Release Notes : BIG-IP 11.5.0 LTM and TMOS Release Notes

Applies To: BIG-IP LTM 11.5.0
Original Publication Date: 03/18/2018 Updated Date: 04/18/2019

Summary:

This release note documents the version 11.5.0 release of BIG-IP Local Traffic Manager and TMOS. You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x.

Supported platforms

This version of the software is supported on the following platforms:

Platform name                                                    Platform ID
BIG-IP 800 (LTM only)                                            C114
BIG-IP 1600                                                      C102
BIG-IP 3600                                                      C103
BIG-IP 3900                                                      C106
BIG-IP 6900                                                      D104
BIG-IP 8900                                                      D106
BIG-IP 8950                                                      D107
BIG-IP 11000                                                     E101
BIG-IP 11050                                                     E102
BIG-IP 2000s, BIG-IP 2200s                                       C112
BIG-IP 4000s, BIG-IP 4200v                                       C113
BIG-IP 5000s, BIG-IP 5200v, BIG-IP 5050 (requires 11.4.1 HF3)    C109
BIG-IP 7000s, BIG-IP 7200v, BIG-IP 7050 (requires 11.4.1 HF3)    D110
BIG-IP 10000s, BIG-IP 10200v                                     D113
BIG-IP 10050 (requires 11.4.1 HF3)                               D112
VIPRION B2100 Blade                                              A109
VIPRION B2150 Blade                                              A113
VIPRION B2250 Blade                                              A112
VIPRION C2200 Chassis                                            D114
VIPRION C2400 Chassis                                            F100
VIPRION B4100, B4100N Blade                                      A100, A105
VIPRION B4200, B4200N Blade                                      A107, A111
VIPRION B4300, B4340N Blade                                      A108, A110
VIPRION C4400, C4400N Chassis                                    J100, J101
VIPRION C4480, C4480N Chassis                                    J102, J103
VIPRION C4800, C4800N Chassis                                    S100, S101
Virtual Edition (VE)                                             Z100
vCMP Guest                                                       Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory on the platform or provisioned guest. For vCMP support and for Policy Enforcement Module (PEM), Carrier-Grade NAT (CGNAT), and the BIG-IP 800 platform, the following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
  • PEM and CGNAT supported platforms
    • VIPRION B2150, B2250, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition)
    • PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
  • BIG-IP 800 platform support
    • The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category).

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Note that GTM and LC do not count toward the module-combination limit.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:

  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 11.5.0 Documentation page.

New in 11.5.0

Security

ECC and DSA support for multiple client cert/key assignment in SSL client profiles

The BIG-IP system now supports Elliptic Curve Cryptography (ECC) and Digital Signature Algorithm (DSA) certificates in the client SSL profile, in addition to the existing RSA certificate support. This tracks certificate authorities that now issue RSA, ECC, and DSA server certificates. Configuration options in the client SSL profile let you assign multiple certificate/key pairs, one per key type, so that the system can present the certificate that matches the cipher suite negotiated with each client.

AES-GCM support for TLS version 1.2 for RSA and ECC Ciphers

The BIG-IP system now supports Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) cipher suites with RSA and Elliptic Curve Cryptography (ECC) key exchange for Transport Layer Security (TLS) version 1.2. These are the suites defined in IETF RFCs 5288 and 5289. Because the AES-GCM suites are defined only for TLS 1.2, a client that negotiates TLS 1.0 or 1.1 cannot use them and falls back to the other suites in the profile's cipher list.

STARTTLS support for SMTP traffic

Using the new SMTPS profile type, you can activate support for the industry-standard STARTTLS extension to the SMTP protocol. When you create an SMTPS profile, you instruct the BIG-IP system to allow, disallow, or require STARTTLS activation for SMTP traffic. The STARTTLS extension upgrades a plain-text connection to an encrypted connection on the same port, instead of using a separate port for encrypted communication. Only the require setting guarantees that mail is not accepted in plain text: with allow, a client that never issues STARTTLS, or whose STARTTLS advertisement has been stripped in transit, continues unencrypted.

Enable/ Disable SSL Forward Proxy based Data Group Entries

A new iRule command conditionally turns off SSL forward proxy for a connection, and a new on-box iRule uses that command, keyed on data group entries, to decide which traffic to exempt from interception.

iControl Support for PKCS#12 Encrypted Password Container Format

This release supports PKCS#12 via iControl. PKCS#12 is a password-protected container format that bundles a private key with its certificate (and, optionally, the issuing chain); the contents are encrypted under the container password, so treat that password as a secret and not as a file attribute.

Improved PKCS#11 Interface Performance

This release contains performance enhancements to the PKCS#11 integration.

SafeNet Luna SA HSM integration with BIG-IP system

SafeNet Luna SA is an external HSM that is now available for use with BIG-IP systems. Because it is a network-based appliance, rather than an internal card-based solution, you can use the SafeNet Luna SA solution with the majority of BIG-IP appliances that run 11.5.0, including the BIG-IP Virtual Editions (VE).

Enhanced security for environments with stateless network traffic

VLANs on the BIG-IP system now include an optional configuration setting that causes the system to load balance traffic, using a round robin algorithm, across TMM instances. When enabled, this feature ensures that the system distributes packets evenly across TMM instances. By load balancing packets in this way, the system can prevent events such as certain types of DDoS attacks designed to send all packets to a subset of TMM instances as a way to overload the system.

BIG-IP 7200v HSM and SSL

This release features support for the new BIG-IP 7200v-FIPS Hardware Security Module (HSM) and Turbo SSL models within the BIG-IP 7000 series appliances. The 7200v-FIPS HSM model includes a FIPS 140-2 Level 2 certified internal HSM card that offloads SSL/TLS processing with industry leading bulk crypto throughput and protection of private keys. The 7200v-SSL model delivers the highest SSL performance in its class enabling organizations to maximize SSL offloading from overburdened servers and provide in depth protection for web applications. For more information, see Platform Guide: 7000 Series and the BIG-IP System HARDWARE DATASHEET.

VIPRION 2200

This release provides support for the new VIPRION 2200 platform, a two-blade chassis that supports B2000 Series blades. You must install BIG-IP version 11.5.0 or greater on all blades used in this chassis. For more information, see Platform Guide: VIPRION 2200.

Application Fluency

TCP Enhancements

This release includes several user-configurable TCP enhancements to optimize traffic for mobile users, including multi-path TCP (MPTCP) support, additional congestion control algorithms (Woodside, Illinois, Hamilton), and rate pacing per TCP connection to prevent bursty packet transmission. Two pre-configured TCP mobile optimized profiles target service providers and enterprise environments.

Proxy Mode for HTTP profiles

This release introduces a new Proxy Mode setting for HTTP profiles. In previous releases, when the BIG-IP system functioned as a forward proxy or transparent proxy server, and the system detected malformed or unknown HTTP traffic, the default behavior was to deny the traffic and drop the connection. With the Proxy Mode feature, you can configure the BIG-IP system to manage responses from multiple servers, allow and deny connection requests from browser traffic, and forward invalid HTTP traffic to a specific server instead of dropping the connections. This feature is particularly useful for service providers who require more flexibility in the way that the BIG-IP system manages invalid or unknown HTTP traffic.

SOCKS Profile

You can now use the BIG-IP Local Traffic Manager SOCKS profile to configure the BIG-IP system to handle proxy requests and function as a gateway. By configuring browser traffic to use the proxy, you can control whether to allow or deny a requested connection.

BER/DER encoding and decoding

This release provides BER/DER encoding/decoding iRule primitives for building traffic management solutions for protocols such as LDAP and SNMP.

Microsoft SQL Server Proxy

This release adds a profile for Microsoft SQL Server environments. It natively parses the Tabular Data Stream (TDS) protocol, proxies basic authentication, and routes connections based on the SQL command or the user. You can layer on additional traffic management functions such as priority pool activation, the MS SQL monitor, client-side SSL, and OneConnect.

FIX Protocol Profile

The BIG-IP system provides a FIX profile for Financial Information eXchange (FIX) tag substitution and load balancing based on tags, for example, SenderCompID. When a client's tags and an institution's tags are not equivalent, tag substitution can be performed. Because the BIG-IP system natively parses and validates the FIX protocol, it can provide context-aware routing of connections. If a FIX message passes syntax and checksum verification, the BIG-IP system allows transmission, triggers the FIX_MESSAGE iRule event, and optionally logs the message. If a FIX message is invalid, the BIG-IP system logs the error and either disallows transmission or drops the connection, as configured in the profile.

ePVA support UDP Transport

ePVA now offloads UDP traffic when the virtual server uses the FastL4 profile.

Pre-Defined groupings for Analytics

In this release, Administrators can create groups of IP addresses; both IPv4 and IPv6 addresses are supported in a grouping. The subnet groupings are global per device and are not configurable on a per application basis to avoid subnet name conflicts. Subnet groupings cannot be used together with geo locations; a user can view either subnets or geography.

Infrastructure

iControl REST

This release introduces iControl REST, a REST interface that lets you run tmsh commands remotely. iControl REST APIs are available for all BIG-IP product modules. tmsh versioning was added to provide script compatibility between BIG-IP versions.

Network Virtualization Tunnels

This release introduces Layer 3 gateway functionality and support for the VXLAN (Unicast), NVGRE, and Transparent Ethernet Bridging tunnel types used in deploying virtualized networks.  

IPsec Tunnel Interface

This new tunnel interface framework enables an IPsec tunnel to be used like any BIG-IP VLAN. Using this feature gives you more flexibility in associating IPsec with other objects in the BIG-IP system, such as static routes and virtual servers.

HA group failover for traffic groups

Prior to this release, the HA group feature of the BIG-IP system calculated a single HA health score per device, and if the score fell below a configured threshold, the system initiated the failover of all traffic groups on the device. With this release, you can configure a separate, unique HA group for each traffic group instance on a device, causing the BIG-IP software to calculate a separate health score for each traffic group instance on a device. The result is that the system can initiate failover for a specific traffic group according to the needs of the application traffic associated with that traffic group. For example, if you create traffic-group-2 containing the virtual IP address 192.168.20.10, and you create an HA group based on trunk health and assign it to the instance of traffic-group-2 on device Bigip_A, then that instance of traffic-group-2, if active on Bigip_A, fails over to another device in the device group whenever the number of links falls below the specified threshold.

New utility for DSC configuration

For BIG-IP users who need to expediently set up device service clustering (DSC) on an existing system, this release includes a separate Run Config Sync/HA Utility wizard, available within the BIG-IP Configuration utility on the About tab of the navigation pane. This wizard is similar to the Setup utility but focuses on DSC-related tasks only, such as setting up device trust and device groups, as well as configuring config sync, failover, and connection mirroring.

Appliance mode for vCMP guests

On a vCMP system, you can now enable or disable Appliance mode for each guest individually, with no need to include Appliance mode in the BIG-IP system license. Enabling appliance mode for a guest adds an additional layer of security by ensuring that administrators for the guest use the BIG-IP Configuration utility and the Traffic Management Shell (tmsh) only, with no access to the root account and the Bash shell.

Software update availability check

This release provides the ability to check the F5 Networks downloads server for software updates for your system. By default, the system automatically checks the downloads server weekly. When there are no updates for your system, the system indicates that; when there are, you can click a link to go to the downloads server to retrieve the most recent release/hotfix, EUD, EPSEC, and geolocation version. You can find Update Check on the Software Management submenu.

DAG Round Robin disaggregation

The new DAG Round Robin feature for VLANs prevents stateless traffic from overloading a few TMM instances, instead load balancing the traffic among TMMs evenly rather than using a static hash. Stateless traffic in this case includes non-IP Layer 2 traffic, ICMP, some UDP protocols, and others. DAG Round Robin is particularly useful for firewall and Domain Name System (DNS) traffic, and can help prevent certain types of DDoS attacks, such as an ICMP DDoS attack that can overload the system by sending the same packets repeatedly to a specific subset of TMMs.

ZebOS Updates

This release provides an update to ZebOS 7.10.2, as well as additional OSPFv3 enhancements (OSPFv3 NSSA support, OSPFv3 Multiple Address Family support (RFC 5838), BFD support for OSPFv3)

CGNAT

CGNAT :: PPTP ALG Profile

This release provides a Point-to-Point Tunneling Protocol (PPTP) application layer gateway (ALG) profile that lets the BIG-IP system forward a PPTP virtual private network (VPN) tunnel through CGNAT: the ALG tracks the PPTP control connection on TCP port 1723 and the GRE data connection it negotiates, so that both sides of the NAT agree on the call. You configure it by creating a PPTP profile and assigning it to a virtual server. The ALG forwards the tunnel and adds no encryption of its own; the tunnel is only as secure as the PPTP implementations at either end.

CGNAT :: BIG-IP Deterministic NAT utility

This release provides improvements to the BIG-IP Deterministic NAT utility (dnatutil), which can now interpret logs from version 11.4 and later. Given a subscriber's internal address, dnatutil lists the external address and port ranges that subscriber can be mapped to (forward map); given an external address and port, it identifies the subscriber (reverse map). dnatutil is now packaged to install and run on CentOS or Debian based Linux systems using archived logs, is not tied to a specific version or platform of BIG-IP, and lets you store and process logs from any supported DNAT log destination, including LTM, remote syslog, and Splunk.

CGNAT :: 6rd Support

The 6rd (rapid deployment) feature is a solution to the IPv6 address transition. It provides a stateless protocol mechanism for tunneling IPv6 traffic from the IPv6 Internet over a service provider's (SP's) IPv4 network to the customer's IPv6 networks.

PCP

This release of BIG-IP software supports the Port Control Protocol (PCP), specified in RFC 6887. Client-side applications and devices (such as BitTorrent clients and game consoles) use PCP to control the Network Address Translation (NAT) mappings that apply to them. A PCP client can request an address mapping (for example, internal 192.168.25.10 to external 172.14.2.34) for itself or on behalf of another client machine, and PCP servers on NAT and Carrier-Grade NAT (CGNAT) devices honor that mapping. The client can then advertise its public-side address to its peers. The BIG-IP system is a CGNAT device that acts as the PCP server for such mappings.

IPFIX for CGNAT

This release of BIG-IP software supports IPFIX and NetFlow V9 logging. IPFIX is a set of IETF standards. This version of BIG-IP software supports logging of CGNAT translation events and AFM events over the IPFIX protocol. This implementation conforms to the IPFIX protocol specified in RFC 5101, and the information model described in RFC 5102.

Good, Better, Best

Maximized Enterprise Application Delivery Value

To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.
Good
Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
Better
Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
Best
Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
You can learn more about these new software bundles from your F5 Networks Sales Representative.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method: Install to an existing volume, migrating the source configuration to the destination
Command: tmsh install sys software image [image name] volume [volume name]

Installation method: Install from the browser-based Configuration utility
Command: Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
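The checklist and tips above amount to a procedure, and the parts of it that a script can verify before anyone types the install command are worth automating. The following Python script is an added example, not F5 code or anything from these release notes. Its assumptions: the image and the .md5 file published with it on F5 Downloads are both in /shared/images (the sidecar format assumed is "<hex digest>  <file name>"); the output of tmsh show sys software status has been captured into a string (SAMPLE_STATUS is a constructed stand-in, not real device output); and the operator supplies the UCS name. The script refuses to target the active volume, verifies the image checksum, and only then returns the tmsh commands (UCS backup, install, watch) for the operator to run.

```python
"""Pre-flight for `tmsh install sys software image <iso> volume <volume>`.

Added example, not part of the release notes. Assumptions: the ISO sits in
/shared/images beside the .md5 file published with it on F5 Downloads (format
"<hex digest>  <file name>"), and the text of `tmsh show sys software status`
has been captured; SAMPLE_STATUS below is a constructed stand-in for it.
"""
import hashlib
import os
import re

VOLUME_RE = re.compile(r"^HD\d+\.\d+$")  # volume names look like HD1.3

# Constructed sample of `tmsh show sys software status` output (not real device output).
SAMPLE_STATUS = """\
----------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build   Active  Status
----------------------------------------------------
HD1.1   BIG-IP   11.4.1   608.0   yes     complete
HD1.2   BIG-IP   11.2.0   2446.0  no      complete
"""


def parse_software_status(text):
    """Rows of the volume table as dicts; header and rule lines are ignored."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and VOLUME_RE.match(f[0]):
            rows.append({"volume": f[0], "product": f[1], "version": f[2],
                         "build": f[3], "active": f[4] == "yes", "status": f[5]})
    return rows


def active_volume(rows):
    """The single active volume; anything else means the status was misread."""
    active = [r["volume"] for r in rows if r["active"]]
    if len(active) != 1:
        raise ValueError("expected one active volume, found %r" % active)
    return active[0]


def md5_of_file(path):
    """Streamed MD5 so a multi-gigabyte ISO is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_iso(images_dir, iso_name):
    """Check the ISO against its .md5 sidecar; return the digest on success."""
    iso = os.path.join(images_dir, iso_name)
    if not os.path.isfile(iso):
        raise IOError("missing image %s" % iso)
    with open(iso + ".md5") as fh:
        expected = fh.read().split()[0].lower()  # assumed sidecar format: "<hex>  <name>"
    actual = md5_of_file(iso)
    if actual != expected:
        raise ValueError("MD5 mismatch for %s: %s != %s" % (iso_name, actual, expected))
    return actual


def plan_install(images_dir, iso_name, target, status_text, ucs_name):
    """Return the tmsh commands to run, or raise if the request is unsafe."""
    if not VOLUME_RE.match(target):
        raise ValueError("bad volume name %r" % target)
    if target == active_volume(parse_software_status(status_text)):
        raise ValueError("%s is the active volume; install to an inactive one" % target)
    verify_iso(images_dir, iso_name)
    return [
        "tmsh save sys ucs %s" % ucs_name,   # backup first; lands in /var/local/ucs
        "tmsh install sys software image %s volume %s" % (iso_name, target),
        "watch tmsh show sys software",      # progress, as in the installation tips above
    ]
```

On the BIG-IP itself, capture the status with subprocess.check_output(["tmsh", "show", "sys", "software", "status"]), pass it to plan_install with the real image name and target, and run the returned commands one at a time after copying the UCS off the box; a target volume that does not yet exist is outside what this checks.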

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Upgrading to 4th element versions from versions earlier than 11.5.0

You cannot directly update from pre-11.5.0 versions (e.g., v11.4.x, v11.2.x, etc.) to any 4th element version (e.g., v12.1.3.1, v13.1.0.1, etc.). Direct upgrade to 4th element versions is supported only from v11.5.0 and later. For pre-11.5.0 versions, you must first upgrade to v11.5.0 or later. The recommended upgrade path is from v11.4.1 to v12.1.3, and then to v12.1.3.1. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
ID 223704 When you import a single configuration file (SCF file) that contain VLANs of the same name that exist in different administrative partitions, the operation fails with a unknown operation error. To work around this issue, before installing an SCF file, run the tmsh load sys config default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
ID 366172 A pre-v11.x configuration that was created with the bigpipe cli ip addr option set to name may cause configuration load failure on upgrade due to resolved names saved to the bigp.conf file rather than IP addresses. The workaround is to change the cli setting to 'cli ip addr number', save the config on the pre-v11.x unit, and then run the upgrade.
ID 370964 When upgrading a 10.x standard active/standby pair, the recommendation is to start with the device with the numerically highest management IP address. There is a change in behavior in 11.1.0 that automatically selects the system with the highest management IP address as the active member of the device group. Depending on your configuration, an upgrade could result in lost traffic.
ID 378430 "When upgrading to version 11.x, with a WAM policy containing no nodes, the upgrade fails with the following error message: Tmsh load failed: 01071419:3: Published policy (/Common/empty_policy) must have at least one node. Unexpected Error: Loading configuration process failed. There are two options for working around this problem: 1. Before upgrading, add a new node to the empty policy with the default settings. Publish the policy. Then upgrade. 2. Before upgrading, remove the empty policy from any applications and delete the policy. You may create a copy of the policy before deleting, as long as you do not publish the copied policy. Then upgrade."
ID 384569 "If an object is in a partition with the default route domain set, and that object refers to an object with an IP address in /Common, a config rolled forward from a previous release might not load. - When using the default route domain for a partition, all objects with addresses should be in that partition. To work around this issue, move objects into /Common or edit the config file and for all conflicting objects in common, append %0 to the name/address. For example, if a pool in partition_1 references a member in route-domain 0: ... shell write partition Common node 10.10.20.1 { addr 10.10.20.1 } ... shell write partition partition_1 pool rd0-pool1 { members 10.10.20.1:any {} } ... change it to: ... shell write partition Common node 10.10.20.1%0 { addr 10.10.20.1 } ... shell write partition partition_1 pool rd0-pool1 { members 10.10.20.1%0:any {} } ..."
ID 394873 The upgrade process does not update Tcl scripts (such as iRules) in the configuration. This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.
ID 398067 As of version 11.0 a check is performed to ensure a failover unicast address actually exists. In configurations using the management port for failover, the management IP and unicast failover IP must be identical for failover to function properly. They must also be identical before upgrading. Releases preceding and including 11.3.0 do not automatically modify the unicast failover IP when the management IP is changed or vice-versa. This can cause failures when loading the config after an upgrade. This is an example error: 0107146f:3: Self-device unicast source address cannot reference the non-existent Self IP (a failover IP); Create it in the /Common folder first. Before upgrading, ensure that the management IP and unicast failover IP are identical.
ID 399013 On 10.x-to-11.x upgrade, the UCS restore lowers the cache size by 25% for all web-acceleration profiles.
ID 399510 "On BIG-IP Virtual Edition systems running software prior to 11.3.0 with statically configured management port IP addresses only, disable the DHCP service with the command ""tmsh modify sys global-setting mgmt-dhcp disabled"" prior to upgrading to this release of BIG-IP software. Disabling the DHCP service prior to upgrading will preserve the static IP address configuration as part of the installation. Statically configured management port IP addresses on BIG-IP hardware platforms are not required to have this configuration change prior to upgrading."
ID 401367 Version 11.x added validation around the use of CACHE:: commands on virtual servers with RAM cache enabled. The result is that upgrading from version 10.x to 11.x fails under certain configuration conditions, for example, if the configuration contains a CACHE_RESPONSE event in an iRule, and there is not an associated Web Acceleration profile applied to that virtual server. To work around the upgrade failure, locate and remove the applicable iRules and virtual servers in the configuration, and try loading the configuration again.
ID 401828 "Problem: The below configurations are invalid for a SIP VS a)tcp virtual with a udp profile+sip profile b) udp virtual with a tcp profile+sip profile Result: If such a configuration exists in previous versions, it will load in 11.3 but may cause a core. Solution: Customer must fix their configuration manually - a) A SIP tcp virtual must have TCP as one of its profile type. b) A SIP udp virtual must have UDP as one of its profile type."
ID 402528 There is now more stringent validation on protocol profile combinations. You cannot configure UDP, TCP, and SCTP protocol profiles for handling the same client-side or server-side traffic. In addition, the following profiles are mutually exclusive: SIP, RTSP, HTTP, Diameter, RADIUS, FTP, and DNS. If one of these profiles is assigned to a virtual server, you cannot assign another one. In the past, the BIG-IP system did not prevent such invalid combinations; now it does. If you have previous configurations containing an invalid combination of profiles, you must correct the configuration before the upgrade can succeed. When you upgrade from pre-11.3.x versions and see such an error message during configuration load, fix the invalid combinations and try the upgrade again.
ID 403592 Platforms with less than 6.5 GB memory cannot be upgraded to version 11.3.0 if three or more modules are provisioned. Note that upgrades from version 10.0.x display only an "upgrade failed" message as a software status. All other versions show a clear error message, guiding the users to SOL13988. Before upgrading, make sure you have only one or two modules provisioned if the BIG-IP system has less than 6.5 GB of memory.
ID 403667 In this release, improved validation does not allow users to upgrade or configure VLANs with names greater than 64 characters. This mitigates system instability found when this validation was not present. During upgrade from 10.x to 11.x, this new validation code prevents VLANs with names longer than 64 characters from passing validation. The problem is complicated by the fact that the BIG-IP system prefixes partition_path to vlan_name. That means that a VLAN named vlan_site6 in the Common partition is actually named /Common/vlan_site6. If you have VLANs with names longer than 64 characters, upgrade fails. To work around this, change the VLAN names before upgrading. This involves changing the VLAN name as well as any configuration objects that refer to that VLAN.

Fixes in 11.5.0

ID Number Description
ID 223684 Toggling between Advanced/Basic mode now correctly shows and hides RADIUS and Diameter profile settings.
ID 242715 The system now flushes L2 forwarding tables on failover for VLANs in VLAN groups.
ID 248216 The SOAP monitor now allows configuring the SOAPAction HTTP header. This allows specifying the intent of a SOAP request in the form of a URI, as documented at [1]. The default value is the empty string (the header is still sent, but with no content).
ID 273195 A new command has been created to enable or disable monitor logging. The attribute is applied to the node or pool member, is not saved to the configuration, and does not sync. Logging is continuous, and the files are rotated and compressed regularly. The logs are stored in /var/log/monitors, while the old logs (such as bigdlog and monitor debug) remain consistent in behavior and location. To configure:
  TMSH:
    tmsh modify ltm node <name> logging enabled
    tmsh list ltm node <name>
    tmsh modify ltm pool <name> members modify { <name> { logging enabled } }
    tmsh list ltm pool <name>
  GUI:
    Nodes >> Node >> Logging
    Pool >> Members >> Member >> Logging
  iControl:
    bigip.LocalLB.NodeAddressV2.set_monitor_logging_state(nodes=['/Common/172.27.92.215'], states=['STATE_ENABLED'])
    bigip.LocalLB.NodeAddressV2.get_monitor_logging_state(nodes=['/Common/172.27.92.215'])
    bigip.LocalLB.Pool.set_member_monitor_logging_state(pool_names=['/Common/p1'], members=[[{'address':'1.1.1.1', 'port':'80'}]], states=['STATE_ENABLED'])
    bigip.LocalLB.Pool.get_member_monitor_logging_state(pool_names=['/Common/p1'])
ID 352848 HTTP::payload command now includes the proper data, and no additional data.
ID 353101 The system now handles the NULL, and SQL monitors do not hang. No workaround is necessary.
ID 353853 Retries have been added for the floating cluster member management address set request until it succeeds, or the primary switches.
ID 357536 HTTP::respond, HTTP::close, and HTTP::disable now work within an early server response. HTTP::collect and HTTP::retry are still non-functional there.
ID 362984 When running the command 'tmsh modify sys global-settings mgmt-dhcp enabled', the system now posts the message 01071662:3: DHCP is not supported on this platform
ID 364814 Improvements in strict IPv6 compatibility and standards compliance.
ID 365472 IPv6 traffic from the Linux kernel now uses the correct source address, because routing decisions in the kernel have been disabled and only TMM performs routing.
ID 370561 In tmsh, setting /ltm/profile/one-connect/<one connect profile>/share-pools to enabled from the default of disabled allows sharing of node pools among virtual servers with the specified OneConnect profile.
ID 370941 Subject Alternative Name now accepts email addresses, URIs, IP addresses, and DNS names as valid input.
ID 372597 The merged process no longer takes most of the CPU.
ID 383767 SSL handshakes referencing SSL certificate/key pairs on the Thales HSM no longer fail and now operate correctly.
ID 384111 The iRule 'nexthop' command now updates only 'nexthop' for the connection, and no longer overwrites the selected remote node's address.
ID 385612 The HTTP::host iRule command has been improved so that 'HTTP::host www.example.com' sets the Host header to www.example.com.
ID 385615 The HTTP::query iRule command has been improved so that 'HTTP::query example_query=value' sets the query in the URI to 'example_query=value'.
ID 389180 Prior to 11.5, the DSCP bits in the IP header could not be configured for monitors. To configure the new attribute:
  TMSH:
    tmsh create ltm monitor http ht1 ip-dscp <value>
  GUI:
    Monitors >> Monitor >> IP DSCP
  iControl:
    New monitor parameter type 'STYPE_DSCP', which can be used with:
    LocalLB.Monitor.set_template_string_property
    LocalLB.Monitor.get_template_string_property
ID 389325 This release adds four BigDB variables to control the behavior of the HTTP filter when it encounters invalid HTTP traffic. These new options are disabled by default. Important: The last three of these should be used only in a transparent proxy configuration. No checking is done once the HTTP filter switches to pass-through mode, and arbitrary traffic could proceed down the now-open tunnel.
  Tmm.HTTP.passthru.truncated_redirect: For invalid HTTP redirects with missing trailing carriage returns, forwards the redirects to the client instead of dropping them.
  Tmm.HTTP.passthru.invalid_header: For traffic with invalid HTTP headers, passes through the traffic instead of dropping it.
  Tmm.HTTP.passthru.unknown_method: Treats unknown HTTP extension methods as 'invalid'. You can combine this flag with the previous one to cause unknown HTTP extension methods to be passed through.
  Tmm.HTTP.passthru.pipeline: Upon receipt of pipelined data, the HTTP filter switches to pass-through mode. This is useful when non-compliant HTTP traffic breaks the request-response idiom, for example, by sending binary data after a GET and expecting that the data is sent to the server before that server responds to the earlier GET request.
ID 391165 The last sync type field now differentiates properly between incremental and full load synchronizations.
ID 392368 Enterprise Manager now supports statistics collection for managed BIG-IP pool members that have the any port designated.
ID 396489 Policies can set an internal virtual server and enable adaptation, and adaptation now occurs correctly.
ID 396915 The error message will still be displayed when the malformed packet is sent, but it will no longer crash the utility.
ID 400007 MCP validation has been added to prevent users from modifying the netmask. The kernel no longer loses the IPv6 self IP address.
ID 402412 FastL4 no longer switches to the idle timeout before data is received, so the 5-second TCP handshake timeout holds until the first data arrives, at which time it switches to the idle timeout.
ID 403569 You can now create an internal virtual server in a different partition than the wildcard virtual server.
ID 403758 BFD protocol configured for IS-IS over IPv6 addresses is able to establish a session with its neighbors.
ID 404134 In this release, modifications to the base profile will sync to peers.
ID 405053 Reduced error rate reading LOP CPLD sensors.
ID 406159 In addition to reporting to the UIs which monitor produced the down result, the system now reports the last error the monitor encountered and when it occurred, as well as the time since the last state change.
  TMSH:
    tmsh show ltm monitor <monitor type> <monitor name>
  GUI:
    Pool >> Pool Members >> Member >> Availability
    Nodes >> Node >> Availability
ID 408761 A faulted message no longer occurs when a PSU is removed or the power cable is removed.
ID 408950 VIPRION P8 chassis firmware update now completes successfully when using serial port redirection.
ID 409219 IPv6 packet reassembly now succeeds.
ID 410285 Optimizations made to tmsh significantly reduce the time required to save a huge configuration.
ID 411886 Replacement operations on the allow-service field of self IP addresses now function properly.
ID 412642 When the floating management IP configuration is handled internally, the system now removes all other management IP addresses and reprograms the floating IP as primary.
ID 413236 We now successfully resume SSL sessions with SSL profile names >=32 bytes.
ID 413354 Some excessively quick port reuse conditions are now fixed.
ID 414245 TMSH 'edit /ltm virtual' command now populates editor with appropriate content.
ID 414967 dnatutil now properly warns when doing a reverse lookup on an address outside of the one-to-one mapping range.
ID 415072 The spurious Latched Event log entry that indicates a power system fault no longer occurs.
ID 415714 DNS Cache now correctly truncates responses (for non-EDNS0 queries) to 512 bytes.
ID 415823 This race condition no longer exists. The BIG-IP system always uses an encrypted connection from the configsync IP address.
ID 415991 Active FTP works when there is no route back to the client.
ID 415995 Asymmetric profiles (one side UDP and the other TCP) were not working if the server-side profile was UDP. This has been corrected.
ID 416693 Beginning with software version 11.4.1, the ACPI _SDD operation fails silently, which is the correct behavior. The original diagnostic that produced the message was incorrect, and has been corrected with new, correct diagnostics.
ID 416803 The connection service now ignores excessive concurrent connection requests to the same address.
ID 416991 The DEFAULT cipher string in SSL profiles no longer includes any SSLv3 cipher suites.
ID 417357 dnatutil can now use Syslog, Splunk log, and LTM logged deterministic NAT configurations for reverse mapping.
ID 417956 BIG-IP CGNAT will now translate the internet host IPv4 address into an IPv6 address using the IPv6 prefix from the virtual server.
ID 418495 The validation logic in bigip has been changed to skip files with names matching the pattern *.sw[pno]. For files with names not matching this pattern, the workaround is still required.
ID 418552 Erroneous sensor fault log messages no longer occur on system boot.
ID 418781 TMM has been fixed to delay linking child route domains until all the RDs are loaded.
ID 419036 HTTP iApps now correctly configures Slow Ramp Time when it is set to a non-default value in advanced configuration mode. Affected iApps are f5.http, f5.bea_weblogic, f5.microsoft_iis, f5.microsoft_sharepoint_2010, f5.oracle_as_10g, f5.oracle_ebs, f5.peoplesoft_9, f5.sap_enterprise_portal, and f5.sap_erp.
ID 419082 Voltage out of range warnings are no longer logged inappropriately for DC power supplies in BIG-IP 2400 chassis.
ID 419297 CGNAT now works correctly when the total number of addresses in the virtual server source prefix and the translation prefix is greater than 8 million.
ID 419730 A defect in the handling of FTP traffic that led to TMM panics has been corrected.
ID 419969 BIG-IP no longer uses different source IP addresses for the passive FTP data and control connections for virtual servers with an FTP profile and SNAT pool configured. Specific members of a SNAT pool can also now be selected in an iRule.
ID 420131 Fixed a TMM core that could occur while processing certain connection teardown scenarios for virtual servers with a DNS profile. The following log message could indicate that this was encountered: 'Assertion 'valid pcb' failed'.
ID 420157 The system now checks for a NULL destination when creating a sideband connection variable in an iRule, and TMM no longer cores.
ID 420188 This release corrects the issue in which mcpd failed to synchronize a device group and logged the message indicating that the sync for the device group was already in progress to a different device. In this release, the system does not block a load when another load is already in progress.
ID 420200 More types of DNS messages are now passed through the BIG-IP system.
ID 420283 When a VXLAN tunnel is created, the two db variables are enabled automatically.
ID 420330 Fixed an issue on TMM SSL traffic handling to avoid crashing when TMM memory is exhausted.
ID 420475 Static routes created via tmsh or the web UI are now correctly propagated to ZebOS.
ID 420498 If a query that does not have the RD bit set is answered by a virtual server with transparent cache enabled, a subsequent query for the same query name with RD bit set will get a correct answer.
ID 420573 FIPS exported (.exp) keys containing colons in the keyname can now be successfully imported into the FIPS card using tmsh.
ID 420585 An occasional TMM crash when using a DNS cache resolver or validating resolver has been corrected.
ID 420723 In this version of software, the cluster synchronized configuration files have version control, so that a new blade or guest slot's configuration cannot overwrite the higher version of any existing configuration on any potential cluster primary member.
ID 420789 The standby system no longer crashes in a configuration containing a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.
ID 420941 A potential TMM crash in low-resource situations with persistence cookies no longer occurs.
ID 421066 Syncs previously would fail if another sync was already in progress; this has been fixed.
ID 421117 Handling SSL traffic with a SAML Access profile on a BIG-IP 2000-series or 4000-series platform no longer causes TMM to core.
ID 421124 Role changes are now updated in the EM/BIG-IP system SSO setup.
ID 421145 Systems with many hundreds of active server-side flows on the affected thread no longer result in port exhaustion.
ID 421171 SNMP OID now shows the correct treadstone variant for FIPS and SSL.
ID 421181 An issue is now fixed where newly created subfolders may fail to sync after an upgrade.
ID 421270 The shutdown-timeout parameter is now configurable. The default value is 5 seconds. To view it:
    tmsh list ltm profile mblb all-properties
ID 421289 Properly warn users when an invalid ceiling is configured in a parent rate class.
ID 421349 Using Enterprise Manager to manage HA pairs with FIPS no longer causes key handle mismatches.
ID 421528 ICMP messages are no longer reassembled when going through a VLAN group, and the original fragmentation is preserved.
ID 421567 The UI.logaccess DB variables used to control role-based access to the System Logs in the GUI now persist after reboot.
ID 421571 HTTP::respond with a zero-length body now works correctly with SPDY.
ID 421614 Handling of qnames in DNS requests has been made more robust.
ID 421648 Documentation now contains correct values for the 'Machine Info' agent.
ID 421670 TMM no longer crashes when plugins are in use and traffic exercises them.
ID 421721 With this fix, an SDN license is required in order to use VXLAN.
ID 421868 Firewall policy objects are now manageable through XConfig interface.
ID 421882 ospf6d no longer crashes while attempting to remove redistributed routes during failover.
ID 421886 MCPD will no longer crash when completing a file_sync operation. Steps were taken to ensure that the references to deleted information were removed.
ID 422082 tmrouted no longer cores.
ID 422105 Transparent DNS Cache no longer inserts a truncated response into the cache.
ID 422330 A flaw has been fixed that would cause tmm to crash with compression enabled under a particular corner case involving an aborted or dying flow.
ID 422359 The TMM no longer crashes when stalled SPDY streams are aborted.
ID 422471 alertd was missing requisite configuration and error map files. Those mappings are now populated and the traps should work.
ID 422630 The VXLAN profile now uses the default port suggested by the RFC.
ID 422731 The management IP address now persists across reboots when configured via front panel LCD.
ID 422808 The connection to a down port specific virtual server is no longer answered by the next less specific port.
ID 422897 FTP now works when port translation is needed.
ID 423067 DSLite hairpinned connections now allow traffic to flow through.
ID 423115 mcpd no longer cores when virtual servers in a traffic group have non-floating IP addresses.
ID 423215 DH-anon (ADH) key exchange is now supported in NATIVE cipher suites instead of COMPAT.
ID 423306 CGNAT in deterministic mode translation will no longer fail and use the backup pool.
ID 423487 tmsh will no longer display an incorrect warning when validating an iRule that uses the recv command.
ID 423818 ICMP packet now gets reassembled only when 'reassemble-fragments' is enabled.
ID 423834 tmsh list with the one-line option now displays on one line for all objects as expected.
ID 423876 HTTP iApps now correctly configure Priority Group Activation (PGA) when it is selected. Affected iApps are f5.http, f5.bea_weblogic, f5.microsoft_iis, f5.microsoft_sharepoint_2010, f5.oracle_as_10g, f5.oracle_ebs, f5.peoplesoft_9, f5.sap_enterprise_portal, and f5.sap_erp.
ID 424031 An issue was fixed where CGNAT deterministic NAT translations were not using all the translation addresses and ports configured.
ID 424035 Allow pool member and node ratios greater than 100. With this fix, ratio values between 1 and 65535 are supported.
ID 424060 SPDY no longer causes a core in certain low-memory situations.
ID 424173 Network device configuration no longer causes some of the directories under /sys/class/net to become unreadable.
ID 424248 Virtual servers with the same IP address and port but different VLAN assignments now successfully bind to tmm and process traffic as expected.
ID 424322 Re-designated an empty SFP port as capable of all media the MAC knows how to support until a PHY is installed. Trunks may now contain empty SFP ports on 2x00/4x00 platforms.
ID 424345 An issue has been resolved with the command 'tmsh load sys config verify' where the system may reboot into vCMP mode if the configuration being verified has a different vCMP provisioning level than the current running configuration.
ID 424379 Configuring BIG-IP with many FIPS keys no longer causes TMM to constantly reset.
ID 424561 Virtual server configured with preserve_port_strict now functions correctly with CMP.
ID 424728 BGP address-family IPv6 configuration is correctly saved.
ID 424822 OSPFv3 now retains non-default metric/metric-types for redistributed protocols when a unit transitions from active to standby.
ID 424842 The UI now escapes ampersands in the certificate fields to prevent improper interpretation of the symbol.
ID 424901 Introduced improvements in strict IPv6 compatibility and standards compliance.
ID 424972 All requested hardware devices are now assigned to the vCMP guest.
ID 425028 The BIGIP configuration will have correct failover traffic group assignment for the '/', '/Common' and other non-default system folders.
ID 425033 Validation will now prevent LSN pools with overlapping prefixes from being configured.
ID 425182 Improvements have been made to the way the system handles memory pressure, so the system does not slow down or become unstable.
ID 425250 TMM no longer crashes when using iRule parking commands with Datagram Load Balancing. This version silently drops any datagrams received after the first response datagram is egressed to the client.
ID 425333 Fixed an issue on ProxySSL with Stratos and VE platform during SSL renegotiation.
ID 425382 Improvements in strict IPv6 compatibility and standards compliance.
ID 425495 Private tmsh aliases no longer cause sync failures.
ID 425525 The system now correctly performs a slow-start when serving from cache, which results in correct buffering and traffic handling.
ID 425580 By setting the config.allow.rfc3927 database variable to 'enable', addresses in the 169.254.0.0/16 range can be configured on a BIG-IP system.
ID 425589 Improvements in strict IPv6 compatibility and standards compliance.
ID 425594 A generic-alert option has been added to the client-ssl and server-ssl profiles. When generic-alert is set to TRUE, the BIG-IP system keeps the current behavior and sends all alert messages as 'handshake failure' with fatal level. Otherwise, it sends the correct alert message. The default is TRUE.
ID 425597 If the NATIVE and COMPAT cipher lists overlap, SSL now uses NATIVE, not COMPAT.
ID 425736 The BIG-IP system no longer erroneously forwards ICMP error packets, so no extraneous flows are created.
ID 425670 You are now able to delete a wide IP in the LC web interface.
ID 425878 Loading a configuration with vcmp guests no longer causes incorrect guest settings.
ID 425953 The commit ID is now synchronized to secondary blades of a chassis; a sync will not be required if a different blade becomes primary.
ID 425974 HTTP::respond and HTTP::redirect respect the max_requests limit, closing the connection to the server when it is reached.
ID 426197 The maximum number of entries in the session cache is now configurable via the BigDB variable tmm.ssl.cachesize. Note that after changing this variable the TMMs must be restarted for the new value to take effect. The per-profile limit is now per TMM so if the limit is set to 32K entries, each TMM will be allowed to have 32K entries.
ID 426332 Rules and objects now appear correctly in the new partition.
ID 426341 BIND has been updated to address CVE-2013-4854.
ID 426373 OSPFv3 external (type 5) LSAs originated by TMOS contain a route tag only when a route tag is configured.
ID 426508 'default-information originate' in OSPFv3 now correctly detects the addition and deletion of a default route.
ID 426570 tmm no longer leaks 'source address' memory.
ID 426625 The system no longer returns an error when a user tries to update a Data Group of type 'string' or 'integer' that has records containing a String but not a Value.
ID 426704 vCMP guest no longer gets stuck in waiting-install when all resources are in use.
ID 426802 Improvements in strict IPv6 compatibility and standards compliance.
ID 426992 When more than one self IP is configured, those self IPs now correctly listen on default ports.
ID 427002 If a self-ip has the 'default' list included in the allow-services, then the system will validate all the other entries against the 'default' list. The tmm is now protected from an incorrect configuration with duplicated entries.
ID 427026 tmm no longer crashes with an assertion failure when flow_remove is called twice in software after an error was encountered during traffic processing.
ID 427071 Resolved issue preventing GUI from displaying traffic selector list.
ID 427077 An option has been added to the TMSH config installation command that can be used to reset the keys and certificates associated with the trust domain. The option name is 'reset-trust', and it can be specified on the command line when manually loading a UCS file in TMOS. This command can be used to mitigate the problem of a UCS file not loading because of missing or incorrectly formed trust certificates or device keys. To regenerate the trust-related certificates and keys while loading an affected UCS, run the following command:
    tmsh load sys ucs <UCS File> reset-trust
  Important: Running this command on a device that is part of a trust domain requires the device to rejoin that trust domain.
ID 427085 BIG-IP sets the correct protocol version in the Alert message when it receives a ClientHello with an unsupported protocol version.
ID 427092 BIG-IP now sends an Alert message with fatal level when it receives an unsupported certificate type.
ID 427107 Deterministic NAT LTM logged configuration snippets no longer truncate needed information when the LSN pool name is longer than 20 characters.
ID 427112 For SSLv3, a no_certificate alert message is now sent in response to a certificate request if no appropriate certificate is available.
ID 427118 BIG-IP now sends correct TLS alert messages in handshake failure modes.
ID 427201 The http-set-cookie action in an ltm policy now correctly uses the domain and path parameters when generating a Set-Cookie header. It is no longer possible to use the http-set-cookie actions without supplying a value.
ID 427239 The default node monitor now syncs even when full-load-on-sync is false on the failover device group.
ID 427342 If you filter by the Status column under Local Traffic > DNS Express Zones > DNS Express Zone List, the page now correctly renders without error.
ID 427357 The icmp-echo property is now set correctly for virtual addresses with network prefixes.
ID 427423 HTTP now recognizes that 'generic' iRule commands can be executed on both the request and the response. Instead of failing when the http_data structure ownership status is mismatched, HTTP executes the iRule command. The remaining 'non-generic' HTTP commands that still fail are:
    HTTP::version
    HTTP::collect
    HTTP::release
    HTTP::redirect
    HTTP::respond
    HTTP::retry
    HTTP::close
    HTTP::header insert_modssl_fields
  The commands that must be invoked in a request are:
    HTTP::method
    HTTP::uri
    HTTP::path
    HTTP::query
  The commands that must be invoked in a response are:
    HTTP::status
    HTTP::is_redirect
  This means that HTTP commands can now be executed in many more events (those raised by other filters).
ID 427448 The memory leak no longer occurs in the MCPd process, so the memory exhaustion seen previously no longer occurs.
ID 427475 CGNAT: TMM no longer cores when running low on translation addresses and ports.
ID 427607 The polling behavior in the QuickAssist driver has been modified to allow more efficient handling of hardware compression requests.
ID 427687 The policy action 'server-ssl disable' now works correctly.
ID 427736 Occasional possibility of a TMM crash during sFlow sampling of HTTP traffic no longer occurs.
ID 427791 During rekey, there are no longer leftover invalid security associations for an IPsec tunnel between BIG-IP and a Fortigate firewall, and traffic is not stale for a prolonged period of time.
ID 427840 HSL log entries for deterministic NAT now contain Unix time, which can be used by dnatutil without timezone conversion.
ID 427886 You can now set a rule on a virtual server using iControl/REST.
ID 427928 If the default LTM policy '_sys_CEC_video_policy' was modified using the GUI, the changes were not persisted (saved to /config/bigip.conf) and would be lost if 'load sys config' was executed or during an upgrade. If the modification was done with TMSH, the changes were persisted. It is good practice to clone the default configurations, make modifications on the clone, and assign the cloned configuration to the virtual server instead of the default configuration. TMSH can be used to force persistence. For example, the TMSH command 'modify ltm policy _sys_CEC_video_policy strategy first-match' (or any modification, even one that does not change the configuration value) followed by 'save sys config' causes the setting to be saved in bigip.conf.
ID 427952 Memory during load operations is properly re-claimed.
ID 427956 The system now properly reclaims the memory during load operations.
ID 428066 IPv6 router advertisement now works in a VLAN group.
ID 428153 TMUI: Gateway Failsafe is now properly rendered in IE.
ID 428161 It is now possible to add a non-CA device to a trust domain.
ID 428405 Fixed a slow memory leak with client and server ssl profiles in mcpd.
ID 428494 A loss of high configuration data after loading bigip_base.conf has been largely corrected. Some scenarios still exist, however.
ID 428631 DWR now uses rewrite attributes configured in the Diameter profile (for example, origin-host-to-client, origin-host-to-server, origin-realm-to-server, and origin-realm-to-server).
ID 428642 A tmm crash bug has been resolved.
ID 428706 False positive messages warning of 100% CPU use have been corrected.
ID 428735 A TACACS+ system auth and file descriptors leak has been corrected.
ID 428750 Changing the translation-port-range for an LSN pool in deterministic mode now correctly triggers logging of deterministic NAT state information.
ID 428884 Modified the MBLB proxy to correctly detect the iRule running state.
ID 428895 The return value of the iRule 'active_members' command now matches the length of the list returned by the 'active_members -list' command, whether or not priority groups with minimum active members is configured on the pool.
ID 429114 Monitors now send traffic using the correct source address for the egress interface and do not falsely mark available pool members as down.
ID 429122 Even when there is corruption, istatsd will no longer use an excessive amount of CPU.
ID 429124 This release adds support for accelerating connections that do not always use autolasthop but instead use a lasthop pool with a single member. The process now allows accelerating traffic from VLAN group members as long as those members are VLANs.
ID 429393 11.4 now handles L7 policies created in 10.x that are stored in partitions that refer to pools with no partition.
ID 429396 HTTP Class profiles from previous versions may have URL formats that are now invalid, that is, URLs that do not start with http://, https://, or /. Loading a configuration with such profiles now provides a descriptive error message and omits the profile.
ID 429429 Disabling plugins programmatically is now supported, and TMM memory use does not increase with traffic that would otherwise involve those plugins.
ID 429699 For translucent VLAN groups, the standby Stratos unit in an HA pair is now allowed to use the local VLAN FDB entry for bridging traffic between two interfaces on a child VLAN in the given VLAN group.
ID 429770 The pool now correctly transitions to unavailable and comes back available.
ID 429827 The recv command now checks the timeout after checking the received data, so good data received just before the timeout is not discarded.
ID 429832 vCMP guest tmms will no longer report errors about missing external interfaces on trunks passed in from the hypervisor.
ID 429952 tmm no longer loops with plugin errors.
ID 429960 When a lookup fails or is aborted, the system now reports that the lookup failed instead of assuming that a lookup always succeeds.
ID 429975 The OCSP responder timeout value has been made configurable to meet the timeout values required at a site:
    tmsh modify sys httpd ssl-ocsp-responder-timeout 500
  Alternatively, you can try the following:
    tmsh modify sys httpd ssl-include ' SSLOCSPResponderTimeout 500'
ID 430090 In OSPFv3, the standby unit no longer advertises the default route when 'default-information originate' is configured.
ID 430091 An adapt profile without an internal virtual selected will be treated as if it is disabled. This is correct behavior.
ID 430104 iControl no longer reports an error when invoked from localhost.
ID 430108 Connection limits are now managed correctly on the standby device so that connection limits are not exceeded erroneously.
ID 430114 The lsndb delete command has been updated to work correctly on chassis based systems.
ID 430728 Resolved an issue that would cause TMM to crash if a TCP iRule is suspended with an error while the peer sends a packet.
ID 430768 The system now detects changes in a parent profile (the one specified in 'defaults-from') and runs validation to ensure the new inherited values are acceptable on the child profile.
ID 430905 Policy sync now works with more than two devices.
ID 431141 This race window has been fixed; customers need to install a recent patch.
ID 431251 The IPsec GUI now supports AES-192 and AES-256 as Phase 1 encryption algorithms.
ID 431305 Fixed TMM crash that could occur in rare instances of iSession use.
ID 431503 TMM no longer crashes on neighbor messages during the initial tunnel config load process.
ID 431618 Fixed a relatively rare coring condition where the SIP filter would access memory that was already freed.
ID 431635 SIP connections with MBLB+OneConnect are no longer being terminated upon failure to send/connect to the client.
ID 431667 Fixed the show cm device-group option that would intermittently specify incorrect options.
ID 431990 The TCL 'table' command now works correctly with SPDY.
ID 432208 The websecurity profile must be attached to a Virtual Server before you can attach an LTM policy that controls ASM. If you attach and detach LTM policies controlling ASM in the GUI that attach/detach will be done automatically for you. If you remove the policy with TMSH, the websecurity profile will remain attached. In the next release, the GUI will detect an existing websecurity profile and not attempt to add it again to avoid the validation error.
ID 432285 Configurations from releases prior to 11.3.0 which have routes named by their IP address will now load on upgrade.
ID 432492 The BIG-IP system transmits IPv6 BFD for single-hop sessions with a hop limit value of 255.
ID 432567 You can now set up sync between devices in two different time zones.
ID 432723 External Datagroup: TMM no longer cores on rapid creation/deletion cycle.
ID 432735 The two ALG clients are no longer reset.
ID 432826 Passive LACP trunks now work upon reboot.
ID 432939 A memory leak in the SASP monitor has been corrected.
ID 433460 Client browser activity no longer causes serverside connection abort. Previously, this could result in pool members being marked down.
ID 433567 INVITEs with c= headers only in the media portion of the SDP message body now correctly set up media flows.
ID 434397 Resets no longer continue to occur when a low-priority pool member still has capacity.
ID 434515 The system no longer returns a truncated response when both ASM Policy and DOS Profile are assigned to the virtual server.
ID 434533 vCMP guests will now be upgraded into the same vCMP state as the currently running system.
ID 434907 When a call from client A is hairpinned by the BIG-IP system and client B sends a re-INVITE, the media flows are now set up properly.
ID 435217 Single hyper-thread vCMP guests are now manageable under maximum data-plane utilization.
ID 435296 A reset of statistics for a TCP virtual server will no longer cause the counters for the number of open connections, close_wait, fin_wait, time_wait or accepts to remain high.
ID 435407 ssl persistence no longer corrupts application data
ID 435598 The condition which could cause memory corruption in tmm related to the http-set-cookie action in an ltm policy has been fixed.
ID 435855 When a packet was cloned, the original packet flags were preserved, so if the original packet was locked, the lock flag was propagated to the cloned packet. The lock flag is now cleared in the cloned packet when it is created.
ID 435879 Improvements in strict ipv6 compatibility and standards compliance
ID 435959 The system now correctly handles packets output on members of vlangroups where the packets are cached replies for the same vlan on which the request arrived.
ID 435993 Establishing CMP-redirected flows no longer erroneously expires or replaces NOEXPIRE flows.
ID 436634 TMM no longer crashes when a profile is changed and the virtual server is then deleted.
ID 437006 The tmm now correctly processes large URIs when evaluating conditions of type http-uri in an ltm policy.
ID 437739 TMOS now monitors all TMMs for looping or lockup on Centaur/Victoria2 BIG-IP platforms.
ID 437866 In this release, the system correctly decrements active jobs counter when this error is detected. CPU no longer runs high, and jobs are assigned to the correct compression queue.
ID 438081 Bug fixed in zxfrd to continue large response processing.
ID 438149 The innocuous message 'interface module id schema mismatch (3 != 0)' is no longer written to /var/log/ltm.
ID 438222 The system now will correctly identify the changed configuration components during the modify operation on a built-in policy. The system will save and load correctly now after these modifications.
ID 438622 SFP insertion and removal events are detected automatically on BIG-IP 800 appliances.
ID 438685 Added support for SHA-256 and SHA-384 as hash algorithms for signing and verification.
ID 439048 TCP connections no longer stall when tcpdump is started on the BIG-IP system and tcp segmentation offload is enabled.
ID 439364 Extraneous DNAT log entries are no longer being generated.
ID 440877 Stateless virtual server now properly processes fragmented packets in this case.

Behavior changes in 11.5.0

ID Number Description
ID 247958 This is a behavior change that affects SSL profile configuration on both clientssl and serverssl. The certificates configured in 'Trusted CA certificates' are not included in the certificate chain that the BIG-IP system sends to the other end, if the SSL profile is configured to request/require a remote certificate. You can configure the certificates in the 'Chain' field instead of 'Trusted CA Certificates' field to include those certificates in this case.
ID 284369 LTM monitor passwords and secrets phrases are now encrypted in the configuration file.
ID 291315 The following sys db variables are no longer supported:
- platform.blade.main1.temperature.threshold
- platform.blade.main2.temperature.threshold
- platform.blade.main.internal.temperature.threshold
- platform.blade.mezz.dag.temperature.threshold
- platform.blade.mezz.hsb.temperature.threshold
- platform.blade.mezz.internal.temperature.threshold
- platform.chassis.temperature.threshold
- platform.chassis1.temperature.threshold
- platform.chassis2.temperature.threshold
If you try to get the value, the system returns a message similar to the following: 01020036:3: The requested BIGdb variable (platform.chassis.temperature.threshold) was not found.

ID 416991 The DEFAULT cipher string in SSL profiles no longer includes any SSLv3 cipher suites.
ID 427154 In software versions earlier than 11.5.0, a device group could be configured so that changes to it were automatically synced to all devices in the group. By design, this synchronization defaulted to not perform a save on the sync target. The /cm trust-domain 'save-on-auto-sync' attribute governed the behavior. Setting the attribute to true instructed the system to perform a save operation on the sync target. Beginning in version 11.5.0, this option is no longer configured as part of the trust-domain, but is part of the configuration of a device group.
ID 427579 HA-Group score no longer includes active-bonus in data returned from command 'tmsh show sys ha-group'. Active bonus is only relevant for the active device of a traffic group.
ID 449402 In 11.5.0, ha-group failover settings are configured per traffic-group. In previous 11.x releases, ha-group settings were per device. When upgrading to 11.5.0, existing HA Group setting might need to be associated with traffic-groups manually. Without setting the traffic-group failover method, the ha-group score and failover cannot function. You can set the ha-group reference manually in the GUI or via tmsh.
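To see what a change like ID 416991 actually removes from a profile, the following added example (not F5 code, and not from this release) expands an OpenSSL-syntax cipher string with Python's ssl module and lists the suites OpenSSL tags as SSLv3-era. The BIG-IP cipher string grammar is OpenSSL-like but not identical, so on the device itself tmm --clientciphers '<string>' remains the authoritative expansion; the cipher strings below are assumptions chosen to show the before/after difference, and this is a local audit aid only.

```python
import ssl


def resolve_cipher_string(cipher_string):
    """Expand an OpenSSL-syntax cipher string into (name, first protocol) pairs
    as OpenSSL itself resolves it; raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def legacy_suites(cipher_string):
    """Suites OpenSSL reports as SSLv3-era, i.e. the ones an '!SSLv3' rule targets.
    'TLSv1/SSLv3' is the label older OpenSSL builds used for the same set."""
    return [name for name, proto in resolve_cipher_string(cipher_string)
            if proto in ("SSLv3", "TLSv1/SSLv3")]


def removed_by(before, after):
    """Names present in `before` but dropped by the stricter string `after`."""
    kept = {name for name, _ in resolve_cipher_string(after)}
    return [name for name, _ in resolve_cipher_string(before) if name not in kept]


def audit(before="DEFAULT", after="DEFAULT:!SSLv3"):
    # Assumed strings: 'DEFAULT' as OpenSSL defines it, then the same string with
    # SSLv3-era suites excluded, which is the shape of the 11.5.0 behaviour change.
    return {
        "before_count": len(resolve_cipher_string(before)),
        "legacy_before": legacy_suites(before),
        "legacy_after": legacy_suites(after),
        "removed": removed_by(before, after),
    }


if __name__ == "__main__":
    result = audit()
    print(f"{result['before_count']} suites in DEFAULT on this OpenSSL build")
    print("SSLv3-era suites still enabled by DEFAULT:", result["legacy_before"])
    print("dropped by DEFAULT:!SSLv3:", result["removed"])
    print("SSLv3-era suites left after exclusion:", result["legacy_after"])
```

Run it on the workstation you use to test the virtual server, then compare with the device-side expansion; a suite that shows up as SSLv3-era locally but still appears in the BIG-IP expansion is a sign the profile carries a custom cipher string rather than DEFAULT.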

Known issues

ID Number Description
ID 221917 When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, and the system logs a Tcl error to the /var/log/ltm file. This is rarely encountered and occurs only in certain circumstances on a bd process restart. Workaround: None. This is a benign error message that you can safely ignore.
ID 221956 Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands. Workaround: None.
ID 221963 When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again. Workaround: None.
ID 222005 On boot, the following message might be seen. It is innocuous and can be ignored: err ti_usb_3410_5052.c: ti_interrupt_callback - DATA ERROR, port 0, data 0x6C. Workaround: None.
ID 222034 If HTTP::respond is called in LB_FAILED with large headers and/or body, the response may be truncated. TCP congestion-control state determines the threshold. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Workaround: None.
ID 222184 When the license expires, if you are on the License Summary page in a partition other than Common, the system automatically returns you to the Common partition but does not activate the Reactivate button. Workaround: Select a different partition and then reselect the Common partition. This resets the Reactivate button to an active state.
ID 222221 TCP::close does not work properly with SSL-related iRules. Workaround: Remove TCP::close from the iRule. Although the SSL connection works, it is not closed until a timeout.
ID 222287 On multi-core platforms running in CMP mode, rates configured in a rate class are internally divided between the active TMM instances. As a result, each flow is restricted to bandwidth equal to the configured rate divided by the number of active TMM instances. In order to achieve the actual rate set on the rate class, the system must be processing at least one flow on each active TMM instance. For more information, see SOL10858: Rate classes on CMP systems are divided among active TMM instances. Workaround: None.
ID 222344 If a route learned via any dynamic routing protocol exactly matches a management static route, traffic from the Linux host will follow the dynamic route. NOTE: Regarding affected modules, the problem affects any module provisioned in TMOS as the root cause is in the core functionality shared by all modules. Dynamic routes might override static management routes. Workaround: There is no workaround.
ID 223031 If you run the tcpdump utility from a Puma I blade on a VIPRION chassis containing a mix of Puma I and Puma II blades, the process does not show packets from the Puma II blades. Workaround: To work around this issue, run the tcpdump operation from the Puma II blade.
ID 223191 (CR128182) If you remove all remote endpoints from a configuration, any active dashboard continues to show the last remote endpoint as connected. To refresh the screen, close the dashboard and then reopen it. Workaround: None.
ID 223412 When configuring a ConfigSync peer IP address, the IP address must reside in the default route domain, which has an implicit ID of zero (0). ConfigSync operations fail if you configure a peer address that contains an explicit route domain ID, for example 192.168.20.100%10. When a ConfigSync operation fails due to this issue, the BIG-IP system returns error messages similar to the following (in older versions of the software): Checking configuration on local system and peer system... Peer's IP address: 192.168.20.100%10 Caught SOAP exception: Error calling getaddrinfo for 192.168.20.100%10 (Temporary failure in name resolution) Error: There is a problem accessing the peer system. BIGpipe parsing error: 01110034:3: The configuration for running config-sync is incorrect. Or, for versions 11.0 and later: Apr 19 14:15:04 beaker-vm2 err mcpd[5766]: 01071430:3: Cannot create CMI listener socket on address 10.20.222.2%10, port 6699, Cannot assign requested address. Workaround: None.
ID 223421 On multi-disk systems, if a disk is removed from an array, the serial number of the disk persists in the system until the drive is manually removed. Workaround: None.
ID 223426 Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. Enabling MD5 signatures allows the MD5 signature to be validated when it is present. Note that the problem does not affect TCP connections established from the host (for example, BGP connections). Workaround: None.
ID 223542 You cannot simply change the speed of an existing interface in a trunk, you must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it. Workaround: None.
ID 223634 If you are in the tmsh utility, you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run util bigpipe arp <args...> at the tmsh command line. Workaround: None.
ID 223651 An SSH File Transfer Protocol (SFTP) client may emit an error message containing 'Received message too long' when the user is unprivileged and may not use SFTP. Workaround: The user must be authorized to use SCP.
ID 223720 If you restart the mcpd process and try to create a FIPS key, the operation occasionally fails with the message 'Key generation failed: error 11 - Would overwrite file'. Workaround: Restart mcpd and try the operation again.
ID 223796 When an SFP is not inserted in a VIPRION interface socket, the interface status should show 'MS' (missing); instead, the interface status might show 'DN' (down). Workaround: None.
ID 223830 It is possible that with increased throughput, SNMP stats might report lower TMM CPU usage values than top. Workaround: None.
ID 223890 In v10.0, LB-related ratio values of up to 65535 were allowed in configs and via iControl. Currently, validation prevents any value greater than 100. Workaround: None.
ID 223954 The system does not include the .tmshrc file in a ConfigSync operation. That means that each unit in a high availability configuration might have a different set of remote users. Workaround: Manually sync the file by using a utility to copy it from one system to the others.
ID 223959 A BIG-IP system has limits to the number of objects that may be configured when the configuration contains virtual servers for which Packet Velocity ASIC (PVA) acceleration is required. If more than the specified maximum number of objects is configured, virtual servers that otherwise qualify for PVA acceleration are demoted to wire mode (no PVA acceleration). For more information about the maximum number of objects allowed for the PVA, refer to SOL11038: Configuration sizing and PVA acceleration. Workaround: None.
ID 224073 Pinging the floating self IP address from the command line of the same BIG-IP system results in no response. This does not indicate that the floating self IP address is not working; it responds to ping from other hosts normally. Workaround: Issue the ping from another host on the network.
ID 224142 There is a pause negotiation mismatch in a trunk containing a mix of fiber and copper interfaces. Workaround: Do not mix fiber and copper in the same trunk.
ID 224195 The system does not prevent you from deleting a self IP address that an EtherIP tunnel uses, or from creating an EtherIP tunnel using nonexistent IP addresses. Doing so, however, results in an inoperable tunnel. To ensure that an EtherIP tunnel operates as expected, do not delete any of the self IP addresses that are associated with VLAN 'wan' and specified in the EtherIP tunnel object. Workaround: None.
ID 224294 The SASP monitor validates timeout and interval although these values are not used by the monitor. Workaround: None.
ID 224372 When you are connected using the serial console to a multi-drive platform, you might see messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in /var/log/kern.log file. These messages appear during the time a drive is rebuilding, and you can safely ignore them. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH. Workaround: None.
ID 224406 The dashboard cannot handle numbers that exceed 32 bits. If a statistic exceeds that value, the dashboard displays incorrect values. Workaround: None.
ID 224520 The bcm56xxd service's small form-factor pluggable (SFP) plug_check mechanism (for example, bs_i2c_sfp_plug_check()) looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) because the check does not look at pluggable media type changes. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. Workaround: None.
ID 224665 VLAN groups are partitionable objects, so that a VLAN group created in one partition cannot be modified in another partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so results in issues for VLAN groups, so you should not attempt such a configuration. Workaround: None.
ID 224680 When you use the Wireshark program to view a packet from an EtherIP tunnel, Wireshark displays the EtherIP version as 0 rather than 3, as it should be. This occurs because Wireshark evaluates the version based on the bottom four bits rather than the top four. The Linux EtherIP implementation follows the same format used by developer David Kushi, which is correct according to RFC 3378 - EtherIP: Tunneling Ethernet Frames in IP Datagrams. Workaround: None.
ID 224698 Plugin-initiated connections do not use a SNAT pool, if configured (formerly CR 137381). Workaround: None.
ID 224881 On AOM-equipped platforms, changing the management IP via the front-panel LCD multiple times might result in fields on the LCD being displayed with a value of 0.0.0.0. The correct values are displayed after a system restart. Workaround: None.
ID 225417 The installer allows you to install version 9.x software onto 8950 (D107) or 11050 (E102) platforms; however, version 9.x software does not support the 8950 or 11050 platform. Installing 9.x software onto 8950 or 11050 platforms might result in a nonfunctional system, so do not install version 9.x software onto 8950 or 11050 platforms. Workaround: None.
ID 225431 Disabling the LCD display is not persistent across system restarts. This is for diagnostic purposes. Workaround: None.
ID 225521 On a partitioned system, if a 9.x installation operation fails or halts for any reason, including being canceled by the customer, subsequent installation operations fail and post the following messages to the liveinstall.log file: info: /dev/sda5 is mounted; will not make a filesystem here! error: VolumeSet_rebuild_fs(sda, 1) failed Terminal error: Failed to install. See log file. This occurs only with halted version 9.x installation operations; halted version 10.x installation operations do not exhibit the issue. Workaround: Always reboot the system after a failed installation operation, and then try the operation again.
ID 225588 Error conditions such as unreachable IP addresses, and unavailable TACACS+/RADIUS services, are not logged to /var/log/ltm for the TACACS+ RADIUS audit forwarding accounting feature. Workaround: None.
ID 226564 The LTM Statistics and GTM Statistics dashboard components might perform very slowly and/or cause out of memory errors when used in environments with large configurations (e.g., thousands of LTM and/or GTM objects). Workaround: None.
ID 226892 With the packet filter enabled and its default action set to discard or reject, IP fragments matching an established connection may be dropped. Workaround: None.
ID 226964 A node marked down by a monitor that is waiting for a manual resume mistakenly displays 'Enabled' state in its GUI properties while it stays down. Workaround: In v11.0.0, click the Update button, which truly enables the node.
ID 227272 If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status. Workaround: To work around this, remove and reseat the fiber SFP module.
ID 227319 Ramcache configurations that approach the limit of total memory allowed for use by ramcache might cause caching to be disabled for one or more virtual servers. The Cache Setting feature (referred to as RAM Cache in BIG-IP versions prior to 11.0.0) does not take the Clustered Multiprocessing (CMP) feature into account when calculating memory consumption. When the Cache Setting feature is configured for a virtual server on a CMP-enabled platform, the amount of memory allocated for the Cache Setting feature in the HTTP profile is provisioned for each instance of the Traffic Management Microkernel (TMM). Workaround: There is no workaround for this issue.
ID 227358 Using the source port preserve strict option requires special considerations to ensure proper traffic flow and distribution. Workaround: None.
ID 227362 When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality. Workaround: Set PVA Acceleration to None when using the Mimic setting.
ID 227369 Generating a SIGINT or SIGQUIT on the serial console while the password prompt is displayed (for SIGINT, press Ctrl-C; for SIGQUIT, press Ctrl-4, Ctrl-\, or, in some cases, SysReq) causes all services to halt and restart. Further, SIGQUIT may cause chmand to get caught in a loop of failed restarts, requiring a host reboot. Workaround: None, but the problem no longer occurs after the first successful login from the console.
ID 246871 When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. Workaround: None.
ID 246962 The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a route domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). Workaround: None.
ID 246983 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change. Workaround: None.
ID 247011 Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable. Workaround: None.
ID 247012 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server. Workaround: None.
ID 247094 If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system posts messages such as the following until all units are running the same version of the software: tmm tmm[1917]: 01340001:3: HA Connection with peer 10.60.10.3:1028 established. Workaround: None. All units in a redundant system must be running the same version of the software.
ID 247099 After an import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade. Workaround: None.
ID 247135 Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. Workaround: To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address.
ID 247200 When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. These messages are benign, and you can safely ignore them. Workaround: None.
ID 247216 The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. Workaround: Click the Launch button to view the full text.
ID 247241 Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file: Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms). Workaround: Create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production, to prevent the potential failure from affecting live traffic.
ID 247300 Do not use the SSL::respond command in a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher, as it can result in a handshake failure. Workaround: None.
ID 247310 There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record. Workaround: None.
ID 247709 When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example: err httpd[6246]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0 err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket) warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!? warning fcgi-[6376]: [warn] FastCGI: server '/usr/local/www/mcpq/mcpq' started (pid 6377) err httpd[6379]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0 warning httpd[3064]: [warn] long lost child came home! (pid 6239). These messages occur primarily as a result of the process restart, and you can safely ignore them. Workaround: None.
ID 247727 When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, all properties become custom; that is, profile properties no longer inherit parent settings. Workaround: Use the tmsh utility create and modify commands without the all-properties option. When you do so, the system preserves the profile's property inheritance.
ID 247894 The iRule substr function is not able to use a string with a number in it as a terminating string. Instead, it converts that string to an integer and mistakenly uses it as a substring length. Workaround: None.
ID 248489 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. Workaround: To work around the situation, log on to the system as the root user or as the admin local user.
ID 248932 Occasionally, a system restart might result in the system posting to the console messages of the following type: sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start='Tue Aug 5 17:25:09 2008' end='Tue Aug 5 17:27:54 2008'. sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start='Tue Aug 5 17:25:09 2008' end='Tue Aug 5 17:27:54 2008'. These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users. Workaround: None.
ID 249083 Address wildcard virtual server has to be deleted and re-created when changed from IPv6 to IPv4. Without the intervening deletion, neither IPv6 nor IPv4 traffic matches the virtual. It works as expected when changing from IPv4 to IPv6 (formerly CR 98831). Workaround: None.
ID 283445 "(CR98760) When you convert an encrypted key to Federal Information Processing Standards (FIPS) key, the system presents the error 'Unsupported key size', and does not perform the conversion. To perform a successful conversion in this case, you must use the command-line utility to decrypt the key, and then convert the key to a FIPS-type key." Workaround: None.
ID 284910 Once you configure the BIG-IP system to use the base FastHTTP profile, the profile continues to prime server-side connections, even if there are no virtual servers currently configured to use the FastHTTP profile. Workaround: None.
ID 285008 If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles. Workaround: None.
ID 291327 Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain. Workaround: None.
ID 291541 If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. Workaround: To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.
ID 291689 "When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. In this release, you must use the following process to accomplish this. 1. Create a pool that uses the Weighted Least Connections (Node) load balancing method. 2. Explicitly create the node entries for the pool members on the Local Traffic Nodes Node List (create) screen. 3. For each node, specify a value other than 0 (zero) in the Connection Limit box. 4. Return to the pool configuration screen by clicking its link in the Local Traffic Pools Pool List. 5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step. If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error." Workaround: None.
ID 291704 If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. The workaround is to issue the command 'bigstart restart bcm56xxd' from the command line. Workaround: None.
ID 291719 "When the Configuration Utility restarts, the system writes the following messages to catalina.out: log4j:ERROR A 'org.apache.log4j.ConsoleAppender' object is not assignable to a 'org.apache.log4j.Appender' variable. log4j:ERROR The class 'org.apache.log4j.Appender' was loaded by log4j:ERROR [org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type log4j:ERROR 'org.apache.log4j.ConsoleAppender' was loaded by [WebappClassLoader These messages are benign, and you can safely ignore them." Workaround: None.
ID 291742 In the ltm.log file, you might see mcpd warning messages similar to the following: 'warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually.' When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them. Workaround: None.
ID 291756 On a multi-drive system, if the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. This is a cosmetic issue only, and has no effect on functionality. Workaround: None.
ID 291761 When you complete a new installation, the Firefox browser may not recognize the SSL certificate. When this occurs, the browser-based Configuration utility posts the message Please wait while this BIG-IP device reboots, shutting down device. This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. The issue happens only when doing a fresh install. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system. Workaround: None.
ID 291768 If you create VLANs in an administrative partition other than Common, but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0. If you later change the default route domain of that partition, the VLAN stays in its existing route domain, unless the VLAN has a self IP address or virtual IP address assigned to it. In that case, the VLAN moves to the new default route domain. Workaround: None.
ID 291776 You might see an intermittent blank top banner in the browser-based configuration utility after an upgrade or installation operation. This might be especially likely when you use Microsoft Internet Explorer version 7 on a VIPRION system, and you leave the browser window open between the end of installation and the completion of the reboot operation. In this case, when you log on, the top banner is blank. You can use the browser refresh operation (F5 or Ctrl + F5) to redisplay the banner correctly. Workaround: None.
ID 291777 The software does not support running small form-factor pluggable (SFP)+ on SFP ports on VIPRION systems that contain PB100 blades, even if the ports are running at 1 GB. Although the system does not prevent you from doing so, and you might find such a configuration functional, we do not support nor recommend running in this configuration. Workaround: None.
ID 291786 When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. Workaround: To work around this issue, change the default to a different domain before the delete operation.
ID 291788 "Certain packet-size related events can result in messages similar to the following: crit tmm4[5689]: 01010025:2: Device error: hsb internal error PIM_RX_PORT_0_ERRS address 0x0000103c status 0x004e0100 These messages are benign, and you can safely ignore them." Workaround: None.
ID 305069 "Using the COMPRESS::disable call in an HTTP_REQUEST event in an iRule does not work. As a workaround, use the COMPRESS::disable call in an HTTP_RESPONSE event instead." Workaround: None.
ID 305091 You can create duplicate virtual servers with the same address space that are enabled on different VLANs in the same partition. However, you cannot create duplicate virtual servers with the same address space enabled on different VLANs if the VLANs are in different partitions. Workaround: None.
ID 305096 When using the vi editor to edit files on the BIG-IP 6900, you might have to enter as many as three escapes to return to command mode from insert mode. Workaround:
ID 305320 Thumb drive installation fails when the drive contains two product installation images. Workaround: To work around this issue, use thumb drives that contain only one image for installation.
ID 315650 "In order to change the baud rate when you are using a serial terminal console server on the VIPRION platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system. 1- On each blade in the system, run the following command: bigpipe baud rate <your_baud_rate_value> Make sure to complete this change on all blades in the system before proceeding to step 2. 2- Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed. 3- Finally, change the baud rate of your serial terminal server. The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information." Workaround: None.
ID 323632 When you delete an interface that is configured for interface mirroring, the system halts mirroring on all other configured interfaces. Workaround: To work around this issue, when you delete an interface-mirroring configuration, recreate the configuration using all interfaces. As an alternative, after deleting an interface, save the configuration and issue the command bigstart restart.
ID 326906 When you swap a blade to the same slot in a different VIPRION chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of. Workaround: None.
ID 333357 On first boot after initial installation on VIPRION systems, occasionally the system needs to reboot. In these cases, during the shutdown preceding reboot, you may see warnings from bigstart about getdb failing. In this context, these messages are harmless and may be ignored. Workaround: None.
ID 336885 There is a memory leak that affects Firefox 3.6 but not Internet Explorer 8. The leak occurs because of an interaction between the dashboard and the web browser. The workaround is to use Internet Explorer to view the dashboard. Workaround: If running the dashboard for a long time, use Internet Explorer instead of Firefox.
ID 336986 If a hard drive is in the process of replicating and an install to a non-existent volume set is started, the array status for the replicating drive will transition to 'failed' while the volume sets are created. They are created at the very beginning of the installation, so this failed status should last no more than 1 minute. After the volume set is created, the status will go back to 'replicating', as expected. Workaround: None.
ID 338426 Clusterd can core on shutdown under certain circumstances, seen only so far with vCMP. It only happens when clusterd is shutting down, after it has taken care of all notifications to other system components, so the core can be safely ignored. Workaround: None.
ID 338450 "On VIPRION blades, the BIG-IP system might log error messages about kernel-owned interfaces similar to the following messages (these are innocuous and can be ignored): slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc error: MiiNic: failed to send cmd to driver: readPseMii ioctl on: eth2Phy & Reg:1e:1a returns:Invalid argument slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc error: MiiNic: failed to send cmd to driver: getStatusReg: timeout wait for result" Workaround: None.
ID 342319 The parameters 'recursion yes' and 'forward only' are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file, http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html. Workaround:
ID 342325 If username and password have not been configured for a RADIUS accounting monitor, it will try to connect with a <NULL> username-password. Workaround:
ID 342423 "The statsd process computes the value for system-wide CPU usage using a formula: process 'A' CPU usage divided by the number of CPUs on the chassis. Assuming a chassis is fully populated with PUMA I blades, the average is divided by 16. If a blade drops out, the number of CPUs is now 12, so while that blade is out of circulation, the data is divided by 12. However, even for the 5-second window: it is possible that the average might be calculated incorrectly. Example =========== From time1 to time4, there are 16 CPUs on the box, and processA is using 96% of its CPU. At time5, one of the blades drops out. The calculation to compute CPU and system usage happens at this time. Before the blade dropped out, the system-wide average was 96/16 = 6. When the blade drops out, the system-wide average is 96/12 = 8. That is a small difference. Although blades going down should not happen often, when it does happen, it is only the first 5-second system-wide average that is affected. The next average will be correct." Workaround: None.
ID 342670 Some disk management interfaces show the shelves with letters and some use numbers. For now, shelf 1 == a and shelf 2 == b between interfaces. Workaround: None.
ID 344226 Trying to create a CRLDP server using a name that already exists fails with the message 'An error has occurred while trying to process your request.' A more accurate message is 'The requested CRLDP server (<crldp_server_name>) already exists in <partition_name>.'. Workaround: None.
ID 345092 "When a RAID system is booting, the system posts the message: Press <CTRL-I>; to enter Configuration Utility... However, pressing Ctrl+I has no effect. It is not possible to enter the Configuration utility this way. This is a hardware constraint. Instead, you can configure RAID parameters through TMOS." Workaround: None.
ID 345529 The BIG-IP Configuration utility may incorrectly allow you to assign certain health monitors to pools while their pool members are configured with a wildcard service port. Workaround: To work around this issue, make sure to specify an Alias Port on a monitor when it needs to probe a specific service port on wildcard pool members. For more information, see SOL12400 at http://support.f5.com/kb/en-us/solutions/public/12000/400/sol12400.html.
ID 347073 Configuration changes to objects are not immediately reflected in the LTM Statistics and GTM Statistics widgets in the dashboard. Workaround: To work around this issue, relaunch the dashboard.
ID 347174 "When starting BIG-IP VE on a Hyper-V platform, the BIG-IP VE system posts multiple Advanced Configuration and Power Interface (ACPI) messages such as: 'ACPI: LAPIC (acpi_id[0x3f] lapic_id[0x3e] disabled)' These messages are expected and you can ignore them." Workaround: None.
ID 348502 It is highly recommended to only use tmsh commands or iControl to delete vdisks. Deleting or renaming a vdisk from the file system (e.g., using bash) will not be detected by vcmpd and can lead to unexpected behavior if the system later attempts to use that vdisk. Workaround: None.
ID 348503 "WMI monitor reports 'not found' for LoadPercentage, CurrentConnection, GETRequestsPerSec, and POSTRequestsPerSec when probing IIS 7.5 on Windows 7." Workaround: None.
ID 349062 In this release, we removed the SSL peer certification mode 'auto' from all BIG-IP interfaces. The upgrade script contains logic to change 'auto' to 'ignore' in configuration files. However, we have not made a similar conversion for iRules because it is our policy not to alter iRules during upgrade. If you have iRules that use SSL peer certification mode 'auto', you must change them to use 'ignore'. Otherwise, they will not work. There is no functional change incurred by doing so. Workaround:
ID 349242 The load balancing method 'Ratio Least Connections (node)' does not perform correctly with 'Performance (Layer 4)' virtuals. Workaround: None.
ID 349753 An empty sub-folder, even after saving, might not properly load during the tmsh command 'load sys config partitions all'. If you delete an empty folder and then load the sys config, please create the folder again. Workaround: None.
ID 351519 The configuration files used by pam and tamd are changing names between 10.2.x and this release. The files are currently being saved and then restored on upgrade, and in addition, the new files are being created when the associated mcp objects are created, which results in both the old and new versions of the files being present after upgrade. Workaround: None.
ID 351874 When importing an ISO image into the Software Management screens in the Configuration utility, some browsers (for example, Microsoft Internet Explorer and Google Chrome) show /fakepath/ instead of the actual file path. This is expected behavior for HTML5-compatible browsers. You can work around this by adding the site to Trusted Sites. In Internet Explorer, you can also set the option Include local directory path when uploading files to a server in Internet Explorer :: Tools :: Internet Option :: Security :: Custom properties. Workaround: None.
ID 352560 SplitSSL is incompatible with persistence profiles. Workaround: None.
ID 352840 When using partition default route domains, an attempt to load a previously saved configuration which had a different default route domain on a VIPRION may result in the secondary daemons restarting. Workaround: To work around this, load the default configuration before loading a config that has a different default route domain on any partition.
ID 352957 Established flows via virtual servers with iRules using the 'node <addr>' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail (due to mis-routing of packets) after a route table change, even if the change does not affect any of the addresses used in the flow. New flows established after the route table change will work as expected. There is no workaround for the problem. Workaround: None.
ID 353249 LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected on PVA platforms, when using FastL4 profile with PVA in 'Assisted' mode. Workaround: None.
ID 353621 You can get an error from tmsh when adding a device to the trust-domain that says the device cannot be found: 'The requested device (10.10.20.30) was not found.' This error actually indicates the 'name' parameter was not specified in the command. Workaround: None.
ID 354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. Workaround: To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart tmm.
ID 354972 In some cases, tmsh will not properly recognize hostnames as an item reference for commands. Workaround: Use IP addresses instead of hostnames when creating addresses with tmsh in this release.
ID 355299 PVA acceleration can be configured on a platform without a physical Packet Velocity ASIC present. The setting has no actual effect and is harmless. Workaround:
ID 355564 The error message 'The requested unknown (/Common/traffic-group-1 /Common/bigip1) was not found.' might appear in the log during startup when the configuration is new or has been set to defaults. The message appears because the device name is changing at that time; it does not indicate a problem and has no impact, so you can ignore it in this situation. Workaround: None.
ID 355616 ltm virtual-address objects are only shown in tmsh list output when specifically requested, as in 'list ltm virtual-address'; they are not shown by commands such as 'list ltm'. Workaround: To work around this, use 'list ltm virtual-address' instead.
ID 356073 Every part of the iApp template's presentation section is run every time, even the hidden parts. This means that anything that might crash (if something isn't provisioned) needs to be enclosed in a TCL block that is protected with a catch. Workaround: None.
ID 356319 You cannot reset the management port statistics (those that appear under Network: Interfaces: Statistics). The system does not report an error, but also does not reset statistics. Workaround: None.
ID 356611 You can invoke imish (the shell for configuring dynamic routing) from tmsh. When you subsequently press Ctrl + Z, sshd and imishd start consuming CPU until the imish shell times out. This occurs when tmsh is not the login shell. If the system is already in this state, run the fg command, and then exit imish. Workaround: None.
ID 356705 "After completing the setup wizard in the Configuration utility, the user is redirected to the Welcome screen. The menu at left should also change from the restricted setup menu to the full menu, but occasionally it does not. In this case, the workaround is to log out/in or refresh the browser." Workaround: None.
ID 356938 Special characters (such as the Yen sign) in data group names generate garbage characters. Do not use special characters of this type for data groups. Workaround:
ID 357262 As a workaround, reqlog now closes the connection whenever it serves an http response on logging error. Ideally, it would keep the connection open when the protocol is HTTP 1.1 or higher. Workaround: None.
ID 357656 "When you use bigstart restart to restart all daemons on a guest, the system logs the message: Apr 25 15:43:27 slot1/vcmp1 notice chmand[7975]: 012a0005:5: Chmand cleanup: Slot:Led:Color (1:3:0) not succeed: virtual void Hal::NullAnnunSvc::ledSet(Hal::LedFunction&, Hal::LedColor&, uint32_t&, uint32_t&, uint32_t&) This is a benign message and you can safely ignore it." Workaround: None.
ID 357705 "Loading the default configuration may cause the system to go offline before resuming the active status." Workaround: None.
ID 357822 User can use 'delete cm trust-domain all' to create or fix trust-domain when loading a blank or inconsistent SCF. Workaround: None.
ID 357852 If a device is part of an established trust-domain but is added into a second, separate trust-domain, the devices in the original trust-domain will still have references to the device. It is recommended that you delete the device from the trust-domain from a certificate authority before adding it to a different trust-domain. Workaround: None.
ID 357874 "Creating an overlapping route can cause an unclear configuration exception message, such as: 1. [root@ltm-56:Active] config # tmsh create net route test_route_ipv6 network 2002::1/128 gw 2002::3 2. [root@ltm-56:Active] config # tmsh create net route default-inet6 { gw 2002::1 } 01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -113 (for static route create: ::/0 gw 2002::1 in vlan '') - net/validation/routing.cpp, line 332." Workaround: There is no workaround.
ID 358063 If you issue the command 'restart sys service all' from the tmsh shell, the next command you issue results in the error message: 'The connection to mcpd has been lost, try again.' Workaround: There is no workaround.
ID 358099 If two devices have different provisioned modules, then the application with those modules configured in one device might not be able to sync to the other device. The two devices will be out of sync and cannot recover in this situation. For sync to occur correctly, both devices must have the same provisioning. Workaround: None.
ID 358191 "If the user resets the trust and changes the host name of the device, the other devices in the trust domain still show the unchanged, former host name and show the device as still attached." Workaround: None.
ID 358575 The traditional ConfigSync mechanism has been replaced with a more robust MCP-to-MCP communication mechanism. As a result, UCS files now load the full configuration in all cases, and no longer have the concept or ability to only load the 'shared' portion. Loading of UCS files created on a different device is no longer supported. Workaround: There is no workaround.
ID 358615 "When modifying failover unicast addresses via tmsh, user should be aware that all addresses must be specified even if the intention is to remove or add a single address to/from the list. For example, given a device with two existing unicast addresses, this command will replace both addresses with a single address: modify cm device centmgmt1.f5net.com unicast-address { { ip 10.10.10.1 } }" Workaround: None.
ID 358655 The No such file or directory error always shows up around kernel installation, but it does not negatively impact the installation itself. Workaround: None.
ID 359393 In order to be compliant with the FIPS-140 standard, keys cannot be exported from a FIPS card in plain text; they can only be exported by encrypting them with the master key on the FIPS card. If the master key on the FIPS card has changed since the keys were exported, it will not be possible to import the keys back into the card. Workaround: None.
ID 359395 Invalid or empty SSL certificates, keys, or CRLs will not be rolled forward on upgrade to v11.0.0. Workaround: None.
ID 359491 When a system's hostname is set by the user via the tmsh setting 'modify sys global-settings hostname new-hostname.example.com' only the local copy of the self device is set. Remote copies of the hostname are not updated accordingly. Thus, running the command 'list cm device name-of-device hostname' would have the hostname 'new-hostname.example.com' on the local machine and 'old-hostname.example.com' on other machines in the trust domain. Workaround: None.
ID 359873 LTM-initiated SSL renegotiation will not be attempted when secure renegotiation is configured as required and the peer is unpatched (does not support SSL secure renegotiation). This applies both to configuration-based (e.g., renegotiate-period), as well as iRules-based attempts to renegotiate. Workaround: None.
ID 360122 The iControl method System.Statistics.reset_all_statistics() does not reset iStats. Workaround: "To work around this, do the following: 1. bigstart stop 2. Remove all files (not directories) in /var/tmstat2 3. bigstart start"
ID 360137 "After bringing up a BIG-IP newly licensed for Appliance Mode, the in-memory configuration is updated to change any user shell specifications set to bash to tmsh. However, if the configuration is not saved, those changes are lost and subsequent boot of the BIG-IP will fail to load the configuration file bigip_sys.conf. The workaround is to save the configuration after the first boot in Appliance Mode." Workaround: Save the configuration via either the tmsh /sys save config command or by changing something in the GUI.
ID 360263 In this release, the VIPRION 2400 reports a CPU Count of 8 instead of the expected 4 on the Device Configuration screen in the browser-based Configuration utility. This occurs because the implementation of hyper-threading causes the system to report double the actual number of cores. There is no workaround for this issue. Workaround: None.
ID 360485 Node statistics, especially after a statistics reset, may be too high for a node whose address is in a lasthop pool. This occurs only when a lasthop pool is configured, and results in inaccurate node statistics. Workaround: None.
ID 360675 Creating a configuration object with a FIPS 140 key will always create a key in the FIPS 140 device even when the configuration objects are not saved. Configuration objects that are not saved will require the user to delete FIPS 140 keys manually from the device. Keys can be deleted manually with 'tmsh delete sys crypto fips by-handle'. Key handles can be listed with 'tmsh show sys crypto fips'. Workaround: None.
ID 361035 Trust-domain members overwritten when discovering existing pair. There is no workaround for this issue. Workaround: None.
ID 361036 When the AOM powers down the Host for cause (for example, over temp) it abruptly stops the Host, bypassing a normal graceful power-down sequence. Because of this, some log messages sent from the AOM to the Host might be lost. Workaround: None.
ID 361094 im command gives error if im package is in root directory (formerly CR 100844). Workaround: None.
ID 361124 The App Editor role will be able to run any iApps template, but most of the iApps templates will not work for them because of permissions issues. Workaround:
ID 361181 "A 'fipsutil reset' resets the FIPS card and deletes all keys in the card but it does not delete the configuration objects representing those keys. It also does not modify SSL profiles using those keys. This results in the system failing to load the configuration on reboot. An error like this will be generated: Jun 6 06:02:30 RackC6-6900-1 notice mcpd[5816]: 01390002:5: The size of the configuration DB has been extended by 2097152 bytes, now using a total of 10485760 bytes Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(e1:fb:55...ef:89:b3), FIPS:ERR_HSM_NOT_INITIALIZED. Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: fips_insert_masked_object error on import, ERR_HSM_NOT_INITIALIZED. Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 01070712:3: Caught configuration exception (0), unable to import FIPS 140 key (/Common/zzFIPSTest) from key file.) - sys/validation/FileObject.cpp, line 4714. Jun 6 06:02:32 RackC6-6900-1 err tmsh[6948]: 01420006:3: Loading configuration process failed. To avoid this situation, delete the FIPS keys and remove the usage from profiles before resetting the FIPS device. If the system gets into the failure condition as shown previously, do the following: 1. Edit the bigip.conf file where the FIPS key is referenced. Delete all occurrences of the key. 2. Delete the key from /config/ssl/ssl.cavfips 3. Find and delete the key from filestore/files_d/<partition-name>/certificate_key_d/ 4. Run 'tmsh load sys config partitions all' to make sure the config loads. After this point, the config should load without issue after a reboot." Workaround: None.
ID 361315 If you go to the System > Preferences screen and simply click the Update button without editing any values, the system incorrectly posts a Changes pending notice (that is, a recommendation for synchronization). Many values on this screen are not even synchronized across BIG-IP devices. Workaround: None.
ID 361470 If a virtual server's destination address is entered into tmsh with invalid IPv4 or IPv6 numbering or as a hostname, the system posts the error message 'The requested virtual address (</PATH/ADDRESS>) was not found.' Workaround: None.
ID 362225 Disabling connection queuing via 'tmsh edit' while connections are queued will cause the queued connections to become stuck. The workaround is to use tmsh modify command instead of edit. Workaround: None.
ID 362299 You cannot enable/disable virtual servers owned by an application service, with strict updates enabled from the virtual server properties page. A 'strict updates' error results. The workaround is to enable/disable the virtual server from virtual server list page. Workaround: None.
ID 362405 If a vdisk migration occurs, the original copy is left unchanged on the source slot. The copy will not ever be synchronized with the new vdisk copy on the destination slot. After the migration is successful, the original vdisk can be safely deleted but can also be kept as a valuable backup. However, note that if the guest is once again allocated to the slot containing the old vdisk, then that old vdisk will be used without it first synchronizing with any other vdisk. If that slot is the only one the guest is allocated to, it will boot up with the old software, configuration, and license that existed on the guest at the time the guest was migrated to another slot. If, however, the guest is already deployed on other slots, the guest will use the old vdisk on that slot but will synchronize the software, configuration, and license from the guest's primary slot, per normal clustering behavior. Workaround: None.
ID 362406 'tmsh show sys failover cable' no longer shows the peer cable status, due to changes in the configsync process. Workaround: None.
ID 362802 If the server closes the connection after sending a 401 response, websso in the APM module may not work for a portal access application. Workaround: None.
ID 362874 After upgrading, the following message was posted on the Configuration utility browser window for several hours: 'Upgrading Device Trust. Device trust is still being upgraded. Please do not make modifications to Device Management or Traffic Groups pages while this message is displayed.' This occurs when a device that is configured to be in a redundant pair is upgraded to version 11.0, but its peer device cannot be contacted. The banner indicates that the device is waiting for its peer to be contacted. If the peer device is no longer in use, the following workaround should be used to remove the banner message: (1) set the trust.configupdatedone db variable to 'true'; (2) set the failover.isredundant db variable to 'false'; (3) restart devmgmtd; (4) reset trust. Workaround: None.
ID 363137 When running an Active Directory (AD) auth access policy, the session might fail with the AD module reporting a message such as: 'AD module: authentication with '...' failed: Cannot contact any KDC for realm ...'. Workaround: "Our domain controller closes Kerberos connections when source ports 22528 or 53249 are used. Change the ephemeral port range so these ports are not used: echo '22529 53248' > /proc/sys/net/ipv4/ip_local_port_range"
ID 363216 A virtual server might say 'vlans-disabled' but not include a list of which VLANs are disabled if that list is empty. For example, the following means that the virtual server is disabled for no VLAN entries, which is the default setting: ltm virtual sample_vs { destination any:any profiles { fastL4 { } } vlans-disabled } This is harmless. Use the command 'list ltm virtual all-properties' to see the (empty) list of VLAN entries. Workaround: None.
ID 363284 The cipher list 'DEFAULT:!NATIVE' is different on v10.2.2 (valid) and v11.0.0 (invalid, empty). This can cause configurations to fail loading on v11.0.0 during the upgrade. This occurs because ciphers 'ALL' in the Client SSL profile only includes 'NATIVE' ciphers. That means that 'COMPAT' must be specified to include 'COMPAT' ciphers (e.g., EXP, EDH). As all SSLv2 ciphers are COMPAT ciphers, this also means that 'ALL:SSLv2' no longer includes SSLv2 ciphers. Note that this change impacts upgrade. So if your configuration uses COMPAT ciphers, it requires a configuration change (to specifically include COMPAT ciphers) for upgrade to complete successfully. Workaround: None.
ID 363361 The matchclass command is deprecated in favor of the 'class match' command. Do not specify a data group name as if it were a global variable. Workaround: None.
ID 363500 The system logs of a BIG-IP vCMP guest might show DriveReady Errors or an AbortedCommand in relation to /dev/hdc. These kernel warnings are innocuous and may be ignored. Workaround: None.
ID 363541 If a user creates an 'and' rule for the default node monitor that includes the monitor '/Common/none', the state of the node will not be reported correctly. Workaround: None.
ID 363756 Simultaneous blade-to-blade migrations of guests might occur. In rare instances, it is possible that multiple migration tasks will take longer than the allocated interval, and as such migrating guests might encounter a timeout. If this happens three times, the guest will be placed in the 'failed' state. Workaround: To recover a guest from this condition, wait until all guest migration tasks complete successfully or fail after three timed-out attempts. Then, on any blade with a guest in the 'failed' state, execute the 'vretry' command. This will cause any guests in the failed state on that blade to retry the failed action. Executing 'vretry' one blade at a time and waiting until all migration tasks on that blade are complete will avoid these failsafe timeouts. If a guest's retry attempts also fail, re-provisioning the guest might resolve the issue. To do this, change the guest's state to 'configured' and then subsequently back to 'provisioned' or 'deployed', as preferred. Note that this might cause the guest to be allocated to a different blade.
ID 363912 In rare occasions, when there are no monitors assigned as the default node monitor, an entry 'none' may appear in the Active select box on the 'Default Monitor' page in the Configuration Utility. This still represents the fact that no monitors are selected as the default node monitor and the BIG-IP will operate as such. Workaround:
ID 364407 Even after vCMP is deprovisioned, VLAN deletion or modification triggers a verification check that prevents the VLAN from being deleted or modified. Workaround: To work around this, reprovision vCMP, delete or modify the guest, delete or modify the VLANs, and then deprovision vCMP (reboot required).
ID 364588 If you run the show command from /Common partition to display the details of a pool in another partition, the monitor instance line is missing. Workaround: To work around this, navigate to the partition first. Then the show command presents the expected results.
ID 364831 When snmpd is restarted, you might get this warning message in the log file: '/config/snmp/subagents.conf: line 9: Warning: Unknown token: agentxPingInterval.' This message is benign and can safely be ignored. Workaround: None.
ID 364939 When a BIG-IP system has been configured as part of a trust domain for the purpose of config sync, and the configuration has been saved to the configuration files ('tmsh save sys config partitions all'), the following sequence of commands will incorrectly remove the BIG-IP system from the trust domain, and config sync will not work: 'tmsh load sys config default' (sets the config back to factory defaults), followed by 'tmsh load sys config partitions all' (loads the configuration from the config files in /config/...). Workaround: None.
ID 364978 If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2. For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair. Workaround: None.
ID 365006 Installing a 10.x UCS on a 'clean' 11.0 will cause daemons on secondary blades to restart. Workaround: None.
ID 365219 Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but one of the two following error messages will appear in /var/log/ltm: -- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}. -- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust. This occurs when upgrading version 10.x high availability configurations that use the factory default admin password; the trust upgrade for the version 10.x high availability configuration fails. Workaround: Change the default admin password in the 10.x configuration before upgrading to 11.0.0. This is intended functionality. The default admin password should be changed before deployment.
ID 365375 A DNS response packet is dropped when the 'DNS::edns0' command is used with the nsid option and there is no edns0 resource record in the packet. Workaround: To work around this issue, always use 'DNS::edns0 exist' and 'DNS::edns0 exist nsid' to make sure the packet contains the edns0 RR.
ID 365555 The DES ciphers have been deprecated for TLS v1.2, but TMM still includes them. These ciphers are supported on earlier versions of SSL/TLS, such as SSLv3 and TLS v1.0, which are widely used. TLS v1.2 deprecates them in order to move to higher standards. F5 recommends that you do not use these ciphers. Workaround: None.
ID 365756 During the load of a bad SCF file, once the error is thrown, the user is left in the partition folder where the error occurred. If the user attempts a second load, they will get an error: 'Data Input Error: 01070734:3: Configuration error: Invalid mcpd context, folder not found' with the folder name at the end. They must change back to /Common and attempt to reload SCF after they fix the SCF file. Workaround: Fix the SCF file, change directory/context back to /Common and attempt to reload.
ID 365757 Mixed mode is presented as an option for extra disks. When applied, this configuration option will present an error message similar to '01071372:3: Cannot change the mode for logical disk (HD2) from (NONE) to (MIXED). Disks cannot be changed to MIXED or CONTROL modes.' For this release of BIG-IP software, only None and Datastor are functional modes for extra disks. Workaround: None.
ID 365836 When using tmsh to switch to a vCMP provisioned system, a transaction should be used. The commands to do this are: '# tmsh', '> create cli transaction', '> modify sys provision ltm level none' (all modules must be set to none; add the corresponding commands for any other modules here, following the ltm example), '> modify sys provision vcmp level dedicated', '> submit cli transaction'. Secondary blades will likely reboot automatically due to this operation. There are conditions where the primary will reboot automatically as well. If the primary does not reboot and the status is REBOOT_REQUIRED, you should wait two full minutes before rebooting the primary blade. This is to ensure that provisioning completes, the secondaries have rebooted, vcmpd starts, and the system enters a quiescent state. This only needs to be done when changing provisioning. This occurs on a vCMP-capable platform that is not provisioned as vcmp; the system may end up provisioned with no modules, or back at the previous provisioning levels. Workaround: Use the GUI or iControl to adjust the system provisioning level. Or, issue a provisioning transaction for vcmp with this carefully constructed command at the root prompt: echo 'create cli transaction;modify sys provision ltm level none;modify sys provision vcmp level dedicated;submit cli transaction;quit' | /usr/bin/tmsh
ID 365979 After creating a new folder from tmsh the 'tmsh save sys config partitions all' command should be run. Workaround: None.
ID 367072 Running the command 'tmsh show sys hardware' on an appliance-based system shows a Registration Key field with a -- value, even on licensed systems. This field is designed only for chassis-based systems, so you can ignore the value. This occurs on appliance-based systems when running the command; the Registration Key field contains a -- value. Workaround: There is no workaround, but this field is designed only for chassis-based systems, so you can ignore the value.
ID 367198 Running 'tmsh show sys hardware' on appliances shows a blank Registration Key field. This is by design; this field is intended for VIPRION chassis only. Workaround:
ID 367714 When accessing the serial console on some BIG-IP platforms, if the baud rate is changed repeatedly on the serial client, the serial console port may cease functioning. In this case, a reboot of the BIG-IP system is required to restore serial console functionality. This problem is known to occur on BIG-IP 6900 appliances, and may also occur on BIG-IP 1600, 3600, 3900, 8900, 8950, 11000 and 11050 appliances. It has been observed to occur more frequently when connecting to the BIG-IP serial console from a client using a USB-to-Serial adapter; different makes and models of USB-to-Serial adapters do not perform identically. The serial console interface to the affected BIG-IP system is lost, and a reboot of the BIG-IP system is required to restore serial console functionality. Workaround: The BIG-IP system can be accessed via the management IP address, or via the AOM management IP address if so configured.
ID 367759 Reconfiguring a VLAN from being 'tagged' on a particular interface to 'untagged' (or vice versa) does not have an immediate effect, and instead only takes effect after TMM is restarted. This occurs on BIG-IP Virtual Edition (VE) connected to an upstream network that expects a tagged (or alternately, untagged) VLAN. Traffic does not pass after this change until TMM is restarted. Workaround: Restart TMM, or delete and recreate the VLAN with the appropriate tagged/untagged configuration.
ID 368888 The system allows you to create a virtual server (which creates the virtual address) in traffic-group-2 and a SNAT translation IP in traffic-group-1, and then to assign the SNAT IP to the virtual IP address, even though doing so could cause asymmetric routes if these traffic groups were not active on the same unit. Workaround: To work around this, only perform this type of configuration when the two traffic groups are active on the same unit.
ID 370189 If you upgrade from BIG-IP v10.x and have a virtual server with more than one httpclass attached, the compression profiles will not be updated. Workaround: Remove all but one httpclass from your virtual servers.
ID 370225 After a pool member is disabled from a DHCP Relay virtual server, connection flow data for the disabled pool member will persist until it times out. Workaround:
ID 372209 When the certificate used to verify a signed iRule expires, the iRule verification status will still remain 'Verified' as long as the certificate exists on the device. To avoid the misleading status, the signature for rules signed with an expired certificate should be modified to have the 'ignore verification' property set to true, or edited to remove the signature (edit the rule and remove the 'definition-signature' line). Workaround: None.
ID 372979 When using the config utility to configure a static IP address, it works correctly. But when using the config utility to select an automatic or DHCP address, the operation does not complete, and returns to the prompt without error. The workaround is to configure a static IP address. Workaround: None.
ID 373467 MD5-signed certificates do not work with TLS 1.2. Clients will not be able to authenticate with certificates that are signed with rsa-md5. Workaround: None.
ID 374109 The radvd config is not migrated to tmsh syntax during a UCS restore. The workaround is to create the config manually with tmsh. Workaround: None.
ID 374259 BIG-IP allows clientssl profiles to be associated with certificates that aren't imported in BIG-IP. This does not affect v11.x. Workaround: None.
ID 374333 When the rate of new connections (CPS) is extremely low, Observed or Predictive load balancing can distribute connections unevenly across pool members. This occurs on a pool configured with the Predictive or Observed load balancing method, and results in uneven connection distribution across the pool. Workaround: None.
ID 375207 On rare occasions, tmsh will write an innocuous error message to /var/log/ltm based on a query to mcpd. The error appears as: '01070734:3: Configuration error: Invalid wildcard query, invalid or missing class ID'. Workaround: None.
ID 375434 Rarely, an HSB lockup occurs on the 8900 platform when the TMM driver tries to reset the HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This occurs on the 8900 platform only. The system posts error messages similar to the following: 'Device error: hsb interface 3 soft resetting due to transmitter failure', subsequently indicating that the interface link is down, and then posting an error that the hsb interface disable tx ring timed out. Workaround: There is no workaround for this.
ID 375887 Using the cluster member 'disable' command with a trunk that spans blades can cause a brief period where received broadcast and multicast packets will egress out the enabled trunk members of the cluster. To an external device running spanning tree protocol or variant, this can look like a loop. Workaround: None.
ID 376166 QSFP+ module ports do not allow a media capability setting of 1 GbE. There is no workaround for this issue. Workaround: None.
ID 376447 When using tmsh or iControl with the VLAN group feature, if a VLAN group member is used in the configuration of another object, an error may result similar to the following: '01070712:3: Caught configuration exception (0), Cannot create vlan 'vlanx' in rd0 - ioctl failed: File exists - net/validation/routing.cpp, line 395.' Workaround: To avoid the problem, when using tmsh and the VLAN group feature, only use the VLAN groups, never their members, when configuring other objects. Furthermore, it is not necessary to work with the VLAN group member (that is, in this case, the group is already in the route domain, so adding the VLAN itself is not even necessary).
ID 377231 VIPRION B4300 blades only support 9600 and 19200 baud, even though other baud rates are accepted. Workaround: None.
ID 378055 The serial console on the B2100 blade in a VIPRION C2400 chassis cannot be set to 38400 using the tmsh command 'tmsh mod sys console baud-rate 38400', but it can be set using the AOM Command Menu. After setting it to 38400 via the AOM Command Menu, you can use the tmsh command to see that the baud rate has been set to 38400. Workaround:
ID 378305 Because the first phase of the BIOS operates at a fixed baud rate of 19200, if you change the baud rate to any other speed, you do not see the BIOS splash screen, nor are you able to access BIOS setup while rebooting the B4200 blade. To see the splash screen or access BIOS setup, change the baud rate to 19200. Workaround:
ID 379738 If a BIG-IP system has both an 11.x install and a 10.x install, in some cases falling back to 10.x will result in error messages in /var/log/ltm such as: Error 'unknown DS name 'rchits'' during rrd_update for rrd file '/var/rrd/ramcache'. If so, run 'bigstart stop statsd', then either 'rm -f /var/rrd/ramcache*' or copy /var/rrd/ramcache* to some permanent location (see note), then run 'bigstart start statsd'; statsd will then regenerate the rrd file. Note: this will result in the loss of RAMCACHE historical statistics. If that is unacceptable, create a directory on /shared to hold the files. For example, while still running the 11.x partition: 'bigstart stop statsd', 'mkdir -p /shared/rrd11/ramcache', 'mv /var/rrd/ramcache* /shared/rrd11/ramcache', then reboot to 10.x. If you wish to restore these when switching back to 11.x (once rebooted to 11.x): 'bigstart stop statsd', 'cp /shared/rrd11/ramcache/* /var/rrd/', 'bigstart start statsd'. Workaround: None.
ID 380047 Listing certain objects in subfolders of the current folder (e.g. 'list ltm profile ntlm my_subfolder/my_ntlm_profile') may not show any output. Workaround: As a workaround, you can change into the subfolder ('cd my_subfolder') and then list the object: 'list ltm profile ntlm my_ntlm_profile'.
ID 380415 TMM CPU utilization statistics reported by sFlow or by running 'tmsh show sys tmm-info' are less than actual TMM CPU utilization. TMM CPU utilization stats can be found by running 'tmsh show sys proc-info tmm'. Workaround: None.
ID 381123 Enabling more than 10 sFlow receivers may impact the performance of the BIG-IP system and, therefore, is not recommended. Workaround: None.
ID 381710 The test-monitor and test-pool-monitor commands require the monitor or pool argument to include its partition, e.g. /Common/pool1. Tab completion from inside a partition will cause the partition name to be omitted. Workaround: To work around this, run these commands from the root partition, or manually type the full pool or monitor argument including the partition.
ID 382040 Config sync fails after changing the IP address of a pool member that has a node name, where the IP address change is made by deleting the pool member and node and then recreating them. To reproduce: delete an existing pool member that has a node name set; recreate the pool member with a different IP address using the same node name before syncing the config; then sync the configuration. For example, starting from this configuration: ltm pool ip_mod_pl { members { ip_mod2_nd:http { address 10.168.1.4 } ip_mod_nd:http { address 10.168.1.1 } } } ltm node ip_mod2_nd { address 10.168.1.4 } run: 'tmsh modify ltm pool ip_mod_pl members delete { ip_mod2_nd:http }', 'tmsh delete ltm node ip_mod2_nd', 'tmsh modify ltm pool ip_mod_pl members add { ip_mod2_nd:http { address 10.168.1.5 } }', 'tmsh run cm config-sync to-group S48-S49'. On 11.4.0 and up this only happens if a full load is being done. Note that full loads may still happen on occasion even if full-load-on-sync is false for the device group. Config sync fails. Workaround: The current workaround is to delete the pool member and node on the peer, then sync the configuration. The issue does not affect pool members/nodes with no name associated with the node.
ID 382577 The imish 'terminal monitor' command has no effect in TMOS. Workaround: The workaround is to configure the log file (under /var/log) and use the tail command to monitor it in real-time. This workaround only works for users with access to bash.
ID 383128 While upgrading or booting between versions on the VIPRION B2400, B4200, and B4300 Blade Series, it should be expected that firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. Workaround: None.
ID 383442 If a packet is split into multiple fragments and the matching part of the tcpdump filter would be in a later fragment, it will not match. Workaround: None.
ID 383590 When upgrading multiple machines that are members of the same trust domain, it is possible during mid-upgrade that there will be inconsistent sync status messages across the trust domain. Once the upgrades are complete, and all machines are in running state on the same version, the sync status should return to a consistent status across the domain. Workaround: None.
ID 384717 While viewing 'watch-trafficgroup-device', if the devices in the device group change, 'watch-trafficgroup-device' can sometimes become non-responsive. Killing the tool and restarting it after the device group membership stops changing will keep 'watch-trafficgroup-device' running stably. Workaround: None.
ID 385274 This issue shows when an IPsec flow is routed via a gateway pool. When a monitored gateway pool member is detected to be down, a different member is selected as the gateway. The policy flow's nexthop is not always updated to reflect the member switch. IPsec flows need to be routable via a gateway pool. IPsec traffic continues to use the down pool member. Workaround: N/A
ID 385508 Loading a pre-11.0 ucs onto a system running 11.0 or later will reset the device trust group, and should be avoided after the original migration. Save a new 11.0 ucs immediately after migration to 11.0 is complete and use this one going forward. Workaround: None.
ID 385825 The CMI watch_* scripts (like watch_devicegroup_device) should not be allowed to run indefinitely as they may adversely affect performance of the box after a few hours. Workaround: None.
ID 385915 After updating the interface configuration from the web interface, the value of lldp-tlvmap changes from the default of 130943 to 114552. Workaround: Manually modify the value as needed.
ID 386778 IPsec in an HA deployment cannot use an anonymous ike-peer. Workaround: Create a new ike-peer with the required remote IP field holding the remote peer's IP address. If using PSK, no further change is needed. If using RSA (the default), uncheck the 'verify certificate' field. Change the presented ID and verified ID fields to 'address'.
ID 387106 Ramcache statistics are associated with only one virtual server per profile. The statistics for all of the virtual servers that use this profile are reflected in the ramcache statistics for that virtual server. This occurs in reporting ramcache statistics. System reports statistics for only one virtual server per profile. Workaround: The workaround is to create a copy of the profile for each virtual server if the individual statistics are desired. However, this adds complexity to the configuration and should only be done when necessary.
ID 387448 When monitoring a device group's status from a device that does not belong to that group, the config sync status reported could be inconsistent with the device-level status. For example, the sync status for device A is 'Changes Pending', but the device group to which device A belongs shows a status of 'In Sync'. The workaround is to view the sync status from a device in the device group. Workaround:
ID 388098 dmesg may display a message similar to the following: 'localhost warning kernel: hda: host side 80-wire cable detection failed, limiting max speed to UDMA33'. This is expected and does not indicate any problem with the hardware or software. Workaround:
ID 388273 On a VIPRION, the failover daemon will not be able to communicate correctly with the peer chassis unless the customer configures the management port on each blade. Workaround: None.
ID 389642 The 'route' command will not display multiple nexthops for a route. If you have routes with multiple nexthops, use the 'ip route show' or 'ip -6 route show' command to view them, instead. Workaround: None.
ID 389912 When a single blade chassis is in the standby mode, there is no blade LED indication that the chassis is in standby mode. Workaround: None.
ID 389976 There is a memory leak in the Kerberos delegation feature. There is no current workaround. This occurs when using Kerberos Delegation in Advanced Client Authentication. APM functionality is not affected. Workaround: None.
ID 390248 Devices outside of a device group but in the trust domain may have an out-of-date Commit ID (CID) or Last-Successful-Sync (LSS) ID, causing configsync status to be displayed incorrectly on some devices and not others. Workaround: None.
ID 390423 Performing a 'sync from group' currently causes a mismatch in LSS 'Last Successful Sync' IDs such that viewing configsync status will be incorrect on some devices and not others. Workaround: None.
ID 390764 A BFD session may not show the correct session 'Up Time' value when the user displays BFD session information using the IMI shell command 'show bfd session detail'. This occurs when any BFD session parameter is modified through imish. There is no functional impact; the issue is only diagnostic. The BFD session will appear as having bounced when it has not. Workaround: None
ID 393647 The availability status for objects configured with a connection rate-limit can remain yellow even if the object is available to handle traffic. Once the connection rate falls below the configured value, the object's status will continue to show unavailable until the object receives additional traffic. This is a cosmetic issue and is limited to testing scenarios where the test tool stops sending traffic upon receiving a reset packet. ApacheBench is one such tool. In real world scenarios, continued traffic processing will automatically restore the correct status. Workaround: None.
ID 395208 On the BIG-IP 2000 and 4000 family of platforms, messages such as 'subscriber(%pfmand): Snapshot for req_id(XX) getting removed due to timeout.' might appear in the ltm log. These messages are innocuous and should be ignored. This occurs on the BIG-IP 2000 and 4000 series. Messages appear in the ltm log that can be ignored. Workaround: There is no workaround.
ID 395269 Reapplying a template to reconfigure an Application Service Object will delete any firewall rules that have been created through the Security screen. To retain a set of firewall rules, include creation of the desired firewall rules in the template itself. Workaround: None.
ID 395720 On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7. This occurs on the BIG-IP 4000. Ethernet devices do not get renamed. Workaround: To work around this issue, reboot the device.
ID 395900 After failover, the new primary unit can have wrong ARP entries if opaque or translucent mode is used. These should expire eventually, but for a while the BIG-IP would not be able to communicate with its neighbors. Traffic flow after a hardware failover may be impacted. Workaround: Use transparent mode for the VLAN group.
ID 396122 In a non-homogeneous cluster, validation on a secondary blade may fail if the module is not allowed or resources are not available. Workaround: Make sure the primary member of a cluster is the blade with the least available resources (Puma1).
ID 396273 When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is likely a firmware bug on this device. Contact the card vendor for a firmware update. This can occur when 'lspci -vvv' has been executed. This is a benign message, and you can safely ignore it. Workaround: There is no workaround, but this is not a functional issue.
ID 396278 If you set the MGMT IP address using the LCD module, the ltm log contains a message stating the management route was not found. This is the message: 'Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found.' This is a benign logging message that is reporting a non-existent error condition. This occurs when you set the MGMT IP address using the LCD module on 1600, 2000, 3600, 3900, 4000, 5000, 6900, 7000, 8900, 10000, and 11000 platforms; the system writes the message above to the ltm log. Workaround: There is no workaround, but this is a benign logging message that is reporting a non-existent error condition.
ID 396293 SNAT bounceback does not work when the non-default CMP hash is used on a vlan carrying that kind of traffic. Workaround: None.
ID 396294 At startup, the BIG-IP 4000 logs a message 'SwEdge Error: No core edge found' in /var/log/ltm. This message is benign and reports a non-existent error condition. Workaround: None.
ID 396831 Provisioning Virtual Clustered Multiprocessing (vCMP) on 2000/4000 series platforms can cause a kernel panic. vCMP is not supported on these platforms. This can occur on the 2000/4000 series platforms. A kernel panic can occur. Workaround: The release notes contain information about which platforms support vCMP. You can also check the AskF5 Knowledgebase. If a vmdisks application-volume was created on a platform that does not support vCMP, it should be removed.
ID 397638 While performing a liveinstall, use the command 'tmsh modify sys global-settings mgmt-dhcp disabled' to preserve the static management-ip. Workaround: None.
ID 398947 It is possible that the text 'serial8250: too much work for irq4' may be seen on the host serial console. These messages are extremely rare. The cause of the message is a temporary overload of the serial port. However, once the serial port has recovered from the overload, it continues to operate normally. No character loss on the console has been observed when this condition is encountered. Workaround: None.
ID 399073 Encountering the error 'err ntpd[5766]: Frequency format error in /var/lib/ntp/drift' in /var/log/daemon.log once after boot is an innocuous condition. Workaround: None.
ID 399470 Switch based platforms do not support Fiber Channel SFP modules. Workaround:
ID 400078 When removing a pluggable module from some specific Centaur or Treadstone ports, it is possible for the adjoining ports to lose link briefly, e.g. removing a pluggable module from Centaur ports 1.1 or 1.5 may cause an established link on ports 1.2 or 1.6 respectively to drop briefly. Workaround: None.
ID 400346 A server_name field populated with a properly formatted URL in a DHCP response may cause the dhclient process to generate an error in daemon.log. The error message 'err dhclient: suspect value in server_name option - discarded' is innocuous and can safely be ignored. Workaround: None.
ID 400584 An lsn-pool object can be created without any member prefix; however, an lsn-pool without any member prefix will not perform translation until prefixes are added. Workaround: Add prefixes to the lsn-pool.
ID 400778 On a VIPRION system, during a failover in which a blade transitions from secondary to primary, log messages make it appear that chmand is looking to delete logical disks on CF1 and HD1. The VIPRION posts messages such as: 'Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete', 'Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'. Workaround: None. These messages are benign and you can safely ignore them.
ID 401412 The default dhclient request elements can be displayed with the command 'tmsh list sys management-dhcp sys-mgmt-dhcp-config'. These elements can be managed by using add/delete statements under the management-dhcp object. This example disables updates to the system hostname from DHCP: tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { host-name } Workaround: None.
ID 401917 When disk space is available on the primary blade of a chassis but not on one or more of the secondary blades, mcpd validation fails on the secondary blade(s) and causes mcpd to restart. Workaround: Use the GUI or tmsh to remove any unused application volumes from secondary blades.
ID 402004 When the persistence mode or address range of a LSN pool is changed and there are active persistence mappings, the 'Total Active Persistence Mappings' statistic will not immediately reflect the change. Any currently active persistence mappings that are invalidated by the change will be continued to be counted until they expire. Workaround: None.
ID 402115 The command 'tmsh show sys memory' displays zero usage for some entries, so the division of memory usage may not be clear. This affects any running product. Workaround: None.
ID 402455 Before attempting synchronization using the GUI setup wizard, clocks of the BIG-IP devices must be synchronized. It is recommended to use a NTP server for this. Workaround: None.
ID 402510 When TCP connection queuing and OneConnect are used together on the same virtual server, the connection count on the pool (and members) fails to properly decrement when bouncing off the connection limit. The pool eventually becomes permanently unavailable, showing itself as having reached conn limit, even after there are no active conns to the pool and the OneConnect conn pool is empty. This occurs when TCP connection queuing and OneConnect are used together on the same virtual server. The problem can only be corrected by a restart of TMM. Workaround: There is no workaround.
ID 402551 On BIG-IP 4000 Series platforms, any trunk which does not consist of 1,2,4, or 8 members will have imbalanced traffic. Workaround: On BIG-IP 4000 Series platforms, use trunks with 1,2,4, or 8 ports in order to balance traffic evenly across links. Non-power-of-two configurations will work, but traffic will not be balanced.
ID 402811 On hypervisor systems that host a BIG-IP Virtual Edition system, memory reservation should be configured as 100% of the Virtual Edition memory allocation. Workaround: None.
ID 402855 If a config is created with route domains and a config is created that is identical except without any route domains, then while one config is loaded, a load of a UCS of the other config may fail. The load will fail initially; once defaults have been loaded, the configuration may be loaded again. Workaround: Clear the current config by loading defaults before loading the UCS, i.e. tmsh load sys config default ; tmsh load sys ucs <ucs_name>
ID 403002 It is not possible to set up configuration synchronization using a configsync-ip on a nonzero route domain, but the system does not prevent you from configuring a device in this manner. Workaround: None.
ID 403613 The drop counters for the 1.x interfaces on the 2000s / 2200s and 4200v platforms currently do not work in LTM mode due to a hardware issue. Workaround: There is no workaround.
ID 403688 Hardware syncookies currently require both client side and server side profile context to have hardware syncookies enabled in order to function. Workaround: None.
ID 403764 If a log message is not matched by any filter, then the log will be processed by the syslog-ng daemon. Workaround: To disable log processing by the syslog-ng daemon, create a filter with source equal to 'all' and level equal to 'debug' then route as desired.
ID 403782 When you run an access policy sync, sometimes the status (available from the top left corner of the screen) is 'Not all devices in Sync' or 'Unknown'. This can happen even when the access policy sync succeeds. Although the status is confusing, there is no functional impact. Workaround: None.
ID 403829 When editing the configuration of a SNAT, changing the Translation type from IP Address to SNAT Pool results in an error. The system posts: 01070734:3: Configuration error: Snat Translation Address Name /Common/1.2.2.2 encodes IP address 1.2.2.2 which differs from object IP address field Workaround: Use tmsh to modify the SNAT pool with the following command: tmsh modify ltm snat my_snat { snatpool /Common/my_snat_pool }
ID 404398 Using tmsh merge to update route-domains does not work. Workaround: A workaround is to manually merge the changes to /config/bigip_base.conf (or /config/partitions/<partition_name>/bigip_base.conf) and load.
ID 404443 The VIPRION 4800 chassis only supports blades running 11.3.0 software. If you attempt to add a blade running an older version, it will be unable to join the cluster and some daemons on that blade might begin restarting repeatedly. Workaround: None.
ID 404588 LSN iRule persistence-entry get/set and inbound-entry get/set may not work properly for RTSP if the 'after' command is used. Workaround: None.
ID 404668 Device sync can be lost between a device with GTM and LTM licensed and provisioned, and a device with LTM licensed and GTM provisioned but not licensed. This can arise when loading scf files even if they reflect the current configuration. Workaround: To work around this, after you load back the scf files and then save them, run a tmsh load cmd. This 'activates' the trust and requests a sync for the device group.
ID 404711 To prevent config sync issues, you should ensure that non-floating self-IP items are not dependent on system unique resources that do not also config sync. For example, a tunnel used by a self-IP should be placed in a folder that does not sync (the devicegroup setting is set to 'none'). Workaround: None.
ID 404716 With the packet filter enabled and its default action set to discard or reject, decapsulated tunnel packets may be dropped. Workaround: None.
ID 405255 Issuing a 'reset-stats net interface' command in tmsh does not clear the stats for an interface with status 'disabled'. Enabling the interface with 'modify net interface x.y enabled' before resetting stats causes the stats to correctly clear. The interface can be disabled again afterwards if desired. Workaround: None.
ID 405356 Hot swapping hard drives at a rate of approximately once per second may result in the drive failing to show back up after insertion. This occurs when the swapping occurs at a rate of approximately once per second, and results in loss of access to the affected drive. Workaround: It is possible to recover missing devices by manually forcing the kernel to rescan the SATA/SCSI host bus.
To find out how many SATA/SCSI buses you have:
shell> ls -l /sys/class/scsi_host/
drwxr-xr-x 3 root root 0 Feb 12 19:01 host0
drwxr-xr-x 3 root root 0 Feb 12 19:01 host1
drwxr-xr-x 3 root root 0 Feb 12 19:01 host2
drwxr-xr-x 3 root root 0 Feb 12 19:01 host3
drwxr-xr-x 3 root root 0 Feb 12 19:01 host4
drwxr-xr-x 3 root root 0 Feb 12 19:01 host5
To find out which device(s) may have an error, perform the following: dmesg | grep -i sata
Example output: ata1: SATA link down (SStatus 0 SControl 300) (indicating host bus 1 (ata1) is down).
If you know the host interface which you need to rescan, perform the following (wildcarding the Channel, Id, and LUN with '- - -'):
shell> echo '- - -' > /sys/class/scsi_host/host<n>/scan
(replace the <n> with the number of the SATA/SCSI host bus to be rescanned)
NOTE: Do not perform this procedure on a mounted device!
To verify the device was recognized and attached by the SATA/SCSI subsystem, use the proc interface:
shell> cat /proc/scsi/scsi
An example of the output:
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
Vendor: ATA Model: WDC WD1000CHTZ-0 Rev: 04.0
Type: Direct-Access ANSI SCSI revision: 05
Host: scsi1 Channel: 00 Id: 00 Lun: 00
Vendor: ATA Model: WDC WD1000CHTZ-0 Rev: 04.0
Type: Direct-Access ANSI SCSI revision: 05
Notice that after the 'Attached devices:' line above, there are 3 lines for each recognized device. Each host will show its host bus number. In the example above there are two devices: host bus 0 (scsi0) and host bus 1 (scsi1).
ID 405539 The GUI shows an incorrect status indication for an interface. After disabling and re-enabling the interface, the GUI still shows it as DISABLED. The correct indication returns after a reboot (until the next disable). Workaround: None.
ID 406238 FTP active mode data connections do not work from the BIG-IP system command line if the connection exits through an interface with an SP DAG (cmp-hash = src-ip or dst-ip). For FTP initiated from the BIG-IP, the data connection cannot be established in active mode. Workaround: Use FTP passive mode for data transfer.
ID 406878 If you have a version of TMOS on multiple devices configured for sync, when you upgrade them all to a later TMOS version, there might be inconsistency in what versions one device reports as being present on other devices. You can run the command 'list cm device' on a given device to see the version/build correctly shown for that particular device. This occurs after upgrading members of a trust domain from TMOS v11.0.0 or later. Sync occurs correctly; this is only a cosmetic problem. Workaround: Make a change to the device's description field, or some other non-operational change. This will force the device to advertise an updated trust configuration, including the updated version field.
ID 407930 In rare, low memory cases, TMM may core when using the STREAM::match command in an iRule that reports many Tcl errors. You can prevent this by fixing any Tcl errors. This occurs when there is very low memory available for TMM, and there are large numbers of errors reported in logs for iRules in a filter. The core stack ends with output similar to the following: #0 0xf7e10113 in ?? () #1 0x00527d7b in vsnprintf (str=<optimized out>, size=<optimized out>, format=<optimized out>, ap=<optimized out>) at ../lib/stdio.c:553 Workaround: Resolve errors.
ID 408248 When the network forwards a packet to a Standby Unit destined to a masquerade MAC address and a listener on TMM, and TMM has a packet filter rule configured with action reject, TMM on that unit performs the packet filter rule of action reject, even though it is in standby. In this case, the network seemingly 'floods' an Ack packet which is related to a valid connection flow on the Active Unit; however, when this Ack packet arrives at the standby, TMM responds with a RST,ACK (honoring the sequence and acknowledgment numbers, but not sourced from the masquerade MAC address), resulting in the standby Unit interfering with and tearing down the TCP connection. Workaround: Set packetfilter.defaultaction to 'discard', which silently drops the packet.
ID 408810 A BIG-IP with a Vyatta neighbor on a single link may appear to be stuck in ExStart/Exchange state because Vyatta incorrectly drops a database description packet containing a 24 byte router-LSA (zero link LSA). This occurs when the OSPFv2 or OSPFv3 neighbor is a Vyatta router; the OSPF session will not come up. Workaround: None.
ID 409697 A user cannot create certificates and keys in subfolders using the web interface. Workaround: Use tmsh or iControl.
ID 410036 If a client and server attempt to resume a TLS connection using TLS session tickets through a BIG-IP virtual server configured for Proxy SSL, the BIG-IP will reset the connection. If Reset Cause Logging is enabled (refer to SOL13223), the reset cause is 'SSL Session Not Cached.' Resumed handshakes do not succeed, which may result in traffic disruption for the affected clients through the virtual server. Workaround: Disable TLS session tickets on either the pool members or the client systems.
ID 410114 When OSPF protocol running on BIGIP sends a 24 byte router LSA, Vyatta discards such an LSA and this may cause OSPF protocol to get stuck in ExStart/Exchange and never reach FULL state. This occurs intermittently. OSPF v2 protocol configured between BIGIP and a Vyatta neighbor. OSPFv2 protocol does not synchronize without manual intervention. Workaround: In imi shell, 'clear ip ospf process'. May need to do this a few times.
ID 410223 For a virtual with a SIP profile configured as an ALG using the TCP transport, TCP FIN and RST packets are unnecessarily sent by the BIG-IP to multiple peer clients/servers when one of the clients/servers issues a FIN or RST packet. This occurs with a SIP ALG TCP virtual configuration when one of the clients/servers sends a FIN or RST packet to the virtual. Unless the SIP clients/servers are configured to automatically reconnect when they receive an unexpected FIN or RST, the in-progress sessions/calls that are using the connection being closed will fail. Workaround: Add the following mblb profile to the SIP virtual: ltm profile mblb /Common/test { defaults-from /Common/mblb isolate-abort enabled isolate-client enabled isolate-expire enabled isolate-server enabled }
ID 411636 The LCD System menu is enhanced with a new menu for DHCP. This menu reflects the current DHCP value set either via the LCD DHCP menu or via other means such as tmsh or a config script. If DHCP is enabled, the LCD System Management menu still allows the network operator to type values for the management data; however, the operator cannot commit successfully, and an error is shown on the LCD stating 'Disable DCHP from LCD before setting IP'. This applies to appliance boxes only. Workaround: If you want to enter an IP address, disable DHCP first in the LCD.
ID 414018 Hairpin connections between different subscriber hosts fail. The subscriber network(s) and the internet are in different route domains. Applications on different subscriber hosts cannot establish connections. Workaround: Use the same route domain for the subscriber networks and the internet.
ID 414160 Configuring the VLAN used for inter-device mirroring for an IP cmp-hash mode may cause errors establishing the mirroring connection between devices. Workaround: Configure the VLANs used for the mirroring connection with the default cmp-hash mode, not an IP cmp-hash mode.
ID 414454 When you update an iRule and replace an event that contains script content with a blank script, TMM cores with a stack trace. In response, TMM cores because it is trying to compile an empty script. Note that when creating a new iRule, there is a check for adding an event script with no content, so the error does not occur on create. This occurs when replacing iRule events containing valid Tcl code with whitespace or with no Tcl code. When the issue occurs, TMM cores with stack trace. Workaround: To work around this issue, delete or comment out the empty event, or insert a comment.
ID 415716 The iControl REST service offers an API designed for managing a BIG-IP device. The iControl REST service is accessible through HTTPS on any BIG-IP interface. Typically, you access iControl REST through its management-IP address, the one you use to access tmsh or the BIG-IP GUI. The BIG-IP device runs rate-limiting software on its management interface, which can artificially slow down script or program calls to iControl REST. Workaround: Use an alternate BIG-IP address for iControl REST, such as a self-IP address.
ID 415961 Unused HTTP Class profiles are not rolled forward during upgrade or UCS restore. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring forward those profiles into the new configuration when you upgrade. No Policy is created from the HTTP Class profile and the profile does not appear in the new configuration. This occurs when upgrading a pre-v11.4.0 configuration with a HTTP Class profile not attached to a virtual server. You might lose unused HTTP Class profiles in the configuration. Workaround: Attach all HTTP Class profiles to a virtual server before upgrade or save of a UCS.
ID 416496 Cancelling tmsh during a show command might restart TMMs. The TMM processes, and possibly mcpd, may restart because the process runs out of memory if the command 'show sys connection' from tmsh is interrupted while processing. This intermittent issue occurs when the system has a large number of active connections in the TMM processes (number varies by platform), and tmsh is formatting the connection table for output. System restarts cause all connections to be lost, and the appliance is unusable for a short time while the processes begin again. Workaround: None, but you can prevent the issue from occurring by waiting for tmsh to complete the collection and formatting of connection table information. Specifically, do not interrupt the operation from the command 'show sys connection'.
ID 417526 When a power cable is reconnected to a power supply, a message will typically show up in the log /var/log/ltm like this: Mar 29 11:09:37 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good But sometimes, the status may switch from Good to Bad, then back to Good within seconds: Mar 29 11:09:37 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good Mar 29 11:09:37 SJPtengs-Treadstone crit chmand[9322]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV04G): Bad Mar 29 11:09:40 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good This may happen when a power cable is disconnected, then re-connected to an AC power supply. This does not affect the normal operation of the BIG-IP. It simply means it may take a few seconds for the fan in the power supply to go up to speed. Workaround: None.
ID 417548 If thousands of FIPS keys are configured, it is possible to cause an out of memory error in the web UI. This presents itself as a blank page in the GUI. Workaround: A simple workaround is to use tmsh to list FIPS keys. Alternatively, run tmsh modify sys db provision.tomcat.extramb value 64, which increases the memory provisioned for the GUI database query.
ID 417899 If you run the command 'service network restart' to stop and start all the network interfaces, the connection to LOP is lost, and the log shows 'Lopd status: 2' in the log messages to indicate the LOP has no response. This occurs when you run the command 'service network restart'. TMOS is not able to communicate with LOP firmware, which reports data about sensor and backplane interface status. Workaround: Recreate the special VLAN that connects to LOP by running the command 'service lopd restart' to restart lopd.
ID 418685 Unable to execute tmsh when using a custom MIB, because snmpd is not allowed by SELinux to run tmsh by default. Workaround: Add an SELinux policy module that allows snmpd to run tmsh.
1. Reset existing policies: # semodule -r <nameofmodules>
2. Restart snmpd: # bigstart restart snmpd
3. Create a new module based on a complete list of AVC messages (# vi audit_snmpd.log), such as the following:
type=AVC msg=audit(1375337597.590:526): avc: denied { execute } for pid=12206 comm='snmpd' name='tmsh' dev=dm-12 ino=154992 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
type=AVC msg=audit(1375338586.172:580): avc: denied { read } for pid=12315 comm='snmpd' name='tmsh' dev=dm-12 ino=154992 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
type=AVC msg=audit(1375338622.864:596): avc: denied { setattr } for pid=12358 comm='tmsh' name='tmsh' dev=dm-0 ino=3063865 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1375338622.865:598): avc: denied { unix_read unix_write } for pid=12358 comm='tmsh' key=-168956060 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:tmm_t:s0 tclass=shm
type=AVC msg=audit(1375338642.258:601): avc: denied { create } for pid=12388 comm='tmsh' name='c6s3XK' scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1375338642.285:605): avc: denied { associate } for pid=12388 comm='tmsh' key=-168956060 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:tmm_t:s0 tclass=shm
type=AVC msg=audit(1375338660.669:620): avc: denied { rmdir } for pid=12428 comm='tmsh' name='MznKPU' dev=dm-0 ino=3064056 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1375338660.670:622): avc: denied { read write } for pid=12428 comm='tmsh' key=-168956060 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:tmm_t:s0 tclass=shm
type=AVC msg=audit(1375338660.711:624): avc: denied { write } for pid=12433 comm='mv' name='root' dev=dm-11 ino=47105 scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338723.612:643): avc: denied { remove_name } for pid=12495 comm='mv' name='.tmsh-history-root' dev=dm-11 ino=47177 scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338741.562:646): avc: denied { add_name } for pid=12532 comm='mv' name='.tmsh-history-root' scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338741.777:647): avc: denied { add_name } for pid=12533 comm='tmsh' name='.tmsh-history-root' scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338756.189:650): avc: denied { create } for pid=12563 comm='tmsh' name='.tmsh-history-root' scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338772.068:655): avc: denied { read append } for pid=12598 comm='tmsh' name='.tmsh-history-root' dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338772.069:656): avc: denied { read write } for pid=12598 comm='tmsh' name='.tmsh-history-root' dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338792.149:660): avc: denied { lock } for pid=12633 comm='tmsh' path='/root/.tmsh-history-root' dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338806.671:665): avc: denied { getattr } for pid=12673 comm='mv' path='/root/.tmsh-history-root' dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338819.790:669): avc: denied { unlink } for pid=12716 comm='mv' name='.tmsh-history-root' dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338832.287:672): avc: denied { relabelfrom } for pid=12753 comm='mv' name='.tmsh-history-root' dev=dm-11 ino=47116 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1375338845.499:681): avc: denied { relabelto } for pid=12792 comm='mv' name='.tmsh-history-root' dev=dm-11 ino=47116 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1375343821.370:1020): avc: denied { execute_no_trans } for pid=15279 comm='snmpd' path='/usr/bin/tmsh' dev=dm-12 ino=154992 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
4. Build and install the module: # audit2allow -M snmpdallow < audit_snmpd.log and then # semodule -i snmpdallow.pp
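Before loading a module generated by audit2allow, it helps to see exactly which source type, target type, object class and permissions the AVC records would cause the module to allow. The following script is an added example, not part of the F5 release notes or the BIG-IP product; it summarizes AVC denial records with awk and filters them by target type. The records in AVC_SAMPLE are constructed to match the shape of those in the workaround above (the audit subsystem writes comm and name values in double quotes), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the F5 release notes): summarize SELinux AVC
# denials so the scope of an audit2allow-generated module can be reviewed.

# Constructed sample records in the same format as the workaround's audit log.
AVC_SAMPLE='type=AVC msg=audit(1375337597.590:526): avc: denied { execute } for pid=12206 comm="snmpd" name="tmsh" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
type=AVC msg=audit(1375338586.172:580): avc: denied { read } for pid=12315 comm="snmpd" name="tmsh" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
type=AVC msg=audit(1375338622.865:598): avc: denied { unix_read unix_write } for pid=12358 comm="tmsh" key=-168956060 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:tmm_t:s0 tclass=shm
type=AVC msg=audit(1375338756.189:650): avc: denied { create } for pid=12563 comm="tmsh" name=".tmsh-history-root" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file'

# Read AVC records on stdin and print one "source_type target_type class perm"
# tuple per denied permission, deduplicated. Only the type component of the
# user:role:type:level contexts is kept, which is what an allow rule names.
avc_summary() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) src = $i
        else if ($i ~ /^tcontext=/) tgt = $i
        else if ($i ~ /^tclass=/) cls = $i
      }
      sub(/^scontext=/, "", src); sub(/^tcontext=/, "", tgt); sub(/^tclass=/, "", cls)
      split(src, a, ":"); src = a[3]
      split(tgt, b, ":"); tgt = b[3]
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++) print src, tgt, cls, p[j]
    }' | sort -u
}

# Keep only tuples whose target type matches $1 (e.g. user_home_dir_t),
# so grants outside the expected tmsh/tmm types stand out.
avc_filter_target() {
  awk -v want="$1" '$2 == want'
}

# Number of distinct tuples in the sample (used by the demonstration below).
avc_sample_tuple_count() {
  printf '%s\n' "$AVC_SAMPLE" | avc_summary | wc -l | tr -d ' '
}

# Number of sample tuples that would grant access to root's home directory type.
avc_sample_home_dir_count() {
  printf '%s\n' "$AVC_SAMPLE" | avc_summary | avc_filter_target user_home_dir_t | wc -l | tr -d ' '
}

# Demonstration: print the full summary, then the home-directory subset.
avc_demo() {
  printf '%s\n' "$AVC_SAMPLE" | avc_summary
  echo "--- tuples touching user_home_dir_t ---"
  printf '%s\n' "$AVC_SAMPLE" | avc_summary | avc_filter_target user_home_dir_t
}
```

Run `avc_demo` or pipe a real audit log into `avc_summary`; the filtered view shows that the workaround's log would also grant snmpd_t access to the user_home_dir_t type for the tmsh history file, which is worth knowing before the module is installed.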
ID 418709 The LCD module reports 'Low fan speed', but does not specify which fan component on the unit is low. Uncertainty about which component is failing helps neither the customer nor NSE (for RMA). Workaround: Use the console to determine which fan is low, either by viewing console messages/warnings as they show up, by running 'tmsh show sys hardware', or by viewing the /var/log/ltm file.
ID 418890 When trying to upgrade from version 10.x to version 11.x, SSL keys can fail to roll forward. The roll-forward process does not handle what appears to be an OpenSSL bug (tested through OpenSSL 1.0.1c). This occurs when rolling forward RSA keys from version 10.x to 11.x. Rather than receiving the expected decrypt failure ('unable to load Private Key' with a 'bad decrypt'), approximately 0.3% respond differently, where the return is non-zero and does not contain 'bad decrypt'. In this case, the system considers the key bad even though it is fine. Workaround: There is no workaround.
ID 418967 If two iRules in HTTP_RESPOND events are present with different priorities, and the iRule to run first executes 'HTTP::retry', the second iRule will cause an error to be generated. Workaround: Perform iRules with HTTP::retry with higher priority.
ID 419621 After a blade failover, an existing inbound session may not have the delete event logged when it completes. This occurs with an lsn-pool with NAPT inbound session logging enabled in an HA configuration, after failover. The add event for the inbound session may not have a matching delete event. Workaround: None.
ID 419623 If a command that needs to suspend processing (for example, table, session, after, sideband, and persist) is evaluated within the content of an expr block, tmm cores. This occurs when using the table, session, after, sideband and persist commands inside an expr block within an iRule. Tmm cores. Workaround: Assign result of command to a variable outside the block and operate on that value.
ID 419730 TMM panics with a message like: panic: ../modules/hudproxy/bigproto/bigproto.c:4039: Assertion 'syncookie' failed This occurs while FTP traffic is being processed by the BIG-IP system. The impact is that the BIG-IP system fails over or stops working. Workaround: None.
ID 419733 BIG-IP systems configured with additional non-default management routes via static, OSPF or other protocols may encounter a route_mgmt_entry count error during the operation of the '/usr/bin/config' script. Workaround: Alternative methods exist for configuring the mgmt address and default route via the web-based Configuration Utility, iControl, tmsh, and configuration file load in this release of BIG-IP software. Refer to the BIG-IP documentation for more information on these methods.
ID 419741 TMM will crash and dump core. Core analysis would be necessary to determine if this bug is the cause. Triggering this bug is difficult and seems to require vip-targeting-vip (e.g. use of the 'virtual' command in an iRule) and more than one blade. In rare situations, the TMM will crash. The system will recover automatically. Workaround: This workaround has not been verified, but in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
ID 419946 When slow ramp is turned on for a pool with low-to-no traffic, the first few connections can be sent to lower priority group members (number of connections dependent on the number of TMMs and number of pool members) until a min-up number of poolmembers in the higher priority group have received a connection. This is due to the slow ramp not being removed by time, but instead removed by traffic. This occurs when slow ramp is turned on for a pool with low-to-no traffic. Slow ramp does not auto-disengage after 15 seconds without traffic. Workaround: There is no workaround.
ID 419969 If an FTP virtual server is configured to use a SNAT pool, passive FTP may use different IP addresses from the SNAT pool for the data channel and control channel, resulting in failure to set up the data channel; the FTP command will fail. Additionally, selection of a specific snatpool member in an iRule may be ignored, resulting in round-robin selection of a member from the snatpool. This occurs when passive FTP is used with SNAT; FTP will fail. Workaround: Do not configure SNAT for the FTP virtual server, or configure only one pool member in the SNAT pool if SNAT is really necessary.
ID 420153 When a BWC policy is attached to an FTP virtual server, passive FTP bandwidth is not restricted by the BWC policy. This occurs when you create a BWC policy and attach it to an FTP virtual server. Workaround: Use an iRule or PEM policy to restrict the bandwidth.
ID 420184 A transaction fails when you create a new folder and then create an object in that new folder in a batched set of command-line commands. This occurs when a folder does not yet exist, and you try to create the folder and the object in a batched set of command-line commands. The transaction fails with an error similar to the following: 01070734:3: Configuration error: Invalid mcpd context, folder not found (/AAA). Workaround: To work around this, create a folder before using batch commands to create objects in a folder.
ID 420344 When BFD is configured between the HA pair neighbor and the HA pair units, BFD fails to establish a session because the IS-IS routing module uses floating self IP address for establishing adjacency rather than non-floating self IP address. BFD is used with IS-IS in HA pair configuration. BFD cannot be used with IS-IS in HA pair configuration. Workaround: None.
ID 420360 The files for APM customization might be lost during software upgrade with forwarding configuration or config upgrade using a UCS file. This problem is intermittent. Configuration will fail to load with the error 'no copy in trash bin'. Not all configuration errors that display the 'no copy in trash bin' error are of the kind described here. You can check for this particular error as follows: cd to /config/filestore/files_d/Common_d/ (or another partition directory such as /config/filestore/files_d/MY_PARTITION/ if you have other partitions) and look for these directories: customization_group_d, customization_image_d, and customization_template_d. If these directories are not present, you have run into this problem. Cannot load configuration after upgrade. This problem is intermittent. Workaround: It is always a good idea to store your known good configuration in a UCS tarball. If you run into this problem after upgrade, extract the contents of the UCS tarball into a directory, such as /var/tmp/ucs, by running 'tar zxvf YOUR_CONFIG.ucs'. You must create the missing directories and set their permissions to 777. For example, if the customization_group_d and customization_image_d directories are missing, create them like this:
mkdir /config/filestore/files_d/Common_d/customization_group_d
mkdir /config/filestore/files_d/Common_d/customization_image_d
chmod 777 /config/filestore/files_d/Common_d/customization_group_d
chmod 777 /config/filestore/files_d/Common_d/customization_image_d
If you have other partitions, replace Common_d in the above commands with the name of your partition. Copy files from the tar extract directories to the missing directories:
cp /shared/ucs/var/tmp/filestore_temp/files_d/Common_d/customization_group_d/* /config/filestore/files_d/Common_d/customization_group_d
cp /shared/ucs/var/tmp/filestore_temp/files_d/Common_d/customization_image_d/* /config/filestore/files_d/Common_d/customization_image_d
If you have more than one partition, replace Common_d in the above commands with the name of your partition. Run 'tmsh load sys config' to load the configuration again.
ID 420438 In an NSSA configuration with a DR, BDR and HA pair BIG-IP systems, we see three default routes each from DR, BDR and standby BIG-IP system. The standby BIG-IP system shouldn't send out any default routes. NSSA configuration with a DR, BDR and HA pair BIG-IP systems. Traffic is directed to the standby when it should not. Workaround: None.
ID 420588 The default SIP ingress queue length of 16 causes responses to be dropped under heavy load. At smaller load sizes, this is not an issue. Messages are dropped under heavy load. Workaround: None.
ID 420689 A single configuration file (SCF) as generated by 'save sys config file <name>' does not contain information describing what configuration objects have synchronized between the device and other devices. Loading the SCF will make the system lose track of this information. Workaround: From one device, run 'modify cm device-group <device group name> devices modify { <device name> { set-sync-leader } }'.
ID 420776 Discovering the device in EM causes it to be in an impaired state. This occurs when iRules contain comments with line continuations. EM fails to completely discover the device, causing some of the configuration objects to be not visible in the configuration viewer and not available for deployment. Workaround: Remove the line continuations from the comments in the iRule.
ID 420789 Occasionally, the standby system crashes in a configuration containing a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled. When the crash occurs, the system posts the following assert: tmm failed assertion, non-zero ha_unit required for mirrored flow. This occurs in 11.4.0 on an active-standby setup in which there is an L4 forwarding virtual server configuration with a wildcard IP address and port, with connection mirroring enabled. The standby crashes. Workaround: None.
ID 420810 After increasing the slots to a B4300 deployed vcmp guest from 1 slot to multiple slots, the incoming dataplane traffic will continue to arrive on the original slot and can impact performance due to the need for tmm to redirect the flows to new slots. Workaround: The workaround requires taking the guest down to configured, and then back to deployed.
ID 420848 When 11.x is installed, the root user description is set to 'root' in bigip_base.conf, and it is set to none upon 'tmsh save sys config'. In bigip_user.conf, before reboot:
auth user root {
    description 'root'
After reboot:
auth user root {
    description none
This occurs on upgrade to 11.x from 10.x, followed by running 'tmsh save sys config'. Impact is minimal; only the description changes. Workaround: None.
ID 421092 The maximum number of named variables in an iRule is 4,194,304. This occurs when using iRules. No more than 4,194,304 named variables can exist in an iRule. Workaround: None.
ID 421401 In a parent-child rate-shaping configuration on a VE with one core, the rate-shaping parent class does not appear to enforce the configured ceiling. Example configuration:
tmsh list net rate-shaping
net rate-shaping class extra {
    ceiling 2mbps
    ceiling-percentage 100
    drop-policy policyname
    max-burst 25k
    parent t3-parent
    queue pfifo
    rate 1240kbps
    rate-percentage 62
}
net rate-shaping class ms {
    ceiling 2mbps
    ceiling-percentage 100
    drop-policy policyname
    max-burst 25k
    parent t3-parent
    queue pfifo
    rate 740kbps
    rate-percentage 37
}
net rate-shaping class t3-parent {
    ceiling 2mbps
    drop-policy policyname
    queue pfifo
}
[root@bigip1:Active:Disconnected] config # tmsh list ltm virtual
ltm virtual ms {
    destination 0.0.0.0:microsoft-ds
    ip-protocol tcp
    mask any
    profiles {
        tcp { }
    }
    rate-class ms
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual vs_extra {
    destination 0.0.0.0:rtsp
    ip-protocol tcp
    mask any
    profiles {
        tcp { }
    }
    rate-class extra
    translate-address disabled
    vlans-disabled
}
The parent rate class does not restrict the bandwidth to the configured limit on a VE system. Workaround: None.
ID 421611 SIP messages are sent directly to the peer and not to the SIP proxy when both peers are inside the NAT. CGNAT and SIP-ALG are configured; Peer1 and Peer2 are in the NAT'd network (subscribers); the SIP proxy is located outside the NAT network (internet). Some SIP messages may not be seen by the SIP proxy, causing missed messages and accounting gaps. Workaround: None.
ID 421640 Entries that mention yourtheme.css show up in the httpd error logs. Using the UI for iApps will trigger this condition. Entries show up in httpd_errors referencing yourtheme.css. There is no impact, visual or otherwise, to the UI or the rest of the BIG-IP system. Workaround: None.
ID 421702 BIG-IP publishes the mgmt MAC addresses using offsets of the chassis base MAC address, instead of the MAC addresses from the kernel as ifconfig and dmesg reported. Workaround: None.
ID 421851 When iRules are saved into bigip.conf, the first line is automatically indented with 4 spaces. Usually these spaces are removed when the config is loaded, but when the rule starts with a commented line this does not happen, and every save/load cycle adds another 4 spaces. When a user adds a checksum to the iRule, this causes the load to fail with a checksum verification error. This occurs when both of the following are true: 1. The first line starts with '#' and white space. 2. The iRule has a checksum. Load failure. Workaround: Remove the white space.
ID 421964 When there is one way packet loss on a LACP-enabled link, the packet-loss side BIG-IP system still aggregates the LACP link. LACP trunk does not fully work. Workaround: None.
ID 421965 The TMOS daemon bcm56xxd may restart due to an L2 parity error. The log will look like this:
Dec 5 23:19:49 slot1/ske-vip-82114-03a info bcm56xxd[8127]: 012c0016:6: unit 0 L2_ENTRY_ONLY entry 120673 parity error
Dec 5 23:19:49 slot1/ske-vip-82114-03a info bcm56xxd[8127]: 012c0012:6: Exiting on parity errors.
Dec 5 23:19:49 slot1/ske-vip-82114-03a notice mcpd[7108]: 01070406:5: Removed publication with publisher id BCM56xxPublisher
Dec 5 23:19:50 slot1/ske-vip-82114-03a info bcm56xxd: 012c0013:6: BCM56xxd starting. debug=0, foreground=1, packet=1, bcm_debug=0x7, soc_debug=0x0
This rarely happens and cannot be predicted. bcm56xxd will re-initialize the internal switch. Data traffic may be affected briefly. Workaround: There is no known workaround.
ID 421971 Renewing an existing certificate fails in UI if a user provides Subject Alternative Name (SAN) as input. Provide SAN while renewing certificate. Cannot renew certificate. Workaround: Do not provide SAN information while renewing certificates.
ID 422085 The sysL2Forward stats do not return data even after they have been activated from tmsh: 1) modify sys snmp l2forward-vlan <vlan-name or all> 2) snmpwalk -v 2c -c public localhost 1.3.6.1.4.1.3375.2.1.2.5. You have enabled l2forward-vlan for one or all VLANs using tmsh, for example 'modify sys snmp l2forward-vlan all'. You attempt to access the SNMP stat sysL2ForwardStat, for example via 'snmpwalk -v 2c -c public localhost 1.3.6.1.4.1.3375.2.1.2.5', and it does not show any of the VLAN information you specified using tmsh. Workaround: None.
ID 422471 Unit does not generate SNMP trap when link state changes (e.g. from UP to DOWN). Device is configured to generate SNMP traps. Management agents will not detect link state transitions. Workaround: None
ID 422709 Intermittently, if a secondary blade is being disabled, it may miss the command and stay enabled. Unknown. Secondary blade will still pass traffic as if it is active. It will not be considered inactive for counting of min-up-members. Workaround: As this only happens rarely, you can re-enable the blade and re-disable the blade.
ID 422808 In versions prior to 11.2.0, a disabled port-specific virtual server (10.10.80.80:80) will answer and then reject the connection. In version 11.2.0 and later, the connection to a down port-specific virtual server (10.10.80.80:80) will be answered by the next less specific port; in this test it was a :0 (any port) virtual server. Workaround: None.
ID 423061 Creating or modifying SNMP v3 users using the GUI or tmsh adds passwords in plain text to the /config/net-snmp/snmpd.conf file. You have created or modified an SNMP v3 user using the GUI or with the command 'tmsh modify sys snmp users ...' SNMP v3 user passwords are visible to those with root read access on the BIG-IP system until you run bigstart restart to restart the snmp process. Workaround: Run the command 'bigstart restart snmp' to restart snmp after creating or modifying SNMP v3 users. This results in encrypted passwords in the file.
ID 423287 If the SendWeights messages are received by the SASP monitor prior to completion of registration of all pool members, then the pool member status might not be as reported by the SendWeights message. It is updated correctly on receiving subsequent SendWeight messages. Temporary flapping of pool member status can be seen. Workaround: None.
ID 423304 Objects may display extra parameters that do not belong to the object. When deleting a monitor or profile object and recreating it as a different type with the same name, after syncing, parameters from the former object get appended to the new object. For example:
delete ltm monitor https monitor1
create ltm monitor http monitor1 <...>
'monitor1', now changed to http type, will have parameters from the original https monitor. Bad configuration on the box that is synced to, with no obvious warning signs. Workaround: Make the changes and sync incrementally. For example:
delete ltm monitor https monitor1
<sync>
create ltm monitor http monitor1 <...>
<sync>
ID 423522 When SIP iRule events fire multiple times, they may execute rules which may no longer be present in the running configuration. Configure a virtual server with a SIP profile and an iRule applied via a profile (e.g. a persistence profile). The iRule must handle SIP related events. When the rule is modified, both the old and new versions of the SIP related rules will fire. The rule will not function as anticipated. Impact to traffic will vary. Workaround: Apply the iRule directly, rather than via a profile.
ID 423705 The SIP monitor is intended to retransmit a UDP SIP request if it has not received a response after 0.5s, 1s, 2s, and 4s (after each retransmission, the interval increases). The server does not respond to the request before the interval expires, and the SIP monitor does not retransmit. This could have adverse side effects: the pool member will not change states. Workaround: Restart bigd.
ID 424143 Upon installation of TMOS v11.2.1 HF 5, SNMP configuration in the GUI is not saved. SNMP configuration was saved only in /var/run/snmpd.conf, not in bigip_base.conf. TMOS v11.2.1 HF 5 is installed. The SNMP configuration is actually not lost. Instead, it was saved only to /var/run/snmpd.conf, but not in bigip_base.conf, which causes it not to be shown in the GUI. Workaround: Use tmsh to set up and save SNMP configuration.
ID 424228 If a virtual server is created without an assigned pool (i.e. the pool is assigned in the iRule) and the iRule parks, the iRule may not return from suspension and the packet will be dropped. A virtual server is created, an iRule that parks is assigned, and the virtual server has no assigned default pool. Packets are dropped. Workaround: Either use the CLIENT_ACCEPTED event for UDP data or assign a default pool.
ID 424649 Blades will continually fail over with a large enough translation address space in an lsn-pool in DNAT mode. An example of a translation prefix large enough to cause this problem would be /8, or several translation prefixes summing to a large number of translation addresses. This occurs with an lsn-pool in deterministic mode, assigned to a virtual server, with a /8 prefix (or a similar number of addresses). The system is rendered unusable until DNAT mode is disabled. Workaround: Change to NAPT mode, or use a smaller translation prefix range. There is no other workaround.
ID 424698 When attempting to configure an LTM Policy with a target of 'forward', event of 'request', action of 'select' and parameters of 'clone-pool', 'node', 'member', 'nexthop', or 'rateclass', a message such as the following is logged in /var/log/ltm: err tmm[11363]: 016e0000:3: Could not bind action 'forward select policy=/Common/policy-name rule=rule-name action-id=0 node=/Common/10.1.2.3', reason ERR_NOT_SUPPORTED. Although the configuration appears to successfully save, traffic which matches at or below this rule in the policy malfunctions. These features were not intended to be available yet in the affected releases. This occurs with an LTM Policy with a target of 'forward', event of 'request', action of 'select' and parameters of 'clone-pool', 'node', 'member', 'nexthop', or 'rateclass'. Traffic matched by the policy at the affected rule or a later rule will malfunction. Workaround: To work around forwarding to a node, configure a pool with the desired node IP as a member, and use the pool in the policy in place of the node IP address. To work around other forwarding options, create an iRule which performs the desired logic.
ID 424797 Some parts of the UI become non-functional. Tomcat logs (/var/log/tomcat/catalina.out) will show java.lang.OutOfMemoryError: PermGen space error(s). Other parts of the UI will continue to function, particularly ones that the user has used most recently. The issue has been seen over extended use with LTM, AAM, and AVR all provisioned, and is possible with other combinations. Other BIG-IP functionality is not affected. Workaround: On the command line, as root, run the following command: bigstart restart tomcat
ID 424931 Upon the creation of a large file, such as a UCS archive, csyncd can raise the CPU utilization of a system for an extended period of time. Create a large file in a directory monitored by csyncd (see /etc/csyncd.conf). Increased CPU utilization can lead to system instability. Workaround: None.
ID 425018 Linux host applications may not be able to connect when they are expected to. Create a config with a self IP on a VLAN and a default gateway route on that VLAN, save an SCF file, modify the self IP in that SCF file, and then load the SCF. The Linux kernel default gateway route is dropped and host applications looking for the route may not be able to connect. Workaround: Reset the config to default before loading the modified SCF: 1. tmsh load sys default 2. tmsh load sys scf <SCF_filename>
ID 425124 Tunneled packets inherently carry two flows, one for the external IP header and the other for the internal flow. If the internal flow happens to be handled by a different TMM (using the DAG library), the packets are CMP-forwarded to the correct TMM. Logically, the return packets are supposed to traverse the same two TMMs in reverse order. This appears not to be the case for several tunnel types, such as GRE. This occurs when the BIG-IP system's virtual servers send and receive traffic over wildcard IP tunnels (IPIP, GRE) with multiple TMMs. Performance degradation and service dysfunction. Workaround: Avoid wildcard tunnels, and instantiate tunnels with explicit local and remote addresses.
ID 425347 vCMP guests report 'unknown' as platform type. Customer is unable to remotely determine exactly which platform is being monitored. Workaround: None.
ID 425817 boot_marker entries found in system logs do not accurately reflect the version of the active slot. This occurs when slot names share a common prefix, such as 'HD1.test' and 'HD1.testing'. None. Workaround: None.
ID 425826 notice panic: ../kern/xbuf.c:2273: Assertion 'valid xfrag' failed. It is unclear whether this is an HSB issue or a driver issue. The return buffer is provided by the driver and used by HSB to return the packets. Either the provided buffer is corrupt or HSB somehow corrupts it. This issue is rare and has been seen across several platforms and HSB bitfiles. Rare issue that results in kernel panic. Workaround: This is typically cleared on reboot. The issue might also be cleared with a bitfile upgrade.
ID 425992 If the BIG-IP mgmt interface is connected to a switch port with fixed settings (e.g., 100Mbps full duplex) but with auto-negotiation disabled, the BIG-IP mgmt interface will be set to 100Mbps HALF duplex instead. This occurs when: 1. The remote switch port is configured with fixed media settings (speed, duplex) and auto-negotiation disabled. 2. The management interface on the BIG-IP system is configured with fixed media settings (speed, duplex). Inability to access the BIG-IP system via the mgmt interface. Workaround: 1. Enable auto-negotiation on the remote switch (with only the desired option advertised). 2. Toggle the mgmt interface media setting between 'auto' and '100TX-FD' after the BIG-IP system boots.
ID 426128 If the passphrase for the pkcs12 file being installed is greater than 49 characters in length, installation could fail with the error - 'Key management library returned bad status: -28, Bad password'. This occurs with pkcs12 files with passphrases greater than 49 characters. When this occurs, installation could fail with the error - 'Key management library returned bad status: -28, Bad password'. Workaround: Use passphrases containing fewer than 50 characters for pkcs12 files.
ID 426129 CGNAT translation logs sent to ArcSight HSL destinations will not be in a format that ArcSight can parse. This occurs when LSN pools are configured for a virtual server and a log profile configured to use an ArcSight destination is attached to the LSN pool. CGNAT log messages will not be processed correctly by ArcSight. Workaround: Modify ArcSight for custom parsing, or use a different log server.
ID When you load a UCS, you receive an error similar to the following: 01070313:3: Error reading key PEM file /config/filestore/.stage_d/1_d/Common_d/certificate_key_d/:Common:mykey.key_1 for profile /Common/myssl: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch. This occurs on any platform using SSL, 11.0.0 and later. When this occurs, configuration load completely fails. Workaround: If you have not upgraded the BIG-IP system, you can prevent this issue by ensuring the BIG-IP system has SSL certificates/keys residing only in the /config/ssl/ssl.crt or /config/ssl/ssl.key directories and removing any existing copies residing in other directories. If you have encountered this issue, you can modify the UCS archive by removing the incorrect SSL certificates/keys and restoring the UCS archive. For more information, see SOL13534: The BIG-IP system may erroneously import the incorrect SSL certificates or keys to the filestore, available here: http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13534.html.
ID 426569 BIG-IP uses a message-based framework internally. Timed events and session responses did not properly respect the boundaries of the framework and could cause connection data to become corrupted or freed too early, leading to difficult-to-diagnose crashes. Workaround: None.
ID 426803 B2100 or B2150 blades include locking levers for securing the blade into a blade chassis (i.e. C2400). These levers should be open during blade chassis insertion. As the blade is pushed the final distance in the chassis the blade locking levers will close securing the blade in the chassis. It has been discovered that if the locking levers are closed before blade chassis insertion that the blade will power on even though the blade is not fully mounted in the chassis. Even though the blade is powered on, the blade will not properly function in the chassis. This problem only exists if the user inserts a B2100 or B2150 blade into a chassis with the blade locking levers closed. Blades inserted with the locking levers closed do not mount properly with chassis connectors inhibiting proper operation. The blades will however power on. Workaround: Make sure the locking levers are open prior to blade insertion as described in the product guide.
ID 427260 Running 'tmsh show sys pptp' shows the identical flow with different stats incremented. This occurs with CGNAT and PPTP-ALG with the default DAG. The impact is cosmetic but may be confusing. Workaround: Grep and aggregate the stats for a unified view.
ID 427479 The SOAP monitor only verifies top-level content. For example:
<body> <tag1>top level content</tag1> </body>
It does not check nested content, for example:
<body> <outer><inner>nested content</inner></outer> </body>
Workaround: Use an HTTP monitor with an iRule on the pool member.
ID 427580 When a PSU is absent from the system, LCD warning does not display module number. When the condition is detected, the ltm contains a log with all the information about which module is reporting the alert. PSU is absent. None. Workaround: Use the ltm logs for troubleshooting.
ID 427791 In some cases, the IKE agent (v1) negotiates multiple Security Associations (SAs) for the same tunnel. Some of the third-party IPsec vendors delete redundant SAs and keep only one pair of working (MATURE) SAs. If the remote IKE agent does not send a DELETE payload to the BIG-IP system, the BIG-IP system ends up with a pair of invalid SAs. Furthermore, during (lifetime) rekey, when one of the valid SAs goes away due to a BIG-IP system implementation bug and the new SA has not yet been negotiated, the BIG-IP system might try to use the invalid SA, which causes the traffic to stop. This occurs on IPsec rekey while interoperating with some third-party IPsec vendors. Traffic becomes stale (from seconds to minutes) until all the invalid SAs have expired. Workaround: When this happens, users can manually delete an SA using the 'tmsh delete net ipsec ipsec-sa ' command to remove the invalid SAs.
ID 427832 On platforms with software-only syncookies, when a tcp virtual server is under SYN and ACK attacks, and is also under regular traffic loads, some regular connections were dropped. This occurs only on platforms with software-only syncookies, on a tcp virtual server that is under SYN and ACK attacks. Small amount of valid traffic may be dropped when under SYN/ACK attacks. Workaround: Use fastl4 profile, or tcp profile with RFC1323 turned off.
ID 427924 When inserting a new blade in a VIPRION C2400 chassis with the UDP or TCP hash set to 'ipport', the new blade uses the 'port' hash instead. Rebooting the blade or restarting bcm56xxd & tmm causes the correct DAG (Disaggregator) hash to be used. This occurs when the UDP or TCP hash algorithm has been changed from the default (e.g. changed from 'port' to 'ipport'), UDP or TCP virtual servers are configured, and a new blade is inserted into the chassis that includes an external interface on which traffic will arrive. Prevents adequate distribution of traffic within a chassis, which may disrupt traffic flows or reduce the traffic throughput of the BIG-IP system. Workaround: Reboot the new blade after it has been configured, or issue the 'bigstart restart' command (to restart the bcm56xxd & tmm modules and program the DAG with the correct hash type).
ID 428071 When you install the required BIG-IQ components on BIG-IP devices running on a VIPRION with more than one blade, the components load only on the primary blade. VIPRION chassis with 2 or more blades. VIPRIONs require manual workaround to be managed by a BIG-IQ. Workaround: To install the required components on the remaining blades, for each blade, run the update_bigip.sh script then disable the blade through TMUI. After you run the script on all blades, re-enable them through TMUI.
ID 428072 If an iRule refers to a pool by the full /folder/pool name, the virtual server status does not reflect the pool's status. While traffic can still be served to the pool member despite the virtual server status, for changes at the virtual server level (for example, route health injection), the system needs a reliable virtual server health status. Workaround: None.
ID 428284 In a multi-blade cluster, when a cluster primary is determined, it tries to upgrade the chassis annunciator firmware if a newer version is available. If the primary also needs to reboot to another volume, due to a user request either as part of an earlier install command or a reboot command in tmsh, it interrupts the chassis firmware update, putting the chassis annunciator in boot loader mode, which in turn causes TMOS startup failures after reboot because the system needs the annunciator to access the critical data on the chassis PROMISE. This occurs when upgrading the chassis annunciator on the cluster primary of a multi-blade chassis. When this occurs, TMOS startup fails after reboot. Workaround: To work around this, use the bladectl utility to manually update the chassis annunciator firmware.
ID 428752 After a shutdown, halt or reboot is initiated, the system console may display this message: 011d0002: Can not access the database because mcpd is not running. The ltm log file will show the same database warning along with a date and system entry: Aug 23 14:31:02 BIG-IP.web1 warning diskmonitor: 011d0002: Can not access the database because mcpd is not running. This occurs when the system is shutting down, halting or rebooting. The diskmonitor script will automatically run when the system is next booted and detect disk space issues at that time. Workaround: The warning is innocuous on shutdown and may be ignored.
ID 428864 A virtual server connection limit is not effective when the value is lowered while the virtual server is under traffic load. The virtual server has a connection limit set and is processing traffic; the connection limit is lowered; the change does not take effect. The new virtual server configuration does not limit the number of connections. Workaround: Change the virtual server connection limit configuration when there is no traffic.
ID 428976 If a self IP is configured for advertisement in OSPF and is moved to a different VLAN, the LSA may be removed from the database and not readded. OSPF enabled, self IP moved between VLANs. Missing prefix from OSPF. Workaround: Remove and readd connected route redistribution, delete and readd the self IP, or clear the OSPF process ('clear ip ospf process' in imish).
ID 429011 For switch based platforms, the bcm56xxd daemon monitors the active/standby state using the failover.bigipunitmask DB variable and if this indicates a transition from Active to Standby, it downs external links and starts a timer for re-enabling the links after a customer-specified delay as per the failover.standby.linkdowntime DB variable. This support is not yet available on the 2000s, 2200s, 4000s, and 4200v platforms. 2000s, 2200s, 4000s, and 4200v platforms. No support for external link down time on network failover. Workaround: None.
ID 429075 Unable to use the WMI monitor to monitor a pool of IIS servers. A Windows Server running IIS on a virtual machine with the F5.IsHandler.dll installed. Unable to use the WMI monitor to monitor a pool of IIS servers. Workaround: None.
ID 429096 Various tools, including the Dashboard, display an SSL TPS limit provided in the base license, ignoring any additional licensing modules that might increase the TPS limit. This occurs when the system is using licensing modules that increase base SSL TPS. An incorrect SSL TPS limit is reported. Workaround: None. This a display issue only. The correct SSL TPS limit is actually used.
ID 429365 FTP data connections do not honor LSN pool translation port ranges. This affects all FTP data connections in all LSN modes (NAPT and DNAT). The BIG-IP system chooses any valid ephemeral port instead of the range specified in the LSN pool. It is not possible to trace which subscriber initiated a data connection using LSN logs. Workaround: None.
ID 429368 SIP RTP/RTCP connections do not honor LSN pool translation port ranges. This affects all SIP RTP/RTCP connections in all LSN modes (NAPT and DNAT). The BIG-IP system chooses any valid ephemeral port instead of the range specified in the LSN pool. It is not possible to trace which subscriber initiated an RTP/RTCP connection using LSN logs. Workaround: There is no workaround for this issue.
ID 429613 TACACS+ accounting packets are only sent to the authentication server. Workaround: There is no workaround for this issue.
ID 429810 2000/4000 platforms can end up in indeterminate ARL/FDB state under certain conditions. This occurs when one of these platforms is subjected to a stream of frames arriving from one MAC address on two different ports on a VLAN simultaneously. The result is an indeterminate ARL/FDB state. Workaround: There is no workaround.
ID 430265 If an iRule runs a periodic after{} command containing a sideband connection that is closed in a different event, a core may occur if the flow is aborted, because the periodic after command was not alerted that the flow is gone. This occurs when using a periodic after { ... sideband connection ... } with the opening and closing of the sideband in different events from the after command. TMM cores. Workaround: Let the completion of the iRule close the sideband connection.
ID 430354 When an alarm light is present on the primary blade and the USB LCD dongle is then attached all of the blades go from green/Pri or green/sec to amber status and alarm light is erased. A few moments later once the LCD screen is up the blades go back to their original green pri/sec assignment but the alarm light never returns. Although the alarm message is present on the LCD after it comes up the alarm light should stay on until the alarm has been cleared. Inserting or removing USB LCD module. The alarm message is present on the LCD after it comes up. Workaround: To work around this, run system_check manually.
ID 430797 Pages that are browsed to by an HTTP POST (namely changing the Statistics Type under any of the stats pages) are not normally cached by the browser. So if you hit the browser back button to a page that was received via a POST, Firefox will display a Document Expired page. Click the browser back button in Firefox to a page that was received by an HTTP POST. The browser displays a Document Expired error page to the user. Workaround: Click the 'Try Again' button on the Document Expired page. This will force Firefox to cache the page.
ID 430912 FTP traffic may fail to pass intermittently. This issue presents in vCMP guests running BIG-IP versions prior to 11.4.1 when the guest is configured to have multiple blades with a single CPU core. FTP traffic may fail to pass intermittently. Workaround: None.
ID 431239 RTSP established media connections choose ports that are not consistent with the CGNAT configuration. This occurs with an RTSP ALG profile on a virtual server using any LSN pool. The system may use ports outside the LSN pool range, and Deterministic NAT configurations get incorrect results or no results when reverse-mapping an RTP media flow. Workaround: There is no workaround.
ID 431283 The binary command does not check whether the offset argument moves beyond the internal buffer boundary, which may core tmm. For example: binary scan [TCP::payload] @${offset_num}c var1. If 'offset_num' is larger than the payload buffer length, tmm may core. Workaround: Check the payload length and compare it with the offset argument before using the command.
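One way to apply the bounds check the workaround calls for, written as an added iRule example rather than code from the release note. The protocol framing (a 2-byte big-endian offset at the start of the payload) is assumed for illustration only.

```tcl
when CLIENT_DATA {
    # Constructed example: the first two payload bytes are assumed to carry a
    # big-endian offset into the rest of the payload (a hypothetical protocol).
    set payload_len [TCP::payload length]

    # The 2-byte header must be present before the offset can be read at all.
    if { $payload_len < 2 } {
        TCP::collect
        return
    }
    binary scan [TCP::payload 2] S offset_num
    # 'S' yields a signed 16-bit value; normalise to an unsigned offset.
    set offset_num [expr { $offset_num & 0xffff }]

    # The check from the workaround: @offset positions the cursor and the
    # following 'c' reads one byte, so the offset must be inside the buffer.
    if { $offset_num >= $payload_len } {
        log local0.warn "offset $offset_num outside $payload_len-byte payload; rejecting"
        reject
        return
    }

    # Safe to scan now: the offset is known to lie within the collected payload.
    binary scan [TCP::payload] @${offset_num}c var1
    log local0.info "byte at offset $offset_num is [expr { $var1 & 0xff }]"
    TCP::release
}
```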
ID 431936 The SASP monitor does not mark pool members down when the GWM server cannot be reached. The GWM server does not send a RST packet to terminate its connection to the SASP monitor in case of a network failure. The pool members are not marked down for a SASP monitor in case of a GWM/network failure. They are marked down when the TCP connection to the GWM terminates on a connection timeout which was observed around 10 minutes. Workaround: Use the icmp monitor in conjunction with the SASP monitor. The icmp monitor should use the GWM server as its destination. This monitor should be associated with each of the nodes that are present in the pool using the SASP monitor. The pool members will be marked down when the GWM server cannot be reached.
ID 431985 Monitor instance is not re-enabled by an incremental sync. If you set a monitor to be disabled and then perform a sync, when you later set the monitor to enabled, a subsequent incremental sync does not update the monitor status to enabled. This occurs after disabling a monitor, syncing a configuration, enabling the monitor, and incrementally syncing the configuration. The effect is that the monitor status does not update. Workaround: You can work around this by forcing a full load sync from the active device. Either use 'Overwrite Configuration' on the Device Management Overview page, or the tmsh command 'modify cm device-group <device group name> devices modify { <current device name> { set-sync-leader } }'.
ID 432407 The GUI becomes inaccessible after the system logs become large and the user navigates to log lists under System :: Logs. This event is most likely to occur when the logging options are configured to show the most output. For example: Enabled, Verbose, Debug. The issue is most easily seen when the system has been configured with Audit logging enabled, particularly MCP, it sends numerous messages to the var/log/audit log. This causes the log to become large, which after time might render the GUI inaccessible. When logs become large, the GUI might become inaccessible if the user attempts to view the log files through the GUI. Workaround: Configure logging options to show only the most severe output: Emergency, Error, etc. (available under the System :: Logs). If the system is already in this unresponsive state, issue the command 'bigstart restart tomcat'.
ID 432939 The saspd monitor's memory usage increases continuously. Depending on how many monitors are configured, it may increase at a rate of 18M per day and may over time lead to memory exhaustion and a reboot. This occurs when SASP monitors are configured and operational. Memory usage continuously increases and may eventually lead to an automatic reboot of the BIG-IP system when all memory is used. Workaround: None, except disabling the SASP monitor.
ID 433223 "On a VIPRION B4300 blade or BIG-IP 10000-series appliance, messages similar to the following may be logged in the LTM log every 2 seconds: info bcm56xxd[25425]: 012c0016:6: _soc_xgs3_mem_dma: ING_SERVICE_COUNTER_TABLE_Y.ipipe0 failed(NAK) info bcm56xxd[7610]: 012c0016:6: _soc_xgs3_mem_dma: EGR_VINTF_COUNTER_TABLE_Y.epipe0 failed(NAK) info bcm56xxd[11548]: 012c0016:6: _soc_xgs3_mem_dma: EGR_SERVICE_COUNTER_TABLE_X.epipe0 failed(NAK) Similar errors also appear in the bcm56xxd log file." This error is logged if an internal parity error is reported by the Broadcom switch chip when stats are read from the chip by BIG-IP. Since these errors are reported for the interface that is used to retrieve stats from the Broadcom switch chip, they are not expected to impact the packet path/traffic passing. Workaround: "To stop logging of these errors and clear the internal parity error from the Broadcom switch chip, perform one of the following actions: 1. Restart the bcm56xxd daemon: bigstart restart bcm56xxd 2. Reboot the affected blade or appliance."
ID 433323 When a client request contains no-cache directive, ramcache excludes the request from caching and passes the request through. Because caching is disabled, the resource is not invalidated and the response is not cached. The expectation is the action should cause revalidation of the resource. Configure a virtual server with HTTP caching. Failure to invalidate resource. Increased load on origin server. Workaround: None.
ID 433466 When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1). Disabling bundled interfaces affects first member of associated unbundled interfaces. Traffic unable to pass due to ports 'Down' status. Workaround: Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). Same for the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.
ID 433572 DTLS handshake does not work. This occurs with the rfcdtls cipher on the vic2 platform. Workaround: None.
ID 433897 If a datagroup contains entries that are longer than the maximum length allowed by a TCL object, the datagroup will fail to load the element without warning. Tmm may core if this non-loaded element is referenced. Incorrect datagroup, possible core Workaround: Individual datagroup entries should be less than 65k in length.
ID 434468 In 11.5, htsplit mode is enabled by default. htsplit applies only to platforms/blades whose CPUs have hyper-threading, and it halves the number of TMMs. After an upgrade from 11.4 to 11.5, a customer may therefore see DoS attacks reported at normal traffic rates. Example: a customer has a Treadstone running 11.4 with 12 TMMs and configured DoS thresholds accordingly; after upgrading to 11.5, the Treadstone has 6 TMMs because of htsplit mode. This occurs when the platform/blade CPU has hyper-threading and the sys db variable scheduler.splitplanes.ltm is 'true'. Customers may see false-alarm DoS attacks at normal traffic rates. Workaround: Double the thresholds for AFM DoS vectors.
ID 434517 If an HTTP_RESPONSE event fires because the server sends an early response (that is, a response before the entire request has been sent), HTTP::retry does not work correctly. The client begins sending a request, the server responds before that request is completely sent, and HTTP::retry is called in the HTTP_RESPONSE event. Typically, early server responses are error conditions, and retrying the request might make sense, but this issue prevents it. Workaround: HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.
ID 434573 "While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name. For example, the 'tmsh show sys hardware' command may display a Platform ID like the following: Platform Name D113 instead of the official platform marketing name, such as: Platform Name BIG-IP 10000F" This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release. Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID. Workaround: Update platform-identification scripts to include the relevant platform IDs among the recognized match values.
ID 435332 If there are users defined on a version 10.2.1 BIG-IP system with the administrator or resource-admin role, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x. Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common } The upgrade or UCS load fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit bigip_sys.conf so that the role line reads as follows: ... role administrator in [All] }
ID 435022 The tmm process crashes when an ICMP event encounters a UDP client connflow before first real packet. This occurs when an ICMP event encounters a UDP client connflow before first real packet. The tmm process crashes. Workaround: None.
ID 435385 Unable to access the GUI. This occurs with frequent add/delete of vCMP guests. TMUI becomes unresponsive. Workaround: To work around this, run the command bigstart restart.
ID 435482 UCS containing filenames with spaces cannot be rolled forward. In versions prior to 11.4.0, the UCS does not save files containing spaces in the names. That means that any files that had spaces in the name would not be written to the UCS file and the UCS save would appear to succeed. When a UCS file which was saved in this manner is subsequently applied to 11.4.0 or greater, the configuration load will fail because the referenced file(s) (with spaces in their names) are not present in the UCS. 1. The UCS being applied was saved in a release prior to 11.4.0. 2. The configuration contained config objects with spaces in their names. 3. The UCS is being applied to 11.4.0 or greater. After upgrading into the newer release, the initial config load will fail. Alternatively, manually loading any UCS saved in this manner will result in a similar configuration load failure. Workaround: Boot back to the previous version and rename all the files in question so they don't have spaces in their names. Save the UCS again, and upgrade.
ID 435488 Cannot configure a route domain for the CMI device unicast-address. This occurs when trying to configure a non-default route domain for the CMI device unicast-address, which is not a supported configuration. Low impact. Workaround: Do not configure a route domain for the CMI device unicast-address.
ID 435494 DTLS handshake may fail when UDP messages are distributed round-robin among TMMs. This occurs with a DTLS configuration and Round Robin DAG enabled for DTLS UDP packets. The DTLS handshake could fail. Workaround: Disable Round Robin DAG for DTLS packets.
ID 435646 The lsn-pool inbound setting does not work when the pool is not associated with a virtual server. This occurs when an lsn-pool with inbound or hairpinning enabled is not associated with a virtual server but is assigned by an iRule. Inbound and hairpinning are not enabled for subscribers using that lsn-pool when it is assigned via an iRule. Workaround: Create a virtual server for each lsn-pool.
ID 435670 The configuration item specified in a value_list (part of the file object feature) gives an error during a load that the item is not found. The configuration item was removed from the running config, but exists inside a saved config. The chosen configuration file does not load. Workaround: None.
ID 435814 CGNAT connections for a single client might exceed connection limits. This occurs when the persistence-timeout value is fewer than 30 seconds on lsn-pools with connection limits. Connection limits are not enforced. Workaround: Set the persistence timeout to a value greater than 30 seconds.
ID 435946 "TMSH incorrectly allows a user to configure two mutually exclusive failover methods, namely auto failback and HA group, concurrently without warning. In this case, the HA group method will be used." Using TMSH to configure failover and selecting these two methods. HA group method takes the place of auto failback, which may be unexpected if the user does not know about this issue. Workaround: Use the web interface instead. It prevents invalid selections.
ID 436674 After the SNMP agent (snmpd) is restarted, the SNMPv3 trap messages generated by the BIG-IP system may contain incorrect msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values. After that, the msgAuthoritativeEngineBoots value is also out of sync with the engineBoots value in /config/net-snmp/snmpd.conf. To reproduce, configure an SNMPv3 trap destination on the BIG-IP system and observe the msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values in the generated trap messages, then restart the SNMP agent (e.g., 'tmsh restart sys service snmpd') and observe these values again in the subsequent SNMPv3 trap messages. Some SNMP monitoring servers (e.g., SpectroSERVER) can lose the ability to poll the BIG-IP system: when the BIG-IP system sends out the incorrect values, the monitoring server treats the information as spoofed and loses the ability to poll the BIG-IP system until manual intervention. Workaround: None.
ID 436678 Any imported certificate with an expiration date more than 29 years in the future shows an incorrect expiration date. This occurs when importing certificates that have an expiration date past 29 years. After import, the certificate shows the incorrect expiration date. Workaround: There is no workaround.
ID 436825 Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. "All of these conditions must be true: - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1. Upgrading to 11.0 or 11.1 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0. - It has a partition that has its default route domain set to a nonzero route domain - That partition contains nodes with no route domain set (so the default is used) - That partition contains other nodes in route domain 0" Those objects may no longer be addressable or able to connect. Workaround: "Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane."
ID 437430 Enabling ISO 8601 timestamps in syslog breaks alertd message parsing, inhibiting system alerts. This includes LCD panel messages, alarm LEDs, SNMP traps and alert emails. modify sys syslog iso-date enable No system alerts are generated. Workaround: modify sys syslog iso-date disable
ID 437586 Some Broadcom chipsets advertise support for reading/writing the VPD (Vital Product Data) but do not really support it. When lspci -vv (or -vvv) is run and sees the claimed capability, it tries to read the VPD from a sysfs file, but the read times out with the following message in the dmesg output: linux-kernel-bde 0000:12:00.0: vpd r/w failed. This is likely a firmware bug on this device. Contact the card vendor for a firmware update. This is indeed a firmware (or chipset) bug. It only happens when lspci -vv or -vvv is run on systems with the affected Broadcom chipsets. The impact is cosmetic, other than the time it takes for the PCI subsystem to time out when it tries to read the VPD from the Broadcom chipset. Workaround: Ignore this output in dmesg or in kern.log.
ID 437627 TMM may crash if a virtual server with a FastL4 profile receives a fragmented packet. This occurs when a FastL4 virtual server is configured and incoming packets are fragmented. tmm crashes. Workaround: In the FastL4 profile, enable the option 'Reassemble IP Fragments'.
ID 437768 Do not use 'bigip1' as a device name. BIG-IP uses it as the factory default device name. Workaround: None.
ID 437773 Some of the Link Aggregation Control Protocol (LACP) trunk members are missing after rebooting the primary blade. This occurs on VIPRION chassis configured for LACP after rebooting the primary blade. Some LACP trunk members are missing. Workaround: There is no workaround.
ID 438048 tmm cores when an iRule on the client side issues TCP::notify. This requires an iRule that runs TCP::notify on the client side while the server side (peer connflow) of that client-side flow does not exist and is NULL. tmm cores. Workaround: None.
ID 438177 RSA key/cert pair must be configured as a default in clientssl profile even for only DSA/ECDSA ciphers. If ciphers only contain DSA/ECDSA ciphers. The connection cannot be built up if no RSA key/cert is configured on clientssl profile. Workaround: The clientssl profile must have RSA key/cert configured.
ID 438504 "Running show sys route-domain displays extra information. The command should display firewall stats, not VLAN's stat." This occurs when the system has a VLAN defined. The command does not return information from route-domain. Workaround: There is no workaround, but this has no effect on BIG-IP system functionality.
ID 438558 TMM cores on listener lookup. The conditions are not yet known. Loss of traffic. Workaround: None.
ID 438666 iControl/REST relies on automatic parsing of tmsh output in order to reply to requests. The structure of 'show sys raid array' does not conform to the standard and, thus, the array-members are dropped and not returned in the output. This happens for any 'stats' query on a BIG-IP that has RAID. Clients will not be able to get array-members via iControl/REST. Workaround: Use tmsh or other UI (iControl/SOAP).
ID 438674 The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations. When a log filter includes tamd, the tamd process may start to leak descriptors. Configure log filter which includes tamd. Client authentication may fail. Workaround: Do not define log filters which include tamd (tamd is included in 'all').
ID 438792 If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). If persistence records are examined, you will find multiple, conflicting entries in this case. Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up Inconsistent persistence behavior, conflicting persistence entries Workaround: "Add an iRule command to the PERSIST_DOWN event which deletes the persistence entry for this connection. One example might be: when PERSIST_DOWN { persist delete source_addr [IP::client_addr] }"
ID 439054 Running 'qkview' from the Primary blade on a chassis based system with more than one blade installed does not produce Secondary blades files. This occurs on chassis based systems with more than 1 blade installed. No secondary blade files are produced. Workaround: Run 'qkview' on each blade.
ID 439119 'tmsh run sys crypto check-cert' is not reliable for checking the validity of certificate bundles. This command cannot be used to determine whether certificates have expired. Workaround: None.
ID 439343 When LDAP Client Certificate SSL Authentication is configured to bind to the LDAP server with a password, the bind fails due to an incorrect password. "LDAP client certificate SSL authentication enabled LDAP server requires password to bind" Client certificates cannot be authenticated Workaround: None.
ID 439363 "Mcpd will fail to load with an error similar to: 0107141f:3: The maximum allowable length of 255 for a full path has been exceeded. The object name was auto-generated-policy-name), the truncated folder path was /somefolder/truncated-auto-generated-policy-name). Unexpected Error: Loading configuration process failed." Virtual servers containing many attached HTTP Class profiles or virtual servers containing HTTP Class profiles with long names. Upgrades and UCS restores will fail. Workaround: Shorten the names of the HTTP Class profiles before upgrade.
ID 439490 The BIG-IP system does not reconnect to SafeNet HSM if the connection is interrupted. That means that SSL connections that utilize a key stored on the network HSM fail. This occurs when the BIG-IP system is configured to use a SafeNet network HSM and the connection between the BIG-IP system and the network HSM is interrupted. When this occurs, the system experiences traffic interruptions for SSL connections that utilize a key stored on the network HSM until manual corrective action is taken. Workaround: To work around this issue, restart the pkcs11d process using the command 'tmsh restart sys service pkcs11d'.
ID 439507 qkview may take a very long time (up to 20 minutes or more) if there are thousands of tunnels or virtual IPs created. This occurs when more than 500 virtual network interfaces have been created. qkviews are slow to generate. Workaround: Wait for qkview to finish, up to 30 minutes.
ID 439540 SSL connections or DNSSEC operations that utilize a key stored on the network HSM may fail. "All of these: The BIG-IP is configured to use a network HSM. The BIG-IP connects to the network HSM using a SelfIP address. The BIG-IP is rebooted or all of the BIG-IP services are restarted." Traffic interruptions for SSL connections or DNSSEC operations that utilize a key stored on the network HSM until manual corrective action is taken. Workaround: Restart the pkcs11d process. The command is 'tmsh restart sys service pkcs11d'.
ID 439628 Updating the Dynamic Ratio of a node or pool member using TMSH or iControl, instead of a built-in dynamic ratio monitor such as SNMP, results in a configuration-sync-needed status, or an automatic sync if auto sync is enabled. Conditions: multiple devices in a device group; the dynamic ratio is updated via TMSH or iControl; for automatic sync, auto sync is enabled on the sync-failover group. The sync status may unexpectedly transition to 'Changes Pending'. If automatic sync is enabled, the device group performs a ConfigSync immediately. If automatic sync is enabled and the dynamic ratio is updated frequently (such as by an external monitor or an iControl script), the following additional impacts may occur: an administrator's pending configuration changes may unexpectedly roll back on a receiving device, and a sync conflict may occur. Workaround: The following 'guishell' command syntax can be used to update the dynamic ratio as an alternative to TMSH (the outer quotes must be double quotes so that the single-quoted SQL string literals are passed through intact): guishell -c "update pool_member set dynamic_ratio=<number> where pool_name='/<path>/<pool_name>' and node_name='/<path>/<node_name>' and port='<port#>'" The node name is the full folder path to the object name, which may be the node address with the pool folder prepended. In external monitor scripts, the node name is available in the NODE_NAME environment variable. Example: guishell -c "update pool_member set dynamic_ratio=123 where pool_name='/Common/SMTP_Servers' and node_name='/Common/10.50.5.251' and port='25'"
ID 440210 When configuring DUTs with NetHSM as an HA pair, the NetHSM vendor config does not sync between the peers. Workaround: Manually add the configuration on each peer during installation.
ID 440215 When setting the Ethernet ports on BIG-IP 5000 and 7000 series platforms to half duplex and then pinging, the Activity LED blinks Green instead of Amber. This occurs because half-duplex operation is not supported at any speeds. This occurs when setting half-duplex on Ethernet ports on BIG-IP 5000 and 7000 series platforms. Operating in half-duplex may hang a port. Workaround: There is no workaround. User must operate in full-duplex modes. This is as designed.
ID 440346 If devices are in a failover device group, and this group contains a pool with multiple health monitors enabled, then using the 'Overwrite Configuration' option may cause some monitors to be removed from the pool. Workaround: None.
ID 440365 At upgrade or UCS installation time, one or more files that share the same name may not be copied to a staging location, eventually leading to an error message at configuration load time of the form 'File object by name (<file>) is missing.' On a 10.x system, files of different types (e.g., certificates, keys, external monitors) that are to be upgraded to file objects on an 11.x system may have identical filenames even though they reside in different directories on the BIG-IP system. For instance, a certificate located in /config/ssl/ssl.crt/example and a key in /config/ssl/ssl.key/example on a 10.x system that is to be upgraded could cause this condition. The error appears at first boot of a newly upgraded partition, or at UCS load time. Workaround: Rename the duplicate-named files, and update any references to them in the configuration, before upgrading.
ID 440425 SOCKS and HTTP Explicit Proxy profiles require a DNS Resolver. You must create the resolver before configuring the profile. You can create the resolver by navigating to Network :: DNS Resolvers in the GUI. Once the resolver is created, it appears in the list of DNS Resolvers when configuring the SOCKS or HTTP Explicit Proxy profiles. This is new functionality in version 11.5.0. If you do not create and specify a DNS Resolver, SOCKS and HTTP Explicit Proxy profiles do not work. You must create the resolver before attempting to create the SOCKS or Explicit Proxy profiles.
ID 440526 When collecting support information, mcpd logs an error message about providers for static and dynamic routes. This is benign, and all routes should be present in the output file. This always happens with 11.5 code. Cosmetic. Workaround: None.
ID 440854 If the HA mirroring connection resets (tmctl ha_stat, in any of the columns expires, aborts, or overflows), then any flow-close messages in the failed batch will be lost. The flows will age out normally in the standby unit. Resets in the HA mirroring channel (tmctl ha_stat, any non-zero numbers in expires, aborts, or overflows). Possibly higher memory usage on standby. Workaround: None. However, high resets on the mirroring connection indicate that failover is unlikely to work properly, and should be corrected first.
ID 440959 "Symptoms: - within the threshold of configured timeout and retry, in the event of an ICMP unreachable, the monitor marks the weight to the default (1)." Configure a pool_member with SNMP_DCA monitor. Delay the SNMP server's response. Delayed SNMP responses are rejected by the monitor. Workaround: "The only workaround is to write an external monitor script, using the snmpget utility. For example: ------------ # values provided by bigd node_ip=`echo $1 | sed 's/::ffff://'` # example: use snmp get command=$(snmpget -v 2c -c private '$node_ip' -r 3 -t 5 .1.3.6.1.4.1.2021.4.5.0 .1.3.6.1.4.1.2021.4.6.0 .1.3.6.1.4.1.2021.11.50.0 .1.3.6.1.4.1.2021.11.51.0 .1.3.6.1.4.1.2021.11.52.0 .1.3.6.1.4.1.2021.11.53.0 .1.3.6.1.4.1.2021.9.1.2 .1.3.6.1.4.1.2021.9.1.9) To configure an external monitor: --------------------------------- tmsh create sys file external-monitor my_snmp_exec source-path file:/config/monitors/my_snmp2.sh tmsh create ltm monitor external my_snmp run my_snmp_exec tmsh create ltm node nodeA address 1.1.1.1 monitor my_snmp"
ID 441013 When you change the root password in single-user mode, the system reports the following error:
error: unable to obtain slot from LOP : send to lopd failed [lopd addr:/var/run/lopdsvr] [client
The root password change succeeds, but the new password is not synchronized to the LOP because lopd is not running in single-user mode. Conditions: changing the root password in single-user mode. Impact: the root password is not synchronized to the LOP, so logging in to the LOP with the new password may fail. Workaround: Change the password again in multi-user mode.
ID 441027 Some SELinux warnings are normal in this release and have no impact on the system. Workaround: None.
ID 441146 Flooding on forwarding ports is delayed because the HSB does not send flush requests for blocked-port L2 entries. TMM currently acts on L2 flush requests only for MCP delete operations and should act on the other flush requests as well. Workaround: None.
ID 441174 A fragmented UDP packet is dropped if its destination port is listed in the sys db variable dag.roundrobin.udp.portlist and its VLAN has dag-round-robin enabled. Workaround: Either remove the destination port from dag.roundrobin.udp.portlist or disable dag-round-robin on the VLAN.
ID 441400 When a single disk drive in a RAID array is physically removed from a running system, the following errors are logged every 5 seconds until the system is rebooted:
statsd[13166]: 011b0203:3: Error 'No such file or directory' opening file /sys/block/sda/stat err
statsd[13166]: 011b0900:3: TMSTAT error max disk stat: read failed.
Conditions: systems supporting RAID configurations. Impact: repeated log messages every 5 seconds. Workaround: None.
ID 441462 During installation, you might see the following message: error: tm_install::Device::Device_get_ext2_info -- get free_blocks for /dev/vg-db-sda/dat.swapvol.1 failed. The error is reported during installation on many platforms, relates to the swap volume, and is written to /var/log/liveinstall.log. Workaround: None needed. Analysis indicates that the message does not indicate any real failure or warning.
ID 441482 Although tmsh offers a provision command for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running it fails because SWG is not supported on those platforms. This applies to certain BIG-IP appliances with less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated (see the Platform Guide for your platform for memory information). Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.' Workaround: Provision APM plus SWG only on platforms with 8 GB of memory or more. To use APM and SWG together on a platform with exactly 8 GB of memory, set LTM provisioning to None (clear the Local Traffic (LTM) check box on the Resource Provisioning screen, if applicable). To fully support the LTM-APM-SWG combination, reserve at least 12 GB of memory for VE instances, or at least 16 GB for vCMP guests on BIG-IP or VIPRION platforms.
ID 441792 A virtual server with more than one L7 profile applied, for example both an HTTP profile and a FIX profile, does not pass FIX traffic. Workaround: Remove the extraneous L7 profiles.
ID 441888 Hardware SYN cookies are not supported on non-HSB platforms such as the BIG-IP 4200 and 2200, but both tmsh and the GUI still offer the option. Enabling it has no effect on unsupported platforms: the system detects internally whether the platform supports hardware SYN cookies and ignores the setting otherwise. This is a cosmetic issue. Workaround: None needed.
ID 442034 SSL [session id] persistence can prematurely close (FIN) a TCP connection before all data has been forwarded. Conditions: SSL persistence in use; a slow client side (WAN) exacerbates the issue. Impact: premature close of the TCP connection and data loss. Workaround: None.
ID 442191 When a configuration containing HTTP Class profiles that use globs for matching is upgraded, the globs are converted to a policy with a 'contains' condition where 'equals' is correct. The upgrade succeeds, but the policy does not use the correct operator. Conditions: a UCS or configuration from 11.3.x or earlier containing HTTP Class profiles with globs is loaded on 11.4.0 or 11.4.1. Impact: after the upgrade to 11.4.x, the policy matches more requests than the HTTP Class profile did, affecting network traffic. Workaround: Manually correct the condition in the affected policies after upgrading to 11.4.x.
ID 442199 If the ccmode utility (for installations requiring Common Criteria compliance) is run before an HA group is set up, HA pairing fails: in the GUI, the Peer Discovery step returns an iControl connection failure error. Impact: unable to set up the HA group. Workaround: Create all HA groups before running the ccmode utility.
ID 442227 In tmsh, a user can set the start or end time of the database download schedule to a value such as 24:01, outside the supported range of 00:00 to 23:59. Impact: the download schedule might behave unpredictably. Workaround: Set the start and end times within 00:00 to 23:59, or set the time in the GUI.
ID 442322 vCMP guest names longer than 32 characters can affect the display of guest statistics: tmstat table entries can collapse and omit the statistics for the long-named guests. Workaround: None.
ID 442330 A user receives an 'error occurred' page when updating a user property. Conditions: the ciphers used by httpd have been restricted to AES_256. Impact: cosmetic error page. Workaround: Install the JCE policy files on the BIG-IP system to allow use of the AES_256 ciphers.
ID 442409 On certain types of gigabit Ethernet interfaces, TMM can panic with messages such as the following in the LTM log:
<13> Dec 20 08:11:12 WA0201DA01 notice bge_fast_ifoutput: packet_data_compact failed to reduce pkt size below 4.
<13> Dec 20 08:11:12 WA0201DA01 notice panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.
Impact: BIG-IP operation is interrupted while the system reboots. Workaround: None known.
ID 442569 When installing a hotfix, some SELinux errors can occur in this release, including: /usr/sbin/load_policy: Can't load policy: No such file or directory. These errors are benign, and SELinux corrects itself when the system is rebooted into the release. Conditions: installing a hotfix. Impact: none. Workaround: None.
ID 442608 A data group can be deleted while it is still in use by a FIX profile. Conditions: the data group is assigned to a FIX profile. Impact: FIX tag substitution continues according to the data group contents as they were when the group was assigned. Workaround: To stop tag substitution, first change the FIX profile configuration to remove the data group, then delete the data group.
ID 442613 After a user modifies the contents of a tag-map data group, the tag replacement function may continue to use the old tag mapping. Conditions: the user assigns a data group to a FIX profile's sender tag map attribute and then modifies the contents of the data group. Impact: replaced tags may still follow the old mapping, so the FIX message receiver does not recognize the tag and rejects the message. Workaround: After modifying the data group, edit the FIX profile and re-define the attribute by removing the sender tag map and adding it back.
ID 442625 When you attempt to create an IPsec Authentication Header (AH) traffic selector, you might encounter errors, and TMM might crash. The crash occurs when a TCP virtual server retransmits over an IPsec AH tunnel. The system posts alerts similar to the following:
err alertd[6623]: 01100014:3: Action tmsh create net ipsec traffic-selector NET18 Source-Address 200.4.18.0/24 destination-port any destination-address 0.0.0.0/0 ipsec-policy test_tunnel is failed.
err mcpd[5973]: 01020037:3: The requested unknown (/Common/NET19) already exists.
err tmsh[32652]: 01420006:3: 01020037:3: The requested unknown (/Common/NET19) already exists.
Workaround: None.
ID 443098 On a vCMP guest under high memory pressure, the aggressive sweeper can be activated very often, and the resulting graphs show connections leaking. Conditions: the aggressive sweeper running on a vCMP guest. Impact: connections are leaked, and the amount of memory used is proportional to the number of connections. Workaround: None.
ID 443895 In some cases, ICMP unreachable messages generated by the BIG-IP system through IPsec tunnels loop between tmm processes, driving TMM to 100% CPU on two cores. Conditions: multiple IPsec tunnels configured and up. On the terminating IPsec endpoint, if traffic leaving the tunnel is unreachable from the BIG-IP system, the generated ICMP unreachable messages can occasionally be sent through the wrong tunnel, and in some cases the ICMP packet loops between tmm processes. Impact: TMM uses 100% of the CPU. Workaround: Deleting the IPsec SAs with 'tmsh delete net ipsec ipsec-sa' gets the system out of this state, but also brings down the tunnels, and the system may return to this state if the BIG-IP system keeps generating ICMP unreachable messages.
ID 444387 When an iRule uses the table command to insert (set, add, or replace subcommands) a large amount of data (over 128k) and session mirroring is enabled, tmm crashes. Conditions: a large table insert operation with session mirroring enabled, for example: table set my_table $excessive_data. Impact: tmm crashes, which may result in a network outage. Workaround: Revise the iRule to avoid inserting large values.
ID 444710 An out-of-order TCP packet is dropped if it arrives during the three-way handshake. Conditions: a client initiates a TCP connection to the BIG-IP system and its ACK segment arrives after (out of order with respect to) a second packet. The resulting sequence:
1. Client -> BIG-IP: SYN
2. BIG-IP -> Client: SYN-ACK
3. Client -> BIG-IP: PSH, ACK (out of order; dropped and must be retransmitted)
4. Client -> BIG-IP: ACK
Impact: the client must retransmit the dropped packet. Workaround: None.
ID 445532 On a chassis, when the MCP option under Audit Logging is set to Enabled, Verbose, or Debug, the system sends numerous messages to /var/log/audit. The log fills, which might render the GUI inaccessible. Conditions: chassis only, with the Audit Logging MCP option set to Enabled, Verbose, or Debug. Impact: when /var/log/audit is full, the GUI might become inaccessible. Workaround: Set the MCP option under Audit Logging (System :: Logs) to Disabled.
ID 445610 When a VXLAN tunnel has an IPv6 self IP, pinging the self IP on the other side of the tunnel fails: the ping traffic does not traverse the tunnel. Workaround:
ID 445911 TMM fast-forwarded flows are offloaded to the ePVA, which is incorrect behavior. Conditions: platforms with an ePVA. Workaround: On 11.3.x and 11.4.0 there is no workaround. On 11.4.1 or later, turn off TMM fast forward when using the guaranteed hardware acceleration mode: tmsh modify sys db tmm.ffwd.enable value false
ID 445919 Running 'tmsh show sys conn' on a system with over one million connections might cause TMM or MCPD to exhaust its memory and restart. Workaround: Use a filter with 'show sys conn' that reduces the result set to fewer than one million entries. You can check the current number of connections with 'tmsh show sys performance conn'.
ID 446549 In certain cases, mcpd can crash during configuration synchronization because an object is deleted while it is still being processed. This often occurs after an upgrade. Impact: when mcpd crashes, a BIG-IP system that was active goes to standby. Workaround: None.
ID 446676 Systems licensed with an ADF SKU might reboot repeatedly after licensing, due to a defect in the licenses previously delivered to these systems. The clear indication of the problem is the duplication of a number of feature flags in /config/bigip.license, most importantly perf_CPU_frequency: the flag is listed twice, so its accumulated total is twice the expected value. For example:
#
# Accumulated Tokens for Modules
# ADF, A
perf_CPU_frequency 1200000 key AAAAAAA-AAAAAAA
# ADF, A
perf_CPU_frequency 1200000 key AAAAAAA-AAAAAAA
#
# Accumulated Tokens for Modules
# ADF, A
perf_SSL_total_TPS 563 key AAAAAAA-AAAAAAA
# ADF, A
perf_SSL_total_TPS 563 key AAAAAAA-AAAAAAA
#
perf_CPU_frequency : 2400000
perf_SSL_total_TPS : 1126
Conditions: the system is running an ADF license that was first activated before 1/30/2014. Impact: the system reboots repeatedly after one of these licenses is applied. Workaround: Obtain a new registration key for the license package you previously purchased, and activate the new registration key.
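The indicator described in this entry can be checked before a license is applied. The following is an added example, not F5 code or part of this release note: it scans a bigip.license excerpt for feature flags that the same registration key contributed more than once, and for accumulated totals that count those duplicates. The layout it assumes is the one in the excerpt above, a token entry written as '<flag> <value> key <registration key>' and a total written as '<flag> : <total>'; SAMPLE_LICENSE is constructed to reproduce that excerpt, and the line breaks in it are an assumption.

```python
# Added example (not F5 code): detect the duplicated accumulated tokens in
# /config/bigip.license that ID 446676 describes. Assumed layout (from the
# excerpt in the release note): token entries '<flag> <value> key <regkey>'
# and totals '<flag> : <total>'. SAMPLE_LICENSE is constructed.
import re
from collections import defaultdict

TOKEN_RE = re.compile(r"(perf_\w+)\s+(\d+)\s+key\s+(\S+)")
TOTAL_RE = re.compile(r"^\s*(perf_\w+)\s*:\s*(\d+)\s*$", re.MULTILINE)

SAMPLE_LICENSE = """\
#
# Accumulated Tokens for Modules
# ADF, A
perf_CPU_frequency 1200000 key AAAAAAA-AAAAAAA
# ADF, A
perf_CPU_frequency 1200000 key AAAAAAA-AAAAAAA
#
# Accumulated Tokens for Modules
# ADF, A
perf_SSL_total_TPS 563 key AAAAAAA-AAAAAAA
# ADF, A
perf_SSL_total_TPS 563 key AAAAAAA-AAAAAAA
#
perf_CPU_frequency : 2400000
perf_SSL_total_TPS : 1126
"""


def accumulated_tokens(text):
    """Map each flag to the list of (value, registration key) entries that
    contributed to it, in file order."""
    tokens = defaultdict(list)
    for flag, value, key in TOKEN_RE.findall(text):
        tokens[flag].append((int(value), key))
    return dict(tokens)


def duplicate_tokens(text):
    """Flags for which the same registration key contributed the same token
    more than once, mapped to the number of entries seen. A legitimate add-on
    comes from a different key; a repeat of the same key is the defect."""
    dups = {}
    for flag, entries in accumulated_tokens(text).items():
        if len(entries) != len(set(entries)):
            dups[flag] = len(entries)
    return dups


def inflated_totals(text):
    """Flags whose accumulated total counts the duplicates:
    {flag: (declared total, total over distinct key entries)}."""
    tokens = accumulated_tokens(text)
    result = {}
    for flag, declared in TOTAL_RE.findall(text):
        distinct = sum(value for value, _ in set(tokens.get(flag, [])))
        if int(declared) != distinct:
            result[flag] = (int(declared), distinct)
    return result


def check_license(text):
    """True when no flag is duplicated and every total matches its distinct tokens."""
    return not duplicate_tokens(text) and not inflated_totals(text)


if __name__ == "__main__":
    print("duplicated flags:", duplicate_tokens(SAMPLE_LICENSE))
    print("inflated totals:", inflated_totals(SAMPLE_LICENSE))
    print("license OK:", check_license(SAMPLE_LICENSE))
```

A non-empty result from duplicate_tokens on the contents of /config/bigip.license is the condition this entry describes, and the remedy is the one given above: reactivate with a new registration key rather than editing the file.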
ID 446713 The first boot into 11.5.0 causes daemon restarts and error messages on VIPRION B4300/B4300N blades. This happens on each blade except blade 1 (the primary). Impact: the system posts various error messages and daemons restart. Workaround: None.
ID 446717 When 'tmsh show sys hardware' is run on the primary blade, 'Blade Temperature Status' reports a blade other than the primary, and the other slots are not reported under this category. Impact: tmsh reports the wrong slot under 'Blade Temperature Status' on the primary blade. Workaround: To find the temperature status of the primary blade, use the EUD sensor test.
ID 449402 Upgrades from 11.x to 11.5.0 might fail to set the ha-group reference in the traffic groups when the original configuration uses ha-groups; upgrades from 10.x work correctly. This occurs because in 11.5.0 the ha-group failover settings are configured per traffic group rather than per device. Impact: the ha-group failover method might not function until it is set as the failover method for the specific traffic group. Workaround: Set the ha-group reference manually in the GUI or with tmsh.
ID 450058 On BIG-IP and BIG-IQ platforms provisioned with SSD swap space, a race condition can lock up some of the CPUs, disrupting service from those CPUs. Conditions: BIG-IP 5000s, 5200v, 5050, 7000s, 7200v, 7050, 10000s, and 10200v platforms, and VIPRION B2150 and B2250 blades only. Impact: swap activity can lock up the system, requiring a power cycle or an AOM host reset. Workaround: None; this is a rare occurrence.
ID 455284 Firewall rules intended to restrict access to an APM daemon listening on port 54321 on the BIG-IP system can interfere with TCP monitor traffic that the BIG-IP system itself generates from port 54321. This can occur even if the system is not provisioned for APM or SWG. Impact: monitors fail incorrectly and pool members are marked down. A packet capture of the monitor traffic shows the BIG-IP system receiving a SYN/ACK from a pool member and answering it with an ICMP port unreachable error: the local rule rejects every TCP segment addressed to port 54321, including the SYN/ACK returning to a monitor whose ephemeral source port was 54321. Workaround: Add the following iptables commands to the /config/startup script and reboot the BIG-IP system (or run the commands once manually). They remove the blanket REJECT and replace it with a rule that rejects only new inbound connection attempts (segments with SYN set and ACK clear), so return traffic to the monitors is no longer affected; the second -D removes any existing copy of the new rule so that it is not appended twice:
/sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
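To see why the replacement rule fixes the monitors without reopening port 54321, the following is an added example, not F5 code or part of this release note. It is a small model of the iptables matching that the three commands above rely on (only -p, --dport, --tcp-flags MASK COMP, and --reject-with are interpreted; everything else on the command line is ignored), applied to constructed packets: a pool member's SYN/ACK returning to a monitor that used 54321 as its source port, a foreign host's SYN to the APM daemon, and an unrelated SYN to port 443. The real iptables evaluates many more options and chain semantics; this model covers only the two rules on this page.

```python
# Added example (not F5 code): model the iptables matching used by the
# ID 455284 workaround. Only the option subset those rules use is implemented
# (-p, --dport, --tcp-flags MASK COMP, --reject-with); the packets are
# constructed for illustration.
from dataclasses import dataclass

TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def flag_bits(names):
    """Turn an iptables flag list such as 'ACK,SYN' into a bitmask."""
    return sum(TCP_FLAGS[n] for n in names.split(",") if n)


@dataclass
class Rule:
    proto: str
    dport: int
    mask: int          # --tcp-flags MASK (0 when the option is absent)
    comp: int          # --tcp-flags COMP (0 when the option is absent)
    reject_with: str

    def matches(self, pkt):
        """Protocol and destination port must match and, as in iptables,
        (flags & MASK) == COMP. Without --tcp-flags both are 0, so every
        segment to the port matches regardless of its flags."""
        if pkt["proto"] != self.proto or pkt["dport"] != self.dport:
            return False
        return (pkt["flags"] & self.mask) == self.comp


def parse_rule(spec):
    """Parse the option subset used on this page from an iptables command line."""
    toks = spec.split()
    proto, dport, mask, comp, reject_with = None, None, 0, 0, None
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            proto, i = toks[i + 1], i + 2
        elif t == "--dport":
            dport, i = int(toks[i + 1]), i + 2
        elif t == "--tcp-flags":
            mask, comp, i = flag_bits(toks[i + 1]), flag_bits(toks[i + 2]), i + 3
        elif t == "--reject-with":
            reject_with, i = toks[i + 1], i + 2
        else:
            i += 1  # /sbin/iptables, -A/-D INPUT, -m tcp, -j REJECT: no effect on matching
    return Rule(proto, dport, mask, comp, reject_with)


# The rule the workaround deletes and the rule it appends, verbatim from the note.
BROAD_RULE = parse_rule(
    "/sbin/iptables -A INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable")
SYN_ONLY_RULE = parse_rule(
    "/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN "
    "-j REJECT --reject-with tcp-reset")


def segment(flags, dport, proto="tcp"):
    """Constructed inbound packet as seen by the INPUT chain."""
    return {"proto": proto, "dport": dport, "flags": flag_bits(flags)}


TRAFFIC = {
    # a pool member's SYN/ACK answering a TCP monitor whose ephemeral source
    # port happened to be 54321 (the ID 455284 failure)
    "monitor_synack": segment("SYN,ACK", 54321),
    # a foreign host opening a connection to the APM daemon (must stay rejected)
    "inbound_syn": segment("SYN", 54321),
    # unrelated traffic to another port
    "https_syn": segment("SYN", 443),
}


def rejected_by(rule):
    """Names of the constructed packets the rule would reject."""
    return sorted(name for name, pkt in TRAFFIC.items() if rule.matches(pkt))


def breaks_monitors(rule):
    """True if the rule answers a monitor's returning SYN/ACK with a reject."""
    return rule.matches(TRAFFIC["monitor_synack"])


if __name__ == "__main__":
    for name, rule in (("broad", BROAD_RULE), ("syn-only", SYN_ONLY_RULE)):
        print(f"{name:9s} rejects {rejected_by(rule)}; breaks monitors: {breaks_monitors(rule)}")
```

The point the model makes: a rule keyed on destination port alone applies to both directions of a TCP conversation, so it also catches replies to connections the host itself opened from that port; qualifying it with --tcp-flags ACK,SYN SYN restricts it to connection attempts, which is what a rule protecting a listener should reject. On the real system, 'iptables -S INPUT' shows which form is present.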

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices