Supplemental Document : Release Information: BIG-IQ Centralized Management 5.4.0

Applies To:


BIG-IQ Centralized Management

  • 5.4.0
Original Publication Date: 12/27/2017 Updated Date: 04/18/2019

BIG-IQ CM Release Information

Version: 5.4.0
Build: 7437.0

Known Issues in BIG-IQ CM v5.4.x

Vulnerability Fixes

ID Number  CVE  Solution Article(s)  Description
680031  CVE-2017-10102, CVE-2017-10108, CVE-2017-10115, CVE-2017-10116, CVE-2017-10118, CVE-2017-10135, CVE-2017-10176, CVE-2017-10198  K91024405  Fixed Java Vulnerabilities


Functional Change Fixes

ID Number Severity Solution Article(s) Description
689882 3-Major   When there are hundreds of conflicts identified during the import process, the UI is slow and sometimes appears hung


BIG-IQ Configuration - Local Traffic Fixes

ID Number Severity Solution Article(s) Description
673704 3-Major   Importing a PKCS#12 format archive file with an alias without a certificate or key fails
691830 4-Minor   BIG-IQ no longer accepts an MD5 Signature Passphrase value for the TCP base profile
653529-1 4-Minor   Deployment fails when attempting to deploy more than 4000 certs in a single deployment across multiple BIG-IPs
640043 4-Minor   You cannot delete a BIG-IP monitor from BIG-IQ


BIG-IQ Configuration - Network Fixes

ID Number Severity Solution Article(s) Description
687551 3-Major   Failure when importing route domain with names that contain the "%" character
670671-1 3-Major   Missing error message when user moves VLAN from Selected to Available in default route domain, when the VLAN is already in use by a self ip


BIG-IQ Deployment - Evaluate & Deploy Fixes

ID Number Severity Solution Article(s) Description
680817 2-Critical   Deployment of Access policy with an auto-discovered JWT OAuth provider


BIG-IQ Device User Interface Fixes

ID Number Severity Solution Article(s) Description
690348 3-Major   Viewing regkeys in regkey pool using an IE version 11 browser
684504 3-Major K11533021 Cannot activate stand-alone BIG-IP VEs
673680 3-Major   BIG-IP devices without slot information fail to display in software installations
658039 4-Minor   License reactivation fails when a EULA has changed


BIG-IQ Monitoring - Alerts & Notifications Fixes

ID Number Severity Solution Article(s) Description
647177 3-Major   BIG-IQ system performance with a high numbers of accumulated snapshots


BIG-IQ Monitoring - Dashboards & Reports Fixes

ID Number Severity Solution Article(s) Description
688275 3-Major   HTTP monitoring chart shows activity for DNS and SIP
671695 3-Major   Stats collection can cause BIG-IP CPU issues
651172 4-Minor   CSV downloads after session details dialog is opened


BIG-IQ System User Interface Fixes

ID Number Severity Solution Article(s) Description
682707 3-Major   Port 27017 must be open between the primary and secondary in order for HA to pair and function properly
668865-1 3-Major   Attempting to manually sync files in an HA pair may fail if a file sync task is in progress
655987-2 3-Major   Setting the Master Key in the setup wizard while upgrading devices with large configurations
690909 4-Minor   Deleting a self IP address used as the discovery address returns an error with incorrect mitigation


BIG-IQ Access Fixes

ID Number Severity Solution Article(s) Description
698680 3-Major   Error during deployment: The requested OAuth Profile Client Application (....) already exists in partition...
655123 3-Major   Network Access, LDAP, AD, CRLDP, TACACS+, and RADIUS server properties screens do not allow editing
642976 3-Major   Deployment diff shows unused objects to be deleted during deployment
659424 4-Minor   Deployment failure due to SAML object deletion
505455 4-Minor   Adding a device to Access Group fails: Unable to calculate working config ID


BIG-IQ Local Traffic & Management Fixes

ID Number Severity Solution Article(s) Description
683407-1 2-Critical   Import of ADC config fails for Traffic Selector using same IP address for source and destination
687096 3-Major   Eviction Policies: Low priority route domain and eviction policy are part of the same LTM deployment to a BIG-IP cluster
679698 3-Major   TM Options validation for Client SSL profile
674947 3-Major   Deleting and recreating a node in BIG-IP with different address causes import to fail
663919-1 3-Major   Pool Member Operator role cannot filter pools


AppIQ Fixes

ID Number Severity Solution Article(s) Description
656112 3-Major   Scroll bars on device health, device, traffic, DNS, and local traffic statistics
653467 3-Major   Retaining more than 10 hours of raw statistical data may cause chart timeouts when querying for Last Day or Last 12-hours of data


BIG-IQ Device Management Fixes

ID Number Severity Solution Article(s) Description
680915 3-Major   Cluster name after services are removed
670837 3-Major   iHealth upload task can fail if running for multiple managed devices


BIG-IQ Fraud Protection Service (FPS) Fixes

ID Number Severity Solution Article(s) Description
676528-1 3-Major   FPS: difficult to find the transform rule that transformed the alert
676418 3-Major   FPS: Transform rules on existing alerts failed with status: 400 error
676402-1 3-Major   FPS: CSV file contains unexpected contents when exporting alerts
672680 3-Major   Alerts marked with "drop" status
672340 3-Major   Disabling and enabling transform rules
672327 3-Major   Viewing FPS Unfiltered Alerts under the Advanced tab displays unexpected results
672115 3-Major   Mobile alert details not forwarded to SOC web service
670255 3-Major   Existing transform rule updates from the cloud dashboard are not updated on local (on-premise) BIG-IQ devices.
668192 3-Major   Need unique ID for FPS alerts when forwarding to external reporting system.
667524 3-Major   FPS: Searching alerts by account name
666672 3-Major   Filtering FPS Unfiltered Alerts by alert type displays non-matching results
666309 3-Major   Alert transform rules deleted by the Security Operations Center (SOC) WebService
626959 3-Major   FPS: Synchronizing of forwarding and transform rules to the Data Collection Devices


BIG-IQ Network Security Fixes

ID Number Severity Solution Article(s) Description
678846 2-Critical   Deploying a rule that refers to an IPv6 address list
678768 2-Critical   Verification warning when management interface's context rule has compatible IPv6 address and protocol
632799 3-Major   BIG-IQ cannot manage a BIG-IP 13.0.0 firewall rule with the "Send to Virtual" option


REST Framework and TMOS Platform Fixes

ID Number Severity Solution Article(s) Description
696914-1 2-Critical   Validation errors that occur during import/reimport can lock users out during large LTM configurations
680790 2-Critical   BIG-IQ prompts you to accept a previously-accepted signature
656828-2 2-Critical   Setting the master key after upgrading a system with a large configuration from 5.x to 5.2 could result in an unsuccessful encryption of objects.
691209 3-Major   Stat alert messages
681698 3-Major   Using libtar fails with files larger than 2 GB - impacts qkview
671437 3-Major   Post upgrade process for a Data Collection Device
654212 3-Major   Fixed several vulnerabilities in the RH kernel
642913 3-Major   BIG-IQ now has configurable maximum login attempts and lockout duration.
686004 4-Minor   BIG-IQ now removes the /var/tmp/toku_storage_temp directory after running the qkview command
670335 4-Minor   Changes to exported CSV Files


BIG-IQ Web Application Security (ASM) Fixes

ID Number Severity Solution Article(s) Description
689253 3-Major   ASM import configuration failure
677881 3-Major   Using XFF header names that contain hyphens in security policies
674895 3-Major   Upgrading from BIG-IQ version 5.1 for ASM
670683-1 3-Major   ASM Event Logs

 

Cumulative fix details for BIG-IQ CM v5.4.0 that are included in this release

698680 : Error during deployment: The requested OAuth Profile Client Application (....) already exists in partition...

Component: BIG-IQ Access

Symptoms:
When an OAuth profile is updated in the UI to use a new Client App or Resource Server, the second deployment to the device after that update fails.

Conditions:
An OAuth profile was updated in the UI to use a new Client App or Resource Server, and a second deployment to the device is attempted after that update.

Impact:
Device deployment fails.

Workaround:
1) Remove all client-apps and resource server on BIG-IQ oauth_profiles.
2) Deploy to devices.
3) Attach the client-apps and resource-servers to the BIG-IQ oauth_profiles.
4) Deploy to devices. This deployment should succeed.


696914-1 : Validation errors that occur during import/reimport can lock users out during large LTM configurations

Component: REST Framework and TMOS Platform

Symptoms:
On some large LTM configurations, validation errors that occur during import/reimport can lock the user out of the system.

The root cause is the large amount of memory required to back out the changes to the configuration, leading to an almost continuous execution of the Java Garbage Collector (GC), which stalls the system while trying to free memory.

Conditions:
Large LTM configurations, import or re-import a device triggering multiple validation errors.

Impact:
System locks out users and becomes unusable for long periods of time.

Workaround:
If this condition is encountered, restart BIG-IQ. Customers should then fix the BIG-IP configuration that's triggering the validation errors prior to attempting to import or reimport the BIG-IP device.

Fix:
The transaction subsystem has been refactored to reduce the amount of memory needed to roll back.


691830 : BIG-IQ no longer accepts an MD5 Signature Passphrase value for the TCP base profile

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
BIG-IQ requires re-entry for passwords, and other secure properties, to preserve their values on older BIG-IP 11.x.x devices. The base TCP profile became read-only in BIG-IP release 13.0.0. F5 guidance is to now discontinue the use of this profile. Consequently, it will no longer be possible to re-enter the MD5 Signature Passphrase value for the TCP base profile on BIG-IQ.

Conditions:
The base TCP profile became read-only in BIG-IP release 13.0.0. BIG-IQ can no longer deploy changes to this profile to BIG-IP versions 13.0.0 and greater. Since BIG-IQ must manage environments that contain multiple BIG-IP versions, a decision was reached to make the BIG-IQ instance of base TCP profile read-only.

Impact:
This condition will affect all usage of the base TCP profile when the base TCP profile contains a value for the MD5 Signature Passphrase property.

Workaround:
If you are using the base TCP profile, we strongly encourage you to replace it immediately, perhaps with a custom profile that defaults from the 'tcp-legacy' TCP profile. If you are using the base TCP profile, and it has an MD5 Signature Passphrase value, then you must replace the base profile with a custom profile in order to re-enter a value for the MD5 Signature Passphrase property and deploy successfully.

Fix:
To be consistent with BIG-IP guidance, the base TCP profile is now read-only on BIG-IQ.


691209 : Stat alert messages

Component: REST Framework and TMOS Platform

Symptoms:
Occasionally, due to timing issues, BIG-IQ would send an alert saying stats had not been received when in fact they either already had or were about to be received.

Conditions:
This happened during normal stats collection by a DCD.

Impact:
An alert was generated when it shouldn't be, which could be potentially confusing.

Fix:
This issue has been fixed and BIG-IQ no longer sends false positive alerts.


690909 : Deleting a self IP address used as the discovery address returns an error with incorrect mitigation

Component: BIG-IQ System User Interface

Symptoms:
If you try to delete a self IP address that was specified as the discovery address, BIG-IQ returns an error message with incorrect instructions about how to resolve the issue.

Conditions:
1. Configure BIG-IQ to use a self IP as the discovery address.
2. Try to delete the self IP.

Impact:
The message could cause confusion on how to address the issue.

Workaround:
User could update the discovery address through setup utility.

Fix:
BIG-IQ now displays the correct message and provides you a link to where you can reset the discovery address.


690348 : Viewing regkeys in regkey pool using an IE version 11 browser

Component: BIG-IQ Device User Interface

Symptoms:
When using Internet Explorer version 11, BIG-IQ does not display the list of regkeys for a regkey pool.

Conditions:
Only occurs when using IE version 11.

Impact:
regkeys don't display for regkey pools when using IE version 11.

Workaround:
To work around this issue, use a browser other than Internet Explorer version 11.

Fix:
BIG-IQ now properly displays the regkeys for a regkey pool in Internet Explorer version 11.


689882 : When there are hundreds of conflicts identified during the import process, the UI is slow and sometimes appears hung

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
During the process of importing a device where there are hundreds of conflicts between previously discovered objects and the objects found on the incoming device, the conflict resolution UI could appear hung up.

Conditions:
This would occur when the incoming device had hundreds of conflicting differences with items that were previously discovered.

Impact:
Users had difficulty resolving conflicts and completing the import of the device.

Workaround:
If the system identifies more than 500 conflicting differences, it allows only bulk-level resolution. You can resolve all conflicts by selecting either USE BIG-IP or USE BIG-IQ; item-by-item resolution is not allowed.

Behavior Change:
Prior to BIG-IQ version 5.4, BIG-IQ attempted to display all conflicts simultaneously. This caused the browser to slow down or lock up.

Starting in BIG-IQ version 5.4, BIG-IQ displays only 500 conflicts at a time. If there are more than 500, BIG-IQ returns a message of too many conflicts to display. At this point, select an option to resolve the conflicts without viewing the differences.


689253 : ASM import configuration failure

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When importing an ASM, it fails and displays the following errors in logs: AsmPolicySignaturesDifferencerTaskWorker] Size <size> is larger than MaxDocumentSize

Conditions:
This happens when there are conflicts on multiple policy signatures.

Impact:
ASM configuration import fails.

Fix:
This issue is now fixed and you can now successfully import the ASM configuration.


688275 : HTTP monitoring chart shows activity for DNS and SIP

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
In the Virtual Servers monitoring screen, the chart titled "HTTP Transactions" also shows activity for DNS & SIP.

Conditions:
DNS or SIP activity displays under the title of the HTTP Transaction activity

Impact:
This can be confusing.

Workaround:
Explain to users that the chart title is inaccurate and that the chart also includes DNS and SIP activity.

Fix:
We have changed the chart title to Transactions because it contains all activity for HTTP, DNS, and SIP transactions.


687551 : Failure when importing route domain with names that contain the "%" character

Component: BIG-IQ Configuration - Network

Symptoms:
Failed to import LTM service. An error like the following may occur:

"Property 'name' value 'default-inet6%2' has an invalid character that is not in the allowed set of characters '-a-zA-Z_.0-9'"

Conditions:
A route name contained a "%" character (the route-domain suffix).

Impact:
Cannot import LTM configuration.

Fix:
The special route names: any%1, default%1, any6%1, default-inet6%1 (where 1 is the route-domain) are now properly validated and allow the LTM service to be imported.


687096 : Eviction Policies: Low priority route domain and eviction policy are part of the same LTM deployment to a BIG-IP cluster

Component: BIG-IQ Local Traffic & Management

Symptoms:
Eviction policy deployment fails if a low priority route domain and an eviction policy are part of the same LTM deployment to a BIG-IP cluster.

Conditions:
1. New route domain is created at BIG-IQ; and
2. The new route domain is used to configure the low priority Route Domain strategy of an eviction policy (existing or new); and
3. both above are deployed to a BIG-IP cluster

Impact:
Deployment failure

Workaround:
Two phase deployment,
1) create new route domain at BIG-IQ, and deploy to BIG-IP cluster; then
2) Use that already deployed route domain to config eviction policy's low priority Route Domain strategy, and deploy to BIG-IP cluster again.

Fix:
This issue no longer occurs.


686004 : BIG-IQ now removes the /var/tmp/toku_storage_temp directory after running the qkview command

Component: REST Framework and TMOS Platform

Symptoms:
When you run the qkview command, BIG-IQ creates a /var/tmp/toku_storage_temp directory that contains temporary toku files.

Conditions:
When you run the qkview command on BIG-IQ

Impact:
This can cause the /var directory to fill up with unnecessary temporary files.

Workaround:
To work around this issue, remove the /var/tmp/toku_storage_temp directory after running the qkview command.

Fix:
BIG-IQ now removes the /var/tmp/toku_storage_temp directory after you run the qkview command.


684504 : Cannot activate stand-alone BIG-IP VEs

Solution Article: K11533021

Component: BIG-IQ Device User Interface

Symptoms:
Cannot activate certain standalone BIG-IP Virtual Editions on BIG-IQ.

Conditions:
Only a license generated from a Version Plus SKU can be activated on a BIG-IQ. Any SKU that does not end in V12, V13, or V16 is not a Version Plus SKU and cannot be activated on a BIG-IQ.

https://support.f5.com/csp/article/k15643

Workaround:
Purchase or trade in to a version Plus virtual edition.

Fix:
Purchase or trade in to a version Plus virtual edition.


683407-1 : Import of ADC config fails for Traffic Selector using same IP address for source and destination

Component: BIG-IQ Local Traffic & Management

Symptoms:
ADC config cannot be imported on to BIG-IQ device if it has Traffic Selectors with same source and destination IP address.

Traffic Selector cannot be created on BIG-IQ device if it has same source and destination IP address.

Conditions:
Traffic Selector validation blocks import of ADC config to BIG-IQ if it contains Traffic Selectors with same source and destination IP address. It also blocks creation of Traffic Selectors on BIG-IQ with same source and destination IP.

Impact:
BIG-IP config can not be imported on to BIG-IQ making it impossible to manage the device from BIG-IQ.

Workaround:
None.

Fix:
Removed the validation restriction that blocked Traffic Selectors with the same source and destination subnet.


682707 : Port 27017 must be open between the primary and secondary in order for HA to pair and function properly

Component: BIG-IQ System User Interface

Symptoms:
TCP port 27017 (the mongo protocol) must be open between the primary and secondary devices for HA to work correctly. Any firewall in the network path between the devices must allow this port in both directions, not just from the primary to the secondary. If it is not, HA pairing fails and the error indicates which node was unable to communicate with the other. If the firewall is changed after pairing, the HA status fails. Note that the local firewalls on the primary and secondary devices are configured automatically; this applies only to other firewalls in the network path.

Impact:
If port 27017 is not open between the two BIG-IQ systems in an HA pair, HA pairing will fail. If the port allowance is removed after pairing, the HA cluster will fail. After fixing the port allowance, it may be required to re-sync the secondary database to the primary. If, after fixing the port allowance, the HA status is indicating the secondary database is in a FAILED state, re-syncing the database should repair it.

Workaround:
Check that the TCP port 27017 is open in both directions between the two devices.
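A connectivity check for the workaround above, as an added example (not F5 code). It tests that TCP 27017 on the peer accepts a connection from this node; because a connection test only proves the direction it was run in, run it on both BIG-IQ systems so that both directions are covered. The peer address in the usage block is an RFC 5737 placeholder.

```python
import socket
from typing import Dict, Iterable

# Port BIG-IQ HA uses for mongo replication between the primary and secondary (per the release note).
HA_MONGO_PORT = 27017


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers connection refused, timeout, host unreachable and name-resolution failure.
        return False


def ha_preflight(peer: str, ports: Iterable[int] = (HA_MONGO_PORT,), timeout: float = 3.0) -> Dict[int, bool]:
    """Check each port on the HA peer from this node and return {port: reachable}.

    Run this on the primary against the secondary AND on the secondary against
    the primary: a firewall that permits only one direction still breaks pairing.
    """
    return {port: tcp_port_open(peer, port, timeout) for port in ports}


if __name__ == "__main__":
    import sys

    peer = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.11"  # placeholder peer address
    for port, reachable in ha_preflight(peer).items():
        print(f"{peer}:{port} {'open' if reachable else 'BLOCKED'}")
```

If the check passes on one node and fails on the other, the firewall rule is one-directional, which matches the pairing failure the note describes.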


681698 : Using libtar fails with files larger than 2 GB - impacts qkview

Component: REST Framework and TMOS Platform

Symptoms:
When you use programs, such as qkview for iHealth, BIG-IQ creates a .tar (tarball) file using libtar. If any of the files collected is greater than 2 GB, /bin/tar cannot read the output tar file and you will be unable to submit a qkview file to iHealth for analysis.

Conditions:
The file collected using libtar (through qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.

Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
To work around this issue, you can extract the qkview tarball with /usr/bin/libtar. The oversized file will be a zero-length file. Alternatively, remove the file greater than 2 GB before running qkview or another program that uses libtar.

Fix:
This issue is fixed.
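A pre-check for the second workaround, as an added example (not part of qkview or F5 code): it lists regular files over the 2 GB libtar limit under the directories to be collected so they can be moved aside before qkview runs. The default directory list is an assumption for the example; pass the directories qkview gathers on your system instead.

```python
import os
import stat
from typing import Iterable, List, Tuple

# libtar 1.2.11 tracks member sizes in a signed 32-bit integer; a file above this
# is written with a bogus size, which is why /bin/tar cannot read the result.
LIBTAR_MAX_BYTES = 2**31 - 1

# Assumed set of directories to scan; adjust to what qkview collects on your system.
DEFAULT_ROOTS = ("/var/log", "/shared", "/config")


def oversized_files(roots: Iterable[str], limit: int = LIBTAR_MAX_BYTES) -> List[Tuple[str, int]]:
    """Return (path, size) for every regular file under roots larger than limit, largest first.

    Files are lstat'ed, so a symlink to a large file elsewhere is not counted and
    symlink loops cannot occur; unreadable or vanished entries are skipped.
    """
    found: List[Tuple[str, int]] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # removed or unreadable between listing and stat
                if stat.S_ISREG(st.st_mode) and st.st_size > limit:
                    found.append((path, st.st_size))
    return sorted(found, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    import sys

    roots = sys.argv[1:] or DEFAULT_ROOTS
    hits = oversized_files(roots)
    for path, size in hits:
        print(f"{size:>14} {path}")
    print(f"{len(hits)} file(s) exceed {LIBTAR_MAX_BYTES} bytes; move them aside before running qkview")
```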


680915 : Cluster name after services are removed

Component: BIG-IQ Device Management

Symptoms:
Cluster name disappears after a service is removed from a device, even if LTM is still discovered and imported.

Conditions:
This happens only when using dynamic device groups that are available in any service except for "Device Operations".

Impact:
Defect and extra work load for customer.

Workaround:
This is fixed in BIG-IQ version 5.4.0. For previous releases you must update the dynamic device group making it available only in Device Operations service.


680817 : Deployment of Access policy with an auto-discovered JWT OAuth provider

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
When you deploy an Access policy with an auto-discovered JWT OAuth provider, it fails and BIG-IQ displays one of the following errors:

The last-discovery-time cannot be specified while creating Provider '/Common/OAuth_Policy-PingFedProvider'

The auto-generated attribute for JWT config
'/Common/auto_jwt_Comcast_provider' cannot be specified."

Impact:
OAuth Provider with auto-discovered JWT config needs to be configured manually on all BIG-IP devices belonging to an Access Group.

Workaround:
After creating a new Access Group, manually configure the auto-discovered JWT OAuth Provider on all BIG-IP devices in the Access Group.

For reimport and subsequent deployment scenario:
1. Remove the OAuth Provider from the device being reimported and all other devices to which subsequent deployment will happen.
2. Reimport the device.
3. Deploy the device.
4. Manually create and configure the auto-discovered JWT OAuth provider for all the devices from which it was removed in Step 1.

Fix:
This issue is now fixed. Deployment of Access policies with an auto-discovered JWT OAuth provider no longer fails.


680790 : BIG-IQ prompts you to accept a previously-accepted signature

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ systems configured in a high availability (HA) pair prompt you to accept a previously-accepted signature when you log in to a BIG-IP device through the command line.

Conditions:
This issue only impacts customers who use BIG-IQ to ssh into other devices from the BIG-IQ root command line.

Impact:
Running ssh-keygen -R (for example, when re-accepting a host key from the BIG-IQ command line) renames the original known_hosts symlink to known_hosts.old and creates a new regular known_hosts file from the old contents. This breaks the link to the /shared partition, so those entries are lost on upgrade.

Workaround:
For BIG-IQ version 5.2 and 5.3:
1. Disassociate the BIG-IQ systems in the HA pair.
2. Recover signatures by copying /shared/ssh/root/known_hosts to /root/.ssh/known_hosts.
3. Re-establish the HA pair.

To avoid this issue when you upgrade to BIG-IQ version 5.4, preserve the accepted host signatures by copying /root/.ssh/known_hosts to /shared/ssh/root/known_hosts.

Fix:
This issue has been fixed. Accepted signatures are now preserved.
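The pre-upgrade copy in the workaround can be made repeatable and safe to re-run. The following is an added example (not F5 code) that merges the entries of /root/.ssh/known_hosts into /shared/ssh/root/known_hosts and then re-points the live file at the shared copy, so the situation the Impact text describes (a regular file left behind by ssh-keygen -R) is repaired rather than overwritten. It assumes the live file is meant to be a symlink into /shared, as the note implies, and that an entry re-accepted in the live file should replace a stale entry for the same host and key type in the shared copy. The host keys in the usage notes below are constructed, not real keys.

```python
import os
from pathlib import Path
from typing import Dict, Tuple

# Paths named in the workaround for 680790.
LIVE_KNOWN_HOSTS = Path("/root/.ssh/known_hosts")
SHARED_KNOWN_HOSTS = Path("/shared/ssh/root/known_hosts")

Entry = Tuple[str, str]  # (host pattern or hashed host, key type), e.g. ("10.0.0.5", "ssh-ed25519")


def parse_known_hosts(text: str) -> Dict[Entry, str]:
    """Map (host, keytype) -> full line for each real entry; comments and blanks are dropped."""
    entries: Dict[Entry, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker shifts the fields
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed line
        entries[(fields[0], fields[1])] = line
    return entries


def is_preserved(live: Path = LIVE_KNOWN_HOSTS, shared: Path = SHARED_KNOWN_HOSTS) -> bool:
    """True when the live file is a symlink that resolves to the shared copy."""
    return live.is_symlink() and live.resolve() == shared.resolve()


def preserve_known_hosts(live: Path = LIVE_KNOWN_HOSTS, shared: Path = SHARED_KNOWN_HOSTS) -> int:
    """Merge live entries into the shared file and make live a symlink to it.

    Entries from the live file take precedence, so a key re-accepted after
    `ssh-keygen -R` replaces the stale entry instead of being lost.
    Returns the number of entries in the merged file.
    """
    merged: Dict[Entry, str] = {}
    if shared.exists():
        merged.update(parse_known_hosts(shared.read_text()))
    if live.exists() and not is_preserved(live, shared):
        merged.update(parse_known_hosts(live.read_text()))
    shared.parent.mkdir(parents=True, exist_ok=True)
    shared.write_text("".join(line + "\n" for line in merged.values()))
    os.chmod(shared, 0o600)
    if not is_preserved(live, shared):
        if live.exists() or live.is_symlink():  # regular file or dangling link left by ssh-keygen -R
            live.unlink()
        live.parent.mkdir(parents=True, exist_ok=True)
        live.symlink_to(shared)
    return len(merged)


if __name__ == "__main__":
    import sys

    live_path = Path(sys.argv[1]) if len(sys.argv) > 1 else LIVE_KNOWN_HOSTS
    shared_path = Path(sys.argv[2]) if len(sys.argv) > 2 else SHARED_KNOWN_HOSTS
    count = preserve_known_hosts(live_path, shared_path)
    print(f"{count} host key entries preserved in {shared_path}; {live_path} now links to it")
```

Run it before the upgrade (and again after any `ssh-keygen -R`), then confirm with `is_preserved()` that the live path is once more a link into /shared; re-running it is harmless because the merge is keyed on host and key type.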


680031 : Fixed Java Vulnerabilities

Solution Article: K91024405


679698 : TM Options validation for Client SSL profile

Component: BIG-IQ Local Traffic & Management

Symptoms:
Device discovery and import fails if the Client SSL profile's TM Options contains a value of "microsoft-sess-id-bug".

Conditions:
A BIG-IP device subject to discovery and import contains a Client SSL profile with a TM Option value of "microsoft-sess-id-bug".

Impact:
Customer is unable to Discovery/Import BIG-IP when Client SSL profile contains a TM Options value of "microsoft-sess-id-bug".

Workaround:
Client SSL validation for TM Options has been removed. Valid values are subject to change and TM-UI values are not authoritative.

Fix:
BIG-IQ can now discover and import devices that have a client SSL profile with TM Option value of "microsoft-sess-id-bug".


678846 : Deploying a rule that refers to an IPv6 address list

Component: BIG-IQ Network Security

Symptoms:
When you deploy a rule that refers to an IPv6 address list, BIG-IQ incorrectly returns an error.

Conditions:
When you:

• Have an IPv6 Mgmt IP address.
• Create an address list with an IPv6 address.
• Add a rule where src and dest refer to the address list.
• Create a deployment task.

Impact:
Generates false verification warning

Workaround:
You can ignore the warning and continue to deploy the task.

Fix:
BIG-IQ no longer returns a false warning.


678768 : Verification warning when management interface's context rule has compatible IPv6 address and protocol

Component: BIG-IQ Network Security

Symptoms:
If you create an address list with an IPv6 address and a rule refers to that list as its source and destination, the deployment task for that rule incorrectly returns the following verification warnings:

 o The address family in management IP address is different from those in <rule>
 o The address family or the management IP is different from the Address Family referred to by <rule>. This rule has an IPv6 address and IPv4 protocol

Conditions:
This happens when you:

• Have an IPv6 Mgmt IP address.
• Create an address list having an IPv6 address.
• Add a rule where src and dest refer to the address list.
• Create a deployment task.

Impact:
An incorrect verification warning about address-family compatibility is returned when the management context has an IPv6 address and the address list referenced by its rule also contains an IPv6 address.

Workaround:
You can ignore both of the erroneous verification warnings. They do not affect your deployment configuration or cause a deployment failure.

Fix:
This issue no longer occurs.


677881 : Using XFF header names that contain hyphens in security policies

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
BIG-IQ does not accept an XFF header name in a security policy if it contains a hyphen.

Conditions:
When you try to add an XFF header name with a hyphen to a security policy.

Impact:
BIG-IQ marks the field as red and you cannot save the security policy.

Fix:
BIG-IQ now can handle valid XFF header names with a hyphen in a security policy.
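Both 687551 (route names with a "%" route-domain suffix) and this issue are validators that rejected legitimate input. The following added example (not BIG-IQ code) reconstructs the two rules from what the notes state: the route-name charset is the one quoted in the 687551 error text, the special route names are the four listed in its Fix, and the header-name rule is the RFC 7230 token grammar, under which "-" is a valid character. Whether BIG-IQ accepts a "%" suffix on non-special route names is not stated on the page, so this version accepts it only on the listed names.

```python
import re

# Charset quoted in the 687551 error: '-a-zA-Z_.0-9'
_ROUTE_NAME = re.compile(r"^[-a-zA-Z_.0-9]+$")
# Special route names that may carry a %<route-domain> suffix (from the 687551 Fix).
_SPECIAL_ROUTES = {"any", "default", "any6", "default-inet6"}
# RFC 7230 "token": tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
# "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
_HTTP_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def valid_route_name(name: str) -> bool:
    """Accept names in the allowed charset, plus the special names with a numeric %<rd> suffix."""
    base, sep, route_domain = name.partition("%")
    if not _ROUTE_NAME.match(base):
        return False
    if not sep:
        return True  # no suffix: an ordinary route name
    return base in _SPECIAL_ROUTES and route_domain.isdigit()


def valid_header_name(name: str) -> bool:
    """Accept any RFC 7230 token as an XFF-style header name; hyphens are ordinary tchars."""
    return bool(_HTTP_TOKEN.match(name))


def check_all(route_names, header_names):
    """Return the inputs each validator rejects, so an import can report them before failing."""
    return {
        "bad_routes": [n for n in route_names if not valid_route_name(n)],
        "bad_headers": [h for h in header_names if not valid_header_name(h)],
    }
```

The point of the reconstruction is the shape of the fix: widen the grammar to what the upstream system actually produces (the "%" suffix, the hyphenated header name) rather than removing validation altogether, which 679698 resorted to for Client SSL TM Options.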


676528-1 : FPS: difficult to find the transform rule that transformed the alert

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When applying transform rules to FPS alerts, there is no clear indication which transform-rule was applied to which alert.

Conditions:
N/A

Impact:
This makes alert transform rules less useful.

Fix:
BIG-IQ now has a new field for the transform rule alert viewer page.


676418 : FPS: Transform rules on existing alerts failed with status: 400 error

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Applying a transform rule to an existing alert fails with the following error:

Alert modify task failed status:400, showing "failed to parse date field".

Conditions:
This happens when using timeframe (Last Hour, Last Day, Last Week) on specific timezones.

Impact:
Transform rules not applied as required.

Workaround:
To work around this, change the timezone of the client machine (the laptop or computer running the browser, not the BIG-IQ timezone) and use the UI to apply the transform rules.

The timezone has to be any time zone from UTC-1 to UTC-12.
Changing the timezone will give you the ability to execute the apply operation from the BIG-IQ user interface.

Fix:
BIG-IQ can now handle date formats and properly apply transform rules.


676402-1 : FPS: CSV file contains unexpected contents when exporting alerts

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
The alerts displayed in a CSV file for exported alerts do not contain the alerts selected for export.

Conditions:
N/A

Impact:
Alerts are not exported as expected.

Fix:
This issue is now fixed and exported alerts properly display in the CSV file.


674947 : Deleting and recreating a node in BIG-IP with different address causes import to fail

Component: BIG-IQ Local Traffic & Management

Symptoms:
If you delete a node from a BIG-IP device and re-create the node with the same name (but with a new IP address), BIG-IQ cannot rediscover and reimport the BIG-IP device.

Conditions:
Deleted a node from the target BIG-IP LTM and re-created the node with the same node name, but with a new IP address.

Impact:
Import fails with the following message:

Failed to copy configuration to working-config; reason: Failed copying from source to target:
java.lang.IllegalArgumentException: change node <NODE_NAME> address from <OLD_ADDRESS> to <NEW_ADDRESS> is not allowed

Workaround:
To work around this issue, remove the BIG-IP device from BIG-IQ and discover and import it again.


674895 : Upgrading from BIG-IQ version 5.1 for ASM

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
BIG-IQ upgrade fails with the following error: "TypeError: Cannot convert null to object" in tokuupgrade.log

Conditions:
This happens if an ASM policy is set with policy builder configuration with trustedTrafficSiteChangeTracking/untrustedTrafficSiteChangeTracking set to null.

Impact:
The upgrade fails, the system does not start.

Fix:
This issue no longer occurs after upgrading BIG-IQ.


673704 : Importing a PKCS#12 format archive file with an alias without a certificate or key fails

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
If you attempt to import a PKCS#12 format archive file with an alias that doesn't contain a certificate or key, it fails.

Conditions:
A PKCS#12 format file contains an alias that is missing a certificate or key.

Impact:
Importing the PKCS#12 file fails

Fix:
BIG-IQ can now import a PKCS#12 format archive file that contains an alias without a certificate or key.


673680 : BIG-IP devices without slot information fail to display in software installations

Component: BIG-IQ Device User Interface

Symptoms:
BIG-IQ does not display all BIG-IP devices when you add/remove devices for a software installation if the BIG-IP devices have missing slot information.

Conditions:
Some managed BIG-IP devices have missing volume slot information.

Impact:
BIG-IQ is unable to display all BIG-IP devices during software installations.

Fix:
BIG-IQ now displays devices for software installations even if the slot information is missing.


672680 : Alerts marked with "drop" status

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
BIG-IQ doesn't delete alerts with the drop status from its database when you apply transform rules.

Conditions:
If an existing alert status is changed to drop when new transform rules are applied to it, the alert incorrectly remains in the BIG-IQ alert list.

Impact:
This could cause the alert database to grow substantially, which could impact database capacity and product efficiency.

Workaround:
To avoid this, you can manually delete the alerts with status of drop from the list of alerts.

Fix:
This issue is resolved. BIG-IQ now properly deletes alerts with the status of drop.


672340 : Disabling and enabling transform rules

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
In some cases, you might want to test alerts (for example, because you think it might be a false positive) before applying a specific transform rule. Currently, the only way to do that is to export the rule, remove the rule, and after testing it, re-import it to BIG-IQ.

Conditions:
The transform rule needs to be removed from the BIG-IQ to test for false-positive alerts.

Impact:
Since you currently can't disable and enable transform rules, you have to resort to this inefficient and destructive way to test for false-positive alerts.

Workaround:
Export the rule from BIG-IQ, remove and re-import it after you test it.

Fix:
BIG-IQ now allows you to disable and enable transform rules. You can disable a transform rule, test it, then re-enable it.


672327 : Viewing FPS Unfiltered Alerts under the Advanced tab displays

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Unexpected results displayed in the Unfiltered Alerts under the Advanced tab.

Conditions:
This happens when alerts contain characters that have special meaning in a query string, such as '&'.

Impact:
Unexpected results display.

Fix:
The effect of such characters has been eliminated, and the alerts now display correctly.


672115 : Mobile alert details not forwarded to SOC web service

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
BIG-IQ does not forward mobile alert details to the SOC web service because they are not saved in a separate field.

Conditions:
Alert details for mobile alerts are not saved in a separate field when the alert is saved.

Impact:
Mobile alert details are missing when these alerts are forwarded to the SOC WebService.

Fix:
BIG-IQ now saves mobile alert details in a field and forwards it to the SOC WebService.


671695 : Stats collection can cause BIG-IP CPU issues

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
If a managed BIG-IP device is configured to collect statistics, its CPU usage might increase while BIG-IP transfers statistics files from the BIG-IQ Data Collection Device.

Conditions:
Statistics collection enabled on BIG-IQ/BIG-IP

Impact:
Excess CPU usage can cause issues with traffic management on BIG-IP

Workaround:
If this happens, either stop collecting statistics on a given BIG-IP, or reduce the overall load by changing the polling frequency (Devices -> BIG-IP DEVICES -> <Device> -> Statistics Collection -> Frequency)


671437 : Post upgrade process for a Data Collection Device

Component: REST Framework and TMOS Platform

Symptoms:
After you upgrade a Data Collection Device to BIG-IQ version 5.3, BIG-IQ returns the following restjavad.0.log error message:

[WARN][03 Jul 2017 12:29:54 PDT][/cm/shared/esmgmt/upgrade-prep/13366647-93b5-409c-84a6-969b395b268e/worker ESUpgradePrepTaskWorker] Unable to stop elasticsearch service for machine https://10.144.73.116/mgmt/cm/shared/esmgmt/cluster-task due to exception java.lang.Exception: 10.144.73.116 not found in any device-groups.


[WARN][03 Jul 2017 12:29:54 PDT][/cm/shared/esmgmt/upgrade-prep/13366647-93b5-409c-84a6-969b395b268e/worker ESUpgradePrepTaskWorker] java.lang.Exception: 10.144.73.116 not found in any device-groups.
        at com.f5.rest.common.DeviceAuthTokenCache.findDiscoveryGroupWithDevice(DeviceAuthTokenCache.java:282)
        at com.f5.rest.common.DeviceAuthTokenCache.access$200(DeviceAuthTokenCache.java:30)
        at com.f5.rest.common.DeviceAuthTokenCache$1.completed(DeviceAuthTokenCache.java:260)
...
...

Conditions:
Discover a Data Collection Device from the BIG-IQ using its self IP address, then upgrade to BIG-IQ 5.3.0

This error occurs only if the Data Collection device was discovered using its self IP.

Impact:
The event log listeners and stats data collection may not work correctly.

Workaround:
1. From BIG-IQ, navigate away from the System --> BIG-IQ DATA COLLECTION --> BIG-IQ Data Collection Devices screen.

2. Log out of the BIG-IQ system.

3. Run the following command on BIG-IQ:

restcurl cm/shared/esmgmt/upgrade-prep-accounting

Let's call the result of this "A". Save a copy of this result set; this is important.


4. Run the following command on BIG-IQ:

curl -X GET 'https://10.144.73.117/mgmt/shared/index/config?$filter=%27kind%27+eq+%27shared:resolver:device-groups:restdeviceresolverdevicestate%27+and+%27groupName%27+eq+%27cm-esmgmt-logging-group%27' -u "admin:password" -k | json-format


Let's call the result of this "B".


5. Compare these as follows:

if (A.machineId == B.machineId && A.managementAddress != B.address) {

   A.managementAddress = B.address

}


6. Update "A" with the new values after step #5 by patching the worker. Here's an example:

curl -X PATCH 'https://10.144.73.117/mgmt/cm/shared/esmgmt/upgrade-prep-accounting' -u "admin:f5site02" -k -d '{
    "deviceAndServicesStates": [
        {
            "machineId": "2b091c1f-b466-4389-af20-9b17f739f923",
            "managementAddress": "10.10.1.6",
            "hostname": "ip-10-144-73-116.mgmt.pdsea.f5net.com",
            "asmActivated": true,
            "fpsActivated": true,
            "accessActivated": true,
            "ipsecActivated": false,
            "asmListenerAddress": "10.10.1.6",
            "fpsListenerAddress": "10.10.1.6",
            "accessListenerAddress": "10.10.1.6"
        }
    ],
    "preUpgradeCurrentStep": "DONE",
    "postUpgradeCurrentStep": "",
    "isDataCollectionDevice": false,
    "lastBackupData": false,
    "preUpgradeCompleted": true,
    "lastPreUpgradeStartDateTime": "2017-07-03T19:29:53.869Z",
    "lastPreUpgradeEndDateTime": "2017-07-03T19:29:54.307Z",
    "postUpgradeCompleted": false,
    "lastPostUpgradeStartDateTime": "",
    "lastPostUpgradeEndDateTime": "",
    "lastPreUpgradeFailed": false,
    "lastPostUpgradeFailed": false,
    "hasDataCollectionDevices": true,
    "message": "All the listener services were correctly started.",
    "firstBoot": true,
    "preUpgradeSoftwareVersion": "BIG-IQ 5.2.0.0.0.5741",
    "kind": "cm:shared:esmgmt:upgrade-prep-accounting:esupgradeprepaccountingstate",
    "selfLink": "https://localhost/mgmt/cm/shared/esmgmt/upgrade-prep-accounting"
}'


NOTE: You have to correctly update the managementAddress field with the self-ip (address) of the Data Collection Device, set the preUpgradeCompleted field to true and postUpgradeCompleted field to false.

7. After patching, log in to BIG-IQ, and navigate to the System --> BIG-IQ DATA COLLECTION --> BIG-IQ Data Collection Devices screen. This will re-trigger the post-upgrade process which will complete in about 1 minute. Review the restjavad.0.log and see that there are no such warning messages:

[WARN][03 Jul 2017 12:29:54 PDT][/cm/shared/esmgmt/upgrade-prep/13366647-93b5-409c-84a6-969b395b268e/worker ESUpgradePrepTaskWorker] Unable to stop elasticsearch service for machine https://10.144.73.116/mgmt/cm/shared/esmgmt/cluster-task due to exception java.lang.Exception: 10.144.73.116 not found in any device-groups.
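The following helper is an added example, not F5 tooling, and it is not part of the original release note. It takes the two result sets "A" and "B" from steps 3 and 4 as already-fetched JSON (here replaced by constructed sample documents with RFC 5737 addresses), applies the step-5 comparison, sets the two flags the NOTE in step 6 requires, and emits the PATCH body for step 6. It also scans restjavad.0.log text for the ESUpgradePrepTaskWorker warning that step 7 says must no longer appear. The field names come from the page; the assumption that "B" arrives as an `items` list whose entries carry `machineId` and `address` is mine, as is the sample data.

```python
"""Reconciliation helper for the manual workaround in issue 671437.

Added example, not F5's own tooling. Works offline on constructed JSON.
Assumption: the step-4 query result ("B") is a document with an "items" list
whose entries carry "machineId" and "address" (the page's pseudo-code refers
to B.machineId and B.address).
"""
import json
import re

# Constructed stand-in for "A" (restcurl cm/shared/esmgmt/upgrade-prep-accounting).
SAMPLE_A = {
    "deviceAndServicesStates": [
        {"machineId": "00000000-0000-4000-8000-000000000001",
         "managementAddress": "192.0.2.116",   # stale value, not the DCD self IP
         "hostname": "dcd-1.example.test",
         "asmListenerAddress": "192.0.2.116"}
    ],
    "preUpgradeCompleted": True,
    "postUpgradeCompleted": True,
}

# Constructed stand-in for "B" (device-group state from shared/index/config).
SAMPLE_B = {
    "items": [
        {"machineId": "00000000-0000-4000-8000-000000000001",
         "address": "10.10.1.6"}               # the self IP the DCD is known by
    ]
}

# Matches the step-7 warning line quoted in the Symptoms section.
WARNING_RE = re.compile(
    r"^\[WARN\].*ESUpgradePrepTaskWorker\].*not found in any device-groups", re.M)


def reconcile(a, b):
    """Step 5: where A.machineId == B.machineId and A.managementAddress != B.address,
    set A.managementAddress = B.address. Returns (patched_copy, changed_machine_ids).
    The caller's "A" is left untouched, since the page says to keep a saved copy."""
    by_id = {item["machineId"]: item["address"] for item in b.get("items", [])}
    patched = json.loads(json.dumps(a))  # deep copy
    changed = []
    for state in patched["deviceAndServicesStates"]:
        addr = by_id.get(state["machineId"])
        if addr is not None and state["managementAddress"] != addr:
            state["managementAddress"] = addr
            changed.append(state["machineId"])
    # Step 6 NOTE: preUpgradeCompleted must be true, postUpgradeCompleted false.
    patched["preUpgradeCompleted"] = True
    patched["postUpgradeCompleted"] = False
    return patched, changed


def patch_body(a, b):
    """Return the JSON text for step 6, e.g. saved to body.json and sent with
    curl -X PATCH .../cm/shared/esmgmt/upgrade-prep-accounting -d @body.json"""
    patched, _ = reconcile(a, b)
    return json.dumps(patched, indent=4)


def device_group_warnings(log_text):
    """Step 7 check: return restjavad.0.log lines that still carry the warning."""
    return WARNING_RE.findall(log_text)


if __name__ == "__main__":
    print(patch_body(SAMPLE_A, SAMPLE_B))
    # Constructed log excerpt modelled on the message quoted in the Symptoms.
    sample_log = (
        "[INFO][03 Jul 2017 12:29:50 PDT][/shared/echo EchoWorker] ok\n"
        "[WARN][03 Jul 2017 12:29:54 PDT][/cm/shared/esmgmt/upgrade-prep/x/worker "
        "ESUpgradePrepTaskWorker] Unable to stop elasticsearch service for machine "
        "https://192.0.2.116/mgmt/cm/shared/esmgmt/cluster-task due to exception "
        "java.lang.Exception: 192.0.2.116 not found in any device-groups.\n"
    )
    print(device_group_warnings(sample_log))
```

The deep copy matters: the page tells you to keep an unmodified copy of "A", so the helper never mutates the object you loaded. An empty list from device_group_warnings after step 7 is the condition the page describes as success.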

Fix:
The system with BIG-IQ and Data Collection Devices has been successfully upgraded.


670837 : iHealth upload task can fail if running for multiple managed devices

Component: BIG-IQ Device Management

Symptoms:
iHealth upload task fails with a message similar to:

Request for POST on localhost failed: Duplicate item. Key already exists: name : H00329831

Conditions:
This can occur when an upload task is running for multiple managed devices simultaneously and more than one of them attempts to add a new diagnostic that doesn't already exist in BIG-IQ.

Impact:
The device report fails to generate.

Workaround:
Try to run the iHealth upload task again.

Fix:
This error no longer occurs.


670683-1 : ASM Event Logs

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Some request violations display in the ASM Event Logs with the following error: "Error! The system failed to parse the request"

Conditions:
This might happen when an evasion-detected violation is reported.

Impact:
An error message is shown and could potentially be confusing.

Fix:
BIG-IQ now properly displays request violations in the ASM Event Logs.


670671-1 : Missing error message when user moves VLAN from Selected to Available in default route domain, when the VLAN is already in use by a self ip

Component: BIG-IQ Configuration - Network

Symptoms:
BIG-IQ allows a user to move a VLAN from Selected to Available in the default (id 0) route domain screen after this VLAN has been assigned to a self IP.

Conditions:
A VLAN in route domain 0 is referenced by a self IP.

Impact:
A user will not be able to deploy to the device until the VLAN is moved to Selected in the route domain 0 screen.

Workaround:
Edit route domain 0 by moving the VLAN from Available to Selected.


670335 : Changes to exported CSV Files

Component: REST Framework and TMOS Platform

Symptoms:
To prevent malicious code from being injected into exported CSV files, we treat any field that starts with @, +, -, =, or %, or that contains the pipe character "|", as potentially dangerous. To mitigate the risk, we escape pipe characters as "\|" and prepend a single quote and a tab character to any cell that starts with one of the problematic characters (=2+2 becomes ' =2+2). Spreadsheet applications then treat these fields as text, with no impact on performance or visual appearance other than the additional characters. However, if these files are loaded into other systems, those systems will read the added characters, which may change how the file is interpreted.

Conditions:
A CSV file includes cells that start with one of @, +, -, =, % or include "|".

Impact:
If an affected cell is modified, that cell may not be read properly when loaded into another system. If no cell has these properties, existing behavior is unchanged; if a cell does have these properties, only that cell is affected.

Workaround:
Manually edit affected cells before loading them into another system.

Fix:
CSV exports are sanitized.
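The sanitization rules described above, written out as an added example that is not BIG-IQ's code. It shows both the protective transform and the side effect the Impact section warns about: a legitimate negative number such as "-1" is also neutralized and will no longer parse as a number in a downstream system. One assumption is mine: the page's "single quote and tab character" prefix is emitted literally as the two characters ' and TAB, with the whitespace in the page's ' =2+2 example read as the tab.

```python
"""CSV export sanitization as described for issue 670335 (added example).

Not BIG-IQ's implementation. Assumption: the neutralizing prefix is the two
characters "'" followed by a TAB.
"""
import csv
import io

# Leading characters that spreadsheet applications may interpret as a formula.
FORMULA_TRIGGERS = ("@", "+", "-", "=", "%")
PIPE = "|"
NEUTRALIZING_PREFIX = "'\t"


def sanitize_cell(value):
    """Return the cell text made safe for spreadsheet import.

    Rules taken from the page's description:
      * every "|" is escaped as "\\|";
      * a cell starting with one of @ + - = % gets the prefix "'" + TAB.
    None becomes an empty string; other non-strings are converted with str().
    """
    text = "" if value is None else str(value)
    escaped = text.replace(PIPE, "\\" + PIPE)
    if escaped.startswith(FORMULA_TRIGGERS):
        return NEUTRALIZING_PREFIX + escaped
    return escaped


def is_affected(value):
    """True when the sanitizer would alter this cell (the page's Conditions)."""
    text = "" if value is None else str(value)
    return text.startswith(FORMULA_TRIGGERS) or PIPE in text


def export_rows(rows, header):
    """Serialize rows to CSV text, sanitizing every data cell (header untouched)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample export; not real BIG-IQ data.
    rows = [
        ("vs_http", "10.0.0.1:80", "enabled"),
        ("=2+2", "192.0.2.10", "a|b"),
        ("-1", "+HYPERLINK(...)", "@sum"),
    ]
    print(export_rows(rows, ("name", "destination", "note")))
```

Only cells that is_affected() flags are changed, so an export with no such cells is byte-for-byte what it was before; that is the "no changes from existing behavior" statement in the Impact section.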


670255 : Existing transform rule updates from the cloud dashboard are not updated on local (on-premise) BIG-IQ devices.

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When configuring import of transform rules from a WebService and using the SOC as the WebService, changes made by the FPS SOC to existing rules might not be updated on the BIG-IQ system.

Conditions:
Happens when the SOC or any other F5 FPS dashboard is used as the source of rules.

Impact:
Existing rules are not updated.

Workaround:
Delete the alert transform rule from BIG-IQ, delete the current alert transform rule import schedule and create a new alert transform rule import schedule.

Fix:
When importing transform rules from the SOC cloud dashboard to an on-premise BIG-IQ, all alerts in the BIG-IQ are now updated correctly.


668865-1 : Attempting to manually sync files in an HA pair may fail if a file sync task is in progress

Component: BIG-IQ System User Interface

Symptoms:
When viewing the BIG-IQ HA Settings page, the user is presented with a "Sync Files" button, allowing users to manually begin syncing files across an HA pair.

While this is already done automatically, users can manually start a file sync task. Only one of these tasks can run at a time, so if users begin a file sync task while one is in progress, the UI will present an error dialog. After closing the error dialog, a second dialog will appear which may show confusing information like a red error icon with text like "file sync successful".

Conditions:
The BIG-IQ is in an HA pair, and a file sync task is in progress.

Impact:
The user who attempts to start a second file sync task will see an error dialog followed by a second dialog with confusing text.

Workaround:
Close the dialog(s) after clicking "Sync Files" and receiving an error. This error will have no negative impact on the system.


668192 : Need unique ID for FPS alerts when forwarding to external reporting system.

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
There are no identifiers to correlate alerts with external reporting systems.

Conditions:
This happens when you use external reporting systems.

Impact:
It is hard to correlate between alerts shown there and the alerts displayed on the BIG-IQ dashboard.

Fix:
You can now forward the ID field of an alert to the external system using the web service configuration. To do this, include '{id}' in the forwarding rule format.


667524 : FPS: Searching alerts by account name

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
There is no option to search for alerts using the account name.

Conditions:
N/A

Impact:
You can't search by account name.

Fix:
Starting in this release, you can search alerts by account name from the Advanced filter.


666672 : Filtering FPS Unfiltered Alerts by alert type displays non-matching results

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When filtering FPS Unfiltered Alerts by alert type, BIG-IQ displays alerts that don't match the filter.

Conditions:
Happens when filtering FPS unfiltered alerts.

Impact:
Search is showing unexpected results.

Fix:
BIG-IQ now displays the filtered FPS alert types correctly.


666309 : Alert transform rules deleted by the Security Operations Center (SOC) WebService

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When you import alert transform rules from the SOC WebService, any rules deleted by the SOC might not be removed from the BIG-IQ system.

Conditions:
This happens when the SOC, or any other F5 FPS dashboard, is used as the source of the alert transform rules.

Impact:
Existing transform rules are not deleted.

Workaround:
Delete the alert transform rules from the BIG-IQ, and create a new alert transform rules import schedule.

Fix:
The alert transform rules are now properly synchronized between the SOC and BIG-IQ.


663919-1 : Pool Member Operator role cannot filter pools

Component: BIG-IQ Local Traffic & Management

Symptoms:
Users created under the Pool Member Operator role can see pools, but they cannot filter them.

Conditions:
User in pool member operator role attempting to filter pools.

Impact:
Users created under the Pool Member Operator role can see pools, but they cannot filter them.


659424 : Deployment failure due to SAML object deletion

Component: BIG-IQ Access

Symptoms:
This symptom observed on BIG-IQ is caused by a defect on BIG-IP systems.

This defect happens when BIG-IQ attempts to delete unreferenced SAML objects on deployment.

When this happens, the deployment will fail, and the following message will be displayed:


Failed submitting iControl REST transaction 1487875767493967: status:400, body:{"code":400,"message":"transaction failed:01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/ipd.cooper.local because it is being used by aaa-saml-server (/Common/saml_sp)","errorStack":[],"apiError":1}

Conditions:
When unreferenced SAML objects are deleted by BIG-IQ at time of deployment.

Impact:
Failure to perform a BIG-IQ deployment.

Workaround:
Customers can administer BIG-IP and remove the unused SAML objects, or reference them from a dummy Access Policy. Alternatively, BIG-IP systems can be upgraded once appropriate hotfixes are available.


658039 : License reactivation fails when a EULA has changed

Component: BIG-IQ Device User Interface

Symptoms:
If you try to reactivate a license when the EULA has changed, you get a message similar to: "The system returned an unexpected error (400 Bad Request). Validation of PATCH failed."

Conditions:
This can happen for utility, volume, and FPS licenses if you navigate away from the license properties page before accepting the new EULA.

Impact:
License fails to complete the reactivation.

Workaround:
This issue won't occur if you click the "Accept" button at the bottom of the screen before you navigate away from the license properties screen.


656828-2 : Setting the master key after upgrading a system with a large configuration from 5.x to 5.2 could result in an unsuccessful encryption of objects.

Component: REST Framework and TMOS Platform

Symptoms:
After upgrading the BIG-IQ system from 5.x to 5.2, when the user logs into the BIG-IQ UI, the user will be required to go through the setup wizard. When the master key passphrase is entered and the Next button clicked, the master key is created and the encryption upgrade starts.

The following two symptoms can occur:

Symptom 1:
If the encryption upgrade does not finish within five minutes, the user will see a 504 gateway timeout exception in the UI. This is a possible indication that the encryption upgrade will not succeed, so the user should click the Dismiss button, log out from the UI, and check to see if symptom 2 occurs after waiting another five minutes.

Symptom 2:
If the encryption upgrade does not complete in ten minutes, in the /var/log/restjavad.0.log file the following error message is observed:

[ERROR][12 Apr 2017 11:07:00 EDT][/cm/shared/secure-storage/masterkey SecureStorageMasterkeyGenerator] The BIG-IQ ran into error 'Encryption upgrade has failed to run to completion due to Timed out during execution of command. This may result in some attributes that are encrypted with the old encryption scheme that need to be manually upgraded.' when upgrading encrypted values. This may cause some encrypted values to be unusable.

If Symptoms 1 and 2 are both seen, the customer should proceed with the workaround.

Conditions:
The pre-upgrade 5.x system has a large number of objects requiring encryption.
Example:
If the BIG-IQ system managed several hundred BIG-IP devices, had several hundred rules, and so on (a very large system), then such a system could have an issue setting the encryption master key upon first logging in to the BIG-IQ 5.2 UI after upgrading to 5.2.

Impact:
If the encryption upgrade fails, the upgraded BIG-IQ system will be unstable. There will be several errors in the product and in the log files.

Workaround:
If both symptoms 1 and 2 are seen, the customer can work around the issue as follows:

1. Log in to the BIG-IQ shell (not the UI)
2. cd /var/config/rest/tokuupgrade/encryption
3. sh run_encryption_upgrade.sh
4. Wait for the execution of this command to complete. When the execution completes, the following message will be displayed: "The Encryption upgrade script is complete"
5. Log back in to the UI and finish executing the setup wizard.


656112 : Scroll bars on device health, device, traffic, DNS, and local traffic statistics

Component: AppIQ

Symptoms:
When viewing graphs of statistical data for device health, device traffic, DNS, or local traffic graph pages, there are no scroll bars allowing you to scroll up and down to view content unable to fit in the browser window.

Conditions:
This occurs when viewing the graph data described in the title.

Impact:
You may not notice additional graphs hidden from view.

Workaround:
To scroll down to view graphs unable to fit in your browser window, you can do one of the following:

1. If your mouse has a wheel used for scrolling, position the mouse in the graphing panel, then you can scroll up and down using the wheel.

2. Click in the graph panel, then use the up-arrow, down-arrow, page-up, and page-down keys to scroll.

3. Resize your browser window so that all charts fit into the window.

Fix:
This issue is now resolved.


655987-2 : Setting the Master Key in the setup wizard while upgrading devices with large configurations

Component: BIG-IQ System User Interface

Symptoms:
When setting the Master Key, the request might run for a long time and may time out. If the request times out, it was likely still successful but is taking some extra time to complete due to the existing configuration on the system.

Conditions:
The BIG-IQ is running a large configuration, and is upgraded to the latest BIG-IQ version.

Impact:
You might need to wait until the Master Key is established on the device. After the request times out, wait for a few minutes and refresh the page. If the page tells you that the Master Key has already been set, you can safely complete the setup wizard.

Fix:
This issue no longer occurs.


655123 : Network Access, LDAP, AD, CRLDP, TACACS+, and RADIUS server properties screens do not allow editing

Component: BIG-IQ Access

Symptoms:
If you click an instance of one of the following objects, the properties screen does not open, preventing you from editing the object:

LDAP, AD, CRLDP, TACACS+, or RADIUS server.

Conditions:
This happens after importing or reimporting Access.

This is because the pool used by the LDAP, AD, CRLDP, TACACS, or RADIUS server object instance does not exist in LTM.

Similarly, the route domain used by the Network Access object does not exist in LTM.

Impact:
Network Access, LDAP, AD, CRLDP, TACACS, and Radius server objects could not be edited.

Workaround:
To work around this issue, rediscover and reimport the BIG-IP device that the object belongs to (LDAP, AD, CRLDP, TACACS, or Radius server).

Fix:
The LDAP, AD, CRLDP, TACACS+, and RADIUS server properties screens now open properly, allowing you to edit the objects.


654212 : Fixed several vulnerabilities in the RH kernel

Component: REST Framework and TMOS Platform

Symptoms:
CVE-2017-6214 CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 CVE-2016-6136 CVE-2016-9555 CVE-2017-6074 CVE-2016-4998 CVE-2016-6828 CVE-2016-7117 were found.

Conditions:
Vulnerabilities

Impact:
Vulnerabilities

Fix:
CVE-2017-6214 CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 CVE-2016-6136 CVE-2016-9555 CVE-2017-6074 CVE-2016-4998 CVE-2016-6828 CVE-2016-7117 were fixed.


653529-1 : Deployment fails when attempting to deploy more than 4000 certs in a single deployment across multiple BIG-IPs

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Attempting to deploy more than 4000 certificates and key objects will result in deployment failure

Conditions:
Trying to deploy more than 4000 certificates and keys across multiple BIG-IPs

Impact:
Deployment fails and the 'restjavad' daemon must be restarted using the TMSH command 'bigstart restart restjavad' on BIG-IQ to get the device fully operational again, as BIG-IPs may be marked as unavailable.

Workaround:
Split the deployment by either reducing the number of devices or number of certificates and keys per deployment


653467 : Retaining more than 10 hours of raw statistical data may cause chart timeouts when querying for Last Day or Last 12-hours of data

Component: AppIQ

Symptoms:
When viewing data for Last 12 hours or Last Day for Virtual Servers or Pool and Pool Members, you may see timeouts when BIG-IQ attempts to display the data.

Conditions:
This occurs from a confluence of several potential items:
1. The default retention for the raw data time layer is set at greater than 10 hours.
2. Your environment does not have sufficient Data Collection devices to support the scale of your environment.
3. The storage for your Data Collection devices is too slow.

Impact:
Charts for virtual server and pool & pool member inspector pages may show timeouts when querying for last 12 hours and last day of data.

Workaround:
The BIG-IQ uses the raw time layer for the 12-hour and Last Day queries if the retention policy for the raw time layer is greater than 12 hours and 24 hours respectively. This causes a significant I/O burden to fulfill the query request. In some cases, this may be due to poor storage I/O performance for your Data Collection device(s) and/or not enough Data Collection devices to serve the needs of your environment. The BIG-IQ supports up to 5 Data Collection devices for collection of statistical data. When configuring virtual instances of Data Collection devices, ensure the underlying physical storage is spread out across physical disks, rather than shared on the same physical disk. If the issue cannot be resolved with infrastructure changes, you can change the raw time layer default back to 10 hours.

Fix:
This issue is now fixed.


651172 : CSV downloads after session details dialog is opened

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
When you click the CSV download button after viewing the details for the VDI Access Application, the download fails.

Conditions:
This happens only after session details dialog is opened.

Impact:
Minimal

Workaround:
To work around this issue, refresh the browser and click the CSV download button again.

Fix:
This issue no longer occurs.


647177 : BIG-IQ system performance with a high numbers of accumulated snapshots

Component: BIG-IQ Monitoring - Alerts & Notifications

Symptoms:
When managing large configurations with BIG-IQ, accumulated configuration snapshots can consume significant database resources. This can slow system performance when viewing large collections of objects in the UI or when performing deployment evaluation and/or new device discovery.

Conditions:
Managing large configurations.

Impact:
System performance may be affected.

Workaround:
If this happens, navigate to the Deployment->Snapshots menu, view the snapshots for each service, and delete old snapshots. You can delete several at once by selecting them and clicking the delete button. After you delete the old snapshots, verify that system performance has returned to normal.

Fix:
System performance is no longer impacted by the number of stored snapshots.


642976 : Deployment diff shows unused objects to be deleted during deployment

Component: BIG-IQ Access

Symptoms:
Unused objects are deleted when you deploy a configuration change. The deployment diff shows objects to be deleted.

Conditions:
These objects are not used in the policy that gets deployed to device from BIG-IQ.

Impact:
Objects that are not used in policy in BIG-IP will get deleted.

Workaround:
From BIG-IQ, create a dummy policy that is not assigned to a virtual server and assign those objects to the corresponding agents in that policy. This ensures those objects are not deleted during deployment, because they're associated with a policy.

Fix:
Unused objects are no longer deleted when you deploy a configuration change.


642913 : BIG-IQ now has configurable maximum login attempts and lockout duration.

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ allowed local users 5 failed login attempts before being locked out for 5 minutes. This was not configurable.

Impact:
Customers were not able to configure login configuration settings.

Fix:
You can now specify how many failed login attempts a locally-authenticated user is allowed before they get locked out.


640043 : You cannot delete a BIG-IP monitor from BIG-IQ

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Due to a defect on BIG-IP, BIG-IQ is unable to deploy changes that delete monitors.

Conditions:
This occurs when you try to delete a BIG-IP monitor from BIG-IQ.

Impact:
You can't delete a BIG-IP monitor from BIG-IQ.

Workaround:
You can delete unused monitors directly on a BIG-IP device, but the monitors will still display on BIG-IQ.


632799 : BIG-IQ cannot manage a BIG-IP 13.0.0 firewall rule with the "Send to Virtual" option

Component: BIG-IQ Network Security

Symptoms:
BIG-IQ does not support a firewall rule that includes the send to virtual option introduced in BIG-IP version 13.0.0.

Impact:
If a firewall rule with "Send to Virtual" configured is modified from BIG-IQ, the "Send to Virtual" configuration on that rule is cleared.

Workaround:
If the "Send to Virtual" option must be used on a BIG-IP 13.0.0 device, following a deployment from a BIG-IQ that clears the configuration, the configuration must be manually re-entered on the BIG-IP.

Fix:
BIG-IQ now supports the BIG-IP device's "Send to Virtual" rule option for firewall rules and rule lists.


626959 : FPS: Synchronizing of forwarding and transform rules to the Data Collection Devices

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
There is no indicator of synchronization for rules to the Data Collection Devices.

Conditions:
This happens when changes are made to the forwarding/transform rules for FPS alerts.

Impact:
The issue makes it hard to troubleshoot issues with forwarding/transform rules.

Fix:
BIG-IQ now displays the status of rules synchronization.


505455 : Adding a device to Access Group fails: Unable to calculate working config ID

Component: BIG-IQ Access

Symptoms:
Adding a device to an Access group fails when a device-specific object on the non-source device refers to an object that does not exist on the source device.

Conditions:
Adding a device to Access Group fails when there exists a shared object that is referred from a "Device-specific" object in the device being added.

Impact:
The device cannot be added to the Access Group.

Workaround:
To identify and resolve the issue, look into logs for errors such as "Failed to re-work references" and "Unable to calculate working config id". The logs will have information on the type of object that needs to be fixed on the BIG-IP system.



Known Issues in BIG-IQ CM v5.4.x


BIG-IQ Configuration - Access Issues

ID Number Severity Solution Article(s) Description
697674 3-Major   Object is not visible after User with a custom Role marks it as a device specific
695139 3-Major   Reimport shared allows reimport from a different device version than that of the group.
686870 3-Major   User with Custom Role Type in strict mode cannot see an object they just created
686834 3-Major   Creating certain ACL objects
686162-1 3-Major   OAuth Profile deployment fails with JWK config failed trust verification with trusted CA bundle
685310-1 3-Major   Adding/reimport device to an Access Group
634100 4-Minor   Possible user conflict when editing access policies


BIG-IQ Configuration - Local Traffic Issues

ID Number Severity Solution Article(s) Description
671693 3-Major   BIG-IQ fails to import BIG-IP v11.x LTM profiles that reference certificates with names containing special characters


BIG-IQ Deployment - Evaluate & Deploy Issues

ID Number Severity Solution Article(s) Description
693594 4-Minor   Access deployment to BIG-IP HA Pair


BIG-IQ Device User Interface Issues

ID Number Severity Solution Article(s) Description
698430-1 3-Major   Attempts to backup over 500 BIG-IP devices fail


BIG-IQ Monitoring - Dashboards & Reports Issues

ID Number Severity Solution Article(s) Description
698670-1 3-Major   Exporting Network Access Connections Dashboard to CSV
639896 3-Major   Cannot view SWG Reports and download CSV Reports from standby BIG-IQ system


BIG-IQ System User Interface Issues

ID Number Severity Solution Article(s) Description
687048-1 3-Major   BIG-IQ backups on large configurations with encryption enabled may fail due to insufficient memory


BIG-IQ Access Issues

ID Number Severity Solution Article(s) Description
660828 2-Critical   Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"
698644 3-Major   Pinning Policy evaluation
612292 3-Major   Customization file changes are not deployed when customization template and customization group objects are created in deployment


BIG-IQ Local Traffic & Management Issues

ID Number Severity Solution Article(s) Description
698569-1 3-Major   Deployment of eviction policy deletion can disconnect an 11.6.x BIGIP HA cluster
697847-1 3-Major   Device RMA for Local Traffic can be incomplete if the device has IPFIX or Remote High-Speed Log Destinations
697478-1 3-Major   SSL file operation fails for non-admin user with error "Unable to add file to storage"
691185 4-Minor   LTM Profiles: (from pre-v12 BIG-IP) Inherited secure fields are not flagged for needing re-entry
688198-1 4-Minor   Log Filter device pinning for referenced Log Publisher
597135-1 4-Minor   Interfaces for VCMP guests can be disabled from BIG-IQ.


BIG-IQ Configuration - Infrastructure Issues

ID Number Severity Solution Article(s) Description
693515-1 3-Major   A '+' character in a log profile name causes import to fail
689374 3-Major   Discovery of DSC clustered BIG-IPs fails due to secure value decryption error


BIG-IQ Device Management Issues

ID Number Severity Solution Article(s) Description
697141 3-Major   Health statistics for managed devices after upgrading to BIG-IQ version 5.4
692135-1 4-Minor   Stats collection agent out of date alert


BIG-IQ DNS Management Issues

ID Number Severity Solution Article(s) Description
673763-1 3-Major   Wide IP grid shows incorrect number of associated pools


BIG-IQ Fraud Protection Service (FPS) Issues

ID Number Severity Solution Article(s) Description
688609-1 3-Major   FPS: Changes to web service configuration are populated to data collection devices with some delay
635584-3 3-Major   BIG-IQ setup wizard fails with "Cannot delete IP X.X.X.X because it would leave a route unreachable"


BIG-IQ Network Security Issues

ID Number Severity Solution Article(s) Description
695669-1 3-Major   Deploying from Network Security or Web Application Security removes the virtual server from the BIG-IP if it is deleted from LOCAL TRAFFIC
693907-1 3-Major   Deleting an imported blacklist publisher with a user-defined blacklist category
678664 3-Major   Policy and Rule List rules do not support the Protocol Inspection Profile or Classification Policy configuration options supported by BIG-IP version 13.1.0
632900 3-Major   Bot Signatures/Bot Signature Categories User Defined Flag Behavior
691239 4-Minor   Failure to discover BIG-IP device with "Failed to decrypt" message
638131 4-Minor   Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail when Proactive Bot Defense is enabled
582701 4-Minor   HTML Report fails to render in IE and Edge browsers


REST Framework and TMOS Platform Issues

ID Number Severity Solution Article(s) Description
694788-1 2-Critical   Custom role in Relaxed Mode containing Address List resources provides very broad read access
693497-1 3-Major   Creating or editing a custom Resource Group with multiple Access (APM) objects selected
693399-1 3-Major   Changes popup does not have a loading indicator
693215-1 3-Major   Creating custom Resource Groups
689279-1 3-Major   Removing the last DCD in a cluster
686699 3-Major   User with a custom Role is not able to create SecurID object for Access (APM)
686125 3-Major   User is not able to mark Access objects as shared
665639 3-Major   Amazon EC2 Abuse Report upon a new deployment of BIG-IQ AMI instance
651149-1 3-Major   Grid refresh problem may cause some screens to display only a subset of the available rows
691531 4-Minor   Resource Group form's preview section


BIG-IQ Web Application Security (ASM) Issues

ID Number Severity Solution Article(s) Description
698460-1 3-Major   Editing the session tracking policy sub-collection when an individual login page was selected
697588 3-Major   ASM: deployment for signature configuration changes
694675-1 3-Major   Configuration import for multiple large policies
685564 3-Major   ASM: deploy failure when using server technologies
685257 3-Major   Deployment of Server Technology ASM policy changes
658702 3-Major   After upgrading BIG-IQ to 5.2.0, already discovered 11.5.4 devices may fail on Web App Security rediscovery.
639347-1 3-Major   Creating or removing a custom signature
670913 4-Minor   Unexpected configuration differences after deployment for matchesWithinHeader field for custom signature changes


BIG-IQ Shared Security Issues

ID Number Severity Solution Article(s) Description
699069-1 2-Critical   Deployment of DoS Profiles to BIG-IP versions 13.0.0 and higher requires the Application Security Module provisioned on the BIG-IP


Known Issue details for BIG-IQ CM v5.4.x

699069-1 : Deployment of DoS Profiles to BIG-IP versions 13.0.0 and higher requires the Application Security Module provisioned on the BIG-IP

Component: BIG-IQ Shared Security

Symptoms:
Deployment of the Network Security configuration to a BIG-IP running version 13.0.0 or higher fails, if the BIG-IP does not have the Application Security Module (ASM) provisioned and a DoS Profile change exists.

Conditions:
The BIG-IP is running a version at or above 13.0.0, the Application Security Module is not provisioned and a DoS Profile change exists in the deployment evaluation.

Impact:
The user will not be able to manage DoS Profiles on a BIG-IP using the BIG-IQ if the BIG-IP version is 13.0.0 or higher and the Application Security Module is not provisioned on the BIG-IP. All Network Security deployments will fail as long as a DoS Profile deployment change is part of the deployment and the conditions are met.

Workaround:
In order for DoS Profiles to be managed by the BIG-IQ, the Application Security Module must be provisioned in at least the Minimum provisioning setting. This can be accomplished even if the BIG-IP does not have a license for the Application Security Module.
If it is not feasible to provision the Application Security Module on the BIG-IP, then management of DoS Profiles must occur directly on the BIG-IP and the new configuration reimported into the BIG-IQ configuration. This will allow management of all other Network Security device configuration to occur via the BIG-IQ.


698670-1 : Exporting Network Access Connections Dashboard to CSV

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
An error message appears when you try to export the Network Access Connections dashboard to CSV.

Conditions:
When you click the Export button on the Network Access Connections Dashboard.

Impact:
Cannot export Network Access Connections Dashboard Data to CSV.


698644 : Pinning Policy evaluation

Component: BIG-IQ Access

Symptoms:
When deploying a pinning policy evaluation, it fails with the following error:
"Evaluation error for Access, Difference operation failed: Object {OBJ_NAME} does not exist in snapshot"

Conditions:
User has pinned {OBJ_NAME} to the Pinning Policy of the device for which evaluation/deployment failed with the above error.

User has objects of the same type and with the same name in multiple Access Groups, e.g., ad_employee present in multiple Access Groups.

Impact:
User is not able to evaluate and deploy configuration changes to the target device.

Workaround:
User must revisit the Pinning Policy for the device and make sure {OBJ_NAME} and the other selected objects are from the Access Group to which the device belongs.

User can use Global Search to find {OBJ_NAME} and look at the Related Items section under preview for each object in the search result to find out which object is pinned in the Pinning Policy.

User can also open the Pinning Policy page and make sure the correct {OBJ_NAME} is pinned by removing and carefully attaching the correct {OBJ_NAME}.


698569-1 : Deployment of eviction policy deletion can disconnect an 11.6.x BIGIP HA cluster

Component: BIG-IQ Local Traffic & Management

Symptoms:
Under specific conditions, when you deploy a change to an 11.6.2 BIG-IP HA cluster that deletes both an eviction policy reference and its associated eviction policy, you get a device deployment error and a disconnected cluster.

Conditions:
This issue occurs only on an 11.6.x HA cluster when the eviction policy reference is part of a virtual server or is the general eviction policy reference. This issue does not occur when the eviction policy reference is part of a route domain. The issue also does not occur on BIG-IP 12.x (latest hotfix) HA clusters and above.

Impact:
Failed deployment, disconnected BIG-IP cluster.

Workaround:
Perform a two-step deployment.
First, delete the reference to the eviction policy and create a deployment with "Keep Unused Objects" selected. When you deploy these changes, BIG-IQ removes only the eviction policy reference.

Next, create a second deployment. This time, select "Remove Unused Objects". When you deploy these changes, BIG-IQ removes the eviction policy.

If your HA cluster is in a disconnected state as a result of a one-step deployment with "Remove Unused Objects" selected, you can restore the HA cluster by performing a manual sync on the BIG-IP. The BIG-IP might be offline for a minute or so before the BIG-IP cluster is restored.


698460-1 : Editing the session tracking policy sub-collection when an individual login page was selected

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
You can't edit the session tracking sub-collection when an individual login page is defined. A popup is shown with a message indicating an unexpected error, illegal reference.

Conditions:
The issue happens only when editing a session tracking configuration that was previously configured with a login page selected (use individual login page). Saving the initial selection of a login page will work as expected.

Impact:
An error is shown on the page, changes are not saved.

Workaround:
To avoid this error while editing, do the following:
a. Change the first 'Application Username' dropdown to 'None'.
b. Save and close (you need to navigate out of the page, so 'Save' alone is insufficient).
c. Navigate to the policy session tracking configuration.
d. Re-select the login page.
e. Make the required changes.
f. Save.


698430-1 : Attempts to backup over 500 BIG-IP devices fail

Component: BIG-IQ Device User Interface

Symptoms:
A backup task fails with no indication of error in the UI. The restjavad logs have an error similar to:

[WARN][11 Dec 2017 15:31:20 EST][ LogUncaughtExceptionHandler] Uncaught exception on thread 42 com.f5.rest.workers.storage.ShortTransactionRequestProcessor: java.lang.StackOverflowError

Conditions:
This issue occurs when attempting to back up more than 500 BIG-IPs in a single task and the devices are selected individually rather than by a device group.

Impact:
No backups are created.

Workaround:
The issue can be avoided by doing a group backup instead of selecting all the devices individually. Alternatively, the backups can be broken into groups of fewer than 500 BIG-IP devices.


697847-1 : Device RMA for Local Traffic can be incomplete if the device has IPFIX or Remote High-Speed Log Destinations

Component: BIG-IQ Local Traffic & Management

Symptoms:
If you select "Remove Services" (RMA) for a managed device that has the newly added Log Destination objects IPFIX or Remote High-Speed Log, the removal can be incomplete, leaving some objects for this device in the Local Traffic configuration.

Conditions:
This only happens if the RMA occurs for a BIG-IP that has IPFIX and/or Remote High-Speed Log Log Destinations.

Impact:
The RMA process will be incomplete, leaving objects such as Pools and Nodes for the RMA'd device still in the Local Traffic configuration.

Workaround:
Prior to RMA, you must manually remove any IPFIX or Remote High-Speed Log objects for this device.

Go to Configuration -> Local Traffic -> Logs -> Log Destinations. One by one, edit each Log Destination of the above two kinds. In the 'Device Specific' section at the bottom of the screen, remove each object for the device to be RMA'd.

After this, RMA can proceed as normal with no side-effects.


697674 : Object is not visible after User with a custom Role marks it as device specific

Component: BIG-IQ Configuration - Access

Symptoms:
If a user is associated with a custom Role configured in strict mode, the user will not be able to see a shared object after they mark it as device specific.

Conditions:
This can happen when a custom Role is in strict mode and associated with a Resource Group with access to only specific objects instead of the "Any Instance" option.

Impact:
User will not be able to see an object which is marked as device specific.

Workaround:
When you create a Custom Role in Strict mode, select the "Any Instance" option when you specify a Source for the associated Custom Resource Group if you are giving the special permission "Mark Shared" in the associated Custom Role Type.


697588 : ASM: deployment for signature configuration changes

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Deployment for signature configuration changes sometimes fails with the message: "Could not set active".

Conditions:
The issue might happen when changes are deployed to user-defined signatures configuration and the BIG-IP does not have a fix for bug 608988.

Impact:
Deployment failure.

Workaround:
Redeploying the change usually succeeds.


697478-1 : SSL file operation fails for non-admin user with error "Unable to add file to storage"

Component: BIG-IQ Local Traffic & Management

Symptoms:
When creating or importing SSL certificates, keys, and CRLs, or renewing SSL certificates, the error "Unable to add file to storage" may be seen. The BIG-IQ log file /var/log/restjavad.0.log will show a message like this:

[WARN][07 Dec 2017 11:52:53 PST][/cm/adc-core/tasks/certificate-management/c035275b-8680-4206-b43b-d9deba70e89f/worker CertMgmtTaskWorker] A file failed to be saved to storage! java.lang.IllegalStateException: failed patching LFOState: com.mongodb.MongoWriteException: Lock not granted. Try restarting the transaction.

Conditions:
This error can occur the first time a user performs an operation that involves adding an SSL file (certificate, key, or CRL) to BIG-IQ's storage after services on the BIG-IQ have been restarted.

Impact:
Users have to retry the operation any time services are restarted on BIG-IQ, or the BIG-IQ is rebooted.

Workaround:
Retry the operation. The second and subsequent attempts should succeed.


697141 : Health statistics for managed devices after upgrading to BIG-IQ version 5.4

Component: BIG-IQ Device Management

Symptoms:
For about 24 hours after upgrading to BIG-IQ version 5.4, framework and license health statistics might change from healthy to unhealthy for your managed BIG-IP devices.

Conditions:
Upgrading a BIG-IQ managing one or more BIG-IPs to 5.4.0.

Impact:
Minimal. If BIG-IQ is upgraded from 5.0 or 5.1, the BIG-IP framework cannot be upgraded during the window of time that BIG-IQ shows the BIG-IP framework as healthy.

Workaround:
The issue will self-resolve within 24 hours after the upgrade.


695669-1 : Deploying from Network Security or Web Application Security removes the virtual server from the BIG-IP if it is deleted from LOCAL TRAFFIC

Component: BIG-IQ Network Security

Symptoms:
When a virtual server is deleted from Local Traffic on the BIG-IQ, deploying from Network Security or Web Application Security will remove the virtual server from the BIG-IP.

Conditions:
When a virtual server is deleted from Local Traffic on the BIG-IQ but the change is not yet deployed to the BIG-IP.

Impact:
The virtual server on the BIG-IP is removed. This may surprise some users.


695139 : Reimport shared allows reimport from a different device version than that of the group

Component: BIG-IQ Configuration - Access

Symptoms:
Reimport shared does not check whether the Access Group config version and the device version match.

Conditions:
This can happen if the device is upgraded after it has been added to the group.

Impact:
The Access Group config version gets upgraded to the latest device version.

Workaround:
If you've upgraded BIG-IP, remove and move the device to another access group.

If you've upgraded BIG-IP and did a shared reimport, then move devices in the group with a different version to another access group.


694788-1 : Custom role in Relaxed Mode containing Address List resources provides very broad read access

Component: REST Framework and TMOS Platform

Symptoms:
A custom role in relaxed mode that contains Address List resources grants read permissions to the Network Security, Local Traffic, and Network services.

Conditions:
A user is assigned a role that is in relaxed mode and contains the Address List resource in its associated resource group.

Impact:
Users will have read permissions for all objects in the Network Security, Shared Security, Local Traffic and Network services areas, regardless of the role's intent to use only the Network Security or Network version of the Address Lists.

This may be an unexpected and undesired consequence of having Address Lists reside in both the Network Security and Network service areas.

Workaround:
A workaround is available: place the Address List resources in a strict role, and associate that role with the user along with another relaxed role that does not explicitly contain the Address List resources.


694675-1 : Configuration import for multiple large policies

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Configuration import failure can occur when multiple large policies are imported for the same device. An error of "Unable to post difference sub-collection results; too many differences" will be displayed in the UI.

Conditions:
The issue may occur when multiple large policies are imported. If the overall object count in policies for the imported device exceeds 200000 the issue might occur.

Impact:
Failure to import configuration for the selected device.

Workaround:
To work around this issue, first export some of the large policies from the BIG-IP and import them as XML files into the BIG-IQ system before doing the device configuration import.


693907-1 : Deleting an imported blacklist publisher with a user-defined blacklist category

Component: BIG-IQ Network Security

Symptoms:
A deployment to a BIG-IP device fails when deleting an imported blacklist publisher that contains a user-defined blacklist category.

Conditions:
Import a BIG-IP device configuration containing a user-created blacklist publisher assigned to a user-defined blacklist category. The blacklist category is not used in any other configuration, or pinned to a pinning policy.

This happens for BIG-IP version 13.0.0 and earlier versions that do not allow the blacklist publisher and blacklist category to be deleted during the same deployment.

Impact:
Deployment failed with an error. This issue is fixed in BIG-IP version 13.1.0.

Workaround:
To work around this problem, pin the user-defined blacklist category to the BIG-IP pinning policy and deploy again. This avoids deletion of the blacklist category and hence avoids the issue.


693594 : Access deployment to BIG-IP HA Pair

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Deployment of an Access Policy to BIG-IP HA pairs after deleting an entire policy branch fails with the following error:

"The access policy item (....) is not referenced by any existing access policy"

Conditions:
Happens intermittently.

Impact:
The deployment fails.

Workaround:
Initiate the Access deployment again to the HA pairs.


693515-1 : A '+' character in a log profile name causes import to fail

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
When there is a '+' character in a log profile name, importing the module on BIG-IQ fails because '+' is treated as a reserved character.

Impact:
Import fails due to the reserved character.

Workaround:
Do not use '+' in the name.


693497-1 : Creating or editing a custom Resource Group with multiple Access (APM) objects selected

Component: REST Framework and TMOS Platform

Symptoms:
If you select multiple Access (APM) objects while creating or editing a custom Resource Group, BIG-IQ displays a "No related items found" message.

Conditions:
This happens when you're creating or editing a custom Resource Group and select multiple APM objects.

Impact:
Selecting multiple Objects for an Access (APM) Resource Group might result in missing permissions for Users associated with the custom role for that Resource Group.

Workaround:
To work around this issue, select only one Access (APM) object at a time.


693399-1 : Changes popup does not have a loading indicator

Component: REST Framework and TMOS Platform

Symptoms:
The changes popup dialog does not have a loading indicator.

Conditions:
In some cases the differences can take a few seconds to appear in the dialog, for example, when viewing Web Application Signature changes in the Audit Log.

Impact:
You might assume that no difference exists before the diff loads.

Workaround:
Wait for a few seconds for a diff to appear.


693215-1 : Creating custom Resource Groups

Component: REST Framework and TMOS Platform

Symptoms:
If you are creating a custom resource group, you will need to make sure to include the "template" object in that group for certain kinds of objects (detailed below). This is because these objects can have device-specific instances which are referenced from this "template" object. For proper access, you need to select both the template object as well as any device-specific objects.

In order to do this, you must select all the instances for the devices you want (the device column will be filled in with the device name) AND select the template instance. The template instance is the one object of that name with no device column filled in.

Conditions:
This is the case for these object types:

LTM:
Log Destinations - IPFIX
Log Destinations - Remote High Speed Log
Log Destinations - Management Port

and, in general, all objects in Access Roles.

Impact:
If you do not select the template object, then the role will not have proper permission to access the selected device instances. This will cause errors in virtually every workflow that uses the object types detailed above.

Workaround:
The only issue is that this is not done automatically for custom roles. As long as the template object is selected, custom roles using the above mentioned objects will behave properly.


692135-1 : Stats collection agent out of date alert

Component: BIG-IQ Device Management

Symptoms:
Upgrading to the latest version of BIG-IQ can mistakenly trigger the "Stats collection agent out of date" alert.

Conditions:
Upgrade to the latest version of BIG-IQ.

Impact:
Cosmetic.

Workaround:
Rediscover the BIG-IP device to clear the alert.


691531 : Resource Group form's preview section

Component: REST Framework and TMOS Platform

Symptoms:
On the Resource Group form, the lower section of the page shows a grid featuring objects which can be added to the resource group. The lower right section shows a preview of objects selected in the lower left portion. If you select one or more items, then deselect them, you might see outdated preview content in the lower right portion of the page.

Conditions:
When you select and deselect resource group objects.

Impact:
You might see outdated preview content.


691239 : Failure to discover BIG-IP device with "Failed to decrypt" message

Component: BIG-IQ Network Security

Symptoms:
BIG-IQ fails to discover a BIG-IP device with one of the following error messages:

"Failed to decrypt silverline password.."
"Failed to decrypt ssh profile auth info private key.."
"Failed to decrypt feed password.."

Conditions:
When BIG-IP iControl REST fails to decrypt the password or private key from the MCP database, the BIG-IP passes the still-encrypted password/private key to the BIG-IQ during discovery. When this occurs, the BIG-IQ cannot decrypt the password/private key, which causes discovery to fail.

Impact:
BIG-IQ fails to discover BIG-IP systems with the specified error message.

Workaround:
In the BIG-IP tmsh shell, issue the following command:
restart sys service restjavad

Once the restart is complete, rediscover the BIG-IP device.


691185 : LTM Profiles: (from pre-v12 BIG-IP) Inherited secure fields are not flagged for needing re-entry

Component: BIG-IQ Local Traffic & Management

Symptoms:
If a secure field is inherited, the profile will not be flagged on the grid as needing field re-entry. At evaluation, the parent profile with the actual value appears in the warning. Deployment will succeed to the originating device, but it will not succeed to other devices. The originating device has the value for the encrypted field and will succeed, other BIG-IP deployments will not.

Conditions:
A profile with a secure field is imported from a pre-v12 BIG-IP and re-deployed to another BIG-IP.

Profiles imported from v12+ BIG-IPs are not affected by this issue.

Impact:
Deployments will fail until the secure field is entered on BIG-IQ.

Workaround:
Enter the secure field on BIG-IQ for the parent profile.


689374 : Discovery of DSC clustered BIG-IPs fails due to secure value decryption error

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
After initially pairing a DSC cluster, iControl-REST on BIG-IP can fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP.

Impact:
Discovery fails due to secure value decryption error.

Workaround:
Restart iControl-REST server on the BIG-IP.

On BIG-IP 12.0.0 and later, in TMSH, run 'restart sys service restjavad'. In the console, run 'bigstart restart restjavad'.

On BIG-IP 11.x.x, in TMSH, run 'restart sys service icrd'. In the console, run 'bigstart restart icrd'.


689279-1 : Removing the last DCD in a cluster

Component: REST Framework and TMOS Platform

Symptoms:
When you remove the last DCD in a cluster, the cluster health displays as RED and alerts/stats/events ingestion is NOT happening.

Conditions:
Last DCD in the cluster was removed.

Impact:
Alerts/stats/events ingestion is NOT happening.

Workaround:
After removing the last DCD, if you want to start from a clean slate, run the reset-data-collection-cluster script.


688609-1 : FPS: Changes to web service configuration are populated to data collection devices with some delay

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
FPS: Changes to web service configuration are populated to data collection devices with some delay.

Impact:
There is a delay of up to 5 minutes before the changes take effect.

Workaround:
Customers are advised to wait for 5 minutes for the changes to take effect.


688198-1 : Log Filter device pinning for referenced Log Publisher

Component: BIG-IQ Local Traffic & Management

Symptoms:
In ADC configuration, both Log Filters and Log Publishers need to be pinned to any device(s) that they are to be deployed to. This is because there are no device-specific objects that refer to these shared objects.

In most cases, BIG-IQ will automatically keep device pinning in-sync between Log Filters and any Log Publishers that they reference.

However, in the case of Log Filters being pinned to a new device, the corresponding Log Publisher (if the Filter, in fact, references a Log Publisher) will not be automatically pinned to the same device.

Conditions:
This happens for any Log Filter that is pinned to a new device.

Impact:
Unless the user also pins the corresponding Log Publisher to the device, the deployment will fail.

Workaround:
You must pin both the Log Filter as well as the referenced Log Publisher to all device(s).


687048-1 : BIG-IQ backups on large configurations with encryption enabled may fail due to insufficient memory

Component: BIG-IQ System User Interface

Symptoms:
BIG-IQ backups may fail due to insufficient memory.

Conditions:
This can occur when the configuration is large (several hundred BIG-IPs discovered) and the encryption option is selected for the backup.

Impact:
As a result, a backup of BIG-IQ cannot be created.

Workaround:
Do not select the encryption option for large BIG-IQ backups.


686870 : User with Custom Role Type in strict mode cannot see an object they just created

Component: BIG-IQ Configuration - Access

Symptoms:
If a user is associated with a Custom Role Type configured in strict mode, they might not be able to see all the objects they need to, even if they create the object.

Conditions:
This can happen when a Custom Role Type is configured in strict mode and associated with a Resource Group with access to only specific objects.

Impact:
User might not be able to see a newly-created object.

Workaround:
When you create a Custom Role in Strict mode, select the "Any Instance" option when you specify a Source for the associated Custom Resource Group.


686834 : Creating certain ACL objects

Component: BIG-IQ Configuration - Access

Symptoms:
A User associated with a Role is not able to create certain ACL objects.

Conditions:
This happens when the User is associated with a Custom Role configured in Strict Mode and the associated Custom Role Type has permissions to only specific objects.

Impact:
BIG-IQ returns an error that the ACL order is invalid.

Workaround:
When you create a Custom Role in Strict mode, give (at least) Read permissions for all related kinds as well, and for the associated Custom Resource Group select the "Any Instance" setting so the user can successfully create an ACL object.


686699 : User with a custom Role is not able to create SecurID object for Access (APM)

Component: REST Framework and TMOS Platform

Symptoms:
A User associated with a custom Role is not able to create a SecurID object for Access (APM).

Conditions:
This happens when the associated Custom Role is configured in Strict Mode and the Custom Resource Group does not have the Any Instances option selected for the Source setting.

Impact:
The user will see an error when trying to create a SecurID object.

Workaround:
When you create a Custom Role in Strict mode, select the "Any Instance" option when you specify a Source for the associated Custom Resource Group.


686162-1 : OAuth Profile deployment fails with JWK config failed trust verification with trusted CA bundle

Component: BIG-IQ Configuration - Access

Symptoms:
For an OAuth Profile with Support JWT Token enabled, BIG-IP verifies the primary key trust against the Trusted Certificate Authorities. This trust verification is not done on BIG-IQ. If the user configures a mismatched primary key and trusted CA, the deployment fails.

Conditions:
When a mismatched primary key and trusted CA bundle are selected for the OAuth Profile.

Impact:
Verification of the primary key against the trusted Certificate Authority Bundle in the OAuth Profile (when Support JWT Token is enabled) is not done in BIG-IQ, so the deployment fails.

Workaround:
Configure the matching Trusted Certificate Authority Bundle for the chosen Primary Key in order for the deployment to succeed.


686125 : User is not able to mark Access objects as shared

Component: REST Framework and TMOS Platform

Symptoms:
A user associated with a custom role is not able to mark Access Policy (APM) objects as shared.

Conditions:
This occurs when the user does not have Delete permission for the particular Object Type.

Impact:
User will not be able to mark any instance of the object type for which Delete permission is missing.

Workaround:
To resolve this issue, you must provide Delete permission for all Role Types with the Mark Shared permission.


685564 : ASM: deploy failure when using server technologies

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM: deploy failure when using server technologies.

Conditions:
The issue happens when the managed BIG-IP does not contain a fix for bug 685571.

Impact:
Deployment failure.

Workaround:
Retrying the deployment usually fixes the issue.


685310-1 : Adding/reimport device to an Access Group

Component: BIG-IQ Configuration - Access

Symptoms:
After adding a device or reimporting a device-specific configuration to a BIG-IQ Access Group, any Kerberos object for the added or reimported device must be manually fixed by uploading an appropriate keytab file object. By default, it uses the object from the source device.

Conditions:
All Kerberos LSO device instances in BIG-IQ use the same keytab file as the source device after adding a device or reimporting a device-specific configuration from the device.

Impact:
Kerberos might use the wrong keytab file (the one from the source device) on the BIG-IP after deployment. This may result in Kerberos authentication failure.

Workaround:
Upload the keytab file in BIG-IQ for each Kerberos object and deploy.


685257 : Deployment of Server Technology ASM policy changes

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM deployment fails with the following device error: Failed pushing added objects to device BIG-IP-X: Could not add the Policy Server Technology. Method not implemented.

Conditions:
The issue can occur on BIG-IP 13.0.x and is fixed in BIG-IP 13.1. Issue occurs while deploying ASM policies that were created on the BIG-IP and discovered.

Impact:
You will not be able to deploy BIG-IP ASM policies with server technologies that were already present on the BIG-IP. You can, however, create a new ASM policy on BIG-IQ and deploy that policy with server technologies.

Workaround:
You can work around this issue by exporting the ASM policy with server technologies in 13.0.x format and then importing the policy on the BIG-IP.


678664 : Policy and Rule List rules do not support the Protocol Inspection Profile or Classification Policy configuration options supported by BIG-IP version 13.1.0

Component: BIG-IQ Network Security

Symptoms:
Two new options were added to the BIG-IP 13.1.0 release for firewall rules: Protocol Inspection Profile and Traffic Intelligence Classification Policy. These are similar to the Service Policy, iRule, or Send-to-Virtual rule options.

If these two new properties are configured on a rule and imported into the BIG-IQ, they will be un-configured on the next deployment that modifies that rule.

Conditions:
If these two new properties are configured on a rule and imported into the BIG-IQ, they will be un-configured on the next deployment that modifies that rule.

Impact:
Protocol Inspection Profile and Traffic Intelligence Classification Policy will be un-configured upon AFM Deployment to a BIG-IP if the rule is modified on BIG-IQ.

Workaround:
After the new rule configuration is deployed from BIG-IQ to the BIG-IP, the Protocol Inspection Profile and Traffic Intelligence Classification Policy can be re-configured on the affected rule directly on the BIG-IP, if desired.


673763-1 : Wide IP grid shows incorrect number of associated pools

Component: BIG-IQ DNS Management

Symptoms:
Due to a defect on BIG-IP, BIG-IQ is unable to display the correct number of DNS pools that are referenced by a Wide IP.

Conditions:
This can occur when BIG-IP is version 12.x or 13.x and a DNS sync-group is configured with Wide IP that references an arbitrary number of DNS pools.

Impact:
In BIG-IQ, under Configuration > DNS > GSLB > Wide IPs, the following fields may show an incorrect number of DNS pools:
1. The Pools column in the main grid
2. The Pools related-item entry
3. The Pools table section in the properties page of a Wide IP

Workaround:
There is no workaround at this time.


671693 : BIG-IQ fails to import BIG-IP v11.x LTM profiles that reference certificates with names containing special characters

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Importing LTM for BIG-IP version 11.x fails with a message similar to:
      "current-config requester failed: Reason: java.lang.IllegalArgumentException: kind is missing"

Conditions:
This issue can occur when BIG-IP is version 11.x and an LTM profile references a certificate with a name containing a special character (such as an asterisk).

Impact:
The LTM service cannot be managed for affected devices.

Workaround:
You can avoid this issue by renaming keys/certs so they do not include special characters.


670913 : Unexpected configuration differences after deployment for matchesWithinHeader field for custom signature changes

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
A second evaluation shows a difference immediately after an initial deployment of custom signatures. The difference is reported for the 'matchesWithinHeader' field.

Conditions:
This issue happens when using devices that have no fix for bug 610777.

Impact:
Unexpected differences are shown.


665639 : Amazon EC2 Abuse Report upon a new deployment of BIG-IQ AMI instance

Component: REST Framework and TMOS Platform

Symptoms:
Upon deploying a new BIG-IQ AMI instance and a successful login to the BIG-IQ web user interface, within minutes Amazon EC2 flags an abuse report about potential port scanning activities from the BIG-IQ instance to the client machine initiating the browser session.

Conditions:
A new BIG-IQ AMI instance is deployed and running in EC2, and an arbitrary client makes a first successful login to the BIG-IQ web user interface using an internet browser with websocket support (Firefox, Chrome, Safari, etc.). Even an idle user interface, left untouched (without browsing BIG-IQ UI pages), triggers the EC2 abuse report.

Impact:
The customer owning the EC2/AMI deployment of BIG-IQ will get an email with the Amazon EC2 Abuse Report.

Workaround:
At this time there are no clear indications of illegitimate port scanning activity originating from the BIG-IQ AMI instance toward the client machine that initiated the BIG-IQ UI browser session.

A current assumption is that Amazon EC2 may have some initial sensitivity for websocket-based browser connections, with a relatively high number of websocket frames being exchanged between a client browser and the BIG-IQ AMI instance, although the number of websocket ports involved in this traffic remains relatively low (below a dozen).


660828 : Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"

Component: BIG-IQ Access

Symptoms:
Deployment failure with error similar to the one below:

Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"

Conditions:
Deployment fails when advanced customization is involved.

Impact:
The BIG-IQ APM deployment fails.

Workaround:
On the failed device, remove the object that uses the customization group (the logon page agent in the policy or policy macro), which in turn removes the customization group, and then deploy to the device again.


658702 : After upgrading BIG-IQ to 5.2.0, already discovered 11.5.4 devices may fail on Web App Security rediscovery.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
After upgrading to 5.2.0, rediscovery of an 11.5.4 device may fail with "Duplicate item. Key already exists: name : brute-force-attack-prevention".

Conditions:
A managed 11.5.4 device is present when upgrading to BIG-IQ version 5.2.0.

Impact:
Unable to rediscover the device (in Web App Security) after the upgrade.

Workaround:
Following an upgrade, if the above error occurs on Web App Security rediscovery, perform the following:

- remove the device
- discover/import the device (LTM,ASM)
- rediscover/reimport the device (LTM,ASM)


651149-1 : Grid refresh problem may cause some screens to display only a subset of the available rows

Component: REST Framework and TMOS Platform

Symptoms:
The list on the Configuration > LOCAL TRAFFIC > Logs > Log Destination screen might be truncated so that it does not show all of the log destinations.

Conditions:
This happens most often when you use the '...' button to navigate back after applying edits to device-specific objects.

Impact:
Minimal.

Workaround:
Refresh the screen using the F5 key, or refresh your browser, to view the whole list.


639896 : Cannot view SWG Reports and download CSV Reports from standby BIG-IQ system

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
When attempting to view or download SWG and some Access reports from the standby BIG-IQ system, BIG-IQ returns a Request failed error message.

Impact:
The admin cannot view SWG reports and a few Access reports, and cannot download CSV reports, from the standby BIG-IQ device.

Workaround:
To work around this issue, view and download reports from the active BIG-IQ system.


639347-1 : Creating or removing a custom signature

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Intermittently, after creating or removing a custom signature, you might have to refresh your browser for the change to display.

Conditions:
After creating or removing a custom signature.

Impact:
The changes don't take effect.

Workaround:
If you have waited more than 10 seconds and have not yet seen the changes take effect, manually refresh your browser.


638131 : Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail when Proactive Bot Defense is enabled

Component: BIG-IQ Network Security

Symptoms:
When a BIG-IQ Centralized Management user discovers a BIG-IP device that is 11.6.x, the Bot Signature Check is disabled and is read-only in a DoS profile.

Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail, when Proactive Bot Defense is enabled.

Conditions:
Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher, when Proactive Bot Defense is enabled.

Impact:
User cannot deploy a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher, when Proactive Bot Defense is enabled.

Workaround:
First, in the DoS profile, select the Application Security Proactive Bot Defense tab and record the current Operation Mode setting. Then set Operation Mode to Off. You can set it back to its previous value afterwards.
As a result, the Bot Signature Check on the Bot Signature screen is set to Enabled automatically.
At this point the Bot Signatures and Bot Signature Categories should be visible and editable.
Save the configuration.


635584-3 : BIG-IQ setup wizard fails with "Cannot delete IP X.X.X.X because it would leave a route unreachable"

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
BIG-IQ setup wizard fails to configure management address with error "Cannot delete IP X.X.X.X because it would leave a route unreachable".

Conditions:
This issue applies when trunking is used for VLANs not named "internal". The BIG-IQ UI does not support configuring trunks, but such a configuration can be created by other means (e.g., tmsh).

Impact:
As a result, system setup cannot be completed.

Workaround:
BIG-IQ system setup should be completed prior to creating trunks on new installations. For upgrade scenarios, the network configuration has to be removed so that system setup can be completed, after which the network configuration can be restored.


634100 : Possible user conflict when editing access policies

Component: BIG-IQ Configuration - Access

Symptoms:
If multiple users open the same policy while it has no pending changes, some of one user's changes are not made visible to the other users.

Conditions:
This occurs only when the changes are to policy endings, macro properties, or macro terminals.

Impact:
Changes made to policy endings, macro properties, or macro terminals are not seen by the other users until they refresh the browser.

Workaround:
If a user wants to make a change to policy endings, macro properties, or macro terminals, they can indicate that the policy is being modified by temporarily changing something in the diagram. This causes changes from other users to be blocked.


632900 : Bot Signatures/Bot Signature Categories User Defined Flag Behavior

Component: BIG-IQ Network Security

Symptoms:
In some cases, user-created Bot Signatures and Bot Signature Categories imported from BIG-IP are classified as "system defined" on the BIG-IQ after import. This behavior is true even if a bot signature or bot signature category is designated as "user defined" on BIG-IP.

Conditions:
Seen when discovering user-defined bot signatures from BIG-IP devices running versions prior to 13.0.0.

Impact:
Bot Signatures and Bot Signature Categories created by a user on the BIG-IP get re-classified as "system defined" upon import into the BIG-IQ. Bot signatures so classified are not editable in BIG-IQ.

Workaround:
To make the bot signature editable in BIG-IQ, reset the bot signature or bot signature category to "user defined" to match the "user defined" setting on the BIG-IP.


612292 : Customization file changes are not deployed when customization template and customization group objects are created in deployment

Component: BIG-IQ Access

Symptoms:
Customization file changes are not deployed when customization template and customization group objects are created in deployment.

The deployment succeeds. A subsequent evaluation, however, indicates that the BIG-IQ customization group differs from the one on the BIG-IP.

Conditions:
When a customization template and its corresponding customization group are deployed for the first time to a non-source device, the deployment succeeds but the customization files are not sent.

Impact:
Customization group files are not deployed in such cases.

Workaround:
Perform one more deployment; the second deployment delivers the customization group correctly.


597135-1 : Interfaces for VCMP guests can be disabled from BIG-IQ.

Component: BIG-IQ Local Traffic & Management

Symptoms:
Interfaces should not be disabled for BIG-IP VCMP guests (platform z101). The BIG-IP GUI prevents interfaces from being disabled; however, in some versions the interface can be disabled using TMSH. This is a known issue on BIG-IP (see sol15487).

Devices managed on BIG-IQ reflect the same issue where the interface for these devices can be disabled.

Conditions:
BIG-IQ is managing VCMP guests and the user disables an interface.

Impact:
sol15487 indicates that this can interrupt traffic on the BIG-IP.

Workaround:
Do not disable interfaces on VCMP guests.


582701 : HTML Report fails to render in IE and Edge browsers

Component: BIG-IQ Network Security

Symptoms:
In IE & Edge browsers, the HTML report fails to generate when the report has too much data to display.

Conditions:
This can happen if you select a large number of devices to generate the report and/or the data per device is too large.

Impact:
Reports are not available when using certain browsers.

Workaround:
There are two possible workarounds:
1) Use Firefox/Chrome.
2) Try reducing the number of devices selected for the report.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Wed Dec 27 10:49:36 2017 PST
Copyright F5 Networks (2017) - All Rights Reserved