Release Notes :
BIG-IP APM 11.6.0
Applies To:
Show Versions
BIG-IP APM
- 11.6.0
Original Publication Date: 08/03/2017
Updated Date: 04/18/2019
Summary:
This release note documents the version 11.6.0 release of BIG-IP Access Policy Manager (APM).
Contents:
- Platform support
- Module combination support on the 3900
- Configuration utility browser support
- APM client browser support
- User documentation for this release
- Evaluation support
- New in 11.6.0
- Supported high availability configuration for Access Policy Manager
- Installation overview
- Upgrading from earlier versions
- Upgrading from earlier versions of APM
- Fixes in 11.6.0
- Usability
- Behavior changes in 11.6.0
- Known issues
- Windows 7 Support Known issues
- Windows 8.1 Support Known issues
- Contacting F5 Networks
- Legal notices
Platform support
This version of the software is supported on the following platforms:
| Platform name | Platform ID |
|---|---|
| BIG-IP 1600 | C102 |
| BIG-IP 3600 | C103 |
| BIG-IP 3900 | C106 |
| BIG-IP 6900 | D104 |
| BIG-IP 8900 | D106 |
| BIG-IP 8950 | D107 |
| BIG-IP 11000 | E101 |
| BIG-IP 11050 | E102 |
| BIG-IP 2000s, BIG-IP 2200s | C112 |
| BIG-IP 4000s, BIG-IP 4200v | C113 |
| BIG-IP 5000s, 5050s, 5200v, 5250v | C109 |
| BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110 |
| BIG-IP 12250v | D111 |
| BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS | D112 |
| BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113 |
| VIPRION B2100 Blade | A109 |
| VIPRION B2150 Blade | A113 |
| VIPRION B2250 Blade | A112 |
| VIPRION B4200, B4200N Blade | A107, A111 |
| VIPRION B4300, B4340N Blade | A108, A110 |
| VIPRION B4450 Blade | A114 |
| VIPRION C2200 Chassis | D114 |
| VIPRION C2400 Chassis | F100 |
| VIPRION C4400, C4400N Chassis | J100, J101 |
| VIPRION C4480, C4480N Chassis | J102, J103 |
| VIPRION C4800, C4800N Chassis | S100, S101 |
| Virtual Edition (VE) | Z100 |
| vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
- vCMP supported platforms
- VIPRION B2100, B2150, B2250, B4200
- VIPRION B4300 blade in the 4400(J100)/4480(J102) and the 4800(S100)
- BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
- ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
- BIG-IP LTM standalone only
- BIG-IP GTM standalone only
- BIG-IP LTM and GTM combination only
Module combination support on the 3900
Note: The GTM+APM module combination is not supported on the 3900 product platform.
Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially, legacy platforms).
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 8.x, 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
APM client browser support
For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.6.0 Documentation page.
Evaluation support
If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.
New in 11.6.0
SAML Artifact Support
The SAML protocol provides three bindings for transmitting SAML messages. APM now supports the Artifact binding. It allows the transmission of SAML messages using, in part, direct connections between the Identity Provider (IdP) and the Service Provider (SP).
Native MSRDP Support
Support for native Microsoft RDP client enables seamless connection to backend remote desktop without establishing a VPN tunnel.
Per-Request Authorization
Support for a Per-Request policy that allows access controls based on elements in the transaction (URL, HTTP headers, protocol, and so on), the environment (for example, date and time) and user attributes (group membership, other AAA attributes, and so on) is added. A Per-Request policy is now required for using Secure Web Gateway (SWG).
RSA SecurID (with soft token) Automation
It is now easier for users to establish a VPN connection using F5 BIG-IP Edge Client while using RSA SecurID with soft token. After the user enters their RSA SecurID pin, Edge Client will now automatically fetch the passcode from RSA SecurID to authenticate with. This is supported only with F5 BIG-IP Edge Client for Windows "full client" and F5 BIG-IP Edge Client for Mac OS X "full client".
Note: To use this feature, clients must have installed or upgraded to the 11.6.0 client package for BIG-IP Edge Client for Windows or BIG-IP Edge Client for Mac. Both client packages are available for download from the APM user interface.
Secure Web Gateway Safesearch Filtering
With search filtering enabled, a safe search string is returned and the search results are filtered to exclude explicit content. Search filtering is supported on Ask, Bing, DuckDuckGo, Google, Lycos, and Yahoo. Supported search engines may change, depending on the search engine's features.
URL Category Lookup
URL Category Lookup allows a user to enter a complete URL, such as http://www.cnn.com or a domain name, such as www.cnn.com or cnn.com to find the category information.
Customization Enhancements
Radio buttons can be used on the logon page. Additional improvements are also available to make customization easier and faster.
Supported high availability configuration for Access Policy Manager
Access Policy Manager is supported in an Active/Standby configuration with 2 BIG-IP systems only.
Note: Access Policy Manager is not supported in an Active-Active or an N+M configuration.
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
| Installation method | Command |
|---|---|
| Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
| Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.
After the installation finishes, you must complete the following steps before the system can pass traffic.
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Versions later than 10.x do not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Upgrading from earlier versions
Your upgrade process differs depending on the version of software you are currently running.
Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.
Upgrading from version 10.1.0 (or later) or 11.x
When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 10.1.0 11.x
You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.
Upgrading from earlier versions of APM
When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.
Secure Web Gateway 11.6.0 important post-upgrade tasks
Secure Web Gateway 11.6.0 provides improved functionality over that in 11.5 by allowing a flexible policy definition on a per-transaction basis. This allows new agents that implement functionality to be added as necessary to execute a policy, and allows the output of agents to steer policy decisions using expressions based on those outputs and other factors. Available agents include “dynamic date time”, “category lookup”, “response analytics”, “protocol lookup”, among many more.When upgrading from 11.5 to 11.6, URL filter and URL category configuration from 11.5 is preserved. However, configuration data associated with an SWG scheme is gone. This data included content scanning settings and URL schedules that specified which URL filter to apply at any given time.
As a result, an Access Policy that includes an SWG Scheme Assign agent allows the client unfiltered access through the SWG Explicit or Transparent forward proxy. This amounts to a 'Default Allow' policy. Web sites that would be blocked will be allowed through. HTTP traffic will not be inspected.
To establish URL filtering, content scanning, SSL bypass or SSL intercept (without the use of a iRule), and so on, you must configure one or more per-request policies. (Both an access policy with an SWG Scheme Assign action and a per-request policy are required. The access policy and the per-request policy must both be assigned to the same virtual server.)
For how to create per-request policies, and for examples of per-request policies, refer to BIG-IP Access Policy Manager: Secure Web Gateway Implementations on the AskF5 web site at http://support.f5.com.
Connectivity profiles
When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:
- Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration utility.
- Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.
Kerberos SSO
Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0 and later. This happens because, starting in 11.4.0 the password is saved in encrypted form, while the password in 11.3.0 is saved as clear text. Re-enter Kerberos SSO password after upgrading from 11.3.0.
Citrix client packages
The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:
- Outside of APM, name or rename a Citrix client package without spaces in the name.
- Use the correctly named Citrix client package.
- To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
- To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.
Machine accounts for NTLM front-end authentication
APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.Advanced customization
If you performed any advanced customization of files, you must upgrade these files manually.
Custom reports
Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.
OAM configuration
When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.
Access policies that use session variables
If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.
- Version 10.x - session.ad.MyPolicy_act_active_directory_auth_ag.authresult
- Version 11.x - session.ad./Common/MyPolicy_act_active_directory_auth_ag.authresult
The partition, /Common, is added to the version 11.x object name.
