type cannot have transparent attribute. Unexpected Error: Loading configuration process failed.

Workaround:
Rename monitors so they occur in the required alphabetical order to support inheritance.


535904-2 : BD crashes when attempting to access a closed connection

Component: Application Security Manager

Symptoms:
The Enforcer Application system generates a BD core file to the /shared/core directory.

Conditions:
One or more of these features is turned on: session tracking, web scraping, ICAP, ASM iRules. The client side or the server side prematurely closes the connection. There is some load on this traffic.

Impact:
The Enforcer Application system may temporarily fail to process traffic.

Workaround:
N/A


534901-1 : VMware View HTML5 client may load/initialize with delays

Component: Access Policy Manager

Symptoms:
When the HTML5 client is used to access VMware View remote desktops, it may sometimes take about 30 seconds to initialize.

Conditions:
APM Webtop with a VMware View remote desktop assigned available for HTML5 client launch.

Impact:
Slow HTML5 client initialization.

Workaround:
- In the admin UI, go to Local Traffic -> Profiles: Services: HTTP and create a new HTTP profile.
- Set the "Response Chunking" option to Unchunk (or Rechunk) and save the profile.
- Assign this HTTP profile to the virtual server.


534795-1 : Swapping VLAN names in config results in switch daemon core and restart.

Component: Local Traffic Manager

Symptoms:
Changing names of configured VLANs directly in the configuration file and reloading results in a bcm56xxd switch daemon core and restart.

Conditions:
Applies to all switch based platforms, when modifying the VLAN names directly in the configuration file and reloading.

Impact:
Switch daemon drops core, restarts, and reconfigures the switch.

Workaround:
First delete any existing VLANs, and then recreate them with the new names.


534472 : Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name.

Component: Advanced Firewall Manager

Symptoms:
Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name.

Conditions:
Using iControl REST to collect DoS stats.

Impact:
Failure to obtain desired stats.

Workaround:


534111-1 : [SSL] Config sync problems when modifying cert in default client-ssl profile

Component: Local Traffic Manager

Symptoms:
Config sync problems after modifying cert in default client-ssl profile when the profile is already active and in use on members in a high availability configuration.

Conditions:
Modify cert in default client-ssl profile and perform a config sync operation.

Impact:
After config sync, units in the sync group have different cert/key settings for client-ssl profiles. You can see this in the inherit-certkeychain setting, which changes from 'true' to 'false' after syncing the configuration with the changed default value.

Workaround:
1. Remove the client-ssl definitions from bigip.conf on each unit.
2. Reload the config.
3. Synchronize the config.


533966-5 : Double loopback nexthop release might cause TMM core.

Component: Local Traffic Manager

Symptoms:
TMM might restart after logging an 'Assertion "nexthop ref valid" failed' message.

Conditions:
Traffic is sent from one tmm to a tunnel in another tmm, but the tunnel does not exist.

Impact:
TMM restarts.

Workaround:
None.


533813-3 : Internal Virtual Server in partition fails to load from saved config

Component: TMOS

Symptoms:
Loading a successfully configured internal virtual server from the config fails with the following message:
01070712:3: Values (/part2/0.0.0.0%2) specified for Virtual Server (/part2/ICAP_request): foreign key index (name_FK) do not point at an item that exists in the database.

Conditions:
This occurs when the following conditions are met:
-- You are running a BIG-IP system with no configuration.
-- You have created an external VLAN with an interface.
-- You have created a non-default route domain, and associated it with a newly created VLAN.
-- You have created a virtual server, and configured a pool in a partition other than /Common.
-- You have saved the configuration.
Here is an example of how this might occur. Run the following commands:
tmsh
create net vlan external interfaces add { 1.2 }
create net route-domain 2 vlans add { external }
create auth partition part2 default-route-domain 2
cd ../part2
create ltm pool icap_pool members add { 10.10.10.10:8080 }
create ltm virtual ICAP_request destination 0.0.0.0:0 mask 0.0.0.0 internal ip-protocol tcp profiles add { tcp } pool icap_pool
save sys config
load sys config partitions all verify

Impact:
The operation creates a virtual server but cannot load it from saved config.

Workaround:
To work around this issue, you can use the Common partition to complete the configuration.


533422-1 : sessiondump is not reusing connections

Component: Access Policy Manager

Symptoms:
sessiondump opens a TCP connection to TMM. It only needs to make one connection, but it was actually making one connection for each request. This is visible in a packet capture or by monitoring the number of sockets left in the TIME_WAIT state. On a box that had 1000 sessions, a little over 1000 sockets were generated by the sessiondump call:
# netstat -a | grep memcache | grep TIME_WAIT | wc
3 18 267
# sessiondump --allkeys 1> /dev/null
# netstat -a | grep memcache | grep TIME_WAIT | wc
1054 6324 93806

Conditions:
This issue is most relevant when the fix for BZ 511900 is present. That fix improved sessiondump performance by reducing the amount of process forking; the connection reuse problem is not really visible until after that. BZ 511900 was included in 12.0, and BZ 533422 (this bug) was included in 12.1. It is therefore relevant to all 12.0 customers and to 11.x customers that request a hotfix with BZ 511900.

Impact:
The extra connections have a minor throughput impact because of the cost of each TCP three-way handshake. The more important impact is that on a large system (around 20k sessions or more), sessiondump creates a large number of sockets in a very short period of time. These sockets go into TIME_WAIT and are not immediately reusable. The box could run out of sockets, and sessiondump will exit.

Workaround:


533174 : Several "Standard MIB" OIDs were not supported correctly

Component: TMOS

Symptoms:
Certain OIDs in the IP-MIB, IF-MIB and EtherLike-MIB were either not supported by the BIG-IP system, or the returned MIB query data related to the interface index (ifIndex) was incorrect or inconsistent with the ifIndex returned by IF-MIB::ifTable.

Conditions:
No special conditions.

Impact:
Customer could not relate interface data from one MIB table to another.

Workaround:
None.


532859-1 : [GTM] ZRD cannot create reverse zones for stub, slave and forward zones

Component: Global Traffic Manager (DNS)

Symptoms:
ZRD cannot create reverse zones for zone types stub, slave, and forward (that is, zone types other than Master).

Conditions:
Creating zone for ZRD with zone types other than Master.

Impact:
Cannot create reverse zones. This is as-designed behavior: reverse zones must include SOA and NS records, which are only available for Master zones.

Workaround:
None.


532559-4 : Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.

Component: TMOS

Symptoms:
If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. But the configuration could potentially use 'defaults-from none'.

Conditions:
This condition could be caused by executing the following command when generating the configuration: 'tmsh modify ltm profile client-ssl clientssl defaults-from none'

Impact:
The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile.

Workaround:
Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.


532365-1 : lsndb cores with "Assertion `size < bin_key_size' failed"

Component: Carrier-Grade NAT

Symptoms:
When there are many entries in the session database and a user attempts to delete them with "lsndb del all", lsndb can core with "Assertion 'size < bin_key_size' failed". The user may see many "Error: Connection to internal DB failed (err: Cannot assign requested address [99])" messages displayed on the console. In addition, not all of the session database entries are deleted.

Conditions:
- LSN is configured with persistence, inbound-connections automatic, or PBA enabled.
- There are over 100,000 session database entries (e.g. persistence, inbound, or PBA entries).
- The user attempts to manually delete all entries with "lsndb del all".

Impact:
- Session database cannot be properly cleared using the lsndb util.

Workaround:


531979-1 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system currently sets the SSL version in the record layer to the same value as the version field of the ClientHello message, which is the highest SSL version supported. Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:
SSL Record:
  Content Type: Handshake (22)
  Version: $LOWEST_VERSION
  Handshake Record:
    Handshake Type: Client Hello (1)
    Version: $HIGHEST_VERSION
The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from $HIGHEST_VERSION through $HIGHEST_VERSION instead of from $LOWEST_VERSION through $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports. For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.
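As an added example (not part of these release notes or of F5's code), the following Python builds a minimal ClientHello with a chosen record-layer version and handshake version, parses both fields back out of the raw record, and models a peer that only speaks TLS 1.0/1.1 and treats the two fields as the client's supported range, as the entry above describes. The version table and the peer model are assumptions made for this demonstration.

```python
"""Added example: the two version fields of a TLS ClientHello and why
setting the record-layer version to the highest version (instead of the
lowest) makes a TLS 1.0/1.1-only peer reject the handshake."""
import struct

# Wire encodings of the versions relevant to this issue (assumption: the
# peer and client only ever use these four).
VERSIONS = {"SSLv3": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}


def build_client_hello(record_version, hello_version):
    """Construct a minimal ClientHello record (constructed sample, not a
    capture).  Random, session id, cipher suites and compression are
    placeholders; only the two version fields matter here."""
    body = bytes(hello_version)                   # ClientHello.client_version
    body += b"\x00" * 32                          # Random (placeholder)
    body += b"\x00"                               # session_id length = 0
    body += struct.pack("!H", 2) + b"\x00\x2f"    # one cipher suite (placeholder)
    body += b"\x01\x00"                           # compression_methods: null
    # Handshake header: type 1 (ClientHello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (Handshake) + record-layer version + 16-bit length.
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_versions(record):
    """Return (record_layer_version, client_hello_version) from a raw record,
    checking the framing so a truncated or foreign record is rejected."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = (record[1], record[2])
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_len != rec_len - 4:
        raise ValueError("handshake length mismatch")
    hello_ver = (record[9], record[10])
    return rec_ver, hello_ver


def peer_selects(record, peer_supported):
    """Model (assumption) of a peer that reads [record version, ClientHello
    version] as the client's supported range and picks the highest version
    both sides share.  Returns the chosen version name, or None when the
    peer finds no common version and the handshake fails."""
    rec_ver, hello_ver = parse_versions(record)
    if rec_ver > hello_ver:
        raise ValueError("record-layer version above ClientHello version")
    common = [v for v in peer_supported if rec_ver <= VERSIONS[v] <= hello_ver]
    if not common:
        return None
    return max(common, key=lambda name: VERSIONS[name])


if __name__ == "__main__":
    peer = ["TLS1.0", "TLS1.1"]        # constructed peer that lacks TLS 1.2
    # Behaviour described in the entry: record version == ClientHello version.
    same = build_client_hello(VERSIONS["TLS1.2"], VERSIONS["TLS1.2"])
    # De facto behaviour: record version set to the lowest supported version.
    lowest = build_client_hello(VERSIONS["TLS1.0"], VERSIONS["TLS1.2"])
    print("record=TLS1.2, hello=TLS1.2 ->", peer_selects(same, peer))    # None
    print("record=TLS1.0, hello=TLS1.2 ->", peer_selects(lowest, peer))  # TLS1.1
```

The strict range check is the peer behaviour the entry describes; a server conforming to RFC 5246 must accept any {3,xx} record-layer version on the ClientHello, so the failure depends on the peer's implementation.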


531966 : APM ACLs can block ICA file generation on APM Webtop

Component: Access Policy Manager

Symptoms:
APM ACLs can block ICA file generation on APM Webtop. As a result, Citrix app on APM Webtop cannot be started.

Conditions:
APM ACLs are blocking the internal ICA file generation request. An example is a deny-all L4 ACL.

Impact:
Citrix app on APM Webtop cannot be started.

Workaround:
Add an allow ACL that permits the ICA file generation request destined for the virtual server servicing Citrix. Use the ACL logging in /var/log/pktfilter to determine the rule for such an allow ACL.


531566-2 : A partial response arrives to the client when response logging is turned on

Component: Application Security Manager

Symptoms:
When response logging is turned on, the client receives only a partial response.

Conditions:
Response logging is turned on. The response is chunked.

Impact:
The response arrives as chunked, but not all the chunks arrive, causing the client to wait for the rest of the traffic.

Workaround:
N/A


530903-1 : HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade

Component: TMOS

Symptoms:
HA pair should remain in active/standby state after the software upgrade but instead goes into an active/active state.

Conditions:
Occurs in an active/standby HA pair which has a medium size configuration of pools and virtual servers (at least 30 objects total). The standby device is upgraded first and then it is rebooted. After reboot, the HA pair goes into an Active/Active state.

Impact:
Active/Standby configuration is lost.

Workaround:
Reconfigure the HA pair back to active/standby.


530812-1 : Legacy DAG algorithm reuses high source port numbers frequently

Component: Local Traffic Manager

Symptoms:
A service on a pool member will receive connections frequently with a source port number above 65400, especially when the incoming connections to the Virtual IP listener are generated by test tools that increment their source port numbers sequentially. This could lead to premature SNAT port exhaustion, if SNAT is also being used.

Conditions:
The issue appears to be limited to the legacy DAG algorithm on the Viprion PB100 and PB200 blades. All supported versions of BIG-IP will exhibit this issue on this hardware when this DAG algorithm is used. The problem is not exhibited when the incoming sessions' source port numbers have a reasonable amount of entropy (as one would normally see with real Internet traffic); however, the use of test tools, or even intentional malicious traffic may cause this issue to be seen.

Impact:
The issue could result in resource contention (such as SNAT pool port exhaustion), or problems with the pool member services distinguishing between sessions. A notable exception: Port reuse before TIME_WAIT expires is specifically NOT an impact of this issue.

Workaround:
To work around SNAT pool port exhaustion, increase the pool size, or change to auto-map. An iRule may be used to help pool member services better distinguish incoming sessions.


530795-3 : In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may send ICMP messages that contain an incorrect TCP sequence/ACK number in the embedded message body.

Conditions:
FastL4 TCP virtual servers. Syncookie mode.

Impact:
The TCP connflow might be aborted if an ICMP message (such as More fragment) is received.

Workaround:
None.


530122-1 : Improvements in building hotfix images for hypervisors.

Component: TMOS

Symptoms:
The name of HF/EHF ISOs changed recently and the filter used to locate them needs to change.

Conditions:
Building hotfix images for hypervisors.

Impact:
There are issues providing bundled images.

Workaround:
None.


530102-2 : Illegal meta characters on XML tags

Component: Application Security Manager

Symptoms:
After upgrading from 11.4.1 to 11.6.0, a customer began seeing many "Illegal meta character in value" false positives on their XML content. The flagged characters are valid within XML (<, >, /, :, etc.), and the affected URLs are associated with legitimate XML profiles via header-based content profiles. The security event report shows that the invalid characters are reported for the global UNNAMED wildcard parameter and that the request is a multipart POST.

Conditions:
An XML profile is assigned to the wildcard URL, which has a Header-Based Content profile.

Impact:
False positive violations could happen on the parameter enforcement (as it's not a parameter content but XML).

Workaround:
N/A


530092-1 : AD/LDAP groupmapping is overencoding group names with backslashes

Component: Access Policy Manager

Symptoms:
Manually adding a group value that contains space(s) in an AD/LDAP Group Resource Assign action results in the space(s) being escaped, which invalidates match attempts. For example, adding the group 'Foo Bar' (without the quotes) results in the following expression in bigip.conf:
expression "expr { [mcget -decode {session.ldap.last.attr.memberOf}] contains \"CN=Foo\\\\ Bar\" }"
The value '\"CN=Foo\\\\ Bar\"' does not match a returned memberOf group that contains 'CN=Foo Bar,...'.

Conditions:
A group name containing spaces is entered manually in an AD/LDAP Group Resource Assign action; the spaces are encoded with backslashes.

Impact:
Matching on the memberOf group does not work.

Workaround:
N/A


530081 : Mcpd might crash when too many SSL certificates are loaded

Component: TMOS

Symptoms:
Mcpd/TMM might crash when too many SSL certificates are loaded at once.

Conditions:
Loading a large number of SSL certificates at one time, for example, 4000 or more.

Impact:
Mcpd/TMM might crash.

Workaround:
Split the config file into several smaller ones.


529627-1 : LDAP StartTLS may fail on serverside when persistence is configured

Component: Local Traffic Manager

Symptoms:
In some circumstances, the system fails to set up StartTLS on the server side when instructed to by an LDAP client, if the LDAP virtual server has a persistence profile.

Conditions:
- LDAP virtual server with client and server profiles.
- LDAP profiles with STARTTLS Activation Mode set to Allow.
- A persistence profile, for example source address persistence.

Impact:
The server-side connection does not upgrade to TLS.

Workaround:
Do not use an LDAP virtual server with a persistence profile.


529395 : Local-only network IP forwarding virtual server not forwarding traffic on standby system

Component: Local Traffic Manager

Symptoms:
A local-only network IP forwarding virtual server does not forward traffic on standby systems.

Conditions:
BIG-IP systems in a high-availability (HA) device cluster. An IP forwarding virtual server in traffic-group-local-only.

Impact:
Traffic is forwarded only on active BIG-IP systems.

Workaround:
None.


528736-1 : When tcp connection is aborting tmm can crash with "hud_oob consumed" message

Component: Local Traffic Manager

Symptoms:
TMM crashes with a "hud_oob consumed" message in the log.

Conditions:
This is a rare edge case. It can occur when a TCP connection has been aborted while messages remain in an internal queue.

Impact:
Traffic disrupted while tmm restarts.

Workaround:


528734-2 : TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.

Component: Local Traffic Manager

Symptoms:
On a Standard virtual server, a data segment is retransmitted whenever an ICMP Type 3, Code 4 (Destination Unreachable, Fragmentation Needed) message is received, whatever its reported MTU (including 0). Retransmission continues until no more Type 3, Code 4 messages arrive, the connection times out, or an ACK is received.

Conditions:
A malicious router or client sends ICMP Fragmentation Needed messages with arbitrary MTU values: increasing, decreasing, unchanged, or 0.

Impact:
Retransmitted packets fill the link and cause a minor outage. This is a denial-of-service risk that can be exploited from outside the network.

Workaround:
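
No workaround is given for this issue. The following is an added illustration, not an F5 fix or BIG-IP code, of the checks a TCP endpoint should perform before acting on an ICMP Fragmentation Needed message: it validates the message for both of the ICMP issues above (the quoted TCP sequence number in the embedded body, and the reported MTU). It parses the Type 3, Code 4 message, confirms the quoted 4-tuple and sequence number belong to an in-flight segment of a known flow (per RFC 5927), and accepts only an MTU that is within IPv4 bounds and strictly lowers the current path MTU, with the RFC 1191 plateau table used for a reported MTU of 0. The addresses, ports, sequence numbers and the TcpFlow class are constructed for the example.

```python
"""Validate ICMP 'Fragmentation Needed' (Type 3, Code 4) messages before
acting on them, so that forged messages with bogus MTUs or bogus quoted TCP
headers cannot drive retransmissions or shrink the path MTU.
Added example; not BIG-IP code. Addresses, ports and sequence numbers used
in the tests are constructed."""
import ipaddress
import struct

IPV4_MIN_MTU = 68            # RFC 791: every host must accept 68-byte datagrams
# RFC 1191 section 7.1 plateau table, used when a router reports Next-Hop MTU 0
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)
SEQ_MOD = 1 << 32


def build_frag_needed(mtu, src, dst, sport, dport, seq):
    """Construct (for tests) an ICMP type 3/code 4 message quoting the IPv4
    header and first 8 TCP bytes of the datagram that was 'too big'. Checksums
    are left at zero; the validator below does not check them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_first8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip_hdr + tcp_first8


def parse_frag_needed(msg):
    """Return the Next-Hop MTU and the quoted 4-tuple plus TCP sequence number
    of a well-formed type 3/code 4 message quoting a TCP datagram, else None."""
    if len(msg) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8 or inner[9] != 6:
        return None
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {"mtu": mtu,
            "src": str(ipaddress.IPv4Address(inner[12:16])),
            "dst": str(ipaddress.IPv4Address(inner[16:20])),
            "sport": sport, "dport": dport, "seq": seq}


class TcpFlow:
    """Minimal sender-side state for one TCP connection (hypothetical)."""

    def __init__(self, local, lport, peer, pport, snd_una, snd_nxt, pmtu=1500):
        self.local, self.lport, self.peer, self.pport = local, lport, peer, pport
        self.snd_una, self.snd_nxt, self.pmtu = snd_una, snd_nxt, pmtu

    def seq_in_flight(self, seq):
        """RFC 5927 section 4.1: honour an ICMP error only if it quotes a sequence
        number we have sent and that is not yet acknowledged (mod 2**32)."""
        return (seq - self.snd_una) % SEQ_MOD < (self.snd_nxt - self.snd_una) % SEQ_MOD

    def apply_frag_needed(self, msg):
        """Return (accepted, reason); lower self.pmtu only when every check passes."""
        info = parse_frag_needed(msg)
        if info is None:
            return False, "not a well-formed fragmentation-needed message for TCP"
        quoted = (info["src"], info["sport"], info["dst"], info["dport"])
        if quoted != (self.local, self.lport, self.peer, self.pport):
            return False, "quoted 4-tuple does not belong to this flow"
        if not self.seq_in_flight(info["seq"]):
            return False, "quoted sequence number is not in flight"
        mtu = info["mtu"]
        if mtu == 0:
            # Router predates RFC 1191: step down to the next plateau below current.
            mtu = next((p for p in PLATEAUS if p < self.pmtu), IPV4_MIN_MTU)
        if mtu < IPV4_MIN_MTU:
            return False, "MTU below the IPv4 minimum"
        if mtu >= self.pmtu:
            return False, "MTU would not lower the current path MTU"
        self.pmtu = mtu
        return True, "path MTU lowered to %d" % mtu
```

The sequence-number check is what defeats an off-path attacker: without knowledge of an in-flight sequence number, a forged message quoting a guessed 4-tuple is dropped, and a replayed or increasing MTU is rejected because only a strict decrease is ever applied.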


528701-1 : Sessiondump does not accept single dash options

Component: Access Policy Manager

Symptoms:
sessiondump switched to double-dash options (such as `sessiondump --list`) and is no longer backward compatible with single-dash options (such as `sessiondump -list`).

Conditions:
This bug applies only if BZ 511900 is integrated into an engineering hotfix for an 11.x version. BZ 511900 was included in 12.0 and improved sessiondump performance but broke backward compatibility. The regression was identified during 12.0 development and was fixed before 12.0 was released.

Impact:
Minimal impact. Applies only to customers that request and receive an engineering hotfix that includes BZ 511900 to get a faster sessiondump. Functionality is the same, but utility scripts that use the old options need to be updated to the new ones.

Workaround:
Use the double dash option. The option names have not changed, and the functionality of sessiondump has not changed.


528548-2 : @import "url" is not recognized by client-side CSS patcher

Component: Access Policy Manager

Symptoms:
Links in CSS are not rewritten.

Conditions:
CSS that contains @import "url" or @import 'url'.

Impact:
Unrewritten requests result in errors and user confusion, and pages render incorrectly.

Workaround:
A custom iRule can be used; no general workaround exists.
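
As an added illustration of what a complete @import rewriter has to cover (not APM code and not the iRule referred to above), the following Python function rewrites the target of every @import rule, including the string forms (@import "url" and @import 'url') that the issue describes, alongside the url() forms. The rewrite_url callback, the portal_prefix function and its /portal/ prefix are hypothetical stand-ins for the real portal-access URL encoding; the CSS in the test is constructed.

```python
"""Rewrite the targets of CSS @import rules: the string forms @import "x" and
@import 'x' as well as @import url(x) / url("x") / url('x').
Added example, not APM code. The rewrite function and the /portal/ prefix are
hypothetical; real portal rewriting encodes the origin into the path."""
import re

# Everything after the URL (media queries, the semicolon) is left untouched.
_IMPORT = re.compile(
    r"""@import\s+(?:url\(\s*(?P<q1>["']?)(?P<u1>[^"')]*)(?P=q1)\s*\)"""
    r"""|(?P<q2>["'])(?P<u2>[^"']*)(?P=q2))""",
    re.IGNORECASE)


def rewrite_css_imports(css, rewrite_url):
    """Apply rewrite_url() to the target of every @import rule in `css`.
    Limitation: @import text inside CSS comments is rewritten as well."""
    def repl(m):
        if m.group("u1") is not None:          # url(...) form, quote preserved
            q = m.group("q1")
            return "@import url(%s%s%s)" % (q, rewrite_url(m.group("u1")), q)
        q = m.group("q2")                      # bare string form
        return "@import %s%s%s" % (q, rewrite_url(m.group("u2")), q)
    return _IMPORT.sub(repl, css)


def portal_prefix(url):
    """Hypothetical rewriter: route absolute http(s) URLs through the portal and
    leave relative URLs to the base-URL logic (not shown here)."""
    if url.lower().startswith(("http://", "https://")):
        return "/portal/" + url
    return url
```

Unrewritten @import targets are the failure mode the issue describes: the browser fetches the stylesheet directly from the origin instead of through the portal, which both breaks rendering and bypasses the access-controlled path.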


528424-3 : IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state

Component: Access Policy Manager

Symptoms:
Tooltip/toast notifications are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc.). Beginning with Microsoft Windows 8, tooltips are replaced by toast notifications; on Windows 10, Windows does not convert tooltips to toast notifications for the F5 WebComponent.

Conditions:
The problem occurs under these conditions: Internet Explorer 11, Windows 10, and Network Access changes state.

Impact:
User is not notified about state change.

Workaround:
To enable tooltips, in Group Policy change this setting: "User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Disable showing balloon notifications as toasts" to Enable.


528406 : Errors in monpd log after upgrade from version 11.5.x regarding deprecated widgets

Component: Application Visibility and Reporting

Symptoms:
Errors appear in monpd log after upgrading from version 11.5.x regarding deprecated widgets. For example, "Failed on primary blade: Undefined entity dosl7_ip was used".

Conditions:
Defining widgets in 11.5.x with entities that are no longer in use in later versions and upgrading to 11.6.x or 12.0.0.

Impact:
Errors in monpd log (no other "serious" impact).

Workaround:
After upgrading to new version remove all widgets from the Analytics :: HTTP :: Overview page and the Security :: Overview : Summary page and create new ones.


528401-1 : Using an iRule to enable/disable a profile does not enable/disable the profile

Component: Local Traffic Manager

Symptoms:
The profile is enabled/disabled on every other iRule invocation.

Conditions:
Reusing a connection between requests and using an iRule to enable/disable a profile.

Impact:
The profile will not be enabled/disabled.

Workaround:


528295-4 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Component: TMOS

Symptoms:
A 10.x UCS contains LTM virtual servers with ARP disabled. Loading that UCS on an 11.4.x or later system flips the ARP and ICMP echo settings each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on an 11.4.x or later system.

Impact:
The ARP and ICMP echo settings are flipped each time the load occurs. Note that the ICMP echo virtual field is flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.


528083-2 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Conditions:
System shutdown. The issue cannot be reproduced reliably, so the conditions for the crash are unknown.

Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.

Workaround:
None


528071-1 : ASM periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
ASM periodic updates (run via cron) write errors to the log when ASM is not provisioned.

Conditions:
ASM is not provisioned.

Impact:
Errors appear in the ASM logs.

Workaround:


528052-1 : System remains OFFLINE after running tmsh run cm config-sync recover-sync

Component: TMOS

Symptoms:
When ASM is provisioned, running the command "tmsh run cm config-sync recover-sync" causes the device to remain offline. This command should reset all of the local device configuration, but the device should come back online after several minutes.

Conditions:
ASM is provisioned and FPS is not provisioned.

Impact:
System remains OFFLINE and not handling incoming traffic.

Workaround:
Two workaround options:
1. Re-provision ASM: tmsh modify sys provision asm level nominal
2. Reboot the device.


527992-1 : tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client.

Component: Policy Enforcement Manager

Symptoms:
When the DHCP server flow tries to connect to a client flow that is already connected and has not been released, tmm might crash.

Conditions:

Impact:
Unknown

Workaround:


527668-1 : "Minimize to tray" option doesn't work in IE with latest updates if APM is not in Trusted Sites list

Component: Access Policy Manager

Symptoms:
KB3058515 introduces new security changes in Internet Explorer versions 9, 10, and 11. As a result, a plug-in running on a site that is not in the Trusted Sites list cannot create a tray icon.

Conditions:
The problem occurs under these conditions:
1. KB3058515 is installed.
2. The client machine has Internet Explorer version 9, 10, or 11.
3. The APM virtual server is not in the Trusted Sites list.

Impact:
Minimize to tray option does not work.

Workaround:
To work around the problem, uninstall KB3058515 or add the APM virtual server to the Trusted Sites list.


527119-3 : Iframe document body could be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting. The issue is specific to the Chrome browser and results in JavaScript errors in code of the following kind:
iframe.contentDocument.write(html);
iframe.contentDocument.close();
<any operation with iframe.contentDocument.body>
One application known to contain such code, and to fail after APM rewriting, is the TinyMCE editor.

Conditions:

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule. The workaround iRule will be unique for each affected application.


527080 : Upgrade of invalid FQDN configuration

Component: Local Traffic Manager

Symptoms:
Nodes must be unique by address or FQDN. If the saved configuration violates that constraint, the upgrade fails because the configuration fails validation.

Conditions:

Impact:
Configuration will fail to load on upgrade.

Workaround:
Delete the duplicate nodes.


526974-1 : Data-group member records map empty strings to 'none'.

Component: TMOS

Symptoms:
When an empty string is set as the data of a data-group member record, it is converted to the string 'none'.

Conditions:
The record type is string.

Impact:
The record's data is set to the literal string 'none' even though the user entered an empty string ''.

Workaround:
None.


526829-2 : Enable client side encoding by default in DoS Layer 7

Component: Application Security Manager

Symptoms:
The client-side challenge does not encode the parameters of POST requests by default. An application protected by DoS Layer 7 can be broken by proactive bot defense (outside of attacks) or by client-side challenge mitigation (during attacks).

Conditions:
Client-side mitigation or proactive bot defense is enabled in the DoS profile, and a POST request is sent whose parameters need to be decoded by the application.

Impact:
The application might break in this scenario because it receives parameters that are not encoded.

Workaround:
Manually set the cs_encode parameter to enabled and, to compensate for the performance penalty, reduce cs_max_request_size from 50k to 10k or lower.


526500 : Manually adding username/password in ZebOS can cause imi to core

Component: TMOS

Symptoms:
Manually adding a username and encrypted password into ZebOS, either by using imish command line, or by modifying zebos.conf directly, might cause imi to core.

Conditions:
Manually modifying the zebos.conf configuration file or adding a non-existing user using imish.

Impact:
The user interface to ZebOS, imi, might core. Other functionality should not be affected.

Workaround:
Do not add the configuration manually in ZebOS. Use the BIG-IP system facilities for adding/modifying ZebOS users.


525675 : SSL with forward proxy can leak memory

Component: Local Traffic Manager

Symptoms:
Under some conditions, SSL with forward proxy might leak memory.

Conditions:
Forward proxy is enabled on a BIG-IP system that is running multiple TMM instances.

Impact:
Service degradation leading to an eventual reboot.

Workaround:
None.


524545-3 : Generate HF roll-up images for Virtual Edition platforms.

Component: TMOS

Symptoms:
Release HF roll-up images for Virtual Edition.

Conditions:
Building images for Virtual Edition.

Impact:
Release HF roll-up images for Virtual Edition.

Workaround:


524193-4 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified in a tmsh snmp community command (add, modify, delete, replace-all), only the first address is saved.

Conditions:
Specifying multiple source addresses in a tmsh snmp community command.

Impact:
You can enter multiple source addresses for an SNMP community object, but only the first address is allowed SNMP access; the others are silently dropped.

Workaround:
Put each additional source address in a separate snmp community object that uses the same community string.


524126-4 : The DB variable provision.tomcat.extramb is cleared on first boot.

Component: TMOS

Symptoms:
The DB variable provision.tomcat.extramb is 0 (zero) after upgrading using a configuration with the variable set to a non-zero value.

Conditions:
The DB variable provision.tomcat.extramb set to a value other than 0 before installing.

Impact:
The DB value is not rolled forward, so the GUI gets less memory than expected.

Workaround:
After the first boot, set the DB variable provision.tomcat.extramb to the desired amount or restore the saved UCS at /var/local/ucs/config.ucs.


524123-3 : iRule ISTATS::remove does not work

Component: TMOS

Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.

Conditions:
Invoking the ISTATS::remove command from an iRule.

Impact:
The value of the iStat remains defined.

Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.


524009-1 : Incorrect parsing of abnormal request headers during DOS attacks

Component: Advanced Firewall Manager

Symptoms:
When the DoS profile is in use and a client-side mitigation is active, in some rare cases the request headers are parsed incorrectly, causing valid requests to be reset.

Conditions:
DOS profile is used, DOS attack is active and mitigated using Client-Side Integrity. This is only relevant for the requests which are marked for DOS mitigation.

Impact:
Some valid requests are blocked during the client-side DOS mitigation.

Workaround:
None


523985 : Certificate bundle summary information does not propagate to device group peers

Component: TMOS

Symptoms:
Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync.

Conditions:
A certificate file is created in a folder synced to a device group.

Impact:
Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available.

Workaround:
None.


523642-5 : Power Supply status reported incorrectly after LBH reset

Component: TMOS

Symptoms:
On BIG-IP appliances with the Backplane Micro-Controller Hybrid (LBH) type of Always-On-Management device, Power Supply status reporting and enumeration may function incorrectly if the LBH resets due to a watchdog reboot or other cause.

Conditions:
This may occur on BIG-IP 2000-/4000-series, BIG-IP 5000-/7000-series, and BIG-IP 10000-/12000-series platforms.

Impact:
Resets of the LBH device occur very rarely. When this issue occurs, the status reporting and enumeration of appliance power supplies may be inaccurate. Errors may be reported when attempting to obtain sensor values from non-present power supplies. Power supply presence, status and identification may be reported incorrectly following power supply removal or reinsertion.

Workaround:
To work around this issue and restore correct reporting of power supply status, restart the chmand process.
Impact of workaround: restarting the chmand process also restarts core BIG-IP system daemons such as TMM, so this procedure interrupts traffic processing.
1. Log in to the BIG-IP command line.
2. Restart the chmand process by typing the following command: bigstart restart chmand


523527-6 : Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.

Component: TMOS

Symptoms:
Customers upgrading directly from version 10.x to version 11.2.0 or later with a working dynamic routing configuration might find that the routing protocol is disabled after the upgrade.

Conditions:
- Upgrade from 10.x to 11.2.0 or later.
- Routing protocol enabled in tmrouted dbkeys.
- No route domain 0 (RD0) configuration: all VLANs are in RD0 by default and RD0 has no comment, so there is no existing RD0 configuration in bigip_base.conf.

Impact:
Routing protocol information is missing from RD0, ZebOS is not running (although configured).

Workaround:
There are several workarounds to this issue:
- Cause the RD0 configuration to exist by adding a comment to the 10.x description field and saving prior to upgrade.
- Re-add the routing protocol to the RD0 configuration after the upgrade.
- Perform an intermediate upgrade from 10.x to 11.0.0 or 11.1.0 prior to upgrading to 11.2.0 or later.


523522-1 : In a CMI device group, installing a UCS (on any one of the peers in group) does not propagate the ASU file (that is bundled with UCS) to other peers

Component: Application Security Manager

Symptoms:
In a CMI device group, after a UCS file is installed on any one of the peers in the group, the Application Security Update (ASU) version becomes inconsistent between peers.

Conditions:
ASM is provisioned. CMI device group with ASM sync enabled. A UCS file is installed whose bundled ASU version differs from the currently installed one.

Impact:
The ASU version is inconsistent between peers.

Workaround:
Manually trigger ASU update/install from: Security > Security Updates > Application Security


523513-3 : COMPRESS::enable keeps compression enabled for a subsequent HTTP request.

Component: Local Traffic Manager

Symptoms:
COMPRESS::enable keeps compression enabled for a subsequent HTTP request. The response for the first HTTP request enables the compression, but it is not used since the payload is empty. For the second HTTP request (whose URI indicates that it is not supposed to be compressed), the system still compresses the response because the first request did not disable compression.

Conditions:
Subsequent HTTP requests in the same TCP connection:
- The first HTTP response has an empty payload and the iRule enables compression.
- The second HTTP response is still compressed.

Impact:
Unintended compression for subsequent HTTP responses.

Workaround:
Disable compression explicitly in the iRule's else branch using COMPRESS::disable.


523126 : Change in route domain in NAT configuration does not take effect until restart

Component: Local Traffic Manager

Symptoms:
When the route domain of the originating address of a NAT configuration is changed without the address itself being changed, the change does not take effect. Viewing the configuration through tmsh and the GUI indicates that the change has worked, when it is not yet in use.

Conditions:
This occurs when editing an existing NAT configuration and changing the route domain without changing the address.

Impact:
The intended NAT change is not in effect.

Workaround:
In order to make the change take effect, delete and recreate the NAT or restart tmm.


522632 : Qkview generates error-level message

Component: TMOS

Symptoms:
In version 11.6.0, if AVR is not provisioned but a module that uses AVR (for example, APM) is provisioned, the Qkview utility generates the following error-level log message: err tmsh[18617]: 01420006:3: virtual is not a valid entity.

Conditions:
AVR not provisioned, but modules that use AVR (e.g. APM, AFM) are provisioned.

Impact:
This is a cosmetic issue. There is no impact on traffic.

Workaround:
This is a benign error message that can be safely ignored.


522620-1 : [APM][AAA] Monitor instances not removed for AAA RADIUS/other pools when the AAA pool is disassociated

Component: Local Traffic Manager

Symptoms:
Pool member monitor instances are not shown correctly after the AAA server, pool, or monitor is updated.

Conditions:
A pool is created from APM and then modified in LTM.

Impact:
LTM pool modifications affect APM AAA pools.

Workaround:
After updating the AAA pool, re-create the pool members; the effect of the LTM pool modification should then be visible.


522304-2 : Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group

Component: TMOS

Symptoms:
Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not.

Conditions:
CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed.

Impact:
Password policy may not be enforced consistently across all devices.

Workaround:
None.
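
Because the policy object syncs but the per-user ageing fields in /etc/shadow do not, the practical check is to audit /etc/shadow on each device against the expected policy and compare the findings across the device group. The following is an added example, not F5 tooling: it parses /etc/shadow lines and reports every ageing field (min, max, warn) that differs from the BIG-IP password-policy values min-duration, max-duration and expiration-warning. The policy values and shadow lines in the test are constructed.

```python
"""Audit the password-ageing fields of /etc/shadow against the expected
password policy, to catch per-device drift inside a device group.
Added example, not F5 tooling. Policy values and shadow lines used in the
test are constructed."""

# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire")


def parse_shadow(text):
    """Yield one dict per well-formed /etc/shadow line; blank and comment lines
    are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 8:
            continue
        yield dict(zip(_FIELDS, parts))


def audit_shadow(text, policy, users=None):
    """Return [(user, policy_key, actual, expected)] for every ageing field that
    differs from `policy`, a dict keyed by the BIG-IP password-policy names
    min-duration, max-duration and expiration-warning. Accounts without a usable
    password hash (locked '!' / '*' entries) are skipped; `users` optionally
    restricts the check to a set of account names."""
    mapping = {"min": "min-duration", "max": "max-duration", "warn": "expiration-warning"}
    findings = []
    for entry in parse_shadow(text):
        if users is not None and entry["name"] not in users:
            continue
        if not entry["hash"] or entry["hash"].startswith(("!", "*")):
            continue
        for field, pol_key in mapping.items():
            expected = str(policy[pol_key])
            if entry[field] != expected:
                findings.append((entry["name"], pol_key, entry[field], expected))
    return findings
```

Run it on every device with the same policy dict (taken from tmsh list auth password-policy); a user that is clean on one device and flagged on another is exactly the inconsistency described under Impact.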


522124-3 : Secondary MCPD restarts when SAML IdP or SP Connector is created

Component: Access Policy Manager

Symptoms:
Secondary MCPD restarts when the admin creates APM SAML IdP Connector (or SP Connectors) from attached metadata on the primary blade.

Conditions:
BIG-IP chassis with multiple blades where the configuration includes APM SAML IdP Connector or SP Connector created from attached metadata file.

Impact:
Secondary slot's MCPD restarts.

Workaround:


521711-4 : HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual

Component: Local Traffic Manager

Symptoms:
If the client sends a non-keepalive CONNECT request (HTTP/1.0 with no Connection header, or HTTP/1.1 with Connection: close) to a OneConnect-enabled virtual server, HTTP forces the connection closed by sending FIN on both the client and server flows, even if the server responds with a 200. If the CONNECT is successful, HTTP should leave the flows open regardless of the HTTP headers.

Conditions:
- HTTP and OneConnect profiles are attached to the virtual server.
- The client sends a non-keepalive CONNECT request (either HTTP/1.0 with no Connection header, or HTTP/1.1 with a Connection: close header).
- The server responds to the CONNECT request with 200 OK.

Impact:
HTTP adds a Connection: close header when responding to the client after a successful response is received from the server. In addition, HTTP closes the connection by sending FIN on both client and server flows. If the server responds to the CONNECT request with 200 OK, the connection should remain open.

Workaround:
You can use the following iRule to work around this issue:
when HTTP_REQUEST {
    if { [HTTP::method] eq "CONNECT" } {
        HTTP::disable
    }
}


521548-6 : Possible crash in SPDY

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, SPDY protocol handling together with a compression profile can cause a crash.

Conditions:
This is very rare and the exact circumstances are unclear. It involves SPDY, a compression profile, a congested client connection, and a stream being reset by the browser (using a RST_STREAM frame).

Impact:
Very rarely a crash may occur.

Workaround:
Do not apply the compression profile.


521036-2 : Dynamic ARP entry may replace a static entry in non-primary TMM instances.

Component: Local Traffic Manager

Symptoms:
On very rare occasions, a dynamic ARP entry might replace a static entry in non-primary TMM instances. When the BIG-IP system attempts to send packets to the address, "tmsh show net arp" lists two entries for it: one static, and one with "incomplete" status.

Conditions:
The BIG-IP system is configured with a static ARP entry. The replacement is caused by a very rare race condition.

Impact:
The issue may impact traffic flow if traffic goes through non-primary TMM instances.

Workaround:
None; the issue occurs very rarely.


520682-2 : In PBA mode subscribers cannot initiate more than 512 connections to the same server IP:port

Component: Carrier-Grade NAT

Symptoms:
In PBA mode, connections fail and new port blocks are not allocated when a subscriber attempts more than 512 connections to the same server IP and port.

Conditions:
PBA mode is configured on the LSN pool and inbound connections setting is set to disabled.

Impact:
Subscribers can initiate only 512 connections to a particular server IP:port.

Workaround:
Set 'Inbound connections' setting in the LSN pool to 'Automatic'.


520604-8 : Route domain creation may fail if simultaneously creating and modifying a route domain

Component: Local Traffic Manager

Symptoms:
Failure trying to create and modify a route domain in a single operation.

Conditions:
Performing create and modify operations in the same transaction, as can be done using tmsh and iControl.

Impact:
Transaction fails. Even though an ID is passed in with the create method, the system posts an error similar to the following: 01070734:3: Configuration error: route-domain Name /Common/test_rd_200 is non-numeric, so an ID must be specified.

Workaround:
Perform create and modify operations in different transactions.


520405-4 : tmm restart due to oversubscribed DNS resolver

Component: Local Traffic Manager

Symptoms:
A max-concurrent-queries configuration setting significantly above the default can cause tmm to restart under certain traffic loads.

Conditions:
DNS cache resolver configured with max-concurrent-queries setting significantly above default.

Impact:
tmm is restarted.

Workaround:
Set the max-concurrent-queries configuration value closer to default.


519394-1 : Sync when licensed for ASM/AFM fails to sync pool with "Load balancing feature not licensed" error

Component: TMOS

Symptoms:
When a single pool member is added to a pool associated with a virtual server, the sync fails and the peer reports the error message 'Load balancing feature not licensed.'

Conditions:
ASM/AFM licensed, a pool assigned to a virtual server, a single pool member is added.

Impact:
Sync fails.

Workaround:
Perform a sync between the creation of the pool and the pool members.


519090-1 : Assigning a value to window.onerror in an empty window leads to an exception.

Component: Access Policy Manager

Symptoms:
Assigning a value to window.onerror in an empty window might cause a load failure.

Conditions:
Portal Access is configured, and links on rewritten pages stop working because the page assigns a value to an empty window's onerror handler.

Impact:
Page does not load.

Workaround:
None.


519081-1 : Cannot use tmsh to load valid configuration created using the GUI.

Component: TMOS

Symptoms:
Cannot use tmsh to load a valid configuration created using the GUI.

Conditions:
This occurs with the following configuration:
1) Configure a server with :* members.
2) Configure a member-specific gateway-icmp monitor for the :* member.
3) Assign any L4/L7 monitor at the server level (http, tcp, etc., with the default '*:*' destination in the monitor).

Impact:
Although the configuration is valid, it fails to load with the following error: err iqsyncer[16456]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237538 result_message '01070622:3: The monitor /Common/my-tcp-half has a wildcard destination service and cannot be associated with a node that has a zero service.' }

Workaround:
Remove the parent TCP monitor.


519059-3 : [PA] - Failing to properly patch webapp link, link not working

Component: Access Policy Manager

Symptoms:
Any attribute URL in HTML content is rewritten as "javascript:location=..." if a <base> tag precedes the tag that carries the attribute, no content hint is set in the HTML rules for the attribute, and cookieless mode is not in use.

Conditions:
Webapp link is not properly patched.

Impact:
Rewritten links are not accessible.

Workaround:
N/A


518258 : The CLIENTSSL_CLIENTCERT iRule event may not be triggered.

Component: Local Traffic Manager

Symptoms:
Using the SSL persistence profile, the CLIENTSSL_CLIENTCERT event might not be triggered during renegotiation.

Conditions:
The SSL persistence profile is in use, and an iRule depends upon the CLIENTSSL_CLIENTCERT event.

Impact:
The CLIENTSSL_CLIENTCERT iRule event might not be triggered. The SSL::cert iRule command does not return certificates retrieved by on-demand certificate authentication; this is by design.

Workaround:
None.


518201-1 : ASM policy creation fails with after upgrading

Component: Application Security Manager

Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. You see the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------
It does not matter whether the security policy is created from the command line or from the Configuration utility.

Conditions:
ASM is provisioned and the system is upgraded to 11.6.x.

Impact:
ASM policies cannot be created.

Workaround:
Apply the following workaround as the root user from the command line of the affected BIG-IP system. Run these exact commands (copy and paste them into the command line).

The DELETE operation permanently modifies the named database table, so first back up the running configuration:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------
Next, confirm that you actually need the workaround by running the following query:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
If this query returns no output, there is no need to apply the workaround. Otherwise, remove the orphaned rows:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
To validate the workaround, run the same SELECT query again; after the DELETE it should return no output.


518197 : Modifying the default antifraud profile causes device group sync failures

Component: TMOS

Symptoms:
A device group sync results in the following error: 01070700:3: The attributes of a root profile (/Common/antifraud) cannot be set to 'default'.

Conditions:
The default /Common/antifraud profile is modified from its default values while in a device group.

Impact:
Sync fails and can be difficult to recover.

Workaround:
Do not modify the base profile; create a new one instead. Recovery might involve following SOL13887 against a peer with an unmodified base profile, but this deletes any changes made. If that is not acceptable, you can run tmsh save sys config, remove the /Common/antifraud profile from bigip.conf, and then run tmsh load sys config.


518086-6 : Safenet HSM Traffic failure after system reboot/switchover

Component: Local Traffic Manager

Symptoms:
SafeNet hardware security module (HSM) traffic fails after a system reboot or switchover.

Conditions:
Restart of services on primary or secondary blade.

Impact:
Traffic fails: there is no pkcs11 connection on the new primary blade.

Workaround:
The workaround is to restart pkcs11d on the secondary blade.


518059 : The HTTP::payload iRules API appends garbage to content when transfer-encoding is chunked

Component: Local Traffic Manager

Symptoms:
Using the HTTP::payload iRules API within the iRules HTTP_RESPONSE_DATA event yields bogus data in the inspected content, when the server sends a chunked HTTP response (HTTP/1.1 Transfer-Encoding: chunked). The following characters are appended to the actual content: CR-LF-0-CR-LF-CR-LF (H'0d0a300d0a0d0a' ..0....).

Conditions:
HTTP::payload iRules API used within the HTTP_RESPONSE_DATA iRules event, when server responds with a chunked HTTP payload (HTTP/1.1 Transfer-Encoding: chunked).

Impact:
Invalid content returned by the HTTP::payload iRules API when server sends a chunked HTTP response.

Workaround:
The iRule author can work around this issue by changing the request protocol to HTTP 1.0, since that prevents chunked transfer encoding. However, that would be inefficient because it breaks connection reuse. The workaround is to add HTTP::version "1.0" in the HTTP_REQUEST event.


517613-1 : ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps

Component: Local Traffic Manager

Symptoms:
ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps.

Conditions:
Create a ClientSSL profile (p1) with user-defined key/certificate/chain. Create another clientSSL profile (p2) with all default fields. Modify p2 to have the defaults from p1.

Impact:
GUI shows the right key/certificate/chain in p2, whereas tmsh shows p2 to have default key and certificate.

Workaround:
None.


517582-3 : [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.

Component: Global Traffic Manager

Symptoms:
Cannot delete a region even though it is not referenced by any record.

Conditions:
This occurs after a failed attempt to delete a region that is referenced by a record.

Impact:
Hard to manage topology regions.

Workaround:
Restart mcpd.


517510-1 : HTTP monitor might add extra CR/LF pairs to HTTP body when supplied

Component: Local Traffic Manager

Symptoms:
When supplying HTTP containing body text to the HTTP monitor, the system might append extra CR/LF pairs to the end.

Conditions:
HTTP monitor with text specifying HTTP body text.

Impact:
This may cause malformed POST or PUT messages.

Workaround:
A limited workaround is to provide an alternative HTTP health check that does not require PUTting or POSTing a body.


517456 : Resetting virtual server stat increments cur_conns stat in clientssl profile

Component: Local Traffic Manager

Symptoms:
When there are active connections on the virtual server, resetting its virtual server stats through 'tmsh reset-stats ltm virtual virtual_name' doubles the client SSL profile cur_conns/cur_native_conns/cur_compat_conns statistics.

Conditions:
- SSL virtual server.
- Active connections on the virtual server.
- Virtual server stat reset while active connections are occurring.

Impact:
Invalid statistics values on the client ssl profile stats.

Workaround:
None.


516995-3 : NAT traffic group inheritance does not sync across devices

Component: TMOS

Symptoms:
When a NAT object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.

Impact:
The inherited-traffic-group property must be manually maintained on all devices.

Workaround:
Enable the 'full sync' option instead of using incremental sync.


516280-2 : bigd process uses a large percentage of CPU

Component: Local Traffic Manager

Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.

Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.

Impact:
bigd process uses a large percentage of CPU.

Workaround:
None.


516219-4 : User failed to get profile license in VIPRION P8 chassis if slot 1 is not enabled

Component: Access Policy Manager

Symptoms:
Connection is reset when user tries to log on to an APM virtual server. APM log shows ERR_NOT_FOUND while getting profile license.

Conditions:
The issue happens if slot 1 in a P8 chassis is not occupied or is occupied but not enabled.

Impact:
User logon failure.

Workaround:
Detach APM access profile from the virtual server and then reattach it.


515764-1 : PVA stats only being reported on virtual-server and system-level basis.

Component: TMOS

Symptoms:
The VLAN/interfaces stats do not include PVA stats. PVA stats are reported on a per-virtual-server including virtual server plus pool and pool members.

Conditions:
Viewing PVA stats.

Impact:
Interface stats only count TMM software traffic stats, and do not include PVA traffic stats. Although this is by design, it makes it difficult to monitor per-VLAN throughput on the device.

Workaround:
Retrieve pool member PVA stats for server-side PVA stats on the associated VLANs. Also look at PVA stats in the virtual server stats for client-side PVA stats. Note: On the client side, the virtual server might be configured to run on multiple VLANs, so the client-side details are not included in the stats.

Behavior Change:
Unknown


515736-4 : LSN pool with small port range may not use all ports

Component: Carrier-Grade NAT

Symptoms:
When LSN pool port range is small, some ports may not be used for translation.

Conditions:
LSN pool port range is small.

Impact:
Even though free ports are available, they are not used for translation and the connection fails.

Workaround:
Set the LSN pool port range to the default value of 1025 - 65535.


515139-5 : Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics

Component: Local Traffic Manager

Symptoms:
Current connections seen in the poolmember statistics via tmsh might show a non-decremented number over time.

Conditions:
This occurs when the following conditions are met:
- FTP virtual server with address translation disabled.
- FTP profile with inherit parent profile.
- Active FTP session.
Running the command: tmsh show ltm pool pool_name.

Impact:
The current connections statistics value does not decrement upon data connection closure. While this is primarily cosmetic, it might impact connections when used in combination with limit calculations.

Workaround:
Disable inherit parent profile in the FTP profile.


514419-5 : TMM core when viewing connection table

Component: Local Traffic Manager

Symptoms:
In very rare conditions tmm may core on viewing the connection table.

Conditions:
This occurs only when a configuration meets all of the following conditions:
- A NAT.
- An AFM reject rule for ICMP.
The user views the connection table on the system.

Impact:
TMM might core.

Workaround:
Do not view the connection table when this configuration combination exists.


513787-3 : CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10

Component: Application Security Manager

Symptoms:
Because the JavaScript is executed on the client side, JavaScript errors might break the page when it renders.

Conditions:
Using Internet Explorer 8-10 with CSRF ASM enabled.

Impact:
Because the JavaScript is executed on the client side, JavaScript errors might break the page when it renders.

Workaround:
N/A


513649-4 : Transaction validation errors on object references

Component: TMOS

Symptoms:
If certain objects are deleted then created within the same transaction, transaction errors might occur.

Conditions:
This is exclusive to transactions either via iControl, tmsh cli transaction, or a device group config sync. An object must be deleted and re-created in the same transaction. The object that was deleted must have configured references to other objects. For example, a virtual server can reference a profile or a VLAN. If it does, and there is a virtual server delete-and-create operation in the same transaction, mcpd fails to clean up the join reference on delete and complains when it tries to recreate it.

Impact:
Unnecessary mcpd validation failure. The system posts an error message similar to the following: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/tcp) already exists in partition Common.

Workaround:
If a user needs to delete and re-create an object, perform the delete in one transaction and the create in a subsequent transaction.


513530-4 : Connections might be reset when using SSL::disable and enable command

Component: Local Traffic Manager

Symptoms:
Enable/disable of SSL filter in quick succession might cause connection reset.

Conditions:
SSL filter is disabled then quickly re-enabled.

Impact:
Connection is unexpectedly reset/lost.

Workaround:
Do not re-enable SSL filter immediately after disabling it.


513319-4 : Incorrect or failing sideband connections from within an iRule may leak memory

Component: Local Traffic Manager

Symptoms:
When using sideband connections within iRules, the internal TMM memory structures might leak if the sideband destination is not reachable (routing, etc.).

Conditions:
An unreachable sideband destination that leads to failures of sideband connection creation, e.g. the destination is not reachable via routing.

Impact:
Gradual memory usage growth in TMM, which can lead to aggressive memory sweeper activity and eventual failover/outage. This might manifest as a gradual increase of TMM memory usage in graphs, and particularly as the following:
-- High number of connfails in tmctl sb_stats.
-- High number of allocated memory in tmctl sb_cache.

Workaround:
Correct possible reachability issues to the sideband destination.


513151-8 : VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.

Component: TMOS

Symptoms:
VIPRION B2150 blades with SSD show up as unknown when SNMP queries the OID sysObjectID.

Conditions:
SNMP queries the OID sysObjectID.

Impact:
Customers cannot identify any VIPRION B2150 blades with SSD using SNMP.

Workaround:
None.


513083-1 : d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.

Component: Access Policy Manager

Symptoms:
When tmm is running out of memory because of overload or other conditions and if APM is configured, tmm could potentially crash.

Conditions:
tmm is already running out of memory.

Impact:
Unknown

Workaround:


512954-2 : ospf6d might leak memory when a distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv3 and the Routing Information Base (RIB). The leak may lead to a crash unrelated to memory exhaustion.

Conditions:
OSPFv3 in use with a distribute-list, and LSAs in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospf6d crashes interrupt all dynamic routing using OSPFv3.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.


512853-2 : Kerberos SSO fails if KDC is not specified

Component: TMOS

Symptoms:
When you configure single sign-on (SSO) using Kerberos, and you do not fill in the KDC field on the configuration page (Access Policy > SSO Configurations > Kerberos), you may encounter an error. The error may be similar to: <Date> slot2/BIGIP1 err websso.0[29236]: 014d0005:3: Kerberos: can't get TGT for host/svcf5kerberos.corpdev.apdev.local@CORPDEV.APDEV.LOCAL - Cannot contact any KDC for realm 'CORPDEV.APDEV.LOCAL' (-1765328228)

Conditions:
User does not specify a value for KDC when configuring SSO with Kerberos.

Impact:
SSO fails.

Workaround:
The administrator should edit the /etc/krb5.conf file manually and set the option dns_lookup_kdc=true. Note that this workaround is:
- not synced across the cluster
- not backed up
- not audited
- not upgrade safe
- not re-provision safe
- may revert during other maintenance operations


512634-3 : Add logging to indicate the nitrox3 compression engine is stalled.

Component: TMOS

Symptoms:
The compression engine stops functioning, and new compression requests may fail. Examination of tmctl compress table shows no changes for accelerated compression, over time.

Conditions:
Invalid request data passed into the compression engine can stall the accelerated compression engine.

Impact:
No compression; or possibly compression performed only in software (which drives up the CPU).

Workaround:
Disable accelerated compression.


511985-4 : Large numbers of ERR_UNKNOWN appearing in the logs

Component: Local Traffic Manager

Symptoms:
There are times when the LTM Policy subsystem attempts to execute particular actions which fail, and LTM Policy writes an error to the logs with an error type of ERR_UNKNOWN.

Conditions:
While not limited only to the ASM module, this has been observed when ASM is active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN, as it should.

Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.

Workaround:
None.


511900-1 : 'sessiondump -allkeys' command hangs and does not display all the entries when the number of sessions is very large, for example, 100,000 sessions.

Component: TMOS

Symptoms:
'sessiondump -allkeys' command hangs and does not display all the entries when the number of sessions is very large, for example, 100,000 sessions.

Conditions:
With a setup where there are 100,000 sessions, running a 'sessiondump -allkeys' command.

Impact:
The operation hangs.

Workaround:
None.


511865-1 : [GTM] GTM external monitor is not correctly synced in GTM sync group without device group

Component: Global Traffic Manager

Symptoms:
GTM external monitor is not correctly synced in GTM sync group without device group.

Conditions:
This occurs when the following conditions are met:
1. GTM systems exist in the same GTM sync group but not in the same device group.
2. The GTM external monitor refers to a non-default system file.

Impact:
The GTM external monitor is not synced correctly and configuration fails on the peer GTM system. The system posts an error similar to the following: err iqsyncer[20361]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237778 result_message '01070712:3: Values (/Common/bad_external_monitor.sh) specified for external monitor parameter (/Common/external_test 2 RUN_I=): foreign key index (to_file) do not point at an item that exists in the database.' }

Workaround:
Configure both GTM systems in the same GTM sync group and the same device group.


511819 : Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name

Component: Advanced Firewall Manager

Symptoms:
Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name. The system attempts to modify the existing rule.

Conditions:
Rule list, attempt to replace-all-with and specify a rule name that exists.

Impact:
Difficulty modifying the rule list.

Workaround:
When using replace-all-with, use new rule names.


511782-3 : The HTTP_DISABLED event does not trigger in some cases

Component: Local Traffic Manager

Symptoms:
HTTP_DISABLED is not triggered by the HTTP::disable iRule command, requests using the CONNECT method, and Web-sockets traffic.

Conditions:
If the HTTP filter is switched into pass-through mode by the HTTP::disable command, CONNECT requests, or via Web-sockets traffic.

Impact:
The HTTP_DISABLED event does not trigger.

Workaround:
This issue has the following workaround:
-- For HTTP::disable, add the logging code within HTTP_DISABLED after that iRule command.
-- For CONNECT, use an iRule to match the method in HTTP_REQUEST, and check that 200 Connected is returned as the status in HTTP_RESPONSE. If so, invoke the logging code within HTTP_DISABLED.
-- For Web-sockets, use an iRule to match the 101 Switching Protocols status code in HTTP_RESPONSE. If this happens, invoke the logging code that is also within HTTP_DISABLED.


511324-5 : HTTP::disable does not work after the first request/response.

Component: Local Traffic Manager

Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.

Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.

Impact:
The connection is reset.

Workaround:
None.


510888-1 : [LC] snmp_link monitor is not listed as available when creating link objects

Component: Global Traffic Manager

Symptoms:
GUI: snmp_link is not listed in the Available monitor list when creating link objects.
TMSH: snmp_link is not shown when using TAB to show monitor options when creating link objects.

Conditions:
When creating GTM link objects.

Impact:
Cannot determine whether snmp_link monitor can be used. Must manually input snmp_link to associate snmp_link to a link object.

Workaround:
Through tmsh, manually type snmp_link as monitor when creating link objects.


510802 : Using ECA::metadata iRule command causes MCPD failure

Component: Access Policy Manager

Symptoms:
Using the ECA::metadata iRule command in an iRule causes configuration errors.

Conditions:
Using ECA::metadata command in the iRule causes this.

Impact:
Configuration cannot be loaded or saved.

Workaround:
Use ECA::select command instead of ECA::metadata command.


510580-5 : Interfaces might be re-enabled unexpectedly when loading a partition

Component: TMOS

Symptoms:
Loading of a set of partitions not including Common might re-enable interfaces that were previously disabled.

Conditions:
Loading of a set of partitions not including Common.

Impact:
Interfaces might be unexpectedly reenabled. (It is expected that 'load sys config partitions { anotherpartition }' will only affect objects in the /anotherpartition folder.)

Workaround:
None.


510425-4 : DNS Express zone RR type-count statistics are missing in some cases

Component: TMOS

Symptoms:
When displaying DNS zone data with multiple instances, if one has no resource record data, the following instance also displays empty resource record data even when there is something to display.

Conditions:
When displaying DNS zone data with multiple instances, and one has no resource record data.

Impact:
Missing Resource Record data when the data is not empty.

Workaround:
Query the specific DNS Zone data instance instead of the 'query all'.


510395-3 : Disabling some events while in the event, then running some commands can cause tmm to core.

Component: Local Traffic Manager

Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.

Conditions:
An event is disabled from inside the event, and then a parking command is issued. Example:

when HTTP_REQUEST {
    if { $a == $b } {
        event disable HTTP_REQUEST
    }
    after 100 log local0. "foo"
}

Impact:
Tmm cores.

Workaround:
Disable events as the last command before exiting the event. For example:

when HTTP_REQUEST {
    if { $a == $b } {
        event disable HTTP_REQUEST
        return
    }
}


510281-1 : learning_manager crash

Component: Application Security Manager

Symptoms:
learning_manager crashed and restarted.

Conditions:
ASM provisioned, learning_manager running and traffic is flowing through ASM.

Impact:
learning_manager restarted.

Workaround:
N/A


510200-1 : Upon de-provisioning, ASM does not release disk resources.

Component: TMOS

Symptoms:
ASM is deprovisioned but asm logical volume remains.

Conditions:
Provision and then de-provision ASM.

Impact:
ASM is deprovisioned but asm logical volume remains.

Workaround:
After ASM is de-provisioned, run the following in the CLI:
- tmsh delete sys disk application-volume asmdata
- tmsh save sys config


509611-1 : Asynchronous Tasks for Long-Running command control

Component: TMOS

Symptoms:
Long-running operations via the iControl/REST interface might lead to timeouts and non-responsiveness to new requests while the operation completes, with no way to return the result. While transactions can mitigate this by permitting polling on the status of the transaction, not all operations are permitted in transactions.

Conditions:
Heavily loaded systems might result in some commands, particularly save sys config or save sys ucs, taking so long to complete that they time out. Until the operation completes, further operations cannot be started by the same user.

Impact:
This makes automated control problematic, as it removes control over long-running operations.

Workaround:
Where possible, run long-running iControl/REST commands in transactions.


508341-4 : Scheduled-reports are not syncing the 'first-time' value on a CMI

Component: Application Visibility and Reporting

Symptoms:
Creating a scheduled-report on a CMI configuration.

Conditions:
Having a CMI configuration and trying to create a scheduled report.

Impact:
This issue may cause other devices in the CMI device group to send reports before the first-time value assigned to them.

Workaround:


508076-2 : Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name.

Component: TMOS

Symptoms:
Unable to create SSL Certificate or Key if the name extension starts with a special extension.

Conditions:
When creating a certificate or key, if the certificate/key name has an extension that starts with one of (".key", ".crt", ".csr", ".crl", ".der", ".exp", ".pem"), then the creation will fail. For example, it is an error to create a key named "test.key1". In this case, the key extension ".key1" starts with ".key".

Impact:
Key creation or certificate creation will fail. The following example commands will fail with an error:

tmsh create sys crypto key test.key1
tmsh create sys crypto cert test.key1 key test.key1.key common-name test

Error: Key management library returned bad status: 02, Not Found

Workaround:
Do not create a key or certificate with a name extension that starts with one of (.key .crt .csr .crl .der .exp .pem).


508074-1 : Non-admin deployment causes iApp failure

Component: iApp Technology

Symptoms:
Some iApps fail when deployed by a user with role privilege lower than "admin".

Conditions:

Impact:
Affected templates: f5.dns, f5.ldap, f5.microsoft_sharepoint_2010, f5.http, f5.sap_enterprise_portal, f5.peoplesoft_9, f5.sap_erp, f5.microsoft_iis, f5.bea_weblogic, f5.oracle_ebs.

Workaround:


507640-1 : Importing Security Policy in Binary Format Fails

Component: Application Security Manager

Symptoms:
Error appears in the GUI after attempting to import a binary policy: Unknown error after running import policy script. Could not import the Security Policy; Error: DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails.

Conditions:
A Security Policy was created using a Custom Policy Template. It is then exported in Binary format and attempted to be imported on a device where that Custom Policy Template does not exist.

Impact:
User will be unable to import the policy.

Workaround:
Use XML Export/Import instead.


507331-4 : Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.

Component: TMOS

Symptoms:
If a saved configuration from an earlier version is used when launching an instance of BIG-IP v11.5.2 on AWS, then SSLv3 may be enabled on the management interface.

Conditions:
Using configuration saved with version 11.5.2 (and earlier) on AWS.

Impact:
There are known security vulnerabilities with SSLv3 and the BIG-IP software disables it by default with v11.5.2 on AWS. An enabled SSLv3 on the management interface might make the instance vulnerable to an attack, so after upgrading, configurations in which SSLv3 is enabled should be disabled before deploying.

Workaround:
Disable SSLv3 as documented here: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip, and in SOL15702: https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html.


506597-1 : False positive cookie hijacking violation after uploading big requests

Component: Application Security Manager

Symptoms:
A false cookie hijacking violation occurs; there is a TS cookie with _0 at the end of the cookie name.

Conditions:
After uploading a big payload, a false cookie is created which in turn, upon the next request will issue the ASM cookie hijacking violation.

Impact:
A false violation, alarm or block.

Workaround:
Turn off the ASM cookie hijacking violation (it is off by default)


506557-3 : IBR tags might occasionally be all zeroes.

Component: WebAccelerator

Symptoms:
IBR tags might occasionally be all zeroes.

Conditions:
This might occur when requests to OWS to update cached, expired content, receive updated content from OWS that has no Content-Length header and is uncacheable (that is, served with X-WA-Info code S10206).

Impact:
The content hash for that URL can be incorrectly set to all zeroes, causing an incorrect IBR for that item until it is recached.

Workaround:
Avoid the specific preconditions, or disable IBR-TO for the specific content meeting the preconditions.


506452-2 : Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1

Component: Advanced Firewall Manager

Symptoms:
Sometimes the firewall rule matching result is wrong if there are firewall rules configured with a source or destination IPv6 address whose most significant bit is 1. Examples of such IPv6 addresses: dfdf::/128, bbbb::/64.

Conditions:
Firewall rules are configured with source or destination IPv6 address whose most significant bit is 1.

Impact:
The firewall rule with those IPv6 addresses may accept or deny packets that do not match the rule.

Workaround:


506315-5 : WAM/AAM is honoring OWS age header when not honoring OWS maxage.

Component: WebAccelerator

Symptoms:
WAM/AAM policy is configured to ignore OWS maxage header values, but the policy does not ignore the OWS Age header.

Conditions:
BIG-IP system with AAM provisioned, content matching a policy node not honoring the OWS headers max-age and/or s-maxage, and a large 'Age' value.

Impact:
This results in WAM/AAM improperly reducing the lifetime of OWS responses by the amount of the Age header, and more frequent WAM/AAM revalidation of the affected content (possibly on every request if the Age header is larger than the policy-specified cache lifetime).

Workaround:
You can use any one of the following as a workaround:
-- Honor OWS lifetime headers (s-maxage and max-age).
-- Use an iRule to delete the OWS Age header.
-- Increase the AAM/WAM cache lifetime for that content to compensate.


506274-2 : TMM crash/core seen when a traffic-selector is created with Action discard

Component: TMOS

Symptoms:
TMM crash/core seen when a traffic-selector is created with unsupported Action discard.

Conditions:
Create an IPsec traffic-selector with Action discard

Impact:
The tmm will be in a crash loop.

Workaround:
Do not configure IPsec traffic-selector with Action discard.


505123-7 : sysObjectID returns 'unknown' platform on the VIPRION 4400

Component: TMOS

Symptoms:
Querying for sysObjectID on VIPRION 4400 returns 'unknown' (.1.3.6.1.4.1.3375.2.1.3.4.1000):

# snmpwalk -v 2c -c community big-ip sysObjectID
SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::unknown

# snmpwalk -v 2c -On -c community big-ip sysObjectID
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.3375.2.1.3.4.1000

Conditions:
This occurs when running 'show sys hardware' on the VIPRION 4400.

Impact:
The snmpd call incorrectly identifies the BIG-IP system as unknown.

Workaround:


504803-5 : GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.

Component: TMOS

Symptoms:
Local Traffic Pool list does not show Pools with names that contain the characters 'mam' starting at the 5th position of the name.

Conditions:
This occurs using the GUI.

Impact:
Cannot see these pools in the GUI.

Workaround:
Use tmsh to list pools with mam in the name.


504396-2 : When a virtual's ARP or ICMP is disabled, the wrong mac address is used

Component: Local Traffic Manager

Symptoms:
When we use tmsh to modify icmp_enabled or arp_enabled property of a virtual address object from true to false, tmm does not reset internal state properly. This results in a tmm using the VLAN's true mac as the source mac instead of the traffic group's mac masquerade address.

Conditions:
Using MAC masquerading in an HA traffic group.

Impact:
Packets may be dropped by switches or routing tables improperly updated.

Workaround:
None.


503257-7 : Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST

Component: Local Traffic Manager

Symptoms:
Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled.

Conditions:
This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect.

Impact:
Clients may receive a RST and fail to connect to an available pool member under some traffic patterns.

Workaround:
If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.


502747-1 : Incoming SYN generates unexpected ACK when connection cannot be recycled

Component: Local Traffic Manager

Symptoms:
Incoming SYN causes the BIG-IP system to generate ACK instead of SYN-ACK.

Conditions:
This can occur when the following conditions are met:
- IP addresses and ports of the SYN match an existing connection;
- Sequence number of the SYN is greater than 2^31+ from the previously sent FIN;
- Existing connection is in TIME_WAIT state;
- Virtual server has time_wait_recycle enabled.

Impact:
Client will generate RST and connection must be re-tried.

Workaround:
Set time-wait-timeout to 1 millisecond per SOL12673.


502714-4 : Deleting files and file object references in a single transaction might cause validation errors

Component: TMOS

Symptoms:
Deleting files and file object references in a single transaction can lead to a validation error. This might occur during device group configuration sync, an iApp, a tmsh cli transaction, or an iControl transaction.

Conditions:
A file object is deleted in the same transaction that its references are also deleted.

Impact:
This can cause an invalid validation error, including during a config sync.

Workaround:
In the case of iControl and tmsh, file object references must first be deleted/removed in a separate transaction. In the case of config sync, perform a full sync.


501984-2 : TMM may experience an outage when an iRule fails in LB_SELECTED.

Component: Local Traffic Manager

Symptoms:
When an iRule fails in LB_SELECTED, it is possible for TMM to crash. The TMM failure is an intermittent, timing-related issue.

Conditions:
Using iRules with a rule for when LB_SELECTED is operating on a node/pool member.

Impact:
TMM outage resulting in brief loss of service or HA failover.

Workaround:
None.


501949-1 : BWC rate limit instability on large number of live dynamic flows

Component: TMOS

Symptoms:
The max-user-rate configuration is changed constantly while a large number of dynamic flows are live.

Conditions:
This issue appears very intermittently.

Impact:
This results in a lower-than-expected total rate.

Workaround:
Avoid rapid constant configuration changes on live traffic. Restart tmm to recover.


501714-2 : System does not prevent low-quality JPEGs from being optimized to higher quality (becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on OWS

Component: WebAccelerator

Symptoms:
The test to prevent low-quality JPEGs on OWS from being 'optimized' to a higher quality (when the quality setting in the WAM policy is higher than that of the file on OWS) is not working.

Conditions:
AAM image optimization enabled and the JPEG quality in AAM policy is higher than the JPEGs on OWS.

Impact:
Image optimization can make the file significantly bigger.

Workaround:
Add the line below to /service/wamd/settings (create the file if it does not exist):
export WAMD_OPT_IMAGES_NO_BIGGER=all
Note that this returns the original file if the 'optimized' one comes out bigger, which is subtly different behavior from making any other requested changes but leaving the quality the same as the file on OWS.


500639-2 : Setting log level for ZoneRunner has no effect.

Component: Global Traffic Manager

Symptoms:
Modifying the log level for ZoneRunner does not change the log level. This is a bug in the handling of the log level change message within ZoneRunner.

Conditions:
If a GTM config sync is also occurring, the GTM can get into a state where all queries go unanswered until the GTM config loads and/or the BIND zones load.

Impact:
BIND queries go unanswered until the zone is loaded into BIND.

Workaround:
Assuming that the desired log level is "DEBUG", the following steps will force ZoneRunner to log debug messages to /var/tmp/zrd.out. On the BIG-IP system:
touch /service/zrd/debug
bigstart restart zrd


500003-4 : Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP

Component: Local Traffic Manager

Symptoms:
When incoming NTP packets from the configured NTP server arrive for a non-local IP on a BIG-IP system that is either a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that causes further outgoing packets to the NTP server to have their destination IP addresses changed to 127.3.0.0, which is not routable and thus causes NTP time syncs to stop.

Conditions:
An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons:
1) The customer has a device on the same management network doing a very low-to-zero volume of traffic over its management port, and NTP syncs time less often than the L2 FDB expiration time.
2) The customer is using an L2 topology that uses redundant switches with NIC teaming/bonding, and one of the hosts cuts over to the other switch. This also causes transmission of packets that have no valid L2 FDB entry.
3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN.
4) Any unicast misdirection of NTP traffic to the management port not covered above.

Impact:
NTP time syncing stops on affected BIG-IP systems.

Workaround:
To remove the iptables rule that is causing the problem:
# iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0
To prevent the rule from coming back upon reboot, comment out the following line in the function setup_virtual_backplane() in the file /etc/init.d/cluster:
iptables -t nat -A bpnet-in -p udp --dport 123 -j DNAT --to-destination $int_mgmtip
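The same workaround as an added shell script, not F5's own code: it deletes the live rule only if it is actually loaded, comments out the re-adding line in the cluster init script while keeping a backup, and takes the script path as a parameter so the edit can be rehearsed on a copy before touching /etc/init.d/cluster. The chain, rule and file path are the ones named in the release note; the backup suffix and marker comment are assumptions of this example.

```shell
#!/bin/sh
# Added example for the 500003-4 workaround (not F5 code). Run as root on
# the affected BIG-IP: sh this_script.sh apply

# Regex fragment shared by the check, the grep and the sed below. It matches
# the NTP DNAT rule whichever destination it was added with.
NTP_DNAT_MATCH='-A bpnet-in -p udp .*--dport 123 -j DNAT'

# Returns 0 if the offending rule is currently loaded in the nat table.
ntp_dnat_rule_present() {
    iptables -t nat -S bpnet-in 2>/dev/null | grep -q -e "$NTP_DNAT_MATCH"
}

# Deletes the live rule with the exact command from the release note, but
# only when it is present, so re-running the script is harmless.
remove_ntp_dnat_rule() {
    if ntp_dnat_rule_present; then
        iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0
    else
        echo "bpnet-in NTP DNAT rule not present; nothing to delete"
    fi
}

# Comments out every uncommented "iptables -t nat -A bpnet-in ... --dport 123
# -j DNAT" line in the given init script (default: /etc/init.d/cluster) so the
# rule is not re-added by setup_virtual_backplane() on reboot. A backup with
# the suffix .bak.500003 (assumed name) is written before the first edit.
# Prints the number of lines changed; a second run prints 0.
comment_out_ntp_dnat_line() {
    file=${1:-/etc/init.d/cluster}
    if [ ! -r "$file" ]; then
        echo 0
        return 1
    fi
    n=$(grep -c -e "^[[:space:]]*iptables -t nat $NTP_DNAT_MATCH" "$file" || true)
    if [ "$n" -gt 0 ]; then
        cp -p "$file" "$file.bak.500003"
        # Keep the original indentation (\1) and prefix the rule with a marker.
        sed -i -e "s|^\([[:space:]]*\)\(iptables -t nat $NTP_DNAT_MATCH.*\)|\1# 500003-4 workaround: \2|" "$file"
    fi
    echo "$n"
}

# Only act when explicitly asked, so sourcing the file defines the functions
# without changing anything.
if [ "${1:-}" = "apply" ]; then
    remove_ntp_dnat_rule
    changed=$(comment_out_ntp_dnat_line /etc/init.d/cluster)
    echo "lines commented out in /etc/init.d/cluster: $changed"
fi
```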


499615-3 : RAM cache serves zero length documents.

Component: Local Traffic Manager

Symptoms:
RAM cache serves zero length documents.

Conditions:
Forcing caching in an iRule.

Impact:
RAM Cache will cache a HEAD response if an iRule is configured to force it to do so. This causes RAM cache to serve zero-length documents.

Workaround:
If the HTTP operation is a HEAD request, do not cache the response.


498433-1 : Upgrading with ASM iRule and virtual server with no websecurity profile

Component: Application Security Manager

Symptoms:
If you have an iRule that uses "ASM::*" assigned to a virtual server with no websecurity profile, when trying to upgrade from BIG-IP version 11.4.0 to any newer version, the upgrade fails, and you receive the following error message:
ASM::disable in rule (iRule_name) requires an associated WEBSECURITY profile on the virtual server (virtual_server_name).

Conditions:
On version 11.4:
1) Have an iRule that uses ASM::*, e.g.: when HTTP_REQUEST { ASM::disable }
2) Create a virtual server and associate an ASM policy with it via a CPM (L7) policy.
3) Assign the iRule to the VS.
4) Remove the CPM policy from the VS.
Now upgrade to any newer version, OR save the UCS and try to manually install it on any newer version.

Impact:
Fails to upgrade. Fails to install ucs.

Workaround:
Prior to upgrading and/or saving the ucs, for all virtual servers that have no websecurity profile assigned to them, remove all iRules that contain 'ASM::*' actions.


497154-2 : Clear schedule name when setting firewall rule state from Scheduled to Enabled/Disabled.

Component: Advanced Firewall Manager

Symptoms:
Schedule name was not getting cleared when firewall rule state was changed from Scheduled to Enabled/Disabled.

Conditions:
Happens when firewall rule state was changed from Scheduled to Enabled/Disabled.

Impact:
AFM Policy Editor

Workaround:


495588-5 : Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases

Component: Local Traffic Manager

Symptoms:
Configuration fails with Syntax Error after upgrading to 11.5.0 from pre-11.5.0 releases.

Conditions:
When upgrading from a pre-11.5.0 release to version 11.5.0, the key/cert names end up with an extra period (for example mykey..key and mycert..crt). Beginning with version 11.5.0, multiple key/cert pairs are associated with one clientssl profile, so each key/cert pair has a name. During upgrade, the system provides a name for each key/cert, which can cause problems if the existing key/cert name contains a period character.

Impact:
Configuration load fails, and the system posts the alert:
Syntax Error:(/config/bigip.conf at line: 12) one or more configuration identifiers must be provided.

Workaround:
Manually edit the bigip.conf to add a title for the cert-key-chain, and then run the command: tmsh load sys config.


495128-9 : Safari 8 continues using proxy for network access resource in some cases when it shouldn't

Component: Access Policy Manager

Symptoms:
If a client machine uses a proxy and Network Access does not specify any proxy, Safari should not use the proxy for Network Access resources after the Network Access tunnel is created. However, Safari does so. This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing. Apple has been notified: rdar://problem/18651124

Conditions:
The problem occurs when all of these conditions exist:
1. OS: Mac OS X Yosemite.
2. Configuration: The client machine has a local proxy configured and Network Access in the BIG-IP system access policy does not specify any proxy.
3. Action: Accessing a Network Access resource after the tunnel is created.

Impact:
As a result, some Network Access resource might be unavailable.

Workaround:
There is no workaround at this time.


494493-1 : iControl REST for ASM Character Sets returns invalid characters (greater than 127 (0x7f)) for Multi-Byte Encodings

Component: Application Security Manager

Symptoms:
The REST endpoint for Character Sets returns items that are invalid to send back to the endpoint as a PATCH. This can cause an API client to get unexpected errors.

Conditions:
A Security Policy exists with a Single-Byte Encoding configured, and REST API is being used.

Impact:
Objects returned by the endpoint will fail validation when sent back to the endpoint. Additionally, this will not match the output from the same endpoint (if enabled) on 11.5.2-HF1+, and could confuse API clients that attempt to compare Security Policies.

Workaround:


494084-2 : Certain rapidly-terminating UDP virtuals may core on standby

Component: Local Traffic Manager

Symptoms:
Due to an internal race condition, certain flows can cause cores on standby BIG-IP systems when using connection mirroring on layer 7 VIPs. This does not apply to use of mirroring on Performance or Performance (HTTP) virtuals.

Conditions:
Standard UDP virtual using connection mirroring.

Impact:
Restart of the standby tmm. No connections are affected, though if packets are set to require acknowledgements from the standby there may be a brief delay in processing for some or all connections.

Workaround:


493950-3 : Virtual Server with misconfigured profiles may block upgrade

Component: TMOS

Symptoms:
Virtual Server with unmatched context settings in a profile might block upgrade.

Conditions:
This occurs when there is a virtual server configured with a TCP, UDP, or SCTP profile set with either (context clientside) or (context serverside), but without a corresponding profile with the other proxy side (serverside or clientside, respectively).

Impact:
Cannot upgrade and roll-forward a configuration, and the system might post the following error message:
01070734:3: Configuration error: Less than the required minimum number of profiles found on /Common/test-vip5: At least 1 Of but Not more than 1 Of (UDP Profile, TCP Profile, SCTP Profile)

Workaround:
There are two workarounds:
1. Before upgrade, modify the existing configuration, either by removing the (context) line or by adding the corresponding context, and then save the UCS file.
2. After a failed attempt to load the UCS file, manually modify the UCS file as described in workaround 1, and then load the file again.


493250-2 : BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled

Component: TMOS

Symptoms:
The ZebOS command to 'disable' BGP graceful-restart works temporarily, but is reset to 'enable' after system restart.

Conditions:
Setting BGP graceful-restart to enable and restarting the system.

Impact:
Cannot disable graceful-restart past a restart operation.

Workaround:

Behavior Change:
Graceful restart can now be disabled at the command line and the setting persists through reboots.


493106-4 : HTTP Basic authentication module logs clear text password in /var/log/apm at debug level

Component: Access Policy Manager

Symptoms:
The HTTP parser logs a clear text password in the /var/log/apm log file from a debug log message. This occurs only when the accesscontrol log level is debug and HTTP authentication of type Basic is used in the access policy.

Conditions:
The accesscontrol log level is debug and HTTP authentication of type Basic is used in the access policy.

Impact:
A clear text password is logged in /var/log/apm.

Workaround:
Change the accesscontrol log level to informational or higher.


493053-2 : Route domains' firewall policies may be removed after sync

Component: TMOS

Symptoms:
If you modify the firewall policy of a route domain and then sync, the policy may be removed rather than changed on the devices receiving the sync.

Conditions:
This affects full load sync (full load checkbox is enabled, or the 'Overwrite Configuration' option was selected), but not incremental sync.

Impact:
Firewall rules may be removed.

Workaround:
Set the policy to none, sync, then set it to the desired value and sync again.


491801 : GTM iRule command [LB::status up] gives error

Component: Local Traffic Manager

Symptoms:
When attempting to create this GTM iRule:
when DNS_REQUEST { LB::status up }
you'll get this error in the logs:
"01070151:3: Rule [/Common/irule_test] error: /Common/irule_test:2: error: [invalid option "up" must be: vs pool mbr][up]"

Conditions:
Creating GTM iRules

Impact:
Can't use this specific iRule command syntax.

Workaround:
None.


491717 : No eud.log found on /var/tmp for 7000 series and 10000 series

Component: TMOS

Symptoms:
Running the command 'eud_log' on a BIG-IP 7000 series or 10000 series platform produces the following output:
-- info: No EUD log found in /var/tmp. Searching boot volume
-- info: No eud.log found on sda.dat.boot.

Conditions:
This occurs on the 7000 series and 10000 series.

Impact:
The message indicates that the eud.log file cannot be found in /var/tmp, which is the wrong directory. The file does exist in /var/log, which is the correct directory.

Workaround:
None.


490174-2 : Improved TLS protocol negotiation with clients supporting TLS1.3

Component: Local Traffic Manager

Symptoms:
When a TLS client connects to a BIG-IP TLS server requesting TLS1.3, the handshake will fail. A message will be logged in the Local Traffic Manager (LTM) log about a handshake failure. The estimated deployment of clients supporting TLS1.3 is 2016.

Conditions:
A TLS client handshake with the protocol version set to TLS1.3 in the ClientHello.

Impact:
Lower performance is the most likely outcome. The handshake requesting TLS1.3 will fail, after which a client will reconnect with a TLS 1.2 handshake and succeed. The worst-case scenario is an inability to establish a connection for clients that implement only the standard TLS version negotiation mechanism. The estimated deployment of clients supporting TLS1.3 is 2016.

Workaround:
This issue has no workaround at this time.


489562 : HTTP with NTLMSSP_NEGOTIATE message and with payload more than 4KB cause the NTLM front end authentication to stall

Component: Access Policy Manager

Symptoms:
NTLM authentication cannot be completed in the following circumstances. Some non-Microsoft HTTP clients might start NTLM authentication by sending an NTLMSSP_NEGOTIATE message together with a payload. As part of the NTLM protocol, the response to this request should be a 401 status with an NTLMSSP_CHALLENGE message, which renders the payload from the initial request unnecessary. However, the BIG-IP system currently has a 4KB limit for the initial buffer and does not drop the payload. This causes a deadlock between the BIG-IP system and the HTTP client: the BIG-IP system notifies the client that it cannot receive any more of the payload by closing the TCP receive window, while the client tries to finish sending the whole request before it can send the final NTLMSSP_AUTHENTICATE message.

Conditions:
The client sends NTLMSSP_NEGOTIATE message with payload of more than 4KB and the BIG-IP system performs NTLM authentication for this request.

Impact:
NTLM authentication cannot be completed.

Workaround:


488989-3 : AVRD does not print out an error message when the external logging fails

Component: Application Visibility and Reporting

Symptoms:
External logging of AVR statistics is done by the HSL framework. If a message fails to be sent to the syslog server, AVR does not log this error.

Conditions:
If the customer network is under stress, the external logging might not be 100% transmitted.

Impact:
The customer's external application gets less information.

Workaround:


488417-2 : Config load failure with 'Input error: can't create user' after upgrade

Component: TMOS

Symptoms:
Cannot load config after upgrade or reboot if the admin account is disabled and replaced with a custom user. The system posts the message:
01070829:5: Input error: can't create user, role partition mapping, user does not exist, username, Unexpected Error: Loading configuration process failed.
On single-NIC virtual deployments, if the admin account is disabled and replaced with a custom user, the system will experience this issue any time the system is rebooted. Logs similar to the following may appear in /var/log/ltm:
notice sod[6214]: 010c005e:5: Waiting for mcpd to reach phase base, current phase is platform.
notice mcpd[4672]: 01070829:5: Input error: can't create user, role partition mapping, user does not exist, security
err tmsh[7444]: 01420006:3: Loading configuration process failed.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all base" - failed. -- 01070829:5: Input error: can't create user, role partition mapping, user does not exist, security Unexpected Error: Loading configuration process failed.
err mcpd[4672]: 01070422:3: Base configuration load failed.

Conditions:
This occurs when upgrading or rebooting a system on which the root admin account is disabled and replaced with a custom admin user account. This also occurs on single-NIC virtual deployments in version 12.0.0 when a system on which the root admin account is disabled and replaced with a custom admin user account is rebooted.
To verify single-NIC is enabled:
tmsh list sys db provision.1nic
To verify a custom administrator has been defined:
tmsh list sys db systemauth.primaryadminuser

Impact:
You cannot upgrade if the root admin account is disabled. On single-NIC virtual deployment configurations in version 12.0.0, the system will fail to load the configuration after a reboot.

Workaround:
Switch back to the volume where you disabled the root admin account, and load the configuration from there. You can then disable root access and create a custom admin user account.
Workaround for the single-NIC deployment issue on version 12.0:
In Azure, via tmsh:
modify sys db systemauth.primaryadminuser value admin
load sys config
In AWS: Since the default password for the "admin" user in Azure is the .pem key file, it is also necessary to update the password for this user. Via tmsh:
modify auth user admin password
modify sys db systemauth.primaryadminuser value admin
load sys config


488262-2 : moving VLAN from route-domain being deleted in the same transaction can cause errors

Component: TMOS

Symptoms:
Errors can occur when removing VLAN(s) from a route-domain and deleting that same route-domain in the same transaction.

Conditions:
In a transaction, removing the VLAN membership from route-domain, and deleting the same route-domain.

Impact:
Transactional deletion of a route-domain together with route-domain VLAN membership changes in the same transaction produces errors.

Workaround:
Perform route-domain VLAN changes and route-domain deletion in separate transactions.


488188-1 : When qkview is killed, it might leave temporary files on disk

Component: TMOS

Symptoms:
qkview removes its temporary files on exit. However, if qkview is killed externally, for example by CTRL-C, temporary files remain on the disk.

Conditions:
qkview is running, and is killed with a signal, such as CTRL-C.

Impact:
Unneeded files remain in /var/tmp, and possibly in other locations. This might contribute to a disk filling up with garbage data.

Workaround:
Delete files in /var/tmp.


487696-4 : Number of CPU allocated for ASM guests

Component: Local Traffic Manager

Symptoms:
The TMM plugin manager does not expect or support an ASM guest configuration of 10 cores, so its calculations of the number of devices required and their numbering do not match the existing number of threads/devices.

Conditions:
This occurs when there are 10 CPUs allocated for ASM guests.

Impact:
System does not start up or has intermittent failures if running.

Workaround:
Reduce the number of cores to 8 or increase the number to 12.


487660-6 : LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range

Component: Carrier-Grade NAT

Symptoms:
LSN Translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN.

Conditions:
Persistence is enabled on the LSN pool, and cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN, when the lsn-pool port range is relatively small (under 1000), or a blade is added or removed. Translation mode is NAPT or PBA.

Impact:
Translation failures. The system posts an error similar to the following: debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096.

Workaround:
Adequately provision the LSN pool.


487625-3 : Qkview might hang

Component: TMOS

Symptoms:
A corrupted filestore causes qkview to hang.

Conditions:
This occurs due to filestore mapping issues. This might also occur when files listed in the filestore are missing.

Impact:
Qkview hangs and sync attempts silently fail due to a filestore mapping issue. The system might post error messages similar to the following:
err mcpd[4596]: 0107134e:3: Failed while making snapshot: (Failed to link files existing(/config/ssl/ssl.crt/ca-bundle.crt) new(/config/.snapshots_d/certificate_d/1389867940_:Common:ca-bundle.crt_1) errno(2)(No such file or directory).) errno(2) errstr(No such file or directory).

Workaround:
None.


487194 : Cannot remove a profile from a virtual server and delete it inside a transaction

Component: TMOS

Symptoms:
When attempting to remove a profile from a virtual server and delete that same profile within a transaction, the system returns an error indicating that the profile is not found.

Conditions:
A virtual server configured with a profile.

Impact:
Delete operation does not complete.

Workaround:
Remove the profile and then delete it in separate transactions.


486725-2 : GUI creating key files with .key extensions in the name causing errors

Component: TMOS

Symptoms:
When using the GUI, if a user adds a '.key' extension to the name, the file is created with an extra .key extension.

Conditions:
When the key file name 'test.key' is entered in the GUI, the file is created as 'test.key.key'.

Impact:
The extra '.key' extension causes problems with deletion, archiving, etc. The GUI posts the following error: Not Found.

Workaround:
Delete the key and recreate without the .key in the name.


486712-3 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.

Workaround:


485702-4 : Default SNMP community 'public' is re-added after the upgrade

Component: TMOS

Symptoms:
If the SNMP default community (public) has been removed from the configuration, and a new version of the software is installed, the default community will be added to the new configuration.

Conditions:

Impact:
The impact of this issue is that the SNMP default community will be added to the new configuration.

Workaround:
After upgrading to versions after 11.4.0, delete the default 'public' community again.


484534-4 : interface STP state stays in blocked when added to STP as disabled

Component: TMOS

Symptoms:
When two interfaces are disabled and added to Spanning Tree Protocol (STP) in the VLAN configuration, the second interface stays in 'blocked' STP state.

Conditions:
At least two interfaces exist in disabled state, added to STP.

Impact:
The blocked port does not send out data.

Workaround:
If the STP flag is disabled and re-enabled on the blocked interface, after the port is enabled, the port STP status is re-evaluated to the correct state.


484013-4 : tmm might crash under load when logging profile is used with packet classification

Component: Advanced Firewall Manager

Symptoms:
When tmm is under heavy load (e.g., an attack) it may run out of memory and crash under certain conditions.

Conditions:
This occurs when the following conditions are met:
1. Packet classification is enabled.
2. A security logging profile is used with the 'log translation fields' option enabled.
3. Fast flow forwarding is enabled on the forwarding virtual server.

Impact:
tmm crash and possible outage.

Workaround:
To work around this, do one of the following:
-- Disable 'log translation fields' in the security logging profile.
-- Disable fast flow forwarding.


481696-2 : Failover error message 'sod out of shmem' in /var/log/ltm

Component: TMOS

Symptoms:
You might see a failover error message 'sod out of shmem' in /var/log/ltm.

Conditions:
The conditions under which this occurs vary based on the configured shared memory usage.

Impact:
Failover might not function fully. System posts the message 'err sod[6300]: 01140003:3: Out of shmem, increment amount' in /etc/ha_table/ha_table.conf.

Workaround:
Manually modify /etc/ha_table/ha_table.conf as follows. Change this line:
ha segment path: /sod table pages: 2
to this:
ha segment path: /sod table pages: 4
Save the file and reboot the system.


481647-5 : OSPF daemon asserts and generates core

Component: TMOS

Symptoms:
The OSPF daemon might assert if receiving a Link Status (LS) Update header with a length greater than 255 bytes.

Conditions:
This occurs when the LSA header length is greater than 255 bytes in length.

Impact:
OSPF daemon asserts and generates a core, which might cause a service outage.

Workaround:
None.


480982-5 : pkcs11d with a high thread count can result in high CPU utilization

Component: Local Traffic Manager

Symptoms:
When pkcs11d is set to use a very high thread count, CPU utilization can increase dramatically.

Conditions:
The thread count for pkcs11d is set higher than the default.

Impact:
Less CPU available for other processes.

Workaround:
Do not set the db variable for pkcs11d thread count (/sys crypto fips external-hsm num-threads) higher than the default.


480009-2 : OSPFv2 Redistributed routes are deleted after blade failover with Graceful Restart

Component: Local Traffic Manager

Symptoms:
OSPFv2 redistributed routes are deleted after blade failover.

Conditions:
1. Configure OSPFv2 and enable Graceful Restart.
2. Add static routes on the chassis and redistribute static through OSPFv2.
3. Perform a blade failover.

Impact:
Routes are deleted after failover.

Workaround:


479715-3 : Multi-tab protection problems with multi-domain SSO

Component: Access Policy Manager

Symptoms:
When APM is configured with multi-domain SSO, and an unauthenticated user opens multiple tabs simultaneously to different protected domains, then one of the tabs will be issued an error page indicating authentication is in progress. That page offers a link to reset the session and begin a fresh authentication sequence. Clicking on the link will result in the same error page being presented.

Conditions:
APM is configured with multi-domain SSO, and an unauthenticated user opens multiple tabs simultaneously to different protected domains, and then follows the link to reset the session.

Impact:
The user will be unable to establish a session until the session itself has expired or the browser is restarted.

Workaround:
This issue has no workaround at this time.


479553-4 : Sync may fail after deleting a persistence profile

Component: TMOS

Symptoms:
After syncing configuration, the following error occurs: 'One or more persistence attributes are incompatible with the persistence mode for profile'.

Conditions:
This happens if automatic sync is disabled on a device group and a user both creates and deletes a persistence profile before manually syncing the configuration.

Impact:
Peer boxes fail to load the configuration.

Workaround:
There are two possible workarounds:
1. Perform a full sync instead of an incremental sync.
2. Create the profile, perform a sync, then delete the profile and perform a separate sync.


479543-6 : Transaction will fail when deleting pool member and related node

Component: TMOS

Symptoms:
Removing a pool and the related nodes in the same transaction will fail. It will output an error message similar to the following:
01070110:3: Node address '/Common/12.33.22.2' is referenced by a member of pool '/Common/mypool'.

Conditions:
Create a pool, add a single pool member (which creates the associated node). If you then delete the pool and node in the same transaction, the transaction will fail.

Impact:
A pool and related nodes cannot be deleted within the same transaction.

Workaround:
If you delete the pool and nodes in two separate transactions, the process will succeed.


479115-1 : stpd tries to use bcm56xxd before it has started which results in error messages in ltm log

Component: TMOS

Symptoms:
There is a race condition at daemon startup in which stpd comes up before bcm56xxd. The stpd daemon tries to use bcm56xxd before it has started.

Conditions:
Affects switch based platforms that use bcm56xxd.

Impact:
Several error messages appear in the ltm log:
Feb 9 15:06:23 localhost err stpd[9390]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
Feb 9 15:06:23 localhost err stpd[9390]: 01280012:3: HAL packet request sendMessage failed (slot 0)

Workaround:


478462-1 : Whitelist count could increment wrongly

Component: Advanced Firewall Manager

Symptoms:
The whitelist count for UDP flood may increment wrongly.

Conditions:
When ICMP traffic is coming in, the UDP flood whitelist count increments.

Impact:
The whitelist counts will be seen incrementing.

Workaround:


478215-2 : The command 'show ltm pool detail' returns duplicate members in some cases

Component: TMOS

Symptoms:
The command "show ltm pool <poolname> detail" may show duplicate pool members in some conditions.

Conditions:
The conditions required are that the same IP address must be used for multiple members and one member must have port :0.

Impact:
A customer using the 'detail raw field-fmt' output in an EAV script found that the duplicate members confused the script's logic; the output is misleading.

Workaround:
This issue has no workaround at this time.


477950-3 : Displayed SSL profile statistics might be incorrect

Component: Local Traffic Manager

Symptoms:
When issuing 'tmsh show ltm profile client-ssl', the hardware acceleration statistics might be incorrect in some instances.

Conditions:
Negotiated ciphers are partially accelerated (the handshake is done in software, the encryption in hardware).

Impact:
None. This is a display only issue.

Workaround:
This issue has no workaround at this time.


477897-2 : After modifying the protocol profile on an SCTP virtual, the logs may contain error messages

Component: Local Traffic Manager

Symptoms:
Error messages are logged in the tmm and ltm logs:
/var/log/tmm:
<13> Sep 4 10:07:29 localhost notice hudfilter_init: 'proxy' is not a bottom-level filter.
/var/log/ltm:
Sep 4 10:07:29 localhost err tmm1[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo
Sep 4 10:07:29 localhost err tmm[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo

Conditions:
Modify an SCTP virtual by changing the protocol profiles so that the client-side and server-side profiles are both the same profile.

Impact:
The only impact is that an ominous error message is logged.

Workaround:


477888-4 : ESP ICSA support is non-functional on versions 11.4.0 and up

Component: TMOS

Symptoms:
Attempting to turn on ICSA logging for ESP packets leads to logs such as the following:
Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: "inbound"

Conditions:
ICSA logging for ESP packets is enabled. ESP connections are sent through the BIG-IP system. Logs similar to the following are found in /var/log/ICSA:
Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: "inbound"

Impact:
ICSA logging misses information that is required for certification.

Workaround:


477611-3 : ICMP monitor does not work on DAG Round Robin enabled VLANs

Component: TMOS

Symptoms:
ICMP monitor does not work on the VLANs with DAG Round Robin set to enabled.

Conditions:
For a VLAN, the DAG Round Robin option is enabled.

Impact:
ICMP monitor will be down.

Workaround:
Utilize another monitor or disable the DAG Round Robin option.


477547-1 : Resource Assign Agent shows javascript error

Component: Access Policy Manager

Symptoms:
When opening full resource assign, users encounter the following error while trying to edit the Visual Policy Editor (VPE): "Error While creating agent class (pCustomRAMapping_class is not defined)"

Conditions:
Attempt to edit resource assign.

Impact:
Unable to edit resource assign.

Workaround:
Edit bigip.conf directly.


477178-1 : Occasional crash when SSL session mirroring is enabled

Component: Local Traffic Manager

Symptoms:
Occasionally, when SSL session mirroring is enabled, TMM will crash.

Conditions:
Unknown.

Impact:
Service disruption.

Workaround:


476616-3 : Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1

Component: Application Security Manager

Symptoms:
The following is reported in the GUI: Could not apply configuration; Set active failed

Conditions:
When a customer's policy is configured for an application language like iso-8859-1 or iso-8859-15, and learning suggestions that stem from multi byte UTF-8 parameter values (Illegal Meta Character in Value) are accepted, policy changes cannot be applied.

Impact:
Set active fails

Workaround:
Go to the Parameters list and, for each parameter that has an 'Allow' override for the metachar 'ÿ', remove the override completely: select the override, click '>>', and click Update (see the attached picture).


476476-7 : Occasional inability to cache optimized PDFs and images

Component: WebAccelerator

Symptoms:
Restarting the datastor service can result in some optimized PDFs or optimized images becoming un-cacheable.

Conditions:
If WAM holds a handle to cached content in datastor that no longer exists (because datastor restarted or evicted it), and that content is an image or PDF that WAM optimized, and two requests for such content arrive on the same TCP connection, the second can be cached incorrectly such that it cannot be served or replaced until tmm is restarted.

Impact:
Certain URLs become uncacheable, thus reducing effectiveness of WAM.

Workaround:
Disable client keep-alive in the HTTP profile (change Maximum Requests in the HTTP profile from 0 to 1) or disable PDF linearization and image optimization. A partial workaround is to use wa_clear_cache instead of restarting datastor to clear the cache. Content which datastor evicts might still suffer (but this is unlikely).


476136 : notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE/TRUE)

Component: Local Traffic Manager

Symptoms:
On VIPRION B2250 and B4300/B4340N blades, you might encounter log entries of this type: notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE): error 01140012 or notice HA: ha_enabled_put(daemon_heartbeat, tmm, TRUE): error 01140012.

Conditions:
This occurs only on VIPRION B2250, B4300, B4340N blades.

Impact:
The system posts the error messages. These messages are benign and can be safely ignored.

Workaround:
None.


475677-3 : Connections may hang until timeout if a LTM policy action failed

Component: Local Traffic Manager

Symptoms:
When an LTM policy action that takes place during an HTTP request or response fails (which is very rare), the affected connection hangs until a timeout occurs.

Conditions:
This issue occurs when you attach an LTM policy to a virtual with a rule that has an action that fails. Now send a request that matches that rule. The command 'tmsh show ltm policy' will show the action failed, but the connection 'hangs' until timeout.

Impact:
When an LTM policy action fails, affected connections hang until they time out.

Workaround:
This issue has no workaround at this time.


474797 : Malformed SSL packets can cause errors in /var/log/ltm

Component: Local Traffic Manager

Symptoms:
If malformed SSL packets are sent to the BIG-IP system, the following errors can be logged to /var/log/ltm: Device error: cn9 core general. crypto codec cn-crypto-4 queue is stuck.

Conditions:
Malformed SSL packets being sent to the BIG-IP system.

Impact:
Error logs in /var/log/ltm. This is a cosmetic issue only, and the errors can be safely ignored.

Workaround:
None.


474613-1 : Upgrading from previous versions

Component: Application Visibility and Reporting

Symptoms:
Configuration upgrade from versions 11.2, 11.1, or 11.0 fails when two analytics profiles on different partitions are configured with the same remote login server IP address.

Conditions:
Upgrading from versions 11.2, 11.1, or 11.0 when two analytics profiles on different partitions are configured with the same remote login server IP address.

Impact:
Upgrade process fails.

Workaround:
Remove the external logging configuration on the source partition, upgrade, and then restore the configuration as needed.


474149-4 : SOD posts benign error message: Config digest module error: Traffic group device not found

Component: TMOS

Symptoms:
SOD posts benign error message: Config digest module error: Traffic group device not found.

Conditions:
In a failover device group, if the peer device (non self device) has gone through the management IP address change, SOD fails to clean the old IP address from its internal storage, so the system subsequently and incorrectly behaves as if there is a 'configuration data inconsistent' error.

Impact:
System posts the benign message: notice sod[8118]: 010c0062:5: Config digest module error: Traffic group device not found.

Workaround:
None.


473527-2 : IPsec interop problem when using AES-GCM.

Component: TMOS

Symptoms:
BIG-IP AES-GCM negotiation through IKEv2 does not accept the case of no integrity algorithm. This can happen when the tunnel is configured to use AES.

Conditions:
Configuring the IPsec tunnel to use AES when trying to interoperate two BIG-IP systems at release levels 11.6 and 12.0, or when configuring IPsec on 11.6 to interoperate with another vendor using AES-GCM.

Impact:
The IPsec tunnel will not be established.

Workaround:
For BIG-IP only, ensure both sides of the tunnel are the same release level.


472748-1 : SNAT pool stats are reflected in global SNAT stats

Component: Local Traffic Manager

Symptoms:
A virtual server has a SNAT pool configured, and a global default SNAT is also configured similarly to the SNAT pool. Traffic that hits the virtual server uses the virtual server's SNAT pool to translate the source address, but the same traffic statistics are also reflected in the default global SNAT even though the default SNAT is not being used.

Conditions:
A virtual server has a SNAT configured. There is a global default SNAT configured similar to the configured SNAT pool.

Impact:
SNAT pool stats are reflected in global SNAT stats.

Workaround:
Configure the default SNAT in a different VLAN.


472571-6 : Memory leak with multiple client SSL profiles.

Component: Local Traffic Manager

Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.

Conditions:
Multiple client SSL profiles are attached to a virtual server.

Impact:
A small amount of memory leaks each time a profile is changed.

Workaround:
None.


472308-3 : Management IP address change interaction with HA heartbeat / failover traffic

Component: TMOS

Symptoms:
When the management IP address changes (either as a result of enabling mgmt-dhcp, or the leased address changing), the system does not synchronize this updated address to other devices in the failover device group / trust domain. (That is, the system does not trigger an update to the device_trust_group.)

Conditions:
This occurs on HA configurations.

Impact:
This can cause disruption in an HA environment. The sod process discards any HA heartbeat traffic it receives (e.g., traffic over the self IP addresses) that does not contain a 'known' cluster_mgmt_ip.

Workaround:
None.


471288-5 : TMM might crash with session-related commands in iRules.

Component: Local Traffic Manager

Symptoms:
TMM might crash with session-related commands in iRules.

Conditions:
This occurs when the following conditions are met:
1) A session/table command is used in an iRule.
2) A client_closed/server_closed iRule is in use.

Impact:
TMM might crash, and failover occurs.

Workaround:
Avoid using client_closed and server_closed iRules at the same time on a virtual server that uses the session/table command in an iRule.


471001-4 : Standby responds to traceroute on mirror enabled forwarding virtual server

Component: Local Traffic Manager

Symptoms:
Standby responds with ICMP time exceeded message on mirror enabled forwarding virtual server.

Conditions:
This occurs when the following conditions are met: HA configuration, IP forwarding virtual server, mirroring enabled, non-floating self IP address, simultaneous flood of ICMP packet to both active and standby systems.

Impact:
Standby responds with ICMP time-exceeded message.

Workaround:
Disable mirroring in forwarding virtual server, or remove non-floating self IP address on standby system.


470203-2 : Setting a remote syslog destination to a localhost address results in recursive log messages.

Component: TMOS

Symptoms:
Setting a remote syslog destination to a localhost address results in recursive log messages.

Conditions:
Using 127.0.0.1 or a hostname resolving to it as a host for syslog's remote-server.

Impact:
Using a localhost address as a remote syslog destination results in continual log entries until the BIG-IP system runs out of disk space.

Workaround:
Use a non-local remote host for syslog's remote-server.


469984-3 : The upgrade process can discard valid HTTP Class URLs

Component: TMOS

Symptoms:
A customer trying to upgrade from a version 11.x (where x < 4) to a 11.5.x may get this error: ERROR: The httpclass profile(s) for policy <HTTP Class profile name> did not roll forward: policy rule(s) created from <HTTP Class profile name> do not contain a proper URL. See Solution SOL14409. This occurs even though the HTTP Class object is compliant with the syntax described in SOL14409 and SOL15206.

Conditions:
- Version is < 11.4.0 and >= 11.0.0
- There are httpclass profiles in the customer's bigip.conf
- url-rewrite value is different than none, but valid
- The customer tries to upgrade to 11.5.x

Impact:
Potential issues when upgrading from 11.x (where x < 4) to 11.5.x that aren't described in SOL14409 and SOL15206.

Workaround:
- Re-package the original UCS, modifying the bigip.conf file so that the url-rewrite value goes in quotes (url-rewrite "/my/new/uri/").
- Avoid the validations described in SOL15206: load the original UCS into a 11.4.x box, then create a new UCS from there and load it into the desired 11.5.x.


469566-1 : HTTP OneConnect on wildcard non-translating virtual server does not reuse connections

Component: Local Traffic Manager

Symptoms:
Server-side flows are not reused. In this version of the software, the system disables reuse of server-side flows if the server-side flow is established without use of a pool.

Conditions:
This occurs when using HTTP OneConnect on wildcard non-translating virtual servers.

Impact:
This causes virtual servers that do not use pools to create a new server-side connection for every HTTP request, which results in excessive back-end connection traffic.

Workaround:
For all virtual servers except for APM virtual servers, you can use the following iRule to reuse connections:
when HTTP_REQUEST_RELEASE {
    if {[HTTP::request_num] == 0} {
        ONECONNECT::reuse enable
    }
}


468790-2 : Inconsistent Safenet key deletion in BIG-IP and Safenet HSM

Component: Local Traffic Manager

Symptoms:
Under some conditions (stated below), when deleting a Safenet key, the key will be deleted from HSM but not from BIG-IP.

Conditions:
This issue happens when the BIG-IP system satisfies the following conditions:
1. A Safenet-generated key is in use by a clientSSL profile.
2. Safenet HSM is installed.

Impact:
If this clientSSL profile is currently used by a virtual server, then SSL connection to this virtual server will fail since the key is not in HSM.

Workaround:
1. Remove the key/cert from the clientSSL profile, so that they become "not in use".
2. Delete the above key/cert from BIG-IP.
3. Configure another key/cert in the clientSSL profile.


468559-2 : Config fails to load after upgrade to 11.5.1 when iApp requires PSM module.

Component: TMOS

Symptoms:
Protocol Security Module (PSM) provisioning was removed in 11.5.0. Upgrading a config fails to load after upgrade to 11.5.1 when an iApp requires PSM module.

Conditions:
Upgrade to 11.5.1 when an iApp requires PSM module.

Impact:
The upgrade fails as the configuration fails to load.

Workaround:
Remove PSM from the list of enabled modules from affected iApp templates before upgrading.


467059-1 : Customization GUI not showing proper error message when modify customization group file created from iApps

Component: Access Policy Manager

Symptoms:
Objects that are created through iApps cannot be modified unless the user explicitly allows modification. An incorrect error message appears when the user tries to modify the object.

Conditions:
This issue occurs when the user tries to modify a customization group file created through iApps.

Impact:
The impact of this issue is that an incorrect error message appears, which might confuse the administrator.

Workaround:
This issue has no workaround at this time.


467018-1 : On HSB platforms which don't have HW DoS, bad cksum pkts could cause perf drop

Component: Performance

Symptoms:
On an HSB platform that does not have HW DoS features, packets with bad TCP/UDP/IP checksums can cause a performance drop.

Conditions:
HSB platform that does not have HW DoS (BIG-IP 2000/4000 appliances). On those platforms, if too many bad-checksum packets are received, performance is lower than it would otherwise be.

Impact:
Bad performance.

Workaround:
Create a file named "tmm_init.tcl" in "/config" with the following lines, and then reboot:
HSB::netc_ipcsum_drop yes
HSB::netc_l4csum_drop yes


466007-2 : DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var

Component: Local Traffic Manager

Symptoms:
The DNS Express daemon, zxfrd, cannot start if its binary cache has filled the /var directory.

Conditions:
Using DNS Express and the /var directory is filled.

Impact:
Zxfrd will continually restart.

Workaround:
No workaround. If zxfrd is in a restart loop because of this issue, mitigate by deleting /var/db/tmmdns.bin and then running 'bigstart restart zxfrd'.


463202-7 : BIG-IP system drops non-zero version EDNS requests

Component: Local Traffic Manager

Symptoms:
If a query from a client contains a non-zero EDNS version, the query is dropped instead of sending an appropriate response.

Conditions:
This occurs with DNS profile/processing when a client sends a query with non-zero EDNS version.

Impact:
Dropped queries, retries, and then time-outs occur.

Workaround:


462881-1 : Configuration utility allows for mismatch in IP protocol and transport profile

Component: Local Traffic Manager

Symptoms:
tmsh allows configuration of a virtual server with mismatched ip-protocol and transport-layer profile. For example, ip-protocol tcp with a UDP profile or ip-protocol udp with a TCP profile.

Conditions:
Configure a virtual server with mismatched ip-protocol and transport-layer profiles (e.g. ip-protocol udp, profiles { tcp }).

Impact:
Traffic reaching a misconfigured virtual server can crash tmm, resulting in an outage.

Workaround:
Configure virtual server with matching ip-protocol and transport-layer profile.


460176-4 : Hardwired failover asserts active even when standalone

Component: TMOS

Symptoms:
In BIG-IP software versions 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, and 12.0.0, the serial failover 'Active' signal is asserted even if the unit is not configured to be in a high availability (HA) pair. A unit can become Standalone if the configuration is reset, or if a return merchandise authorization (RMA) is performed. If the serial cable is still connected to its peer, then the HA peer may defer the Active status to the Standalone system, which does not actually take over and process traffic.

Conditions:
Serial cable failover in-use between two members of an HA pair.

Impact:
Traffic is interrupted when the Active unit transitions to Standby.

Workaround:
During an RMA, the serial cable failover can be temporarily disabled on the Active unit by issuing the following command: tmsh modify sys db failover.usetty01 value disable


459671-2 : iRules source different procs from different partitions and executes the incorrect proc.

Component: Local Traffic Manager

Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.

Conditions:
Multiple iRule procs defined in multiple admin partitions.

Impact:
iRules "proc" lookup algorithm is not deterministic, or Virtual Servers are improperly caching and sharing the lookup results.

Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.


457256-2 : Configuration utility allows for mismatch in IP protocol and transport profile

Component: Local Traffic Manager

Symptoms:
tmsh allows configuration of a virtual server with mismatched ip-protocol and transport-layer profile. For example, ip-protocol tcp with a UDP profile or ip-protocol udp with a TCP profile.

Conditions:
Configure a virtual server with mismatched ip-protocol and transport-layer profiles (e.g. ip-protocol udp, profiles { tcp }).

Impact:
Traffic reaching a misconfigured virtual server can crash tmm, resulting in an outage.

Workaround:
Configure virtual server with matching ip-protocol and transport-layer profile.
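Entries 462881-1 and 457256-2 both describe a virtual server whose ip-protocol disagrees with its transport-layer profile, a misconfiguration that tmsh accepts and that can crash tmm once traffic arrives. The following is an added example, not F5 code, that audits a bigip.conf excerpt offline for exactly that combination. The sample configuration is constructed, and the table of built-in profile types and the ip-protocol compatibility table (fastL4 treated as protocol-agnostic) are assumptions made for the example.

```python
"""Offline audit of a bigip.conf excerpt for a virtual server whose ip-protocol
disagrees with its transport-layer profile (462881-1 / 457256-2).
Example code written for this page, not F5 code."""
from typing import Dict, List, Tuple

# Constructed sample in bigip.conf (tmsh) syntax; names are made up.
SAMPLE_BIGIP_CONF = """\
ltm profile udp /Common/udp_dns {
    defaults-from /Common/udp
}
ltm virtual /Common/vs_web_ok {
    ip-protocol tcp
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_dns_bad {
    ip-protocol udp
    profiles {
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_custom_bad {
    ip-protocol tcp
    profiles {
        /Common/udp_dns { }
    }
}
"""

# Assumed tables: transport type of the built-in profiles, and which transport
# profile types are acceptable for each ip-protocol (fastL4 is protocol-agnostic).
BUILTIN_PROFILE_TYPES = {"/Common/tcp": "tcp", "/Common/udp": "udp",
                         "/Common/sctp": "sctp", "/Common/fastL4": "fastl4"}
TRANSPORT_TYPES = {"tcp", "udp", "sctp", "fastl4"}
COMPATIBLE = {"tcp": {"tcp", "fastl4"}, "udp": {"udp", "fastl4"}, "sctp": {"sctp"}}


def split_stanzas(text: str) -> List[Tuple[str, List[str]]]:
    """Return (header, body_lines) for each top-level stanza, tracking brace depth."""
    stanzas: List[Tuple[str, List[str]]] = []
    header, body, depth = "", [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line.endswith("{"):          # e.g. 'ltm virtual /Common/vs_web_ok {'
                header, body, depth = line[:-1].strip(), [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            stanzas.append((header, body))  # closing brace of the stanza
        else:
            body.append(line)
    return stanzas


def profile_types(stanzas) -> Dict[str, str]:
    """Map profile name -> type from 'ltm profile <type> <name>' stanzas plus built-ins."""
    types = dict(BUILTIN_PROFILE_TYPES)
    for header, _ in stanzas:
        parts = header.split()
        if len(parts) == 4 and parts[:2] == ["ltm", "profile"]:
            types[parts[3]] = parts[2].lower()
    return types


def virtual_profiles(body: List[str]) -> Tuple[str, List[str]]:
    """Pull the ip-protocol value and the names of profiles attached to a virtual."""
    ip_proto, profiles, pdepth = "", [], 0
    for line in body:
        if line.startswith("ip-protocol "):
            ip_proto = line.split()[1].lower()
        elif line == "profiles {":
            pdepth = 1
        elif pdepth:
            if pdepth == 1 and line != "}":
                profiles.append(line.split()[0])   # entry name, e.g. /Common/tcp
            pdepth += line.count("{") - line.count("}")
    return ip_proto, profiles


def audit_config(text: str) -> List[str]:
    """One finding per virtual whose ip-protocol and transport profile disagree."""
    stanzas = split_stanzas(text)
    types = profile_types(stanzas)
    findings: List[str] = []
    for header, body in stanzas:
        parts = header.split()
        if parts[:2] != ["ltm", "virtual"]:
            continue
        ip_proto, profiles = virtual_profiles(body)
        if ip_proto not in COMPATIBLE:       # ipother or absent: nothing to compare
            continue
        for name in profiles:
            ptype = types.get(name)          # profiles of unknown type are skipped
            if ptype in TRANSPORT_TYPES and ptype not in COMPATIBLE[ip_proto]:
                findings.append(f"{parts[2]}: ip-protocol {ip_proto} but transport "
                                f"profile {name} is type {ptype}")
    return findings
```

Run `audit_config` over the text of a saved configuration (for example a UCS or `tmsh save sys config` output) before applying it; the check resolves custom profile names through their `ltm profile` stanzas, so a `udp` profile named `/Common/udp_dns` is still recognised as UDP.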


456976 : Web scraping/brute force may break application on IE6/IE7

Component: Application Security Manager

Symptoms:
A blank page is shown on IE6/IE7 browsers when Web Scraping is enabled with Bot Detection set to Blocking mode, or Client Side Integrity Defense is enabled in Blocking mode in either Web Scraping or Brute Force.

Conditions:
1. Clients using IE6 or IE7 browser.
2. Web Scraping is enabled with Bot Detection set to blocking mode, OR Client Side Integrity Defense is enabled in blocking mode in either Web Scraping or Brute Force.

Impact:
A blank page is shown and the user does not reach the page.

Workaround:


456378-2 : On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core

Component: Local Traffic Manager

Symptoms:
When using ipother profile, if there is an iRule that fires on CLIENT_ACCEPTED that contains a discard or reject action, TMM is going to failover.

Conditions:
Virtual server with ipother profile and an iRule firing on CLIENT_ACCEPTED with discard or reject action.

Impact:
TMM cores.

Workaround:
Use CLIENT_DATA as the firing event for the iRule. This has the same expected result when discarding the connection.


455651-5 : Improper regex/glob validation in web-acceleration and http-compression profiles

Component: TMOS

Symptoms:
The use of regex or glob patterns in certain MCP configuration objects leads to inconsistent parsing across MCP and TMM. For glob patterns, for example, the TMM produces an error indicating that the regex is invalid, while entries such as *.js are correctly treated as globs.

Conditions:
MCP configuration objects supporting regex and glob inclusion/exclusion patterns lead to inconsistent parsing across MCP/TMM.

Impact:
Cacheable objects are improperly cached or are not cached, or objects are deflated or are not deflated in opposition to the customer's intent.

Workaround:
None.


454949-3 : AFM Optimizations to improve run-time and memory usage.

Component: Performance

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


454209-3 : TMM crash on UDP DNS virtual without datagram-load-balancing enabled

Component: Local Traffic Manager

Symptoms:
TMM crash on UDP DNS virtual without datagram-load-balancing enabled.

Conditions:
DNS virtual server without datagram lb mode.

Impact:
TMM crash with a backtrace including dns_dev_pool coring at line 360. Failover and potential traffic interruption.

Workaround:
Enable datagram-lb-mode in the UDP profile used by the DNS virtual server, or turn off DNS queuing via the db variable dns.queuing.


453640-3 : Java core formed when modifying global-settings.

Component: Centralized Management

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


452660-4 : SNMP trap engineID should not be configsynced between HA-pairs

Component: TMOS

Symptoms:
When configuring an engine_id for a SNMPv3 trap destination, the engine_id was synchronized to all HA peers.

Conditions:
All

Impact:
Received SNMPv3 traps would appear as if they originated from the same BIG-IP system after failover to a backup BIG-IP.

Workaround:
The workaround is to disable configsync (change 'yes' to 'no') on engine_id in /defaults/config_base.conf. However, you must first remount the /usr partition to modify the file, and then run tmsh load.


451494-2 : SSL Key/Certificate in different partition with Subject Alternative Name (SAN)

Component: TMOS

Symptoms:
You are unable to create an SSL key/certificate in a partition other than Common with a Subject Alternative Name (SAN).

Conditions:
In a partition other than Common, create a new SSL key/certificate with SAN.

Impact:
SSL key/certificate is not created.

Workaround:
Use tmsh to create an SSL key/certificate with SAN in a partition other than Common.


451433-7 : HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)

Component: TMOS

Symptoms:
Combining HA group with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe results in traffic going to failed device.

Conditions:
HA-group should not be combined with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe. If these mechanisms are combined, the failsafe causes all traffic groups to go to standby on the failed device.

Impact:
Because the HA Group score might favor the failed device, there could be no active traffic group on any device.

Workaround:
Replace the failover VLAN or Gateway with an HA group. Note: HA group should not be combined with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe. If these mechanisms are combined, the failsafe causes all traffic groups to go to standby on the failed device.

Behavior Change:
In the previous code, if a user configured both HA Group Score and an HA Failsafe, when the failsafe triggered, all traffic groups on the failed device would transition to Standby. However, the group score for that device would remain at the prior value so that the traffic group would not become active on another device. The result was a traffic group that was not active on any device. With this change, the traffic group score on the failed device is forced to 0, since the failsafe condition indicates that the device is not acceptable to host any traffic group. The HA Group scoring algorithm then activates the traffic group on the best remaining non-failed device.


450136-5 : Occasionally customers see chunk boundaries as part of HTTP response

Component: Access Policy Manager

Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.

Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.

Impact:
Customer will see chunk boundaries on the web page.

Workaround:
To work around this problem, use an iRule that always rechunks the HTTP response.


447565-3 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Conditions:

Impact:
Unknown

Workaround:


446187-7 : If manually started, bigip service(s) may consume 100% and become not functional

Component: Access Policy Manager

Symptoms:
If a BIG-IP service is started and working, and another instance of the same service is started manually, the original one spins in a loop, consumes around 100% CPU, and becomes nonfunctional. These services are affected: apd, websso, eam, acctd, aced, rba.

Conditions:
A service is started manually, either using a binary located in the search path (for example, /usr/bin/) or using a script located in /etc/bigstart/scripts/.

Impact:
Service becomes unavailable.

Workaround:
Never start any daemon manually. The proper way to start, stop, and restart daemons on the BIG-IP system is to use the bigstart utility:
bigstart start <name>
bigstart stop <name>
bigstart restart <name>


442532-4 : Log shows "socket error: resource temporarily unavailable"

Component: Access Policy Manager

Symptoms:
A response could not be sent to the remote client. This happens rarely, with very large access policy configurations. We could not reproduce the issue.

Conditions:
Conditions leading to this issue are not yet known.

Impact:
Box still works okay. Reconnect works.

Workaround:
This issue has no workaround at this time.


441913-6 : Empty Webtop when large number of resources assigned to access policy.

Component: Access Policy Manager

Symptoms:
When a large number of resources (more than 25) is assigned to an access policy with a full webtop, the system displays an empty webtop when it is accessed a second time.

Conditions:
Large number of resources assigned to access policy.

Impact:
The webtop fails to display a large number of resources when accessed a second time.

Workaround:
The only way to work around the problem is to assign fewer resources.


441482-2 : SWG is seen on platforms with less than 8 GB of memory

Component: TMOS

Symptoms:
Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms.

Conditions:
This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.)

Impact:
Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.'

Workaround:
You may provision APM plus SWG only on platforms with 8 GB of memory or more. To use APM and SWG together on platforms with exactly 8 GB of memory, LTM provisioning must be set to None. (To do so, uncheck the box next to Local Traffic (LTM) on the Resources Provisioning screen, if applicable.) To fully support the LTM-APM-SWG combination, reserve at least 12 GB of memory for VE instances, or at least 16 GB for vCMP guests on BIG-IP or VIPRION platforms.


440505-7 : Default port should be removed from Location header value in http redirect

Component: Access Policy Manager

Symptoms:
The browser treats a page loaded from a URL without the default port, and the same page loaded after receiving a Location header whose rewritten URL includes the default port, as two different pages, and loads the page twice.

Conditions:
Resource is loaded through Portal Access; page is loaded after receiving Location header with default port included in rewritten part; navigation occurs to this page without default port in domain part (for example, to anchor in this page).

Impact:
Resource is loaded twice and this can possibly change behavior of backend.

Workaround:
This issue has no workaround at this time.
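The behaviour above comes down to URL comparison: "http://host/path" and "http://host:80/path" name the same resource, but a browser compares them literally. The following is an added example, not APM code, showing the normalisation the issue title asks for (dropping the scheme's default port from a Location value) and a comparison helper built on it. The sample URLs are constructed.

```python
"""Drop a scheme's default port from a Location header value so that the
rewritten URL and the one the browser already holds compare as the same page.
Example code written for this page, not APM's rewrite code."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def strip_default_port(url: str) -> str:
    """Return url without an explicit port when that port is the scheme default."""
    parts = urlsplit(url)
    try:
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return url
    if port is None or DEFAULT_PORTS.get(parts.scheme.lower()) != port:
        return url                     # no port, or a non-default one: leave as-is
    host = parts.hostname or ""        # note: urlsplit lowercases the host here
    if ":" in host:                    # IPv6 literal must keep its brackets
        host = f"[{host}]"
    userinfo = ""
    if parts.username is not None:     # preserve user:pass@ if present
        userinfo = parts.username
        if parts.password is not None:
            userinfo += f":{parts.password}"
        userinfo += "@"
    return urlunsplit((parts.scheme, userinfo + host, parts.path, parts.query, parts.fragment))


def same_page(url_a: str, url_b: str) -> bool:
    """True when the two URLs differ only by an explicit default port."""
    return strip_default_port(url_a) == strip_default_port(url_b)


# Constructed sample: the URL a browser holds, and the rewritten Location it receives.
PAGE_URL = "http://app.example.com/reports/index.html"
LOCATION_WITH_PORT = "http://app.example.com:80/reports/index.html"
```

Relative Location values and URLs with a non-default port pass through unchanged, so the function is safe to apply to every redirect.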


440431-3 : Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Conditions:
This issue occurs when the following condition is met: A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command. The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging.

Impact:
The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank.

Workaround:
To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.


439330-8 : Javascript: getAttribute() returns mangled event handlers

Component: Access Policy Manager

Symptoms:
All event handlers in the HTML page are rewritten by APM. If a script uses a getAttribute() call to obtain event handler code, it gets the rewritten code, which may lead to incorrect results.

Conditions:
HTML page with event handlers defined.

Impact:
If a script uses event handler source code, it might work incorrectly.

Workaround:


434517-10 : HTTP::retry doesn't work in an early server response

Component: Local Traffic Manager

Symptoms:
If an HTTP_RESPONSE event fires because the server sent an early response (that is, a response before the entire request has been sent), then HTTP::retry does not work correctly.

Conditions:
The client begins sending a request. The server responds before that request is completely sent. HTTP::retry is called in the HTTP_RESPONSE event.

Impact:
Typically, early server responses are error conditions.

Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.


433323-2 : Ramcache handling of Cache-Control: no-cache directive

Component: Local Traffic Manager

Symptoms:
When a client request contains no-cache directive, ramcache excludes the request from caching and passes the request through. Because caching is disabled, the resource is not invalidated and the response is not cached. The expectation is the action should cause re-validation of the resource.

Conditions:
Configure a virtual server with HTTP caching.

Impact:
Failure to invalidate resource. Increased load on origin server.

Workaround:
This issue has no workaround at this time.


433055-6 : BFD GTSM IMI shell commands don't work

Component: TMOS

Symptoms:
The BFD GTSM IMI shell commands 'bfd gtsm enable' and 'bfd gtsm disable' are disabled and have no effect.

Conditions:
This problem shows up when BFD is configured and an attempt is made to configure the GTSM feature of BFD.

Impact:
GTSM feature is not usable.

Workaround:
None.


426274-2 : Firewall ACL Schedules may not work when configured with a daily schedule that starts before the specified start date and time

Component: Advanced Firewall Manager

Symptoms:
If the daily schedule for a rule starts before the start date and time specified in the schedule, the rule is never scheduled. For example, assume the current time is 2013-07-26 16:20:00. If you specify the following schedule and associate it with a rule, the rule will not get scheduled at all:

tmsh modify security firewall schedule sched1 { date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }

Conditions:
The daily-hour-start is configured to occur before the date-valid-start.

Impact:
The scheduled rule will not become active when configured in this manner.

Workaround:
As a workaround, make sure that the daily-hour-start does not occur before the date-valid-start. A working example, assuming the current time is 2013-07-26 16:20:00, configures the date-valid-start to be the previous day:

tmsh modify security firewall schedule sched1 { date-valid-start 2013-07-25:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }
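The following Python check is an added example, not F5 code, for validating a schedule before it is committed. It models the condition above: given the current time, it finds the next occurrence of the daily window and flags the schedule if that window opens before date-valid-start, then applies the workaround of moving date-valid-start back one day. The field names are the tmsh attributes shown in the command; the timestamp format is the one the command uses; the sample schedule is the non-working one from this entry.

```python
from datetime import datetime, timedelta

# Added example (not F5 code): pre-commit check for the schedule combination
# in ID 426274-2. Keys are the tmsh attribute names; values use the formats
# shown in the tmsh command on the page.
TS_FORMAT = "%Y-%m-%d:%H:%M:%S"


def parse_tmsh_timestamp(value):
    """Parse a date-valid-start / date-valid-end value such as 2013-07-26:16:24:00."""
    return datetime.strptime(value, TS_FORMAT)


def parse_daily_hour(value):
    """Parse a daily-hour-start / daily-hour-end value such as 16:23."""
    return datetime.strptime(value, "%H:%M").time()


def next_daily_window_start(schedule, now):
    """First daily-hour-start occurrence at or after 'now' (today or tomorrow)."""
    candidate = datetime.combine(now.date(), parse_daily_hour(schedule["daily-hour-start"]))
    if candidate < now:
        candidate += timedelta(days=1)
    return candidate


def daily_window_opens_before_valid_start(schedule, now):
    """True when the next daily window opens earlier than date-valid-start,
    which is the condition under which the rule never becomes active."""
    valid_start = parse_tmsh_timestamp(schedule["date-valid-start"])
    return next_daily_window_start(schedule, now) < valid_start


def lint_schedule(schedule, now):
    """Return a list of findings for one schedule; an empty list means clean."""
    findings = []
    if daily_window_opens_before_valid_start(schedule, now):
        findings.append(
            "daily-hour-start %s opens before date-valid-start %s; "
            "the rule will never be scheduled (move date-valid-start earlier)"
            % (schedule["daily-hour-start"], schedule["date-valid-start"])
        )
    return findings


def apply_workaround(schedule):
    """Return a copy with date-valid-start moved back one day, as the page's
    workaround does, so the next daily window no longer precedes it."""
    fixed = dict(schedule)
    start = parse_tmsh_timestamp(schedule["date-valid-start"]) - timedelta(days=1)
    fixed["date-valid-start"] = start.strftime(TS_FORMAT)
    return fixed


def to_tmsh(name, schedule):
    """Render the schedule as the tmsh modify command shown on the page."""
    body = " ".join("%s %s" % (k, v) for k, v in schedule.items())
    return "tmsh modify security firewall schedule %s { %s }" % (name, body)


# Constructed input: the non-working schedule and "current time" from the page.
NOW = datetime(2013, 7, 26, 16, 20, 0)
BROKEN = {
    "date-valid-start": "2013-07-26:16:24:00",
    "date-valid-end": "2013-07-26:16:29:00",
    "daily-hour-start": "16:23",
    "daily-hour-end": "16:27",
}

if __name__ == "__main__":
    for finding in lint_schedule(BROKEN, NOW):
        print("finding:", finding)
    print(to_tmsh("sched1", apply_workaround(BROKEN)))
```

Run against the sample, the lint reports one finding for the original schedule and none once date-valid-start has been moved to the previous day, and the rendered command matches the working example above.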


425980-3 : Blade number not displayed in CPU status alerts

Component: TMOS

Symptoms:
Messages displayed on the VIPRION chassis LCD always reference the blade number of the Primary blade in the chassis at the time the message was issued. The slot number of the blade on which the blade-specific condition occurred is not included in the LCD message. In the case of CPU status alerts, where the CPU temperature is too high or the CPU fan speed is too low, the identity of the blade is also not included in the console output or log messages produced by the system_check utility.

Conditions:
Affects: VIPRION B4100 (PB100), B4200 (PB200) and B4300-series blades in VIPRION C4400, C4480 and C4800 chassis. VIPRION B2100, B2150 and B2250 blades in VIPRION C2400 and C2200 chassis with external LCD displays attached.

Impact:
It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display.

Workaround:
Use one of the following commands to examine the CPU measurements and determine which CPU on which blade is experiencing excessive temperature and/or slow fan speed:
1. tmsh show sys hardware
2. tmctl cpu_status_stat


425331-2 : On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID

Component: TMOS

Symptoms:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports the ID of the Chassis. This differs from the behavior on VIPRION 4xxx-series platforms, where the SNMP sysObjectID OID reports the ID of the Blade.

Conditions:
This occurs on VIPRION 2xxx-series platforms:
- C2xxx-series chassis
- B2xxx-series blades

Impact:
SNMP queries that identify the System ID of VIPRION platforms will identify different classes of hardware component on VIPRION 2xxx-series vs. 4xxx-series platforms.

Workaround:

Behavior Change:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Blade, to match the behavior on VIPRION 4xxx-series platforms. Previously, SNMP sysObjectID reported the ID of the Chassis on VIPRION 2xxx-series platforms.


421971-9 : Renewing certificates with SAN input leads to error in UI

Component: TMOS

Symptoms:
Renewing an existing certificate fails in UI if a user provides Subject Alternative Name (SAN) as input.

Conditions:
Provide SAN while renewing certificate.

Impact:
Cannot renew certificate.

Workaround:
Do not provide SAN information while renewing certificates.


420438-3 : Default routes from standby system when HA is configured in NSSA

Component: TMOS

Symptoms:
In an NSSA configuration with a DR, BDR, and HA-configured BIG-IP systems, there are three default routes, one each from DR, BDR, and the standby BIG-IP system. The standby BIG-IP system should not send out any default routes.

Conditions:
This occurs when using ZebOS 7.10.2 through unpatched ZebOS 7.10.4 in an NSSA configuration with a DR, a BDR, and an HA pair of BIG-IP systems.

Impact:
Traffic is incorrectly directed to the standby. This is an IPI issue.

Workaround:
None.


420176 : On UDP virtual under CLIENT_DATA event load balance does not work

Component: Local Traffic Manager

Symptoms:
On a UDP virtual server, iRule commands (e.g., pool) to change the load-balancing decision have no effect when they are in the CLIENT_DATA event.

Conditions:
UDP virtual server and CLIENT_DATA event.

Impact:
Load balancing does not work. Depending on the command and the configuration, there might be other impacts. For example, with the pool command, packets might be dropped because there is no default pool.

Workaround:
Use CLIENT_ACCEPTED instead.


409323-3 : OnDemand cert auth redirect omits port information

Component: Access Policy Manager

Symptoms:
The On-Demand Cert Auth redirect does not honor a port other than 443 configured on the virtual server.

Conditions:
On-Demand Cert Auth is used in an access policy that is assigned to a virtual server with a non-standard port.

Impact:
The redirect URL is missing the port information, hence subsequent client connections aren't successful.

Workaround:
N/A


408599-3 : The iRule node command does not function properly when invoked from the LB_SELECTED event.

Component: Local Traffic Manager

Symptoms:
The iRule node command does not function properly when invoked from the LB_SELECTED event.

Conditions:
Using an iRule in which the 'node' command in the LB_SELECTED event modifies the node and port.

Impact:
Although logs from the iRule may indicate the node and/or port was modified, the changes are not applied, as a subsequent tcpdump confirms.

Workaround:
Use the node command in other events.


399732-1 : SAML Error: Invalid request received from remote client is too big

Component: Access Policy Manager

Symptoms:
Some SAML deployments will produce SAML Assertions or SAML Authentication Requests in POST data that are larger than 64KB. When this occurs, an error message will be produced in the APM log: "Invalid request received from remote client is too big."

Conditions:
When a BIG-IP system acts as a SAML service provider, it supports only assertions of size 64K or less. Likewise, when a BIG-IP system acts as a SAML IdP, it supports only authentication requests of size 64K or less.

Impact:
SAML cannot be used in BIG-IP as IdP or BIG-IP as SP with deployments that cause large POST data from clients.

Workaround:
No workaround possible.


385859 : iRule TCP::close on vip with Ramcache can cause TMM restart

Component: Local Traffic Manager

Symptoms:
iRule TCP::close on vip with Ramcache can cause TMM restart

Conditions:

Impact:
Unknown

Workaround:


384995-4 : Management IP changes are not synced to the device group.

Component: TMOS

Symptoms:
Management IP changes are not synced to the device group.

Conditions:

Impact:
Unknown

Workaround:


382363 : min-up-members and using gateway-failsafe-device on the same pool.

Component: TMOS

Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.

Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.

Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.

Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.


378967-1 : Users are not synchronized if created in a partition

Component: TMOS

Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.

Conditions:
There are users whose active partitions are attached to a sync-only device group.

Impact:
This affects sync-only device groups only, not the failover device group.

Workaround:
None.


374067-4 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

Component: Local Traffic Manager

Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.

Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.

Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.

Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.

Behavior Change:
The persistence record attached to a connection is no longer reset upon pool member detachment when using OneConnect. When using OneConnect, the pool member detaches on the completion of every response. This causes subsequent requests to be load balanced to the original pool member.


373949-4 : NW failover w/out mgmt addr cause active-active after unit1 reboot

Component: TMOS

Symptoms:
A device in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
If a Device Service Cluster is configured with only self-IPs for unicast network failover communication, or if the management network between the peers is unavailable, the device may not detect that the peer is active when it is starting up. When using only self-IPs, communication with the peers is disrupted while the TMM is starting up.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network, reduces the possibility of this problem.


372332 : Unnecessary buffering of client-side egress in some circumstances.

Component: Local Traffic Manager

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


372118-3 : import_all_from_archive_file and import_all_from_archive_stream does not create file objects.

Component: TMOS

Symptoms:
An attempt to transition certs/keys/etc. from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream results in the files being copied to the directories under /config/ssl/, but no file-objects are created on the target system.

Conditions:
This occurs when you attempt to transition certs/keys/etc. from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream.

Impact:
Files are copied to the directories under /config/ssl/, but no file objects are created on the target system.

Workaround:
None.


369352-10 : No verification prompt when executing 'load sys config default' for resource administrator role

Component: TMOS

Symptoms:
When logged in as a resource administrator, "load sys config default", which restores the configuration to factory defaults, does not prompt for verification as it should. If you execute the command from a normal administrator role, you do get a prompt.

Conditions:
Log in as a resource administrator and run "load sys config default"; the restore begins without a verification prompt.

Impact:
System restore initiated without prompt when run as a resource administrator.

Workaround:
None.


368824-3 : There is no indication that a failed standby cannot go active.

Component: TMOS

Symptoms:
There is no indication that a failed standby cannot go active.

Conditions:
When a standby fails, there is no indication that it cannot go active.

Impact:
User does not know that the standby cannot go active.

Workaround:
None.

Behavior Change:
The system now provides an indication that a failed standby cannot go active.
-- The chassis display state of 'failed' is shown when a chassis is in the Standby state and one or more global fail-safes are active on the chassis.
-- The traffic group state of 'failed' is displayed when a traffic group is in the Standby state and one or more global fail-safes are active on the chassis.
-- The commands 'show cm traffic-group' and 'show cm device' display the Standby state.
-- The GUI was updated to show failover status, along with updates to the overview and device screens under device management.


345358-2 : Oneconnect Transforms don't recognize Connection header if it contains extra Header tokens.

Component: Local Traffic Manager

Symptoms:
Unknown

Conditions:

Impact:
Unknown

Workaround:


337934-1 : remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly

Component: TMOS

Symptoms:
In remoterole configurations in which one of the attributes ends in 'role', that attribute is truncated. This can also happen with an attribute that ends in 'deny' when a deny directive is present.

Conditions:
remoterole attributes ending in 'role'. This may also happen with attributes ending in 'deny'.

Impact:
Parsing truncates attributes.

Workaround:
None.


333340 : The bigd process is not compatible with IPv6 link-local unicast addresses

Component: Local Traffic Manager

Symptoms:
Monitors that are monitoring pool members using the IPv6 link local address are marked down.

Conditions:
This occurs when pointing the monitor at the pool member's link local IPv6 address (FE80::/10 prefix).

Impact:
The monitor fails to connect to the pool member, so the pool member will never be marked up.

Workaround:
You can avoid this issue by not configuring nodes or pool members using IPv6 link-local unicast addresses; instead use IPv6 global unicast addresses or IPv6 unique local unicast addresses.


238444-1 : An L4 ACL has no effect when a layered virtual server is used.

Component: Access Policy Manager

Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:
- Unexpected network traffic may be allowed to pass.
- Expected network traffic may be blocked.

Conditions:
This issue occurs when the following conditions are met:
-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.

Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.

Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.


222690 : The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.

Component: Local Traffic Manager

Symptoms:
The persist none iRule command disables persistence for the current connection. If cookie persistence is enabled for a virtual server referencing an iRule, and the LB::reselect command is called after the persist none iRule command, cookie persistence is not disabled for the connection.

Conditions:
For example, the following configuration illustrates the issue:

pool default_pool {
    member 10.10.10.4:80 down session disable
}
pool fail_pool {
    member 10.10.10.5:80
}
rule fail_rule {
    when LB_FAILED {
        persist none
        LB::reselect pool fail_pool
    }
}
virtual vs {
    destination 10.10.10.6:80
    ip protocol tcp
    profile http tcp
    persist cookie
    pool default_pool
    rule fail_rule
}

Impact:
In the example, the initial load balancing attempt to the default_pool pool will fail, since sessions are disabled for the pool member. The LB_FAILED iRule event will execute, which sets the persistence to none. In addition, the LB::reselect command will load balance the connection to the fail_pool pool. The connection to the pool member 10.10.10.5 will succeed, but the BIG-IP LTM will incorrectly place a persistence cookie in the response to the client.

Workaround:
You may be able to work around this issue by using the HTTP::cookie command in the HTTP_RESPONSE event to remove the BIG-IP cookie from the response before it is sent to the client. For example, the following revised iRule removes the BIG-IP persistence cookie that would be set in the response when the fail_pool was selected:

rule fail_rule_no_cookie_for_you {
    when LB_FAILED {
        persist none
        LB::reselect pool fail_pool
    }
    when HTTP_RESPONSE {
        HTTP::cookie remove BIGipServerfail_pool
    }
}

Note: The HTTP_RESPONSE event is triggered after the BIG-IP LTM has added the persistence cookie to the HTTP headers.

Note: The default persistence cookie name is derived from the name of the pool to which the request was sent. For more information about the BIG-IP persistence cookie, refer to SOL6917: Overview of BIG-IP persistence cookie encoding.

The workaround has the added benefit of preserving any persistence information for the original load balancing pool should it again become available. If you want to completely remove the persistence cookie from the client, you can use the HTTP::cookie command in the HTTP_RESPONSE event to set an expired version of the BIG-IP cookie in the response before it is sent to the client.
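To confirm that the revised iRule really strips the cookie, it helps to inspect the responses the virtual server returns. The following Python script is an added example, not F5 code: it scans the Set-Cookie headers of a captured HTTP response for BIGipServer* cookies and decodes the default (unencrypted) IPv4 cookie layout that SOL6917 documents, so an operator can see which pool member a leaked persistence record points at. The two responses are constructed to mirror the page's example (fail_pool member 10.10.10.5:80); the helper names are the example's own.

```python
import re

# Added example (not F5 code): verify the HTTP_RESPONSE workaround for
# ID 222690 by scanning a raw HTTP response for BIG-IP persistence cookies.
# Default IPv4 cookie layout per SOL6917: "BIGipServer<pool>=<ip>.<port>.0000",
# <ip> = the four octets packed little-endian into a decimal integer,
# <port> = the byte-swapped port number. Encrypted cookies will not match.
COOKIE_PREFIX = "BIGipServer"
IPV4_COOKIE_RE = re.compile(r"^(\d+)\.(\d+)\.0000$")


def decode_bigip_cookie(value):
    """Return (ip, port) for a default-encoded IPv4 persistence cookie value,
    or None if the value does not use that layout."""
    m = IPV4_COOKIE_RE.match(value.strip())
    if not m:
        return None
    ip_int, port_swapped = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_swapped > 0xFFFF:
        return None
    octets = [(ip_int >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    port = ((port_swapped & 0xFF) << 8) | (port_swapped >> 8)
    return ".".join(str(o) for o in octets), port


def find_persistence_cookies(raw_response):
    """Return [(pool, raw_value, decoded)] for every BIGipServer* Set-Cookie
    header in a raw HTTP response; only the header block is examined."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, rest = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            cookie = rest.strip().split(";", 1)[0]
            cname, _, cvalue = cookie.partition("=")
            if cname.startswith(COOKIE_PREFIX):
                found.append((cname[len(COOKIE_PREFIX):], cvalue, decode_bigip_cookie(cvalue)))
    return found


def leaks_pool(raw_response, pool):
    """True if the response still carries a persistence cookie for 'pool'."""
    return any(p == pool for p, _, _ in find_persistence_cookies(raw_response))


# Constructed responses: what the unpatched iRule would return for the page's
# example (fail_pool member 10.10.10.5:80), and the same response after the
# HTTP::cookie remove workaround. Cookie values are constructed.
UNPATCHED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: BIGipServerfail_pool=84544010.20480.0000; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>ok</html>"
)
PATCHED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>ok</html>"
)

if __name__ == "__main__":
    for pool, raw, decoded in find_persistence_cookies(UNPATCHED_RESPONSE):
        print("pool %s cookie %s -> %s" % (pool, raw, decoded))
    print("fail_pool cookie present after workaround:", leaks_pool(PATCHED_RESPONSE, "fail_pool"))
```

On the constructed input the unpatched response decodes to pool fail_pool, member 10.10.10.5 port 80, and the patched response carries no fail_pool cookie. The same scan run over real captures of a virtual server using cookie persistence shows whether the default-encoded cookie (and therefore the pool member address) is being exposed to clients at all, which is the reason the behavior in this entry matters beyond the incorrect persistence.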




*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Tue May 10 15:24:56 2016 PDT
Copyright F5 Networks (2016) - All Rights Reserved