Fixes in 11.6.0
| ID number | Description |
|---|---|
| 225651 | The installation path for the BIG-IP Edge Client was updated to avoid collision with third-party software installations. |
| 238350 | The new network access setting, Use Local Proxy Settings, is introduced. When it is enabled, after the client establishes a network access connection, proxy settings configured on the client continue to be used. |
| 337178 | Now BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used. |
| 337922 | Previously, when the administrator configured password caching on the Edge Client through the connectivity profile, the cached password was not always automatically submitted. This issue has been fixed. |
| 357360 | Mac network access client now supports static host entries. |
| 386641 | Stonewall driver is correctly updated when updating from Firepass to APM now. |
| 398134 | Now APM supports non-ascii usernames and passwords when performing NTLM Front-end Authentication and NTLM Back-end SSO. |
| 405348 | Modify the db variable "tmm.access.maxrequestbodysize" with a value larger than the maximum email body size you would like to support. |
| 410157 | BIG-IP Edge Client now displays PPP disconnection/reconnection notification quickly. |
| 413778 | A detailed error message is logged now when Active Directory authentication fails because Kerberos Key Distribution Center (KDC) is unreachable. |
| 416076 | Applying Access Policy completes two steps now. |
| 419809 | An error message formatting issue was fixed. |
| 420989 | When using an access policy with Windows Logon Integration, if you are denied access once, you can try again. |
| 420990 | Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration. |
| 421577 | Now you can set VDI logging level from the administrative GUI. |
| 422730 | A JavaScript error no longer displays if you click Delete Favorite in the Report UI when the Favorites list is empty. |
| 422818 | "Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent." |
| 424006 | Windows Integration now uses domain names of servers specified on the BIG-IP system instead of raw IPs. |
| 424008 | APM now supports smart card logon on Windows-based systems with APM Windows Logon Integration. |
| 424368 | Parent HTML page dynamic re-writing is supported in case of Internet Explorer 10-11: JavaScript statements like parent.document.write(some_html_with_script) are handled correctly. |
| 424768 | WebSSO does additional logging now at debug level when it first starts. |
| 425070 | The HTML profile code was improved for security reasons. |
| 425507 | An issue in which logd could start to consume 99% of CPU after table rotation has been fixed. |
| 425731 | A TCP reset is not longer sent to a client during access policy execution. |
| 425882 | Configuration file handling for the BIG-IP Edge Client was improved to prevent configuration corruption. |
| 427962 | A new option is added to full webtop configuration: "Show warning message when webtop window closed." When this option is disabled, a user can close a webtop browser without also being prompted to close the Network Access tunnel that was launched from the full webtop. |
| 430435 | Network access webtop shows VPN tunnel details and BIG-IP Edge Client shows notification when session is about to timeout. |
| 430680 | When you create a new expression in the Date Time access policy item for a weekend date, the expression is correct. |
| 431355 | BIG-IP Edge Client log entries for DNS Relay proxy have been improved. |
| 431494 | Windows Group Policy sandboxes and ending agents that used Windows Group Policy files have been removed from the configuration. Windows Group Policy is no longer supported. |
| 431512 | Now APM validates the origin header of the WebSocket handshake and accepts connections with correct origin only. |
| 432260 | An AAA server pool remains reachable after the bigstart restart [mcpd] command runs. |
| 432333 | Now Java Application Tunnels work when Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to 127.0.0.1 due to limitations of this mode. |
| 432537 | A call to ParseCookie() in PatchInfo::processSetCookie() no longer takes an improper length argument. |
| 433243 | BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind. |
| 433585 | Now all URLs in RSS feeds are rewritten. Only fixed URL strings (such as XML namespaces, categories, and so on) are left untouched. |
| 434675 | The cause of a relatively rare crash issue in the rewrite plugin has been fixed. |
| 435266 | Internal communication with the Secure Web Gateway content scanning engine has been optimized. This results in significant performance improvements. |
| 435449 | When using Kerberos End User logon with 401 response agent and Request Based Auth option enabled, the first request is now processed correctly. |
| 435575 | APM can now act as Microsoft Remote Desktop Gateway. Native RDP clients for Windows/Mac/iOS/Android can be configured to use APM as RD Gateway and gain access to RDP backends through APM. |
| 436556 | The correct list of Citrix apps render on an APM webtop when a Citrix resource uses Kerberos single sign-on to Citrix XML Broker. |
| 436569 | Now icons are displayed for Citrix applications on an APM webtop when Kerberos SSO is used. |
| 436616 | CTU correctly enables logs for 64-bit services on Windows systems. |
| 437347 | Web applications should function normally now even with long header values. |
| 437472 | Compatibility with XenDesktop 7 has been improved. |
| 437611 | An error about the access_license.c file is no longer logged during provisioning, system start up, reboot, or license upgrade. |
| 437652 | An HTML page that is loaded using HTTPS and contains a script that uses the document.write() call to change a closed document now works correctly on Internet Explorer 11 in portal access mode. |
| 437731 | Optimized tunnel does not crashes Internet Explorer now. |
| 438190 | DSCP marking for client traffic control is now passed through APM VPN tunnel. |
| 438256 | Forms with an absolute path in the action are now handled correctly. |
| 438433 | Uploading an image without proper message ID is now ignored. |
| 438436 | Security improvements resulting from F5 internal testing were made. |
| 438530 | Image file names are now validated and must include these characters only: a-z A-Z 0-9 _ - . The Advanced Customization GUI displays the correct error message when the name for an image is invalid. |
| 438595 | [Mac][EPS] backward compatibility with FP has been fixed. |
| 438664 | F5 Client Traffic Control Service now works on Windows 7. Previously the service started and then stopped. |
| 438696 | Now Java RDP and Java App Tunnels work without showing a security warning. |
| 438964 | Template files now include a version number and the Component Installer service updates correctly. |
| 438969 | HTML5 VMware View Client now works with APM when the virtual server is on a non-default route domain. |
| 439463 | Now Citrix Receiver for Mac and iOS gets the correct config.xml file when working through a Wi-Fi router and APM is integrated with Citrix Web Interface. |
| 439728 | An APM page that contains dynamic scripts now works correctly when a user opens it from another domain or protocol using the Chrome browser. |
| 440022 | Now an APM webtop renders Citrix apps when a Citrix resource uses a pool and Kerberos SSO. |
| 440290 | APM now prevents the retransmission of policy sync requests that caused status messages to fluctuate. |
| 440385 | Support of Internet Explorer 10 (without compatibility mode) for machine certificate checker was added, |
| 440432 | The iRule event agent (in an access policy) no longer logs BIG-IP Edge Client for Linux CLI users out before they can establish network access. |
| 440564 | Citrix Session Sharing did not work properly in some cases. Now it is fixed. |
| 440792 | Client proxy settings specified in a Network Access resource are applied without an occasional miss now. |
| 440841 | This split tunnelling log message is no longer written at the notice level: "Username used for SSO contains domain information. Please enable 'Split domain from full Username option in the Logon Page if domain info should be separated from username for SSO to work properly" The log is now written at the informational level. |
| 441073 | When using Portal Access, an input tag in forms now can receive a value that is dynamically created by JavaScript on the client. |
| 441210 | The tmm process provides more robust handling for PCoIP traffic. |
| 441256 | Some Secure Web Gateway URL category names that were truncated when displayed are now fully displayed. |
| 441507 | SWF patcher behaves properly now. |
| 441612 | BIG-IP Edge Client for Mac now can connect to a BIG-IP system on which a machine information agent is included in the access policy. |
| 441631 | Now you cannot start more than one instance of WebSSO for every MCPD channel number. For example, if websso.3 is running, then you cannot manually start websso -c 3. |
| 441659 | Fixed User-mode installer service: it does not require admin rights for limited users anymore. |
| 441681 | You can now use the Firefox browser to successfully edit these actions from the Visual Policy Editor: Advanced Resource Assign, LDAP Group Mapping, AD Group Mapping, and BWC Resource Assign. |
| 441809 | Network access connections now succeed after failover without encountering an IPv4 allocation failure error: "leasepool <name>is out of addresses". |
| 442026 | On any partition, customer can create a Portal Access resource using the Wizard. |
| 442393 | APM will now attempt to terminate Citrix session when user logs out of APM Webtop. |
| 442528 | Long URLs (up to 16K long) are handled correctly. |
| 444722 | Extra Secure Web Gateway sessions are no longer created when a session expires. |
| 445399 | Support was added for Network Access over PPPoE. |
| 445985 | Now JavaScript arithmetic assignment operators are handled correctly on the server and on the client. |
| 446207 | The "state" value in the session variables created after a software check (antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent and disk encryption) now contains the state of the specified product. |
| 447301 | The current HTML page continues to display without reloading if a user clicks a link that contains an undefined URL. |
| 447392 | The installer for the BIG-IP Edge Client for Windows now prompts the user if a reboot is required. |
| 448630 | VDI Profile now depends on Access profile for TCP virtuals. Administrators will see a configuration error if they try to attach VDI profile w/o having Access profile. |
| 448896 | An HTML page with base URI (HREF attribute of the BASE tag) is rewritten correctly. |
| 449141 | Notifications to the user when the BIG-IP Edge Client must reboot to complete updates have been improved. |
| 449225 | Windows, Mac and Linux clients were updated to prevent a crash when establishing a VPN connection in certain conditions. |
| 450021 | User can view the log from the file /var/log/apm in Admin UI like System-> Logs-> System (Packet Filter, Local Traffic, and so on). |
| 450161 | Added support of Microsoft Software Key Storage Provider to Machine Certificate Checker |
| 450298 | Logging on to Outlook Web App 2013 (SP1) using portal access with Firefox browser now works without producing an error. |
| 450299 | Misleading error records have been removed from TunnelServer.exe. |
| 450305 | When accessing OWA 2013 through portal access, users can successfully create a new message, calendar, or task item. |
| 450360 | Now Citrix Session Sharing works correctly for any version of XenApp. |
| 450687 | After the GUI or the console displays an error message to a user who is configuring an SSO NTLMv1 (or NTLMv2) object, an incorrectly configured object is no longer created. |
| 450728 | Now APM correctly handles VMware View client requests with empty body. |
| 450845 | Under logging stress, logd no longer writes duplicate fd errors in the log. |
| 450940 | The default value for Max In Progress Sessions was previously set to 0. It now defaults to 128. |
| 451118 | Mistakes in French localization were fixed. |
| 451233 | The APD and ACCTD processes now parse any IP address that includes a route domain ID as a suffix. |
| 451260 | After upgrading directly from 11.4.0 to 11.6.0, the configuration loads successfully now even if it contains "citrix-client-package" files that were uploaded (and unzipped) using the GUI. |
| 451387 | Support of button-less logon pages is added to BIG-IP Edge Client. |
| 451588 | Portal access renders the data correctly when creating a new item on Sharepoint 2013. |
| 451777 | If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message displays now. |
| 451806 | The network access GUI and default value for the Preserve Source Port Strict setting has changed. Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings (Basic). By default, the check box is cleared and the setting is disabled. |
| 451864 | Always preserve locally configured DNS suffixes when establishing VPN connection. |
| 452061 | The /var/tmp/logd.out file is moved and renamed to /var/log/logd.log. This change enables /var/log/logd.log file to be rotated like other log files. |
| 452182 | Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../". |
| 452753 | Now EdgeClient clean up cookies for all intermediate hosts visited during connect |
| 452895 | Arrayed session variables, such as "session.machine_info.last.net_adapter.list.[0].mac_address", are evaluated and displayed correctly. |
| 453164 | Routes are restored after disconnecting from the Network Access connection. |
| 453188 | Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled. |
| 453455 | SAML Single Logout is now supported on the BIG-IP Edge Client. |
| 453514 | A problem in memcached causing intermittent failures was fixed. |
| 453531 | Multidomain SSO no longer resets on secondary authentication domains. |
| 453722 | Alleviate issues such as GUI unresponsiveness or even disconnect when policy sync is applied to a device group that contains 5 or more members. |
| 453843 | An error that begins with iControlPortal.cgi[16404]: 0137010c:6:, is no longer printed to /var/log/ltm. |
| 454010 | APM now recognizes Internet Explorer in compatibility mode on Windows 8.1 correctly. |
| 454086 | When using portal access on Firefox with some applications, the browser would go into deadlock. This no longer occurs. |
| 454248 | Fixed unnecessary localdbmgr messages logged in /var/log/apm every minute at the notice level. |
| 454322 | When Allow Local DNS Servers option is enabled, DNS servers from interfaces which are down, won't be added to VPN exclusion list. |
| 454369 | The URLDB plugin comes up properly now and traffic proceeds normally. |
| 454370 | The messages that communicate status of PolicySync between devices can arrive unordered. This is now fixed. |
| 454547 | Forms - Client Initiated SSO authentication handles decryption failure correctly. |
| 454550 | Proxy auto configuration now works with Internet Explorer when a URL cannot be resolved on a client. |
| 455039 | Now Citrix HTML5 Receiver v.1.3 available with Storefront 2.5 can be hosted in APM Sandbox and launched from APM Full Webtop. |
| 455113 | ACCESS::session data get has been extended to return configuration variables: ACCESS::session data get [-sid <sid>] [-secure] [-config] [-ssid <ssid>] <key> |
| 455426 | Now a user with apostrophe in the name can log in with Citrix Receiver successfully. |
| 455892 | Now APM support AGEE SSO to new Citrix StoreFront 2.5 backends. |
| 456302 | APM clients heartbeat read overrun issue is now fixed. |
| 456608 | Correct rewriting for obj.src = some_url was added to support web applications. |
| 457525 | APM removes an app tunnel resource from a webtop only if all resource items are not DNS resolvable; otherwise, the app tunnel continues to work with resource items that are DNS resolvable. |
| 457603 | Web applications with portal access using Safari on iOS now work correctly when an 'onbeforeunload' event occurs. |
| 457925 | When BIG-IP as SAML SP, IdP-initiated authentication now works with the first attempt. |
| 458199 | Resource delete handler should check for the reference by psync-dynamic-resource. |
| 458211 | The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095. |
| 458474 | Support for htmlprinting ActiveX object "CLSID:62BC5DB2-0044-4040-B366-D628F3CFD551" was added. |
| 458485 | The code is updated so that APD no longer crashes on certain VPE expressions, such as Date Time check or 'encoding' command due to a change introduced by fixing 424938. |
| 458737 | When an AD or LDAP query is in use and the query returns binary attributes with the "|" character, APM now checks whether the value contains non-printable characters, and if so, hex encodes the value. If the value is printable, APM escapes the "\" and "|" characters because "|" is used as a separator for multivalue attributes. |
| 459870 | Now BIG-IP Edge Client in Always Connected mode properly processes cancelling captive portal detection. |
| 459953 | When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged. |
| 459977 | If there is a space in value for radio or select type input, logon page does not show the input elements. This is now fixed. |
| 460030 | In case the number terminal-out in a macros is added or subtracted manually, new validation code will catch this kind of discrepancy. |
| 460062 | Access policy export works correctly even when a resource with a long name has been assigned in the policy. |
| 460762 | Citrix apps consistently start from APM Webtop when using Kerberos SSO to XML Broker. |
| 460939 | Additional exception processing (for ObAccessException from the SDK) was added to the EAM module. The module now handles this exception by displaying an error. |
| 461624 | A problem with APD in chassis that resulted in the portal access connection terminating has been fixed. |
| 462268 | There is no limit on session variable value length in the variable assign agent. |
| 462669 | For Windows Phone clients in BIG-IP APM 11.6 session.client.platform value changed from "WinP8" to "WindowsPhone". |
| 463651 | After a network access session closes, if a PPP tunnel does not get closed in some time, a cleanup is forced on server side. |
| 464159 | JavaScript: Now isolated submit() calls are handled correctly and form action paths are rewritten at such calls. The situation when submit() call refers to separate function is also supported. |
| 464687 | Now it is possible to copy an access profile that contains a Machine Cert access policy item. |
| 464748 | In portal access, a cookie with an empty or wrong expires field no longer causes a JavaScript failure. |
| 465338 | The curl-apd component (curl7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS; it is no longer affected by OpenSSL vulnerability CVE-2010-5298. |
| 465339 | The curl-apd component (curl7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS and is no longer affected by OpenSSL vulnerability CVE-2014-0198. |
| 466273 | On Mac and Linux clients, recurrent checks do not end the user session when the access policy allows access on the fallback branch. |
| 466488 | Under high load conditions when the HTTP auth agent is configured in the access policy, now the access policy daemon (APD) continues to respond. |
| 466605 | JavaScript: Portal Access variable 'r' is now a local variable. |
| 468395 | Network Access clients can reconnect now and the lease pool does not run out of IP addresses. |
| 469335 | Validation is improved to ensure that a custom URL category includes at least one URL. |
| 469754 | User that is deleted from the local user database can no long log in regardless. |
| 470214 | This version provides strengthened management of session mirroring so the system can more accurately track connection mirroring. |
| 470382 | Location-specific objects display correctly in the Policy Sync GUI whether the Location Specific check box is cleared or selected on the Static Resources screen. |
| 471893 | A problem in which the BIG-IP system, configured as a SAML IdP , might reboot tmm when executing SLO protocol in certain conditions has been fixed. |
Usability
Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier BIG-IP Edge Client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable
Behavior changes in 11.6.0
| ID number | Description |
|---|---|
| 413229 | VDI functionality is now enabled using a new VDI Profile option in virtual server settings. A default profile, vdi, is provided for ease of configuration. |
| 420104 | Java launcher helped in automatic installation of the following components (taken from http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14947.html) in the browser: 1) F5 Network Access Plug-in 2) F5 SAM Inspection Host Plug-in After the removal of Java launcher, Safari and Firefox browsers on OS X will no longer be able to do automatic installation of these components. Users will have an option (and instructions on the web page) to do a manual installation every time they install or upgrade these components. |
| 430463 | The feature flag apm_ep_grouppolicy is removed from license files generated by the F5 License Server. The corresponding functionality for Windows Group Policy has been deprecated from APM. |
| 435575 | Now users can configure native RDP clients for Windows, Mac, iOS, and Android to use APM as a Remote Desktop Gateway. |
| 454976 | Before this release, the global database (db) variable apm.ldapautoescape was used to escape special characters in session variables in the LDAP Auth and LDAP Query agents. However, using the db variable did not offer a way to escape or unescape special characters selectively. In this release, apm.ldapautoescape is deprecated. APM escapes special characters in LDAP DNs and LDAP filters by default. To unescape a specific session variable, add the suffix "":noconv"" to the session variable; for example, %{session.my.variable:noconv}. |
| 457090 | Starting from this release, Access Policy Manager matches portal access, iSession, and Mobile AppTunnel traffic against any server-specific matching virtual server enabled on the secure connectivity (tunnel) interface. If there is a match, server-side traffic goes to the matching virtual server before going out. This change is introduced to perform Secure Web Gateway-related checks on matching virtual server traffic. |
| 457590 | The VDI & Java Support check box in virtual server settings has been renamed to Application Tunnels (Java & Per-App VPN). This check box no longer controls VDI functionality. VDI is now enabled using a new VDI Profile option in virtual server settings. |
| 459568 | The following settings in the client SSL profile should no longer be configured when using the client SSL profile with Secure Web Gateway (SWG): Destination IP Bypass, Destination IP Intercept, Source IP Bypass, Source IP Intercept, Hostname Bypass, and Hostname Intercept. |
Known issues
This release contains the following known issues.
Upgrade issues
| ID number | Description |
|---|---|
| 384490 | In advanced customization, when an access policy uses an image that includes spaces in its name, problems can occur. It can be impossible to export the access policy. Problems with upgrade can also occur. Workaround: Rename the image without spaces, upload the renamed image, and change customization to support the new named image instead of the old one. |
| 417711 | After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored. |
| 421456 | Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while the password in 11.3.0 is saved as clear text. Workaround: Re-enter Kerberos SSO password after upgrade. |
| 432900 | APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this: Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso) Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory) .... 01071558:3: EPSEC - File Copy to /shared location failed Unexpected Error: Loading configuration process failed. Workaround: Create the directory /shared/apm and try to load the configuration again. |
Application access issues
| ID number | Description |
|---|---|
| 223712 | During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the logon request fails. |
| 339865 | Microsoft SharePoint 2007 with Office Integration does not work in LTM+APM mode when Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed. |
| 340549 | The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) Workaround: Create a layered virtual to catch HTTPS traffic leaving APM and forward it to a HTTPS proxy server using CONNECT. Proxy authentication is not implemented and if response status from HTTPS proxy server is not 200, then use an iRule to close the connection. |
| 343280 | When using portal access in Safari 5.X, sometimes web pages do not load properly. A bug in Safari 5.X leads to accidental loss of all HTMLElement.prototype changes when setting HTMLElement.prototype properties in a window and accessing window.frameElement from any of its frames. (The problem also sometimes occurs in other less well-defined cases.) |
| 347100 | Every time the Hometab loads, a dialog box message is displayed stating: "This Page contains both secure and nonsecure items. Do you want to continue?" To work around this problem, disable the Hometab. |
| 362325 | Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010. |
| 404899 | Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a portal access webtop. This happens only when using Internet Explorer 9. Workaround: To work around this problem, add a portal access item with the path "/sametime/stlinks/*" to the portal access resource and disable Home Tab for this item. |
| 423282 | JavaScript does not work if a page contains conditional comments inside its head tag. Workaround: To work around the problem, use an iRule. The exact commands to use depend on the situation. |
| 424936 | An extra line (that consists of "<?") appears at the top of the apm_mobile_ppc.css file and causes an error like this one: Jul 9 08:37:10 roeislfl4gm err httpd_sam[13917]: [error] [client 127.1.1.4] PHP Parse error: syntax error, unexpected '<' in /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css on line 2 |
| 431337 | The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11. |
| 434464 | If a JavaScript function contains an Internet Explorer conditional compilation directive and a 'try ... catch' block inside this directive, it becomes inaccessible before declaration after re-writing. |
| 439887 | Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM portal access from the Chrome v.31.x browser. |
| 444767 | Access to Office365 Outlook Web Access services using portal access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365. Workaround: iRule below disables OWA offline-caching support. |
| 454306 | When HTML style attributes with HTML entities are rewritten, it results in direct or incorrect links to resources. |
| 463642 | Web-application misfunction. |
| 474730 | In some cases, a form with absolute path in the action is handled incorrectly in Internet Explorer 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted. |
| 475163 | The result of submitting an HTML form that does not have an action attribute is a 404 error and 'null' in the request URL. Workaround: Add attribute "action=''" into the HTML form tag, either by modifying the source or by using an iRule. |
Portal access issues
| ID number | Description |
|---|---|
| 360889 | For ACLs that are generated from a portal access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port. |
| 384405 | With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic Virtual, it does not take effect until the you go to the command line and type "bigstart restart tmm". The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content. |
| 389881 | The portal access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3. |
| 406040 | If an application uses a non-standard location for favicons (as permitted by the LINK meta tag) and you use Internet Explorer 10 for access to the application, then the BIG-IP system creates a new session for that URI. If you use Google Chrome version 25 or above, the BIG-IP system closes the current session during fetching favicons from the non-standard location. Related change in Google Chrome: https://code.google.com/p/chromium/issues/detail?id=114082 Workaround: An example of an iRule workaround is as follows: when HTTP_REQUEST { if { [string tolower [HTTP::path]] ends_with "favicon.ico" and [HTTP::cookie "MRHSession"] eq " } { ACCESS::disable } } |
| 425142 | When a customized server-agent header is configured via the http profile, the server header when adding APM doesn't change. Workaround: Admin can use an iRule to change the server header. (HTTP::header replace Server [<string>]) |
| 426492 | Multidomain SSO does not support custom ports. For multidomain SSO, redirection back to the virtual server that was used for initial session access always goes back to a standard 80/443 port. The virtual server used for initial session access must be on port 80/443. For example, suppose we set up a virtual server for https://siterequest.com:8888. Accessing this URL redirects to the primary virtual server, and login proceeds normally. Afterward, the redirect back to the initially accessed virtual server goes to https://siterequest.com on the standard 443 port. This occurs for multidomain SSO and nonstandard ports on the virtual server used for initial access. Administrators cannot configure multidomain SSO on ports other than 80 or 443. To work around the problem, only use ports 80 and 443. |
| 426963 | When the client sends an HTTP post with an expect 100-continue, APM will fail to forward it to the backend server. The client will wait about 3 seconds to timeout before sending the actual data of the post request. |
| 428268 | Some URLs might contain '&' separated parameters. If each '&' separated parameter is not followed with an equal sign (=), the APM system does not recognize it as a proper query string, and the redirection from the primary virtual server back to the secondary virtual server will be incorrectly parsed. Workaround: URL-Encode "&" and "=" in original URL before passing it to APM. Or follow every parameter with "=" or "=value". Both workarounds require application changes. |
| 428894 | When a user logs in with Multidomain SSO, some cookies are set. At logout, one set of these cookies does not have a domain set, and are not deleted. Workaround: Clearing the cookies allows the user to log in again. The problem does not seem to occur if you change "Cookie Scope" to "Domain" instead of "Host". |
| 439965 | BIG-IP APM currently cannot handle multiple browser tabs trying to create sessions at the same time. The most common example is saving multiple homepages in a web browser. When the web browser opens, requests from these tabs are sent within milliseconds. This can cause very unpredictable behavior where sometimes it will function correctly, and other times there will be connection resets or the user will see error pages. If the user is already authenticated and has a session, then multiple tabs can be opened. However, there is no workaround for session creation. |
| 441284 | With APM and ASM configured, the http "username" will always be inserted on the client-side of the proxy, and removed on the server-side. Any existing "username" headers will be removed in this process. Workaround: "when ACCESS_ACL_ALLOWED { set myusername [HTTP::header username] } when HTTP_REQUEST_RELEASE { if { [info exists myusername] } { HTTP::header replace username $myusername } }" |
| 441913 | When a large number of resources (more than 25) is assigned to access policy with full webtop, the system displays an empty webtop when accessed second time. Workaround: To work around the problem, you can only use fewer resources. |
| 460590 | If one of two name servers returns a response of "No such name" for a domain query, then the same domain query will not be tried in the second name server. |
| 461327 | Most of the time when ACCESS_SESSION_CLOSED is raised, it happens during session expire or an explicit logout. In such cases, no flow is attached to the event. As a result, if an asynchronous command were to be used in this event, it would not have a flow to park on - hence, ACCESS_SESSION_CLOSED was never designed to support such commands. Workaround: Do not use asynchronous commands in ACCESS_SESSION_CLOSED. |
| 468130 | When Kerberos auth is used with RBA enabled, the first POST request sent to the BIG-IP system could replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider and the http-post SSO binding is used. Workaround: Disable RBA in Kerberos agent. |
| 471331 | Sometimes the APM RBA plugin resets and writes an error to the log that includes this phrase: [0x19fd874:459] Internal error (APM::RBA requested abort (trans end error)). The problem can happen intermittently and usually occurs when multiple tabs are used. |
| 471421 | When there is a high load on the system and a user changes an access policy, it can lead to slow rendering of the webtop or the access page. |
| 473092 | After evaluating the access policy with an on-demand cert auth agent, there will be a connection reset. |
| 473592 | The external logon page is unable to find the original landing URI for a request, leading to a reset when the access policy completes. |
Client issues
| ID Number | Description |
|---|---|
| 223583 | Inside PWS on Windows Vista, a user can create folders only in some locations using the context menu; that is, only a "Folder" item appears on the "New" menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder. Workaround: Files can be created on the Desktop and then moved to the desired location. |
| 376615 | Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux CLI. To work around this problem, configure the access policy so that the Logon page agent is before the On-Demand Cert Agent. Workaround: To work around the problem, put the Logon page agent before the On-Demand Cert Agent in the access policy. |
| 393043 | During an APM remote connection, the progress bar might not render correctly on a Linux system when using the Chrome browser. |
| 399552 | CD/DVD burning through SPTI inside PWS works even though the policy disallows it. |
| 404890 | This is a rare issue that happens for Internet Explorer when pop-up screens are set to be blocked by browser. When you launch a Java app-tunnel for the first time in Internet Explorer, the message "Allow pop-ups for this site?" is displayed. In rare cases, when you click Allow once, the Java app-tunnel freezes in the Initializing state and cannot be used. Workaround: To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools > Internet options in Internet Explorer. |
| 409233 | VMware View Client becomes unresponsive for about one minute after associated APM session is terminated by administrator. |
| 420550 | WYSE client cannot launch any application if the APM session expired. |
| 428904 | Printer redirection and keyboard redirection ('special keyboard commands') in non-fullscreen mode do not work on Win7/Win8 |
| 432020 | By default, Internet Explorer 11 starts with Enhanced Protected Mode enabled and the browser process runs inside AppContainer. Enhanced Protected Mode (AppContainer technology) in Internet Explorer 11 prevents the interception of connection requests. As a result APM App tunnels cannot redirect traffic to a proxy running on the loopback address. To work around the problem, you have 2 options to choose from: 1. Disable Enhanced Protected Mode in Internet Explorer 11 and 2. Add the backend server to the Trusted or Intranet Sites List. |
| 432515 | The external logon page does not post the 'Action required' pop-up dialog box of BIG-IP Edge Client. Workaround: To workaround this issue, you must inject the following Javascript code into the External Logon page: <body onload="OnLoad()"> ... <script language="javascript"> function OnLoad() { try{ if ( "undefined" != typeof(window.external) && "unknown" != typeof(window.external) && "undefined" != typeof(window.external.WebLogonNotifyUser) && "unknown" != typeof(window.external.WebLogonNotifyUser) ){ window.external.WebLogonNotifyUser(); } }catch(e){alert(e)}; } </script> |
| 434831 | When the client connects to APM (with Safari) and launches the Application Tunnel, the tunnel will be created, but the application configured to launch will not. There is no error, only indication is that application is not started by the Application Tunnel. |
| 440375 | Under the Built-in Administrator account inside Protected Workspace, a VPN connection cannot be established if VPN components are not installed already. Workaround: Install VPN components before Protected Workspace on an account other than Built-in Administrator. |
| 440380 | Citrix Receiver for iOS may fail to connect throught APM in integration mode when ICA file generated by backend is missing the following properties: DoNotUseDefaultCSL=On, HTTPBrowserAddress=!, LocHttpBrowserAddress=! |
| 462985 | Remote Desktop session terminates after TCP idle timeout without any activity from the client. Workaround: Configure AD policy: Set "keep-alive connection interval" of 1 minute for the terminal servers: http://technet.microsoft.com/library/cc731606.aspx Set "idle session limit" to "Never" for Remote Desktop Services sessions: http://technet.microsoft.com/library/cc754272.aspx Increase TCP idle timeout to 900 seconds on the BIG-IP system if the RDP clients that you support do not send keep-alive packets. |
| 466454 | APM PCoIP Proxy cannot connect to a View Desktop (either native or HTML5) that advertises its address as an FQDN. Workaround: To work around the problem, reconfigure View Desktop so that it returns an IP address. |
| 469110 | Microsoft Remote Desktop for iOS might hang if invalid credentials are entered. Workaround: Restarting the Microsoft Remote Desktop for iOS application and entering valid credentials remedies the issue. |
| 469727 | Users are unable to launch the Citrix HTML5 client from the APM Webtop. To work around this issue, perform the following steps: 1. Go to Access Policy->Hosted Content->Manage Profile Access. 2. Select the check box next to the Access Profile that is associated with the Citrix Virtual Server and click OK. |
| 471117 | If an HTML page contains an iframe with JavaScript code in 'src' attribute, some web applications might not work correctly through portal access in Internet Explorer 11. |
| 472382 | VMware View Logon page for RADIUS does not display challenge message when challenge occurs on RADIUS server Workaround: Use RSA instead. |
| 477090 | The View Connections Server Settings for a VMware Horizon View server include Blast Secure Gateway settings. To be able to launch VMware View sessions from an APM webtop using an HTML5 client, ensure that the check box, Use Blast Secure Gateway for HTML access, is cleared. |
| 477841 | On OS X 10.10 systems, Safari 8 does not use Network Access proxy settings that are applied to the system. A user can launch Network Access proxies on other browsers, excluding Safari 8. |
| 483113 | On OS X 10.10 systems, when a user displays a list of servers, white squares appear next to each server name in the list. The Remove Server icon that displays to the right of each server name also displays a white background. |
| 483107 | On OS X 10.10 systems, the BIG-IP Edge Client icon is highlighted if the user taps the icon. The highlight does not disappear until the user exits BIG-IP Edge Client. |
| 477843 | On OS X 10.10 systems, BIG-IP Edge Client displays the throughput as black text on the black menu bar. A user finds it difficult to read the text. |
| 479242 | On OS X 10.10 systems, Network Access does not work with modes such as Split Tunneling or Force all traffic. After a connection is established, the connection routes are not set to a MAC address route table. |
| 480595 | On OS X 10.10 systems, when a user taps Calender > New Event, the New Event page displays an empty page. |
| 480592 | On OS X 10.10 systems, the Send button on the New Message menu does not work. |
| 495235 | To use the Reuse Windows Logon Credentials option, you must include an uncustomized Logon Page action in the access policy. Other logon page actions do not support the Reuse Windows Logon Credentials option. If you add fields to the Logon Page action or if you remove F5-provided JavaScript from it, Windows logon credentials are not reused and the BIG-IP Edge Client prompts for credentials. This is expected behavior. |
| 505010 | Patch management checker checks for "Apple software update" on Mac which requires admin privilege to check the number of missing patches. Even when the user is logged in as admin, this check does not pass because BIG-IP Edge Client does not support privilege escalation for endpoint inspections currently. |
Network access
| ID number | Description |
|---|---|
| 342035 | A SIP client cannot communicate with a SIP server when connecting over a network access tunnel. Workaround: SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection. Configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict. |
| 351360 | Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. Workaround: To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles. |
| 356419 | On Linux, PPP routes might be lost if network access is configured with the allow local subnet option enabled. This behavior is rare. Workaround: To work around the problem, disconnect from the server using the "f5fpc -o" command and then reconnect to the server. |
| 356766 | Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot. |
| 364061 | On a Linux client, the network access Show log file link does not display the log file unless gedit is installed. Workaround: To work around this problem, install gedit on the Linux client. |
| 373889 | You can configure a network access tunnel to update a session (that is, to extend expiration time) based on a traffic threshold and a window of time. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, instead of bytes per second, bytes per 5 seconds is calculated, which is incorrect. Workaround: To work around this, select the network access resource you want to update, then select Network Settings and Advanced from General Settings. Proceed as follows: 1) Set Session Update Threshold to 5 times the desired bytes/second rate 2) Set Session Update Window to 2 or higher Note: The session life management might not be exact. |
| 383607 | After a network access client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4 to 7 minutes. |
| 398339 | When you use the Fedora OS with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. Workaround: A. Execute the following command on terminal as root user (not sudo) 1. "setsebool -P mozilla_plugin_enable_homedirs on" 2. "setsebool -P unconfined_mozilla_plugin_transition 0" B. Restart Firefox and try connecting to the APM server again. |
| 403082 | Networks Access cannot perform routing table clean-up if user closes browser windows without logouting from webtop or if user closes browser window without waiting for logout process to complete. |
| 416412 | A network access webtop does not show warning windows about session expiration. A full webtop does not show warnings intermittently. |
| 423161 | When a network access session and an APM session are closed simultaneously, one of these logs is written: apm logs: "VPN Cleanup: failed to release IPv4 ERR_ARG" tmm logs: "address <p> in leasepool <lease pool> is unassigned - can't release" This happens when a network access resource and a network access webtop are assigned using the Advanced Resource Assign action, and the network access session is closed. |
| 425245 | If TM.TcpSegmentationOffload is enabled then we would see larger TCP segments size; and for network access use case icmp fragmentation needed would be seen; this increases the response time for Network access traffic mostly non-http traffic. Workaround: "Disable TcpSegmentationOffload /usr/libexec/bigpipe db TM.TcpSegmentationOffload disable" |
| 433535 | DTLS renegotiation stops after one try. |
| 435542 | In some cases re-installation of the VPN driver on Windows 8.1 requires a system reboot. Without reboot the user can be presented with this error: "The modem (or other connecting device) is already in use or is not configured properly." |
| 438056 | The APM network access client for Windows systems can fail to establish a VPN connection if the client SSL profile is configured with the options no-tls or sslv3 and the BIG-IP system selects an AES cipher. Windows Schannel API does not consider AES as a valid cipher for an SSLv3-only connection and can reject the connection to the BIG-IP system. Workaround: If you restrict client SSL to SSLv3-only you might need to exclude AES ciphers (defined in RFC3268) by adding ':!AES' to the 'ciphers' option in the client-ssl profile to work around compatibility issues with Windows clients: for example ltm profile client-ssl clientssl_ssl3_only { ... ciphers SSLv3:!AES ... } |
| 469852 | Users lose connectivity to resources through VPN when forwarding virtual servers are disabled. Workaround: The Network Access connectivity works if all the forwarding virtual servers are enabled or deleted completely. |
Admin issues
| ID number | Description |
|---|---|
| 224145 | The visual policy editor can, on rare occasions, return a non-specific failure when attempting to create new items. Workaround: The failure is transient; the request invariably succeeds on retry. |
| 359639 | Some long captions for resources can be longer than the bounding box in Firefox 7. This problem does not affect the workflow. |
| 360141 | Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin GUI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration. |
| 360734 | When previewing pages, the Preview pane does not automatically refresh when the language is switched. Workaround: Click on an item in the Preview tree pane to cause the page to refresh in the new language. |
| 360742 | When the logon page is customized in visual policy editor in multiple languages, the images appear broken. Workaround: To work around the problem, customize the logon page using localization customization. (Refer to Access Policy > Customization.) |
| 362200 | When customizing messages, you cannot use special characters, such as ', ", &, < |
| 362351 | Branch names cannot start with the word fallback in the visual policy editor. |
| 363188 | Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual server. |
| 384479 | When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments. |
| 398361 | Not all configuration objects validate and reject an object name that contains the space character. As a best practice, when you create a configuration object do not include a space in the object name. |
| 403659 | When configuring a BIG-IP system as a SAML Identity Provider, the displayed range of possible values in seconds for the assertion validity timeout is incorrect. The correct range is 1 - 86400 seconds. |
| 403722 | If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. Workaround: To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node. |
| 404765 | If you export an access policy with a SAML SP connector that uses a certificate, the certificate name (including partition) is not formatted correctly. This prevents import from working. Workaround: To work around the problem, create the SP connector and import the associated certificate on the target system. |
| 404936 | Files named core.xxxx, where xxxx is a number, are created in advanced customization directories during the build process when the customization build cores because of invalid characters in the default customization file. These core files are listed in the user interface. |
| 405352 | If you enter a bad FQDN for domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. Workaround: To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad. Note: To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response. |
| 414411 | When you use visual policy editor from the Chrome browser, images do not preload and as a result, the navigation bar flickers. Workaround: Use Firefox or Internet Explorer. |
| 419748 | After a hosted content file is referenced by a portal access resource, the file cannot be deleted, even if the link-type of the resource is not "hosted-content". Workaround: Use tmsh to clear the sandbox file reference in the resource. Example: tmsh modify apm resource portal-access <NAME> sandbox-file none Now the sandbox file can be deleted. |
| 419754 | When using a local user database instance for authentication on APM, if a user that is flagged to change password leaves the password field empty, the user is prompted again to change password. Whether the user types a new password or leaves the password field empty again, the user is prompted again to change password. Workaround: APM handles a subsequently entered non-empty password correctly. |
| 419836 | When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost. Workaround: User need to modify the file again after the change is lost. |
| 419996 | When you import users to a local user database, any first or last name with a space in it is truncated to the first space. |
| 420506 | When using the Local Database agent with a "write" action, the list of properties available includes "groups"; however, this property is a read-only property and any attempt to write to it fails. |
| 435514 | If you export an access profile in which you selected Secure Web Gateway log settings, the selections are lost. |
| 437743 | An access profile configuration that uses an SSL Certificate fails to import. This happens because of a change in the method to import SSL certificates. Workaround: You can either exclude above-mentioned objects prior to export and then recreate them after the import or (not recommended) or edit the config manually and import the SSL certificate prior to import. |
| 440177 | If you type or cut and paste an image file name into the General Customization interface, the file name does not fit the expected naming convention. After you save the file and reopen it, errors occur if you click Restore Default. Always use the image selector to change image files. |
| 451982 | In some cases the GUI will show that a Access Policy Sync Operation has failed with the specific error "The folder /Common/POLICYSYNC_ap1 cannot be deleted because it is not empty." |
| 458241 | The last system authentication profile cannot be deleted even if it is not active. Workaround: If an Admin wants to delete the associated profile they must first complete the following two steps: 1) Ensure that an Auth type other then Remote - APM Based is selected. 2) Run `tmsh delete auth apm-auth all` |
Authentication and SSO-related issues
| ID number | Description |
|---|---|
| 355490 | TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. Sometimes when the reply from the TACACS+ server is processed, "Invalid reply error message" is logged on APM. However, this message does not indicate any failure in sending the accounting STOP message to the TACACS+ server. This error message can be ignored because the accounting functionality works. |
| 355981 | APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported. |
| 367621 | Access Policy Manager does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a hostname that resolves to an IPv6 address will not work. Acess Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder and these calls do not support IPv6. |
| 399696 | Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations. Workaround: Use a variable to assign the configuration object name: set sso_config /Common/SAML-config WEBSSO::select $sso_config unset sso_config |
| 400726 | When the BIG-IP system acts as a SAML IdP, you cannot create the assertion with multi-valued attributes. When the BIG-IP system acts as a SAML SP and there is a multi-valued attribute inside the assertion, then the BIG-IP system processes only the first value of that multi-valued attribute. |
| 427745 | In APM RSA SecurID authentication, when PIN reset is required for RSA and the APM logon page is localized to use o/n (oui/non in French) or si/no (in Spanish) in place of Y/N do not work; it only accepts y or n. |
| 428387 | SAML AuthRequest and Assertion generation could fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contain special XML characters, such as [&,<,>,",']. |
| 432102 | If the RelayState parameter includes HTML and XHTML special characters, then BIG-IP as IdP or BIG-IP as SP does not process them correctly, and does not send complete RelayState value to the Peer. |
| 433242 | SAML Single Logout (SLO) does not work when all of the following are true: The BIG-IP system is acting as a SAML Identity Provider (IdP) or SAML Service Provier (SP); The other party configuration has SLO configured; The SP connector or IdP connector on the BIG-IP system is missing a SAML SLO Request URL or SAML SLO response URL. Workaround: To work around the problem, configure both SAML SLO Request URL and SAML SLO Response URL for SP and IdP connectors. |
| 434547 | Intermittently, when deleting an AAA OAM server object, the corresponding configuration does not clear from the BIG-IP system at /config/aaa/oam/<partition_name>/ . |
| 435277 | When an OAM AccessGate object is deleted from UI, the corresponding directory on Bigip (/config/aaa/oam/<partition_name>/<aaa_oam_server_obj_name>/ ) does not get deleted automatically as expected. |
| 435719 | When AD Query is configured before AD Auth in an Access Policy, and "password expiration warning" is enabled OR the user password is expired AND the user types the wrong original password, then password change fails. However, the BIG-IP system continues to prompt for new credentials until reaching the "Max Password Reset Attempts Allowed" and all attempts fail because the original password is incorrect. |
| 439452 | SAML single log out (SLO) does not work if the NameID value in the SAML Assertion contains spaces. Workaround: If the NameID value includes a space, then URL encode the space to %20. Type %20 in place of space into the Assertion Subject Value field. You configure this field when the BIG-IP system acts as a SAML Identity Provider (IdP) and you are configuring a Local IdP Service and setting Assertion Settings for it. |
| 439680 | The BIG-IP system as SP supports only rsa-oaep (as defined here: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) for key transport. When the BIG-IP system configured as SP receives a SAML assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails. The only issue here is that the error reported does not directly point to the cause of failure which makes troubleshooting more difficult. |
| 440395 | If you have an HA pair and try to reset AD cache (group cache or PSO cache), the standby node logs this misleading message: Cannot cleanup cache if other options were changed for AAA AD Server. |
| 440468 | When the BIG-IP system is configured as a SAML Service Provider (SP), APD can crash if the IdP connector object that is used specifies a single logout URL. A crash occurs only when the SP receives a SAML assertion that does not include a SessionIndex attribute in the AuthnStatement element. Workaround: To work around the problem: 1. Reconfigure IdP to send Assertion with SessionIndex attribute in AuthnStatement element, or 2. Clear single-logout-url in IdP connector object on the BIG-IP system. |
| 441537 | In APM form-based SSO (v1), the dash character '-' should not be URL-encoded for fields such as hidden parameter. |
| 442698 | The APD Active Directory module might leak memory if an exception happens. |
| 446187 | If a certain BIG-IP service is started and working and another instance of the same service is started manually, the original one spins in a loop, consumes around 100% CPU and, becomes nonfunctional. These services are affected: apd, websso, eam, acctd, aced, rba. |
| 451409 | When performing Access Policy sync with SAML resources we receive an error that the saml_sp_connector object cannot be found on the receiving device. Feb 27 13:30:40 cooper-apm-11-4-1-2 err mcpd[6222]: 01070734:3: Configuration error: Cannot find saml_sp_connector object /Common/SomethingTOSync associated with saml_sso_config object /Common/federate.f5.com-attask" Workaround: Create the saml-sp-connector on the second BIG-IP system and then perform the sync. Sync will complete successfully for the other objects. Here are tmsh commands for creating a SAML SP connector: apm sso saml-sp-connector SomethingTOSync { assertion-consumer-uri http://SomethingToSync entity-id http://SomethingTOSync.com } (It appears that when creating a new object, the order is not correct and the saml-sp-connector does not get created before the resource object.) |
| 452010 | RADIUS Authentication fails when the logon name contains non-ASCII characters. The problem is caused due to failure in conversion from UTF8 to Windows1252. |
| 452022 | System authentication using APM methods will not work if the user name and password contains Unicode characters (e.g., Chinese characters) or the symbols &, :, <, and '. |
| 461189 | Generated by BIG-IP assertion may contain HEX-encoded attributes under certain conditions. Workaround: On SP side values could be treated as HEX. |
| 463230 | If a child process is killed or cored or dies, the parent process does not restart it and the service stops serving SecureID authentication. |
| 473488 | Access policy daemon (apd) consumes about 100% CPU and puts a heavy load on the network sometimes when resolving nested groups in AD Query. The AD Group Cache updates in a loop. |
| 475049 | NTLM authentication feature requires at least one Domain Controller to be specified in the list. This is a design as NTLM authentications can cause unwanted load to the server as authentication shall be perform per connection basis, and we need to have the administrator to specify a particular server(s). There is no DC autodiscovery mechanism implemented for this by design. Having this list empty caused a unexpected behavior which authentication is not being performed, and considered a success. This Domain Controller configuration is different with Domain Controller for NTLM machine account. For this case, BIG-IP shall automatically discover one of available DCs using DNS method or administrator can specify one. We are asking the administrator to specify this DC configuration. |
| 475977 | The BIG–IP system supports exclusive canonicalization only, which is recommended in the SAML 2.0 specification. As a result, signed messages canonicalized with other algorithms are rejected by the BIG-IP system. The supported algorithm is documented at http://www.w3.org/2001/10/xml-exc-c14n#. |
| 485387 | An encrypted assertion from an external IdP can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element. BIG-IP as SP does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: - Cannot decrypt SAML Assertion - failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found. |
Secure Web Gateway issues
| ID number | Description |
|---|---|
| 504852 | Documentation provides the incorrect instructions for updating URL blocking messages. To customize messages for display after a per-request policy terminates at a reject ending, you must customize the logout messages for the access profile. 1. Select Access Policy > Customization > General. 2. From the left pane, select the Text tab. 3. Expand Access Profiles. 4. Find the access profile and expand it. 4. Expand Logout and click General. 5. In the right pane, customize the messages. 6. When you are done, click the Save icon in the toolbar. 7. Click the Apply Access Policy link at the top of the page. 8. Verify that the updated access profile is selected from the list and click the Apply Access Policy button. |
| 431077 | You cannot use tmsh to change the logging level for Secure Web Gateway content analytics. |
| 436138 | If you use Kerberos authentication with the Request Based Auth option set to Enabled and you use Secure Web Gateway explicit forward proxy, access to web sites fails. Workaround: Set the Request Based Auth option to Disabled. |
| 436224 | Secure Web Gateway transparent proxy configuration fails to authenticate user when using Kerberos with Request Based Authentication option enabled. Workaround: Set Request Based Authentication option to "disable". |
| 451849 | This information is missing from BIG-IP Access Policy Manager: Secure Web Gateway Implementations. For safe search filtering to work correctly,the URL of a supported search engine site cannot be added to a custom category. The search engine's domain must remain categorized in the Search Engines and Portals category. |
| 455284 | Ant server listens on port 54321 on all interfaces. IP table rules were added to protect ant server from security vulnerabilities. But, this is blocking traffic for port 54321 even in deployments without Secure Web Gateway where the ant server is not running. To work around this, add the following iptables to /config/startup: /sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable /sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset /sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset. |
| 479287 | When using an HTTP 407 Response or HTTP 401 Response agent in an access policy for SWG-Explicit or SWG-Transparent profile type, respectively, without additional configuration Kerberos authentication attempts always fail. The session variable, session.server.network.name, seems to be set to the actual website to which the client is trying to connect instead of to the proxy URL (virtual server proxy domain name). This results in GSS-API errors when getting credential information for Kerberos authentication. The access policy (with access profile type SWG+Explicit or SWG+Transparent) includes HTTP 407 Response (for SWG+Expliceit) or HTTP 401 Response (for SWG+Transparent) and Kerberos Auth actions and an Allow ending. (For APM versions earlier than 11.6.0, the access policy would include an SWG Scheme action before the ending.) Users cannot authenticate to the SWG-Explicit or the SWG-Transparent proxy if attempting to use Kerberos authentication. To work around the problem, add a Variable Assign agent to the access policy after the HTTP 407 Response (or HTTP 401 Response) action. Add a Variable Assign entry as follows. Type this custom variable in the left pane: session.server.network.name and, in the right pane, select Text and type the appropriate domain name. |
Other issues
| ID number | Description |
|---|---|
| 294032 | When you access an older version of APM software using the Windows system client and a pre-logon antivirus check is configured, the OPSWAT AV control gets loaded into your browser. The control does not unload successfully and, as a result, the antivirus check fails. You cannot log on until the control is unloaded. Workaround: Reboot the client system. |
| 371015 | On chassis platforms, in some scenarios, more than one value is displayed under the 'Local Time' column in the 'All Sessions' report. |
| 382390 | OCSP authentication support for the Machine Cert agent does not work. |
| 383464 | In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian. |
| 383511 | The Device EPSEC Status screen should reflect the recent status of all devices in the device group. When a request to see the device status of a device group is made, the Changes pending link displays. After sync, the link should disappear and the status should be displayed. Workaround: Perform "Sync from group" by clicking the Changes pending link and navigate to the Device EPSEC Status screen. The status displays. |
| 415262 | If you use tmsh to create a connectivity profile and set another connectivity profile as the parent, the profile that you create does not inherit this information: Win/Mac Edge client, Server List, Location DNS list, All Mobile client settings. |
| 424704 | Profile Access is a prefix for the names of Access Profile, Access Policy Actions, and Access Policy Agents. If you copy an access profile and Profile Access is very long, there is a possibility that the copy might result in an invalid configuration. Workaround: If such configuration existed it necessary to manually edit bigip.conf with following steps: 0. Backup bigip.conf 1. Determine which actions share the same agent 2. Duplicated agent with different names 3. Change one action to use agent created on step 2. 4. Save edit bigip.conf 5. Reload configuration. |
| 431149 | In scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode), the error "Access Policy configuration has changed on gateway" might be displayed when a user connects to a virtual server. |
| 436196 | Searches on event logs for Secure Web Gateway time out when the number of records is close to the maximum, 1 million, that can be stored. Workaround: Simple custom search works fine. |
| 440203 | When you use an iApp to create an APM service, after the access policy and related objects are created, the notification Apply Access Policy on the GUI might still be enabled. This happens even though the generation number in the corresponding access profile has been increased by 1. To disable this notification, you can click the Apply Access Policy link. Workaround: Click the "Apply Access Policy" to turn off this notification. Another workaround is to modify the iApp script by putting the command "tmsh modify apm profile access <NAME> generation-action increment" into a different transaction. This can be done by creating a shell script from the iApp script. The shell script consists of two lines: sleep <SAY 5 SECONDS> tmsh modify apm profile access <NAME> generation-action increment Then in the iApp script execute this shell script in the background. |
| 441482 | Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms. This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.) Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.' Workaround: You may provision APM plus SWG only on platforms with 8 GB of memory or more. To use APM and SWG together on platforms with exactly 8 GB of memory, LTM provisioning must be set to None. (To do so, uncheck the box next to Local Traffic (LTM) on the Resources Provisioning screen, if applicable.) To fully support the LTM-APM-SWG combination, reserve at least 12 GB of memory for VE instances, or at least 16 GB for vCMP guests on BIG-IP or VIPRION platforms. |
| 452059 | When the storage partition for MySQL is full and the system is under a heavy load, logd can go into a busy wait looping state. Workaround: To work around the problem, clean up the disk partition of MySQL. |
| 452321 | APM does not support more than one traffic group with different HA order. Here is an example configuration: cm traffic-group /Common/traffic-group-1 { ha-order { /Common/RM-F5-SKY.IT-01.sky.local } unit-id 1 } cm traffic-group /Common/traffic-group-2 { ha-order { /Common/RM-F5-SKY.IT-02.sky.local } unit-id 2 } This configuration causes the creation of an Active/Active HA pair and APM does not support this configuration. |
| 457773 | The wrong datatype is used to represent the apmAccessStatCurrentActiveSessions OID. |
| 464693 | The following schema changes were made in 11.6: Removed all attributes for swg-scheme except name, and description; Removed all attributes for Endpoint-window-group-policy agent because it is no longer supported; Removed the fetch-nested-groups attribute for the AAA LDAP agent. |
| 472256 | When running the command "tmctl profile_access_stat", the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur may be unusually high. name vs_name sessions_tot estab_sessions_tot -------------- ----------------- ------------ ------------------ /Common/MyVirt /Common/MyVirt_vs 1 2 /Common/access _listener 0 0 _tmm_apm_acl _listener 0 0 access _listener 0 0 sessions_active_cur sessions_eval_cur sessions_estab_cur sessions_logout -------------------- -------------------- ------------------ --------------- 18446744073709551615 18446744073709551615 0 2 0 0 0 0 0 0 0 0 0 0 0 0 sessions_admin_term sessions_misc_term acc_policy_allow acc_policy_deny ------------------- ------------------ ---------------- --------------- 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 acc_policy_redir acc_policy_redir_session allowed_requests denied_requests ---------------- ------------------------ ---------------- --------------- 0 0 7 0 0 0 0 0 0 0 0 0 0 0 0 0 Same issue also happens when showing profile access stat in tmsh: root@(c2400-vcmp5mgmt)(cfg-sync Standalone)(/S3-green-P:Active)(/Common)(tmos)# show apm profile access MyVirt ---------------------------------------------------------- ACCESS Profile: MyVirt ---------------------------------------------------------- User Session Statistics: ---------------------------------------------------------- total sessions: 1 total established sessions: 2 current active sessions: 18446744073709551616.0E current pending sessions: 18446744073709551616.0E current established sessions: 0 sessions terminated due to user logged out: 2 sessions terminated due to admin termination: 0 sessions terminated due to timeout or errors: 0 sessions resulted into allow ending: 2 sessions resulted into deny ending: 0 sessions resulted into redirect ending: 0 sessions resulted into redirect ending with session: 0 requests allowed by ACL: 7 requests denied by ACL: 0 |
| 657732 | After you generate log message reports in APM and export them to CSV files, the CSV files contain only the parameters for the log messages. To rebuild the actual log messages from the CSV file requires log templates and they are not available. This occurs when exporting to CSV by navigating to Access Policy :: Reports: View Reports : General Reports: System Messages : Run Report (right-click) : displaying log messages : Export to CSV File. CSV log files are hard to interpret without the log templates and the templates are not available. (Beginning in version 12.0.0, log messages in CSV reports generated and downloaded from the APM UI include complete log messages.) |
Windows 7 Support Known issues
| ID number | Description |
|---|---|
| 436201 | Internet Explorer 11 ignores the X-UA-Compatible tag when Internet Explorer 11 specifies it after a script tag in the HTML head. |
| 435566 | Internet Explorer 11 always prompts to save credentials on the APM logon page. |
| 437652 | Internet Explorer 11 generates security exception with document.write()call in HTTPS. |
| 4431337 | Internet Explorer outputs a JavaScript error when you click the LinkedIn button. |
| 440785 | When using Internet Explorer 11 with enabled EPM on Windows 7 (64 bit),the APM full webtop is empty. |
| 432668 | On Windows 7 Protected Workspace does not exit after user logs out from BIG-IP APM. |
| 437485 | When you log into SharePoint 2013, go to Recent > Announcements > New Announcements, and click the Calendar icon that is located opposite of the Expires field, the Calendar does not show up. |
Windows 8.1 Support Known issues
| ID number | Description |
|---|---|
| 386472 | Rewritten SharePoint uses HTTP instead of DAV when user open file through direct link or context menu. |
| 417139 | Modifying Session state through iRules may cause issues over Gx. To work around this issue, do not modify the session state if session is active. |
| 431083 | When you download and install an old VPN driver, and then select Update Driver Software, the VPN driver does not update. |
| 439280 | If client components without BZ430965 fixed are installed and then uninstalled on Windows 8.1 F5 Networks VPN Adapter will be uninstalled only partially. A subsequent attempt to install VPN Adapter driver on such client machine may lead to BSOD. To work around this issue, you must uninstall the VPN Adapter driver completely.
|
| 441830 | If you have an older VPN driver (such as 7050, 2011, 607, 846 10.2.4 HF7), when you try to update components with a browser or package and establish a connection, you will get either an error or a BSOD. |
Contacting F5 Networks
| Phone: | (206) 272-6888 |
| Fax: | (206) 272-6802 |
| Web: | http://support.f5.com |
| Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.
